Non-facilities-based resellers must incorporate the required analytics in the IP portions of their networks to deploy the proper capabilities. There are six required administrative steps providers must take in order to be fully compliant with STIR/SHAKEN.

  1. Obtain an Operating Company Number (“OCN”). These are assigned by NECA and used to identify companies in other telecommunications resources.
  2. Register with the Policy Administrator. The Policy Administrator (iconectiv is the designated “PA” [https://iconectiv.com/]) evaluates and authorizes certain trusted third parties to act as Certification Authorities (“CAs”) and issue SHAKEN digital certificates to service providers. This both protects the authenticity and validity of the certificates and prevents people who shouldn’t be signing calls from getting a certificate. Iconectiv is responsible for coordinating, registering, and verifying CAs through a closely controlled process outlined by the Secure Telephone Identity Governance Authority (“STI-GA”). ATIS manages the STI-GA, defining the rules governing the certificate management infrastructure to ensure effective use and security of SHAKEN certificates.
  3. Get a token from the PA. Carriers must request a service provider code or token from the PA. If the PA validates the service provider and approves the request, it then provides the service provider with a token, which contains the OCN and authorizes the service provider to request a certificate from a CA.
  4. Select a CA. Secure Telephone Identity Certification Authorities (“STI-CAs”) are critical to call authentication. CAs will be responsible for assigning to authorized service providers the digital certificates that will be used to ensure calls get proper caller ID. The PA maintains an up-to-date list of all authorized certificate issuers, which is available to all service providers. Every Certification Authority must be authorized by the PA to issue SHAKEN certificates, and they are the only means through which service providers can obtain STIR/SHAKEN certificates and comply with the TRACED Act.
  5. Request a Certificate. To get a certificate, service providers need to submit a certificate signing request (“CSR”) and send it with their token to the CA. If the application is approved, the CA issues a certificate to the service provider.
  6. Update the FCC’s Robocall Mitigation Database to certify as fully STIR/SHAKEN compliant.