What is STIR/SHAKEN?
STIR/SHAKEN is the FCC’s framework for verifying that caller ID information is legitimate. The name is a bit of a backronym — STIR stands for “Secure Telephony Identity Revisited” and SHAKEN stands for “Signature-based Handling of Asserted information using toKENs.” Yes, someone really wanted that to spell out a James Bond reference.
The problem it solves is simple: robocallers spoof caller ID to make it look like calls are coming from legitimate numbers. You’ve probably gotten a call that appeared to be from your own area code — or even your own number. STIR/SHAKEN is designed to make that much harder to pull off.
How does it work?
When a call originates, the originating carrier digitally signs the call with an attestation — basically a cryptographic stamp that says “we know who’s making this call, and here’s how confident we are.” That signature travels with the call through the network, and the terminating carrier can verify it before delivering the call.
There are three levels of attestation:
- Full (A): The carrier knows exactly who the caller is and has verified they’re authorized to use that number. This is the gold standard.
- Partial (B): The carrier knows who the customer is but can’t fully verify their right to use the specific number. Common with trunking arrangements.
- Gateway (C): The carrier received the call from a gateway (like an international call) and can’t verify the origin. This is the lowest level of confidence.
Who has to implement it?
If you’re a VoIP provider — whether you’re operating as an IPES or a CLEC — you almost certainly have obligations here. The FCC has been phasing in requirements over time, and the moose-t important thing to know is that small providers aren’t exempt. Even if you got an initial extension, the deadlines have largely passed.
You’ll need a certificate from a Certificate Authority authorized by the STI Policy Administrator, and you’ll need to implement the signing and verification processes in your call infrastructure.
What happens if you don’t comply?
The FCC requires carriers to file information about their STIR/SHAKEN implementation in the Robocall Mitigation Database. If you’re not in that database with a current filing, other carriers can — and will — block your traffic. That’s not a theoretical risk; it’s happening today.
Need help?
STIR/SHAKEN touches both the technical and compliance sides of your operation. We can help you sort through the requirements and make sure you’re in good shape. Reach out — we’ve helped plenty of operators get this right.