""" CALEA System Security and Integrity (SSI) Plan generator. Under 47 USC § 229 and 47 CFR § 1.20003 every telecommunications carrier (including interconnected VoIP providers) must maintain — and review annually — a System Security and Integrity policy covering lawful- intercept capability, CPNI safeguards, personnel vetting, supervisory review, and records retention. The SSI plan is kept internally. It's produced for DOJ on subpoena (28 CFR § 100.10) — not routinely filed with the FCC. We generate a carrier-specific, signable DOCX that follows the 10-section outline expected by DOJ / FCC Enforcement reviewers. Customer-specific substitutions come from ``intake_data["calea_ssi"]``. Usage: from scripts.document_gen.templates.calea_ssi_generator import ( generate_calea_ssi_plan, ) path = generate_calea_ssi_plan( entity_name="Falcon Broadband LLC", law_enforcement_contact={"name":"Jane Doe","title":"General Counsel", "phone":"555-123-4567","email_24h":"le-contact@falcon.example.com"}, cpni_protection_officer={"name":"John Roe","title":"VP Operations"}, network_infrastructure_summary="FreeSWITCH cluster + Ribbon SBC; " "trunking via Bandwidth.com + Inteliquent", interception_support_method="CALEA intercept provided by our upstream " "provider Bandwidth.com under the standard " "CALEA Reference Model for VoIP", output_path="/tmp/calea_ssi.docx", ) """ from __future__ import annotations import logging from datetime import date, datetime from pathlib import Path from typing import Optional LOG = logging.getLogger("document_gen.calea_ssi") try: from docx import Document from docx.shared import Pt, Inches, RGBColor from docx.enum.text import WD_ALIGN_PARAGRAPH except ImportError: LOG.warning("python-docx not installed — CALEA SSI generation unavailable") Document = None # type: ignore[assignment,misc] NAVY = RGBColor(0x1A, 0x27, 0x44) if Document else None def _heading(doc, text: str) -> None: p = doc.add_paragraph() p.paragraph_format.space_before = Pt(12) p.paragraph_format.space_after = Pt(4) run = p.add_run(text) run.bold = True run.font.size = Pt(13) run.font.color.rgb = NAVY def _body(doc, text: str, bold: bool = False) -> None: p = doc.add_paragraph() p.paragraph_format.space_after = Pt(6) run = p.add_run(text) run.font.size = Pt(11) run.bold = bold def _bullets(doc, items: list[str]) -> None: for it in items: p = doc.add_paragraph(style="List Bullet") p.paragraph_format.left_indent = Inches(0.25) p.paragraph_format.space_after = Pt(3) p.clear() run = p.add_run(it) run.font.size = Pt(11) def generate_calea_ssi_plan( # Carrier identity entity_name: str, frn: str = "", # Law enforcement designated 24-hour contact (47 CFR § 1.20003(a)(1)) law_enforcement_contact: Optional[dict] = None, # CPNI protection officer (47 CFR § 64.2009(d)) cpni_protection_officer: Optional[dict] = None, # Network / infrastructure network_infrastructure_summary: str = "", interception_support_method: str = "", # Operational scope is_interconnected_voip: bool = True, is_wholesale: bool = False, has_retail_customers: bool = True, # Signatory (typically the officer named on the CPNI cert) signatory_name: str = "", signatory_title: str = "Chief Executive Officer", # Dates effective_date: str = "", next_review_date: str = "", # Reviewer (PW compliance team) reviewer_name: str = "Justin Hannah", reviewer_company: str = "Performance West Inc.", # Output output_path: str = "/tmp/calea_ssi_plan.docx", ) -> Optional[str]: """Produce the 10-section CALEA SSI Plan as a DOCX.""" if Document is None: LOG.error("python-docx not installed") return None le = law_enforcement_contact or {} cpni = cpni_protection_officer or {} today = date.today() effective = effective_date or today.strftime("%m/%d/%Y") next_review = next_review_date or today.replace(year=today.year + 1).strftime("%m/%d/%Y") doc = Document() for section in doc.sections: section.top_margin = Inches(1) section.bottom_margin = Inches(1) section.left_margin = Inches(1.25) section.right_margin = Inches(1.25) # Title title = doc.add_paragraph() title.alignment = WD_ALIGN_PARAGRAPH.CENTER tr = title.add_run("System Security and Integrity (SSI) Plan") tr.font.size = Pt(15); tr.bold = True; tr.font.color.rgb = NAVY sub = doc.add_paragraph() sub.alignment = WD_ALIGN_PARAGRAPH.CENTER sr = sub.add_run(entity_name) sr.font.size = Pt(13); sr.bold = True cite = doc.add_paragraph() cite.alignment = WD_ALIGN_PARAGRAPH.CENTER cr = cite.add_run( "Pursuant to 47 U.S.C. \u00a7 229 and 47 CFR \u00a7 1.20003" ) cr.font.size = Pt(10); cr.italic = True cite.paragraph_format.space_after = Pt(18) # ── 1. Purpose ────────────────────────────────────────────────── _heading(doc, "1. Purpose") _body(doc, ( f"This System Security and Integrity (SSI) Plan governs {entity_name}'s " f"compliance with the Communications Assistance for Law Enforcement " f"Act (CALEA), 47 U.S.C. \u00a7\u00a7 1001\u20131010, and the Federal " f"Communications Commission's implementing rules at 47 CFR Part 1 " f"Subpart Z. It defines the procedures {entity_name} uses to " f"support lawful electronic surveillance of its telecommunications " f"and interconnected VoIP services while protecting customer " f"privacy and the integrity of company operations." )) # ── 2. Scope and Applicability ────────────────────────────────── _heading(doc, "2. Scope and Applicability") scope_bits = [f"{entity_name} is subject to CALEA as a provider of "] if is_interconnected_voip: scope_bits.append("interconnected Voice over Internet Protocol services ") scope_bits.append("and has designed and implemented the systems described " "herein to support lawful intercept obligations.") _body(doc, "".join(scope_bits)) if has_retail_customers: _body(doc, ( f"{entity_name} maintains retail customer relationships subject " f"to the CPNI safeguards defined in Section 5." )) if is_wholesale: _body(doc, ( f"{entity_name} also operates in a wholesale capacity. Wholesale " f"intercept requests are coordinated with the downstream service " f"provider per the CALEA Reference Model." )) # ── 3. Designated Law Enforcement Contact ────────────────────── _heading(doc, "3. Designated Law Enforcement Contact (24-hour)") _body(doc, ( f"Per 47 CFR \u00a7 1.20003(a)(1), {entity_name} designates the following " f"senior officer as point of contact for law enforcement inquiries, " f"court orders, pen register / trap-and-trace orders, and Title III " f"wiretap orders. This contact is staffed 24 hours a day." )) _bullets(doc, [ f"Name: {le.get('name') or '[TO BE POPULATED]'}", f"Title: {le.get('title') or ''}", f"Phone (24-hour): {le.get('phone') or ''}", f"Email (24-hour): {le.get('email_24h') or ''}", f"Backup contact: {le.get('backup_name') or '[TO BE POPULATED]'}", ]) _body(doc, ( f"Law enforcement officers may effect service of process on the " f"above designee by telephone, email, or in person at the address " f"of record. {entity_name} commits to acknowledging any intercept " f"or traffic-capture order within two (2) business hours of receipt." )) # ── 4. Network Architecture ──────────────────────────────────── _heading(doc, "4. Network Architecture and Interception Capability") _body(doc, network_infrastructure_summary or ( f"{entity_name} operates a VoIP network consisting of session " "border controllers (SBCs) for signaling, softswitch(es) for " "call control, and DID origination / termination via " "commercial-grade upstream providers." )) _body(doc, interception_support_method or ( f"CALEA intercept capability is provided through {entity_name}'s " "upstream voice service provider(s) under the standard CALEA " "Reference Model for interconnected VoIP. Upon receipt of a valid " "court order, the designated law enforcement contact coordinates " "with the upstream provider's CALEA team to provision the intercept " "at the upstream switching element." )) _body(doc, ( f"{entity_name} retains documentation of CALEA implementation " f"capability including upstream provider CALEA attestations, " f"interconnection agreements, and ATIS J-STD-025 / TIA-J-STD-025 " f"compliance references." )) # ── 5. CPNI Safeguards ───────────────────────────────────────── _heading(doc, "5. Customer Proprietary Network Information (CPNI) Safeguards") _body(doc, ( f"{entity_name} maintains separate, written CPNI procedures under " f"47 CFR \u00a7\u00a7 64.2001\u201364.2011. The CPNI Protection Officer is:" )) _bullets(doc, [ f"Name: {cpni.get('name') or '[TO BE POPULATED]'}", f"Title: {cpni.get('title') or 'CPNI Protection Officer'}", ]) _body(doc, ( "Access to CPNI is authorized only for legitimate business " "purposes, supervised by the CPNI Protection Officer, and logged " "for supervisory review. See the company's separate CPNI " "Procedure Statement for detailed controls." )) # ── 6. Personnel Vetting and Training ───────────────────────── _heading(doc, "6. Personnel Vetting and Training") _bullets(doc, [ f"All {entity_name} personnel with access to intercept systems or " "CPNI complete annual CALEA and CPNI training.", "Background checks are performed on all personnel prior to being " "granted access to intercept provisioning interfaces.", "Access is revoked within 24 hours of termination of employment.", "All intercept-related actions are attributed to named individuals " "via authenticated logins (no shared credentials).", ]) # ── 7. Supervisory Review ───────────────────────────────────── _heading(doc, "7. Supervisory Review") _body(doc, ( f"The {le.get('title') or 'Designated Senior Officer'} reviews all " f"intercept-related activity no less than quarterly. Any anomaly " f"(unauthorized access attempt, tampering, missed response SLA) " f"is escalated to the CEO within one business day of detection." )) # ── 8. Records Retention ────────────────────────────────────── _heading(doc, "8. Records Retention") _body(doc, ( "Records of intercept provisioning, service of process, " "acknowledgments, and termination are retained for a minimum of " "ten (10) years per 47 CFR \u00a7 1.20003(b). CPNI access logs are " "retained for at least two (2) years per 47 CFR \u00a7 64.2009(c)." )) # ── 9. Annual Review ────────────────────────────────────────── _heading(doc, "9. Annual Review") _body(doc, ( f"This Plan is reviewed at least annually by the designated senior " f"officer and updated when: (i) a new class of service is offered, " f"(ii) an upstream provider material to CALEA intercept capability " f"changes, (iii) the FCC or DOJ issues new guidance, or (iv) a " f"material breach or near-miss is identified. Next scheduled " f"review: {next_review}." )) # ── 10. Certification and Signature ─────────────────────────── _heading(doc, "10. Certification") _body(doc, ( f"I, {signatory_name or '[Authorized Officer]'}, as " f"{signatory_title} of {entity_name}, certify that I have reviewed " f"this System Security and Integrity Plan and that {entity_name} " f"has implemented the policies, procedures, and technical measures " f"described herein. I further certify that {entity_name} complies " f"with 47 U.S.C. \u00a7 229 and 47 CFR \u00a7 1.20003, and that " f"{entity_name} will make this Plan available to the Commission " f"and the Department of Justice on request." )) _body(doc, "") doc.add_paragraph("_" * 45) _body(doc, signatory_name or "[Authorized Officer]", bold=True) _body(doc, f"{signatory_title}, {entity_name}") _body(doc, f"Effective Date: {effective}") if frn: _body(doc, f"FRN: {frn}") _body(doc, f"Reviewed By: {reviewer_name}, {reviewer_company}") _body(doc, f"Next Review Date: {next_review}") out = Path(output_path) out.parent.mkdir(parents=True, exist_ok=True) doc.save(str(out)) LOG.info("CALEA SSI plan generated: %s", out) return str(out)