justin/new-site
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
new-site/scripts/document_gen/templates/calea_ssi_generator.py
justin f8cd37ac8c Initial commit — Performance West telecom compliance platform 
Includes: API (Express/TypeScript), Astro site, Python workers,
document generators, FCC compliance tools, Canada CRTC formation,
Ansible infrastructure, and deployment scripts.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-27 06:54:22 -05:00

308 lines
14 KiB
Python
Raw Blame History

"""
CALEA System Security and Integrity (SSI) Plan generator.
Under 47 USC § 229 and 47 CFR § 1.20003 every telecommunications carrier
(including interconnected VoIP providers) must maintain — and review
annually — a System Security and Integrity policy covering lawful-
intercept capability, CPNI safeguards, personnel vetting, supervisory
review, and records retention. The SSI plan is kept internally. It's
produced for DOJ on subpoena (28 CFR § 100.10) — not routinely filed
with the FCC.
We generate a carrier-specific, signable DOCX that follows the 10-section
outline expected by DOJ / FCC Enforcement reviewers. Customer-specific
substitutions come from ``intake_data["calea_ssi"]``.
Usage:
from scripts.document_gen.templates.calea_ssi_generator import (
generate_calea_ssi_plan,
)
path = generate_calea_ssi_plan(
entity_name="Falcon Broadband LLC",
law_enforcement_contact={"name":"Jane Doe","title":"General Counsel",
"phone":"555-123-4567","email_24h":"le-contact@falcon.example.com"},
cpni_protection_officer={"name":"John Roe","title":"VP Operations"},
network_infrastructure_summary="FreeSWITCH cluster + Ribbon SBC; "
"trunking via Bandwidth.com + Inteliquent",
interception_support_method="CALEA intercept provided by our upstream "
"provider Bandwidth.com under the standard "
"CALEA Reference Model for VoIP",
output_path="/tmp/calea_ssi.docx",
)
"""
from __future__ import annotations
import logging
from datetime import date, datetime
from pathlib import Path
from typing import Optional
LOG = logging.getLogger("document_gen.calea_ssi")
try:
from docx import Document
from docx.shared import Pt, Inches, RGBColor
from docx.enum.text import WD_ALIGN_PARAGRAPH
except ImportError:
LOG.warning("python-docx not installed — CALEA SSI generation unavailable")
Document = None # type: ignore[assignment,misc]
NAVY = RGBColor(0x1A, 0x27, 0x44) if Document else None
def _heading(doc, text: str) -> None:
p = doc.add_paragraph()
p.paragraph_format.space_before = Pt(12)
p.paragraph_format.space_after = Pt(4)
run = p.add_run(text)
run.bold = True
run.font.size = Pt(13)
run.font.color.rgb = NAVY
def _body(doc, text: str, bold: bool = False) -> None:
p = doc.add_paragraph()
p.paragraph_format.space_after = Pt(6)
run = p.add_run(text)
run.font.size = Pt(11)
run.bold = bold
def _bullets(doc, items: list[str]) -> None:
for it in items:
p = doc.add_paragraph(style="List Bullet")
p.paragraph_format.left_indent = Inches(0.25)
p.paragraph_format.space_after = Pt(3)
p.clear()
run = p.add_run(it)
run.font.size = Pt(11)
def generate_calea_ssi_plan(
# Carrier identity
entity_name: str,
frn: str = "",
# Law enforcement designated 24-hour contact (47 CFR § 1.20003(a)(1))
law_enforcement_contact: Optional[dict] = None,
# CPNI protection officer (47 CFR § 64.2009(d))
cpni_protection_officer: Optional[dict] = None,
# Network / infrastructure
network_infrastructure_summary: str = "",
interception_support_method: str = "",
# Operational scope
is_interconnected_voip: bool = True,
is_wholesale: bool = False,
has_retail_customers: bool = True,
# Signatory (typically the officer named on the CPNI cert)
signatory_name: str = "",
signatory_title: str = "Chief Executive Officer",
# Dates
effective_date: str = "",
next_review_date: str = "",
# Reviewer (PW compliance team)
reviewer_name: str = "Justin Hannah",
reviewer_company: str = "Performance West Inc.",
# Output
output_path: str = "/tmp/calea_ssi_plan.docx",
) -> Optional[str]:
"""Produce the 10-section CALEA SSI Plan as a DOCX."""
if Document is None:
LOG.error("python-docx not installed")
return None
le = law_enforcement_contact or {}
cpni = cpni_protection_officer or {}
today = date.today()
effective = effective_date or today.strftime("%m/%d/%Y")
next_review = next_review_date or today.replace(year=today.year + 1).strftime("%m/%d/%Y")
doc = Document()
for section in doc.sections:
section.top_margin = Inches(1)
section.bottom_margin = Inches(1)
section.left_margin = Inches(1.25)
section.right_margin = Inches(1.25)
# Title
title = doc.add_paragraph()
title.alignment = WD_ALIGN_PARAGRAPH.CENTER
tr = title.add_run("System Security and Integrity (SSI) Plan")
tr.font.size = Pt(15); tr.bold = True; tr.font.color.rgb = NAVY
sub = doc.add_paragraph()
sub.alignment = WD_ALIGN_PARAGRAPH.CENTER
sr = sub.add_run(entity_name)
sr.font.size = Pt(13); sr.bold = True
cite = doc.add_paragraph()
cite.alignment = WD_ALIGN_PARAGRAPH.CENTER
cr = cite.add_run(
"Pursuant to 47 U.S.C. \u00a7 229 and 47 CFR \u00a7 1.20003"
)
cr.font.size = Pt(10); cr.italic = True
cite.paragraph_format.space_after = Pt(18)
# ── 1. Purpose ──────────────────────────────────────────────────
_heading(doc, "1. Purpose")
_body(doc, (
f"This System Security and Integrity (SSI) Plan governs {entity_name}'s "
f"compliance with the Communications Assistance for Law Enforcement "
f"Act (CALEA), 47 U.S.C. \u00a7\u00a7 1001\u20131010, and the Federal "
f"Communications Commission's implementing rules at 47 CFR Part 1 "
f"Subpart Z. It defines the procedures {entity_name} uses to "
f"support lawful electronic surveillance of its telecommunications "
f"and interconnected VoIP services while protecting customer "
f"privacy and the integrity of company operations."
))
# ── 2. Scope and Applicability ──────────────────────────────────
_heading(doc, "2. Scope and Applicability")
scope_bits = [f"{entity_name} is subject to CALEA as a provider of "]
if is_interconnected_voip:
scope_bits.append("interconnected Voice over Internet Protocol services ")
scope_bits.append("and has designed and implemented the systems described "
"herein to support lawful intercept obligations.")
_body(doc, "".join(scope_bits))
if has_retail_customers:
_body(doc, (
f"{entity_name} maintains retail customer relationships subject "
f"to the CPNI safeguards defined in Section 5."
))
if is_wholesale:
_body(doc, (
f"{entity_name} also operates in a wholesale capacity. Wholesale "
f"intercept requests are coordinated with the downstream service "
f"provider per the CALEA Reference Model."
))
# ── 3. Designated Law Enforcement Contact ──────────────────────
_heading(doc, "3. Designated Law Enforcement Contact (24-hour)")
_body(doc, (
f"Per 47 CFR \u00a7 1.20003(a)(1), {entity_name} designates the following "
f"senior officer as point of contact for law enforcement inquiries, "
f"court orders, pen register / trap-and-trace orders, and Title III "
f"wiretap orders. This contact is staffed 24 hours a day."
))
_bullets(doc, [
f"Name: {le.get('name') or '[TO BE POPULATED]'}",
f"Title: {le.get('title') or ''}",
f"Phone (24-hour): {le.get('phone') or ''}",
f"Email (24-hour): {le.get('email_24h') or ''}",
f"Backup contact: {le.get('backup_name') or '[TO BE POPULATED]'}",
])
_body(doc, (
f"Law enforcement officers may effect service of process on the "
f"above designee by telephone, email, or in person at the address "
f"of record. {entity_name} commits to acknowledging any intercept "
f"or traffic-capture order within two (2) business hours of receipt."
))
# ── 4. Network Architecture ────────────────────────────────────
_heading(doc, "4. Network Architecture and Interception Capability")
_body(doc, network_infrastructure_summary or (
f"{entity_name} operates a VoIP network consisting of session "
"border controllers (SBCs) for signaling, softswitch(es) for "
"call control, and DID origination / termination via "
"commercial-grade upstream providers."
))
_body(doc, interception_support_method or (
f"CALEA intercept capability is provided through {entity_name}'s "
"upstream voice service provider(s) under the standard CALEA "
"Reference Model for interconnected VoIP. Upon receipt of a valid "
"court order, the designated law enforcement contact coordinates "
"with the upstream provider's CALEA team to provision the intercept "
"at the upstream switching element."
))
_body(doc, (
f"{entity_name} retains documentation of CALEA implementation "
f"capability including upstream provider CALEA attestations, "
f"interconnection agreements, and ATIS J-STD-025 / TIA-J-STD-025 "
f"compliance references."
))
# ── 5. CPNI Safeguards ─────────────────────────────────────────
_heading(doc, "5. Customer Proprietary Network Information (CPNI) Safeguards")
_body(doc, (
f"{entity_name} maintains separate, written CPNI procedures under "
f"47 CFR \u00a7\u00a7 64.2001\u201364.2011. The CPNI Protection Officer is:"
))
_bullets(doc, [
f"Name: {cpni.get('name') or '[TO BE POPULATED]'}",
f"Title: {cpni.get('title') or 'CPNI Protection Officer'}",
])
_body(doc, (
"Access to CPNI is authorized only for legitimate business "
"purposes, supervised by the CPNI Protection Officer, and logged "
"for supervisory review. See the company's separate CPNI "
"Procedure Statement for detailed controls."
))
# ── 6. Personnel Vetting and Training ─────────────────────────
_heading(doc, "6. Personnel Vetting and Training")
_bullets(doc, [
f"All {entity_name} personnel with access to intercept systems or "
"CPNI complete annual CALEA and CPNI training.",
"Background checks are performed on all personnel prior to being "
"granted access to intercept provisioning interfaces.",
"Access is revoked within 24 hours of termination of employment.",
"All intercept-related actions are attributed to named individuals "
"via authenticated logins (no shared credentials).",
])
# ── 7. Supervisory Review ─────────────────────────────────────
_heading(doc, "7. Supervisory Review")
_body(doc, (
f"The {le.get('title') or 'Designated Senior Officer'} reviews all "
f"intercept-related activity no less than quarterly. Any anomaly "
f"(unauthorized access attempt, tampering, missed response SLA) "
f"is escalated to the CEO within one business day of detection."
))
# ── 8. Records Retention ──────────────────────────────────────
_heading(doc, "8. Records Retention")
_body(doc, (
"Records of intercept provisioning, service of process, "
"acknowledgments, and termination are retained for a minimum of "
"ten (10) years per 47 CFR \u00a7 1.20003(b). CPNI access logs are "
"retained for at least two (2) years per 47 CFR \u00a7 64.2009(c)."
))
# ── 9. Annual Review ──────────────────────────────────────────
_heading(doc, "9. Annual Review")
_body(doc, (
f"This Plan is reviewed at least annually by the designated senior "
f"officer and updated when: (i) a new class of service is offered, "
f"(ii) an upstream provider material to CALEA intercept capability "
f"changes, (iii) the FCC or DOJ issues new guidance, or (iv) a "
f"material breach or near-miss is identified. Next scheduled "
f"review: {next_review}."
))
# ── 10. Certification and Signature ───────────────────────────
_heading(doc, "10. Certification")
_body(doc, (
f"I, {signatory_name or '[Authorized Officer]'}, as "
f"{signatory_title} of {entity_name}, certify that I have reviewed "
f"this System Security and Integrity Plan and that {entity_name} "
f"has implemented the policies, procedures, and technical measures "
f"described herein. I further certify that {entity_name} complies "
f"with 47 U.S.C. \u00a7 229 and 47 CFR \u00a7 1.20003, and that "
f"{entity_name} will make this Plan available to the Commission "
f"and the Department of Justice on request."
))
_body(doc, "")
doc.add_paragraph("_" * 45)
_body(doc, signatory_name or "[Authorized Officer]", bold=True)
_body(doc, f"{signatory_title}, {entity_name}")
_body(doc, f"Effective Date: {effective}")
if frn:
_body(doc, f"FRN: {frn}")
_body(doc, f"Reviewed By: {reviewer_name}, {reviewer_company}")
_body(doc, f"Next Review Date: {next_review}")
out = Path(output_path)
out.parent.mkdir(parents=True, exist_ok=True)
doc.save(str(out))
LOG.info("CALEA SSI plan generated: %s", out)
return str(out)
Reference in a new issue View git blame Copy permalink