Second Security, Stability, and Resiliency Review (SSR2) Pending Recommendations

Why is the Board addressing the issue?

The Security, Stability, and Resiliency (SSR) Review is one of the four Specific Reviews anchored in Section 4.6 of the ICANN Bylaws. Specific Reviews are conducted by community-led review teams, which assess ICANN's performance in fulfilling its commitments. Reviews are critical to maintaining an effective multistakeholder model and helping ICANN achieve its Mission, as detailed in Article 1 of the Bylaws. Reviews also contribute to ensuring that ICANN serves the public interest. The SSR2 Review is the second iteration of the SSR Review and relates to key elements of ICANN's Strategic Plan.

In its action on 22 July 2021, the Board placed 34 recommendations into one of the three pending statuses, and committed to take further action on these recommendations subsequent to the completion of steps as identified in the Scorecard. Three pending recommendations are now ready for Board action.

Background information

On 22 July 2021, the ICANN Board took action on the recommendations of the community-led second Security, Stability, and Resiliency (SSR2) Review Team.

The SSR2 Review Team issued 63 recommendations in its final report; many recommendations are complex and touch on other significant areas of work underway and therefore could not be addressed in silos.

Noting some broad areas and themes in relation to the SSR2 recommendations, many of which are emphasized in public comments, the Board developed six categories of Board action on SSR2 recommendations; approved, rejects because the recommendation cannot be approved in full, rejects, pending-likely to be approved, pending-holding to seek clarity or further information, pending-likely to be rejected, as specified within the Scorecard titled the "Final SSR2 Review Team Recommendations – Board Action." accompanying the Board rationale.

As detailed in the Scorecard supporting the 22 July 2021 action, the Board made the following determinations by pending categories:

The Board placed four recommendations (5.4, 19.1, 19.2 and 20.2) into "pending, likely to be approved once further information is gathered to enable approval".
The Board placed six recommendations into "pending, likely to be rejected unless additional information shows implementation is feasible": 6.1, 6.2, 7.4, 9.2, 16.2 and 16.3.
The Board placed 24 recommendations into "pending, holding to seek clarity or further information": 3.1, 3.2, 3.3, 4.3, 5.3, 7.1, 7.2, 7.3, 7.5, 9.3, 11.1, 12.1, 12.2, 12.3, 12.4, 13.1, 13.2, 14.2, 17.1, 18.1, 18.2, 18.3, 20.1 and 24.1.
The Board committed to resolve the pending status of these 34 recommendations and to take appropriate action on the pending recommendations, subsequent to the completion of intermediate steps, as identified in the 22 July 2021 Scorecard. The expected actions range from: ICANN org conducting analysis and identifying gaps or coordinating efforts in particular areas of work, engagement with community or SSR2 Implementation Shepherds for additional clarification and providing reports on related work done to date. This proposed action focuses on three recommendations (5.4, 19.1 and 19.2) of the category, "pending, likely to be approved once further information is gathered to enable approval".

What is the proposal being considered?

The proposal is in furtherance of resolution 2021.07.21.11, which placed SSR2 34 recommendations in pending status. The Board is being asked to take action on three of the SSR2 pending recommendations:

Recommendation 5.4 calls for ICANN org to "reach out to the community and beyond with clear reports demonstrating what ICANN org is doing and achieving in the security space including information describing how ICANN org follows continually improving best practices and process to manage risks, security and vulnerabilities."
Recommendations 19.1 and 19.2 state that ICANN org should "complete the development of a suite for DNS resolver behavior testing" and "ensure that the capability to continue to perform functional testing of different configurations and software versions is implemented and maintained."
ICANN org engaged with the SSR2 Implementation Shepherds and analyzed their responses to inform Board action. With its action on 22 July 2021, the Board directed ICANN org to engage with SSR2 Implementation Shepherds to get clarification on certain recommendations. The details of the engagement are available via the publicly archived email list (see SSR2 Implementation Shepherd workspace). The SSR2 Board Caucus considered this input and ICANN org assessment in developing their recommended Board action.

ICANN org has informed the SSR2 Board Caucus that it requires additional time to continue addressing the 31 remaining pending recommendations, and will continue to provide regular updates on progress towards Board action.

Which stakeholders or others were consulted?

In assessing the SSR2 Pending Recommendations, the SSR2 Board Caucus reached out to the SSR2-RT Implementation Shepherds. Implementation Shepherds are former review team members who volunteered to be a resource to provide the Board with clarifications as needed on the intent behind recommendations, the SSR2-RT's rationale, facts leading to the SSR2-RT's conclusions, its envisioned timeline, and/or the SSR2-RT's consideration of what successful measures of implementation could look like. The SSR2 Board Caucus and ICANN org have engaged with the SSR2-RT Implementation Shepherds since the review team concluded its work as detailed on the dedicated wiki page.

Rationale Supporting Board Action on Individual Recommendations

Recommendation the Board approves

The Board approves one recommendation: 5.4 as specified in the Scorecard: SSR2 Pending Recommendations-Board Action 1 May 2022. This recommendation is consistent with ICANN's Mission, serves the public interest, and falls within the Board's remit.

Recommendation 5.4 calls for ICANN org to "reach out to the community and beyond with clear reports demonstrating what ICANN org is doing and achieving in the security space including information describing how ICANN org follows continually improving best practices and process to manage risks, security and vulnerabilities." While the Board felt the implementation of the recommendation appeared feasible, the Board needed clarification on several elements of this recommendation in order to accurately assess resource requirements and enable approval. For example, the required granularity of the reports expected by the SSR2 Review Team, and what entities the SSR2 Review Team envisioned ICANN org report out to "beyond" the ICANN community were not clear. The Board directed the ICANN President and CEO, or his designee(s) to seek clarifications from the SSR2 Implementation Shepherds on elements of this recommendation that were not clear such as those noted above.

Further clarification from the SSR2 Implementation Shepherds on the granularity of reports and the frequency of publications was received on 10 January 2022. The clarifications received from the Implementation Shepherds confirmed that ICANN org should seek the disclosure of additional details within audit reports, with an annual reporting cadence.

The Board therefore approves this recommendation with a direction to the ICANN President and CEO to engage in discussion with any firm producing an audit for ICANN to implement appropriate additional disclosures within the publicly available reports, implementation is subject to prioritization and costing

Recommendation the Board rejects

The Board rejects two recommendations: 19.1, 19.2.

Recommendations 19.1 and 19.2 state that ICANN org should "complete the development of a suite for DNS resolver behavior testing" and "ensure that the capability to continue to perform functional testing of different configurations and software versions is implemented and maintained." Upon first inspection, ICANN org determined that this recommendation was feasible to implement, thus it was put into the "Pending, likely to be approved" category. However, upon receipt of clarification of the scope of recommendation 19.1 to extend resources to maintain the existing ICANN testbed in perpetuity for public use, and broadening ICANN's testbed as recommended in 19.2, to implement functional testing of different configurations and software versions goes beyond ICANN's remit.

The Board is in alignment with ICANN org's assessment that ICANN does not have a role in setting standards for DNS resolvers, and therefore rejects these recommendations that require ICANN to commit resources to continue or enhance existing resolver testbeds for public use.

Additionally, the Board notes that even though these recommendations are being rejected, ICANN org does and will continue to build and use resolver testbeds, when appropriate to further ICANN's mission, as well as to assess aspects of DNS resolver behavior as it applies to ICANN org's remit.

What concerns or issues were raised by the community?

Within the Staff Report of Public Comment Proceeding (PCP) on the SSR2 Final Report, recommendation 5.4 was generally supported by commenters, as no commenters specifically noted objections or concerns. Recommendations 19.1 and 19.2 received support from several commenters by way of their overarching support for all recommendations in the SSR2 Final Report. Several commenters objected to the grouping of recommendations on the basis that they believe the recommendations ask for ICANN to act outside of its remit.

By way of their overarching support for all recommendations in the SSR2 Final Report, International Trademark Association (INTA), Business Constituency (BC), At-Large Advisory Committee (ALAC), and Intellectual Property Constituency (IPC) supported this grouping of recommendations as-is.

RySG, i2Coalition, and RrSG expressed concerns that they believe this grouping of recommendations is outside of ICANN's remit, and as such do not support this grouping of recommendations. For example, RySG notes "the report fails to explain why the development of the DNS Regression Test Suite is a requirement of ICANN org. Similar to the context for Recommendation 18, it is reasonable for ICANN to track and report on the behavior of DNS resolvers since they are a significant client of the DNS services that registries are required to support. However, the RySG considers making this obligation or requirement of ICANN out of scope and objects to Recommendation 19." Afnic offers its full support to the RySG comment.

The above noted concerns and issues, along with specific concerns on individual recommendations, have been considered by the Board in reaching its decision.

What significant materials did the Board review?

In assessing and considering the pending SSR2 recommendations, the Board considered input from SSR2 Implementation Shepherds in addition to various significant materials and documents, including Scorecard -SSR2 Pending Recommendations the Report of Public Comments on the Final Report, and the ICANN org Detailed Assessment on Pending SSR2 Recommendations.

Prioritization of approved recommendations

Prioritization of ICANN's work is a targeted outcome of the Planning at ICANN Operating Initiative in ICANN's FY22-26 Operating Plan. It includes the design and implementation of a planning prioritization framework as part of the annual planning cycle. All Board-approved recommendations are subject to prioritization efforts. ICANN's planning process involves close collaboration among the community, Board, and organization to prioritize and effectively implement ICANN's work while ensuring accountability, transparency, fiscal responsibility, and continuous improvement. This robust planning process and the resulting plans help to fulfill ICANN's Mission.

Are there positive or negative community impacts?

Taking action on the SSR2 recommendations will contribute to ensuring ICANN meets its commitments relative to the Bylaws-mandated reviews and the role they play in ICANN's accountability and transparency, as well as enhancing the security, stability, and resiliency of the DNS. Additionally, the Board action on the recommendations will have a positive impact on the continuous improvement of ICANN as a whole. Approved recommendations are consistent with ICANN's Mission and serve the public interest. The Board does not foresee any potential negative community impacts as part of its action. Additional impacts resulting from further actions on recommendations will be assessed at that time.

Are there fiscal impacts or ramifications on ICANN (strategic plan, operating plan, budget); the community; and/or the public?

For the recommendation that the Board approves, the implementation is subject to prioritization, risk assessment and mitigation, costing and implementation considerations, which will provide a further view of the fiscal impact. It is expected that any recommendations that require incremental resources should be included into operational planning and budgeting processes, allowing for appropriate community consideration and prioritization, as applicable, of planned work.

Are there any security, stability or resiliency issues relating to the DNS?

By nature of the SSR2 Review, implementation of the recommendations may impact how ICANN meets its security, stability, stability, and resiliency commitments. The Board considered this potential impact as part of its deliberations. Approved recommendation is consistent with ICANN's Mission, serves the public interest, and falls within the Board's remit.

Is this decision in the public interest and within ICANN's mission?

This action is in the public interest as it is a fulfillment of an ICANN Bylaw, as articulated in Section 4.6. It is also within ICANN's Mission and mandate. ICANN's reviews are an important and essential part of how ICANN upholds its commitments.

Is this either a defined policy process within ICANN's Supporting Organizations or ICANN's Organizational Administrative Function decision requiring public comment or not requiring public comment?

The Board initiated a Public Comment Proceeding on the SSR2 Final Report, opened 28 January 2021 and closed on 8 April 2021.