SSAC Review Request for Proposal (RFP): Click here to view
SSAC Review Request for Proposal (RFP) extension: Click here to view
Board Resolution to Initiate SSAC Review: Click here to view
Scope of the Review
As part of ICANN's ongoing commitment to its evolution and improvement, Article IV, Section 4.4 of ICANN's Bylaws contains provisions for “periodic review of the performance and operation of each Supporting Organization, each Supporting Organization Council, each Advisory Committee (other than the Governmental Advisory Committee), and the Nominating Committee […]by an entity or entities independent of the organization under review.”
These periodic reviews present ICANN structures with opportunities for continuous improvement through consistent application of compliance audit principles to objectively measure performance relative to specific and quantifiable criteria developed by ICANN based on the unique nature of its structures. The resulting implementation of improvements and the systematic means of measuring performance and validating effectiveness of implementation are of utmost importance to the ongoing legitimacy of ICANN.
According to Article 12.1 of the ICANN Bylaws: “The Board may create one or more "Advisory Committees" in addition to those set forth in this Article 12. Advisory Committee membership may consist of Directors only, Directors and non-directors, or non-directors only, and may also include non-voting or alternate members. Advisory Committees shall have no legal authority to act for ICANN, but shall report their findings and recommendations to the Board.”
Article 12.2(b) of ICANN Bylaws provides for the Security and Stability Advisory Committee, whose role “is to advise the ICANN community and Board on matters relating to the security and integrity of the Internet's naming and address allocation systems.”
The SSAC is a committee whose members are appointed by the ICANN Board. SSAC appointments are for three-year terms, and there are no limits on the number of terms the chair or members may serve.(see also Article 12 Section 12.2(b) of the ICANN Bylaws and the SSAC Operational Procedures).
(i) The role of the Security and Stability Advisory Committee ("Security and Stability Advisory Committee" or "SSAC") is to advise the ICANN community and Board on matters relating to the security and integrity of the Internet's naming and address allocation systems. It shall have the following responsibilities:
(A) To communicate on security matters with the Internet technical community and the operators and managers of critical DNS infrastructure services, to include the root name server operator community, the top-level domain registries and registrars, the operators of the reverse delegation trees such as in-addr.arpa and ip6.arpa, and others as events and developments dictate. The SSAC shall gather and articulate requirements to offer to those engaged in technical revision of the protocols related to DNS and address allocation and those engaged in operations planning.
(B) To engage in ongoing threat assessment and risk analysis of the Internet naming and address allocation services to assess where the principal threats to stability and security lie, and to advise the ICANN community accordingly. The SSAC shall recommend any necessary audit activity to assess the current status of DNS and address allocation security in relation to identified risks and threats.
(C) To communicate with those who have direct responsibility for Internet naming and address allocation security matters (IETF, RSSAC (as defined in Section 12.2(c)(i)), RIRs, name registries, etc.), to ensure that its advice on security risks, issues, and priorities is properly synchronized with existing standardization, deployment, operational, and coordination activities. The SSAC shall monitor these activities and inform the ICANN community and Board on their progress, as appropriate.
(D) To report periodically to the Board on its activities.
(E) To make policy recommendations to the ICANN community and Board.
Section 4.4 of the Bylaws addresses the periodic review of ICANN’s structures and operations:
The Board shall cause a periodic review of the performance and operation of each Supporting Organization, each Supporting Organization Council, each Advisory Committee (other than the Governmental Advisory Committee), and the Nominating Committee (as defined in Section 8.1) by an entity or entities independent of the organization under review. The goal of the review, to be undertaken pursuant to such criteria and standards as the Board shall direct, shall be to determine (i) whether that organization, council or committee has a continuing purpose in the ICANN structure, (ii) if so, whether any change in structure or operations is desirable to improve its effectiveness and (iii) whether that organization, council or committee is accountable to its constituencies, stakeholder groups, organizations and other stakeholders.
These periodic reviews shall be conducted no less frequently than every five years, based on feasibility as determined by the Board. Each five-year cycle will be computed from the moment of the reception by the Board of the final report of the relevant review Working Group.
The results of such reviews shall be posted on the Website for public review and comment, and shall be considered by the Board no later than the second scheduled meeting of the Board after such results have been posted for 30 days. The consideration 6 by the Board includes the ability to revise the structure or operation of the parts of ICANN being reviewed by a two-thirds vote of all Directors, subject to any rights of the EC under the Articles of Incorporation and these Bylaws.
The outcome of the current review will be factored into ICANN’s strategic planning work and holistic considerations of the ICANN structure.
Scope of Work
1. An assessment of the implementation state of SSAC’s prior review; This includes a status report of the implementations approved by the ICANN Board from the first SSAC Review, and an assessment of the effectiveness of these implementations.
2. An assessment of whether SSAC has a continuing purpose within the ICANN structure; Examination of SSAC’s chartered purpose, to advise the ICANN community and Board on matters relating to the security and integrity of the Internet's naming and address allocation systems, and how well it is fulfilled, will help assess the SSAC’s continuing purpose within the ICANN structure.
3. An assessment of how effectively SSAC fulfills its purpose and whether any change in structure or operations is needed to improve effectiveness, in accordance with the ICANN-provided objective and quantifiable criteria Subject to the scope of the SSAC’s chartered remit (ICANN Bylaws, 12.2(b)), examination of purpose, structure, and operations with respect to the SSAC’s effectiveness, in accordance with ICANN-provided objective and quantifiable criteria
4. An assessment of the extent to which SSAC as a whole is accountable to the wider ICANN community, its organizations, committees, constituencies, and stakeholder groups. Determine if the SSAC is sufficiently accountable regarding security matters according to its chartered mandate to provide advice to the ICANN community and Board, and to engage and communicate with the community on various security matters as detailed in its charter.
The scope of work for this review includes years from 2011 to the present. Any additional areas of exploration during the review are dependent on input from the ICANN Board’s Organizational Effectiveness Committee (OEC) and/or the SSAC Review Work Party. In addition, the SSAC may perform a self-assessment in preparation for, or in parallel with, the independent examiner’s work.
Timeline
July - August 2018 - Request for proposals
February 2018 - Start review
February 2018 - Work plan + timeline
March 2018 - Interview plan
March - April 2018 - Survey(s) plan
June 2018 - Deliver Assessment Report; solicit feedback
September 2018 - Deliver Draft Final Report; solicit feedback
November 2018 - Deliver Final Report; solicit feedback
Background
Current Review
The timing of the current SSAC Organizational Review is in accordance with the July 2015 ICANN Board resolution on Proposed Schedule and Process / Operational Improvements for AoC and Organizational Reviews, setting the second organizational review of the Security and Stability Advisory Committee for 2017/2018. In preparation for the 2017/2018 SSAC Review, the current SSAC established a Review Work Party to serve as a liaison between the independent examiner, the wider Community, the current SSAC and the Organizational Effectiveness Committee of the Board (OEC) who is responsible for the oversight of organizational reviews, including this SSAC Review. The role of the SSAC Review Work Party is to provide input on review criteria and the SSAC assessment, participate in interviews and objectively supply clarification and responses to the Assessment Report and the Final Report as well as any intermediary findings. Once the Final Report is issued, the SSAC Work Party is expected to coordinate with the SSAC to prepare a Feasibility Assessment and Initial Implementaton Plan based on the Final Report. Subsequently both reports will be sent on to the ICANN Board’s OEC for its consideration.
Previous Review
The SSAC Review Working Group formed in June 2008 was charged with addressing recommendations in the independent examiner’s Final Report, to consider named improvements. 10 JAS Consulting was appointed as independent examiner. This was the first SSAC Review, and it focused on how well SSAC performed its function, and whether there were general or specific ways to enhance its effectiveness. The Final Report, summarizing findings from the independent review and containing proposals for action, was published on 15 May 2009. The Public Comment period on Draft Independent Review of the Security and Stability Advisory Committee was open from 20 March 2009 to 22 April 2009. The SSAC Review Working Group (RWG), following a process that is no longer in practice, presented its report for public comment to ensure that the Review Working Group report contained sufficient and accurate information and to advise the Board on the changes recommended for SSAC. Following the 22 April 2009 closing of the public comment period, the Final Report was presented to the ICANN Board on 29 January 2010. The SSAC RWG’s report addressed the 33 recommendations made by the independent examiner, plus nine Working Group conclusions from the SSAC community. Pursuant to its Charter, the report was presented to the Structural Improvements Committee (SIC), currently the Organizational Effectiveness Committee (OEC) of the ICANN Board. After the SIC reviewed the report, and developed implementation steps, the Committee recommended that the ICANN Board Approve them.
The report was adopted in June 2010. The Board resolution can be found here: https://www.icann.org/resources/board-material/resolutions-2010-06-25-en#1.4
The latest details of the implementation of all recommendations from the 2009 Review were published on 18 March 2011. Additional information about the first SSAC Review is available at: https://www.icann.org/resources/reviews/org/ssac
The Final Report of the SSAC Review Working Group is available at: https://www.icann.org/en/system/files/files/ssac-review-wg-final-report-29jan10-en.pdf
The public comment on the RWG-SSAC Review Draft Report, is available at: https://www.icann.org/resources/pages/ssac-review-2009-2009-10-05-en
