Page History
The 22 July 2021, the Board took action on the 63 SSR2 recommendations as issued in the SSR2 Review Team Final Report. As noted in its resolution and specified in the Scorecard titled "Final SSR2 Review Team Recommendations – Board Action” the Board resolved to: The Board’s action on subject to prioritization, risk assessment and mitigation, costing, and implementation considerations.
SSR2 Implementation - Status of 24 Board Approved Recommendations | ||
Complete | ||
1, |
11.1, |
10.1, |
13.2, |
1, |
1, |
23.2, |
In progress | 4 Recommendations 1.1, | |
5. |
4, |
7. |
5, |
21.1, |
22. |
1 | ||
| Not started | Recommendations 22.2, | |
ICANN Org is working on the pending recommendations in groups: 1) pending/likely to be approved, 2) pending/likely to be rejected, and 3) pending/additional clarification and information is needed.
ICANN Org has initiated the Q&A phase on group 1 recommendations, pending/likely to be approved, with the SSR2 Implementation Shepherds, while continuing to work on other pending category recommendations in parallel.
The table below includes information relating to the implementation of Board approved recommendations.
23.1 |
Quarterly Updates |
|---|
| Status | ||||||
|---|---|---|---|---|---|---|
|
Progress by Quarter
|
|
|
|
|
|
|
|
|
Q2 2024 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Complete | 2 | 2 | 2 | 10 | 11 | 12 | 13 | 13 | 16 | 17 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| In progress | 0 | 5 | 6 | 6 | 7 | 8 | 8 | 8 | 6 | 5 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Not started | 12 | 7 | 6 | 7 | 5 | 3 | 3 | 3 | 2 | 2 |
Rec # | Implementation Status | Priority level assigned by the community (where P1 corresponds to the highest priority and P4 to the lowest - see here for more information) | Description | Notes |
1.1 | In progress | P4 | The ICANN Board and ICANN org |
Rec #
Status
Description
Implementation Update as of 17 February 2022
1.1
Not started
should perform a further comprehensive review of the SSR1 recommendations and execute a new plan to complete the implementation of the SSR1 Recommendations (see Appendix D: Findings Related to SSR1 Recommendations) | N/A |
| 3. |
Completed
| 2 | Complete | N/A | The ICANN Board and ICANN org should ensure specific budget items relating to ICANN org’s performance of SSR related functions are linked to specific ICANN Strategic Plan goals and objectives. ICANN org should implement those mechanisms through a consistent, detailed, annual budgeting and reporting process. | See implementation documentation. |
| 3.3 | Complete | N/A | The ICANN Board and ICANN org should create, publish, and request public comment on detailed reports regarding the costs and SSR-related budgeting as part of the strategic planning cycle. | See implementation documentation. |
4.1 | Complete | N/A | ICANN org should |
continue centralizing its risk management and clearly articulate |
its Security Risk Management Framework and ensure that it aligns strategically with the organization’s requirements and objectives. |
ICANN org should describe relevant measures of success and how to assess them. |
5.1 |
Not started
Complete | N/A | ICANN |
org should implement an ISMS and be audited and certified by a third party along the lines of industry security standards (e.g., ITIL, |
ISO 27000 family, SSAE-18) for its operational responsibilities. The plan should include a road map and milestone dates for obtaining certifications and noting areas that will be the target of continuous improvement. |
5.2 |
Complete | N/A | Based on the ISMS, |
ICANN org should put together a plan for certifications and training requirements for roles in the organization, track completion rates, provide rationale for their choices, and document how the certifications fit |
into ICANN org’s security and risk management strategies. | ||||
| 5.3 | Complete | P2 | ICANN org should require external parties that provide services to ICANN org to be compliant with relevant security standards and document their due diligence regarding vendors and service providers. | See implementation documentation. |
5.4 | In progress | P4 | ICANN org should reach out to the community and beyond with clear reports demonstrating what ICANN org is doing and achieving in the security space. These reports would be most beneficial if they provided information describing how ICANN org follows best practices and mature, continually-improving processes to manage risk, security, and vulnerabilities. | N/A |
| 7.1 | Complete | N/A | ICANN org should establish a Business Continuity Plan for all the systems owned by or under the ICANN org purview, based on ISO 22301 "Business Continuity Management," identifying acceptable BC and DR timelines. | See implementation documentation. |
| 7.2 | Complete | N/A | ICANN org should ensure that the DR plan for Public Technical Identifiers (PTI) operations (i.e., IANA functions) includes all relevant systems that contribute to the security and stability of the DNS and also includes Root Zone Management and is in line with ISO 27031. ICANN org should develop this plan in close cooperation with the Root Server System Advisory Committee (RSSAC) and the Root Server Operators (RSO). | See implementation documentation. |
| 7.3 | Complete | N/A | ICANN org should also establish a DR Plan for all the systems owned by or under the ICANN org purview, again in line with ISO 27031. | See implementation documentation. |
| 7.5 | In progress | P4 | ICANN org should publish a summary of their overall BC and DR plans and procedures. Doing so would improve transparency and trustworthiness beyond addressing ICANN org’s strategic goals and objectives. ICANN org should engage an external auditor to verify compliance with these BC and DR plans. | N/A |
9.1 | Complete |
N/A | The ICANN Board should direct the compliance team to monitor and strictly enforce the compliance of contracted parties to current and future SSR and abuse related obligations in contracts, baseline agreements, temporary specifications, and community policies. |
10.1 | Complete |
Not started
P1 | ICANN org should post a web page that includes their working definition |
of DNS abuse, i.e., what it uses for projects, documents, and contracts. The definition should explicitly note what types of security |
threats ICANN org currently considers within its remit to address through contractual and compliance mechanisms, as well as |
those ICANN org understands to be outside its remit. |
If ICANN org uses other similar terminology—e.g., security threat, malicious |
conduct—ICANN org should include both its working definition of those terms and precisely |
how ICANN org is distinguishing those terms |
from DNS abuse. This page should include links to excerpts of all current abuse-related obligations in contracts with contracted parties, including any procedures and protocols for responding to abuse. |
ICANN org should update this page annually, date the latest version, and link to older versions with associated dates of publication. | ||||
| 11.1 | Complete | N/A | The ICANN community and ICANN org should take steps to ensure that access to CZDS data is available, in a timely manner and without unnecessary hurdles to requesters, e.g., lack of auto-renewal of access credentials. | See implementation documentation. |
13.2 | Complete | N/A | ||
16.1 | Complete |
Not started
P3 | ICANN org |
should provide consistent cross-references across their website to provide cohesive and easy-to-find information on all actions—past, present, and planned—taken on the topic of privacy and data stewardship, with particular attention to the information around the RDS. |
21.1 |
Not started
In progress | P1 | ICANN org and PTI operations should accelerate the implementation of new RZMS security measures regarding the authentication and authorization of requested changes and |
offer TLD operators the opportunity to take advantage of those security measures, particularly MFA and encrypted email. | N/A |
22.1 |
In progress | P4 | For each service |
that ICANN org has authoritative purview over, including root-zone |
and gTLD-related services as well |
as IANA registries, ICANN org should create a list of statistics and metrics that reflect the operational status (such as availability and responsiveness) of that service, and publish a directory of these services, data sets, and metrics on a single page on the icann.org web site, such as under the Open Data Platform. |
ICANN org should produce measurements for each of these services as summaries over both the previous year and longitudinally (to illustrate baseline behavior). | N/A | |
22.2 | Not started | P4 |
ICANN org should request community feedback annually on the measurements. That feedback should be considered, publicly summarized after each report, and incorporated into follow-on reports. The data and associated methodologies used to measure these reports’ results should be archived and made publicly available to foster reproducibility. | N/A | ||
23.1 | Not started | P3 | PTI operations should update |
the DNSSEC Practice Statement (DPS) to allow the transition from one digital signature algorithm to another, including an anticipated transition from the RSA digital signature algorithm to other algorithms or to future post-quantum algorithms, which provide the same or greater security and preserve or improve the resilience of |
the DNS. | N/A |
23.2 |
Complete | P1 | As a root DNSKEY algorithm rollover is a very complex and sensitive process, PTI operations should work with other root zone partners and the global community to develop a consensus plan for future root DNSKEY algorithm rollovers, taking into consideration the lessons learned from the first root KSK rollover in 2018. | Implementation documentation in progress. | |
| 24.1 | Complete | N/A | ICANN org should coordinate end-to-end testing of the full EBERO process at predetermined intervals (at least annually) using a test plan that includes datasets used for testing, progression states, and deadlines, and is coordinated with the ICANN contracted parties in advance to ensure that all exception legs are exercised, and publish the results. | See implementation documentation. |
24.2 |
Not started
In progress | P4 | ICANN org |
should make the Common Transition Process Manual easier to find by providing links on |
the EBERO website. |
