Approved Resolutions | Special Meeting of the ICANN Board | 16 November 2022

Rationale for Resolution 2022.11.16.01

Article 7, Section 7.2 and Article 14 of the ICANN Bylaws call for the Board to appoint the Board Chair, Board Vice Chair, and chairmanship and membership of each Board Committee. Maarten Botterman brings valuable skills and experience to the Organizational Effectiveness Committee. Maarten has been a member of the Board since 2016, during which time he served as the Board Chair from 2019 to 2022.

The appointment of the Board Committee membership is consistent with ICANN's Mission and is in the public interest as it is important to ensure that the Board and its Committees have the properly skilled expertise to carry forth ICANN's Mission, Commitments and Core Values. This decision will have no direct fiscal impact on the organization and no impact on the security, stability, or resiliency of the domain name system.

This is an Organizational Administrative Function that does not require public comment.

Rationale for Resolution 2022.11.16.02

ICANN org conducted a cross functional assessment of the 45 prioritized recommendations, which included the development of an implementation plan identifying the resources required to complete the implementation of each recommendation. Fifteen functions across the organization were identified as having roles in the implementation of the prioritized Board-approved recommendations that require staff and external resources to complete. The one-time effort of implementation will cost US$5,800,000 and take approximately one year to complete. The funding for this effort is being requested through the SFICR since it requires additional effort and resources above and beyond the annual plan and budget. The SFICR was established to support increasing the capacity of the organization to address activities and projects not currently included in the organization's historical expenses or current budget. All ongoing efforts to maintain service levels and review requirements, after initial implementation, will be incorporated into ICANN org's annual plan and budget.

This action is consistent with ICANN's mission and is in the public interest as it is important to ensure that Specific and Organization Reviews are implemented according to ICANN's Bylaws and that a healthy multistakeholder model is supported. Furthermore, the SFICR was created to fund projects, as approved by the Board, when the size, complexity, and length of the projects create a challenge to be solely funded by recurring funding. The SFICR will fund projects based on the public interest of the community that would otherwise go unbudgeted.

This action will not have a negative financial impact on ICANN, as funding has already been accounted for with the establishment of the SFICR. In addition, this action is intended to have a positive impact on the security, stability, or resiliency of the domain name system.

This is an Organizational Administrative Function that does not require public comment.

Rationale for Resolution 2022.11.16.03

As part of ICANN's Investment Policy, the Operating Fund should be at a level of funds to cover a minimum of three months of ICANN organization's operating expenses, and that any amount determined to be in excess may be transferred to the Reserve Fund to ensure its balance is at or above the minimum target level, as determined and approved by the Board.

ICANN organization has evaluated the balance of the Operating Fund as of 30 June 2022 on the basis of its unaudited Financial Statements and has determined that excess funds of US$19,000,000 should be transferred to the Reserve Fund.

This action is consistent with ICANN's mission and is in the public interest as it is important to ensure stability of ICANN organization in the way of a robust Reserve Fund in case use of a Reserve Fund becomes necessary.

This action will not have a financial impact on ICANN, and will not have an impact on the security, stability, or resiliency of the domain name system.

This is an Organizational Administrative function that does not require public comment.

Rationale for Resolutions 2022.11.16.04

On 23 June 2019, the Board adopted the ICANN Strategic Plan for Fiscal Years 2021 to 2025 and directed that as part of the ongoing annual planning cycle with the community, new trends or shifts in existing trends be factored into the annual iteration of ICANN's plans as appropriate. These efforts are conducted through the strategic outlook program.

The Strategic Outlook program is conducted annually to ensure ICANN has a consistent way to: identify and track trends; prepare for opportunities; mitigate or avoid challenges; and inform strategic and operational planning.

It is a joint effort between the ICANN organization, the community, and the ICANN Board to engage on emerging or evolving trends that affect ICANN. Trends indicate general directions in which things are developing or changing, that have or could have an impact on ICANN, its mission, its operations, or its ecosystem. Trends can be internal or external, organization-specific, community-related, or go beyond ICANN's ecosystem as ICANN does not operate in a vacuum.

ICANN org finds the exercise to be beneficial to help surface opportunities and challenges that lay ahead, review the adopted Strategic Plan, inform the annual operating planning.

Between February and April 2022, ICANN org convened 13 strategic outlook trends identification sessions with 261 participants from the community, Board and the organization, resulting in 1,016 data points collected. Community sessions outputs have been published on the Strategic Planning page of the icann.org website.

Between May and October 2022, the Board Strategic Planning Committee, as supported by ICANN org, reviewed the analysis of the trend session data inputs received, which included trends, risks, opportunities, and potential impacts on ICANN. The details of this analysis and associated recommendations have been documented in the ICANN Strategic Outlook FY24 Trends Report.

On the basis of the analysis of the data collected in these trends identification sessions, the Board Strategic Planning Committee recommends keeping the ICANN Strategic Plan for Fiscal Years 2021 to 2025 unchanged, with no restatement of the Strategic Plan needed at this time.

Though the recommendation is for the Strategic Plan to remain unchanged, the items highlighted and reflected in the Trend Report are still of urgency within ICANN, and both the Board and the org are working diligently to address them from both strategic and operational lenses. Where appropriate, the ongoing efforts to address the trends are highlighted within the Trend Report.

This resolution is not expected to have a fiscal impact on ICANN, though the changes anticipated to ICANN's Operating Plan might have an impact once approved. This action is expected to have a positive impact on the security, stability and resiliency of the domain name system (DNS) as it continues to support ICANN's strategic work in this area.

This resolution serves ICANN's mission in ensuring a secure and stable operation of the Internet's unique identifier systems. The ICANN Strategic Plan for Fiscal Years 2021-2025 builds upon ICANN's mission so that it may continue to effectively fulfill its aims and meet new and continuously evolving challenges and opportunities.

This resolution is in the public interest as the Strategic Plan guides ICANN's activities and informs ICANN's operating plans and budgets to fulfill its mission in fiscal years 2021 through 2025. The Strategic Plan serves the public interest by articulating the path towards a new vision to be a champion of the single, open, and globally interoperable Internet. The Strategic Plan complies with ICANN's commitments and is guided by ICANN's core values.

This is an Organizational Administrative Function that has been subject to community consultation as noted above and is not requiring further public comment.

Rationale for Resolutions 2022.11.16.05 – 2022.11.16.06

Why is the Board addressing the issue?

The Security, Stability, and Resiliency (SSR) Review is one of the four Specific Reviews anchored in Article 4, Section 4.6 of the ICANN Bylaws. Specific Reviews are conducted by community-led review teams, which assess ICANN's performance in fulfilling its commitments. Reviews are critical to maintaining an effective multistakeholder model and helping ICANN achieve its mission, as detailed in Article 1 of the Bylaws. Reviews also contribute to ensuring that ICANN serves the public interest. The SSR2 Review is the second iteration of the SSR Review and relates to key elements of ICANN's Strategic Plan. As stated in the Bylaws, the Review focuses on the assessment of:

• "security, operational stability and resiliency matters, both physical and network, relating to the coordination of the Internet's system of unique identifiers;
• conformance with appropriate security contingency planning framework for the Internet's system of unique identifiers;
• maintaining clear and globally interoperable security processes for those portions of the Internet's system of unique identifiers that ICANN coordinates".

The SSR2 Review also assesses the extent to which ICANN has successfully implemented its security efforts, as well as their robustness and effectiveness to deal with actual and potential challenges and threats to the security, stability and resiliency of the DNS, consistent with ICANN's mission.

In its action on 22 July 2021, the Board placed 34 recommendations from the SSR2 Review Team Final Report into one of the three pending statuses: pending, likely to be approved once further information is gathered to enable approval; pending, holding to seek clarity or further information; pending, likely to be rejected unless additional information shows implementation is feasible. The Board committed to take further action on these recommendations subsequent to the completion of steps as identified in the July 2021 Scorecard. On 1 May 2022, the Board took action to address three of the 34 recommendations. With clarifications received from the SSR2 Implementation Shepherds and the org's associated feasibility assessment, 21 additional pending recommendations are now ready for Board consideration.

What is the proposal being considered?

The proposal is in furtherance of resolution 2021.07.21.13, which placed SSR2 34 recommendations in pending status. As directed by the Board in its 22 July 2021 action, ICANN org produced an assessment that gathered relevant information, including clarification received from the SSR2 Implementation Shepherds, to inform subsequent Board consideration.

Today, the Board takes action on 21 pending recommendations and notes that additional time is required to continue addressing the 10 remaining, pending recommendations. ICANN org will continue to provide regular updates to the Board on progress toward addressing open items.

Recommendations that the Board approves as fully implemented.

In consideration of the assessment, the Board approves Recommendations 3.2, 3.3, 7.1, 7.2, 7.3, 11.1, 24.1 as fully implemented, as stated in the 16 November 2022 Scorecard. For each of these, the Board directs ICANN org to produce implementation documentation to assist the subsequent SSR review team with its assessment work.

Recommendations 3.2 suggests that budget items related to the performance of SSR functions be linked to ICANN Strategic Plan goals and objectives, while Recommendation 3.3 calls for transparency and opportunity to comment on SSR budgeting. Recognizing the existing transparency and public comment framework around the organization's planning and budgeting cycle, the Board notes Recommendations 3.2 and 3.3 as fully implemented and encourages ICANN org to continue enhancing its periodic communication on SSR activities as part of its work and operations. See 16 November 2022 Scorecard for more information.

Recommendations 7.1, 7.2, 7.3 pertain to Business Continuity (BC) and Disaster Recovery (DR) plans. ICANN org follows the Contingency Planning Guide for Federal Information Systems (NIST SP 800-34 Rev 1) which is a more integrated approach with, and given, ICANN org's existing plans and processes. The Board notes the SSR2 Implementation Shepherds' confirmation that "the NIST Cybersecurity Framework [...] is a reasonable alternative [...]." Consequently, the Board approves Recommendations 7.1, 7.2, 7.3 as fully implemented, as detailed in the 16 November 2022 Scorecard.

Recommendation 11.1 pertains to the access to Centralized Zone Data Service (CZDS) data. Based on clarification received from the SSR2 Implementation Shepherds and data provided by ICANN org in the assessment (volume of complaints), the Board believes that the ongoing and completed work to date, conducted to address SAC097, meets the requirements of Recommendation 11.1. See 16 November 2022 Scorecard for more information.

Recommendation 24.1 asks ICANN org to perform end-to-end testing of the full Emergency Back-end Registry Operator (EBERO) and to publish the results.

Based on clarification received from the SSR2 Implementation Shepherds, the Board notes that testing is not intended to be conducted on currently active TLDs. In ICANN org agreements with the EBERO service providers, there is a provision which allows for EBERO readiness exercises to be conducted annually. The Board believes that the existing agreements, including provisions for readiness exercises, as well as past tests, meet the requirements and success measures of this recommendation. As detailed in the 16 November 2022 Scorecard the Board approves Recommendation 24.1 and notes it as fully implemented.

Recommendations the Board approves subject to prioritization.

The Board approves Recommendations 5.3 and 7.5 subject to prioritization, risk assessment and mitigation, as well as costing and implementation considerations.

Recommendation 5.3 recommends ICANN org to "require external parties providing services to ICANN org to be compliant with relevant security standards, and to document their due diligence regarding vendors and service providers." ICANN org's Engineering & Information Technology (E&IT) function already requires all appropriate vendors and service providers to have a risk assessment performed and documented to meet ICANN org's needs as instructed by industry-standard practices.

The Board notes that to complete this recommendation, ICANN org, when renegotiating its one-year based contracts with external service-provider parties, would need to include a clause on compliance with relevant security standards. The Board approves Recommendation 5.3, as noted in the 16 November 2022 Scorecard, subject to prioritization, risk assessment and mitigation, costing and implementation considerations.

Recommendation 7.5 calls for publishing a summary of overall BC and DR plans to improve transparency, and taking steps to verify compliance with these plans. The Board directs org to publish current appropriate summary information of the established Contingency and Continuity Plan (CCOP) and the Disaster Recovery (DR) Plan which covers all ICANN systems, and which are tested annually by ICANN org. As detailed in the 16 November 2022 Scorecard, the Board approves Recommendation 7.5 subject to prioritization, risk assessment and mitigation, costing and implementation considerations.

Recommendations that the Board rejects because they cannot be approved in full.

The Board notes that, while some portions of the recommendation could be feasible, and in some cases, work is already underway, there are limitations imposed by other portions of the same recommendation that impact feasibility. While the Board agrees in principle with the intent of many of these recommendations, the Board does not have the option of selectively approving some parts and rejecting other parts of a single, indivisible community recommendation and must act on a recommendation as written and not as interpreted by ICANN org or the Board. Actions with which the Board agrees in principle would not be tracked as part of the implementation of SSR2 recommendations.

The detailed rationale for each recommendation sets out the specific reasons for the Board's rejection.

The Board rejects Recommendations 20.1 and 20.2 as documented in the 16 November 2022 Scorecard. While the Board agrees with some elements of 20.1 and 20.2 (such as procedures and activities for future key rollovers), the Board does not have the option of selectively approving some parts and rejecting other parts of a single, indivisible community recommendation.

Recommendation 20.1 calls for ICANN org to establish a formal procedure, supported by a formal process modeling tool and language, to specify the details of future key rollovers. The recommendation suggests a novel model that cannot be implemented with existing resources and expertise. The Board notes that ICANN org had proposed an alternative process that would still contain evaluation checkpoints. The SSR2 Implementation Shepherds pointed to research done in the medical field, noting that it could be replicated in the DNSSEC Root Key management, without providing evidence of this approach having been researched or used in fields with direct applicability to the org's processes. The Board does not recommend developing such a complex and specific model based on speculative outcomes that were not researched in the DNSSEC Root Key Management and, as a result, rejects Recommendation 20.1.

The Board notes that rejecting Recommendation 20.1 impacts the feasibility of Recommendation 20.2 that calls for ICANN org to create a group of stakeholders involving relevant personnel (from ICANN org or the community) to periodically run table-top exercises that follow the Root Key Signing Key (KSK) rollover process.

The Board notes that FY24 IANA Operating Plan & Budget identified the next key rollover as one of its operating priorities.

Recommendations that the Board rejects

The Board rejects Recommendations 3.1, 4.3, 6.1, 6.2, 7.4, 16.2, 16.3, 18.1, 18.2, 18.3, as documented in the 16 November 2022 Scorecard.

Recommendations 3.1 pertains to responsibilities of the C-Suite position. As the implementation of Recommendation 3.1 relies on Recommendation 2 that the Board rejected in July 2021, Recommendation 3.1 cannot be approved.

Recommendation 4.3 calls for ICANN org to appoint a person in charge of security risk management that will report to the C-Suite Position.

The Board notes that org has a Risk Management department as well as a Risk Management Framework which creates a holistic view of the most significant risks to the organization's mission, unifies risk management activities across the organization and provides assurance to Executive Management and the Board that the organization is operating safely in support of ICANN's mission. Additionally, ICANN org has a Board adopted Risk Appetite Statement which articulates the level of risk which ICANN org is willing to take and retain on a broad level to fulfill its mission. The Board also notes that the Committee of Sponsoring Organisations (COSO) framework applied by org for risk management activities is appropriate for ICANN's needs.

As the recommendation feasibility depends on Recommendation 2, the Board rejects Recommendation 4.3.

Recommendations 6.1 and 6.2 pertain to promotion of voluntary adoption of SSR best practices and objectives for vulnerability disclosures by the contracted parties, and to the implementation of coordinated vulnerability disclosure reporting.

While supporting the continued efforts of all parties to adopt Best Common Practices (BCPs) and encouraging ICANN org to promote initiatives that support and encourage voluntary adherence to current BCPs, the Board notes that parts of both recommendations call for changes to contracted party agreements which would be a matter of policy or a result of voluntary negotiations between ICANN org and contracted parties.

Therefore, for the aforementioned considerations the Board rejects Recommendations 6.1 and 6.2.

Recommendation 7.4 calls for ICANN org to establish a new site for Disaster Recovery (DR) for all the systems owned by or under the ICANN org purview with the goal of replacing either the Los Angeles or Culpeper sites or adding a permanent third site.

The Board notes that the SSR2 Implementation Shepherds clarified that the scope of Recommendation 7.4 was strictly the key management facilities for the DNSSEC Root KSK, and that the main objective was to provide diversity of the jurisdiction of the facilities. The Board cannot justify the cost of building and maintaining an additional key management facility, knowing the level of required effort and constraints, as the possible benefit seems to be based on a perception that new non-U.S. physical construction would enhance diversity and address disaster recovery scenarios in a meaningful way.

Therefore, for the aforementioned considerations the Board rejects Recommendation 7.4.

Recommendation 16.2 relates to the creation of specialized groups within the contract compliance function that understand privacy requirements and principles and that can facilitate law enforcement needs under the Registration Directory Service (RDS) framework. Recommendation 16.3 calls for ICANN org to conduct periodic audits on registrar privacy policies.

The Board notes that ICANN org's Contractual Compliance already has subject matter experts in multiple areas, including those enumerated by the recommendation, who contribute to policy development when requested by the ICANN community.

The SSR2 Implementation Shepherds' feedback indicates that these specialized groups should require registrars to publish their privacy policies and procedures, and track them. ICANN org agreements with registries and registrars do not specifically require registrars to have "privacy policies." The Board finds that this part of Recommendation 16.2 would be a matter of policy or a result of voluntary negotiations between ICANN org and contracted parties, and not something ICANN org or Board can unilaterally impose. With respect to Recommendation 16.3, ICANN org's Contractual Compliance cannot carry out any audit on or enforce compliance with something that is not an ICANN contractual requirement.

Therefore, for the aforementioned considerations the Board rejects Recommendations 16.2 and 16.3.

Recommendations 18.1, 18.2 and 18.3 call for ICANN org to track developments in the peer-reviewed research community and to publish a report for the ICANN community summarizing implications of publications that are relevant to ICANN org or contracted party behavior, and including recommendations for actions and additional studies.

The Board acknowledges that ICANN org is already taking appropriate measures to ensure that any emerging or evolving technology within ICANN's scope is evaluated appropriately and followed up on as needed. The Board supports the idea of continuing to follow such emerging or evolving technologies and invites the community to raise awareness of any such technology or protocol that they feel ICANN org should pay particular interest.

The Board notes that there are organizations and research communities that already perform many of the actions as described in the recommendations. The Board determined that the benefits do not outweigh the costs for ICANN org to act as a proxy to the work of those organizations and communities.

Finally, the Board wishes to highlight that the recommendations, as written, call for unbound work which is deemed as a critical element for their implementation. The list of places to monitor for these conceptual papers is exhaustive and beyond the list of the examples in the recommendation. ICANN org focuses its work on protocols and technologies that are implementable, have a potential impact on the ICANN ecosystem, and are within the narrow scope of the ICANN mission.

Therefore, for the aforementioned considerations the Board rejects Recommendations 18.1, 18.2 and 18.3.

Which stakeholders or others were consulted?

The SSR2 Final Report was published for public comment and the Board received feedback as part of that process. See Public Comment on Final Report. Additionally, ICANN org consulted the SSR2 Implementation Shepherds through its dedicated mailing-list. See workspace for more information.

What significant materials did the Board review?

In addition to clarification provided by the SSR2 Implementation Shepherds, the Board considered various significant materials and documents, including the July 2021 Scorecard, the Staff Report of Public Comment Proceeding on Second Security, Stability, and Resiliency (SSR2) Review Team Final Report, the July 2021 assessment ICANN org Assessment, and November 2022 ICANN org assessment.

Are there positive or negative community impacts?

Taking action on 21 SSR2 pending recommendations will contribute to further address the outcome of the SSR2 Specific Review.

Are there fiscal impacts or ramifications on ICANN (strategic plan, operating plan, budget); the community; and/or the public?

For the recommendations the Board approves that require action, their implementation will be subject to prioritization, risk assessment and mitigation, costing and implementation considerations.

Are there any security, stability or resiliency issues relating to the DNS?

By nature of the SSR Review, implementation of any recommendation may impact how ICANN meets its security, stability, and resiliency commitments. The Board considered this potential impact as part of its deliberations.

Is this decision in the public interest and within ICANN's mission?

This action is in the public interest as it is a fulfillment of ICANN Bylaw, as articulated in Section 4.6. It is also within ICANN's mission and mandate. ICANN reviews are an important and essential part of how ICANN upholds its commitments.

Approved recommendations are consistent with ICANN's mission, serve the public interest, and fall within the Board's remit.

Is this either a defined policy process within ICANN's Supporting Organizations or ICANN's Organizational Administrative Function decision requiring public comment or not requiring public comment?

As noted above, public comments were received on the SSR2 Final Report prior to Board consideration of the recommendations. No additional public comment period is required.

Rationale for Resolutions 2022.11.16.07 – 2022.11.16.08

In late February 2020, ICANN organization closed its office doors due to the COVID-19 pandemic. During this time, the org practiced extreme caution and diligence in observing protocols designed to keep ICANN Staff, Board, and Community safe.

Now, almost three years later, ICANN org continues to follow best practices while carefully returning to normal operations. As part of this forward momentum and under the direction of the President and CEO, ICANN org plans to hold the first ICANN Org All-Hands meeting in Los Angeles, California, from 6 to 9 February 2023.

Throughout the fiscal year, all functional teams have budgeted to meet in order to discuss upcoming projects, priorities and key deliverables. In the past, these functional meetings have taken place separately, and although beneficial to maintain staff engagement and understanding of priorities, this meeting is intended to combine these separate meetings and budget, into one for FY23.

The ICANN Org All-Hands meeting will allow for line managers to be set up for success through inspiration, expectation-setting and education the first two days of the event. The final two days will gather all functions of ICANN org to: (i) meet new team members hired during the pandemic; (ii) take part in priority setting activities; (iii) participate in teambuilding and leadership exercises; (iv) explore and collaborate on new opportunities; and (v) review the strategic and operating plans for the coming year.

The Board Finance Committee (BFC) has carried out its standard due diligence in reviewing the proposed spend and has recommended that the Board approve. As part of this diligence, the BFC has reviewed the financial risks associated with the proposed spend and the information provided by the org on the measures in place to mitigate those risks. The BFC has found these financial risks and the mitigation in place reasonable and acceptable.

The Board reviewed the organization's briefing for hosting the 2023 ICANN Org All-Hands meeting in Los Angeles, California, and approved the related costs for the facilities selected for that meeting.

There will be a financial impact to ICANN in hosting this event and providing travel as necessary. However, this fiscal impact can be covered within the existing FY23 approved budget with no to very minimal disruption to the daily operations of ICANN org.

This event supports ICANN's mission as a gathering point to bring the org together to align for the work ahead, have discussions around the org's key objectives and priorities to support the org's mission. This is critical with the key initiatives being prioritized for the coming year(s), to ensure staff engagement and understanding of these priorities, additionally understanding the impacts on the importance of these for the public interest and continuing to fulfill ICANN's mission of a secure and stable internet.

This action will have no impact on the security or the stability of the Domain Name System.

This is an Organizational Administrative function that does not require public comment.