Preliminary Report | Special Meeting of the ICANN Board | 16 November 2022
Formal Minutes are still to be approved by the ICANN Board.
Note: This Preliminary Report has not been approved by the Board and does not constitute minutes. It does set forth the unapproved reporting of the resolutions from that meeting. Details on voting and abstentions will be provided in the Minutes, when approved at a future meeting.
NOTE ON ADDITIONAL INFORMATION INCLUDED WITHIN PRELIMINARY REPORT – ON RATIONALES – Where available, a draft Rationale for each of the Board's actions is presented under the associated Resolution. A draft Rationale is not final until approved with the minutes of the Board meeting.
A Special Meeting of the ICANN Board of Directors was held telephonically on 16 November 2022, at 15:00 UTC.
Tripti Sinha, Chair, promptly called the meeting to order.
In addition to the Chair, the following Directors participated in all or part of the meeting: Alan Barrett, Becky Burr, Edmon Chung, Sarah Deutsch, Avri Doria, Danko Jevtović (Vice Chair), Christian Kaufmann, Göran Marby (President and CEO), Patricio Poblete, Sajid Rahman, León Sánchez, Katrina Sataki, and Matthew Shears.
The following Board Directors sent their apologies: Chris Chapman.
The following Board Liaisons participated in all or part of the meeting: Harald Alvestrand (IETF Liaison), Manal Ismail (GAC Liaison), James Galvin (SSAC Liaison), and Wes Hardaker (RSSAC Liaison).
Secretary: John Jeffrey (General Counsel and Secretary).
The following ICANN Executives and Staff participated in all or part of the meeting: Michelle Bright (Board Content Coordination Director), Xavier Calvez (SVP, Planning & Chief Financial Officer), Franco Carrasco (Board Operations Specialist), Mandy Carver (SVP, Governmental and Intergovernmental Organization), Samantha Eisner (Deputy General Counsel), Jamie Hedlund (SVP, Contractual Compliance & U.S. Government Engagement), John Jeffrey (General Counsel and Secretary), Aaron Jimenez (Board Operations Specialist), Vinciane Koenigsfeld (VP, Board Operations), Elizabeth Le (Associate General Counsel), David Olive (SVP, Policy Development Support & Managing Director – Washington, D.C.), Lisa Saulino (Board Operations Specialist), Amy Stathos (Deputy General Counsel), Theresa Swinehart (SVP, Global Domains & Strategy), and Gina Villavicencio (SVP, Global Human Resources).
1. Consent Agenda:
The Chair opened the meeting and introduced the Consent Agenda. Following discussion, the Chair called for a vote and then the Board took the following action:
a. Appointment of Board Member to the Organizational Effectiveness Committee
Whereas, the Board Governance Committee has recommended that the Board appoint Maarten Botterman to the Organizational Effectiveness Committee (OEC) and the Chair of the OEC agrees with the recommendation.
Resolved (2022.11.16.01), the Board appoints Maarten Botterman to the Organizational Effectiveness Committee.
Rationale for Resolution 2022.11.16.01
Article 7, Section 7.2 and Article 14 of the ICANN Bylaws call for the Board to appoint the Board Chair, Board Vice Chair, and chairmanship and membership of each Board Committee. Maarten Botterman brings valuable skills and experience to the Organizational Effectiveness Committee. Maarten has been a member of the Board since 2016, during which time he served as the Board Chair from 2019 to 2022.
The appointment of the Board Committee membership is consistent with ICANN's Mission and is in the public interest as it is important to ensure that the Board and its Committees have the properly skilled expertise to carry forth ICANN's Mission, Commitments and Core Values. This decision will have no direct fiscal impact on the organization and no impact on the security, stability, or resiliency of the domain name system.
This is an Organizational Administrative Function that does not require public comment.
All members of the Board present voted in favor of Resolution 2022.11.16.01. One Director was unavailable to vote. The Resolution carried.
2. Main Agenda:
a. Review Implementation Prioritization Supplemental Fund for Implementation of Community Recommendations (SFICR) Request
The Chair introduced the agenda item. The Board engaged in a discussion regarding the purpose of the Supplemental Fund for Implementation of Community Recommendations (SFICR). The Board also discussed the process by which community recommendation that are due to be implemented were prioritized by for implementation. The Board agreed that the resolution should reflect the details regarding the implementation prioritization process.
Following discussion, the Chair called for a vote with the contingency that the resolution be updated to reflect the Board's discussion. The Board then took the following action:
Whereas, the Supplemental Fund for Implementation of Community Recommendations (SFICR) allows ICANN to segregate resources in support of increasing the capacity of the organization to address activities and projects not currently included in the current budget.
Whereas, ICANN organization has a requirement by the ICANN Bylaws to implement Board approved recommendations in a transparent and timely manner.
Whereas, 45 Specific Reviews Board-approved recommendations or recommendation components (13 from the third Accountability and Transparency Review; 15 from the Competition, Consumer Trust and Consumer Choice Review; nine from the second Security, Stability and Resiliency Review; eight from the second Registration Service Directory Review) were prioritized by a Planning Prioritization Group made up of community members.
Whereas, the 45 recommendations were assigned priority levels based on an "urgency-importance" matrix.
Whereas, the current effort for the one-time implementation of these community prioritized review recommendations is incremental to ICANN org's annual budget and operating plan.
Resolved (2022.11.16.02), the Board approves the use of US$5,800,000 from the SFICR to fund implementation of community prioritized reviews.
All members of the Board present voted in favor of Resolution 2022.11.16.02. One Director was unavailable to vote. The Resolution carried.
Rationale for Resolution 2022.11.16.02
ICANN org conducted a cross functional assessment of the 45 prioritized recommendations, which included the development of an implementation plan identifying the resources required to complete the implementation of each recommendation. Fifteen functions across the organization were identified as having roles in the implementation of the prioritized Board-approved recommendations that require staff and external resources to complete. The one-time effort of implementation will cost US$5,800,000 and take approximately one year to complete. The funding for this effort is being requested through the SFICR since it requires additional effort and resources above and beyond the annual plan and budget. The SFICR was established to support increasing the capacity of the organization to address activities and projects not currently included in the organization's historical expenses or current budget. All ongoing efforts to maintain service levels and review requirements, after initial implementation, will be incorporated into ICANN org's annual plan and budget.
This action is consistent with ICANN's mission and is in the public interest as it is important to ensure that Specific and Organization Reviews are implemented according to ICANN's Bylaws and that a healthy multistakeholder model is supported. Furthermore, the SFICR was created to fund projects, as approved by the Board, when the size, complexity, and length of the projects create a challenge to be solely funded by recurring funding. The SFICR will fund projects based on the public interest of the community that would otherwise go unbudgeted.
This action will not have a negative financial impact on ICANN, as funding has already been accounted for with the establishment of the SFICR. In addition, this action is intended to have a positive impact on the security, stability, or resiliency of the domain name system.
This is an Organizational Administrative Function that does not require public comment.
b. Reserve Fund Transfer
The Vice Chair introduced the agenda item. The Board engaged in a discussion regarding the Reserve Fund. The discussion included the minimum level of 12 months of expected expenditures and the current Reserve Fund level. The Board also discussed the impact on the Reserve Fund as a result of the market volatility this year. The proposed transfer of USD 19 million from the Operating Fund into the Reserve Fund will bring the level of the Reserve Fund to be aligned with 12 months minimum level and will also include exceed the minimum level to protect the organization with a sufficient level of Reserve Fund. The Board noted that some money will remain in the Operating Fund due to the ongoing market volatility.
Following discussion, the Chair called for a vote and the Board took the following action:
Whereas, the Operating Fund includes the funds used for ICANN's day-to-day operations and must contain enough funds to cover a minimum of three months of ICANN organization's operating expenses.
Whereas, periodically, excess funds in the Operating Fund may be transferred to the Reserve Fund to ensure its balance is at or above the minimum target level, as determined and approved by the Board.
Whereas, ICANN organization has determined that the balance of the Operating Fund as of 30 June 2022, based on unaudited Financial Statements, contained excess funds.
Whereas, both ICANN organization and the Board Finance Committee have recommended that the Board approve a US$19,000,000 transfer to the Reserve Fund from the Operating Fund.
Resolved (2022.11.16.03), the Board approves the transfer of US$19,000,000 of excess funds from the Operating Fund to the Reserve Fund.
All members of the Board present voted in favor of Resolution 2022.11.16.03. One Director was unavailable to vote. The Resolution carried.
Rationale for Resolution 2022.11.16.03
As part of ICANN's Investment Policy, the Operating Fund should be at a level of funds to cover a minimum of three months of ICANN organization's operating expenses, and that any amount determined to be in excess may be transferred to the Reserve Fund to ensure its balance is at or above the minimum target level, as determined and approved by the Board.
ICANN organization has evaluated the balance of the Operating Fund as of 30 June 2022 on the basis of its unaudited Financial Statements and has determined that excess funds of US$19,000,000 should be transferred to the Reserve Fund.
This action is consistent with ICANN's mission and is in the public interest as it is important to ensure stability of ICANN organization in the way of a robust Reserve Fund in case use of a Reserve Fund becomes necessary.
This action will not have a financial impact on ICANN, and will not have an impact on the security, stability, or resiliency of the domain name system.
This is an Organizational Administrative function that does not require public comment.
c. FY24 Strategic Outlook Trends Report
Matthew Shears, the Chair of the Strategic Planning Committee (SPC), introduced the agenda item. The Board discussed ICANN'S strategic outlook program being a key component in the org's strategic and operational planning. The SPC has reviewed the analysis of the trend session of data inputs and recommends keeping the ICANN Strategic Plan for Fiscal years 2021-2025 unchanged.
Following discussion, the Chair then called for a vote and the Board took the following action:
Whereas, following community, Board and ICANN organization inputs received between February and April 2022 on key trends anticipated to impact ICANN in the coming years, the Board reviewed ICANN org's analysis of those trend data, and concluded that the Strategic Plan for Fiscal Years 2021-2025, does not need to change.
Whereas, the Board, through the Strategic Planning Committee, oversees the annual strategic outlook program to identify relevant trends and events that inform ICANN's strategic and operational planning efforts. This committee, supported by the ICANN organization, reviewed the results of the trend data and the related opportunities, risks, and impacts on ICANN. The ICANN Strategic Outlook FY24 Trend Report documented this work with a set of proposed priority trends, related impacts, and associated strategic and/or tactical recommendations for full-Board consideration.
Whereas, members of the ICANN Board and ICANN organization held a webinar with the community on 08 September 2022 to present the strategic outlook program update, including the process and methods used to conduct the analysis.
Resolved (2022.11.16.04), the Board affirms that the ICANN Strategic Plan for Fiscal Years 2021 to 2025, as approved on 23 June 2019 shall remain in force and unchanged, with no restatement of the Strategic Plan needed at this time.
All members of the Board present voted in favor of Resolution 2022.11.16.04. One Director was unavailable to vote. The Resolution carried.
Rationale for Resolutions 2022.11.16.04
On 23 June 2019, the Board adopted the ICANN Strategic Plan for Fiscal Years 2021 to 2025 and directed that as part of the ongoing annual planning cycle with the community, new trends or shifts in existing trends be factored into the annual iteration of ICANN's plans as appropriate. These efforts are conducted through the strategic outlook program.
The Strategic Outlook program is conducted annually to ensure ICANN has a consistent way to: identify and track trends; prepare for opportunities; mitigate or avoid challenges; and inform strategic and operational planning.
It is a joint effort between the ICANN organization, the community, and the ICANN Board to engage on emerging or evolving trends that affect ICANN. Trends indicate general directions in which things are developing or changing, that have or could have an impact on ICANN, its mission, its operations, or its ecosystem. Trends can be internal or external, organization-specific, community-related, or go beyond ICANN's ecosystem as ICANN does not operate in a vacuum.
ICANN org finds the exercise to be beneficial to help surface opportunities and challenges that lay ahead, review the adopted Strategic Plan, inform the annual operating planning.
Between February and April 2022, ICANN org convened 13 strategic outlook trends identification sessions with 261 participants from the community, Board and the organization, resulting in 1,016 data points collected. Community sessions outputs have been published on the Strategic Planning page of the icann.org website.
Between May and October 2022, the Board Strategic Planning Committee, as supported by ICANN org, reviewed the analysis of the trend session data inputs received, which included trends, risks, opportunities, and potential impacts on ICANN. The details of this analysis and associated recommendations have been documented in the ICANN Strategic Outlook FY24 Trends Report.
On the basis of the analysis of the data collected in these trends identification sessions, the Board Strategic Planning Committee recommends keeping the ICANN Strategic Plan for Fiscal Years 2021 to 2025 unchanged, with no restatement of the Strategic Plan needed at this time.
Though the recommendation is for the Strategic Plan to remain unchanged, the items highlighted and reflected in the Trend Report are still of urgency within ICANN, and both the Board and the org are working diligently to address them from both strategic and operational lenses. Where appropriate, the ongoing efforts to address the trends are highlighted within the Trend Report.
This resolution is not expected to have a fiscal impact on ICANN, though the changes anticipated to ICANN's Operating Plan might have an impact once approved. This action is expected to have a positive impact on the security, stability and resiliency of the domain name system (DNS) as it continues to support ICANN's strategic work in this area.
This resolution serves ICANN's mission in ensuring a secure and stable operation of the Internet's unique identifier systems. The ICANN Strategic Plan for Fiscal Years 2021-2025 builds upon ICANN's mission so that it may continue to effectively fulfill its aims and meet new and continuously evolving challenges and opportunities.
This resolution is in the public interest as the Strategic Plan guides ICANN's activities and informs ICANN's operating plans and budgets to fulfill its mission in fiscal years 2021 through 2025. The Strategic Plan serves the public interest by articulating the path towards a new vision to be a champion of the single, open, and globally interoperable Internet. The Strategic Plan complies with ICANN's commitments and is guided by ICANN's core values.
This is an Organizational Administrative Function that has been subject to community consultation as noted above and is not requiring further public comment.
d. Second Security, Stability, and Resiliency (SSR2) Review Team Pending Recommendations
Katrina Sataki introduced the agenda item. She read the resolution into the recording, noting that it will be updated to include another whereas clause.
Following discussion, the Chair called for a vote with the contingency that the resolution be updated as discussed. The Board then took the following action:
Whereas, on 22 July 2021, the Board took action on each of the 63 recommendations issued within the Second Security, Stability, and Resiliency (SSR2) Review Team Final Report dated 25 January 2021 ("SSR2 Review Team Final Report"), as specified within the Scorecard titled "Final SSR2 Review Team Recommendations – Board Action" (hereafter referred to as "July 2021 Scorecard"), and provided rationale for each recommendation.
Whereas, on 22 July 2021, the Board resolved to place 34 recommendations into one of the three "pending" statuses, committed to take further action on these recommendations subsequent to the completion of steps as identified in the July 2021 Scorecard, and directed ICANN org to provide periodic updates on progress toward gathering relevant information, starting within six months from the 22 July 2021 Board action.
Whereas, the Board took action on three pending recommendations on 1 May 2022 as specified within the "Scorecard: SSR2 Pending Recommendations-Board Action 1 May 2022" (hereafter referred to as "May 2022 Scorecard").
Whereas, the Board Organizational Effectiveness Committee (OEC), through the SSR2 Board Caucus Group, considered the assessment produced by ICANN org, including clarifications received from SSR2 Implementation Shepherds on 16 March 2022 and 20 June 2022.
Whereas, the OEC made a recommendation to the ICANN Board to approve nine, and reject 12 recommendations.
Resolved (2022.11.16.05), the Board approves SSR2 Review Team Final Report Recommendations 3.2, 3.3, 5.3, 7.1, 7.2, 7.3, 7.5, 11.1, 24.1, rejects Recommendations 3.1, 4.3, 6.1, 6.2, 7.4, 16.2, 16.3, 18.1, 18.2, 18.3, 20.1, 20.2, as specified within the 16 November 2022 Scorecard, and directs ICANN's President and CEO, or his designee(s), to take all actions as documented within the 16 November 2022 Scorecard.
Resolved (2022.11.16.06), the Board notes that additional time is required to continue addressing the 10 remaining pending recommendations in the SSR2 Review Team Final Report, and directs ICANN org to continue to provide regular updates as work progresses.
All members of the Board present voted in favor of Resolutions 2022.11.16.05 and 2022.11.16.06. One Director was unavailable to vote. The Resolutions carried.
Rationale for Resolutions 2022.11.16.05 – 2022.11.16.06
Why is the Board addressing the issue?
The Security, Stability, and Resiliency (SSR) Review is one of the four Specific Reviews anchored in Article 4, Section 4.6 of the ICANN Bylaws. Specific Reviews are conducted by community-led review teams, which assess ICANN's performance in fulfilling its commitments. Reviews are critical to maintaining an effective multistakeholder model and helping ICANN achieve its mission, as detailed in Article 1 of the Bylaws. Reviews also contribute to ensuring that ICANN serves the public interest. The SSR2 Review is the second iteration of the SSR Review and relates to key elements of ICANN's Strategic Plan. As stated in the Bylaws, the Review focuses on the assessment of:
- "security, operational stability and resiliency matters, both physical and network, relating to the coordination of the Internet's system of unique identifiers;
- conformance with appropriate security contingency planning framework for the Internet's system of unique identifiers;
- maintaining clear and globally interoperable security processes for those portions of the Internet's system of unique identifiers that ICANN coordinates".
The SSR2 Review also assesses the extent to which ICANN has successfully implemented its security efforts, as well as their robustness and effectiveness to deal with actual and potential challenges and threats to the security, stability and resiliency of the DNS, consistent with ICANN's mission.
In its action on 22 July 2021, the Board placed 34 recommendations from the SSR2 Review Team Final Report into one of the three pending statuses: pending, likely to be approved once further information is gathered to enable approval; pending, holding to seek clarity or further information; pending, likely to be rejected unless additional information shows implementation is feasible. The Board committed to take further action on these recommendations subsequent to the completion of steps as identified in the July 2021 Scorecard. On 1 May 2022, the Board took action to address three of the 34 recommendations. With clarifications received from the SSR2 Implementation Shepherds and the org's associated feasibility assessment, 21 additional pending recommendations are now ready for Board consideration.
What is the proposal being considered?
The proposal is in furtherance of resolution 2021.07.21.13, which placed SSR2 34 recommendations in pending status. As directed by the Board in its 22 July 2021 action, ICANN org produced an assessment that gathered relevant information, including clarification received from the SSR2 Implementation Shepherds, to inform subsequent Board consideration.
Today, the Board takes action on 21 pending recommendations and notes that additional time is required to continue addressing the 10 remaining, pending recommendations. ICANN org will continue to provide regular updates to the Board on progress toward addressing open items.
Recommendations that the Board approves as fully implemented.
In consideration of the assessment, the Board approves Recommendations 3.2, 3.3, 7.1, 7.2, 7.3, 11.1, 24.1 as fully implemented, as stated in the 16 November 2022 Scorecard. For each of these, the Board directs ICANN org to produce implementation documentation to assist the subsequent SSR review team with its assessment work.
Recommendations 3.2 suggests that budget items related to the performance of SSR functions be linked to ICANN Strategic Plan goals and objectives, while Recommendation 3.3 calls for transparency and opportunity to comment on SSR budgeting. Recognizing the existing transparency and public comment framework around the organization's planning and budgeting cycle, the Board notes Recommendations 3.2 and 3.3 as fully implemented and encourages ICANN org to continue enhancing its periodic communication on SSR activities as part of its work and operations. See 16 November 2022 Scorecard for more information.
Recommendations 7.1, 7.2, 7.3 pertain to Business Continuity (BC) and Disaster Recovery (DR) plans. ICANN org follows the Contingency Planning Guide for Federal Information Systems (NIST SP 800-34 Rev 1) which is a more integrated approach with, and given, ICANN org's existing plans and processes. The Board notes the SSR2 Implementation Shepherds' confirmation that "the NIST Cybersecurity Framework [...] is a reasonable alternative [...]." Consequently, the Board approves Recommendations 7.1, 7.2, 7.3 as fully implemented, as detailed in the 16 November 2022 Scorecard.
Recommendation 11.1 pertains to the access to Centralized Zone Data Service (CZDS) data. Based on clarification received from the SSR2 Implementation Shepherds and data provided by ICANN org in the assessment (volume of complaints), the Board believes that the ongoing and completed work to date, conducted to address SAC097, meets the requirements of Recommendation 11.1. See 16 November 2022 Scorecard for more information.
Recommendation 24.1 asks ICANN org to perform end-to-end testing of the full Emergency Back-end Registry Operator (EBERO) and to publish the results.
Based on clarification received from the SSR2 Implementation Shepherds, the Board notes that testing is not intended to be conducted on currently active TLDs. In ICANN org agreements with the EBERO service providers, there is a provision which allows for EBERO readiness exercises to be conducted annually. The Board believes that the existing agreements, including provisions for readiness exercises, as well as past tests, meet the requirements and success measures of this recommendation. As detailed in the 16 November 2022 Scorecard the Board approves Recommendation 24.1 and notes it as fully implemented.
Recommendations the Board approves subject to prioritization.
The Board approves Recommendations 5.3 and 7.5 subject to prioritization, risk assessment and mitigation, as well as costing and implementation considerations.
Recommendation 5.3 recommends ICANN org to "require external parties providing services to ICANN org to be compliant with relevant security standards, and to document their due diligence regarding vendors and service providers." ICANN org's Engineering & Information Technology (E&IT) function already requires all appropriate vendors and service providers to have a risk assessment performed and documented to meet ICANN org's needs as instructed by industry-standard practices.
The Board notes that to complete this recommendation, ICANN org, when renegotiating its one-year based contracts with external service-provider parties, would need to include a clause on compliance with relevant security standards. The Board approves Recommendation 5.3, as noted in the 16 November 2022 Scorecard, subject to prioritization, risk assessment and mitigation, costing and implementation considerations.
Recommendation 7.5 calls for publishing a summary of overall BC and DR plans to improve transparency, and taking steps to verify compliance with these plans. The Board directs org to publish current appropriate summary information of the established Contingency and Continuity Plan (CCOP) and the Disaster Recovery (DR) Plan which covers all ICANN systems, and which are tested annually by ICANN org. As detailed in the 16 November 2022 Scorecard, the Board approves Recommendation 7.5 subject to prioritization, risk assessment and mitigation, costing and implementation considerations.
Recommendations that the Board rejects because they cannot be approved in full.
The Board notes that, while some portions of the recommendation could be feasible, and in some cases, work is already underway, there are limitations imposed by other portions of the same recommendation that impact feasibility. While the Board agrees in principle with the intent of many of these recommendations, the Board does not have the option of selectively approving some parts and rejecting other parts of a single, indivisible community recommendation and must act on a recommendation as written and not as interpreted by ICANN org or the Board. Actions with which the Board agrees in principle would not be tracked as part of the implementation of SSR2 recommendations.
The detailed rationale for each recommendation sets out the specific reasons for the Board's rejection.
The Board rejects Recommendations 20.1 and 20.2 as documented in the 16 November 2022 Scorecard. While the Board agrees with some elements of 20.1 and 20.2 (such as procedures and activities for future key rollovers), the Board does not have the option of selectively approving some parts and rejecting other parts of a single, indivisible community recommendation.
Recommendation 20.1 calls for ICANN org to establish a formal procedure, supported by a formal process modeling tool and language, to specify the details of future key rollovers. The recommendation suggests a novel model that cannot be implemented with existing resources and expertise. The Board notes that ICANN org had proposed an alternative process that would still contain evaluation checkpoints. The SSR2 Implementation Shepherds pointed to research done in the medical field, noting that it could be replicated in the DNSSEC Root Key management, without providing evidence of this approach having been researched or used in fields with direct applicability to the org's processes. The Board does not recommend developing such a complex and specific model based on speculative outcomes that were not researched in the DNSSEC Root Key Management and, as a result, rejects Recommendation 20.1.
The Board notes that rejecting Recommendation 20.1 impacts the feasibility of Recommendation 20.2 that calls for ICANN org to create a group of stakeholders involving relevant personnel (from ICANN org or the community) to periodically run table-top exercises that follow the Root Key Signing Key (KSK) rollover process.
The Board notes that FY24 IANA Operating Plan & Budget identified the next key rollover as one of its operating priorities.
Recommendations that the Board rejects
The Board rejects Recommendations 3.1, 4.3, 6.1, 6.2, 7.4, 16.2, 16.3, 18.1, 18.2, 18.3, as documented in the 16 November 2022 Scorecard.
Recommendations 3.1 pertains to responsibilities of the C-Suite position. As the implementation of Recommendation 3.1 relies on Recommendation 2 that the Board rejected in July 2021, Recommendation 3.1 cannot be approved.
Recommendation 4.3 calls for ICANN org to appoint a person in charge of security risk management that will report to the C-Suite Position.
The Board notes that org has a Risk Management department as well as a Risk Management Framework which creates a holistic view of the most significant risks to the organization's mission, unifies risk management activities across the organization and provides assurance to Executive Management and the Board that the organization is operating safely in support of ICANN's mission. Additionally, ICANN org has a Board adopted Risk Appetite Statement which articulates the level of risk which ICANN org is willing to take and retain on a broad level to fulfill its mission. The Board also notes that the Committee of Sponsoring Organisations (COSO) framework applied by org for risk management activities is appropriate for ICANN's needs.
As the recommendation feasibility depends on Recommendation 2, the Board rejects Recommendation 4.3.
Recommendations 6.1 and 6.2 pertain to promotion of voluntary adoption of SSR best practices and objectives for vulnerability disclosures by the contracted parties, and to the implementation of coordinated vulnerability disclosure reporting.
While supporting the continued efforts of all parties to adopt Best Common Practices (BCPs) and encouraging ICANN org to promote initiatives that support and encourage voluntary adherence to current BCPs, the Board notes that parts of both recommendations call for changes to contracted party agreements which would be a matter of policy or a result of voluntary negotiations between ICANN org and contracted parties.
Therefore, for the aforementioned considerations the Board rejects Recommendations 6.1 and 6.2.
Recommendation 7.4 calls for ICANN org to establish a new site for Disaster Recovery (DR) for all the systems owned by or under the ICANN org purview with the goal of replacing either the Los Angeles or Culpeper sites or adding a permanent third site.
The Board notes that the SSR2 Implementation Shepherds clarified that the scope of Recommendation 7.4 was strictly the key management facilities for the DNSSEC Root KSK, and that the main objective was to provide diversity of the jurisdiction of the facilities. The Board cannot justify the cost of building and maintaining an additional key management facility, knowing the level of required effort and constraints, as the possible benefit seems to be based on a perception that new non-U.S. physical construction would enhance diversity and address disaster recovery scenarios in a meaningful way.
Therefore, for the aforementioned considerations the Board rejects Recommendation 7.4.
Recommendation 16.2 relates to the creation of specialized groups within the contract compliance function that understand privacy requirements and principles and that can facilitate law enforcement needs under the Registration Directory Service (RDS) framework. Recommendation 16.3 calls for ICANN org to conduct periodic audits on registrar privacy policies.
The Board notes that ICANN org's Contractual Compliance already has subject matter experts in multiple areas, including those enumerated by the recommendation, who contribute to policy development when requested by the ICANN community.
The SSR2 Implementation Shepherds' feedback indicates that these specialized groups should require registrars to publish their privacy policies and procedures, and track them. ICANN org agreements with registries and registrars do not specifically require registrars to have "privacy policies." The Board finds that this part of Recommendation 16.2 would be a matter of policy or a result of voluntary negotiations between ICANN org and contracted parties, and not something ICANN org or Board can unilaterally impose. With respect to Recommendation 16.3, ICANN org's Contractual Compliance cannot carry out any audit on or enforce compliance with something that is not an ICANN contractual requirement.
Therefore, for the aforementioned considerations the Board rejects Recommendations 16.2 and 16.3.
Recommendations 18.1, 18.2 and 18.3 call for ICANN org to track developments in the peer-reviewed research community and to publish a report for the ICANN community summarizing implications of publications that are relevant to ICANN org or contracted party behavior, and including recommendations for actions and additional studies.
The Board acknowledges that ICANN org is already taking appropriate measures to ensure that any emerging or evolving technology within ICANN's scope is evaluated appropriately and followed up on as needed. The Board supports the idea of continuing to follow such emerging or evolving technologies and invites the community to raise awareness of any such technology or protocol that they feel ICANN org should pay particular interest.
The Board notes that there are organizations and research communities that already perform many of the actions as described in the recommendations. The Board determined that the benefits do not outweigh the costs for ICANN org to act as a proxy to the work of those organizations and communities.
Finally, the Board wishes to highlight that the recommendations, as written, call for unbound work which is deemed as a critical element for their implementation. The list of places to monitor for these conceptual papers is exhaustive and beyond the list of the examples in the recommendation. ICANN org focuses its work on protocols and technologies that are implementable, have a potential impact on the ICANN ecosystem, and are within the narrow scope of the ICANN mission.
Therefore, for the aforementioned considerations the Board rejects Recommendations 18.1, 18.2 and 18.3.
Which stakeholders or others were consulted?
The SSR2 Final Report was published for public comment and the Board received feedback as part of that process. See Public Comment on Final Report. Additionally, ICANN org consulted the SSR2 Implementation Shepherds through its dedicated mailing-list. See workspace for more information.
What significant materials did the Board review?
In addition to clarification provided by the SSR2 Implementation Shepherds, the Board considered various significant materials and documents, including the July 2021 Scorecard, the Staff Report of Public Comment Proceeding on Second Security, Stability, and Resiliency (SSR2) Review Team Final Report, the July 2021 assessment ICANN org Assessment, and November 2022 ICANN org assessment.
Are there positive or negative community impacts?
Taking action on 21 SSR2 pending recommendations will contribute to further address the outcome of the SSR2 Specific Review.
Are there fiscal impacts or ramifications on ICANN (strategic plan, operating plan, budget); the community; and/or the public?
For the recommendations the Board approves that require action, their implementation will be subject to prioritization, risk assessment and mitigation, costing and implementation considerations.
Are there any security, stability or resiliency issues relating to the DNS?
By nature of the SSR Review, implementation of any recommendation may impact how ICANN meets its security, stability, and resiliency commitments. The Board considered this potential impact as part of its deliberations.
Is this decision in the public interest and within ICANN's mission?
This action is in the public interest as it is a fulfillment of ICANN Bylaw, as articulated in Section 4.6. It is also within ICANN's mission and mandate. ICANN reviews are an important and essential part of how ICANN upholds its commitments.
Approved recommendations are consistent with ICANN's mission, serve the public interest, and fall within the Board's remit.
Is this either a defined policy process within ICANN's Supporting Organizations or ICANN's Organizational Administrative Function decision requiring public comment or not requiring public comment?
As noted above, public comments were received on the SSR2 Final Report prior to Board consideration of the recommendations. No additional public comment period is required.
e. 2023 ICANN Org All-Hands Meeting
The ICANN President and CEO introduced the agenda item, which seeks the Board's approval for ICANN org to engage in contractual arrangements in order to have the first ICANN org all-hands staff meeting in Los Angeles next February. This will be the first time many org for many org members to meet face to face since the ICANN went completely virtual in February 2020 due to COVID-19. The benefits of the meeting are identified in the resolution.
Following discussion, the Chair then called for a vote and the Board took the following action:
Whereas, ICANN org intends to hold its first full org ICANN Org All-Hands meeting in 2023 in Los Angeles, California.
Whereas, ICANN organization has completed a thorough review of the venue and hotel and finds the [Redacted – Confidential Negotiation Information] in Los Angeles, California to be suitable.
Whereas, both ICANN organization and the Board Finance Committee have recommended that the Board authorize the President and CEO, or his designee(s), to enter into and make disbursement in furtherance of contracts for the [Redacted – Confidential Negotiation Information] hotel for the February 2023 ICANN All-Hands meeting in Los Angeles, California.
Resolved (2022.11.16.07), the Board authorizes the President and CEO, or his designee(s), to facilitate all necessary contracting and disbursements for the [Redacted – Confidential Negotiation Information] in Los Angeles, California, where ICANN Org will hold the ICANN Org All-Hands meeting in an amount not to exceed [Redacted – Confidential Negotiation Information].
Resolved (2022.11.16.08), specific items within this resolution shall remain confidential for negotiation purposes pursuant to Article 3, section 3.5(b) of the ICANN Bylaws until the President and CEO determines that the confidential information may be released.
All members of the Board present voted in favor of Resolutions 2022.11.16.07 and 2022.11.16.08. One Director was unavailable to vote. The Resolutions carried.
Rationale for Resolutions 2022.11.16.07 – 2022.11.16.08
In late February 2020, ICANN organization closed its office doors due to the COVID-19 pandemic. During this time, the org practiced extreme caution and diligence in observing protocols designed to keep ICANN Staff, Board, and Community safe.
Now, almost three years later, ICANN org continues to follow best practices while carefully returning to normal operations. As part of this forward momentum and under the direction of the President and CEO, ICANN org plans to hold the first ICANN Org All-Hands meeting in Los Angeles, California, from 6 to 9 February 2023.
Throughout the fiscal year, all functional teams have budgeted to meet in order to discuss upcoming projects, priorities and key deliverables. In the past, these functional meetings have taken place separately, and although beneficial to maintain staff engagement and understanding of priorities, this meeting is intended to combine these separate meetings and budget, into one for FY23.
The ICANN Org All-Hands meeting will allow for line managers to be set up for success through inspiration, expectation-setting and education the first two days of the event. The final two days will gather all functions of ICANN org to: (i) meet new team members hired during the pandemic; (ii) take part in priority setting activities; (iii) participate in teambuilding and leadership exercises; (iv) explore and collaborate on new opportunities; and (v) review the strategic and operating plans for the coming year.
The Board Finance Committee (BFC) has carried out its standard due diligence in reviewing the proposed spend and has recommended that the Board approve. As part of this diligence, the BFC has reviewed the financial risks associated with the proposed spend and the information provided by the org on the measures in place to mitigate those risks. The BFC has found these financial risks and the mitigation in place reasonable and acceptable.
The Board reviewed the organization's briefing for hosting the 2023 ICANN Org All-Hands meeting in Los Angeles, California, and approved the related costs for the facilities selected for that meeting.
There will be a financial impact to ICANN in hosting this event and providing travel as necessary. However, this fiscal impact can be covered within the existing FY23 approved budget with no to very minimal disruption to the daily operations of ICANN org.
This event supports ICANN's mission as a gathering point to bring the org together to align for the work ahead, have discussions around the org's key objectives and priorities to support the org's mission. This is critical with the key initiatives being prioritized for the coming year(s), to ensure staff engagement and understanding of these priorities, additionally understanding the impacts on the importance of these for the public interest and continuing to fulfill ICANN's mission of a secure and stable internet.
This action will have no impact on the security or the stability of the Domain Name System.
This is an Organizational Administrative function that does not require public comment.
The Chair then called the meeting to a close.