Changes

Line 30: Line 30:     
===DNS Security Threat Audits===
 
===DNS Security Threat Audits===
 +
====2019 Registry Operator Audit====
 
In November 2018, ICANN Contractual Compliance launched a Registry Operator Audit for Addressing DNS Security Threats.<ref>[https://www.icann.org/en/blogs/details/contractual-compliance-addressing-domain-name-system-dns-infrastructure-abuse-8-11-2018-en ICANN.org Blog - Contractual Compliance Addressing DNS Infrastructure Abuse], November 8, 2018</ref> The audit was conducted over seven months, from November 2018 to June 2019.<ref>[https://www.icann.org/en/announcements/details/icann-publishes-registry-operator-audit-for-addressing-dns-security-threats-17-9-2019-en CC Audit of DNS Security Threats, ICANN Announcements]</ref> The report on the audit, released in September 2019, reported that of the 1207 TLDs reviewed during the audit, "approximately five percent (5%) of the audited ROs subject to Specification 11, Section 3(b) were not performing any security threat monitoring, despite having domains registered in their gTLDs."<ref name="19audit">[https://www.icann.org/en/system/files/files/contractual-compliance-registry-operator-audit-report-17sep19-en.pdf ICANN.org - Report on the RO Audit for Addressing DNS Security Threats], September 17, 2019 (PDF)</ref> The report noted that many of the non-complying registries had a limited number of registrations:
 
In November 2018, ICANN Contractual Compliance launched a Registry Operator Audit for Addressing DNS Security Threats.<ref>[https://www.icann.org/en/blogs/details/contractual-compliance-addressing-domain-name-system-dns-infrastructure-abuse-8-11-2018-en ICANN.org Blog - Contractual Compliance Addressing DNS Infrastructure Abuse], November 8, 2018</ref> The audit was conducted over seven months, from November 2018 to June 2019.<ref>[https://www.icann.org/en/announcements/details/icann-publishes-registry-operator-audit-for-addressing-dns-security-threats-17-9-2019-en CC Audit of DNS Security Threats, ICANN Announcements]</ref> The report on the audit, released in September 2019, reported that of the 1207 TLDs reviewed during the audit, "approximately five percent (5%) of the audited ROs subject to Specification 11, Section 3(b) were not performing any security threat monitoring, despite having domains registered in their gTLDs."<ref name="19audit">[https://www.icann.org/en/system/files/files/contractual-compliance-registry-operator-audit-report-17sep19-en.pdf ICANN.org - Report on the RO Audit for Addressing DNS Security Threats], September 17, 2019 (PDF)</ref> The report noted that many of the non-complying registries had a limited number of registrations:
 
<blockquote>In most of these cases, ROs cited a low number of registrations or tightly controlled and exclusively internal registration (e.g., where the gTLD has an ICANN-approved Specification 13 .brand designation). While the audit revealed that RBLs currently do not identify any threats originating from .brand gTLDs, Compliance explained to these ROs that monitoring is a contractual obligation that does not depend on the number or type of registrations. Remediation was required in all cases.<ref name="19audit" /></blockquote>
 
<blockquote>In most of these cases, ROs cited a low number of registrations or tightly controlled and exclusively internal registration (e.g., where the gTLD has an ICANN-approved Specification 13 .brand designation). While the audit revealed that RBLs currently do not identify any threats originating from .brand gTLDs, Compliance explained to these ROs that monitoring is a contractual obligation that does not depend on the number or type of registrations. Remediation was required in all cases.<ref name="19audit" /></blockquote>
 
The report stated that, incidences of noncompliance notwithstanding, most registry operators employed good security practices.<ref name="19audit" />
 
The report stated that, incidences of noncompliance notwithstanding, most registry operators employed good security practices.<ref name="19audit" />
   −
In February 2021, Contractual Compliance launched an audit of registrars' compliance with abuse-specific requirements of the RAA.<ref name="21audit">[https://www.icann.org/en/system/files/files/compliance-registrar-audit-report-2021-24aug21-en.pdf ICANN.org - Contractual Compliance Report on the February 2021 Registrar Audit], August 24, 2021 (PDF)</ref> Of the 126 registrars audited, deficiencies were identified within three different categories of compliance requirements:
+
====2021 Registrar Audit====
 +
In February 2021, Contractual Compliance launched an audit of registrars' compliance with abuse-specific requirements of the RAA.<ref name="21audit">[https://www.icann.org/en/system/files/files/compliance-registrar-audit-report-2021-24aug21-en.pdf ICANN.org - Contractual Compliance Report on the February 2021 Registrar Audit], August 24, 2021 (PDF)</ref> Registrars were selected for audit if they at least 5 domains listed in the the Security Threat Reports received during the 2019 Registry Operator Audit, or listed in the November 2020 OCTO Abuse Reports based on metrics from Reputation Block Lists (RBLs).<ref name ="21audit" /> During the RFI phase, one registrar was terminated for unrelated reasons, leaving a total of 126 registrars in the audit pool. The registrars being audited managed over 90% of all registered second-level domains at the time of the audit.<ref name="21audit" /> Of the 126 registrars audited, deficiencies were identified within three different categories of compliance requirements:
    
{| class="wikitable"  
 
{| class="wikitable"  
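Review bot: The added sentence in the 2021 Registrar Audit paragraph, "Registrars were selected for audit if they at least 5 domains listed in the the Security Threat Reports", is missing its verb and doubles "the"; suggest "if they had at least 5 domains listed in the Security Threat Reports". On the same line, `<ref name ="21audit" />` has a stray space before the equals sign, unlike the other `<ref name="21audit" />` uses in the paragraph. The sentence "one registrar was terminated for unrelated reasons, leaving a total of 126 registrars" gives the remaining count but not the number originally selected, and "RFI phase" is used without being expanded; both would be worth stating if the cited report supports them.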
Line 55: Line 57:  
|}
 
|}
   −
In total, only 15 registrars passed the audit process without any notice of deficiency.<ref name="21audit" /> Of the remaining 111 registrars, 92 cured any reported deficiencies before the end of the audit's remediation phase. 19 registrars were unable to cure all deficiencies within the audit timeframe, and negotiated due dates with Contractual Compliance for completion of work to cure.<ref name="21audit" />
+
In total, only 15 registrars passed the audit process without any notice of deficiency.<ref name="21audit" /> Of the remaining 111 registrars, 92 cured all reported deficiencies before the end of the audit's remediation phase. 19 registrars were unable to cure all deficiencies within the audit timeframe, and negotiated due dates with Contractual Compliance for completion of their work to cure.<ref name="21audit" />
    
==Outreach==
 
==Outreach==
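Review bot: The revised sentence "19 registrars were unable to cure all deficiencies within the audit timeframe" still opens with a numeral, and "completion of their work to cure" remains awkward after the edit; suggest "Nineteen registrars were unable to cure all deficiencies within the audit timeframe and negotiated due dates with Contractual Compliance for completing remediation." The change from "any" to "all" is consistent with the counts given (15 passing, 111 remaining, of which 92 cured and 19 did not).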