Line 25: |
Line 25: |
| # Remediation Phase: ICANN collaborates with the auditees to remediate issues. | | # Remediation Phase: ICANN collaborates with the auditees to remediate issues. |
| # Final Report Phase: ICANN issues a confidential final audit report to each auditee. ICANN also summarizes the audit round in an overall audit [https://www.icann.org/resources/pages/compliance-reports-2021 report] | | # Final Report Phase: ICANN issues a confidential final audit report to each auditee. ICANN also summarizes the audit round in an overall audit [https://www.icann.org/resources/pages/compliance-reports-2021 report] |
− | ===DNS Abuse=== | + | ===DNS Security Threat Audits=== |
− | On 6 November 2018, ICANN Contractual Compliance (Compliance) launched a Registry Operator Audit for Addressing DNS Security Threats<ref>[https://www.icann.org/en/announcements/details/icann-publishes-registry-operator-audit-for-addressing-dns-security-threats-17-9-2019-en CC Audit of DNS Security Threats, ICANN Announcements]</ref>
| + | In November 2018, ICANN Contractual Compliance (Compliance) launched a Registry Operator Audit for Addressing DNS Security Threats.<ref>[https://www.icann.org/en/blogs/details/contractual-compliance-addressing-domain-name-system-dns-infrastructure-abuse-8-11-2018-en ICANN.org Blog - Contractual Compliance Addressing DNS Infrastructure Abuse], November 8, 2018</ref> The audit was conducted over seven months, from November 2018 to June 2019.<ref>[https://www.icann.org/en/announcements/details/icann-publishes-registry-operator-audit-for-addressing-dns-security-threats-17-9-2019-en CC Audit of DNS Security Threats, ICANN Announcements]</ref> The report on the audit, released in September 2017, reported that of the 1207 TLDs reviewed during the audit, "approximately five percent (5%) of the audited ROs subject to Specification 11, Section 3(b) were not performing any security threat monitoring, despite having domains registered in their gTLDs."<ref name="19audit">[https://www.icann.org/en/system/files/files/contractual-compliance-registry-operator-audit-report-17sep19-en.pdf ICANN.org - Report on the RO Audit for Addressing DNS Security Threats], September 17, 2019 (PDF)</ref> The report noted that many of the non-complying registries had a limited number of registrations: |
| + | <blockquote>In most of these cases, ROs cited a low number of registrations or tightly controlled and exclusively internal registration (e.g., where the gTLD has an ICANN-approved Specification 13 .brand designation). While the audit revealed that RBLs currently do not identify any threats originating from .brand gTLDs, Compliance explained to these ROs that monitoring is a contractual obligation that does not depend on the number or type of registrations. Remediation was required in all cases.<ref name="19audit" /></blockquote> |
| + | The report stated that, incidences of noncompliance notwithstanding, most registry operators employed good practices.<ref name="19audit" /> |
| + | |
| + | In February 2021, Contractual Compliance launched an audit of registrars' compliance with abuse-specific requirements of the RAA.<ref name="21audit">[https://www.icann.org/en/system/files/files/compliance-registrar-audit-report-2021-24aug21-en.pdf ICANN.org - Contractual Compliance Report on the February 2021 Registrar Audit], August 24, 2021 (PDF)</ref> Of the 126 registrars audited, deficiencies were identified within three different categories of compliance requirements: |
| + | |
| + | {| class="wikitable" |
| + | |- |
| + | ! Registry Agreement Requirement |
| + | ! # of Registrars with Deficiencies |
| + | ! % of Registrars with Deficiencies |
| + | |- |
| + | | General Abuse Reporting (RAA 3.18.1) |
| + | | 46 |
| + | | 37% |
| + | |- |
| + | | Law Enforcement Abuse Reporting (RAA 3.18.2) |
| + | | 33 |
| + | | 26% |
| + | |- |
| + | | Abuse Handling Procedures (RAA 3.18.3) |
| + | | 78<br /> |
| + | | 62% |
| + | |} |
| + | |
| + | In total, only 15 registrars passed the audit process without any notice of deficiency.<ref name="21audit" /> |
| | | |
| ==Roles at ICANN== | | ==Roles at ICANN== |
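Review bot: The added first paragraph says "The report on the audit, released in September 2017", which conflicts with the rest of that paragraph: the audit is described as running from November 2018 to June 2019, and the 19audit reference it cites is dated September 17, 2019. The year should read 2019. In the new table, the header "Registry Agreement Requirement" does not match the rows, which all cite RAA sections (3.18.1 to 3.18.3), or the preceding sentence, which speaks of "abuse-specific requirements of the RAA". Rename the column to refer to the RAA. The cell "78<br />" carries a stray break tag that should be dropped. The sentence "deficiencies were identified within three different categories" would also read more clearly if it said that the counts overlap, since 46, 33 and 78 sum to more than the 126 registrars audited.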