IANANAMINGFUNCTIONCONTRACT
This IANA Naming Function Contract (this “Contract”) is dated as of [l] 2016 and isentered into by and between Internet Corporation for Assigned Names and Numbers, aCalifornia nonprofit public benefit corporation (“ICANN”) and Public Technical Identifiers, aCalifornianonprofitpublicbenefitcorporation(the“Contractor”),andiseffectiveasofthelastdate onwhich all of the conditions set out in ARTICLE II have been satisfied (the “EffectiveDate”). ICANNandContractormay each be referred to herein individually as a “Party” andcollectivelyasthe“Parties.”
WHEREAS,on14March2014, theU.S.National Telecommunicationsand InformationAdministration (“NTIA”) announced the transition of NTIA’s stewardship role of key Internetdomainnamefunctionstotheglobalmulti-stakeholdercommunity(the“Transition”);
WHEREAS, following the Transition, ICANN will continue to serve as the InternetAssignedNumbersAuthority(“IANA”)functionsoperator;and
WHEREAS, ICANNandContractordesire toenter into thisContractpursuant towhichContractorwillserveastheoperatorfortheIANAnamingfunctionaftertheTransition.
NOW, THEREFORE, for good and valuable consideration, the sufficiency of which isherebyacknowledged,thePartiesagreeasfollows:
ARTICLEI:DEFINITIONSANDCONSTRUCTION
Section1.1 Definitions.
(a) “Contract”hasthemeaningsetforthinthePreamble.
(b) “ApprovedIANABudget”hasthemeaningsetforthinSection10.2.
(c) “ccNSO”hasthemeaningsetforthinSection4.7.
(d) “ccTLD”hasthemeaningsetforthinSection4.4(c).
(e) “CCOP”hasthemeaningsetforthinSection5.2(b).
(f) “Complainant”hasthemeaningsetforthinSection8.1(a).
(g) “Complaint”hasthemeaningsetforthinSection8.1(a).
(h) “Contractor”hasthemeaningsetforthinthePreamble.
(i) “CSC”hasthemeaningsetforthinSection4.9(c).
(j) “CSSReport”hasthemeaningsetforthinSection3.eofAnnexA.
2
(k) “customer”meansagTLDregistryoperator,accTLDmanagerorregistryoperatororotherdirectcustomerofContractor(e.g.,arootserveroperatororothernon-rootzonefunction).
(l) “Delegation”referstotheprocessbywhichtheoperatoroftheIANANamingFunctioninitiallyassignsmanagementresponsibilityorassignspreviouslyassignedresponsibility(afterarevocation)forthemanagementofaccTLD,asfurtherdefinedintheRFC1591asinterpretedbytheFOI.
(m) “DNS”meansdomainnamesystem.
(n) “DOC”hasthemeaningsetforthinSection2.1.
(o) “DS”hasthemeaningsetforthinSection1.d.iofAnnexA.
(p) “EffectiveDate”hasthemeaningsetforthinthePreamble.
(q) “FOI”hasthemeaningsetforthinSection4.7.
(r) “GAC2005ccTLDPrinciples”hasthemeaningsetforthinSection4.7.
(s) “GNSO”hasthemeaningsetforthinSection4.7.
(t) “gTLD”hasthemeaningsetforthinSection4.4(c).
(u) “IANA”hasthemeaningsetforthintheRecitals.
(v) “IANAFunctionReview”or“IFR”hasthemeaningsetforthinSection7.3(a).
(w) “IANAIntellectualProperty”hasthemeaningsetforthintheLicenseAgreement.
(x) “IANANamingFunction”hasthemeaningsetforthinSection4.3.
(y) “IANAWebsite”hasthemeaningsetforthinSection4.6.
(z) “ICANN”hasthemeaningsetforthinthePreamble.
(aa) “ICANNBoard”hasthemeaningsetforthinSection7.3(a).
(bb) “ICANN’sBylaws”meansthosecertainBylawsforInternetCorporationforAssignedNamesandNumbers,aCaliforniaNonprofitPublic-BenefitCorporation,adoptedbytheICANNBoardon27May2016,asamended.
(cc) “IFRT”hasthemeaningsetforthinSection4.9(c).
(dd) “InitialTerm”hasthemeaningsetforthinSection9.1.
3
(ee) “InterestedandAffectedParties”meansallgTLDregistryoperators,ccTLDmanagersandregistryoperators,theRootZoneEvolutionReviewCommittee,theCSC,and(ifformedandwhileinexistence)eachIFRT.
(ff) “KeyPersonnel”hasthemeaningsetforthinSection4.9(a).
(gg) “LicenseAgreement”meansthatcertainIANAIPRLicenseAgreement,datedasof[l],2016,betweentheIETFTrustandICANN.
(hh) “NS”hasthemeaningsetforthinSection1.d.iofAnnexA.
(ii) “NTIA”hasthemeaningsetforthintheRecitals.
(jj) “Party”or“Parties”hasthemeaningsetforthinthePreamble.
(kk) “PerformanceIssue”hasthemeaningsetforthinSection8.1(b).
(ll) “PTIBoard”hasthemeaningsetforthinSection4.9(c)(ii).
(mm) “RenewalTerm”hasthemeaningsetforthinSection9.2(a).
(nn) “Revocation”referstotheprocessbywhichtheoperatoroftheIANANamingFunctionrescindsresponsibilityformanagementofaccTLDfromanincumbentmanager,asfurtherdefinedintheRFC1591asinterpretedbytheFOI.
(oo) “RFC1591”hasthemeaningsetforthinSection4.7.
(pp) “RootZoneManagement”hasthemeaningsetforthinSection4.3(a).
(qq) “RR”hasthemeaningsetforthinSection1.d.iofAnnexA.
(rr) “RZMA”meansthatcertainRootZoneServicesMaintainerAgreement,datedasof[l],2016,betweenICANNandVeriSign,Inc.
(ss) “SignificantlyInterestedParties”hasthemeaningsetforthintheRFC1591asinterpretedbytheFOI.Foravoidanceofdoubt,undertheRFC1591asinterpretedbytheFOIthesepartiesinclude,butarenotlimitedto:(i)thegovernmentorterritorialauthorityforthecountryorterritoryassociatedwiththeccTLDand(ii)anyotherindividuals,organizations,companies,associations,educationalinstitutions,orothersthathaveadirect,material,substantial,legitimateanddemonstrableinterestintheoperationoftheccTLD(s)includingtheincumbentmanager.TobeconsideredaSignificantlyInterestedParty,anypartyotherthanthemanagerorthegovernmentorterritorialauthorityforthecountryorterritoryassociatedwiththeccTLDmustdemonstrate(andshallhavetheburdentodemonstrate)thatitishasadirect,materialandlegitimateinterestintheoperationoftheccTLD(s).
4
(tt) “SOW”hasthemeaningsetforthinSection4.3(a).
(uu) “SP”hasthemeaningsetforthinSection4.b.iiiofAnnexA.
(vv) “Transfer”referstotheprocessbywhichtheoperatoroftheIANANamingFunctiontransfersresponsibilityformanagementofaccTLDwiththeconsentoftheincumbentmanagerandthenewmanager,asfurtherdefinedintheRFC1591asinterpretedbytheFOI.
(ww) “TLD”hasthemeaningsetforthinthedefinitionof“InterestedandAffectedParties.”
(xx) “Transition”hasthemeaningsetforthintheRecitals.
Section1.2 Construction.UnlessthecontextofthisContractotherwiserequires:(a)wordsofanygenderincludeeachothergender;(b)wordsusingthesingularorpluralnumberalsoincludethepluralorsingularnumber,respectively;(c)theterms“hereof,”“herein,”“hereby”andderivativeorsimilarwordsrefertothisentireContract;(d)theterms“Article,”“Section,”or“Annex”refertothespecifiedArticle,Section,orExhibitofthisContract;(e)theterm“or”has,exceptwhereotherwiseindicated,theinclusivemeaningrepresentedbythephrase“and/or”;and(f)theterm“including”or“includes”means“includingwithoutlimitation”or“includeswithoutlimitation”soastonotlimitthegeneralityoftheprecedingterm.Unlessotherwisestated,referencestodaysshallmeancalendardays.
ARTICLEII:CONDITIONSPRECEDENT
Section2.1 ConditionPrecedent.ThisContractshallbeeffectiveasofthelastdateonwhichthefollowingconditionshavebeensatisfied:(a)theagreementbetweenICANNandtheUnitedStatesDepartmentofCommerce(“DOC”),effectiveasof01October2012(includinganyextensionthereof)hasterminatedorexpiredand(b)ICANNhasacceptedtheresponsibilitytocoordinateandadministertheservicesthatwerepreviouslyprovidedthereunder.
ARTICLEIII:REPRESENTATIONSANDWARRANTIES
Section3.1 ICANN’sWarranties.ICANNrepresentsandwarrantsthat(a)ithasallnecessaryrightsandpowerstoenterintoandperformitsobligationsunderthisContract;(b)theexecution,deliveryandperformanceofthisContractbyICANNhasbeendulyauthorizedbyallnecessarycorporateactionanddoesnotviolateanyapplicablelawtowhichICANNissubject;and(c)theexecution,deliveryandperformanceofthisContractbyICANNdonot(i)requireaconsentorapprovalunder,or(ii)conflictwith,resultinanyviolationorbreachof,constituteadefaultunder,oraccelerateanyrightsinfavorofathirdpartyunder,anyagreementbetweenICANNandathirdparty.
Section3.2 ContractorWarranties.Contractorrepresentsandwarrantsthat(a)ithasallnecessaryrightsandpowerstoenterintoandperformitsobligationsunderthisContract;(b)theexecution,deliveryandperformanceofthisContractbyContractorhasbeenduly
5
authorizedbyallnecessarycorporateactionanddoesnotviolateanyapplicablelawtowhichContractorissubject;and(c)theexecution,deliveryandperformanceofthisContractbyContractordonot(i)requireaconsentorapprovalunder,or(ii)conflictwith,resultinanyviolationorbreachof,constituteadefaultunder,oraccelerateofanyrightsinfavorofathirdpartyunder,anyagreementbetweenContractorandathirdparty.
ARTICLEIV:SERVICESANDREQUIREMENTS
Section4.1 Designation.ICANNherebydesignatesContractorastheoperatoroftheIANANamingFunction,andauthorizesContractortoperform,theIANANamingFunctioninaccordancewiththetermsofthisContract(includingtheSOW).Withoutlimitingtheforegoing,ICANNherebygrantstoContractor,andContractorherebyaccepts,aworldwide,royalty-free,fully-paidrightandlicensetotheIANAIntellectualPropertytothefullestextentpermittedtobelicensedtoContractorunderthetermsoftheLicenseContract(includingtherighttofurthersublicensetotheextentpermittedintheLicenseContract).ICANNherebyauthorizesContractortoutilizeanyotherrightsandsublicensablelicensesheldbyICANNtotheextentnecessaryorusefultoperformtheIANANamingFunctioninaccordancewiththetermsofthisContract(includingtheSOW).Contractorherebyacceptssuchdesignation,rightsandlicensesandagreestoperformtheIANANamingFunctioninaccordancewiththetermsofthisContract(includingtheSOW).
Section4.2 U.S.Presence.
(a) ContractorshallbeawhollyU.S.ownedandoperatedcorporationoperatinginoneofthe50statesoftheUnitedStatesorDistrictofColumbia;(ii)incorporatedwithinthestateofCalifornia,UnitedStatesofAmerica;and(iii)organizedunderthenonprofitpublicbenefitcorporationlawsofthestateofCalifornia.
(b) ContractorshallperformtheIANANamingFunctionintheUnitedStatesandpossessandmaintain,throughouttheperformanceofthisContract,aphysicaladdresswithintheUnitedStates.ContractormustbeabletodemonstratethatallprimaryoperationsandsystemswillremainwithintheUnitedStates(includingtheDistrictofColumbia).ICANNreservestherighttoinspectthepremises,systems,andprocessesofallsecurityandoperationalcomponentsusedfortheperformanceoftheIANANamingFunction.
Section4.3 ScopeoftheIANANamingFunction.The“IANANamingFunction”iscomprisedof:
(a) ManagementoftheDNSRootZone(“RootZoneManagement”)inaccordancewiththeStatementofWorkattachedasAnnexAtothisContract(“SOW”);
(b) Managementofthe.INTtop-leveldomain;
6
(c) Maintenanceofarepositoryofinternationalizeddomainnametablesandlabelgenerationrulesets;and
(d) ProvisionofotherservicesandimplementationofmodificationsinperformanceoftheIANANamingFunction,ineachcaseuponICANN’srequestandinconformancewithapplicablepoliciesandprocedures.
Section4.4 PerformanceofIANANamingFunction.
(a) ContractorshallperformtheIANANamingFunctioninastableandsecuremannerandinaccordancewiththeSOW.TheIANANamingFunctionisadministrativeandtechnicalinnaturebasedonestablishedpoliciesthataredevelopedthroughapplicableICANNpolicydevelopmentbodiesandapprovedbyICANN,ineachcaseinaccordancewithICANN’sBylaws.
(b) ContractorshalltreattheIANANamingFunctionwithequalpriorityastheotherIANAfunctionsperformedbyContractor,andprocessallrequestspromptlyandefficiently.
(c) Contractorshallmakedecisionsbyapplyingdocumentedpoliciesconsistently,neutrally,objectively,andfairly,withoutsinglingoutanyparticularcustomerfordiscriminatorytreatment(i.e.,makinganunjustifiedprejudicialdistinctionbetweenoramongdifferentcustomers)andinamannerthatdoesnotdiscriminatebetweentypesofcustomers(whethersuchcustomersare(i)countrycodetopleveldomain(“ccTLD”)orgenerictopleveldomain(“gTLD”)registryoperators,(ii)payingornon-paying,(iii)contractedornon-contracted,or(iv)associatedwithsupportingorganizations,advisorycommitteesorothergoverningbodiesofICANNorotherwise).
(d) ContractorshallrespectthediversityofcustomersoftheIANANamingFunctionandshallprovideservicetoitscustomersinconformancewithprevailingtechnicalnorms,andinsupportoftheglobalsecurity,stabilityandresilienceoftheDNS.Ifacustomer’sreceiptofservicesisbasedonacontractbetweensuchcustomerandICANN,Contractorshallcontinuetoprovideservicestosuchcustomernotwithstandinganyon-goingoranticipatedcontractualdisputesbetweenICANNandsuchcustomer.
Section4.5 SeparationofPolicyDevelopmentandOperationalRoles.ContractorshallensurethatitsstaffperformingtheIANANamingFunctiondonotpubliclyinitiate,advanceoradvocateanypolicydevelopmentrelatedtotheIANANamingFunction.Notwithstandingtheforegoing,Contractor’sstaffmay(i)respondtorequestsforinformationrequestedbyInterestedandAffectedParties,and,atContractor’svolition,provideobjectiveinformationtosuchcustomers,ineachcase,toinformongoingpolicydiscussions,(ii)requestguidanceorclarificationasnecessaryfortheperformanceoftheIANANamingFunction,and(iii)publish,contributetoorcommentonanydocumentrelatedtoongoingpolicydiscussions,providedthat,inthecaseofclause(iii),theprimarypurposeofsuchpublication,contributionorcommentaryistosupplyrelevantIANANamingFunctionexperienceandinsight.
7
Section4.6 UserInstructions.Contractorshall,incollaborationwithallInterestedandAffectedParties,maintainuserinstructionsfortheIANANamingFunction,includingtechnicalrequirements.Contractorshallpostsuchinstructionsatiana.org(“IANAWebsite”).
Section4.7 ResponsibilityandRespectforStakeholders.ContractorshallapplythepoliciesfortheRootZoneManagementcomponentoftheIANANamingFunctionthathavebeendefined,orafterthedateofthisContractarefurtherdefined,by(a)theGenericNamesSupportingOrganization(“GNSO”),asappropriateunderICANN’sBylaws,(b)theCountryCodeNamesSupportingOrganization(“ccNSO”),asappropriateunderICANN’sBylaws,and(c)RFC1591:/DomainNameSystemStructureandDelegation/(“RFC1591”)asinterpretedbytheFrameworkofInterpretationofCurrentPoliciesandGuidelinesPertainingtotheDelegationandRedelegationofCountry-CodeTopLevelDomainNames,datedOctober2014(“FOI”).Inadditiontothesepolicies,Contractorshall,whereapplicable,consultthe2005GovernmentalAdvisoryCommitteePrinciplesandGuidelinesfortheDelegationandAdministrationofCountryCodeTopLevelDomains(“GAC2005ccTLDPrinciples”).ContractorshallpublishdocumentationpertainingtotheimplementationofthesepoliciesandprinciplesontheIANAWebsite.
Section4.8 Managementofthe.INTTLD.
(a) Contractorshalloperatethe.INTTLDwithinthecurrentregistrationpoliciesforthe.INTTLD.
(b) UpondesignationofasuccessorregistrybyICANN,ifany,ContractorshallcooperatewithICANNtofacilitatethesmoothtransitionofoperationofthe.INTTLD.Suchcooperationshall,ataminimum,includetimelytransfertothesuccessorregistryofthethen-currenttop-leveldomainregistrationdata.
Section4.9 GeneralManager;KeyPersonnel.
(a) Contractorshallprovidetrained,knowledgeabletechnicalpersonnelaccordingtotherequirementsofthisContract,includingthefollowingkeypersonnel:aGeneralManager,aDirectorofSecurityandaConflictofInterestOfficer(“KeyPersonnel”).AllContractorpersonnelwhointerfacewithICANNmusthaveexcellentoralandwrittencommunicationskills."Excellentoralandwrittencommunicationskills"isdefinedasthecapabilitytoconversefluently,communicateeffectively,andwriteintelligiblyintheEnglishlanguage.
(b) TheConflictofInterestOfficershallberesponsibleforensuringtheContractorisincompliancewithContractor’sinternalandexternalconflictofinterestrulesandprocedures.
(c) TheGeneralManagerofContractorshallorganize,plan,direct,staff,andcoordinatetheoverallperformanceoftheIANANamingFunction;managecontractandsubcontractactivitiesastheauthorizedinterfacewithICANNandensurecompliance
8
withapplicablerulesandregulations.TheGeneralManagerofContractorshallberesponsiblefortheoverallperformanceofContractorunderthisContractandshallmeetandconferwithICANN(includingtheCustomerStandingCommittee(“CSC”)andIANAFunctionReviewteams(“IFRT”),assuchtermsareusedinICANN’sBylaws)regardingthestatusofspecificContractoractivitiesandproblems,issues,orconflictsrequiringresolution.TheGeneralManagerofContractormustpossessthefollowingskills:
(i) demonstratedcommunicationskillswithalllevelsofmanagement;
(ii) capabilitytonegotiateandmakebindingdecisionsforContractor(subjecttoanyrequirementsofContractor’sBylawsandtheauthoritydelegatedtosuchpersonbytheContractor’sBoardofDirectors(“PTIBoard”));
(iii) extensiveexperienceandprovenexpertiseinmanagingsimilarmulti-taskagreementsofthistypeandcomplexity;
(iv) extensiveexperiencesupervisingpersonnel;and
(v) athoroughunderstandingandknowledgeoftheprinciplesandmethodologiesassociatedwithoperationsmanagementandcontractmanagement.
(d) ContractorshallobtaintheapprovalofICANN,afterconsultationwiththePTIBoard,priortomakingKeyPersonnelsubstitutions.ReplacementsforKeyPersonnelmustpossessqualificationsreasonablyequaltoorexceedingthequalificationsofthepersonnelbeingreplaced,unlessanexceptionisapprovedbyICANN.
Section4.10 InspectionOfAllDeliverablesAndReportsBeforePublication.
(a) PriortopublicationorpostingofreportsandotherdeliverablesanticipatedunderthisContractonatemplatethathasnotbeenpreviouslyapprovedbyICANN,ContractorshallobtainapprovalfromICANNforsuchtemplate,whichwillnotbeunreasonablywithheld.AnydeficienciesidentifiedbyICANNshallbecorrectedbyContractorandresubmittedtoICANNwithin10businessdaysafterContractor’sreceiptofnoticeofsuchdeficiency.
(b) ICANNreservestherighttoinspectthepremises,systemsandprocessesofallsecurityandoperationalcomponentsusedfortheperformanceofalltherequirementsandobligationssetforthinthisContract.
ARTICLEV:PERFORMANCE
Section5.1 ConstructiveWorkingRelationship.ContractorshallusecommerciallyreasonableeffortstomaintainaconstructiveworkingrelationshipwithICANN,therootzone
9
maintainerandallInterestedandAffectedPartiestoensurequalityandsatisfactoryperformanceoftheIANANamingFunction.
Section5.2 ContinuityofOperations.
(a) EitherICANNortheContractorshallprovide,ataminimum,redundantsitesinatleasttwogeographicallydispersedsiteswithintheUnitedStatesaswellasmultipleresilientcommunicationpathstocustomerstoensurecontinuationoftheIANANamingFunctionintheeventofcyberorphysicalattacks,emergencies,ornaturaldisasters.
(b) ContractorshallcollaboratewithICANNtodevelopandimplementaContingencyandContinuityofOperationsPlan(“CCOP”)fortheIANANamingFunction.ContractorincollaborationwithICANNshallfromtimetotimeupdateandannuallytesttheCCOPasnecessarytomaintainthesecurityandstabilityoftheIANANamingFunction.TheCCOPshallincludedetailsonplansforcontinuationoftheIANANamingFunctionintheeventofcyberorphysicalattacks,emergencies,ornaturaldisasters.ContractorshallsubmittheCCOPtoICANNaftereachupdateandpublishontheIANAWebsiteareportdocumentingtheoutcomesoftheCCOPtestswithin90calendardaysoftheannualtest.
Section5.3 PerformanceExclusions
(a) Contractorisnotauthorizedtoperformtheservicesperformedbytherootzonemaintainer,assuchservicesarecontemplatedbytheRZMA,unlessauthorizedbyICANN.
(b) ContractorshallnotmakechangesinthepoliciesandproceduresdevelopedbytherelevantentitiesassociatedwiththeperformanceoftheIANANamingFunction.
(c) TheperformanceoftheIANANamingFunctionshallnotbe,inanymanner,predicateduponorconditionedbyContractorontheexistenceorentryintoanycontract,agreementornegotiationbetweenContractorandanyTLDregistryoperatororanyotherthirdparty.CompliancewiththisSectionmustbeconsistentwiththeSOW.
ARTICLEVI:TRANSPARENCYOFDECISION-MAKING
Section6.1 Transparency.Toenhanceconsistency,predictabilityandintegrityinContractor’sdecision-makingrelatedtotheIANANamingFunction,Contractorshall:
(a) PublishreportspursuanttoARTICLEVIIofthisContractandSection3oftheSOW.
(b) MakepublicalldecisionsofthePTIBoardrelatingtotheIANANamingFunction,unless,uponthedeterminationofthePTIBoard,suchdecision(i)relatestoconfidentialpersonnelmatters,(ii)iscoveredbyattorney-clientprivilege,workproductdoctrineorotherrecognizedlegalprivilege,(iii)issubjecttoalegalobligationthatContractor
10
maintainitsconfidentialityorotherwisewouldresultinthedisclosureofconfidentialinformationofContractor’scustomers,(iv)woulddisclosetradesecrets,or(v)wouldpresentamaterialriskofnegativeimpacttothesecurity,stabilityorresiliencyoftheIANANamingFunctionortheInternet.
(c) AgreenottoredactanyPTIBoardminutesrelatedtodecisionsconcerningtheIANANamingFunction,providedthatthePTIBoardmayredactsuchminutesonthedeterminationthatsuchredactedinformation(i)relatestoconfidentialpersonnelmatters,(ii)iscoveredbyattorney-clientprivilege,workproductdoctrineorotherrecognizedlegalprivilege,(iii)issubjecttoalegalobligationthatContractormaintainitsconfidentialityorotherwisewouldresultinthedisclosureofconfidentialinformationofContractor’scustomers,(iv)woulddisclosetradesecrets,or(v)wouldpresentamaterialriskofnegativeimpacttothesecurity,stabilityorresiliencyoftheIANANamingFunctionortheInternet.
(d) HavetheGeneralManagerofContractorandchairpersonofthePTIBoardsignanannualattestationthatContractorhascompliedwiththerequirementsofthisSection6.1.
(e) SubjecttothetermsofthisContract,PTIshalloperatetothemaximumextentfeasibleinanopenandtransparentmannerandconsistentwithproceduresdesignedtoensurefairness,ineachcase,assuchconceptsarecontemplatedbyICANN’sBylaws.
ARTICLEVII:AUDITS,MONITORINGANDREVIEWS
Section7.1 Audits.
(a) ContractorshallgenerateandpublishviatheIANAWebsiteamonthlyauditreportidentifyingeachrootzonefileandrootzone“WHOIS”databasechangerequestanditsstatus.Therelevantpoliciesunderwhichthechangesaremadeshallbenotedwithineachmonthlyreport.SuchauditreportshallbeduetoICANNnolaterthan15calendardaysfollowingtheendofeachmonth.
(b) ContractorshallannuallyperformaspecializedcomplianceauditofContractor’ssecurityprovisionsrelatingtotheIANANamingFunctionagainstexistingbestpracticesandARTICLEXI.Thisspecializedcomplianceauditshallbeperformedbyanexternal,independentauditor.
Section7.2 PerformanceMonitoring.
(a) SolongastheCSCexistspursuanttoICANN’sBylaws,ContractoracknowledgesandagreesthattheCSCisentitledtomonitorContractor’sperformanceunderthisContract(includingtheSOW)inaccordancewithICANN’sBylaws.
(b) ContractorshallprovidereportstotheCSCascontemplatedbytheSOW.
11
(c) ContractorshallactingoodfaithtoresolveissuesidentifiedbytheCSC.
(d) ContractoracknowledgesthattheCSCshallbeempoweredtoescalateidentifiedareasofconcernassetforthinARTICLEVIII.
Section7.3 IANANamingFunctionReviews.
(a) ContractoracknowledgesthatICANN’sBoardofDirectors(the“ICANNBoard”)maycauseareviewbyanIFRT,relatingtotheIANANamingFunction,thisContractandContractor’sperformanceunderthisContract(includingtheSOW),inaccordancewithICANN’sBylaws(an“IANAFunctionReview”or“IFR”).
(b) ContractorshallcooperatewiththeconductofanyIFRT,includinganysitevisitconductedbyanIFRTthathasbeenpreviouslyapprovedbyICANNinaccordancewithICANN’sBylaws.
(c) ContractoragreesthatICANNmayunilaterallyamendorterminatethisContract(includingtheSOW)inaccordancewithanapprovedIFRRecommendation,anapprovedSpecialIFRRecommendationoranapprovedSCWGRecommendation(assuchtermsaredefinedinICANN’sBylaws),subjecttothelimitationssetforthinICANN’sBylaws.Contractoragreestoabidebyandimplementanysuchamendments.
ARTICLEVIII:ESCALATIONMECHANISMS
Section8.1 ComplaintResolutionProcess.
(a) IfContractorreceivesacustomerservicecomplaintfromacustomer(a“Complaint”),ContractorwillreviewtheComplaintandattempttoresolveittothereasonablesatisfactionofthepersonorentitywhobroughttheComplaint(the“Complainant”)assoonasreasonablypracticable.IftheComplaintisnotsoresolved,theComplainantmayescalatethematterinwritingtoContractor’smanagementteam,inwhichcaseContractorshallnotifytheCSC.IftheComplaintisstillnotresolved,theComplainantorthePresidentofContractormayescalatethematterinwritingtoICANN’sOmbudsman.
(b) If(i)aComplainantisacustomerand(ii)aftercompletingtheescalationprocessprovidedforinSection8.1(a),theComplaintisstillnotresolved,then(A)theCSCmayconductareviewtodeterminewhethertheComplaintissubjectofapersistentperformanceissueofContractororanindicationofasystemicproblemwithContractor’sperformanceoftheIANANamingFunctionpursuanttothetermsofthisContract(a“PerformanceIssue”)and(B)theComplainantmay(x)requestmediation,whichshallbeconductedinamannerconsistentwiththetermsandprocesssetforthbelowinSection8.1(c)and(y)iftheissueisnotresolvedfollowingsuchmediationandtheComplaintmeetstherequirementsoftheIndependentReviewProcess,initiateanIndependentReviewProcess(asdefinedintheICANN’sBylaws).IftheCSCdetermines
12
thataPerformanceIssueexists,theCSCmayseekremediationofthePerformanceIssuethroughtheIANAProblemResolutionProcessdescribedinSection8.2.
(c) CustomerMediationProcess.
(i) IfaComplainantisacustomerofContractor,aftercompletingtheescalationprocessprovidedforinSection8.1(a),thecustomermayinitiatemediationbydeliveringawrittennoticetothePresidentofContractorandtheSecretaryofICANN.
(ii) ThereshallbeasinglemediatorwhoshallbeselectedbytheagreementofthecustomerandICANN.ICANNshallproposeaslateofatleastfivepotentialmediators,andthecustomershallselectamediatorfromtheslateorrequestanewslateuntilamutuallyagreedmediatorisselected.ThecustomermayrecommendpotentialmediatorsforinclusionontheslatesselectedbyICANN.ICANNshallnotunreasonablydeclinetoincludemediatorsrecommendedbythecustomeronproposedslatesandthecustomershallnotunreasonablywithholdconsenttotheselectionofamediatoronslatesproposedbyICANN.
(iii) ThemediatorshallbealicensedattorneywithgeneralknowledgeofcontractlawandgeneralknowledgeoftheDNSandICANN.ThemediatormaynothaveanyongoingbusinessrelationshipwithICANN,Contractororthecustomer.Themediatormustconfirminwritingthatheorsheisnot,directlyorindirectly,andwillnotbecomeduringthetermofthemediation,anemployee,partner,executiveofficer,director,consultantoradvisorofICANN,Contractororthecustomer.
(iv) ThemediatorshallconductthemediationinaccordancewiththisSection8.1(c),thelawsofCaliforniaandtherulesandproceduresofawell-respectedinternationaldisputeresolutionprovider.
(v) ThemediationwillbeconductedintheEnglishlanguageandwilloccurinLosAngelesCounty,California,unlessanotherlocationismutuallyagreedbetweenICANN,Contractorandthecustomer.
(vi) ICANN,Contractorandthecustomershalldiscussthedisputeingoodfaithandattempt,withthemediator’sassistance,toreachanamicableresolutionofthedispute.
(vii) ICANNshallbearallcostsofthemediator.
(viii) IfICANN,Contractorandthecustomerhaveengagedingoodfaithparticipationinthemediationbuthavenotresolvedthedisputeforanyreason,ICANN,Contractorandthecustomermayterminatethemediationatanytimebydeclaringanimpasse.
13
(ix) IfaresolutiontothedisputeisreachedbyICANN,Contractorandthecustomer,ICANN,Contractorandthecustomershalldocumentsuchresolution.
Section8.2 IANAProblemResolutionProcess.FollowingtheEffectiveDate,ContractorshallworkcooperativelywiththeCSCtodevelop“RemedialActionProcedures”forthepurposeofaddressingPerformanceIssues.IftheCSCdeterminesthataPerformanceIssueexists,theCSCmayseekresolutionofthePerformanceIssuewithContractor,inwhichcaseContractorshallcomplywithsuchRemedialActionProceduresifandtotheextenttheCSCalsocomplieswithsuchprocedures.
Section8.3 NoticeandMitigationPlan.
(a) ContractorshallpromptlyinformICANNofanyissueordisputearisingfromitsperformanceoftherequirementsandservicescontemplatedbythisContractpriortotheComplaintbeingescalatedpursuanttoSection8.1(a),andshallagreewithICANNonaplantoresolvetheComplaint.
(b) If,foranyreason,ContractorfailstomeetanyoftherequirementsofthisContract,Contractorshall(i)conductananalysisofitsoperationstodeterminetherootcauseofsuchfailure,(ii)developamitigationplantoavoidtherootcauseofsuchfailurefromoccurringinthefuture,and(iii)deliverthereporttoICANNuponitscompletion.ContractorshallmodifyandupdateanymitigationplanasdirectedbyICANN.
ARTICLEIX:TERM;RENEWAL;TRANSITIONANDTERMINATION
Section9.1 InitialTerm.TheinitialtermofthisContractwillbefiveyearsfromtheEffectiveDate(the“InitialTerm”).
Section9.2 Renewal;Termination.
(a) ThisContractwillbeautomaticallyrenewedforsuccessiveperiodsoffiveyears(each,a“RenewalTerm”)upontheexpirationoftheInitialTermandeachsuccessiveRenewalTerm,unless(i)ICANNterminatesthisContractpursuanttoanSCWGRecommendationarisingfromanIANANamingFunctionSeparationProcess(assuchtermsaredefinedinICANN’sBylaws)approvedinaccordancewithICANN’sBylawsor(ii)ICANNelectsnottorenewtheInitialTermoranyRenewalTermthereafterpursuanttoanIFRRecommendation,SpecialIFRRecommendation,orSCWGRecommendation(assuchtermsaredefinedinICANN’sBylaws)approvedinaccordancewithICANN’sBylawsbyprovidingContractorwithnotlessthantwelvemonthspriorwrittennotice.AnyterminationorelectionbyICANNtonotrenewthisContractunderthisSection9.2mustbeapprovedbytheICANNBoardtobeeffectivehereunder.
(b) SubjecttoSection9.2(a),thefirstRenewalTermshallcommenceimmediatelyfollowingtheendoftheInitialTermandeachRenewalTermthereaftershallcommence
14
immediatelyfollowingtheendoftheprecedingRenewalTerm.EachRenewalTermshallendonthefifthanniversaryofthecommencementoftheRenewalTerm.
Section9.3 Transition.
(a) Contractorshalldevelopandmaintain,withICANNinput,aplaninplacefortransitioningtheIANANamingFunctiontoasuccessorprovidertoensureanorderlytransitionwhilemaintainingcontinuityandsecurityofoperations,includinginconnectionwiththenonrenewalofthisContractand/ordivestitureorotherreorganizationofPTIbyICANNascontemplatedbyICANN’sBylaws.ThetransitionplanshallbesubmittedtoICANNandpostedtotheIANAWebsitewithin18monthsaftertheEffectiveDate.Theplanshallthereafterbereviewedannuallyandupdatedasappropriate.
(b) ContractorshallprovidesupportandcooperationtoICANN,andtoanysuccessorprovideroftheIANANamingFunction,inordertoeffectanorderly,stable,secureandefficienttransitionoftheperformanceoftheIANANamingFunction.
(c) ContractoragreestobeengagedinthetransitionplanandtoprovideappropriatetransitionstaffandexpertisetofacilitateastableandsecuretransitionoftheIANANamingFunctiontoasuccessorprovider.
(d) ICANN,inconjunctionwiththeCSCasnecessary,shallreviewthetransitionplanatleasteveryfiveyears.
Section9.4 SurvivalofTerms.UpontheexpirationorterminationofthisContractunderthisARTICLEIX,thisContractshallbecomewhollyvoidandofnofurtherforceandeffect,andfollowingsuchexpirationorterminationnoPartyshallhaveanyliabilityunderthisContracttotheotherParty,exceptthateachPartyheretoshallremainliableforanybreachesofthisContractthatoccurredpriortoitsexpirationortermination;provided,however,thatthefollowingprovisionsshallsurvivetheexpirationorterminationofthisContract:ARTICLEI,ARTICLEIII,Section9.3,ARTICLEXII,ARTICLEXIII,Section14.1(butonlywithrespecttoobligationsaccruingpriortotheexpirationorterminationofthisContract),Section14.2throughSection14.15,andthisSection9.4.
ARTICLEX:RESOURCES,FEESANDBUDGET
Section10.1 ResourcesandFees.
(a) ICANNshallprovideormakeavailabletoContractorthenecessarypersonnel(includingsecondedemployees),material,equipment,servicesandotherresourcesandfacilitiestoperformContractor’sobligationsunderthisContract,includingfundinginaccordancewiththeApprovedIANABudget.
(b) ContractormaynotchargeorcollectfeesfromthirdpartiesrelatedtotheperformanceoftheIANANamingFunctionwithoutthepriorwrittenconsentofICANN.
15
(c) AnyfeesapprovedbyICANNandchargedbyContractorrelatingtotheIANANamingFunctionwillbebasedontheactualcostsincurredbyContractortoperformtheIANANamingFunction.
(d) ICANNacknowledgesandagreesthattheperformancebyContractoroftheIANANamingFunctionisconditioneduponthefullandcompleteperformanceofalloftheservicesandobligationsrequiredofICANNundertheServicesContractbetweenICANNandContractor.
Section10.2 Budget.ContractorshallcomplywiththerequirementssetforthinitsBylawsrelatingtopreparing,submittingandmonitoringanannualbudget.ICANNwillmeetannuallywiththeGeneralManagerofContractortoreviewtheannualbudgetfortheIANANamingFunction,whichshallbeapprovedinaccordancewithContractor’sBylawsandICANN’sBylaws(“ApprovedIANABudget”).
ARTICLEXI:SECURITYREQUIREMENTS
Section11.1 ComputingSystems.WithrespecttotheperformanceoftheIANANamingFunction,Contractorshallinstallandoperateallcomputingandcommunicationssystemsinaccordancewithbestbusinessandsecuritypractices.ICANNandContractorshallimplementasecuresystemforauthenticatedcommunicationstoContractor’scustomerswhencarryingouttheIANANamingFunctionpursuanttothetermsofthisContract.ICANNandContractorshalldocumentpracticesandconfigurationofallsystems.
Section11.2 NotificationSystems.Contractorshallimplementandthereafteroperateandmaintainasecurenotificationsystemataminimum,capableofnotifyingTLDregistryoperators,ofsucheventsasoutages,plannedmaintenance,andnewdevelopments.Inallcases,ContractorshallnotifyICANNofanyoutages.
Section11.3 Data.Contractorshallensuretheauthentication,integrity,andreliabilityoftheservicedatainperformingtheIANANamingFunction.
Section11.4 SecurityPlan.ICANNshallcoordinatewithContractortodevelopandexecuteasecurityplanthatmeetstherequirementsofthisContractandthisARTICLEXI.ICANNandContractorshalldocumentinthesecurityplantheprocessusedtoensureinformationsystemsincludinghardware,software,applications,andgeneralsupportsystemshaveeffectivesecuritysafeguards,whichhavebeenimplemented,plannedfor,anddocumented.Contractorshall,incoordinationwithICANN,performperiodicreviewsofthesecurityplanandupdatetheplanasnecessary.
Section11.5 DirectorofSecurity.Contractor’sDirectorofSecurityshallberesponsibleforensuringContractor’scompliancewiththetechnicalandphysicalsecuritymeasuresandrequirementsofthisContract.
16
ARTICLEXII:CONFIDENTIALITY
Section12.1 Confidentiality.EachofICANNandContractoragrees,intheperformanceofthisContract,tokeeptheinformationfurnishedbytheotherPartyoracquiredordevelopedbyICANNorContractorinperformanceofthisContract,inthestrictestconfidence.EachPartyalsoagreesnottopublishorotherwisedivulgesuchinformation,inwholeorinpart,inanymannerorform,nortoauthorizeorpermitotherstodoso,andshalltakereasonablemeasurestorestrictaccesstosuchinformationwhileinsuchParty'spossession,tothoseemployeesneedingsuchinformationtoperformtheworkdescribedherein,i.e.,ona“needtoknow”basis.EachofICANNandContractoragreestoimmediatelynotifytheotherPartyinwritingintheeventthatICANNorContractor,asapplicable,determinesorhasreasontosuspectabreachofthisrequirementhasoccurred.
Section12.2 Consent.ContractoragreesthatitwillnotdiscloseanyinformationdescribedinSection12.1toanypersonunlesspriorwrittenapprovalisobtainedfromICANN.Contractoragreestoinsertthesubstanceofthisclauseinanyconsultantagreementorsimilaragreement.
Section12.3 Cooperation.Contractoracknowledgesthatitisobligatedtocooperatewiththedisputeresolution,IFRTreviewandrelatedescalationproceduresinICANN’sBylawsandContractor’sBylawsandtoproducedocumentsandinformationinaccordancewith,andsubjecttothelimitationsof,thoseprocedures.
ARTICLEXIII:INTELLECTUALPROPERTY
Section13.1 Ownership.AsbetweenICANNandContractor,ICANNshallownallintellectualpropertyconceived,reducedtopractice,createdorotherwisedevelopedbyContractorunderthisContract(includingtheSOW).
Section13.2 Assignment.Contractorshallassign,andshallcauseallofitsemployeesandcontractorstoassign,allrightsinanypatentablesubjectmatter,patentapplications,copyrights,tradesecretsandallotherintellectualpropertycreatedbytheContractor,itsemployeesorcontractorspursuanttothisContracttoICANN.
Section13.3 WorkforHire.Withrespecttocopyright,allworkperformedbyContractorpursuanttothisContract(includingtheSOW)isa“workforhire”andICANNshallbedeemedtheauthorandshallownallcopyrightableworkscreatedbyContractorhereunder,andallcopyrightrightsthereto.Intheeventthisisnotdeemedaworkforhireagreement,ContractorherebyassignsandagreestoassignownershipoftheforegoingcopyrightableworksandcopyrightstoICANN.
Section13.4 License.ICANNshalllicensebackanypatents,patentapplications,copyrightsandtradesecretstoContractorforthedurationoftheTermsolelytotheextentnecessaryforContractortoperformitsobligationsunderthisContract.Thislicenseshallbenon-exclusive,non-assignable,non-sublicensable,non-transferableandroyalty-free.
17
ARTICLEXIV:MISCELLANEOUS
Section14.1 Indemnification.SolongasContractorisanaffiliateofICANN(i.e.ICANNisthesolememberofContractor,withtheabilitytoelectatleastamajorityofthedirectorsofthePTIBoard),ICANNshallindemnifyandholdharmlessContractor,itsofficers,agents,andemployeesfromliabilityofanynatureorkind,includingcostsandexpensestowhichtheymaybesubject,fororonaccountofanyorallthird-partyclaims,suitsordamagesofanycharacterwhatsoever,(i)resultingfrominjuriesordamagessustainedbyanypersonorpersonsorpropertybyvirtueofContractor’sperformanceofthisContractorfailuretoperformunderthisContract,or(ii)arisingorresultinginwholeorinpartfromthefault,negligence,wrongfulactorwrongfulomissionofICANNoranyofitssubcontractors(otherthanContractor),ortheirrespectiveemployeesoragents.
Section14.2 Notices.AllnoticestobegivenunderorinrelationtothisContractwillbegiveneither(i)inwritingattheaddressoftheappropriatePartyassetforthbelowor(ii)viaelectronicmailasprovidedbelow,unlessthatPartyhasgivenanoticeofchangeofpostaloremailaddress,asprovidedinthisContract.
IftoICANN:
InternetCorporationforAssignedNamesandNumbers12025WaterfrontDrive,Suite300LosAngeles,CA90094-2536Attn:PresidentandChiefExecutiveOfficerPhone: +1-310-301-5800Email:[●]
Withacopyto(whichshallnotconstitutenotice):
InternetCorporationforAssignedNamesandNumbers12025WaterfrontDrive,Suite300LosAngeles,CA90094-2536Attn:GeneralCounselPhone: +1-310-301-5800Email:[●]
Withacopyto(whichshallnotconstitutenotice):
InternetCorporationforAssignedNamesandNumbers12025WaterfrontDrive,Suite300LosAngeles,CA90094-2536Attn:President,GlobalDomainsDivisionPhone: +1-310-301-5800Email:[●]
18
IftoContractor:
PublicTechnicalIdentifiers12025WaterfrontDrive,Suite300LosAngeles,CA90094-2536Attn:[●]Phone: [●]Email:[●]
Withacopyto(whichshallnotconstitutenotice):
InternetCorporationforAssignedNamesandNumbers12025WaterfrontDrive,Suite300LosAngeles,CA90094-2536Attn:GeneralCounselPhone: +1-310-301-5800Email:[●]
AnynoticerequiredbythisContractwillbedeemedtohavebeenproperlygiven(i)ifinpaperform,whendeliveredinpersonorviacourierservicewithconfirmationofreceiptor(ii)ifbyelectronicmail,uponconfirmationofreceiptbytherecipient’semailserver,providedthatsuchnoticeviaelectronicmailshallbefollowedbyacopysentbyregularpostalmailservicewithinthreecalendardays.Intheeventothermeansofnoticebecomepracticallyachievable,suchasnoticeviaasecurewebsite,thepartieswillworktogethertoimplementsuchnoticemeansunderthisContract.
Section14.3 Amendments.ExceptasprovidedinSection7.3(c),anytermorprovisionofthisContractmaybeamended,andtheobservanceofanytermofthisContractmaybewaivedonlybyaphysicalwritingreferencingthisContract,andeither(a)manuallysignedbythePartiestobeboundor(b)digitallysignedbythePartiestobebound.NothinghereinshalllimitSection7.3(c)aboveorICANN’sobligationsunderICANN’sBylawstotheextentrelatedtoICANN’scommitmentsrelatedtotheamendmentormodificationofthisContract,includingtheabilitytoamendthisContractpursuanttoanapprovedIFRRecommendation,anapprovedSpecialIFRRecommendationoranapprovedSCWGRecommendation,eachasdefinedandsetforthinICANN’sBylaws.
Section14.4 Waiver.AnytermorprovisionofthisContractmaybewaived,orthetimeforitsperformancemaybeextended,bythePartyorPartiesentitledtothebenefitthereof.AnysuchextensionorwaivershallbevalidlyandsufficientlyauthorizedforthepurposesofthisContractif,astoanyParty,itisauthorizedinwritingbyanauthorizedrepresentativeofthePartyentitledtothebenefitsofanysuchwaivedtermorprovision.ThefailureordelayofanyPartytoassertorenforceatanytimeanyprovisionof,oranyofitsrightsunder,thisContractshallnotbeconstruedtobeawaiverofsuchprovision,norinanywaytoaffectthevalidityofthisContractoranyparthereofortherightofanyPartythereaftertoenforceeachandeverysuch
19
provision.NowaiverofanybreachofthisContractshallbeheldtoconstituteawaiverofanyotherorsubsequentbreach.
Section14.5 Severability.IfanyprovisionofthisContractshouldbefoundbyacourtofcompetentjurisdictiontobeinvalid,illegalorunenforceable,thevalidity,legalityandenforceabilityoftheremainingprovisionsshallnotbeaffectedorimpairedthereby.
Section14.6 AssignmentandSubcontracting.
(a) NeitherPartymayassignortransferthisContract,oranyobligationunderthisContract(inwholeorinpart,andwhethervoluntarily,involuntarily,orbyoperationofLaw)withouttheotherParty’spriorwrittenconsent.
(b) PTIshallnotsubcontractalloranyportionofitsrightsorobligationsunderthisContract.
Section14.7 GoverningLaw.ThePartiesagreethatthisContract,andanyandalldisputesarisingoutoforrelatedtothisContract,shallbegovernedby,construed,andenforcedinallrespectsinaccordancewiththeLawsoftheStateofCalifornia,UnitedStatesofAmerica,excludingitsconflictoflawsrules.EachPartyexpresslywaivesanyclaimthatthejurisdictionofsuchcourtwithrespecttopersonaljurisdictionisimproperorthatthevenueisinconvenientorimproper.
Section14.8 ThirdPartyBeneficiaries.NoprovisionofthisContractisintendedto,norshallbeinterpretedto,provideorcreateanyrights,benefitsoranyotherinterestofanykindinanythirdpartyorcreateanyobligationsofICANNorContractortoanythirdparty.
Section14.9 EnglishVersion.IfthisContractistranslatedintoanylanguageotherthanEnglish,andifthereisaconflictbetweentheEnglishversionandthetranslatedversion,thentheEnglishversionshallprevailinallrespects.
Section14.10 SavingsClause.Anydelay,nonperformanceorotherbreachbyaPartyofitsobligationsunderthisContractandanyliabilitytherefor,shallbeexcusedtotheextentsuchfailureiscausedbytheotherParty’sactsoromissionsortheactsoromissionsofsuchParty’semployeesorcontractors,includingsuchParty’sfailuretoperformitsobligationsunderthisContract.
Section14.11 CumulativeRemedies.Exceptasotherwiseexpresslyprovided,allremediesprovidedforinthisContractshallbecumulativeandinadditionto,andnotinlieuof,anyotherremediesavailabletoeitherParty.
Section14.12 Counterparts.ThisContractmaybeexecutedincounterparts,allofwhichtakentogethershallconstituteonesingleagreementbetweentheParties.
Section14.13 Headings.ThePartiesagreethattheheadingsusedinthisContractareforeaseofreferenceonlyandshallnotbetakenintoaccountininterpretingtheContract.
20
Section14.14 FurtherAssurances.SubjecttothetermsandconditionsofthisContract,eachofICANNandContractoragreestousecommerciallyreasonablebesteffortstotake,orcausetobetaken,allappropriateaction,andtodo,orcausetobedone,allthingsreasonablynecessary,properoradvisableunderapplicablelawstomakeeffectivethetransactionscontemplatedbythisContract.
Section14.15 EntireContract.ThisContract,includingallstatementsofwork,schedules,exhibitsorotherattachmentshereto,constitutestheentireunderstandingandagreementbetweenICANNandContractorwithrespecttothesubjectmatterofthisContract,andsupersedesanyandallpriororcontemporaneousoralorwrittenrepresentation,understanding,agreementorcommunicationrelatingthereto.
[SignaturePageFollows]
INWITNESSWHEREOF,thePartieshavecausedthisContracttobedulyexecutedasofthedatesetforthbelow.
INTERNETCORPORATIONFORASSIGNEDNAMESANDNUMBERS
By:_________________________________ (Signature)
____________________________________Name(print)
____________________________________Title
PUBLICTECHNICALIDENTIFIERS
By: ________________________________ (Signature)
____________________________________ Name(print)
____________________________________Title
ANNEXA:STATEMENTOFWORKFORMANAGEMENTOFTHEDNSROOTZONE
1. ROOTZONEMANAGEMENT
a. TheRootZoneManagementcomponentoftheIANANamingFunctionistheadministrationofcertainresponsibilitiesassociatedwiththeInternetDNSrootzonemanagement.
b. ContractorshallcollaboratewithInterestedandAffectedPartiestodevelop,maintain,enhanceandpostperformancestandardsforRootZoneManagement.Specifically,ContractorshallperformRootZoneManagementinaccordancewiththeservicelevelssetforthinSection2.
c. ContractorshallalsoimplementDNSSECinallzonesforwhichICANNhastechnicaladministrationauthority.
d. Contractorshallfacilitateandcoordinatetherootzoneofthedomainnamesystem,andmaintain24hour-a-day/7days-a-weekoperationalcoverage.ContractorshallworkcollaborativelywiththeRootZoneMaintainer,intheperformanceofthisfunction.
i. ContractorshallreceiveandprocessrootzonefilechangerequestsforTLDs.ThesechangerequestsincludeadditionofneworupdatestoexistingTLDnameservers(“NS”)anddelegationsigner(“DS”)resourcerecord(“RR”)informationalongwithassociated“glue”(AandAAAARRs).AchangerequestmayalsoincludenewTLDentriestotherootzonefile.ContractorshallprocessrootzonefilechangesasspecifiedinSection2ofthisAnnexA.
ii. Contractorshallmaintain,update,andmakepubliclyaccessibleaRootZoneregistrationdatabasewithcurrentandverifiedcontactinformationforallTLDregistryoperators.TheRootZoneregistrationdatabase,ataminimum,shallconsistofthefollowingdatafields:domainstatusandcontactpointsforresolvingissuesrelatingtotheoperationofthedomain(comprisedofatleastorganizationalname,postaladdress,emailaddressandtelephonenumber).ContractorshallreceiveandprocessrootzoneregistrationdatachangerequestsforTLDs.
iii. ContractorshallapplyexistingpoliciesinprocessingrequestsrelatedtotheDelegation,RevocationandTransferofccTLDs,includingRFC1591asinterpretedbytheFOIandanyfurtherclarificationofthesepoliciesdevelopedbytheccNSO,asappropriateunderICANN’sBylaws,andapprovedbytheICANNBoard.Inadditiontothesepolicies,Contractorshall,whereapplicable,consulttheGAC2005ccTLDPrinciples.Ifanexistingpolicyframeworkdoesnotcoveraspecificsituation,Contractor
willusecommerciallyreasonableeffortstoconsultwithandprovideopportunityforinputfromSignificantlyInterestedPartiesand,wherenecessary,mayrequesttheccNSOtoundertakepolicydevelopmentworktoaddresssuchissues.
iv. ContractorshallapplyexistingpolicyframeworksinprocessingrequestsrelatedtoretirementofaccTLD,includingRFC1591asinterpretedbytheFOIandanyfurtherclarificationofthesepoliciesdevelopedbytheccNSO,asappropriateunderICANN’sBylaws,andapprovedbytheICANNBoard.Ifanexistingpolicydoesnotcoveraspecificsituation,ContractorwillusecommerciallyreasonableeffortstoconsultwithandprovideopportunityforinputfromSignificantlyInterestedPartiesand,wherenecessary,mayrequesttheccNSOtoundertakepolicydevelopmentworktoaddresssuchissues.
v. ContractorshallverifythatallrequestsrelatedtothedelegationandredelegationofgenericTLDsareconsistentwiththeproceduresdevelopedbyICANN.
vi. Contractorshallmaintainanautomatedrootzonemanagementsystemthat,ataminimum,includes(A)asecure(encrypted)systemforcustomercommunications;(B)anautomatedprovisioningprotocolallowingcustomerstomanagetheirinteractionswiththerootzonemanagementsystem;(C)anonlinedatabaseofchangerequestsandsubsequentactionswherebyeachcustomercanseearecordoftheirhistoricrequestsandmaintainvisibilityintotheprogressoftheircurrentrequests;(D)atestsystem,whichcustomerscanusetomeetthetechnicalrequirementsforachangerequest;and(E)aninternalinterfaceforsecurecommunicationsbetweentheContractorandtheRootZoneMaintainer.
2. SERVICELEVELS
a. ContractorshallperformtheServices inaccordancewiththefollowing“ServiceLevels”. The expectation is that Contractor will normally perform within thethreshold.Thethresholdswillbemodifiedovertimeaspartofperiodicreviewsof the service level expectation. A subset of the followingmeasures relate tomeasurementofnon-routinechangeswhereitisnotapplicabletosetaspecificthreshold for performance. It is expected for measurements of non-routineprocess steps these will only be reported with no applicable service levelexpectation.
b. ServicesDefinitions
i. CategoryI(RoutineupdatesimpactingRootZoneFile).RoutinechangerequeststhatalterthetechnicaldatapublishedintheDNSrootzone(e.g.changestoNSrecords,DSrecordsandgluerecords).Athirdpartymaybeengagedtocompile,publishanddistributetherootzone.
ii. CategoryII(RoutineupdatesnotimpactingRootZoneFile).RoutinechangerequeststhatdonotaltertheDNSrootzone(e.g.,contactdataandmetadata).Thesechangesdonotrequirechangestotherootzone.
iii. CategoryIII(CreatingorTransferringagTLD).Requeststocreate(“delegate”)ortransfer(“redelegate”or“assign”)agenericTLD.ThesechangesrequireadditionalprocessingbyContractortoensurepolicyandcontractualrequirementsassociatedwithachangeofcontrolfortheTLDaremet.
iv. CategoryIV(CreatingorTransferringaccTLD).Requeststocreateortransferacountry-codeTLD.ThesechangesrequireadditionalprocessingbyContractortoensurepolicyrequirementsaremet.Thisprocessingincludesadditionalanalysisonthechangerequest,productionofareport,andreviewofthereport(includingverificationthatallexistingregistrationdatahasbeensuccessfullytransferredfromtheoldtonewregistryoperator).
v. CategoryV(Otherchangerequests).Othernon-routinechangerequests.Contractorisrequiredtoprocesschangerequeststhatmayhavespecialhandlingrequirements,orrequireadditionaldocumentaryevidenceorclarificationsfromthecustomerorthirdparties,thatpreventautomatingthehandlingoftherequest.Theserequestsinclude,butarenotlimitedto:
1. Customersthatrequirerequeststobehandledoutsidetheonlineself-serviceplatform,suchasthoselodgingchangerequeststhroughtheexchangeofpostalmail;
2. CustomersthathaveplacedspecialhandlinginstructionsonfilewithContractor,orhaveotherwiseaskedforspecialhandlingforarequestthatdeviatesfromthenormalprocess,resultingintherequestbeingexecutedmanually;
3. Uniquelegalorregulatoryencumbrancesthatmustbesatisfiedthatrequireadditionalprocessing;
4. RemovingaTLDfromservice(i.e.retirementorrevocation);and
5. Changesthatrelatetotheoperationoftherootzoneitself,includingchangingtheRootKeySigningKey,alteringthesetofauthoritativenameserversfortherootzone(i.e.the“rootservers”),andchangestothe“roothints”.
c. ServiceLevels
i. Thefieldsinthefollowingtablesareasfollows:
1. Process. The business process that Contractor is requested toperform.
2. Metric.Theindividualmetricthatwillbemeasuredaspartofthecompletionofthebusinessprocess.
3. Threshold. The specified target for each individual changerequest.
4. Type. Whether the threshold specified is a minimum target(compliance must not be less than the target) or a maximumtarget(compliancemustnotbemorethanthetarget).
5. Compliance. The percentage that the target goal in aggregatemustbemetorexceededwithinthespecifiedtimeperiodforallrequestsinthespecifiedcategory.
6. Period.Thetimeoverwhichcomplianceismeasured.(TheperiodofcollectingmeasurementstomeettheServiceLevelAgreement(SLA)).
ii. ProcessPerformance. Total Contractor transaction time for emergencychangesshouldbecompletedwithinatargetof12hoursuntilreviewedbytheCSCwithContractor.
ProcessCategory
Metric Threshold Type Compliance Period
CategoryI—RoutineupdatesimpactingRootZoneFile(NS,DSandgluerecords)
SubmissionTimeforticketconfirmationtobesenttorequesterfollowingreceiptofchangerequestviaautomatedsubmissioninterface
≤60secs Max 95% Month
ProcessCategory
Metric Threshold Type Compliance Period
TimeforlodgmentofchangerequestintoRZMSbyContractoronbehalfofrequestsentbyemail
≤3days Max 95% Month
TechnicalChecksTimetoreturnresultsfortechnicalchecksfollowingsubmissionofrequestviaautomatedsubmissioninterface
≤50mins Max 95% Month
Timetoreturnresultsforsubsequentperformanceoftechnicalchecksduringretestingduetoearlierfailedtests
≤3mins Max 95% Month
ContactConfirmationTimeforauthorizationcontactstobeaskedtoapprovechangerequestaftercompletingpreviousprocessphase
≤60secs Max 95% Month
TimeforresponsetobeaffirmedbyContractor
≤60secs Max 95% Month
ContractorReviewandProcessingTimetocompleteallothervalidationsandreviewsbyContractorandreleaserequestfor
≤5days Max 90% Month
ProcessCategory
Metric Threshold Type Compliance Period
implementationSupplementalTechnicalChecks
TimetoreturnresultsforperformanceoftechnicalchecksduringSupplementalTechnicalCheckphase
≤60secs Max 95% Month
ImplementationofChangesTimeforrootzonechangestobepublishedfollowingcompletionofvalidationsandreviewsbyContractor
≤72hrs Max 99% Month
Timetonotifyrequesterofchangecompletionfollowingpublicationofrequestedchanges
≤60secs Max 95% Month
CategoryII—RoutineupdatesnotimpactingRootZoneFile(Contactdetailsandmetadata)
SubmissionTimeforticketconfirmationtobesenttorequesterfollowingreceiptofchangerequestviaautomatedsubmissioninterface
≤60secs Max 95% Month
TimeforlodgmentofchangerequestintoRZMSbyContractoronbehalfofrequestsentbyemail
≤3days Max 95% Month
TechnicalChecksTimetoreturn No Not Not Not
ProcessCategory
Metric Threshold Type Compliance Period
resultsfortechnicalchecksfollowingsubmissionofrequestviaautomatedsubmissioninterface
TechnicalChecksUndertaken
Applicable Applicable Applicable
Timetoreturnresultsforsubsequentperformanceoftechnicalchecksduringretestingduetoearlierfailedtests
NoTechnicalChecksUndertaken
NotApplicable
NotApplicable
NotApplicable
ContactConfirmationTimeforauthorizationcontactstobeaskedtoapprovechangerequestaftercompletingpreviousprocessphase
≤60secs Max 95% Month
TimeforresponsetobeaffirmedbyContractor
≤60secs Max 95% Month
ContractorReviewandProcessingTimetocompleteallothervalidationsandreviewsbyContractorandreleaserequestforimplementation
≤5days Max 90% Month
SupplementalTechnicalChecksTimetoreturnresultsforperformanceoftechnicalchecksduringSupplemental
NoTechnicalChecksUndertaken
NotApplicable
NotApplicable
NotApplicable
ProcessCategory
Metric Threshold Type Compliance Period
TechnicalCheckphase
ImplementationofChangesTimeforrootzonechangestobepublishedfollowingcompletionofvalidationsandreviewsbyContractor
NoTechnicalChecksUndertaken
NotApplicable
NotApplicable
NotApplicable
Timetonotifyrequesterofchangecompletionfollowingpublicationofrequestedchanges
≤60secs Max 95% Month
CategoryIII—CreatingorTransferringagTLD
SubmissionTimeforticketconfirmationtobesenttorequesterfollowingreceiptofchangerequestviaautomatedsubmissioninterface
≤60secs Max 95% Month
TimeforlodgmentofchangerequestintoRZMSbyContractoronbehalfofrequestsentbyemail
≤3days Max 95% Month
TechnicalChecksTimetoreturnresultsfortechnicalchecksfollowingsubmissionofrequestviaautomatedsubmissioninterface
≤50mins Max 95% Month
Timetoreturn ≤3mins Max 95% Month
ProcessCategory
Metric Threshold Type Compliance Period
resultsforsubsequentperformanceoftechnicalchecksduringretestingduetoearlierfailedtests
ContactConfirmationTimeforauthorizationcontactstobeaskedtoapprovechangerequestaftercompletingpreviousprocessphase
≤60secs Max 95% Month
TimeforresponsetobeaffirmedbyContractor
≤60secs Max 95% Month
ContractorReviewandProcessingTimetocompleteallothervalidationsandreviewsbyContractorandreleaserequestforimplementation
≤10days Max 90% Month
SupplementalTechnicalChecksTimetoreturnresultsforperformanceoftechnicalchecksduringSupplementalTechnicalCheckphase
≤5mins Max 95% Month
ImplementationofChangesTimeforrootzonechangestobepublishedfollowingcompletionofvalidationsand
≤72hrs Max 99% Month
ProcessCategory
Metric Threshold Type Compliance Period
reviewsbyContractorTimetonotifyrequesterofchangecompletionfollowingpublicationofrequestedchanges
≤60secs Max 95% Month
CategoryIV—CreatingorTransferringaccTLD
Submission
Timeforticketconfirmationtobesenttorequesterfollowingreceiptofchangerequestviaautomatedsubmissioninterface
≤60secs Max 95% Month
TimeforlodgmentofchangerequestintoRZMSbyContractoronbehalfofrequestsentbyemail
≤3days Max 95% Month
TechnicalChecks Timetoreturn
resultsfortechnicalchecksfollowingsubmissionofrequestviaautomatedsubmissioninterface
≤50mins Max 95% Month
Timetoreturnresultsforsubsequentperformanceoftechnicalchecksduringretestingdue
≤3mins Max 95% Month
ProcessCategory
Metric Threshold Type Compliance Period
toearlierfailedtests
ContactConfirmation Timefor
authorizationcontactstobeaskedtoapprovechangerequestaftercompletingpreviousprocessphase
≤60secs Max 95% Month
TimeforresponsetobeaffirmedbyContractor
≤60secs Max 95% Month
ContractorReviewandProcessing Timetocomplete
allothervalidationsandreviewsbyContractorandreleaserequestforimplementation
≤60days Max 100% Month
Timeforthird-partyreviewofrequest(e.g.byICANNBoardofDirectors,PTIBoardorotherrelevantverificationparties)
(WhereApplicable)≤60days(subjecttoreview)
IntentionallyLeftBlank
IntentionallyLeftBlank
IntentionallyLeftBlank
SupplementalTechnicalChecks Timetoreturn
resultsforperformanceoftechnicalchecksduringSupplementalTechnicalCheckphase
≤5mins Max 95% Month
ImplementationofChanges Timeforrootzone
changestobepublishedfollowing
≤72hrs Max 99% Month
ProcessCategory
Metric Threshold Type Compliance Period
completionofvalidationsandreviewsbyContractor
Timetonotifyrequesterofchangecompletionfollowingpublicationofrequestedchanges
≤60secs Max 95% Month
CategoryV—Otherchangerequests(i.e.non-routinechangerequests)
SubmissionTimeforticketconfirmationtobesenttorequesterfollowingreceiptofchangerequestviaautomatedsubmissioninterface
≤60secs Max 95% Month
TimeforlodgmentofchangerequestintoRZMSbyContractoronbehalfofrequestsentbyemail
≤3days Max 95% Month
TechnicalChecksTimetoreturnresultsfortechnicalchecksfollowingsubmissionofrequestviaautomatedsubmissioninterface
≤50mins Max 95% Month
Timetoreturnresultsforsubsequentperformanceoftechnicalchecksduringretestingduetoearlierfailed
≤3mins Max 95% Month
ProcessCategory
Metric Threshold Type Compliance Period
testsContactConfirmation
Timeforauthorizationcontactstobeaskedtoapprovechangerequestaftercompletingpreviousprocessphase
≤60secs Max 95% Month
TimeforresponsetobeaffirmedbyContractor
≤60secs Max 95% Month
ContractorReviewandProcessingTimetocompleteallothervalidationsandreviewsbyContractorandreleaserequestforimplementation
NoValidationsUndertaken
NotApplicable
NotApplicable
NotApplicable
SupplementalTechnicalChecksTimetoreturnresultsforperformanceoftechnicalchecksduringSupplementalTechnicalCheckphase
≤5mins Max 95% Month
ImplementationofChangesTimeforrootzonechangestobepublishedfollowingcompletionofvalidationsandreviewsbyContractor
≤72hrs Max 99% Month
Timetonotifyrequesterofchangecompletionfollowing
≤60secs Max 95% Month
ProcessCategory
Metric Threshold Type Compliance Period
publicationofrequestedchanges
d. Accuracy
Metric Measurement Threshold Type Compliance PeriodRootzonefiledatapublishedintherootzonematchesthatprovidedinthechangerequest
Accuracy 100% Min <100%
Rootzonedatabaseiscorrectlyupdatedinaccordancewithchangerequests(doesnotincludeimpactofnormalizationandotherprocessingstandardization-whichinanyeventshallneverdetrimentallyimpacttheupdate)
Accuracy 100% Min <100%
e. OnlineServicesAvailabilityandEnquiryProcessing
Metric Threshold Type Compliance Period
RZMSavailability—availabilityofanonlineinteractivewebserviceforcredentialedcustomerstosubmitchangerequeststotheirrootzonedatabaseentries.
≥99.0% Min <99% Month
Websiteavailability—availabilityofrootzonemanagementrelateddocumentation(i.e.onhttp://www.iana.org)
≥99.0% Min <99% Month
Directoryserviceavailability—availabilityoftheauthoritativedatabaseofTLDs
≥99.0% Min <99% Month
Credentialrecovery— ≤60secs Max 95% Month
timetodispatchconfirmationemailofforgottenusernameorpasswordCredentialchange—timetoimplementnewpasswordwithinthesystem
≤5min Max 95% Month
Dashboardupdatefrequency—averagetimetoupdatethedashboardtoensureup-to-datereporting
≤30min Max 100% Month
Dashboardaccuracy—thedatapresentedonthedashboardisaccurate
100% Min <100% Month
Dashboardavailability—availabilityofthedashboardonline
≥99% Min <99% Month
SLEreportproduction—timetoproducereportsfollowingtheconclusionofthereportingperiod
Monthly
SLEreportavailability—availabilityoftheSLEreportsandassociateddataonline
<10daysaftermonthend
Max >10days Month
SLEreportpublication—scheduleofreportingperiods
Monthly
Timetosendacknowledgeofenquiry—timetakentosendinitialacknowledgementofreceiptofageneralenquirypertainingtorootzonemanagement(butnotpertainingtointeractionsinachangerequestcontext)
≤60secs Max 95% Month
Timetosendinitialresponsetoenquiry—
≤5days Max 90% Month
timetakenforstafftorespondtoenquiry,eitherinpartorinwhole
f. TheseelementsreflectactivityareasthatshouldbeinstrumentedbyContractor,andreportedpursuanttoARTICLEVIIoftheContractandSection3ofthisSOW.
g. Either Party may initiate a change to the services performed by Contractorhereunder by delivering to the other a change request, in a form mutuallyacceptable to the Parties. Thereafter, the Parties will discuss the requestedchange in good faith and upon the Parties’ mutual written agreement that achange to the services performed by Contractor hereunder should be made,suchchangeshallbeevidenced inwritinganddeemedtobe incorporated intothisContract,withoutanyneedtoamendthetermsofthisContract.
3. PERFORMANCEMETRICREQUIREMENTS
a. ProgramReviewsandSiteVisits
i. ContractacknowledgesthattheCSCisentitledtoconductreviewsinaccordancewithICANN’sBylawsandtheCSCCharter.
ii. ContractoracknowledgesthatanIFRTisentitledtoconductsitevisitsinaccordancewithICANN’sBylaws.
b. MonthlyPerformanceProgressReport.ContractorshallprepareandsubmitreportsasmutuallyagreedbetweenContractorandtheCSC.
c. RootZoneManagementDashboard.ContractorshallworkcollaborativelywithICANNandInterestedandAffectedPartiestoproducethedashboardtoreportServiceLevelExpectationsforRootZoneManagement,whichwillbeusedforreal-timereportingofContractor’sperformance.
d. PerformanceStandardsReports.ContractorshalldevelopandpublishperformancestandardmetricreportsfortheIANANamingFunctioninconsultationwiththeCSC.Theperformancestandardsmetricreportswillbepublishedviaawebsiteeverymonth(nolaterthan15calendardaysfollowingtheendofeachmonth).
e. CustomerServiceSurvey.InaccordancewithICANN’sBylaws,ContractorshallcollaboratewiththeCSCandICANNtomaintainandenhancetheannualcustomerservicesurveyconsistentwiththeperformancestandardsforRootZoneManagement.Thesurveyshall,ataminimum,includeafeedbacksectionfortheIANANamingFunction.Nolaterthan60calendardaysaftercompletingacustomerservicesurvey,Contractorshallprepareareport(the“CSSReport”),
submittheCSSReporttoICANNandpubliclyposttheCSSReporttotheIANAWebsite.
f. FinalReport.ContractorshallprepareandsubmitafinalreportontheperformanceoftheIANANamingFunctionthatdocumentsstandardoperatingprocedures,includingadescriptionofthetechniques,methods,software,andtoolsemployedintheperformanceoftheIANANamingFunction.ContractorshallsubmitthereporttotheCSCandICANNnolaterthan30daysaftertheexpirationorterminationoftheContract.
g. Inspectionandacceptance.ICANNwillperformfinalinspectionandacceptanceofalldeliverablesandreportsarticulatedinthisSection3,assetforthinSection4.10(a)oftheContract.AnydeficienciesidentifiedbyICANNshallbecorrectedbyContractorandresubmittedtoICANNwithin10businessdaysafterContractor’sreceiptofnoticeofsuchdeficiency.
4. BASELINEREQUIREMENTSFORDNSSECINTHEAUTHORITATIVEROOTZONE
a. DNSSECattheauthoritativeRootZonerequirescooperationandcollaborationbetweentheContractorandtheRootZoneMaintainer.ThebaselinerequirementsencompasstheresponsibilitiesandrequirementsforContractorandtheseresponsibilitiesandrequirementsmustbeimplementedincooperationwithsimilarresponsibilitiesandrequirementsdefinedwithinICANN’srelationshipwiththeRootZoneMaintainer.
b. GeneralRequirements
i. TheRootZonesystemneedsanoverallsecuritylifecycle,suchasthatdescribedinISO27001,NISTSP800-53,etc.,andanysecuritypolicyforDNSSECimplementationmustbevalidatedagainstexistingstandardsforsecuritycontrols.
ii. Theremainderofthissectionhighlightssecurityrequirementsthatmustbeconsideredindevelopinganysolution.ISO27002:2005(formerlyISO17799:2005)andNISTSP800-53arerecognizedsourcesforspecificcontrols.NotethatreferencetoSP800-53isusedasaconvenientmeansofspecifyingasetoftechnicalsecurityrequirements.ThesystemsreferencedinthisdocumentareassumedtomeetalltheSP800-53technicalsecuritycontrolsorequivalentrequiredbyaHIGHIMPACTsystem.
iii. Wheneverpossible,referencestoNISTpublicationsaregivenasasourceforfurtherinformation.TheseSpecialPublications(“SP”)arenotintendedasauditingchecklists,butasnon-bindingguidelinesandrecommendationstoestablishaviableITsecuritypolicy.Comparable
securitystandardscanbesubstitutedwhereavailableandappropriate.AlloftheNISTdocumentreferencescanbefoundontheNISTComputerSecurityResearchCenterwebpage(http://www.csrc.nist.gov/).
c. SecurityAuthorizationandManagementPolicy
i. Contractorshallhaveitsownsecuritypolicyinplace;eachsecuritypolicymustbeperiodicallyreviewedandupdated,asappropriate.
1. SupplementalguidanceongeneratingaSecurityAuthorizationPolicymaybefoundinNISTSP800-37.
ii. Thepolicyshallhaveacontingencyplancomponenttoaccountfordisasterrecovery(bothman-madeandnaturaldisasters).
1. SupplementalguidanceoncontingencyplanningmaybefoundinSP800-34
iii. ThepolicyshalladdressIncidentResponsedetection,handlingandreporting(see4below).
1. SupplementalguidanceonincidentresponsehandlingmaybefoundinNISTSP800-61.
d. ITAccessControl
i. ThereshallbeanITaccesscontrolpolicyinplaceandenforcedforthekeymanagementfunctions
1. Thisincludesbothaccesstohardware/softwarecomponentsandstoragemediaaswellasabilitytoperformprocessoperations.
2. SupplementalguidanceonaccesscontrolpoliciesmaybefoundinNISTSP800-12.
ii. Userswithoutauthenticationshallnotperformanyactioninkeymanagement.
iii. Intheabsenceofacompellingoperationalrequirement,remoteaccesstoanycryptographiccomponentinthesystem(suchashardwaresecuritymodules)isnotpermitted.
e. SecurityTraining
i. AllpersonnelparticipatingintheRootZoneSigningprocessshallhaveadequateITsecuritytraining.
ii. SupplementalguidanceonestablishingasecurityawarenesstrainingprogrammaybefoundinNISTSP800-50.
f. AuditandAccountabilityProcedures
i. Contractorshallperiodicallyreview/update:(1)itsformal,documented,auditandaccountabilitypolicythataddressespurpose,scope,roles,responsibilities,managementcommitment,coordinationamongorganizationalentities,andcompliance;and(2)theformal,documentedprocedurestofacilitatetheimplementationoftheauditandaccountabilitypolicyandassociatedauditandaccountabilitycontrols.
1. SupplementalguidanceonauditingandaccountabilitypoliciesmaybefoundinNISTSP800-12.
2. Specificauditingeventsincludethefollowing:
a. Generationofkeys.
b. Generationofsignatures
c. Exportingofpublickeymaterial
d. Receiptandvalidationofpublickeymaterial(i.e.,fromtheZSKholderorfromTLDs)
e. Systemconfigurationchanges
f. Maintenanceand/orsystemupdates
g. Incidentresponsehandling
h. Othereventsasappropriate
ii. Incidenthandlingforphysicalandexceptionalcyber-attacksshallincludereportingtoICANNinatimeframeandformatasmutuallyagreedbyICANNandContractor.
iii. Theauditingsystemshallbecapableofproducingreportsonanad-hocbasisforICANNortheCSC.
iv. AversionofthereportsprovidedtoICANNortheCSCmustbemadepublicallyavailable.
g. PhysicalProtectionRequirements
i. Thereshallbephysicalaccesscontrolsinplacetoonlyallowaccesstohardwarecomponentsandmediatoauthorizedpersonnel.
1. SupplementalguidanceontokenbasedaccessmaybefoundinNISTSP800-73.
2. SupplementalguidanceontokenbasedaccessbiometriccontrolsmaybefoundinNISTSP800-76.
ii. Physicalaccessshallbemonitored,logged,andregisteredforallusersandvisitors.
iii. Allhardwarecomponentsusedtostorekeyingmaterialorgeneratesignaturesshallhaveshort-termbackupemergencypowerconnectionsincaseofsitepoweroutage.(SeeNISTSP800-53r3).
iv. Appropriateprotectionmeasuresshallbeinplacetopreventphysicaldamagetofacilitiesasappropriate.
h. AllComponents
i. Allhardwareandsoftwarecomponentsmusthaveanestablishedmaintenanceandupdateprocedureinplace.
1. SupplementalguidanceonestablishinganupgradingpolicyforanorganizationmaybefoundinNISTSP800-40
ii. Allhardwareandsoftwarecomponentsprovideameanstodetectandprotectagainstunauthorizedmodifications/updates/patching.
i. InterfaceBasicFunctionality
i. Contractor’sinterfaceshallhavetheabilitytoacceptandprocessTLDDSrecords,including:
1. AcceptTLDDSRRs
a. BeingabletoretrieveTLDDNSKEYrecordfromtheTLD,andperformparametercheckingfortheTLDkeys,includingverifyingthattheDSRRhasbeencorrectlygeneratedusingthespecifiedhashalgorithm.
2. Havingproceduresfor:
a. ScheduledrolloverforTLDkeymaterial;
b. SupportingemergencykeyrolloverforTLDkeymaterial;and
c. MovingTLDfromsignedtounsignedintherootzone.
ii. AbilitytosubmitTLDDSrecordupdatestotheRootZoneMaintainerforinclusionintotherootzone.
iii. AbilitytosubmitRZkeysettotheRootZoneMaintainerforinclusionintotherootzone.
Top Related