Officials urge agencies to coordinate their IPv6 and zero-trust plans
Agencies should develop their IPv6 and zero-trust architecture implementation plans simultaneously because the two work in tandem to improve network cybersecurity, say federal officials.
IPv6‘s 340 undecillion Internet Protocol addresses not only solve the scalability issue of IPv4, which ran out of readily available addresses in 2015, but they support end-to-end visibility and microsegmentation required for zero-trust security.
Agencies’ IPv6 implementation plans, due before the end of fiscal 2021, align with the cybersecurity executive order President Biden issued in May requiring agencies to develop zero-trust architecture implementation plans.
“By providing end-to-end network paths and better support of microsegmentation, the transition to IPv6-only is going to be a key component of zero-trust architecture — which is one of the key pillars of the executive order,” said Maria Roat, deputy federal chief information officer, during the IPv6 Summit hosted by the General Services Administration on Wednesday.
GSA officials at the event would not immediately comment on whether all agencies had met the Office of Management and Budget‘s 180-day deadline to publicize their IPv6 policies, set in a November memo, or if they’re on pace to complete one IPv6-only system pilot before the end of fiscal 2021.
Agencies have opened a “great dialogue” around IPv6 in recent recent months, with the Cloud and Infrastructure Community of Practice hosting meetings in January and May attended by hundreds of federal employees, said Tom Santucci, director of governmentwide policy for the Data Center Optimization Initiative and CloudSmart at GSA.
OMB’s memo further requires 80% of all IP-enabled assets on federal networks to operate in IPv6-only environments by fiscal 2025.
“Support from agency leadership and our industry partners is essential to meet this goal,” Roat said. “And when I say agency leadership, this is not just the CIOs; this is the [chief financial officers], this is the mission owners and everyone that has a stake in the modernization across the board.”
While IPv6 promotes zero-trust security, it also paves the way for 30 billion network devices to connect to the internet by 2023 — expanding the cyber threat landscape even as it improves 5G connectivity. That has agencies like the National Institute of Standards and Technology updating security guidance and developing related testbeds and practice guides.
NIST’s Guidelines for the Secure Deployment of IPv6 haven’t been updated since they were published in 2009.
“A lot has changed about the IPv6 technical landscape, how people handle transition mechanisms to bridge legacy systems, mp6 systems,” said Doug Montgomery, manager of internet and scalable systems research at NIST. “That security guidance needs updates.”
The goal is to turn the guidance into an IPv6 deployment scenario playbook for agencies’ decision makers, Montgomery added.
Meanwhile the National Cybersecurity Center of Excellence within NIST is launching a public-private partnership to demonstrate IPv6-only deployments with plans to produce a practice guide full of use cases.
NIST is also working to ensure IPv6 transitions are included in risk assessments under its Risk Management Framework.
The Cybersecurity and Infrastructure Security Agency is addressing the expanded cyber threat landscape IPv6 presents by issuing guidance for agencies and industry, starting with its Trusted Internet Connections 3.0 program. CISA also wants to ensure its tools can measure IPv6 implementation.
“We are making sure that all programs and services that CISA provides to federal agencies and other state, local, tribal and territorial governments also support IPv6,” said Branko Bokan, cybersecurity specialist at CISA.
While OMB has pushed a transition to IPv6 since 2005, for the first time every common operating system and platform on the market has a mature IPv6 implementation, and much more is known about how to transition away from IPv4, Montgomery said.
Now the majority of traffic to agencies’ public-facing services is IPv6 because industry surpassed the government in IPv6 adoption.
“Amazon Web Services supports the U.S. federal government’s move to IPv6,” wrote Dominic Delmolino, vice president of worldwide public sector technology and innovation at AWS, in a blog Tuesday. “Transitioning to IPv6 will make sure that growing government networks and Internet of Things devices benefit from the increased scale of IPv6.”
