Agencies are being pushed to move to more secure Internet Protocol version 6 (IPv6) systems and services under a finalized memo the Office of Management and Budget released Thursday.
The memo requires every agency to create a team of acquisition, policy and technical staff or another governance method within 45 days to enforce IPv6 efforts, issue and publicize a policy within 180 days, and ensure all new systems are IPv6-enabled by fiscal 2023.
Many agencies already maintain distinct network infrastructures, or dual stacks, for IPv6 and IPv4, the previous standard for identifying entities communicating over the internet. IPv4 will be phased out under milestones calling for 20% of IP-enabled assets on federal networks to operate in IPv6-only environments by the end of fiscal 2023, 50% by the end of fiscal 2024 and 80% by the end of fiscal 2025.
Systems that can’t be converted must be scheduled for replacement and retirement. IPv4 was developed in 1983 and ran out of readily available addresses in 2015, necessitating technical and economic stopgaps that hinder network infrastructure and innovation.
IPv6 uses 128-bit addresses, allowing 340 undecillion combinations, and supports end-to-end encryption and more secure name resolution, unlike IPv4’s 32-bit addresses, which consist of only four numbers ranging from zero to 255 separated by periods.
OMB’s memo requires agencies to complete at least one IPv6-only system pilot, as well as develop an implementation plan, by the end of fiscal 2021.
Agencies must use the National Institute of Standards and Technology’s “USGv6 Profile” for IPv6 capabilities when procuring information technology, although chief information officers may waive the requirement if an agency demonstrates “undue burden” and provides a transition timeline.
Former federal Chief Information Officer Suzette Kent, who was still in her role when the memo was first drafted, wrote in supplementary information that large network operators, software vendors, service providers, and state and foreign governments have “dramatically increased” IPv6 adoption in the last five years.
An OMB memo from August 2005 first required agencies to enable IPv6 on their backbone networks by June 2008. A second memo from September 2010 required agencies to upgrade servers and web and email services to IPv6 by the end of fiscal 2012, as well as client applications communicating with the public internet and their supporting networks by fiscal 2014.
Every deadline was missed.
While the Trump administration made an IPv6-only environment a priority in its proposed fiscal 2021 budget, agency CIOs have said the transition will still likely be a slow one.
Department of Commerce CIO André Mendes said in February that, despite the added security IPv6 provides, most breaches agencies suffer are due to human error: shoddy engineering, clicking on a phishing link or poor patching.
“We tend to focus on the really esoteric levels of the cybersecurity arena, but unfortunately most of the major breaks are driven by either stupidity or human error,” Mendes said. “So I think it’s high time that we really start focusing a lot of effort on making sure those particular issues are taken care of because sometimes, when you’re looking at the esoteric, you miss the really simple.”