CISA Releases Draft Guidance for Agencies’ Transition to IPv6

Federal agencies are on the clock to transition networks and systems to using Internet Protocol version 6, and the Trusted Internet Connection program office released draft guidance to help them make the move securely.

The last pools of addresses for the previous standard—IPv4—were exhausted in 2011. With that in mind, the Office of Management and Budget reissued the IPv6 transition mandate in March 2020, giving agencies until 2025 to shift at least 80% of systems to the new standard.

That work—which has been ongoing since 2005—is more than just flipping a switch. The IPv4 standard uses four sets of one to three digits to create 4.3 billion unique identifiers; IPv6 uses eight sets of four digits each, producing 340 undecillion IP addresses, or 340,000,000,000,000,000,000,000,000,000,000,000,000. All systems that use or interact with IP addresses—read: all systems—need to be recoded to accept the IPv6 format.

The TIC program office—part of the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency—has been working on the third iteration of the internet connection security policy: TIC 3. As the lead office in charge of prescribing how federal employees connect to agency networks, TIC officials developed guidance for agencies rearchitecting to enable IPv6.

“IPv6 is an essential component to enterprise network modernization that requires an increased understanding to fully leverage,” the document states.

The draft guidance released Thursday offers agencies baseline technical guidance on IPv6 and what is required for the transition, as well as additional cybersecurity issues to consider.

The document also goes into detail on the differences between IPv4 and IPv6 and how the latter offers more capabilities.

“There are many other differences between IPv4 and IPv6, but the addressing, security and mobility features are most relevant to federal agencies,” the draft states.

The guidance is meant to be generally applicable to every agency and is more of a guidepost than a set of requirements.

“This document is intended to be architecture-agnostic and broadly support the governmentwide deployment and use of the IPv6 network protocol,” it states. “It is not intended to be prescriptive but rather facilitate decision-making in determining the appropriate level of security in IPv6 environments.”

The draft is out for public comment through Oct. 15. TIC officials are primarily interested in feedback on two questions:

• Are there other TIC 3.0 IPv6-related considerations and/or security challenges that should be considered?
• While “IPv6 Considerations for TIC 3.0” is designed to be high-level, CISA may produce additional IPv6 guidance related to TIC 3.0 in the future. Is there specific guidance on IPv6 as it pertains to TIC 3.0 that your agency would find helpful?