The U.S. Government Accountability Office (GAO) is closely monitoring the Federal government’s transition to Internet Protocol version 6 (IPv6), and believes that agencies need to provide better training for their employees as the shift accelerates, a top GAO official said on Jan. 25.
Jennifer Franks, Director, Information Technology and Cybersecurity at GAO, said the agency is conducting oversight and reviewing how agencies are handling the transition, which the government has required be mostly complete by the end of Fiscal Year 2025.
“From an oversight perspective, we are looking for how organizations are following federal legislation and guidance,” Franks said at a FedInsider webinar on securing networks from IPv6 threats. “…How are you being compliant in establishing the procedures you need for your various infrastructures” to make the transition is one of the things that GAO is watching, she said.
So far, she said, GAO has noticed that “one of the biggest challenges has been the lack of training” for employees in how to move to IPv6 while safeguarding Federal networks.
Federal civilian and Department of Defense (DoD) networks in recent years have begun to transition from the legacy Internet Protocol version 4 (IPv4) to IPv6, the latest-generation internet protocol addressing system. Development of IPv6 began in the late 1990s to address the exhaustion of IPv4 addresses, the last of which were issued in 2015, but the older-format addresses are still widely used across the globe.
A 2020 memo from the Office of Management and Budget (OMB) outlines the requirements for completing the operational deployment of all-IPv6 across Federal information systems and services, and sets a deadline for the end of Fiscal Year 2025 to have the vast majority of systems running IPv6 only.
The effort is considered vital to major Federal government IT and cybersecurity modernization plans – including the adoption of IoT and smart infrastructures – that depend on a scalable, robust and agile network infrastructure as a foundation.
While IPv6 provides a vastly larger address space to meet current and future needs, it also has a broad impact on cybersecurity that organizations should address with due diligence, according to recent guidance issued by the National Security Agency (NSA).
In the meantime, as the transition proceeds, some agencies continue to use IPv4, and many networks operate in dual-stack arrangements, running both IPv4 and IPv6 protocols simultaneously, as an interim solution toward an IPv6-only end state.
Experts have said that dual-stack raises additional security issues, such as expanded attack surfaces, a concern that Franks echoed in her presentation.
“We’re going to need to support a dual stack effort for the foreseeable future,” she said. “Although it isn’t the end goal, it’s a stepping stone to getting us to supporting IPv6-alone network capacity…but it becomes more complicated because for agencies, it increases our attack surface.”
The transition to IPv6 is also considered key to paving the way for migration to zero trust architectures, and Franks praised the U.S. Secret Service’s efforts as a model for other agencies.
GAO recently issued a report saying the Secret Service has made progress toward zero trust, though work remains. In her presentation, Franks noted that the report “did include plans to transition infrastructure from IPv4 to IPv6, which is really unique…having this plan in place is definitely one step the agency was taking to really add some additional security measures.”
Asked for her closing advice to Federal leaders overseeing the IPv6 transition, Franks focused on educating the workforce. “Education and awareness, there is so much out there,” she said. “New guidance, new procedures – just stay abreast of what’s really going on.”