It has been decades in the making, but the near future is crystal clear now: the DoD is mandating IPv6-only. This is different than previous pushes to move the Department to some level of IPv6 enablement – including IPv6/IPv4 dual-stack, etc. This new push comes with very specific actions. This directive also arrives at the heels of the U.S. Government’s (OMB M-21-07) own major directive mandating that all departments and agencies move to an IPv6-only state starting in FY 2023 and ending in FY 2025. Here are the absolute timelines for DoD as per the DoD memo DTM 21-004 released on 29 June 2021:
- Require that at least 20 percent of IP-enabled assets on DoD networks are operating in IPv6-only environments by the end of FY 2023.
- Require that at least 50 percent of IP-enabled assets on DoD networks are operating in IPv6-only environments by the end of FY 2024.
- Require that at least 80 percent of IP-enabled assets on DoD networks are operating in IPv6-only environments by the end of FY 2025.
So what does this mean for product vendors?
If you are an enterprise IT product vendor and you have done no planning or preparation for IPv6 in your product roadmap, then you have a lot of work to do. Based on Section 2.e, which is effective immediately: “Acquisitions of networked information technology hardware, software, and services will contain contract clauses with explicit requirements for IPv6 capabilities using the NIST/USGv6 Profile.” We are unsure how this will ultimately be enforced for procurements as the DoD Information Network Approved Products List (DoDIN APL) is currently a requirement.
DISA could follow two courses of action: (1) enforce USGv6 certification as a prerequisite to certification similar to the FIPS 140-2/3 requirement, or (2) initiate an IPv6-only test process in the current APL testing process. They currently don’t do this today and would require a lot of work in each of the test labs to move forward with this. Bottom line is this: USGv6 certification is required now – even for DoD procurements.
So what does this mean for DISA’s JRSS and the DISN?
The DISA Joint Regional Security Stack (JRSS) program has successfully migrated numerous departments, agencies, post, camps, and stations to a singular security stack and internet access point. However, JRSS currently has no support for anywhere in the stack or across the wide area network. That is is why section 2.1.q is very concerning: “Provides dual stack IPv4/IPv6 JRSS service to its customers beginning in FY 2022 and supports IPv6-only service starting in FY 2023.” JRSS has to provide at-least dual-stack services to supported customers starting in October 2021, and IPv6-only service starting in October of 2022.
This is also means that DISA has to ensure the backbone transit points are fully enabled for IPv6. DISA’s backbone network is the DoD Information Systems Network (DISN). DoD mandated that: “the Defense Information Systems Network (DISN) to provide dual stack Internet Protocol version 4 (IPv4)/IPv6 and IPv6-only connectivity to all DoD Components as a standard DISN service (i.e., without specifically requesting IPv6 service) by the end of FY 2021.” This means that the DISN has to have a fully available IPv6 network for all components by October of 2022.
Aggressive Mandates
This Directive-type Memorandum (DTM) has concrete milestones for everyone from its users, service providers, and acquisitions These are great steps and we really hope that DoD sticks to these dates and provides enforcement mechanisms and funding to ensure they are met. A lesson learned from the 2008 and 2012 mandates were that funding and oversight were never provided. With global adoption rates exponentially increasing, DoD has to take this mandate seriously this time for the good of the country and the world.
Are you a product vendor or DoD agency confused on where to get started? Get in touch with us today, we can help!