Internet Protocol Version 6:

DOD Needs to Improve Transition Planning

GAO-20-402: Published: Jun 1, 2020. Publicly Released: Jun 1, 2020.

Additional Materials:

Contact:

Vijay A. D’Souza
(202) 512-6240
dsouzav@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

An internet protocol or “IP” address allows devices to send each other information over the internet. DOD began planning for its transition to the next version of IP in 2017, following at least 2 prior attempts to do so since 2003.

But, DOD has yet to clearly define the magnitude of work involved, the level of resources required, and the extent or nature of cybersecurity risks if vulnerabilities aren’t proactively managed.

We made 3 recommendations to DOD to inventory IP-compliant devices, estimate transition costs, and assess risks to develop more realistic transition plans and proactively address potential threats.

DOD relies on its IP networks to control drones and enable other mission-critical technologies

Two uniformed service members looking at monitors in a dark room

Two uniformed service members looking at monitors in a dark room

Additional Materials:

Contact:

Vijay A. D’Souza
(202) 512-6240
dsouzav@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

The Department of Defense's (DOD) current initiative to transition to Internet Protocol version 6 (IPv6), which began in April 2017, follows at least two prior attempts to implement IPv6 that were halted by DOD. In one effort that began in approximately 2003, DOD initially did make progress implementing IPv6 on its systems, but then the department ended the effort due to security risks and a lack of personnel trained in IPv6. DOD initiated another attempt in response to 2010 OMB guidance. However, this initiative was terminated shortly thereafter, again due to security concerns.

For its current initiative, DOD has not completed three of four longstanding OMB requirements (see table). Without an inventory, a cost estimate, or a risk analysis, DOD's plans have a high degree of uncertainty about the magnitude of work involved, the level of resources required, and the extent and nature of threats, including cybersecurity risks.

Status of the Department of Defense's (DOD) Efforts to Complete Selected Office of Management and Budget (OMB) Internet Protocol version 6 (IPv6) Transition Planning Requirements, as of March 2020

OMB requirement

Completed?

Assign an official to lead and coordinate agency planning

Yes

Complete an inventory of existing IP compliant devices and technologies

No

Develop a cost estimate

No

Develop a risk analysis

No

Source: GAO analysis of DOD documentation. | GAO-20-402

In February 2019, DOD released its own IPv6 planning and implementation guidance that listed 35 required transition activities, 18 of which were due to be completed before March 2020. DOD completed six of the 18 activities as of March 2020. DOD officials acknowledged that the department's transition time frames were optimistic; they added that they had thought that the activities' deadlines were reasonable until they started performing the work. Without an inventory, a cost estimate, or a risk analysis, DOD significantly reduced the probability that it could have developed a realistic transition schedule. Addressing these basic planning requirements would supply DOD with needed information that would enable the department to develop realistic, detailed, and informed transition plans and time frames.

Why GAO Did This Study

An internet protocol provides the addressing mechanism that defines how and where information moves across interconnected networks. Increased use of the internet has exhausted available IPv4 address space, spurring the adoption of its successor protocol, IPv6. OMB has required that agencies plan for transitioning from IPv4 to IPv6.

Senate and House reports accompanying the 2020 National Defense Authorization Act included provisions for GAO to review DOD's IPv6 transition planning efforts. This report (1) identifies past DOD attempts to transition to IPv6, (2) examines the extent to which DOD has completed OMB's planning requirements for its current transition effort, and (3) identifies DOD's progress in completing its own IPv6 transition activities. To do so, GAO assessed DOD's IPv6 transition plans and documentation against OMB's requirements, reviewed DOD's planned IPv6 transition activities, and interviewed agency officials.

What GAO Recommends

GAO is making three recommendations to DOD to develop an inventory of IP compliant devices, an estimate of the IPv6 transition costs, and an analysis of IPv6 transition risk. DOD agreed with the recommendations to develop a cost estimate and risk analysis, but disagreed with the recommendation to develop an inventory of IP-compliant devices. Nevertheless, GAO believes the recommendation to develop an inventory is warranted.

For more information, contact Vijay A. D’Souza at (202) 512-6240 or dsouzav@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Defense should direct the DOD CIO to complete a department-wide inventory of existing IP-compliant devices and technologies to help with planning efforts and requirements development for the transition to IPv6. (Recommendation 1)

    Agency Affected: Department of Defense

  2. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Defense should direct the DOD CIO to develop a cost estimate as described in OMB memorandum M-05-22 for the department's transition to IPv6. (Recommendation 2)

    Agency Affected: Department of Defense

  3. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Defense should direct the DOD CIO to develop a risk analysis as described in OMB memorandum M-05-22 for the department's transition to IPv6. (Recommendation 3)

    Agency Affected: Department of Defense

 

Explore the full database of GAO's Open Recommendations »

Jun 29, 2020

Jun 25, 2020

Apr 7, 2020

Mar 4, 2020

Feb 6, 2020

Jan 27, 2020

Dec 18, 2019

Nov 18, 2019

Sep 18, 2019

Jul 29, 2019

Looking for more? Browse all our products here