Internet Protocol Version 6: DOD Needs to Improve Transition Planning
An internet protocol or “IP” address allows devices to send each other information over the internet. DOD began planning for its transition to the next version of IP in 2017, following at least 2 prior attempts to do so since 2003.
But, DOD has yet to clearly define the magnitude of work involved, the level of resources required, and the extent or nature of cybersecurity risks if vulnerabilities aren’t proactively managed.
We made 3 recommendations to DOD to inventory IP-compliant devices, estimate transition costs, and assess risks to develop more realistic transition plans and proactively address potential threats.
DOD relies on its IP networks to control drones and enable other mission-critical technologies
Two uniformed service members looking at monitors in a dark room
What GAO Found
The Department of Defense's (DOD) current initiative to transition to Internet Protocol version 6 (IPv6), which began in April 2017, follows at least two prior attempts to implement IPv6 that were halted by DOD. In one effort that began in approximately 2003, DOD initially did make progress implementing IPv6 on its systems, but then the department ended the effort due to security risks and a lack of personnel trained in IPv6. DOD initiated another attempt in response to 2010 OMB guidance. However, this initiative was terminated shortly thereafter, again due to security concerns.
For its current initiative, DOD has not completed three of four longstanding OMB requirements (see table). Without an inventory, a cost estimate, or a risk analysis, DOD's plans have a high degree of uncertainty about the magnitude of work involved, the level of resources required, and the extent and nature of threats, including cybersecurity risks.
Status of the Department of Defense's (DOD) Efforts to Complete Selected Office of Management and Budget (OMB) Internet Protocol version 6 (IPv6) Transition Planning Requirements, as of March 2020
|
OMB requirement |
Completed? |
|
Assign an official to lead and coordinate agency planning |
Yes |
|
Complete an inventory of existing IP compliant devices and technologies |
No |
|
Develop a cost estimate |
No |
|
Develop a risk analysis |
No |
Source: GAO analysis of DOD documentation. | GAO-20-402
In February 2019, DOD released its own IPv6 planning and implementation guidance that listed 35 required transition activities, 18 of which were due to be completed before March 2020. DOD completed six of the 18 activities as of March 2020. DOD officials acknowledged that the department's transition time frames were optimistic; they added that they had thought that the activities' deadlines were reasonable until they started performing the work. Without an inventory, a cost estimate, or a risk analysis, DOD significantly reduced the probability that it could have developed a realistic transition schedule. Addressing these basic planning requirements would supply DOD with needed information that would enable the department to develop realistic, detailed, and informed transition plans and time frames.
Why GAO Did This Study
An internet protocol provides the addressing mechanism that defines how and where information moves across interconnected networks. Increased use of the internet has exhausted available IPv4 address space, spurring the adoption of its successor protocol, IPv6. OMB has required that agencies plan for transitioning from IPv4 to IPv6.
Senate and House reports accompanying the 2020 National Defense Authorization Act included provisions for GAO to review DOD's IPv6 transition planning efforts. This report (1) identifies past DOD attempts to transition to IPv6, (2) examines the extent to which DOD has completed OMB's planning requirements for its current transition effort, and (3) identifies DOD's progress in completing its own IPv6 transition activities. To do so, GAO assessed DOD's IPv6 transition plans and documentation against OMB's requirements, reviewed DOD's planned IPv6 transition activities, and interviewed agency officials.
Recommendations
GAO is making three recommendations to DOD to develop an inventory of IP compliant devices, an estimate of the IPv6 transition costs, and an analysis of IPv6 transition risk. DOD agreed with the recommendations to develop a cost estimate and risk analysis, but disagreed with the recommendation to develop an inventory of IP-compliant devices. Nevertheless, GAO believes the recommendation to develop an inventory is warranted.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Department of Defense | The Secretary of Defense should direct the DOD CIO to complete a department-wide inventory of existing IP-compliant devices and technologies to help with planning efforts and requirements development for the transition to IPv6. (Recommendation 1) |
The Department of Defense (DOD) did not agree with our recommendation. In its written response, DOD stated that the Office of Management and Budget's (OMB) March 2020 draft guidance on Internet Protocol version 6 (IPv6) would rescind OMB's fiscal year 2005 IPv6 guidance, which included the inventory requirement. DOD also stated that creating such an inventory would be impractical given the department's size. The department added that it has been mitigating the risk of not having an inventory by only acquiring IPv6-capable devices since December 2009. As we noted in the report, however, the National Institute of Standards and Technology's current IPv6 transition guidance cites an inventory of internet protocol devices as a key step in transitioning to IPv6 since such information would help identify requirements for transitioning, including which assets would transition and what security controls would be needed. As such, we continue to believe that our recommendation is warranted. In March 2022, DOD informed us that it is currently modifying its existing DOD IT Portfolio Repository to collect data that would establish an inventory of IP compliant devices. At the completion of this effort, we will determine whether it is sufficient to close the recommendation.
|
| Department of Defense | The Secretary of Defense should direct the DOD CIO to develop a cost estimate as described in OMB memorandum M-05-22 for the department's transition to IPv6. (Recommendation 2) |
The Department of Defense (DOD) agreed with this recommendation and, in December 2020, officially adopted a contractor-developed Internet Protocol version 6 (IPv6) transition study that included a $558 million cost estimate. According to the study, the $558 million figure comprised the estimated costs of DOD's IPv6 transition activities from fiscal year 2023 through fiscal year 2030 for the Defense Information Systems Agency, all DOD Services, the Coast Guard, and the National Guard Bureau, among other areas. Cost estimates are critical to decision making and project planning, and, as a result of implementing this recommendation, DOD should be less likely to experience cost overruns, missed deadlines, and performance shortfalls in its transition to IPv6.
|
| Department of Defense | The Secretary of Defense should direct the DOD CIO to develop a risk analysis as described in OMB memorandum M-05-22 for the department's transition to IPv6. (Recommendation 3) |
The Department of Defense (DOD) agreed with this recommendation and, in December 2020, officially adopted a contractor-developed Internet Protocol version 6 (IPv6) transition study that included a risk analysis as described in OMB memorandum M-05-22. Specifically, the risk analysis in the transition study considered all 18 categories of risks as required in M-05-22, including those related to technology, security, privacy, and the overall risk of investment failure. As a result of implementing this recommendation, DOD should be better able to understand the potential threats and obstacles facing the IPv6 transition initiative and create more realistic modernization plans and goals.
|