Internet Protocol Version 6:

Federal Agencies Need to Plan for Transition and Manage Security Risks

GAO-05-471: Published: May 20, 2005. Publicly Released: May 24, 2005.

Contact:

David A. Powner
(202) 512-3000
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The Internet protocol (IP) provides the addressing mechanism that defines how and where information such as text, voice, and video move across interconnected networks. Internet protocol version 4 (IPv4), which is widely used today, may not be able to accommodate the increasing number of global users and devices that are connecting to the Internet. As a result, IP version 6 (IPv6) was developed to increase the amount of available IP address space. It is gaining momentum globally from regions with limited address space. GAO was asked to (1) describe the key characteristics of IPv6; (2) identify the key planning considerations for federal agencies in transitioning to IPv6; and (3) determine the progress made by the Department of Defense (DOD) and other major agencies to transition to IPv6.

The key characteristics of IPv6 are designed to increase address space, promote flexibility and functionality, and enhance security. For example, by using 128-bit addresses rather than 32-bit addresses, IPv6 dramatically increases the available Internet address space from approximately 4.3 billion addresses in IPv4 to approximately 3.4 x 10^38 in IPv6. Key planning considerations for federal agencies include recognizing that the transition is already under way, because IPv6-capable software and equipment already exist in agency networks. Other important agency planning considerations include developing inventories and assessing risks; creating business cases that identify organizational needs and goals; establishing policies and enforcement mechanisms; determining costs; and identifying timelines and methods for transition. In addition, managing the security aspects of an IPv6 transition is another consideration since IPv6 can introduce additional security risks to agency information. For example, attackers of federal networks could abuse IPv6 features to allow unauthorized traffic or make agency computers directly accessible from the Internet. DOD has made progress in developing a business case, policies, timelines, and processes for transitioning to IPv6. Despite these efforts, challenges remain, including finalizing plans, enforcing policy, and monitoring for unauthorized IPv6 traffic. Unlike DOD, the majority of other major federal agencies reported not yet having initiated key planning efforts for IPv6. For example, 22 agencies lack business cases; 21 lack transition plans; 19 have not inventoried IPv6 software and equipment; and none had developed cost estimates.

Status Legend:

  • Review Pending: GAO has not yet assessed implementation status.
  • Open: Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - implemented: Actions that satisfy the intent of the recommendation have been taken.
  • Closed - not implemented: While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

    Recommendations for Executive Action

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.

    Agency Affected: Executive Office of the President: Office of Management and Budget

    Status: Closed - Implemented

    Comments: Energy has taken action to determine its IPv6 capabilities by conducting a systems inventory of all IPv6 capable hardware and software.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.

    Agency Affected: Department of the Treasury

    Status: Closed - Implemented

    Comments: HUD has taken action to determine its IPv6 capabilities by conducting a systems inventory of all IPv6 capable hardware and software.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.

    Agency Affected: Department of the Interior

    Status: Closed - Implemented

    Comments: Treasury took action to determine its IPv6 capabilities by conducting a systems inventory of all IPv6 capable hardware and software.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.

    Agency Affected: Office of Personnel Management

    Status: Closed - Implemented

    Comments: As reported in our June 2006 report on federal efforts to transition to IPV6, the Department of Defense has conducted an inventory of existing routers, switches, and hardware firewalls.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.

    Agency Affected: Department of State

    Status: Closed - Implemented

    Comments: NASA took action to determine its IPv6 capabilities by conducting a systems inventory of all IPv6 capable hardware and software.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.

    Agency Affected: Department of Labor

    Status: Closed - Implemented

    Comments: OPM took action to determine its IPv6 capabilities by conducting a systems inventory of all IPv6 capable hardware and software.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.

    Agency Affected: Department of Health and Human Services

    Status: Closed - Implemented

    Comments: VA took action to determine its IPv6 capabilities by conducting a systems inventory of all IPv6 capable hardware and software.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.

    Agency Affected: United States Agency for International Development

    Status: Closed - Implemented

    Comments: SBA took action to determine its IPv6 capabilities by conducting a systems inventory of all IPv6 capable hardware and software.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.

    Agency Affected: Social Security Administration

    Status: Closed - Implemented

    Comments: Education has taken action to determine its IPv6 capabilities by conducting a systems inventory of all IPv6 capable hardware and software.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.

    Agency Affected: General Services Administration

    Status: Closed - Implemented

    Comments: EPA took action to determine its IPv6 capabilities by conducting a systems inventory of all IPv6 capable hardware and software.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.

    Agency Affected: Executive Office of the President: Office of Management and Budget

    Status: Closed - Implemented

    Comments: NRC took action to determine its IPv6 capabilities by conducting a systems inventory of all IPv6 capable hardware and software.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.

    Agency Affected: Department of Veterans Affairs

    Status: Closed - Implemented

    Comments: NSF took action to determine its IPv6 capabilities by conducting a systems inventory of all IPv6 capable hardware and software.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.

    Agency Affected: Office of Personnel Management

    Status: Closed - Implemented

    Comments: Agriculture has taken actions to address near term security risks by conducting a systems inventory of all IPv6 capable hardware and software.

    Recommendation: The Director of OMB should instruct federal agencies to begin addressing key IPv6 planning considerations, including developing inventories and assessing risks; creating business cases for the IPv6 transition; establishing policies and enforcement mechanisms; determining costs; and identifying timelines and methods for transition, as appropriate.

    Agency Affected: Executive Office of the President: Office of Management and Budget

    Status: Closed - Implemented

    Comments: On May 20, 2005, we identified that the majority of federal agencies had not initiated the following planning efforts for the transition to Internet Protocol Version 6 (IPv6): (1) cost determination, (2) business case creation, (3) identification of timelines and methods, (4) development of inventories and risk assessment, and (5) establishment of enforcement mechanisms. As a result, we recommended that the Director of the Office of Management and Budget (OMB) instruct agencies to begin to address key planning considerations for the IPv6 transition. Based on GAO analysis of the issues surrounding IPv6, OMB issued a policy memorandum on August 2, 2005, to aid federal agencies with the transition to the new protocol. The guidance includes a deadline of June 2008 for all government agencies to transition their network backbones to IPv6. The OMB policy memorandum ensures that federal agencies will have a structured approach to follow as they transition to IPv6. The memorandum addressed all GAO planning considerations, with the exception of a discussion on creating a business case. In February 2006 OMB issued additional IPv6 guidance for the agencies. This guidance discusses creating a business case.

    Recommendation: The Director of OMB should amend the Federal Acquisition Regulation with specific language that requires that all information technology systems and applications purchased by the federal government be able to operate in an IPv6 environment.

    Agency Affected: Executive Office of the President: Office of Management and Budget

    Status: Closed - Not Implemented

    Comments: In August 2006, the Civilian Agency Acquisition Council and Defense Acquisition Regulations Council submitted a proposal to amend the Federal Acquisition Regulation (FAR) to require that IPv6 capable products be included in information technology procurements to the maximum extent practicable. The proposal also included language requiring agencies to specify how their acquisition will comply with the IPv6 requirements outlined in OMB's memo on transition planning for IPv6 (M-05-22). On September 16, 2009, an official from the General Services Administration office responsible for collecting comments on the proposal stated that the proposal had not yet been incorporated into the FAR.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.

    Agency Affected: Department of Labor

    Status: Closed - Implemented

    Comments: SSA took action to determine its IPv6 capabilities by conducting a systems inventory of all IPv6 capable hardware and software.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.

    Agency Affected: Department of Energy

    Status: Closed - Implemented

    Comments: Commerce took action to determine its IPv6 capabilities by conducting a systems inventory of all IPv6 capable hardware and software.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.

    Agency Affected: United States Agency for International Development

    Status: Closed - Implemented

    Comments: Labor has taken actions to determine its IPv6 capabilities by conducting a systems inventory of all IPv6 capable hardware and software.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.

    Agency Affected: Department of Education

    Status: Closed - Implemented

    Comments: Interior took action to determine its IPv6 capabilities by conducting a systems inventory of all IPv6 capable hardware and software.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.

    Agency Affected: Department of Homeland Security

    Status: Closed - Implemented

    Comments: DHS has taken action to determine its IPv6 capabilities by conducting a systems inventory.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.

    Agency Affected: Environmental Protection Agency

    Status: Closed - Implemented

    Comments: Justice has taken action to determine its IPv6 capabilities by conducting a systems inventory of all IPv6 capable hardware and software.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.

    Agency Affected: Social Security Administration

    Status: Closed - Implemented

    Comments: Transportation took action to determine its IPv6 capabilities by conducting a systems inventory of all IPv6 capable hardware and software.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.

    Agency Affected: Department of Justice

    Status: Closed - Implemented

    Comments: GSA took action to determine its IPv6 capabilities by conducting a systems inventory of all IPv6 capable hardware and software.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.

    Agency Affected: Department of Housing and Urban Development

    Status: Closed - Implemented

    Comments: USAID has taken action to determine its IPv6 capabilities by conducting a systems inventory of all IPv6 capable hardware and software.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.

    Agency Affected: Department of Commerce

    Status: Closed - Implemented

    Comments: State took action to determine its IPv6 capabilities by conducting a systems inventory of all IPv6 capable hardware and software.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.

    Agency Affected: Nuclear Regulatory Commission

    Status: Closed - Implemented

    Comments: HHS has taken action to determine its IPv6 capabilities by conducting a systems inventory of all IPv6 capable hardware and software.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.

    Agency Affected: Department of the Treasury

    Status: Closed - Not Implemented

    Comments: In June 2009, we requested information on the status of this recommendation from the Department of Homeland Security. We followed up with the department several times and, as of September 2009, had not received any response.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.

    Agency Affected: Small Business Administration

    Status: Closed - Not Implemented

    Comments: In June 2009, we requested information on the status of this recommendation from the Department of Justice. We followed up with the department but, as of September 2009, we had not received any response.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.

    Agency Affected: General Services Administration

    Status: Closed - Not Implemented

    Comments: While the Acting Associate Chief Information Officer for Infrastructure Operations stated that the department had performed several activities to address this recommendation, including configuring its firewalls and intrusion detection systems, and establishing monitoring capabilities, the department did not provide evidence of these activities.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.

    Agency Affected: Department of Defense

    Status: Closed - Implemented

    Comments: In October 2007, OPM issued an IPv6 Risk Assessment. This assessment includes a threat identification and impact analysis among other security analysis on IPv6.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.

    Agency Affected: Department of the Interior

    Status: Closed - Implemented

    Comments: SSA included a policy in its IPv6 transition plan that states that its network will be monitored for IPv6 traffic.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.

    Agency Affected: Department of Health and Human Services

    Status: Closed - Implemented

    Comments: GSA developed an IPV6 transition plan that included policies for managing and monitoring IPv6 traffic.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.

    Agency Affected: National Aeronautics and Space Administration

    Status: Closed - Implemented

    Comments: HUD has included a policy in its IPv6 transition plan that states that, as IPv6 is enabled, the network control center must perform the daily maintenance and support of the network.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.

    Agency Affected: Department of Transportation

    Status: Closed - Implemented

    Comments: Commerce has begun to address near term security risks by creating a policy within their IPv6 transition plan that bans IPv6 traffic from DOC networks that carry operations traffic.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.

    Agency Affected: Department of Housing and Urban Development

    Status: Closed - Implemented

    Comments: The EPA has taken steps to address near term security risks by including a policy in its IPv6 transition plan that calls for IPv6 network monitoring, management and troubleshooting.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.

    Agency Affected: Department of Agriculture

    Status: Closed - Implemented

    Comments: State included a policy in their IPv6 transition plan that defines what needs to be done to manage IPv6 traffic on its network.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.

    Agency Affected: Department of State

    Status: Closed - Implemented

    Comments: Education has begun to address near term security risks by actively monitoring their network for IPv6 traffic. Additionally, they have included IPv6 related network monitoring and internal controls in their policies per ED's Security Review Board (SRB).

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.

    Agency Affected: Department of Justice

    Status: Closed - Implemented

    Comments: USAID has taken steps to control and monitor IPV6 traffic. On September 17, 2009, USAID security officials presented evidence of USAID's IPV6 capable network intrusion detection system that was capable of monitoring all inbound and outbound IPV6 traffic.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.

    Agency Affected: Department of Homeland Security

    Status: Closed - Implemented

    Comments: Consistent with our recommendation, the Small Business Administration developed an IPv6 Information Security Plan in November 2007. The security plan, among other things, includes information on IPv6 security threats and the implementation of a separate firewall for IPv6 traffic.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.

    Agency Affected: Department of Education

    Status: Closed - Not Implemented

    Comments: The Department of Health and Human Services stated that IPv6 is not enabled on its backbone network and therefore security devices have not been configured to actively monitor or block IPv6 traffic.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.

    Agency Affected: Department of Veterans Affairs

    Status: Closed - Implemented

    Comments: Consistent with our recommendation, the Department of Labor, among other things, used a test environment to transport IPv6 data across its networks which it documented in its May 2008 IPV6 Test Results Summary.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.

    Agency Affected: Small Business Administration

    Status: Closed - Implemented

    Comments: Consistent with our recommendation, the Department of Interior configured its firewalls to prevent inbound and outbound IPV6 traffic which it documented in its July 2009 IPV6 Security Posture.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.

    Agency Affected: Department of Defense

    Status: Closed - Not Implemented

    Comments: In June 2009, we requested information on the status of this recommendation from the Department of Transportation. We followed up with the department several times, but, as of September 2009, we had not received any response.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.

    Agency Affected: National Aeronautics and Space Administration

    Status: Closed - Implemented

    Comments: Consistent with our recommendation, the Department of Agriculture, among other things, conducted readiness tests for transporting IPv6 data across its core network, and between this network, partner agencies, and the Internet which it documented in its February 2008 IPV6 Readiness Testing Implementation Summary.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.

    Agency Affected: Department of Transportation

    Status: Closed - Implemented

    Comments: Consistent with our recommendation, the National Science Foundation, among other things, configured its firewalls so that they do not route IPV6 traffic and is monitoring network switch data to ensure no IPv6 traffic.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.

    Agency Affected: Department of Agriculture

    Status: Closed - Implemented

    Comments: NRC has included a policy in their IPv6 transition plan that states they will block and monitor IPv6 traffic.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.

    Agency Affected: National Science Foundation

    Status: Closed - Implemented

    Comments: In its IPV6 transition plan, the Department of Energy included policies that dictate network maintenance and monitoring policies for the new protocol.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.

    Agency Affected: Department of Energy

    Status: Closed - Implemented

    Comments: Defense has taken steps to address near term IPv6 security risks by including a policy in their IPv6 transition plan stating that no IPv6 traffic is allowed on networks that contain operations traffic.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.

    Agency Affected: Department of Education

    Status: Closed - Not Implemented

    Comments: In June 2009, we requested information on the status of this recommendation from the National Aeronautics and Space Administration. We followed up with the agency several times, but, as of September 2009, we had not received any response.

    Recommendation: Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.

    Agency Affected: Department of Commerce

    Status: Closed - Implemented

    Comments: On September 16, 2009, the Department of Veterans Affairs provided evidence that it has developed IPv6 security policy and that it has the capability to monitor IPV6 traffic.
