A federal watchdog found that poor planning by the Department of Defense has blurred the department’s understanding of the risks and costs associated with upgrading the system that routes internet traffic across the globe to Internet Protocol version 6 (IPv6).
According to a June 1 report from the Government Accountability Office, the Pentagon needs to improve its transition planning for the most recent effort, which began in April 2017. The DoD has tried twice previously to implement IPv6, in 2003 and 2010, but stopped those transitions after identifying security risks and a lack of adequately trained personnel.
The problem for the DoD is that IPv4, the IP management system the DoD uses, is running out of address space. IPv4 only has room for 4.3 billion addresses. In contrast, IPv6, created in the 1990s, provides about 340,000,000,000,000,000,000,000,000,000,000,000,000 (340 undecillion) IP addresses. The Defense Department owns approximately 300 million IP addresses, of which about 59.8 million are unused and planned for use by future DoD components. The department estimates it will run out of its unused IP addresses by 2030.
The department’s IPv6 implementation plan from early 2019 listed 35 actions needed to switch over from IPv4. Eighteen of those steps were scheduled to be completed by March 2020. The report said six of the 18 tasks were completed on time.
Upgrading to IPv6 would increase connectivity, add security, improve the warfighter’s connection and communications on the battlefield, and preserve interoperability with allied systems, the GAO wrote.
The watchdog found that the department was not compliant with several IPv6 transition requirements from the White House’s Office of Management and Budget. The DoD hasn’t completed a cost estimate, developed a risk analysis or finished an inventory of IP-compliant devices, the report said. Pentagon officials told the GAO that they knew their time frame for the transition was “optimistic,” adding that they thought the pace was reasonable “until they started performing the work,” the GAO wrote.
“Without an inventory, a cost estimate, or a risk analysis, DOD significantly reduced the probability that it could have developed a realistic transition schedule,” the GAO wrote. “Addressing these basic planning requirements would supply DOD with needed information that would enable the department to develop realistic, detailed, and informed transition plans and time frames.”
The department did meet OMB’s requirement to name an official to lead and coordinate the agency planning. But because the Pentagon failed to complete the other three OMB requirements, the move is at risk.
“Without an inventory, a cost estimate, or a risk analysis, DOD’s plans have a high degree of uncertainty about the magnitude of work involved, the level of resources required, and the extent and nature of threats, including cybersecurity risks,” the GAO wrote.
Among the goals the DoD did complete are several IPv6 training programs, information-sharing opportunities and a program management office.
The GAO recommended that Defense Secretary Mark Esper direct the DoD chief information officer to complete an inventory of IP-compliant devices, develop a cost estimate and perform a risk analysis. The DoD agreed that it needed to develop a cost estimate and risk analysis but didn’t concur that it needed to inventory devices, citing new guidance from OMB and calling an inventory “impractical” because of the department’s size.
“The lack of an inventory is problematic due to the role that it should play in developing transition requirements,” the GAO wrote.