Corporate Policy

Millennium Challenge Corporation Internet Protocol Policy

July 29, 2021

AF-2021-84.0

SCOPE

This policy defines agency efforts to be compliant with federal guidance for IPv6.

OVERVIEW

Beginning in 2005, the Federal government began an initiative that served as a catalyst to commercial development and adoption of Internet Protocol Version 6 (IPv6). Designed to replace IPv4, which has been in use since 1983, these protocols are globally unique numeric identifiers necessary to distinguish individual entities that communicate over the Internet.

AUTHORITIES

The regulatory authorities include:

  1. OMB Memorandum M-21-07, Completing the Transition to Internet Protocol Version 6 (IPv6), November 19, 2020
  2. OMB Memorandum M-05-22, Transition Planning for Internet Protocol Version 6 (IPv6), August 2, 2005 (rescinded by M-21-07)
  3. OMB Memorandum dated September 28, 2010, Transition to IPv6
  4. OMB Circular A-130, Managing Information as a Strategic Resource
  5. Federal Acquisition Regulation; FAR Case 2005-041, Internet Protocol Version 6 (IPv6)

ROLES AND RESPONSIBILITIES

The memorandum identifies clear activities agencies must conduct with indication of roles required to take action.

  1. The Chief Executive Officer (CEO) is responsible for establishing an agency-wide integrated project team (including acquisitions, policy and technical members) or other governance This team will be required to govern and enforce IPv6 efforts.
  2. The Director of Policy and Planning in the Office of the Chief Information Officer will develop this policy and incorporate required language.
  3. The Chief Information Security Officer is responsible for privacy incident response and incident reporting.
  4. The Director of Web Services is responsible for providing assistance in publishing this policy on the public website.

ENTERPRISE POLICIES

Network information systems

By the end of Fiscal Year (FY) 2023, all new networked Federal information systems will be IPv6-enabled at the time of deployment. The agency’s strategic intent is to phase out the use of all IPv4 systems.

External Partner

As MCC interacts with external partners, we will work to encourage migration to IPv6 for all network interfaces.

Public/External Facing Systems/Server

MCC shall complete upgrading all public/external facing servers and services, and internal client applications that communicate with public Internet services and supporting enterprise networks to operationally use native IPv6.

FAR Compliance

MCC shall follow all guidance in the FAR regarding future acquisitions of networked information technology with IPv6 requirements. MCC shall:

  1. Unless the agency Chief Information Officer waives the requirement, when acquiring information technology using Internet Protocol, the requirements document must include reference to the appropriate technical capabilities defined in the USGv6 Profile (NIST Special Publication 500-267) and the corresponding declarations of confidence defined in the USGv6 Test Program.
  2. Continue to use the USGv6 Profile to define agency or acquisition specific requirements for IPv6 capabilities when purchasing networked information technology and services. Going forward, this should include specifying the requirement for hardware and software to be capable of operating in an IPv6-only environment.
  3. Continue to require potential vendors to document compliance with such IPv6 requirement statements through the USGv6 Test Program.
  4. In rare circumstances where requiring demonstrated IPv6 capabilities would pose undue burden on an acquisition action, provide a process for agency Chief Information Officers to waive this requirement on a case-by-case basis. In such cases, the purchasing agency shall request documentation from vendors detailing explicit plans (e.g., timelines) to incorporate IPv6 capabilities to their offerings.

IT Security

MCC will follow best practices in securing networked information technology utilizing IPv6. MCC shall:

  1. Ensure that plans for full support for production IPv6 services are included in IT security plans, architectures, and acquisitions.
  2. Ensure that all systems that support network operations or enterprise security services are IPv6- capable and can operate in IPv6-only environments.
  3. Follow applicable Federal guidance and leverage industry best practices, as appropriate, for the secure deployment and operation of IPv6 networks.
  4. Ensure that all security and privacy policy assessment, authorization, and monitoring processes fully address the production use of IPv6 in Federal information systems.