It was half a decade in the making (2005) , but the U.S. Government’s IPv6 Federal Acquisition Requirement (FAR) will be in effect on 1 July 2010 (that’s tomorrow).  In most DoD and civilian agencies, this milestone passed without much fanfare.  In fact, many of these agencies are still trying to figure out how to handle its contractual effects.

Fortunately (or unfortunately), each civilian and DoD/IC agency has a lot of latitude in terms of what level of compliance is demonstrated with this Federal Requirement a vendor product must meet in order for that agency to buy the product.

The IPv6 FAR Minimum Requirements

The minimum standard is probably what at least 50% of DoD and Federal Agencies will attempt to achieve as IPv6 isn’t being broadly implemented across the US government at the moment.  So at a minimum, the following is required per the IPv6 FAR:

“Unless the agency Chief Information Officer waives the requirement, when acquiring information technology using Internet protocol, the requirements documents must include reference to the appropriate technical capabilities defined in the USGv6 Profile (NIST Special Publication 500–267) and the corresponding declarations of conformance defined in the USGv6 Test Program. The applicability of IPv6 to agency networks, infrastructure, and applications specific to individual acquisitions will be in accordance with the agency’s Enterprise Architecture (see OMB Memorandum M–05–22 dated August 2, 2005).”

In deconstructing this further, there are two things that need to be done: (1) provide written compliance with the IPv6 standards in the IPv6 Profile from the vendor, and (2) demonstrate compliance with the standards in accordance with the NIST IPv6 Test Program.

The IPv6 Test Program 

So the minimum requirement puts the ownership on the vendor to demonstrate compliance with those standards in accordance with the NIST IPv6 Test Program.  This means the vendor must test their products in the way that the Agency requires in the RFP or procurement requirement.   That looks a little like this:

• Agency issues IPv6 requirements matrix in open or sole source procurement.
• In said requirements matrix, the Agency will state what testing is acceptable.  NIST requires that Conformance be demonstrated in at least Accredited 1st Party (vendor owned) test labs and Interoperability testing demonstrated in at least Accredited 2nd Party (Agency owned) or Accredited 3rd Party (independent) labs.  However, the minimum is 1st Party Conformance Testing for Hosts and Routers and 2nd or 3rd Party Conformance and IA Testing for Network Protection Devices (ie Firewalls, IPSs, and IDSs.
• Vendor provides IPv6 Suppliers Declaration of Conformity (SDoC) proving the stated compliance in the Agency RFP.

Is the Minimum Enough?

Of course that’s the billion dollar question.  Vendors will need to use their judgment as to how much time, effort, and dollars they want to spend on testing. If they chose to do the minimum, they may be “shut out” of some RFPs – the testing they choose to do may not meet the requirements of some agencies.  My advice is that all standard Host and Router companies invest in testing Conformance and Interoperability at one of the NIST and ISO 17025 3rd Party Accredited labs (UNH-IOL or ICSA).  Network Protection Device (NPD) vendors should submit their products for conformance, interoperability and IA testing at one of the aforementioned 3rd Party Accredited labs, as well.

The minimum might be enough for one Agency, but it may not be enough for them all.  For example, DoE might state that Conformance testing at a 1st party vendor lab is enough for that will put onto the DOE network, but the DoD may state that 3rd Party Conformance and Interoperability testing must be done for the routers that will land on DoD networks.  If the vendor only tests for DoE’s requirements, then they could potentially lose a sale for DoD.

However, each vendor must balance risk appropriately as 1 July 2010 is now upon us.  IT equipment vendors must prepare for some type of IPv6 solicitation that will meet this new requirement in the U.S. Government.  Having a plan to respond now will save millions of dollars and man-hours in the future.

  The debate began as rousing and intellectually stimulating as it ended. The motion was, “The Cyber War Threat has been grossly exaggerated.” This Neustar, WAMU, Newseum and Rosencrantz-sponsored debate refreshingly stayed on topic.  This, of course, was unlike the Bipartisan Policy Center’s Cyber Shockwave, which showed how unprepared government and industry can be in even hypothetically discussing cyber threats.

No, this debate took the best minds of cyber security, cyber defense, and cyber warfare and logically debated whether on not the United States is at the precipice of cyber war or merely lots of cyber crime. The debaters were all very qualified in their fields.

• For the motion: Marc Rotenburg and Bruce Schneier
• Against the motion: VADM Mike McConnell (ret.) and Jonathan Zittrain

The debate centered on trying to delineate the differences between cyber war and cyber crime. Both parties recognized that the Internet is not a safe place. In fact, metaphors regarding passing beer from one person to another at a Red Sox game abounded! Cyber crime, as Rotenburg argued, exists; however, calling it a war only provides billions of dollars in un-needed government expenses, and accelerates a historical “power grab” by the National Security Agency (NSA).

Rotenburg insightfully discussed the numerous attempts by NSA to take control of the Internet, referencing the infamous Clipper Chip, which, of course, was NSA’s failed attempt to be the man-in-the-middle of all encrypted communications on the Internet.

However, the side against the motion argued that this issue was not even the point to the debate. In fact, we are threatened every day by Russian and Chinese cyber warfare agencies. That’s right, they have cyber warfare agencies right now and are actively using them. The Russian cyber war attack on Georgia was referenced as evidence. Even more broad and successful cyber attacks used to reinforce traditional warfare have been conducted by Israel against Syriian radar and North Korean nuclear factories.

Unfortunately, the discussion had to remain at an unclassified level, need I say more?  Overall, the debate was very well argued on both sides. I concluded simply that the threat of cyber war is very real, but having defenses and preparations made in secret are counter productive. Keeping this issue open and transparent and reinforcing our cyber defenses are the only ways to actually mitigate these threats.

In the tradition of all Intelligence Squared Debates, a winner is chosen based on audience feedback. Initially, the vote revealed around 54% against the motion, 22% for the motion, and 24% undecided. However, by the close of the debate the tables turned: 72% against, 22% for, and 6% undecided.  So the convincing arguments from Jonathan Zittrain and VADM McConnell won the debate.