Purpose
The purpose of this policy is to establish the requirements for completing the operational deployment of Internet Protocol Version 6 (IPv6) across all CFTC systems and services and help overcome barriers that impede migration to an IPv6-only network environment. The strategic intent is for CFTC to deliver its information services, operate its networks, and access the services of others using only IPv6.
Scope
This policy covers all CFTC systems (including internal and external networks) that are owned or leased by the Commission, the delivery of information services, and interconnections with external entities.
Policy
This policy outlines specific activities that the Commission is required to undertake in achieving compliance with memorandum M-21-07.
- CFTC has designated a Commission-wide IPv6 integrated project team jointly led by the Chief Information Officer (CIO) and Chief Information Security Officer (CISO). This team will incorporate acquisition, policy, and technical activities in a coordinated effort to achieve the requirements outlined in memorandum M-21-07.
- The Commission-wide IPv6 policy requires that, no later than Fiscal Year (FY) 2023, all new networked CFTC information systems are IPv6-enabled at the time of deployment, and the Commission's strategic intent is to phase out the use of IPv4 for all systems.
- The Commission will conduct at least one pilot of an IPv6-only operational system by the end of FY 2021 and report the results of the pilot to OMB upon request.
- The Commission will develop an IPv6 implementation plan by the end of FY 2021, and revise the CFTC Information Resources Management (IRM) Strategic Plan to update all networked information systems (and the IP-enabled assets associated with these systems) to fully enable native IPv6 operation. The plan shall describe the Commission’s transition process and include the following milestones and actions:
  - At least 20% of IP-enabled assets on CFTC networks are operating in IPv6-only environments by the end of FY 2023;
  - At least 50% of IP-enabled assets on CFTC networks are operating in IPv6-only environments by the end of FY 2024;
  - At least 80% of IP-enabled assets on CFTC networks are operating in IPv6-only environments by the end of FY 2025; and
  - Identify and justify CFTC information systems that cannot be converted to use IPv6 and provide a schedule for replacing or retiring these systems.
- The Commission will work with partner agencies to identify systems that interface with networked CFTC information systems and develop plans to migrate all such network interfaces to the use of IPv6.
- The Commission will complete the upgrade of public/external facing servers and services (e.g., web, email, DNS, and ISP services) and internal client applications that communicate with public Internet services and supporting enterprise networks to operationally use native IPv6.
- The Commission will ensure future acquisitions of networked information technology include IPv6 requirements. In accordance with existing FAR requirements, the Commission will:
  - Amend requirements documents to include reference from NIST Publication 500-267 and the corresponding declarations of conformance defined in the USGv6 Test Program
  - Continue to use the USGv6 Profile to define agency- or acquisition-specific requirements for IPv6 capabilities when purchasing networked information technology and services
    - Going forward, this should include specifying the requirement for hardware and software to be capable of operating in an IPv6-only environment
  - Continue to require potential vendors to document compliance with such IPv6 requirement statements through the USGv6 Test Program
  - In rare circumstances where requiring demonstrated IPv6 capabilities would pose undue burden on an acquisition action, provide a process to waive this requirement on a case-by-case basis. In such cases, the purchasing agency shall request documentation from vendors detailing explicit plans (e.g., timelines) to incorporate IPv6 capabilities to their offering.
- The Commission will leverage the USGv6 Test Program for basic conformance and general interoperability and ensure that CFTC- or acquisition-specific testing focuses on specific systems integration, performance and information assurance testing not covered in the USGv6 Test Program.
- The Commission shall maximize the security benefits of IPv6 by ensuring the following:
  - Plans for full support of production IPv6 services are included in IT security plans, architectures and acquisitions
  - All systems that support network operations or enterprise security services (e.g., identity and access management systems, firewalls and intrusion detection/protection systems, end-point security systems, security incident and event management systems, access control and policy enforcement systems, and threat intelligence and reputation systems) are IPv6-capable and can operate in IPv6-only environments
  - All federal guidance and industry best practices will be leveraged, as appropriate, for the secure deployment and operation of IPv6 networks
  - All security and privacy policy assessment, authorization, and monitoring processes fully address the production use of IPv6 in CFTC information systems.