Feds Inch Towards IPv6 Deadline: IPv6 Profile Draft 2 Released
January 27, 2008
On January 23, 2008, the National Institute of Standards and Technology ("NIST") within the U.S. Commerce Department released Special Publication 500-267, A Profile for IPv6 in the U.S. Government – Version 1.0 *SECOND DRAFT* -- for public review and comment. To put this development in perspective, let's recap the history of the federal government and IPv6 to date:
6/2003 - Department of Defense ("DoD") announced its goal to transition all inter- and intra-networking to Internet Protocol Version 6 ("IPv6") by FY 2008
/2/2005 - OMB memo issued which gives guidance to federal agencies regarding the transition from IPv4 to IPv6 by June 2008
6/30/2006 - Government Accountability Office report concluded that federal agencies have taken steps in planning for the transition to IPv6, but several have not completed key activities
8/6/2006 - Proposed Federal Acquisition Regulation calling for agencies to include requirements for IPv6 capable products and services and to establish procedures for granting exceptions
1/24/2007 - "The Federal Chief Information Officer Council Strategic Plan for FY 2007-2008" issued by the Federal Chief Information Officer Council ("CIOC")
1/31/2007 - Special Publication 500-267, A Profile for IPv6 in the U.S. Government - Version 1.0, "Pre-Release for Public Review and Comment" was released by NIST with comments due by March 2, 2007. With 67 footnotes and a glossary, the stated purposes of the first draft of the standards profile were to:
1. Define a simple taxonomy of common network devices.
2. Define their minimal mandatory IPv6 capabilities and identify significant options so as to assist agencies in the development of more specific acquisition and deployment plans.
3. Provide the basis to further define the technical meaning of specific policies.
1/23/2008 - Draft 2 of the IPv6 Profile released by NIST
5/28/2008 - "All agency infrastructures (network backbones) must be using IPv6[1] and agency networks must interface with this infrastructure. Agencies will include progress reports on meeting this target date as part of their EA transition strategy." OMB
So, four months and five days before the deadline, we have a second draft of an IPv6 Profile and it again seeks public comment. It is a very useful document and is certain to have taken a great deal of effort to review and take into account the more than 500 comments from more than 50 sources in Government and industry that were submitted in response to the first draft of the IPv6 Profile. No one should criticize the people at NIST who have prepared the Profile.
One must question, however, how agencies and their contractors are to know how to properly respond when asked to state their IPv6 compliance status -- which is happening frequently today. The IPv6 Profile, second draft, answers as follows:
Primarily, the means of expression of compliance for a specific product will be through a Supplier’s Declaration of Conformity, as specified in ISO/IEC 17050[2]. The SDOC is backed by a chain of traceability of results through laboratories accredited under ISO/IEC 17025 General Requirements for Testing Laboratories[3], and specific test methods as described in NIST SP-500-273 IPv6 Test Methods: General Description and Validation. To be recognized in this program, test laboratories must be accredited by an accreditation body compliant to ISO/IEC 17011 Conformity assessment – General requirements for accreditation bodies accrediting conformity assessment bodies[4], and subject to peer review as a signatory to the International Laboratory Accreditation Conference, ILAC.
The Profile does not expressly say it, but it implies that every information technology vendor needs to go hire an accredited laboratory to stay in business -- good business for the laboratories!
The IPv6 Profile goes on to provide a Node Requirements Table, which is the "normative, definitive specification of requirements for IPv6 Host, Routers and [Network Protection Devices] NPDs that claim compliance to this profile." It identifies public specifications for each requirement. For each of the three categories of devices (host, router, NPD) the Table says whether each requirement is a MUST ("M"), SHOULD ("S"), SHOULD+ ("S+") or MAY ("O"). Those requirements identified as SHOULD+ are expected to become MUST requirements in future versions of the IPv6 profile, giving developers a hint where to focus their efforts.
The Node Requirements Table includes an Effective Date -- "the earliest date at which devices should be required to document compliance with a given requirement." NIST reasons that 12 months should be allowed after the first time a requirement is declared as a MUST and 24 months should be allowed after it is identified as a SHOULD+ before the effective date of the requirement. In keeping with this philosophy, the profile is expected to be re-released no more than once per year. In this Second Draft, no MUST requirements have an effective date before March 2010.
The profile makes great strides towards describing the elephant, is well-reasoned, and is in keeping with the rational methodology of the technical community's standards-setting processes, but it unfortunately conflicts with the policy mandates found in many agency CIO offices and with requirements being imposed on contractors and vendors. In particular, NIST reiterates its earlier comments that "the existing DoD and industry profiling and testing efforts are currently not well suited in content, or governance, for the perceived requirements of the US [Government] as a whole." Further, the March 2010 effective date is clearly after the OMB deadline of May 28, 2008.
Expect to see the IPv6 Profile more widely referenced. It states that "[a]cquisition officers and others writing purchasing and contract language may use this document as a reference when they develop specific product and system requirement text."
Progress is being made, but the May 28, 2008 deadline will arrive all too soon.
Notes
1 Meaning the network backbone is either operating a dual stack network core or it is operating in a pure IPv6 mode, i.e., IPv6-compliant and configured to carry operational IPv6 traffic.
2 ISO/IEC 17050-1:2004 Conformity assessment -- Supplier's declaration of conformity -- Part 1: General requirements.
3 ISO/IEC 17025:1999 General requirements for the competence of testing and calibration laboratories.
4 ISO/IEC 17011:2004 Conformity assessment -- General requirements for accreditation bodies accrediting conformity assessment bodies.
This document is intended as an informational reminder and does not constitute legal advice. If you have any questions or would like to discuss a particular situation, please contact Womble Carlyle Sandridge & Rice, LLP. The purpose of this article is to provide general information about significant legal developments and should not be construed as legal advice on any specific facts and circumstances.
