CDM IPv6 compliance plans due July 6: Why the technology matters

By Amanda Mull, contract specialist

As I mentioned in my previous blog, there have been some changes to CDM. The Cybersecurity and Infrastructure Security Administration (CISA) announced recently that the common requirements for the Continuous Diagnostics and Mitigation (CDM) Program had been updated to align with the extended compliance schedule published in the Office of Management and Budget (OMB) Memorandum 21-07 (M-21-07) – PDF.

By FY2023, all federal information systems must be Internet Protocol version 6 (IPv6) enabled. This is an important policy move for acquiring information technology (IT) products and services contained in Federal Acquisition Regulation (FAR) 11.002.

On June 4, CISA directed suppliers with CDM-approved products suspected of not being natively IPv6 compliant to provide proofs of capability or a plan for becoming compliant by July 6, 2021. CISA will conditionally approve products that are not fully IPv6 compliant, providing applicants submit an acceptable plan detailing how their products will become fully operational in an IPv6-only network by the end of FY2023. CISA intends to perform periodic progress checks on accepted plans.