Purpose
This order provides acquisition and IT policy for the General Services Administration (GSA) on the provisioning of products and services, and the continued transition, implementation and use of the next generation of the Internet Protocol (IP), which is the primary protocol that serves as the building block of nearly all information and communication technology (IT or ICT) and operational technology (OT).
The next-generation Internet Protocol, known as IPv6, is necessary due to the worldwide exhaustion and inherent security, operational and performance (i.e., user experience) limitations of the more prominent Internet Protocol version 4 (IPv4). Proactive integration of IPv6 requirements into GSA contracts reduces the costs and complexity of transition by ensuring that Federal applications can operate in an IPv6 environment without costly upgrades.
This order directly addresses and incorporates applicable federal policies, standards, and guidelines, including roles and responsibilities, the GSA Acquisition Manual (GSAM), and FAR 39.101(d).
Background
In November 2020, the Office of Management and Budget (OMB) issued OMB Memorandum M-21-07, Completing the Transition to Internet Protocol Version 6 (IPv6), requiring federal agencies to complete the transition to IPv6 and retire the use of IPv4, namely on internal network infrastructure. While M-21-07 rescinded previous OMB memoranda, the following elements remain applicable:
- Upgrade public/external facing servers and services (e.g., web, email, DNS, ISP services, etc.) to operationally use native IPv6; and
- Upgrade internal client applications that communicate with public Internet servers and support enterprise networks to operationally use native IPv6.
Since 2006, the Federal Acquisition Regulation (FAR) has incorporated IPv6 acquisition requirements as a result of the previous OMB memoranda on IPv6. This long-time transition to IPv6 is increasingly necessary due to the inability of IPv4 to meet the Government’s long-term business needs because of limited robustness, scalability, and features.
Applicability
This IPv6 policy applies to all activities and contracts for supplies, products, and services associated with information and communications technology (IT and/or ICT), operational technology (OT or “Internet of Things”), and associated digital services. This order directly addresses and incorporates applicable Federal policies, standards, and guidelines, including roles and responsibilities. This order applies to:
- The IT system owner—when writing the acquisition plan, conducting market research, and describing agency needs, in accordance with FAR 7.105(b)(4) and FAR 12.202.
- The contracting officer (CO)—for all IT and ICT-related acquisitions of products and services, in accordance with GSAM 511.170(e) and 511.171, unless otherwise indicated. COs must include compliance with this policy in the contract or task order for contractor employees.
- The IT service provider (i.e., government and contractor teams)—who manage, maintain, operate, procure, or protect GSA systems and data, as well as all GSA Office of the Chief Information Officer (GSA IT) systems, and any GSA data contained on, or processed by, IT systems owned and operated by, or on behalf of, any GSA Service or Staff Office.
- Government and contractor teams, including but not limited to Contracting Officer Representatives (CORs), Technical Points of Contact (TPOCs) and Program Managers (PMs)—when conducting cybersecurity, development, modernization and enhancement (DME) activities, and ongoing operations and maintenance (O&M) of all IT products and services; see Section 6. Roles and Responsibilities, for more details.
- This order applies to the Office of Inspector General (OIG) to the extent that the OIG determines it is consistent with the OIG’s independent authority under the IG Act, and it does not conflict with other OIG policies or the OIG mission.
- This order applies to the Civilian Board of Contract Appeals (CBCA) to the extent that the CBCA determines it is consistent with the CBCA’s independent authority under the Contract Disputes Act and other authorities and it does not conflict with the CBCA’s policies or the CBCA mission.
Cancellation
This Order supersedes 2120.1, Internet Protocol Version 6 (IPv6) Policy.
Summary of Changes
- Updated document to conform with OAS 1832.1C.
- Added paragraph to align with requirements in OMB memo M-25-21.
Roles and Responsibilities
IPv6 roles and responsibilities are distributed as follows:
- Office of the Chief Technology Officer. Manages GSA’s IT Standards function. Responsibilities include reviewing and approving requests for new software solutions (including the solution’s IPv6 capabilities and parity with IPv4) to be added to the list of approved agency IT Standards, ensuring that all new software solutions added to the list of approved software are IPv6 enabled/compliant, and ensuring that currently approved IPv4 software has plans to migrate to IPv6.
- Office of the Chief Information Security Officer:
  - Identifies, evaluates, and engineers GSA IT’s security-related hardware and software (i.e., domain name system (DNS), firewalls, intrusion prevention), and zero-trust architectures;
  - Conducts vulnerability and penetration testing (with parity between IPv4 and IPv6); and
  - Reviews and recommends approval or rejection of proposed security configurations in accordance with departmental and federal risk management standards.
- Office of Digital Infrastructure Technologies:
  - Receives and processes incoming customer requests, responds to incidents and maintains configuration standards for IT end-user (e.g., laptop, mobile devices) solutions, which are supportive of approved configuration requirements for native IPv6, as appropriate; and
  - Conducts Tier 1 and Tier 2 customer support and coordinates opening, resolving and closing IT service requests and incidents.
  - Identifies, evaluates, and engineers GSA IT’s end-user (e.g., laptops, mobile devices) and infrastructure compute (e.g., physical and virtual servers) and network solutions (e.g., routers, switches, load balancers); and
  - Coordinates closely with the Information Security Engineering division to ensure IPv6 cybersecurity and operational capabilities are evaluated.
  - Designs, tests, and accepts/rejects infrastructure compute, storage and network solutions proposed by GSA IT, including ensuring the solution is an IPv6-only enabled asset, prior to its promotion in the production environment(s) within the timeframe requirements of the OMB memo and this policy.
  - Operates and maintains GSA IT’s infrastructure compute, storage and network solutions, including support of IPv6-only and (when authorized) dual-stack IPv4/IPv6 enabled assets, in pre-production and production environment(s); and
  - Coordinates closely with the Information Security Operations division to ensure cybersecurity and operational capabilities are maintained.
- System Owners. Understand the impact of migrating to an IPv6-only environment (internal systems) and IPv4/IPv6 (public-facing or external systems), including evaluating the potential impacts to budget and resources required to support completing the transition to an IPv6-only environment, and serve as liaison to the vendor community for supporting the agency’s requirement for IPv6 readiness of cloud-based solutions.
- Technology Transformation Services. Support and champion the transition, implementation and use of IPv6 in the performance and execution of shared service delivery of and consulting services for government-wide and agency-specific solutions at the federal, state, tribal and local levels of government.
- Contracting Officers (CO). In accordance with GSAR parts 511.170(e) and 511.171, COs must include compliance with this policy in the contract or task order for contractor employees. They must also ensure that all new acquisition activities to award contracts and task orders associated with information technology, including professional services, include:
  - the addition of appropriate contract clauses;
  - a requirement that the vendor(s) include the appropriate USGv6 conformance standards and attestation reports; and
  - contract modifications to ensure that ongoing performance of the contract/task order is supportive of federal and GSA requirements, playbooks and framework requirements for IPv6 in consultation with Contracting Officer Representatives (CORs) and Program Managers.
- IPv6 Integrated Project Team (IPT). Established to meet the requirements of OMB M-21-07, to serve as the IPv6 governance structure, and to effectively govern and enforce IPv6 transition efforts for the GSA enterprise. The IPv6 IPT is led by the Deputy Chief Information Officer (DCIO) and includes representatives from the Federal Acquisition Service’s TTS and Office of IT Category and various divisions within GSA IT that are supportive of IPv6 transition efforts with all services and staff offices.