Routing Security: A Call to Action for Federal Agencies
By: Robert Cannon, Senior Telecommunications Policy Analyst
Securing our nation's cyber infrastructure is imperative. That is why all Department of Commerce networks have taken the first step to implement Internet routing security.
Routing security ensures that Internet traffic reaches its intended target. Misconfigurations or manipulations of routing information can lead to significant degradation and loss of service.
The United States Government is tackling concerns about routing security through a whole-of-government approach. The Department of Commerce is playing a leading role in these efforts:
- The National Institute of Standards and Technology (NIST) works with stakeholders to research and develop routing security solutions, produce guidance, and operate testbeds.
- The National Oceanic and Atmospheric Administration (NOAA), working with the White House’s Office of the National Cyber Director (ONCD), produced guidance for federal agencies on how to implement routing security via the Federal Public Key Infrastructure (RPKI) Playbook.
- In May, the Department of Commerce held a Route Signing Day to mark a renewed effort to implement routing security across federal networks.
- In September, NTIA’s Communications Supply Chain Risk Information Partnership (C-SCRIP) hosted an Internet routing security webinar for stakeholders.
Critically, ONCD and Commerce have worked with the American Registry for Internet Numbers (ARIN) to secure an extension of the lower legacy rate for routing security service for federal networks holding legacy address resources. This extension expires on December 31, 2024.
In December of 2023, ONCD (on behalf of civilian agencies), the Department of Defense, and the Department of Commerce filed tickets with ARIN stating an intent for agencies across the government to sign a Registration Services Agreement (RSA) for Internet routing security to lock in that lower legacy rate through 2024.
Since then, all Commerce networks have signed the ARIN RSA. The next step is to create Route Origin Authorizations (ROAs), cryptographic validations that a destination is properly found on a specific network. Here again, Commerce is making significant progress: 84% of Commerce routes are now signed with ROAs.
Federal agencies have until the end of December 2024 to sign the ARIN agreement and take advantage of the current fee structure, or they will face significantly increased fees. To ease the administrative burden on agencies, ONCD and Commerce negotiated a template ARIN RSA for use by any federal agency, and have been assisting in this process.
The National Cybersecurity Strategy and the subsequent Roadmap to Enhancing Internet Routing Security call on federal agencies to implement routing security. We are proud to have answered this call and are actively working to assist other federal agencies to ensure that they have a signed ARIN RSA covering their Internet addresses.