Commercial Deployment Security Policies
This guide outlines the security processes and standards required for applications deployed in Second Front’s Commercial Deployment environment. Although the Commercial Deployment environment is outside formal Authorization to Operate (ATO) and FedRAMP boundaries, our goal is to uphold the same rigorous security practices used in Department of Defense (DoD) environments, including:
- Body of Evidence (BoE)
- CVE Management
- External Data Connections (EDCs)
- Authorization Boundary Diagram (ABD)
- Image Hardening
- DAST & SAST Requirements
BoE
All applications must have a completed BoE within the Game Warden platform. The following sections may be omitted:
- Role Identification
- Information Security Plan
- CAC Personnel
- Secure Software Development Framework (SSDF) Attestation
- Certificate to Field (CtF) Recommendation Memo
CVE management
All applications must comply with Second Front’s Acceptance Baseline Criteria for vulnerabilities (CVEs):
- All CVE vulnerabilities must be remediated. If remediation is not possible, a written justification or mitigation plan must be provided, along with a proposed remediation timeline.
- Justifications must be reviewed and approved by Second Front’s security team before deployment to development or production.
- If a Critical or High CVE cannot be remediated, the security team must sign a risk acceptance memo before deployment.
External Data Connections (EDCs)
All external data connections must be documented in the BoE and included in the Authorization Boundary Diagram. Each EDC must be reviewed and approved by Second Front’s security team before it is used by the application.
Authorization Boundary Diagram (ABD)
An Authorization Boundary Diagram visually maps your system’s components, data flows, and security boundaries. It ensures your system integrates securely with Game Warden and meets DoD deployment standards.
All customers must submit an Authorization Boundary Diagram in accordance with DoD deployment standards. This diagram should include:
- All containers
- Communication flows
- Ports and protocols
- External data connections
For submission requirements, see Authorization Boundary Diagram.
Image hardening
All container images are hardened by Second Front engineers using Game Warden’s official image hardening scripts. This process is verified by the security team as part of the security review. Only hardened images are eligible for promotion to staging or production environments.
DAST and SAST requirements
As part of our security screening, Second Front performs a Dynamic Application Security Testing (DAST) scan on all container images.
- DAST scans must meet DoD-level standards.
- Third-party reviewers are not required to review DAST results for commercial deployments.
Customers must perform Static Application Security Testing (SAST) on all container images.
- These scans will be held to the same standards as DoD deployments.
- Results must be submitted as part of the security review.
Second Front is committed to maintaining strong security practices across all deployment environments. Adhering to the policies in this document ensures your applications are production-ready, defensible, and aligned with federal cybersecurity expectations, even without a formal government authorization boundary.