Commercial Deployment Security Policies
This guide outlines the security processes and standards required for applications deployed in Second Front's Commercial Deployment environment. The Commercial Deployment environment sits outside formal Authorization to Operate (ATO) and FedRAMP boundaries, but our goal is to uphold the same rigorous security practices used in Department of War (DoW) environments, covering:
- Body of Evidence (BoE)
- CVE Management
- External Data Connections (EDCs)
- Authorization Boundary Diagram (ABD)
- Image Hardening
- DAST & SAST Requirements
BoE
All applications must have a completed BoE within the Game Warden platform. For commercial deployments, the following BoE sections may be omitted:
- Role Identification
- Information Security Plan
- CAC Personnel
- Secure Software Development Framework (SSDF) Attestation
- Certificate to Field (CtF) Recommendation Memo
CVE management
All applications must comply with Second Front's Acceptance Baseline Criteria for vulnerabilities (CVEs):
- Remediate every CVE. When remediation isn't possible, submit a written justification or a mitigation plan with a proposed remediation timeline.
- Second Front's security team must review and approve each justification before the application is deployed to development or production.
- If a Critical or High CVE cannot be remediated, the security team must also sign a risk acceptance memo before deployment.
External Data Connections (EDCs)
Document every external data connection in the BoE and include it in the Authorization Boundary Diagram. Second Front's security team must review and approve each EDC before the application uses it.
Authorization Boundary Diagram (ABD)
An Authorization Boundary Diagram maps your system's components, data flows, and security boundaries. It shows how your system integrates with Game Warden and lets the security team verify that the deployment meets DoW standards.
All customers must submit an Authorization Boundary Diagram that follows DoW deployment standards. The diagram should include:
- All containers
- Communication flows
- Ports and protocols
- External data connections
For submission requirements, see Authorization Boundary Diagram.
Image hardening
Second Front engineers harden every container image with Game Warden's official image-hardening scripts, and the security team verifies the result as part of the security review. Only hardened images qualify for promotion to staging or production environments.
DAST and SAST requirements
As part of its security screening, Second Front performs a Dynamic Application Security Testing (DAST) scan on all container images.
- DAST scans must meet DoW-level standards.
- Third-party reviewers are not required to review DAST results for commercial deployments.
Customers must perform Static Application Security Testing (SAST) on all container images.
- These scans must meet the same standards as DoW deployments.
- Customers must submit results as part of the security review.
Second Front is committed to maintaining strong security practices across all deployment environments. Adhering to the policies in this document ensures your applications are production-ready, defensible, and aligned with federal cybersecurity expectations—even without a formal government authorization boundary.