Security Processes for FedRAMP

This guide outlines key security responsibilities and processes customers must follow when deploying their applications into Game Warden’s FedRAMP-authorized environment.


Incident response

While some of the Incident Response controls are partially inheritable, the responsibility of Incident Response falls heavily on the customer.

If you experience an incident, notify Second Front Security immediately at security@secondfront.com. The Second Front Security Team will conduct an investigation in accordance with our Incident Response Plan.

If the incident requires intervention by, or communication with, the Second Front Security Team, the team will reach out to the customer via Slack or email to help resolve the issue.


Application security requirements

This section outlines the key security activities customers must complete and maintain to remain compliant with FedRAMP and agency expectations.

Common Vulnerabilities and Exposures (CVEs) remediation

Important

The customer’s sponsor reserves the right to approve any CVEs that Second Front would not normally accept. The customer must obtain this approval in writing from their sponsor. Anything approved by the sponsor must be tied to an operational requirement, and a deviation request must be submitted to Agency Security and the 3PAO.

All CVEs must comply with FedRAMP's Acceptance Baseline Criteria. You must either remediate each CVE or provide a justification that the Second Front Security Team can accept. For any CVE you cannot remediate, add it to your Plan of Action and Milestones (POA&M) documentation with real, actionable incremental milestones that reduce risk over time until you resolve it.

For any Critical or High CVE you cannot remediate (remove from the application before deployment), you must either submit a deviation request or create a POA&M with actionable milestones.

The Second Front Security Team will review each image’s remediation and justifications before allowing it to be deployed to staging and/or production after FedRAMP Authorization is obtained.

You must resolve or justify all Moderate and Low vulnerabilities that exceed FedRAMP remediation timelines before Production (PRD) deployment. Once Continuous Monitoring (ConMon) begins, these items move to a POA&M.

For Moderate and Low vulnerabilities still within their remediation window, customers must exercise due diligence to resolve or POA&M them before their respective deadlines.

Remediation Timeline

For required timeframes to remediate or justify findings, see Tables A–C in the Acceptance Baseline Criteria.

External Data Connections (EDCs)

All customers must list all EDCs according to Agency Security's requirements for the Body of Evidence (BoE).

Authorization Boundary Diagram (ABD)

All customers will be expected to complete an ABD in accordance with our current FedRAMP processes found here.

For any changes to the ABD, you must add a new diagram to your account and communicate the changes to Agency Security, 3PAO, and your sponsor.

Image hardening

All images must be hardened using Game Warden’s hardening script. No unhardened images may be promoted to staging and/or production, with the exception of images without a shell, which will not be hardened.

Second Front’s engineers are responsible for applying the hardening script to each image. The Second Front Security Team is responsible for verifying, during the Security Review process, that the hardening script has been applied to each image.

Static Application Security Testing (SAST)

All customers must perform SAST scans on every codebase in images deployed to Game Warden. Customers must upload the SAST results to the Game Warden application for the initial deployment.

Dynamic Application Security Testing (DAST)

All customers are responsible for running DAST on their applications in accordance with FedRAMP’s ConMon requirements. Second Front offers in-house DAST scanning for customers, which can be run monthly.


ConMon

Once your application enters Game Warden's FedRAMP-authorized environment, it begins an ongoing monthly security reporting and review process. FedRAMP requires this process to maintain platform and application security over time.

The sections below outline Second Front's responsibilities and yours during ConMon.

Game Warden’s FedRAMP Authorization ConMon

The Second Front Security Team will submit Game Warden’s relevant information on a monthly basis, in accordance with FedRAMP standards. This information covers the Platform as a Service only and does not include the applications hosted on Game Warden. Second Front will not provide the platform’s monthly continuous monitoring information to customers.

Second Front submits Asset Inventory Lists, Database Scans, Operating System Scans, Web Application Scans (only for images that Second Front itself uses), and Second Front’s POA&M. Second Front is not responsible for any of the customer’s recurring submission requirements, except for Database Scans.

Image scanning

The Game Warden application scans all production images for new CVEs/vulnerabilities once a month. Agency Security will help you pull down these scan results so you can submit the images for ConMon.