Security Processes for FedRAMP

This guide outlines key security responsibilities and processes customers must follow when deploying their applications into Game Warden’s FedRAMP-authorized environment.


Incident response

While some of the Incident Response controls are partially inheritable, the responsibility for Incident Response falls heavily on the customer.

If the customer has an incident, notify Second Front Security immediately at security@secondfront.com. The Second Front Security Team will conduct an investigation in accordance with our Incident Response Plan.

If the incident requires intervention by, or communication with, the Second Front Security Team, the team will reach out to the customer via Slack or email to help resolve the issue.


Application security requirements

This section outlines the key security activities customers must complete and maintain to remain compliant with FedRAMP and agency expectations.

Common Vulnerabilities and Exposures (CVEs) remediation

Important

The customer’s sponsor reserves the right to approve any CVEs that Second Front would not normally accept. The customer must obtain this approval in writing from their sponsor. Any CVE approved by the sponsor must be an operational requirement, and a deviation request must be submitted to Agency Security and the 3PAO.

All CVEs must comply with FedRAMP’s established Acceptance Baseline Criteria. Every CVE must be either remediated, or justified and accepted by the Second Front Security Team. CVEs that cannot be remediated must be added to the customer’s Plan of Action and Milestones (POA&M) documentation with real, actionable incremental milestones that reduce risk over time until the CVE is resolved.

Any Critical or High CVE that cannot be remediated (removed from the application before deployment) must either be submitted as a deviation request or be tracked in a POA&M with actionable milestones.

The Second Front Security Team will review each image’s remediations and justifications before allowing it to be deployed to staging and/or production after FedRAMP Authorization is obtained.

All Moderate and Low vulnerabilities exceeding FedRAMP remediation timelines must be resolved or justified prior to Production (PRD) deployment. These items will be transitioned to a POA&M once Continuous Monitoring (ConMon) begins.

For Moderate and Low vulnerabilities still within their remediation window, customers must exercise due diligence to resolve or POA&M them before their respective deadlines.

Remediation Timeline

For required timeframes to remediate or justify findings, see Tables A–C in the Acceptance Baseline Criteria.

External Data Connections (EDCs)

All customers are required to list all EDCs according to Agency Security’s requirements for the Body of Evidence (BoE).

Authorization Boundary Diagram (ABD)

All customers are expected to complete an ABD in accordance with our current FedRAMP processes, found here.

Any change to the ABD requires a new diagram to be added to the customer’s account, and the change must be communicated to Agency Security, the 3PAO, and the customer's sponsor.

Image hardening

All images must be hardened using Game Warden’s hardening script. No unhardened image may be promoted to staging and/or production, with the exception of images without a shell, which will not be hardened.

Second Front’s engineers are responsible for applying the hardening script to each image. The Second Front Security Team is responsible for verifying, during the Security Review process, that the hardening script has been applied to every image.

Static Application Security Testing (SAST)

All customers are required to perform SAST scans on every codebase included in any image deployed onto Game Warden. SAST results should be uploaded to the Game Warden application for the initial deployment.

Dynamic Application Security Testing (DAST)

All customers are responsible for running DAST on their applications in accordance with FedRAMP’s ConMon requirements. Second Front offers an in-house DAST scanning service for customers, which can be run monthly.


ConMon

Once your application is deployed into Game Warden's FedRAMP-authorized environment, it enters the ongoing monthly security reporting and review process that FedRAMP requires to ensure platform and application security over time.

The sections below outline Second Front's responsibilities and yours during ConMon.

Game Warden’s FedRAMP Authorization ConMon

The Second Front Security Team submits Game Warden’s ConMon information monthly, in accordance with FedRAMP standards. This information covers the Platform as a Service only and does not include the applications hosted on Game Warden. Second Front does not provide the platform’s monthly continuous monitoring information to customers.

Second Front submits Asset Inventory Lists, Database Scans, Operating System Scans, Web Application Scans (only for images that Second Front uses), and Second Front’s POA&M. Second Front is not responsible for any of the customer’s recurring submission requirements, with the exception of Database Scans.

Image scanning

The Game Warden application is configured to scan all images in production for new CVEs/vulnerabilities once a month. Agency Security will assist the customer in pulling down those scans each month so that the customer can submit the images for ConMon.