System Security Plan¶
Is a new System Security Plan (SSP) needed for each version/update in Production (PRD)?¶
An updated System Security Plan (SSP) will be needed for each version which will be part of the deployment passport for that version. Though most fields will not change, things like Authority to Operate (ATO) status and assessment date will be different for each version.
Do I need to fill out a new System Security Plan (SSP) for each government customer I onboard?¶
No, you can select one current customer that supports your app's deployment at your target Impact Level (IL) to include in the System Security Plan (SSP). However, if the government customer you select stops working with your app, you will need to update the SSP to ensure it references a current customer.
What specific information does Game Warden need from my DOD contracts to meet the Authority to Operate (ATO) validation requirement?¶
Please upload the entire active contract and enter the contract number into your System Security Plan (SSP). We primarily look at the first page for validity of relationship between you and the DoD. We also need to verify the expiration date (Period of Performance) as well as a line item that specifies the mission application.
You cannot move your initial deployment into Staging (STG) until this is received in full, as it is part of your Deployment Passport.
In the System Security Plan (SSP), what is the difference between Government Customer and Government Sponsor, and why do we need them for Game Warden?¶
Government Sponsor can be any government organization that has provided a requirement you’re filling (ex: AFWERX, 16th Air Force). We recommend choosing your largest contract holder; one that is going to be around longest. In this case, you do not have to continually update your SSP. You can also include multiple sponsors. Government Customer should be one of your customers that you are targeting with this deployment and match the Impact Level (IL) target. So, if you have a customers who needs IL-4, you can use them on the SSP for a target deployment to IL-4. If aiming for IL-6, put down a customer that needs IL-6; this will cover all lower ILs as well.
How do I determine the classification level of my app?¶
Your mission sponsor/government customers should be able to confirm for you what classification level of information your app will be storing or processing.