App Central is your primary starting point for Game Warden App access. Here, you can do the following:
- Add new applications
- Create, edit, and view your application's System Security Plans (SSP)
- View application and pipeline statuses
- View the latest vulnerabilities
- Deploy your containers to Staging and Production
App Central's functionality (coupled with other Game Warden product and application features) expedites your path to inheriting our Authority to Operate (ATO) and deploying your application(s) onto the Department of Defense (DoD) network.
FAQ: How do I access App Central?
Once you have completed the steps to set up your New User Account, you should have access to App Central in the Game Warden app.
The table below provides insight into the topics in the App Central left navigation pane:
|This is the Landing page and allows you to view your application information. You also may access Pipelines and Scan Lab, and create and review SSPs.
|This page displays the Latest and History tables. Both tables display the Image, Component, Version, Status, and Date fields. This page displays information about the image status, which also is helpful if you or our engineers need to troubleshoot an issue.
|This page displays Guidance, Application, Approved Justifications, Deployment Passports, and Meeting Recordings. Guidance displays documents our team shares with you. Application displays technical documents specific to your application and container. You can upload documents here to ensure our engineers have the most current files. Approved Justifications displays the justifications approved by our Security team. Deployment Passports reveals your ATO package details. Meeting Recordings provides access to relevant meeting videos recorded with your permission.
|This page displays user alerts. For example, Security Returned Scan Results (as its name implies) notifies you of the availability of scan results.
|This page provides Game Warden product documentation.
|From the Support Ticket page, you can submit tickets directly to the Game Warden team to get help with issues ranging from account problems and process questions to feature requests and more.
|This page reveals the Users tab which displays information for Team Members invited to your profile. The table includes Name, Email, and Role fields. This page also includes the DUNS#, company website URL, and LinkedIn access information.
|This page allows you to view and edit your Profile information.
|This button, upon selection, launches you to the Keycloak Account Management page.
Administrators and Contributors comprise the two user roles.
The following illustrates the privileges of each role:
Note: Only users with the Admin role can use the In-App Deployment feature.
Application Settings allows you to review and/or add high-level details about your solution.
- Click the Gear icon next to your application name.
The Application Settings page opens, displaying the Basics and Technical Review Form sections or panels.
Click Fill Out Form to begin content entry, selecting Save to store changes. To edit your forms, select the pencil icon in the upper right corner.
- Basics
- Select the checkbox associated with your preferred Impact Levels (ILs).
- Technical Review Form
- Enter information specific to any external API Calls, Secrets, DNS Records, Production Environments, Data Migrations, Resource Requirements, and Mobile Components. This information helps our team understand your application design. You must complete this section prior to your Technical Review.
Harbor is a secure image registry. As an open source and feature-rich registry, Harbor manages the images you push into this environment. As your images navigate the scanning and hardening processes, tags are appended to the end of your image names to designate the status of each. For additional information, read Harbor Registry.
Pipelines and Vulnerabilities
Under the Latest Pipeline column, click the green check mark or red x to reveal the current image version number and its pipeline status. Each time you push an image, it appears in the Latest Pipeline section. A pipeline is a set of automated tasks. Pipelines represent image progression within the scanning and hardening processes. You can click the Pipeline button to view detailed information, including historical pipeline information, and to download artifacts.
Vulnerabilities are specific to a single pipeline and include security findings, which require your attention. Selecting the number of security findings launches you to the Scan Lab page.
+ New Application, upon selection, allows you to add a new solution.
Here, you add an Application Name, click Create and – in the new page that opens – enter information in the Basics and Technical Review Form sections or panels. You must click Fill Out Form to begin content entry, clicking Save to store changes. This Application Settings page also opens when you click the Gear/Settings icon next to your application name, as previously noted.
System Security Plans
FAQ: What is an SSP?
An SSP is a form that proves you meet ATO security requirements. You create the System Security Plan (SSP) from a Game Warden-provided template, and the Game Warden Security team reviews this form. The SSP includes any required external approvals and proof of an active government contract for your company. It is used as part of your Deployment Passport.
The System Security Plans (SSP) section includes links to any existing IL SSPs you have established along with a plus symbol (+), which allows you to create a new SSP. To view or edit an existing SSP, click the corresponding block. To create a new SSP, click the + ADD SSP button.
All SSPs are specific to Production (PRD) environments and align with the IL you designate. You must create an SSP for each PRD deployment.
Tooltips provide explanatory text that guides you through form completion as you develop your SSP. An “i” enclosed in a circle represents a tooltip. Select this icon to gain additional insight.
Page panels/sections include:
Basics
- This section allows you to include an abbreviated Application Name or alias. The Application Name might be a shortened name that you use for a specific IL. For example, your Application Name might be Bossy Apps, but the abbreviated name or alias for IL4 might be Boss. This section includes the Application Name, System Version, and Impact Level fields.
Authorization Boundary Diagram
- This section requires you to provide your software components and data connections so that our team can understand your system design and ensure proper connections to our environment. For example, we need to know your external data connections and similar components. You must complete a Game Warden-provided template for upload. For additional information, read Authorization Boundary Diagrams.
Role Identification
- You must provide the names of government persons pertinent to your contract/application. Each grouping contains a tooltip which – upon selection – provides explanatory text about the roles you must identify. This section contains the Full Name, Title, Organization, Email, and Phone fields for the Government Authorizing Official, Government System Owner, Government Information System Security Manager, Government Contract Sponsor, Government Prime Contractor, Company Product Owner, and Company Security Manager.
Components
- This section requires you to include or exclude components. The components you exclude will neither appear in your Deployment Passport SSP nor be deployed at this IL.
Information Security
- You must provide information that helps our team understand your application security levels, such as Confidentiality, Integrity, and Availability. This section also includes the Distribution Control Type and Controlled Unclassified Information drop-down list boxes. You can provide applicable Security Classification Guide information along with insight specific to Personally Identifiable Information (PII).
Deployment Information
- You must add information relative to government access cards and contract details along with insight into your application and external systems. For example, you must provide the names of all system personnel with a government access card, such as a Common Access Card (CAC), External Certification Authority (ECA), or a Personal Identity Verification (PIV) card. For additional information, read Government Access Cards. You must include the Full Name, Title, DoD Number, and Expiration Date. You also must list Government Contract details along with Application Programming Languages, Dependencies, Databases, and External Systems.
Business Continuity
- You must provide at least two emergency contacts who may be notified if there are events, such as outages. This section contains the Full Name, Title, Email, and Phone fields.
Clicking the + ADD SSP button opens the Create SSP modal.
From the Desired Impact Level drop-down list box, you must choose an IL. The Duplicate an existing SSP? radio button defaults to No; do not change this setting if you want to create an entirely new SSP. In this case, simply click Create to proceed. If you are creating a new SSP from an existing one, click the Yes radio button associated with Duplicate an existing SSP? This option further streamlines the SSP creation process, as it reduces content entry if much of the information for the new SSP is similar to the one you are duplicating. If you are creating an IL4 SSP from an IL2 SSP, for example, our Security team can work with you to determine which fields must be updated in the newly created SSP. Changing this radio button to Yes enables the Which SSP would you like to duplicate? drop-down list box. Select the IL from which you want to copy. Next, click Create to proceed.
A new page opens, displaying several panels that you must complete to designate your SSP specifications. Form panels include Basics, Authorization Boundary Diagram, Role Identification, Components, Information Security, Deployment Information, and Business Continuity. This is the same page that displays if you click “IL2” or “IL4”, for example, to review or update an existing SSP. You must click Fill Out Form to begin content entry, selecting Save to store changes.
As you add content to develop each SSP, the panel headers turn green – indicating panel or section completion. You can click Fill Out Form (now enclosed in a solid blue box) to revisit these updates, should you need to edit content. Delete SSP, as its name implies, allows you to remove all file content. You might use this feature if, for example, you discover that you no longer need to deploy to IL4.
Future automation includes validation checks that ensure SSP content accuracy. For example, there will be checks to ensure you do not include Controlled Unclassified Information (CUI) in IL2 SSP documents.