Body of Evidence Overview
A Body of Evidence (BoE) is the complete set of documentation and attestations required to demonstrate that an application meets Game Warden's security and compliance standards. Submitting a complete and compliant BoE is a prerequisite for authorization to deploy.
How the BoE relates to authorization
Completing the BoE is one step in a larger authorization workflow. The table below outlines how the four key stages relate to each other.
| Step | Stage | Description | Reference |
|---|---|---|---|
| 1 | Understand the BoE | Learn the requirements and rationale for all 11 BoE components. | BoE Component Overview |
| 2 | Meet Compliance Standards | Fulfill the required security scanning and acceptance baseline criteria prior to submission. | Acceptance Baseline Criteria |
| 3 | Complete the BoE | Fill out all sections in App Central, including SAST results, attestations, and architecture documentation. | Completing the BoE |
| 4 | Obtain a Deployment Passport | The completed BoE is submitted as part of the Deployment Passport package to the Authorizing Official (AO) for review. Upon approval, a Certificate to Field (CtF)/Software Approval is issued, authorizing your application to deploy. | Deployment Passport |
BoE components at a glance
The BoE template includes the following components:
| Component | Description |
|---|---|
| Deployment Information | Captures details about your application’s architecture, technologies, programming languages, and government contract information. |
| Information Security | Documents how your application handles confidentiality, integrity, availability (CIA), PII, CUI, and security classification. |
| Images | Lists the version currently in use for each of the images in your application. |
| Authorization Boundary Diagram | A visual diagram that shows your application's architecture, data flows, and external connections to define its security boundary. |
| Role Identification | Identifies key stakeholders such as the government sponsor, system owner, product owner, and security manager. |
| Business Continuity | Provides emergency contact details for key personnel responsible for resolving outages or security incidents. |
| CAC Personnel | Lists individuals with Common Access Card (CAC) or similar credentials who require access to IL4+ environments. |
| SAST | Details your Static Application Security Testing tools and findings as part of the secure development lifecycle. Your organization is responsible for conducting SAST scans on the source code repositories from which containers are built and deployed to Game Warden. |
| DAST | Documents results from Dynamic Application Security Testing, used to detect runtime vulnerabilities. Second Front (2F) Systems performs and includes DAST artifacts in your application’s Authorization Package. |
| SSDF Attestation | Affirms your development practices align with the Secure Software Development Framework (SSDF) as required by DoW guidance. |
| CtF Recommendation Memo | A memo summarizing the security posture of the application and recommending it for Certificate to Field (CtF)/Software Approval issuance. |
| AI Attestation | A required form disclosing whether AI is used in your application, and assessing associated risks and controls. → AI Attestation Form |
Once submitted, the Game Warden security team will review the BoE as part of your Deployment Passport.
BoEs are specific to Production (PRD) environments and must align with the designated Impact Level (IL) of your deployment. You are required to create a separate BoE for each IL environment your application will support.
What's next?
Create & Manage BoEs
Step-by-step instructions for creating, updating, and managing your BoEs.
Complete BoEs
Learn how to complete all sections of the BoE to ensure they align with the designated IL of your deployment.
Authorization Boundary Diagram
Diagram showing your application’s architecture, data flow, and external connections.
Understand ATO and Deployment Passport
Learn how Game Warden’s ATO, Deployment Passport, and CtF/Software Approval work together to enable compliant deployments.