Body of Evidence Overview

A Body of Evidence (BoE) is a formal document that explains how your application meets Game Warden's Authority to Operate (ATO) security requirements. It is a critical component in obtaining your Certificate to Field (CtF). The BoE includes required external approvals and proof of an active government contract for your organization.

Once submitted, the Game Warden security team will review the BoE as part of your Deployment Passport.

BoEs are specific to Production (PRD) environments and must align with the designated Impact Level (IL) of your deployment. You are required to create a separate BoE for each IL environment your application will support.

The BoE template includes the following components:

| Component | Description |
| --- | --- |
| Deployment Information | Captures details about your application’s architecture, technologies, programming languages, and government contract information. |
| Information Security | Documents how your application handles confidentiality, integrity, availability (CIA), PII, CUI, and security classification. |
| Images | Lists the version currently in use for each of the images in your application. |
| Authorization Boundary Diagram | A visual diagram that shows your application's architecture, data flows, and external connections to define its security boundary. |
| Role Identification | Identifies key stakeholders such as the government sponsor, system owner, product owner, and security manager. |
| Business Continuity | Provides emergency contact details for key personnel responsible for resolving outages or security incidents. |
| CAC Personnel | Lists individuals with Common Access Card (CAC) or similar credentials who require access to IL4+ environments. |
| SAST | Details your Static Application Security Testing tools and findings as part of the secure development lifecycle. Your organization is responsible for conducting SAST scans on the source code repositories from which containers are built and deployed to Game Warden. |
| DAST | Documents results from Dynamic Application Security Testing, used to detect runtime vulnerabilities. Second Front (2F) Systems performs and includes DAST artifacts in your application’s Authorization Package. |
| SSDF Attestation | Affirms your development practices align with the Secure Software Development Framework (SSDF) as required by DoD guidance. |
| CtF Recommendation Memo | A memo summarizing the security posture of the application and recommending it for Certificate to Field (CtF) approval. |
| AI Attestation | A required form (the AI Attestation Form) disclosing whether AI is used in your application, and assessing associated risks and controls. |