Security Compliance Policy¶
On October 14, 2022, the Department of Defense (DoD) granted Second Front Systems, Inc. (2F) – and by extension the Game Warden platform – its Authority to Operate (ATO). This action enables our Platform-as-a-Service (PaaS) to operate within the DOD network at Impact Levels (ILs) 2, 4, and 5 for applications deployed to both the Staging (STG) and Production (PRD) environments. 2F develops, maintains, and operates the Game Warden platform.
The Security Compliance Policy affects all 2F customers with applications hosted on our platform and deployed to STG and PRD at ILs 2, 4, and 5; however, if you deploy applications to PRD at these ILs, you must have a signed Deployment Passport from the government Information Systems Security Manager (ISSM). Deployment Passport, a Game Warden-specific term, is a body of evidence that includes the artifacts required to meet ATO requirements. An ISSM-signed Deployment Passport allows you as customers to inherit our ATO; a permission which authorizes application deployments into both the STG and PRD environments at the above-mentioned ILs. The ATO is non-transferable and only valid for Game Warden-hosted applications. The Deployment Passport includes documents ranging from the Authorization Boundary Diagram and System Security Plan (SSP) to the Common Vulnerabilities and Exposures (CVE) summary. For additional information, read Deployment Passport.
The Security Compliance Policy defines the processes 2F will follow should your application(s) not adhere to the CVE remediation timelines. You must review, acknowledge, and address all CVEs as defined by our Acceptance Baseline Criteria.
The Security Compliance Policy stipulations are as follows:
- Application developers must regularly update and maintain PRD applications.
- 2F will notify application developers if there are outstanding security findings approaching the acceptable timeline to remediate. 2F requires timely action to address all findings such that applications may continue to run in PRD.
- If required action is not taken within a reasonable timeframe (in agreement with the ISSM, our team, and the application developer), 2F will adhere to its ATO guidelines. Subsequent actions may result in an interruption of service to include removal of the application from the STG and PRD environments.
- Service will be restored after you address and resolve outstanding vulnerabilities. The ISSM must approve all security findings prior to application re-deployment. If the previously issued Deployment Passport expired, a new Deployment Passport must be issued before service restoration.