Significant Software Changes and Authorization Requirements in Game Warden
The Department of Defense (DoD) utilizes Game Warden, a Platform as a Service (PaaS) solution, to streamline cloud-hosted application development, deployment, and operations. Understanding how software changes within the Game Warden environment impact security and authorization is crucial. Game Warden defines significant software changes for applications and outlines when a new Deployment Passport is necessary based on deltas in a given cyber risk posture.
Defining significant changes
Security review requirement
Any significant change to your application will trigger a new security review and Deployment Passport.
A significant software change in a Game Warden-hosted application refers to any modification that could:
- Alter the security posture: Introduce new vulnerabilities, change data flows, add new user populations, or expose new attack surfaces within the Game Warden environment.
- Materially increase cyber risk: Expand the potential for unauthorized access, data breaches, or service disruptions specific to the Game Warden platform.
Game Warden considerations
- Shared Responsibility Model: Game Warden manages the security of the underlying Game Warden infrastructure and platform.
- Built-in security features: Game Warden incorporates various security features, such as continuous monitoring, automated security testing, and vulnerability scanning. Significant changes may require re-evaluation to ensure continued compliance with the terms of the authorization to operate.
- Compliance requirements: Game Warden facilitates compliance with DoD security standards. Significant changes may require re-evaluation to ensure continued compliance with the terms of the authorization to operate.
Examples of significant changes
- Modifying core application logic: Changes to the primary functionality or workflow of the application hosted on Game Warden.
- Altering data handling: Changing how sensitive data is stored, accessed, or processed within the Game Warden environment.
- Integrating new services or APIs: Adding new third-party integrations within Game Warden that could expose data or introduce new vulnerabilities.
- Customizing security configurations: Modifying firewall rules, access controls, or encryption settings within the Game Warden platform.
- Leveraging new Game Warden features: Utilizing newly released Game Warden features that significantly alter the application's behavior or capabilities.
- Major system changes: Adding application containers or services.
Routine updates vs. Significant changes in Game Warden
| Feature | Routine Update | Significant Change |
|---|---|---|
| Scope of Change | Minor code adjustments, configuration tweaks, or content updates within the Game Warden environment. | Changes to core application logic, data handling, or integration with external services on Game Warden. |
| Security Impact | Minimal impact on the security posture or risk exposure of the Game Warden application. | Likely to introduce new vulnerabilities, alter data flows, or change the overall attack surface. |
| Authorization | Typically covered under the existing authorization and does not require a new review by the AO. | Requires a new authorization from the AO to ensure the modified software meets security standards. |
| Examples | Deploying new versions of the application with bug fixes, updating configuration files, or adding like content within Game Warden. | Implementing a new feature, integrating with a new API, or changing data storage mechanisms on Game Warden. |
New change management requirements necessitate that a formal Security Relevant Change (SRC) be completed and signed off by the government. Depending on the impact of the change, the approval authority will be our DIU Information Systems Security Manager (ISSM), the Government Security Controls Assessor (SCA), or, for significant changes, the Authorizing Official (AO).
Changes to Game Warden, including our pipelines, IaC, SaC, and processes to yield deployment passports, must be carefully evaluated before making the change. The Security Champions in the Product teams are the best way to ensure that proposed changes are correctly managed.
AWS Bedrock integration and updates
Before integrating Amazon Bedrock on Game Warden, use steps here to determine how your application will use the service.
Integrating AWS Bedrock into an application is considered a significant change:
- If the application is adding AWS Bedrock and the configuration matches Game Warden Baseline, a new Deployment Passport is required.
- If the application is adding AWS Bedrock and the configuration deviates from Game Warden Baseline, a new Deployment Passport and an SRC are required.
- If the application has an approved Deployment Passport with AWS Bedrock and wants to change which AWS model is used, no Deployment Passport or SRC is required.
Current Game Warden Baseline includes:
- AWS Bedrock Guardrails
- Assessed IAM User role policy
- Assessed IAM Service role policy
- Customer application is a single tenant deployment
- All AWS FedRAMP High approved models within AWS GovCloud East
- AWS Bedrock RAG is limited to customer S3 buckets deployed as part of the CtF/Software Approval
- AWS Bedrock VPC only allows egress to the VPC CIDR (10.0.0.0/16)
- No AWS Bedrock Agents
For deployments in AWS GovCloud (US-East), visit Model support by AWS Region in Amazon Bedrock to check which models are currently supported.
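
A pre-submission check for the three cases and the baseline list above, written as an added example and not Game Warden's own tooling. The dictionary field names, model ids and bucket names are hypothetical; `us-gov-east-1` is the region code for AWS GovCloud (US-East), and the approved-model set is supplied by the caller because the page does not enumerate it.

```python
import ipaddress

# Values from the baseline list above. Every dict key used below is a
# hypothetical field name chosen for this example, not a Game Warden schema.
BASELINE_EGRESS = ipaddress.ip_network("10.0.0.0/16")
BASELINE_REGION = "us-gov-east-1"  # AWS GovCloud (US-East)
REQUIRED_TRUE = ("guardrails_enabled", "user_role_policy_assessed",
                 "service_role_policy_assessed", "single_tenant")

def baseline_deviations(cfg, approved_models, ctf_buckets):
    """List every way cfg departs from the Game Warden Baseline."""
    issues = []
    for key in REQUIRED_TRUE:
        if not cfg.get(key):
            issues.append(f"{key} is not true")
    if cfg.get("region") != BASELINE_REGION:
        issues.append(f"region {cfg.get('region')!r} is not {BASELINE_REGION}")
    if cfg.get("model_id") not in approved_models:
        issues.append(f"model {cfg.get('model_id')!r} not in approved set")
    for bucket in cfg.get("rag_buckets", []):
        if bucket not in ctf_buckets:
            issues.append(f"RAG bucket {bucket!r} not deployed through CtF")
    for dest in cfg.get("egress_cidrs", []):
        net = ipaddress.ip_network(dest, strict=False)
        if net.version != 4 or not net.subnet_of(BASELINE_EGRESS):
            issues.append(f"egress {dest} leaves {BASELINE_EGRESS}")
    if cfg.get("agents"):
        issues.append("Bedrock Agents configured")
    return issues

def required_approvals(current, proposed, approved_models, ctf_buckets):
    """Return (approvals, deviations); current is None when first adding Bedrock."""
    issues = baseline_deviations(proposed, approved_models, ctf_buckets)
    if current is not None and not issues:
        # Approved passport with Bedrock and only the model differs: nothing new.
        if {**current, "model_id": None} == {**proposed, "model_id": None}:
            return [], issues
    # Assumption: any case the page does not list is treated like a new integration.
    return ["Deployment Passport"] + (["SRC"] if issues else []), issues

# Constructed sample inputs (not real model ids or bucket names).
APPROVED = {"example.model-a", "example.model-b"}
CTF_BUCKETS = {"example-app-rag"}
BASE = {"guardrails_enabled": True, "user_role_policy_assessed": True,
        "service_role_policy_assessed": True, "single_tenant": True,
        "region": BASELINE_REGION, "model_id": "example.model-a",
        "rag_buckets": ["example-app-rag"], "egress_cidrs": ["10.0.4.0/24"],
        "agents": []}
```

Calling `required_approvals(None, BASE, APPROVED, CTF_BUCKETS)` covers a first-time integration; passing the currently approved configuration as `current` covers a later model swap.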