Deployment Passport Submission Process
This article covers the steps involved in getting your Deployment Passport signed by Game Warden’s Authorizing Official (AO) following the collection of all applicable documentation.
Prerequisites to Deployment Passport Submission
Before the Game Warden Security team can compile your Deployment Passport for review, the following steps must be completed:
| | Task | Responsibility |
|---|---|---|
| 1. | ALL security findings have been resolved and accepted by the Game Warden security team | Customer & Second Front |
| 2. | System Security Plan reviewed and verified accurate: | Customer |
| 3. | SSP - Authorization Boundary Diagram Section is up to date and accurate: | Customer |
| 4. | SSP - Information Security Section - work with your Government System Owner and Contract Sponsor to identify applicable values based on Impact Level of application for the following: | Customer |
| 5. | SSP - Deployment Information Section | Customer |
| 6. | Ensure all pipelines are hardened in Harbor | Second Front |
| 7. | Upload Static Application Security Testing scanning documents and attestation to your SSP in Game Warden within 30 days of submitting your Deployment Passport. | Customer |
| 8. | Dynamic Application Security Testing scan approval | Second Front |
Deployment Passport Submission
When the Prerequisite items have been completed and your team is ready for your Deployment Passport to be submitted, your Technical Implementation Manager will submit an internal support ticket to track progress as the Game Warden security team begins their formal review.
Code Freeze
It is imperative that while your Deployment Passport is under review, no changes are made to the application you wish to deploy on Game Warden. Any changes could prompt new CVEs to resolve and will start the process over again.
Deployment Passport Reviews
Security Team Review
The Game Warden security team will review your Deployment Passport documents for completeness in accordance with the above table, including resolution of all security findings surfaced by ScanLab and by SAST/DAST scanning. They also verify that the application you intend to deploy on DoD environments matches exactly with the components and versions listed in your System Security Plan (SSP) and Authorization Boundary Diagram.
The Game Warden security team's review is rigorous and thorough to ensure your Deployment Passport does not risk rejection from our Authorizing Official or our third-party risk assessors. If we uncover an error, your team will need to work with your Technical Implementation Manager or Customer Success Manager to correct the issue and resubmit your Deployment Passport.
Third Party Review
With the Game Warden security team’s stamp of approval, your Deployment Passport is forwarded to our third-party assessors, who will perform an outside review of your documentation with an eye towards accuracy and completeness.
Authorizing Official
The last stop for your Deployment Passport is the desk of Game Warden’s Authorizing Official. With their review and signature, your application will receive its Certificate to Field and will inherit Game Warden’s Authority to Operate on DoD environments.
Final Steps Prior to Deployment
If this is the first time deploying your application, when your Deployment Passport is returned with the Authorizing Official's signature, your Technical Implementation Manager will coordinate a Pre-Deployment Brief to include key stakeholders from Second Front Systems, your company, and your Government Sponsor. This meeting serves as the final check and approval before your initial deployment.
Upon conclusion of the Pre-Deployment Brief, your application will be green-lit for deployment to your staging environment.
Can you submit an IL4 renewal Deployment Passport at the same time as an IL5/IL6 being worked on separately, with an earlier renewal date?
If it is the same application, yes, you can submit all DPs, and that effort will probably reduce the workload for the AO.
The DAST scan is run against DEV, and as long as you are using a single DEV environment, AND there are NO application differences, you can use the same DAST scan.