
Deployment Passport Submission Process

This article covers the steps involved in getting your Deployment Passport signed by Game Warden’s Authorizing Official (AO) following the collection of all applicable documentation.

Prerequisites to Deployment Passport Submission

Before the Game Warden Security team can compile your Deployment Passport for review, the following steps must be completed:

Task and Responsibility

1. ALL security findings have been resolved and accepted by the Game Warden security team
Responsibility: Customer & Second Front

2. System Security Plan reviewed and verified accurate:
  • Components are updated to the current version
  • If a component will not be included on the Deployment Passport, select “Excluded” from the drop-down menu
  • If there is CUI, the type of CUI is selected
  • Identify and update all personnel
  • Government contract information is up to date and accurate
  • All external databases, external systems, and external dependencies are listed (uncommon)
Responsibility: Customer

3. SSP - Authorization Boundary Diagram Section is up to date and accurate:
  • Diagrams should be readable and organized
  • All containers listed on the Architecture Diagram match exactly to the container titles in the Components section of the SSP
  • Diagrams should list all external connections (anything that will need to cross the Game Warden boundary for the application to function properly) and clearly indicate how data ingress and egress is working
  • Dependencies used, external systems used, and database names should match exactly to what is listed on SSP
  • (If Applicable) [Add Connection] → External Data Connections: Ensure external data connection name is filled out. Explain complete data flows between your Game Warden Application and the external connection. Provide ports, protocols, data that's in transit, as well as the directionality of that data. Tell a story for how the data will flow and interact with the application.
Responsibility: Customer

4. SSP - Information Security Section - work with your Government System Owner and Contract Sponsor to identify applicable values based on Impact Level of application for the following:
  • Confidentiality, Integrity, Availability Levels
  • Classification Level
  • Security Classification Guide (SCG)
  • Distribution Control Type
  • Controlled Unclassified Information (CUI). IL2 will not contain CUI.
  • Personally Identifiable Information (PII): Work with your applicable Privacy Official (Representative) to determine what PII will be utilized within the application
Responsibility: Customer

5. SSP - Deployment Information Section
  • Programming Languages Used: List every programming language used in the app you are submitting.
  • List all dependencies used: Briefly describe anything within the environment that the application is dependent on (excluding databases)
  • List all databases used: List any databases that your application references. Ensure that the naming convention matches what’s on your authorization diagram.
Responsibility: Customer

6. Ensure all pipelines are hardened in Harbor
Responsibility: Second Front

7. Upload Static Application Security Testing scanning documents and attestation to your SSP in Game Warden within 30 days of submitting your Deployment Passport.
Responsibility: Customer

8. Dynamic Application Security Testing scan approval
  • You must have a functioning application in DEV for the DAST scan to be successful
  • No additional architecture or code changes
  • All security findings surfaced by the DAST scan must be resolved prior to Deployment Passport submission
Responsibility: Second Front

Deployment Passport Submission

When the Prerequisite items have been completed and your team is ready for your Deployment Passport to be submitted, your Technical Implementation Manager will submit an internal support ticket to track progress as the Game Warden security team begins their formal review.

Code Freeze

It is imperative that while your Deployment Passport is under review, no changes are made to the application you wish to deploy on Game Warden. Any changes could prompt new CVEs to resolve and will start the process over again.

Deployment Passport Reviews

Security Team Review

The Game Warden security team will review your Deployment Passport documents for completeness in accordance with the above table, including resolution of all security findings surfaced by ScanLab and by SAST/DAST scanning. They also verify that the application you intend to deploy on DoD environments matches exactly with the components and versions listed in your System Security Plan (SSP) and Authorization Boundary Diagram.

The Game Warden security team's review is rigorous and thorough to ensure your Deployment Passport does not risk rejection from our Authorizing Official or our third party risk assessors. If we uncover an error, your team will need to work with your Technical Implementation Manager or Customer Success Manager to correct the issue and resubmit your Deployment Passport.

Third Party Review

With the Game Warden security team’s stamp of approval, your Deployment Passport is forwarded to our third party assessors who will perform an outside review of your documentation with an eye towards accuracy and completeness.

Authorizing Official

The last stop for your Deployment Passport is the desk of Game Warden’s Authorizing Official. With their review and signature, your application will receive its Certificate to Field and will inherit Game Warden’s Authority to Operate on DoD environments.

Final Steps Prior to Deployment

If this is the first time deploying your application, when your Deployment Passport is returned with the Authorizing Official's signature, your Technical Implementation Manager will coordinate a Pre-Deployment Brief to include key stakeholders from Second Front Systems, your company, and your Government Sponsor. This meeting serves as the final check and approval before your initial deployment.

Upon conclusion of the Pre-Deployment Brief, your application will be green-lit for deployment to your staging environment.

Can you submit an IL4 renewal Deployment Passport at the same time as an IL5/IL6 being worked on separately, with an earlier renewal date?

If it is the same application, yes, you can submit all DPs, and that effort will probably reduce the workload for the AO.
The DAST scan is run against DEV, and as long as you are using a single DEV environment AND there are NO application differences, you can use the same DAST scan.
