Deployment Passport Submission Process
This guide outlines the steps to get your Deployment Passport signed by Game Warden’s Authorizing Official (AO) after all required documentation has been collected and verified.
Prerequisites
Before the Game Warden security team can prepare your Deployment Passport for review, the following requirements must be met:
| Task | Responsibility |
|---|---|
| 1. Resolve all security findings<br>All security findings must be addressed and accepted by the Game Warden security team. | Customer & Second Front |
| 2. Verify Body of Evidence (BoE)<br>Ensure the BoE is accurate and up to date:<br>- Components updated to the current version.<br>- Mark components not included in the Deployment Passport as Excluded.<br>- Identify CUI type (if applicable).<br>- Personnel details are complete.<br>- Government contract information is accurate.<br>- All external databases, systems, and dependencies are listed (rare cases). | Customer |
| 3. Update the Authorization Boundary Diagram<br>Diagrams must:<br>- Be clear and organized.<br>- Match container names in the BoE exactly.<br>- Show all external connections and data flows (ingress/egress).<br>- Match dependencies, systems, and database names exactly to the BoE.<br>- For External Data Connections, provide name, ports, protocols, direction, and a complete narrative of data flow. | Customer |
| 4. Update the Information Security section<br>With your Government System Owner and Contract Sponsor, determine:<br>- Confidentiality, Integrity, and Availability levels.<br>- Classification Level and Security Classification Guide (SCG).<br>- Distribution Control Type.<br>- CUI status (IL2 contains no CUI).<br>- PII details with your Privacy Official. | Customer |
| 5. Update the Deployment Information section<br>Include:<br>- All programming languages used.<br>- Dependencies (excluding databases).<br>- Databases used (names must match diagram). | Customer |
| 6. Harden all pipelines in Harbor | Second Front |
| 7. Upload SAST scan results and attestation<br>Must be uploaded to the BoE in Game Warden within 30 days of Deployment Passport submission. | Customer |
| 8. DAST scan approval<br>Requirements:<br>- Functioning application in DEV.<br>- No architecture or code changes.<br>- All findings resolved before submission. | Second Front |
Submission process
Once all prerequisites are complete, your Technical Implementation Manager (TIM) will submit an internal support ticket to initiate the formal review process.
Code freeze
While your Deployment Passport is under review, do not make any changes to the application. Any change may generate new CVEs, requiring resolution and restarting the process.
Review stages
Security Team Review
The Game Warden security team checks your Deployment Passport for:
- Complete documentation.
- All CVE, SAST, and DAST findings resolved.
- Consistency between the deployed application, BoE, and Authorization Boundary Diagram.
If issues are found, your TIM or Mission Success Managers will work with you to resolve them before resubmission.
Third-Party Review
Once approved internally, the Deployment Passport is sent to independent assessors for an external accuracy and completeness review.
Authorizing Official Review
The final review is done by the Authorizing Official. Upon approval, your application receives a Certificate to Field (CtF) and inherits Game Warden’s Authority to Operate (ATO) in DoD environments.
Final steps before deployment
For first-time deployments:
- Your TIM will schedule a Pre-Deployment Brief with Second Front, your team, and your Government Sponsor.
- This meeting serves as the last review before deployment.
- Upon completion, your application will be cleared for deployment to the staging environment.
FAQ
Can you submit an IL4 renewal Deployment Passport at the same time as an IL5/IL6 Deployment Passport that is being worked on separately, with an earlier renewal date?
Yes — if it’s the same application, you can submit all Deployment Passports together.
This approach will likely reduce the Authorizing Official’s workload.
The DAST scan is run against the DEV environment. As long as you are using a single DEV environment and there are no differences in the application, the same DAST scan can be used for both submissions.