Implementation Kickoff Guide for FedRAMP Deployment

This guide outlines the FedRAMP implementation process and shared responsibilities between your team and Second Front’s Game Warden platform. It includes what’s expected at each phase of onboarding, what artifacts you need to provide, and how we’ll work together to securely deploy your application and obtain FedRAMP Authorization to Operate (ATO).


Implementation phases & milestones

Each phase below lists what Second Front does and what you do.

Pre-engagement alignment
  What Second Front does:
  • Validate FedRAMP alignment and technical feasibility
  What you do:
  • Identify a U.S. Federal Agency Sponsor
  • Confirm FedRAMP authorization intent
  • Complete the FedRAMP Technical Intake Form

Kickoff
  What Second Front does:
  • Assign Mission Success Manager (MSM) and Technical Implementation Manager (TIM)
  • Deliver FedRAMP onboarding guidance
  What you do:
  • Assign technical, compliance, and security leads
  • Review FedRAMP onboarding requirements
  • Begin artifact collection and documentation planning

Configuration
  What Second Front does:
  • Configure development environments
  • Set up pipelines, Helm charts, and platform integrations
  What you do:
  • Provide container images
  • Configure identity and access management
  • Begin platform integration activities

Gap assessment & documentation development
  What Second Front does:
  • Coordinate Security Advisory Services and Agency engagement
  • Support control gap identification
  What you do:
  • Participate in control gap analysis
  • Support remediation planning
  • Develop required FedRAMP documentation, including:
    • Body of Evidence (BoE)
    • Control implementation statements
    • Policies and procedures
    • Asset inventory
    • Plans of Action & Milestones (POA&Ms)

Security review
  What Second Front does:
  • Perform platform-level security assessment
  • Review:
    • Dynamic Application Security Testing (DAST)
    • Container scan results
  What you do:
  • Resolve vulnerabilities found in your application
  • Provide justifications for findings as needed
  • Close Critical and High vulnerabilities
  • Submit application for security review

Approve
  What Second Front does:
  • Approve readiness for production deployment
  What you do:
  • No action required

Deploy to Production
  What Second Front does:
  • Enable production deployment
  What you do:
  • Deploy application to the Production environment through the Game Warden platform

Third Party Assessment (3PAO)
  What Second Front does:
  • Coordinate 3PAO engagement
  What you do:
  • Participate in 3PAO assessment activities
  • Support interviews and evidence review
  • Contribute to development of the Security Assessment Report (SAR)
  Important: Customers are responsible for conducting Static Application Security Testing (SAST) and submitting the results to the 3PAO for review.

Authorization
  What Second Front does:
  • Submit the authorization package to the sponsoring agency
  • Coordinate FedRAMP PMO review
  What you do:
  • Support agency review and clarification requests
  If approved, your application will be listed as "Authorized" on the FedRAMP Marketplace.

Day 2 Operations – Continuous Monitoring (ConMon)
  What Second Front does:
  • Monthly platform scans:
    • Operating system scans
    • Database scans
    • Web application scans
    • Container scans
    • Configuration scans
  • Monthly platform inventory submission to FedRAMP
  • Submission of customer scan artifacts to FedRAMP
  • POA&M submission
  • ConMon Executive Summary submission
  What you do:
  • Monthly container vulnerability scans
  • Application container inventory
  • POA&M development and updates
  • Support continuous monitoring reporting

Shared Responsibility Model

Second Front uses the Shared Responsibility Model to clarify which tasks are owned by the customer and which are managed by Second Front, helping streamline implementation and compliance. Refer to Game Warden's Shared Responsibility Model for more information.


Required technical artifacts

To support a smooth and secure implementation, please collect and submit the required items listed in the Technical Artifacts guide as early as possible in the process.


Security requirements

Security is core to the Game Warden platform. You must be prepared to support the following:

• Authorization Boundary Diagram: Visual representation of your system's FedRAMP boundary, showing what's included in the authorization scope and how external systems integrate.
• CVEs & Remediation: You'll use Findings to manage container scans. CVEs must be addressed per the Acceptance Baseline Criteria.
• BoE: Complete FedRAMP authorization package containing all security documentation, control implementations, test results, and supporting evidence required for ATO.
• Control Implementations: Detailed documentation demonstrating how your system implements each required NIST SP 800-53 security control, with evidence of compliance.
• SAST Scan & AI Attestation: Prepare static analysis outputs and AI-related disclosures, if applicable.

Technical considerations

• Access Control: Identity federation, least privilege, and strong authentication
• Logging & Monitoring: Centralized logging, audit trails, and monitoring
• Pipelines & Image Push: Secure CI/CD pipelines, signed images, and controlled promotion
• Configuration Management: Change control and configuration baselines


Action items & best practices

• Secure a Federal Agency Sponsor early
• Assign clear compliance ownership
• Start system security control planning and BoE development immediately
• Resolve vulnerabilities early in the process
• Align application architecture with FedRAMP authorization boundaries
• Treat the 3PAO assessment as a formal audit
• Establish ConMon workflows before authorization