Game Warden's Shared Responsibility Model
The Game Warden Shared Responsibility Model outlines the division of responsibilities between Second Front (2F) and our customers across key areas of the platform, including infrastructure, security, development, and accreditation.
This model benefits customers by:
- Clarifying ownership of operational and compliance tasks, reducing confusion during implementation and ongoing operations.
- Streamlining collaboration, ensuring that both Second Front and customers can focus on their core responsibilities.
- Supporting faster authorization, by identifying who is accountable for delivering required artifacts and security controls.
The table below outlines specific areas of responsibility across key deployment types:

| Category | Responsibility Area | 2F | Customer | Shared |
|---|---|---|---|---|
| Infrastructure | Compute, storage, database, networking | ✔ | | |
| Platform | CI/CD, container & runtime scans, deployment environments, identity & access management | ✔ | | |
| Security | Continuous monitoring, 24/7 incident response, penetration testing, DoD compliance | ✔ | | |
| Security | Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST) | ✔ | | |
| Development | App development, container builds, client-side data, encryption & data integrity, data seeding / migration, vulnerability remediation | ✔ | | |
| Accreditation | CtF package preparation and submission | ✔ | | |
| | Deployment manifests & container artifacts | ✔ | | |
| | CtF supporting documentation | ✔ | | |
The journey to FedRAMP authorization and deployment with 2F progresses through these phases:
Development → Infrastructure → Platform → Security → 3PAO → Government Accreditation
The following groups outline the roles and responsibilities in the collaboration model:
- Development
  - App development
  - Container builds
  - Client-side data, encryption & data integrity
  - Data seeding and/or migration
  - Vulnerability remediation
- Infrastructure
  - Compute
  - Storage
  - Database
  - Networking
- Platform
  - CI/CD
  - Container & runtime scans
  - Deployment environments
  - Identity & access management (IAM) (Customer)
- Security
  - Continuous monitoring
  - 24/7 incident response
  - SAST & DAST
  - Penetration testing (customer's application)
- Compliance readiness:
  - Gap assessment and documentation support, including preparation of the Body of Evidence (BoE), Security Assessment Plan (SAP), and Risk Assessment Report (RAR)
  - Evidence gathering (screenshots, audit logs)
  - Plan of Action & Milestones (POA&M)
  - Ongoing continuous-monitoring guidance & updates
Important: You engage directly with your 3PAO (Third-Party Assessment Organization) and are billed by the 3PAO. You may leverage 2F's negotiated discounted rates when selecting a participating 3PAO.
Work with your selected 3PAO to produce the Security Assessment Report (SAR):
- Risk assessments (OS, web, database, container, and other scans)
- Security controls testing
- FedRAMP Initial Authorization Checklist
- Penetration testing (customer's web application)
- Security remediation & mitigation plan
The Agency Sponsor or FedRAMP Program Management Office (PMO) conducts SAR review and issues the ATO:
- Sponsoring Authorizing Official reviews the complete authorization package (BoE, SAP, SAR)
- If the assessment passes, the Agency Sponsor issues the ATO

| Category | Responsibility Area | Second Front | Customer | Shared |
|---|---|---|---|---|
| Infrastructure | Compute, storage, database, networking | ✔ | | |
| Platform | CI/CD, container & runtime scans, deployment environments, identity & access management | ✔ | | |
| Security | Continuous monitoring, 24/7 incident response, penetration testing, DoD compliance | ✔ | | |
| Security | Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST) | ✔ | | |
| Development | App development, container builds, client-side data, encryption & data integrity, data seeding / migration, vulnerability remediation | ✔ | | |