Using Government Access Cards with Game Warden
This guide provides essential information about government-issued access cards and when they're required for accessing Game Warden.
Once you have obtained a government access card, refer to Link Access Card with Platform One (P1) Account for instructions on associating your card with your P1 account for future authentication to Game Warden.
What are government access cards?
Government-issued access cards are secure credentials that use certificate-based authentication to verify a user’s identity when accessing government systems and environments. These cards embed cryptographic certificates that support Public Key Infrastructure (PKI) standards for secure access.
Game Warden supports the following types of government-issued access cards:
Common Access Card (CAC): Issued by the U.S. Department of Defense (DoD) to military personnel, government employees, and eligible contractors.
Process to acquire CAC
To obtain a CAC, you must go through the DoD vetting process with the support of a government sponsor. This process can take several months to complete.
The DoD issues CACs to eligible individuals, including:
- Active-duty military personnel
- Reservists
- Federal civilian employees
- Authorized contractors
Acquisition process:
You must work directly with your government sponsor to complete the following steps:
- Sponsorship and Eligibility Verification
- Registration and Enrollment
- Background Investigation
- Card Issuance
For detailed guidance, see the Process for Acquiring or Renewing a CAC or refer to the General Information section.
Note
You may receive a CAC based on fingerprint results; however, final approval depends on passing the National Agency Check with Inquiries (NACI). If the background check is not approved, the CAC will be revoked.
External Certification Authority (ECA) certificate: Issued by DoD-approved commercial vendors to contractors and vendors who work with DoD systems but are not eligible for CACs.
Process to acquire ECA
The ECA program provides digital certificates to eligible individuals affiliated with companies that require access to DoD systems. ECAs serve as an alternative to CACs for contractors and partners who are not eligible for a CAC.
To obtain an ECA certificate, you must complete the DoD vetting process through a DoD-approved vendor such as IdenTrust or WidePoint. The typical processing time is approximately 30 days.
Acquisition process with IdenTrust:
- Complete the required forms and have them notarized. You must submit your notarized forms within 30 calendar days of notarization — late submissions are invalid.
- Submit your application and documentation to the vendor within 30 days of notarization.
- Undergo identity verification by the vendor (typically 3–5 business days).
- Receive your certificate by mail based on the delivery option you select.
For compatibility recommendations and important usage notes, see the ECA Certificate Compatibility Guide.
Warning
- Game Warden recommends using IdenTrust, a DoD-approved provider, for obtaining ECA certificates.
- For best compatibility with Game Warden’s Keycloak Single Sign-On (SSO), we recommend selecting the ECA Medium Token Assurance option from IdenTrust. This token type has been validated to work with Game Warden’s identity and access management system.
- Game Warden is not affiliated with IdenTrust. Please contact IdenTrust directly for questions regarding certificate issuance or support.
Known compatibility considerations:
- Mac users with M1 chips must use Firefox when accessing government systems with an IdenTrust ECA. IdenTrust is aware of this limitation and is working to address it.
- Linux/Ubuntu is not supported for retrieving digital certificates from IdenTrust.
- Recommended browsers for certificate setup:
  - Windows: MS Edge or Google Chrome (latest versions)
  - Mac: Mozilla Firefox (latest version)
For complete system requirements and supported configurations, refer to the IdenTrust Certificate Compatibility Guide.
Personal Identity Verification (PIV) card: Issued by U.S. federal agencies for access to federal systems.
Process to acquire PIV
Federal agencies issue PIV cards to eligible individuals to provide secure access to government systems. To obtain one:
- Work directly with your government sponsor to request and complete the PIV issuance process.
- Confirm that your PIV card is issued with the required certificate policies to enable access to IL4+ environments via Platform One SSO.
- Coordinate with the Game Warden team to verify your access after issuance.
Note
- Game Warden does not issue or manage government access cards. You must obtain them directly from a government sponsor or a DoD-approved provider.
- Users with a CAC, ECA, or PIV can access Game Warden environments at IL2, IL4, and IL5 through Platform One (P1) Single Sign-On (SSO) — provided their access card includes one of the required certificate policies.
- Contact the Game Warden Platform team for proactive guidance before attempting access. We can assist with validating your card’s configuration and ensuring it works with IL2, IL4, and IL5 environments.
Government access card comparison
The table below summarizes key requirements and acquisition processes for each supported government access card.
- CAC and PIV cards are issued directly by government sponsors.
- ECA certificates must be obtained from a DoD-approved vendor, such as IdenTrust, Inc.
| Card Type | Estimated Wait Time | U.S. Citizenship Requirement | Cost |
|---|---|---|---|
| CAC | Up to 18 months (based on background investigation) | Not required | Consult with your government sponsor |
| ECA | ~30 days after submitting notarized forms | Not required | View IdenTrust pricing — prices may vary for non-U.S. citizens |
| PIV | 2–6 weeks | Must be a U.S. National† | Consult with your government sponsor |
† U.S. National: An individual who owes permanent allegiance to the United States. This includes U.S. citizens and certain non-citizens, such as individuals born in American Samoa or Guam.
When is a government access card required?
Access to Game Warden-hosted applications is governed by Impact Level (IL) requirements and access control policies. A government-issued access card is required for certain environments and strongly recommended for others, depending on the deployment stage and access method.
The table below summarizes where a government access card is required:
| Resource | Requires Government Access Card |
|---|---|
| Customer Application at IL2 STG | 🚫 |
| Customer Application at IL2 PRD | 🚫 |
| Customer Application at IL4 | ✅ |
| Customer Application at IL5 | ✅ |
| Game Warden Application at IL2 | 🚫 |
| Game Warden Application at IL5 | ✅ |
| Harbor Registry at IL2 | 🚫 |
| Harbor Registry at IL5 | ✅ |
| ArgoCD at IL2 | 🚫 |
| ArgoCD at IL4 | ✅ |
| ArgoCD at IL5 | ✅ |
| Grafana at IL2 | 🚫 |
| Grafana at IL4 | ✅ |
| Grafana at IL5 | ✅ |
Certificate policies and Public Key Infrastructure (PKI)
What is PKI?
PKI is a security framework used to issue and manage digital certificates for secure authentication, encryption, and digital signatures. In government systems, PKI ensures that users accessing sensitive environments—such as Game Warden at IL4 and IL5—are authenticated with trusted, cryptographically validated credentials.
PKI works by using a pair of cryptographic keys (public and private) linked to a user's identity, managed through a Certificate Authority (CA). These keys are embedded in a digital certificate that users present when authenticating to a system.
What are certificate policies?
A certificate policy is a defined set of rules embedded in a digital certificate that dictates how the certificate may be used and the level of assurance it provides.
Certificate policies are represented by Object Identifiers (OIDs) — standardized numeric codes uniquely assigned to each policy. Systems such as P1 and Game Warden validate both the certificate and its associated policy before granting access.
These policies allow relying parties to enforce usage restrictions and ensure compliance with security standards.
Approved certificate policies
| Certificate Policy OID | Policy Identifier |
|---|---|
| 2.16.840.1.101.2.1.11.5 | id-US-dod-medium |
| 2.16.840.1.101.2.1.11.9 | id-US-dod-mediumhardware |
| 2.16.840.1.101.2.1.11.10 | id-US-dod-PIV-Auth |
| 2.16.840.1.101.2.1.11.17 | id-US-dod-mediumNPE |
| 2.16.840.1.101.2.1.11.18 | id-US-dod-medium-2048 |
| 2.16.840.1.101.2.1.11.19 | id-US-dod-mediumHardware-2048 |
| 2.16.840.1.101.2.1.11.20 | id-US-dod-PIV-Auth-2048 |
| 2.16.840.1.101.2.1.11.31 | id-US-dod-peerInterop |
| 2.16.840.1.101.2.1.11.36 | id-US-dod-mediumNPE-112 |
| 2.16.840.1.101.2.1.11.37 | id-US-dod-mediumNPE-128 |
| 2.16.840.1.101.2.1.11.38 | id-US-dod-mediumNPE-192 |
| 2.16.840.1.101.2.1.11.39 | id-US-dod-medium-112 |
| 2.16.840.1.101.2.1.11.40 | id-US-dod-medium-128 |
| 2.16.840.1.101.2.1.11.41 | id-US-dod-medium-192 |
| 2.16.840.1.101.2.1.11.42 | id-US-dod-mediumHardware-112 |
| 2.16.840.1.101.2.1.11.43 | id-US-dod-mediumHardware-128 |
| 2.16.840.1.101.2.1.11.44 | id-US-dod-mediumHardware-192 |
| 2.16.840.1.101.2.1.11.59 | id-US-dod-admin |
| 2.16.840.1.101.2.1.11.60 | id-US-dod-internalNPE-112 |
| 2.16.840.1.101.2.1.11.61 | id-US-dod-internalNPE-128 |
| 2.16.840.1.101.2.1.11.62 | id-US-dod-internalNPE-192 |
| 2.16.840.1.101.3.2.1.12.1 | id-eca-medium |
| 2.16.840.1.101.3.2.1.12.2 | id-eca-medium-hardware |
| 2.16.840.1.101.3.2.1.12.3 | id-eca-medium-token |
| 2.16.840.1.101.3.2.1.12.4 | id-eca-medium-sha256 |
| 2.16.840.1.101.3.2.1.12.5 | id-eca-medium-token-sha256 |
| 2.16.840.1.101.3.2.1.12.6 | id-eca-medium-hardware-pivi |
| 2.16.840.1.101.3.2.1.12.8 | id-eca-contentsigning-pivi |
| 2.16.840.1.101.3.2.1.12.9 | id-eca-medium-device-sha256 |
| 2.16.840.1.101.3.2.1.12.10 | id-eca-medium-hardware-sha256 |
| 2.16.840.1.101.3.2.1.3.4 | id-fpki-certpcy-highAssurance |
| 2.16.840.1.101.3.2.1.3.7 | id-fpki-common-hardware |
| 2.16.840.1.101.3.2.1.3.12 | id-fpki-certpcy-mediumHardware |
| 2.16.840.1.101.3.2.1.3.13 | id-fpki-common-authentication |
| 2.16.840.1.101.3.2.1.3.16 | id-fpki-common-High |
| 2.16.840.1.101.3.2.1.3.18 | id-fpki-certpcy-pivi-hardware |
| 2.16.840.1.101.3.2.1.3.20 | id-fpki-certpcy-pivi-contentSigning |
| 2.16.840.1.101.3.2.1.3.24 | id-fpki-SHA1-hardware |
| 2.16.840.1.101.3.2.1.3.36 | id-fpki-common-devicesHardware |
| 2.16.840.1.101.3.2.1.3.38 | id-fpki-certpcy-mediumDeviceHardware |
| 2.16.840.1.101.3.2.1.3.39 | id-fpki-common-pivi-contentSigning |
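The policy check described in this section, as an added example rather than Game Warden or Platform One code: it walks DER bytes for the certificatePolicies extension (OID 2.5.29.32) and reports which asserted policy OIDs appear in the approved table. `APPROVED` holds three rows of that table, `SAMPLE` is a constructed extension block, and all function names are this example's own.

```python
# Added example. APPROVED is a three-row subset of the approved-policy table.
APPROVED = {
    "2.16.840.1.101.2.1.11.42": "id-US-dod-mediumHardware-112",
    "2.16.840.1.101.3.2.1.12.3": "id-eca-medium-token",
    "2.16.840.1.101.3.2.1.3.13": "id-fpki-common-authentication",
}
CERT_POLICIES = bytes.fromhex("551d20")  # DER body of OID 2.5.29.32
# Constructed sample (not a real certificate): id-eca-medium-token + anyPolicy.
SAMPLE = bytes.fromhex(
    "a3233021301f0603551d2004183016" "300c060a60864801650302010c03" "30060604551d2000")

def tlvs(buf):
    """Yield (tag, value) for each DER element in buf."""
    i = 0
    while i < len(buf):
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length & 0x80:  # long form: low 7 bits count the length bytes
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        if i + length > len(buf):
            raise ValueError("truncated DER element")
        yield tag, buf[i:i + length]
        i += length

def decode_oid(body):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends this base-128 arc
            arcs.append(val)
            val = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def policy_oids(der):
    """Return policy OIDs from the first certificatePolicies extension found."""
    for tag, val in tlvs(der):
        if not tag & 0x20:  # primitive element: nothing to descend into
            continue
        kids = list(tlvs(val))
        if kids and kids[0] == (0x06, CERT_POLICIES) and kids[-1][0] == 0x04:
            (_, seq), = tlvs(kids[-1][1])  # OCTET STRING wraps SEQUENCE OF
            return [decode_oid(next(tlvs(pi))[1]) for _, pi in tlvs(seq)]
        if found := policy_oids(val):
            return found
    return []

def approved_policies(der):  # approved OID -> policy identifier
    return {o: APPROVED[o] for o in policy_oids(der) if o in APPROVED}
```

This reads only the certificate's own policy list. Path validation under RFC 5280 also processes policies along the issuing chain, so treat a match here as a pre-check before requesting access.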
FAQs
Will it affect my app’s deployment to IL4+ environments if I don’t have a government access card?
Game Warden can deploy your application to IL4+ staging (STG) and production (PRD) environments even if you do not have a government access card (CAC, PIV, or ECA). However, you will not be able to access your environment, logs, or application endpoints without an approved government access card.
Can I hire a service member with a government access card to perform DevSecOps work for my company?
No. Hiring a Reservist or National Guard member to use their government access card for company work is strictly prohibited. This constitutes misuse of government credentials and can result in serious consequences for the service member.