Security Compliance Policy
On October 14, 2022, the Department of Defense (DoD) granted Second Front Systems, Inc. (2F)—and, by extension, the Game Warden platform—its Authority to Operate (ATO). This authorization allows our Platform-as-a-Service (PaaS) to operate within the DoD network at Impact Levels (IL) 2, 4, and 5 for applications deployed to both the Staging (STG) and Production (PRD) environments. 2F develops, maintains, and operates the Game Warden platform.
Deployment Passport
The Security Compliance Policy applies to all 2F customers with applications hosted on our platform and deployed to STG or PRD at ILs 2, 4, and 5.
If you deploy applications to PRD at these ILs, you must have a signed Deployment Passport from the government’s Information Systems Security Manager (ISSM).
The Deployment Passport—a Game Warden–specific term—is a body of evidence containing the artifacts required to meet ATO requirements. An ISSM-signed Deployment Passport allows you to inherit our ATO, granting permission to deploy applications into both STG and PRD at the applicable ILs.
Warning
The ATO is non-transferable and valid only for applications hosted on Game Warden.
The Deployment Passport includes:
- Authorization Boundary Diagram
- Body of Evidence (BoE)
- Common Vulnerabilities and Exposures (CVE) summary
For more information, see Deployment Passport.
Policy definition
The Security Compliance Policy defines the actions 2F will take if your application does not meet CVE remediation timelines. All customers must review, acknowledge, and address CVEs in accordance with our Acceptance Baseline Criteria.
Policy requirements
| Requirement | Description |
|---|---|
| Ongoing maintenance | Application developers must regularly update and maintain PRD applications. |
| Notification of findings | 2F will notify developers when security findings are nearing the acceptable remediation timeline. Timely action is required to ensure applications can continue running in PRD. |
| Failure to remediate | If required actions are not completed within a reasonable timeframe—agreed upon by the ISSM, 2F, and the application developer—2F will follow its ATO guidelines. This may result in service interruption, including removal of the application from STG and PRD. |
| Service restoration | Service will be restored only after all outstanding vulnerabilities are resolved and approved by the ISSM. If the previously issued Deployment Passport has expired, a new Deployment Passport must be obtained before service is restored. |
| RBAC on Game Warden Platform | We enforce least-privilege RBAC in our platform clusters. |