
Common Vulnerabilities and Exposures 101

Vulnerabilities are weaknesses in software that attackers can exploit to gain unauthorized access to systems or data. As software and threat landscapes evolve, new vulnerabilities are discovered frequently by security researchers.

This guide explains the role of Common Vulnerabilities and Exposures (CVEs) in secure development within Game Warden, and how they apply across both Department of War (DoW) and FedRAMP environments. It also describes how Game Warden streamlines CVE management to support compliance with Authority to Operate (ATO) and software authorization requirements to enable faster, more secure deployment to production.


CVE management lifecycle

Managing CVEs in Game Warden follows a five-stage process. Each stage links to a dedicated guide:

Stage | What happens | Where to go
1. Understand CVEs | Learn what CVEs are, how CVSS scoring works, and why they matter in DoW and FedRAMP environments. | Common Vulnerabilities and Exposures 101
2. Choose secure containers | Select base images (Chainguard, Iron Bank) that minimize inherited CVEs before you build. | Recommended Containers
3. Review scan results | After pushing images, view detected CVEs by severity across Development (DEV), Staging (STG), and Production (PRD) environments in the Findings tool. | Findings Overview
4. Address vulnerabilities | Remediate, mitigate, or justify each finding using the correct terminology and CVE statement format. | Addressing Common Vulnerabilities
5. Meet compliance standards | Confirm your resolutions satisfy Game Warden's scanning schedule, SLA timelines (Tables A–C), and exception criteria. | Acceptance Baseline Criteria

CVEs in regulated environments

CVE management is a strict requirement for deploying to both DoW and FedRAMP environments. While the two frameworks have different authorization processes, they share the same underlying rationale for CVE management:

  • Awareness: CVEs provide a standardized way to identify and track known software vulnerabilities.
  • Risk prioritization: CVSS scoring allows teams to focus remediation efforts on the most critical exposures first.
  • System compatibility: Visibility into CVEs helps ensure interconnected systems remain secure across agency boundaries.
  • Regulatory compliance: CVEs support alignment with NIST SP 800-53, which is the foundation of both DoW and FedRAMP security controls.
  • Risk mitigation: Structured CVE tracking improves risk management across mission-critical and federal cloud systems.
  • Collaboration: CVEs are globally recognized, supporting coordination between government, industry, and partners.

Info

CVEs are scored using the Common Vulnerability Scoring System (CVSS) and listed in a global directory maintained by MITRE. CVEs are analyzed by NIST and published on several public registries.

For DoW deployments, reducing CVEs is a strict requirement. Unresolved vulnerabilities can block or delay an Authority to Operate (ATO) and prevent deployment to mission-critical systems.

For FedRAMP deployments, the authorization requires ongoing vulnerability management as part of Continuous Monitoring (ConMon). Unresolved CVEs must be tracked in a Plan of Action and Milestones (POA&M) and remediated within FedRAMP-defined timelines. Failure to maintain an up-to-date POA&M can result in loss of FedRAMP authorization.


Manage CVEs within Game Warden

Once images are pushed to the Harbor registry, Game Warden scans your application containers for CVEs. These results are accessible through Findings, a CVE management tool built into the Game Warden web app. Use it to:

  • Review CVE details and severity levels
  • Apply remediation or submit justifications
  • Request a security review within the platform

After deployment, Game Warden performs scans to ensure your containers remain secure and compliant with the Acceptance Baseline Criteria. Any new vulnerabilities must be resolved or justified within the required timelines.

Warning

Failure to remediate or justify vulnerabilities within the required SLAs may result in deployment delays or noncompliance status — including ATO impact for DoW and POA&M findings for FedRAMP.


Findings overview

The Findings page provides an aggregated view of all CVEs detected across your DEV, STG, and PRD environments. Use it to view, resolve, or justify CVEs, address security compliance results, and review security team responses to your proposed resolutions.


Free scanning tools: Trivy and Grype

Game Warden's scanning pipelines use open-source tools such as Syft, Grype, and Trivy to analyze containers. You can run these tools locally to preview your CVE posture before submission.

  • The Game Warden pipeline defines policy rules aligned with NIST SP 800-53, supporting compliance for both DoW and FedRAMP.
  • Trivy offers fast, lightweight container scanning for both vulnerabilities and compliance issues.
  • Grype offers fast scanning of container images and filesystems to find known vulnerabilities in operating system and language-specific packages.
  • Syft generates a comprehensive Software Bill of Materials (SBOM) for your container images.
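
The local preview described above produces scanner output that still has to be read and triaged. The following is an added example, not code from the Game Warden docs or from the Grype project: it parses a Grype JSON report (assumed layout: `matches[].vulnerability.{id,severity,fix}` and `matches[].artifact.{name,version}`), counts findings per severity, lists the ones a known fixed version exists for, and shows which critical/high findings would still need a justification. The embedded report is constructed and its CVE ids are placeholders.

```python
"""Summarize a Grype JSON report by severity before pushing an image.

Added example, not part of the Game Warden documentation or the Grype project.
It assumes the Grype JSON layout (matches[].vulnerability.{id,severity,fix} and
matches[].artifact.{name,version}); the sample report below is constructed.
A real report is produced with:  grype <image> -o json > grype.json
"""
import json
from collections import Counter

# Grype severity labels, most severe first; the gate below uses this order.
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Negligible", "Unknown"]

# Constructed sample report: placeholder CVE ids, not real findings.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                           "fix": {"versions": ["1.1.1w"], "state": "fixed"}},
         "artifact": {"name": "openssl", "version": "1.1.1k", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "libxml2", "version": "2.9.10", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium",
                           "fix": {"versions": ["4.17.21"], "state": "fixed"}},
         "artifact": {"name": "lodash", "version": "4.17.15", "type": "npm"}},
        # The same CVE matched against a second package is a second finding.
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                           "fix": {"versions": ["1.1.1w"], "state": "fixed"}},
         "artifact": {"name": "libssl1.1", "version": "1.1.1k", "type": "deb"}},
    ]
})


def load_matches(report_text):
    """Flatten a Grype report into (cve_id, severity, package, version, fixed_in)."""
    report = json.loads(report_text)
    rows = []
    for match in report.get("matches", []):
        vuln = match["vulnerability"]
        artifact = match["artifact"]
        fixed_in = (vuln.get("fix") or {}).get("versions") or []
        rows.append((vuln["id"], vuln.get("severity", "Unknown"),
                     artifact["name"], artifact.get("version", ""),
                     ", ".join(fixed_in)))
    return rows


def count_by_severity(rows):
    """Count findings per severity label.

    Counts matches rather than unique CVE ids: one CVE hitting two packages
    is two remediation actions in the image.
    """
    counts = Counter(severity for _, severity, *_ in rows)
    return {label: counts.get(label, 0) for label in SEVERITY_ORDER}


def blocking(rows, fail_on="High", justified=frozenset()):
    """Findings at or above `fail_on` that have no recorded justification.

    `justified` is a set of CVE ids for which a justification has already been
    written, so the output is what still has to be remediated or justified.
    """
    accepted = set(SEVERITY_ORDER[:SEVERITY_ORDER.index(fail_on) + 1])
    return [r for r in rows if r[1] in accepted and r[0] not in justified]


def fixable(rows):
    """Findings where the scanner knows a fixed version: the cheapest to remediate."""
    return [r for r in rows if r[4]]


if __name__ == "__main__":
    rows = load_matches(SAMPLE_REPORT)
    for label, count in count_by_severity(rows).items():
        print(f"{label:<10} {count}")
    print("\nFixable by upgrading:")
    for cve, sev, pkg, ver, fix in fixable(rows):
        print(f"  {cve} {sev:<8} {pkg} {ver} -> {fix}")
    print("\nStill blocking (Critical/High without justification):")
    for cve, sev, pkg, ver, _ in blocking(rows, justified={"CVE-0000-0002"}):
        print(f"  {cve} {sev:<8} {pkg} {ver}")
```

Running the same functions against a report from the DEV image and again after rebuilding on a hardened base gives a quick before/after count, which is the point of previewing locally before the Findings tool sees the image.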

Compliance justifications

The Game Warden pipeline detects compliance issues based on NIST SP 800-53 policies — the control baseline shared by both DoW and FedRAMP. These findings are treated similarly to CVEs and must be resolved or justified.

Severity levels:

  • Go – OK to proceed (Low severity)
  • Warn – Warning (Medium severity)
  • Stop – Critical finding; blocks deployment (High severity)

Warning

Second Front requires all vulnerabilities to be addressed unless a valid CVE statement and justification are provided.


Managing CVEs post-deployment

Applications deployed to staging or production are scanned daily. All new vulnerabilities must be addressed within the timelines specified in Tables A and B of the Acceptance Baseline Criteria.

Note

  • If remediation isn't possible for a critical/high vulnerability, a CVE justification and mitigation are required.
  • As the threat landscape evolves, new vulnerabilities may surface. It is essential that customers continuously update their applications and container dependencies.
  • FedRAMP customers must also reflect unresolved findings in their POA&M and report them as part of monthly ConMon deliverables.