The Department of Defense (DoD) and commercial companies have had a tough time overcoming the obstacles of working together to develop and provide the military with advanced modern software capabilities. Since its creation, software has delivered ever more utility in complementing or even replacing humans in many tasks, but legitimate cybersecurity concerns and legacy processes have stunted the DoD’s efforts to capitalize upon these technologies from the private sector. The meticulous documentation, innumerable security requirements, and scarcity of centralized information on gaining an Authority to Operate (ATO) on government networks have made the path particularly difficult for commercial software companies. Luckily, Game Warden® was built to bridge that gap.
What is Game Warden?
Game Warden is a fully-managed and DoD-authorized DevSecOps platform accelerating software delivery to the government. It offers all the tooling needed to secure, harden, and run commercial software with alerting, monitoring, and incident response so companies can continuously deliver their software to government users in a production environment accredited at DoD Impact Levels (IL) 4/5.
Over the course of Game Warden 101, we’ll cover the following topics:
The Problem Game Warden Solves
Game Warden is built for Software as a Service (SaaS) companies struggling to deliver their solutions to the federal government due to challenging software acquisition processes and unique cybersecurity requirements. There are significant challenges involved in acquiring software solutions at the speed of relevance for the DoD. Using traditional acquisition methods makes it difficult to account for new entrants to the market (often commercial companies unfamiliar with defense requirements), their cybersecurity, and their underlying deployment models.
The government has taken steps to solve the problem by implementing the Federal Risk and Authorization Management Program (FedRAMP) to provide a standardized approach to security authorizations for commercial cloud solutions. Although FedRAMP brought much-needed changes to the way the federal government approaches technology acquisition, it has still struggled to match the speed and scale of the private technology sector.
The continuous ATO (cATO) model opened the door for DoD organizations like the Air Force's Cloud One (C1) and Platform One (P1) to focus on continuous integration and continuous delivery (CI/CD) methodologies and automation. P1 provides an ecosystem and framework of DevSecOps capabilities to DoD software teams, while C1 provides DoD access to cloud services. Using hardened containers and Kubernetes, artifacts can be passed through automated security and functionality testing without forcing companies to fully expose their source code and intellectual property.
But while government organizations like P1 and C1 have been trailblazers, they are limited by federal funding cycles and processes. Many commercial companies were eager to receive an ATO through these routes, but the bureaucratic funding systems that support them have struggled to scale. Game Warden addresses that scalability problem, both for commercial companies seeking to rapidly accredit and run their software on government networks and for government users seeking to rapidly onboard commercial software applications.
The Business Case
It is important for companies to understand the concept of an authority to operate (ATO) when they are seeking to work with the government. ATOs are the government’s seal of approval for a company to operate their software application on government networks. There are a few different types of ATO including traditional ATOs, provisional ATOs, rapid ATOs, and continuous ATOs (cATO).
Traditional ATO paths, unique to each agency, can take a lot of time, money, and manpower—particularly challenging for resource-strapped small start-up businesses. Timelines often range from six months to two years and costs have been known to exceed $1 million. The extensive paperwork and manual testing of code involved in the process, along with National Institute of Standards and Technology (NIST) compliance requirements, can be daunting, particularly for companies that did not design for them at the outset. This can be a steep learning curve.
Provisional ATOs are issued to companies that are still working on certain aspects of their software application and are valid for a finite amount of time. These ATOs are commonly granted by the FedRAMP Joint Authorization Board (JAB) to companies with one or more products actively in review for a FedRAMP ATO. Although JAB cannot issue an ATO on a specific agency’s behalf, its provisional ATO signifies that the DoD, Department of Homeland Security (DHS), and General Services Administration (GSA) have all reviewed the product and deemed it FedRAMP approved. Provisional ATOs can shorten the individual agency review process but do not eliminate the requirement for agency-by-agency review.
The rapid or Fast Track ATO process allows an Authorizing Official (AO) “the discretion to make an authorization decision based on the review of the combination of a Cybersecurity Baseline, an Assessment (e.g. Penetration Test), and an Information Systems Continuous Monitoring Strategy.” The rapid ATO process cuts down on documentation by leveraging a “show, don’t tell” approach to security assessment.
cATOs seek to speed up the ATO process by standardizing requirements, automating security and functionality testing, and authorizing the development environment as a means to authorize individual applications developed within it. These environments enable DevSecOps and CI/CD best practices throughout the development process.
ATO Through Game Warden
Game Warden, a full-service Platform-as-a-Service (PaaS) for companies seeking to deploy their software for government users, is a new pathway to a cATO. Game Warden bundles and provides a compliant, authorized environment as part of the platform offering. Companies choose Game Warden because it decreases their time to market significantly, cutting the time, labor, and associated costs of legacy ATO timelines.
IP and Security
Game Warden provides a new pathway to a cATO using a novel inherited security model that allows applications developed and deployed within the compliant Game Warden environment to inherit Game Warden’s own accreditation status. In short, the Game Warden environment is designed and accredited to connect to a government network and run compliant hardened containers. Game Warden customers can develop and deploy their software in this environment directly.
An inherited security model like Game Warden’s takes a load off of companies when it comes to passing government security standards. Game Warden’s platform, networking, and infrastructure are already accredited. Game Warden works with customers to set up processes and guards to ensure their applications pass security testing and hardening. When applications enter the Game Warden environment, they inherit Game Warden’s accredited security controls.
Game Warden has been architected from the beginning to meet commercial software businesses where they are. One of the most important differences from legacy government security models concerns intellectual property (IP) and source code. Some older accreditation models required a line-by-line review of source code. Game Warden does not need, never asks for, and does not even want access to a customer’s source code. Nor does the Game Warden model expose that source code to the government.
With hardened containerized artifacts, Game Warden can scan and test applications without the need to view source code directly. Application artifacts, containers, and architecture documentation are protected with strict access controls and policies to prevent third-party access. No company will see another’s containers, and neither will the government. Security scan results are also confidential, but will be provided directly to government accrediting officials as part of Game Warden’s ongoing documentation for the maintenance of the cATO. Customers are also isolated from one another within the Game Warden platform, each having its own secure Nexus registries for containers and Kubernetes clusters.
Layered Security Measures
Game Warden is not a work-around. It is built with the latest tools and best practices to be faster, more automated, and more secure while rigorously addressing all government security requirements. We are continually engaged with our government accrediting officials to maintain our cATO, including providing necessary documentation of both the underlying platform and new customer containers (a service the platform provides to our customers). Like any commercial PaaS provider or other responsible organization, and in conformance with cATO requirements, we conduct rigorous third-party penetration testing of the Game Warden environment on a recurring basis.
Game Warden Support
Although specialized to enable access to government and particularly national security customers, Game Warden provides all the services one would expect of any PaaS provider:
- 24-hour monitoring
- Incident response
- Customer support
- Continuous alert and security service
- Data backup and restoration
All of this is supported by Game Warden’s Customer Success and site reliability teams, which operate under strict Service-Level Agreements (SLAs). Customers are guided from onboarding, through application deployment, and into continued support by their dedicated Customer Success Representatives (CSRs). CSRs are connected via Slack to ensure seamless engagement and guidance throughout the process and host a regular meeting cadence with each customer to ensure they have what they need each step of the way.
Game Warden’s Availability
Game Warden is built to scan, harden, and deploy software into the government’s IL 4/5 environments, allowing it to run software on the Non-classified Internet Protocol Router Network (NIPRNet) where government customers can reach it. Game Warden currently runs on Amazon Web Services (AWS) and is expanding to support Microsoft Azure.
Game Warden is also building capabilities to reach the IL 6 Secret Internet Protocol Router Network (SIPRNet) environment, the Mission Partner Environment (MPE), and the Joint Worldwide Intelligence Communications System (JWICS).
Game Warden is in active development, with a robust roadmap of additional features and functionality to meet the DevSecOps needs of innovative software teams seeking to provide advanced capabilities to DoD users. Game Warden is in production now to support software that meets the requirements below, and will continue to expand capabilities, availability, and customer support options to connect ever more modern commercial technologies to the DoD.
The Game Warden team will work directly with you to assess your suitability and the timeline necessary to launch your application on the platform.
Game Warden’s Technical Requirements Checklist
- Application is containerized
- Application is web-based
- Review of third-party integrations, dependencies, and networking
- Support for relational databases at the data layer
- Basic, industry-standard security best practices (encryption, etc.)
- Review of controlled (government) information you are seeking for your application to interact with
Don't know if you’re a fit? Contact us at firstname.lastname@example.org to find out.
For software companies seeking to do business with the DoD, getting software products accredited and in the hands of users is vital. Ensuring that applications are up, running, secure, and reliable for the user is even more important.
Game Warden provides a path for modern applications to achieve software accreditation in addition to a DoD-compliant hosting platform with commercial-grade support.
The process starts with onboarding onto Game Warden with your CSM leading you through each step, beginning with a kickoff and technical review of your company’s application. During this step, goals are aligned and the Game Warden team works with you to better understand your application’s unique needs. Infrastructure is then built to suit and you can begin to push your containerized applications.
Afterwards, your containers are automatically hardened and scanned for security vulnerabilities. Once all of your container images have been uploaded, you can request deployment to the development environment and begin testing functionality. After you’ve squashed the bugs and remediated or mitigated any vulnerabilities, you’re ready to promote to test, staging, or production environments.
During the onboarding process, we’ll work together to complete your application’s first deployment to a staging environment that mirrors your production environment. Since the staging environment holds the same data classification as the production environment, software engineers can test and demo the application using production data sets.
This helps your team better understand and adapt to meet the needs of government users. Government users can connect with Game Warden customers’ commercial applications and securely interact with their own data and other government systems.
Once you’re ready, Game Warden can release the application into production. Here, you can continuously monitor as well as update and release new versions of your applications to end-users. Releasing new updates regularly improves user satisfaction because companies can adapt applications to mission changes at the speed of relevance.
The Game Warden customer experience is optimized to allow commercial software companies to focus on providing best-in-class modern software capabilities to the DoD. The process enables this by providing dedicated customer support, removing obstacles to accreditation, and facilitating the use of modern DevSecOps and CI/CD best practices so companies can not only meet the rigorous security standards necessary for working with the DoD, but also continuously deliver those capabilities.
Game Warden in a Nutshell
Game Warden is a game-changer for organizations looking to provide their software products to the DoD. With a dedicated customer success team and 24-hour monitoring and alerting, teams can focus on developing their best software while Game Warden handles the cybersecurity grunt work. It’s a win-win solution. The DoD gets access to secure, regularly updated, accredited commercial software through an accredited platform. And private sector software teams get the opportunity to enter the public sector software market with significantly reduced barriers to entry and a fully-managed, DevSecOps-based development platform.