Accelerate SaaS Delivery onto DoD Networks with Game Warden from Second Front Systems
By Dylan Sims, Director of Solutions Engineering – Second Front Systems
By Chris Bryant, Content Producer – Second Front Systems
By Zach Green, Solutions Architect – AWS
Software-as-a-service (SaaS) products have revolutionized private sector business operations in recent years, with 94% of enterprises using cloud services as of 2022, according to zippia.com.
Despite the commercial sector’s demonstrated success with SaaS, the United States Department of Defense (DoD) has been slow to adopt this delivery model, pushing many companies to deliver on-premises and hybrid solutions in addition to their purely SaaS offerings.
Despite the ease of use and favorable unit economics inherent to SaaS offerings, significant bureaucratic and cybersecurity barriers prevent these products from reaching the DoD market.
The core issues associated with delivering software to the U.S. military are centered around contracting pathways and DoD cybersecurity requirements.
To solve this, Second Front Systems built the Game Warden platform, a DoD-compliant DevSecOps platform-as-a-service (PaaS) that accelerates software delivery onto DoD networks while supporting modern DevOps practices and adhering to stringent cybersecurity controls.
Game Warden is built on AWS GovCloud (US) and provides a pathway for containerized applications to receive a Certificate to Field (CTF) on the DoD’s Non-Secure Internet Protocol Router Network (NIPRNet). Game Warden enables hosted applications to inherit an Authority to Operate (ATO) while running on the platform.
Second Front Systems is an AWS Partner that helps organizations streamline software delivery with Game Warden, its fully managed, compliant DevSecOps platform, which is available in AWS Marketplace.
Behind the Scenes
Game Warden leverages a suite of AWS services for development, compliance, operations, and monitoring.
Second Front Systems’ collaboration with AWS has helped industry-leading software companies scale their business across the DoD by demystifying the ATO process and abstracting compliance requirements through an inherited security model.
Figure 1 – Game Warden’s shared responsibility model.
Here are some products powered by Game Warden on top of AWS that are working on DoD contracts today:
- Decision Lens: Decision Lens develops integrated planning software, modernizing how the government prioritizes, plans, and funds. Customers across the DoD, intelligence community, federal civilian agencies, and state and local governments have achieved sustained operational advantages through their long-term planning, continuous medium-term prioritization, and short-term funding execution.
- Collaboration.Ai: Collaboration.Ai builds products that enable intelligent collaboration and harness untapped networks with an emphasis on human connections. Its innovation management platform, CrowdVector, is the technology behind the well-known AFWERX Challenge, the U.S. Air Force Guardians and Airmen Innovation Network (GAIN), and the NASA Spark program.
- Systems Innovation Engineering (SIE): SIE built the Supplier Capabilities Analytics and Reporting (SCAR) application to help commercial and federal customers evaluate supply chain options, identify and reduce risk, and build resiliency through requirements trade-off and risk analysis.
Game Warden’s inherited security model and automated tooling are reducing ATO timelines from months to weeks, and will soon unlock new production environments in AWS Secret and Top Secret regions.
Figure 2 – Comparison of Game Warden vs. traditional ATO timelines.
Game Warden can be thought of as a set of interconnected systems that provide an accelerated pathway for deployment of containerized applications to DoD networks. The key systems include a DevSecOps pipeline, security and compliance architecture, and hosting platform.
Let’s dive into each system of Game Warden and how they integrate with AWS to provide a secure, DoD-compliant hosting environment and continuous Authorization to Operate (cATO) pipeline for modern SaaS applications.
Game Warden integrates with an organization’s existing CI/CD pipelines—automating vulnerability and malware scanning, container hardening, and deployments to hosting environments. This security and release pipeline is also an accredited pathway for cATO.
The Game Warden DevSecOps pipeline is a series of streamlined phases:
- Applications are developed and built external to Game Warden or using Game Warden Builder.
- Application components are packaged into Cloud Native Computing Foundation (CNCF) containers and pushed to the Game Warden Registry.
- Game Warden’s pipeline is automatically triggered with each image push. Images are scanned for malware and known vulnerabilities (CVEs), hardened, and deployed to a development environment for functionality testing. Each container image is hardened with custom scripts that implement Security Technical Implementation Guide (STIG) controls.
- After the image has met all of the DoD’s cybersecurity requirements, it can be promoted to staging or production environments at Impact Levels 2, 4, or 5.
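The promotion step in the phases above is a policy decision: the scan and hardening results for an image are checked against the requirements of the environment it is heading to. The following is an added example of such a gate, not Game Warden’s own code; the report shape, the vulnerability identifiers, and the per-environment thresholds are all constructed for illustration. Malware is a hard stop everywhere, development tolerates open findings so functionality testing can proceed, and staging and production require a hardened image with no findings above their ceiling.

```python
import json

# Severity ladder used by the gate. Ranks are a convention of this example.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Per-environment policy (an assumption for illustration, not Game Warden's
# published thresholds): the highest severity of an open vulnerability that may
# remain, and whether the STIG hardening step must already have run.
ENV_POLICY = {
    "development": {"max_open_severity": "CRITICAL", "require_hardened": False},
    "staging":     {"max_open_severity": "MEDIUM",   "require_hardened": True},
    "production":  {"max_open_severity": "LOW",      "require_hardened": True},
}


def make_report(image, hardened, malware, vulnerabilities):
    """Build a scan result in this example's generic JSON shape (not a real scanner format)."""
    return json.dumps({
        "image": image,
        "hardened": hardened,
        "malware": malware,
        "vulnerabilities": vulnerabilities,
    })


# Constructed sample: one fixable HIGH finding, one LOW finding, no malware, hardened.
SAMPLE_REPORT = make_report(
    image="registry.example/app:1.4.2",
    hardened=True,
    malware=[],
    vulnerabilities=[
        {"id": "EXAMPLE-VULN-1", "severity": "HIGH", "package": "libfoo", "fixed_version": "1.2.4"},
        {"id": "EXAMPLE-VULN-2", "severity": "LOW", "package": "libbar", "fixed_version": None},
    ],
)


def evaluate_image(report_json, target_env):
    """Decide whether an image may be promoted to target_env.

    Returns (promotable, reasons); an empty reasons list means the gate passed.
    """
    report = json.loads(report_json)
    policy = ENV_POLICY[target_env]
    reasons = []

    # Malware blocks promotion to every environment, including development.
    for hit in report.get("malware", []):
        reasons.append(f"malware detected: {hit}")

    # Open vulnerabilities above the environment's ceiling block promotion.
    # An unrecognised severity string is treated as CRITICAL so the gate fails closed.
    ceiling = SEVERITY_RANK[policy["max_open_severity"]]
    for vuln in report.get("vulnerabilities", []):
        rank = SEVERITY_RANK.get(str(vuln.get("severity", "")).upper(), SEVERITY_RANK["CRITICAL"])
        if rank > ceiling:
            fix = vuln.get("fixed_version") or "no fix available"
            reasons.append(f'{vuln["id"]} ({vuln["severity"]}) in {vuln["package"]}, fix: {fix}')

    # Staging and production only accept images the hardening step has processed.
    if policy["require_hardened"] and not report.get("hardened", False):
        reasons.append("image has not been through STIG hardening")

    return (not reasons, reasons)


if __name__ == "__main__":
    for env in ENV_POLICY:
        ok, why = evaluate_image(SAMPLE_REPORT, env)
        print(f"{env}: {'PROMOTE' if ok else 'BLOCK'} {why}")
```

Because the decision and its reasons are returned rather than only logged, the same function can run as a pipeline step that fails the job and as a reporting tool that tells the developer which finding must be fixed (or patched to the listed version) before the release can move forward.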
The Game Warden pipeline emulates the Risk Management Framework process for securing software, while supporting modern CI/CD and DevSecOps practices. Software developers can fully automate their application deployments into the Game Warden development environment, with new releases taking just a few seconds before they’re ready for testing.
When a new version of the application is ready for release, its security posture is reviewed and the release is promoted into an accredited production hosting environment typically within 24 hours.
The following diagram displays the workflow of a containerized application going through the Game Warden CI/CD pipeline. For added coverage in the development phase, learn about the upcoming Game Warden Builder.
Figure 3 – Overview of the platform pipeline.
Security and Compliance Architecture
Using a combination of AWS services and platform features, Game Warden meets the compliance requirements for DoD Impact Levels 2, 4, and 5. The platform’s inherited security model saves customers substantial time and money by removing the infrastructure and platform compliance burden.
The DoD adheres to a select set of compliance frameworks that have overlapping requirements and security goals. Game Warden is adherent to these frameworks, allowing Second Front Systems to establish and maintain a continuous Authorization to Operate.
Customers operating on Game Warden benefit from inherited compliance with these standards while their application workloads are running on the Game Warden platform. DoD adopted compliance frameworks include:
- DoD Cloud Computing Security Requirements Guide (CC SRG)
- National Institute of Standards and Technology (NIST) Special Publications 800-171 and 800-53
- Center for Internet Security (CIS) Benchmarks
- DoD DevSecOps Reference Architecture
To aid in understanding and mapping components to compliance frameworks, AWS offers the AWS Services in Scope by Compliance Program, a directory that lists different compliance frameworks and the particular AWS services that meet each standard. Game Warden uses many AWS services and relies on this repository to ensure the services employed across the platform meet stringent DoD requirements.
Figure 4 – Game Warden’s security architecture on AWS.
In addition to providing a rapid pathway for SaaS offerings to achieve a cATO, Game Warden includes a fully managed hosting environment built on AWS with development, staging, and production environments and a connection to NIPRNet for IL4 and IL5 deployments.
In Game Warden, application workloads run on Big Bang, a DoD-accredited DevSecOps platform for Kubernetes, which is used in tandem with Amazon Elastic Kubernetes Service (Amazon EKS) to simplify the setup and management of secure Kubernetes clusters.
Game Warden supports both multi-tenant and single-tenant use cases, enabling customers to choose between individual clusters for their end users or a shared environment to reduce consumption costs and reduce deployment complexity.
After Game Warden engineers deploy applications into production, site reliability engineers (SREs) manage Day 2 operations using AWS services like CloudWatch to monitor CPU and memory utilization for core services. Game Warden also includes an observability stack in each environment which is used by customers to view application and cluster logs, and metrics.
All customers benefit from 24/7 helpdesk and incident response support as tenants on Game Warden’s fully managed hosting platform. Second Front Systems assumes most platform and infrastructure administrative and site reliability responsibilities, enabling customers to put more resources towards building great products.
Game Warden uses AWS Identity and Access Management (IAM) to grant service-level permissions to pods in each cluster, allowing customer applications to integrate directly with popular AWS services.
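On Amazon EKS, the standard way to give a pod (rather than the whole node) an IAM identity is IAM roles for service accounts (IRSA): the cluster’s OIDC issuer is registered as an identity provider, and each role’s trust policy names exactly one Kubernetes service account. The following is an added example, not Game Warden’s configuration, and it assumes IRSA is the mechanism in use; the account ID, OIDC issuer, namespace and service account names are placeholders, and the `aws-us-gov` partition default is an assumption matching AWS GovCloud (US). The audit function flags the common misconfiguration in which the trust policy checks only the token audience, which lets any pod in the cluster assume the role.

```python
import copy
import json


def irsa_trust_policy(account_id, oidc_issuer, namespace, service_account,
                      partition="aws-us-gov"):
    """Trust policy that lets exactly one Kubernetes service account assume the role.

    oidc_issuer is the cluster's OIDC issuer host and path without the scheme, e.g.
    "oidc.eks.us-gov-west-1.amazonaws.com/id/EXAMPLE0123456789" (placeholder value).
    The partition default assumes AWS GovCloud (US); pass "aws" for commercial regions.
    """
    provider_arn = f"arn:{partition}:iam::{account_id}:oidc-provider/{oidc_issuer}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    # aud pins the token audience; sub pins the namespace and service account.
                    f"{oidc_issuer}:aud": "sts.amazonaws.com",
                    f"{oidc_issuer}:sub": f"system:serviceaccount:{namespace}:{service_account}",
                }
            },
        }],
    }


def weaken_to_aud_only(policy):
    """Return a copy with every :sub condition removed (simulates the misconfiguration)."""
    weak = copy.deepcopy(policy)
    for stmt in weak.get("Statement", []):
        for op in ("StringEquals", "StringLike"):
            cond = stmt.get("Condition", {}).get(op, {})
            for key in [k for k in cond if k.endswith(":sub")]:
                del cond[key]
    return weak


def audit_trust_policy(policy):
    """Return a list of findings; empty means every web-identity statement is pinned to one pod identity."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        cond = stmt.get("Condition", {})
        # Collect condition keys from both string operators so the check is operator-agnostic.
        keys = {}
        for op in ("StringEquals", "StringLike"):
            for k, v in cond.get(op, {}).items():
                keys[k] = (op, v)
        sub = next(((op, v) for k, (op, v) in keys.items() if k.endswith(":sub")), None)
        aud = next(((op, v) for k, (op, v) in keys.items() if k.endswith(":aud")), None)
        if sub is None:
            findings.append(f"statement {idx}: no :sub condition; any service account in the cluster can assume this role")
        else:
            op, v = sub
            values = v if isinstance(v, list) else [v]
            if op == "StringLike" and any("*" in x or "?" in x for x in values):
                findings.append(f"statement {idx}: :sub uses a wildcard {values}; broader than one service account")
        if aud is None:
            findings.append(f"statement {idx}: no :aud condition; tokens minted for other audiences are accepted")
    return findings


if __name__ == "__main__":
    issuer = "oidc.eks.us-gov-west-1.amazonaws.com/id/EXAMPLE0123456789"  # placeholder
    good = irsa_trust_policy("123456789012", issuer, "app", "app-sa")
    print(json.dumps(good, indent=2))
    print("good policy findings:", audit_trust_policy(good))
    print("aud-only policy findings:", audit_trust_policy(weaken_to_aud_only(good)))
```

The role is bound to the workload by annotating its Kubernetes ServiceAccount with `eks.amazonaws.com/role-arn` set to the role’s ARN; the role’s permissions policy is a separate, least-privilege document listing only the AWS APIs that application actually calls. Running the audit over every role that trusts the cluster’s OIDC provider is a cheap check that no role has been left assumable by arbitrary pods.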
Figure 5 – Game Warden’s platform architecture on AWS.
The combination of Game Warden and AWS makes delivering modern software onto U.S. Department of Defense (DoD) networks faster and easier than ever before. This opens up exciting opportunities for commercial companies to unlock access to the vast DoD IT market.
Second Front Systems – AWS Partner Spotlight
Second Front Systems is an AWS Partner that helps organizations streamline software delivery with Game Warden, its fully managed, compliant DevSecOps platform.