U.S Department of Veterans Affair

Compliance Review: Roles and Responsibilities


This content is no longer current.
Visit the new Developing VA Apps home page for updated processes and requirements for building your VA App

In this section:

Product Owner

  • A product owner or clinical unit executive shall be identified for each mobile application envisioned, completely developed, or in a stage of development, and present his or her request to the VA Mobile Applications Governance Board (MAGB) to proceed through all phases of the Software Development Life Cycle (SDLC): initiation, application design, development and testing, deployment and sustainment.
  • For an App that has already been developed or deployed, the product owner must request compliance review resources.
    • The product owner should be able to explain the purpose of the App, its intended audience of users, and its associated costs for development and sustainment, in accordance with the established policies and procedures outlined in this plan. Additionally, the product owner should either present a Commercial Off-the-shelf (COTS) product for approval, or show that there is no cost-effective alternative other than new development in order to meet its requirements.
    • This process is initiated by the product owner’s completion of a request to certify an App already built during the Mobile App Initiation Process. An App Profile is generated from the user’s response to the questions in that section. VA Web and Mobile Solutions (WMS) will create a Project for the App in the JIRA database if the Project is approved by the MAGB.
  • The product owner must also initiate new compliance reviews when a new release is under development or ready for deployment.
  • Upon project initiation, the product owner must provide a Sustainment Plan for submission to the MAGB for approval. A Sustainment Plan outline is described in Section 6. Sustainment must provide a minimum of two years support for each new App.
  • It is the product owner’s responsibility to participate in various stages of the SDLC to ensure the App conforms to intended functionality and compliance review requirements. If the Agile/Scrum methodology and framework are being employed, the developer would include the product owner in the development team, making it an active participant in Sprints and Sprint Reviews, with the ability to add and remove items from the Sprint Backlog and the Product Backlog. (Agile/Scrum activities are explained in more detail in Section 7).
  • It is the product owner’s responsibility to validate that the App’s functionality has gone through a rigorous test, works properly, and conforms to the VA’s compliance review requirements.

Mobile Applications Governance Board (MAGB)

The MAGB's role is to:

  • Review all mobile application development and compliance review requests and approve or deny the use of VA resources to develop, certify, and deploy the App.
  • Prioritize the requests, ordering them as it believes will most benefit the VA and its constituents.
  • Be the final decision point to determine whether compliance review has been achieved, based on the compliance review process results presented to it by the WMS.

Web and Mobile Solutions (WMS)

The WMS:

  • Reports to the Mobile Applications Governance Board (MAGB).
  • Maintains the inventory of all mobile applications and their status (inception, development, compliance review, deployment, sustainment) using JIRA, an automated system that holds all of the relevant status information and artifacts for each App.
  • Maintains a relationship with the product owner, the developer, and all compliance review bodies throughout the approval, SDLC, compliance review and deployment processes.
  • Requires an adequate sustainment plan for each proposed or completed mobile application.
  • Builds and maintains this public website to provide developers with current VA compliance requirements and compliance review processes.
  • Provides an alert mechanism to notify CBs that an App is ready to be reviewed for compliance, either because it is thought to be completed or has reached an incremental stage of development. This may also be accomplished by the developer contacting each CB directly.
  • Requires developers and CBs to update their respective data elements by submitting changes to the WMS Change Manager. WMS can provide direct access to the automated profile for this purpose.
  • Provides a reporting mechanism whereby the the mobile application inventory data can be sorted and filtered to produce the required management reports.
  • Ensures that CBs have provided current checklists and requirements documentation for developers. Such requirements will be updated from time to time based on input from the CBs.
  • The WMS Change Manager is the owner of the Mobile Applications inventory and compliance review statuses, and is assigned these responsibilities:
    • Setting up new Mobile Application profiles.
    • Generating reports to verify that the information is being updated by responsible parties.
    • Reporting to the MAGB on projects that are not in conformance with the compliance review process, or are not appropriately updating the JIRA Mobile Applications database.
    • Entering all of the information available from current Mobile Applications inventory.
    • Ensuring all App developers and CBs update their respective data.

Office of Information Technology (OIT)

OIT provides:

  • All security and application-performance-related compliance reviews.
  • All Independent Validation and Verification testing to ensure that the App is functionally sound.
  • The Mobile Device Manager (MDM) environment for internal App deployment. OIT will execute the deployment process determined for each App by the product owner.
  • The Mobile Application Environment (MAE) for development and testing of each App.
  • Management of the entire Authority to Operate (ATO) process to move the App into production, with the assistance and participation of the WMS and the Developer.
  • Deployment of Veteran-facing Apps through VA’s MDM or a public App store, as appropriate for the App.

Certifying Bodies (CBs)

The specific focus of each CB is detailed in Section 9. The general responsibilities of all CBs are to:

  • Develop and maintain the criteria for an App to be approved using the checklists that they have independently developed and must continue to maintain with the WMS.
  • Participate in various stages of the SDLC to ensure the App conforms to CB requirements. If the Agile/Scrum methodology and framework are being employed, this may include a Sprint Review, where the CB becomes an active participant. The developer may include the CB in the Development Team, making them an active participant in one or more Sprints, with the ability to add and remove items from the Sprint Backlog and the Product Backlog. (Agile/Scrum activities are explained in more detail in Section 7).
  • Review all completed Apps for conformance to their respective checklists, and provide a report to the WMS, the product owner and the developer of findings and overall compliance review preparedness for each App reviewed.
  • Interface with the product owner and the developer as necessary to resolve conflicts between the App's performance and the CB’s requirements.
  • Recommend changes and/or enhancements to improve product effectiveness or performance.
  • Submit to the WMS a final compliance review report, indicating a PASS or FAIL determination of compliance for the App. Any concerns regarding individual issues and their effect on the overall compliance review can be noted for resolution by the WMS and/or the MAGB.


The developer will:

  • Develop the App using the MAE.
  • Retrieve Compliance Review Checklists from this website.
  • Include CBs in Agile/Scrum processes where appropriate.
  • Submit artifacts for review by each CB during design, development and testing.
  • Apply changes requested by the CBs to meet compliance review requirements and continue to resubmit the App for compliance review until approved by all CBs.
  • Make the App available for testing in the MAE on a continuing basis for use by the product owner, the CBs, the Help Desk, and training personnel, so that they can validate functionality and test new scenarios, debug (recreate) failures, and build instructional materials.
  • Produce all required PMAS documentation required by the OIT compliance review process.