U.S. Department of Veterans Affairs

Compliance Review Process, SDLC, and PMAS

 

This content is no longer current.
Visit the new Developing VA Apps home page for updated processes and requirements for building your VA App.

The Compliance Review Process depends on several factors:

  1. How the App was or is being developed
  2. The phase of the Software Development Life Cycle (SDLC)
  3. The Classification of an App

The Classification of an App

Classification   Access to VA resources
1 - Very Low     Does not utilize VA resources
2 - Low          Read-only access to VA resources
3 - Medium       Write access to VA resources
4 - High         Read and/or write access to VA sensitive resources *

* VA sensitive resources include PII and PHI.

The Compliance Review Table below shows the compliance reviews required based on an App’s classification. Developers are encouraged to request compliance reviews during the development and testing of the App, reducing the overall time required to proceed from development to deployment.


Compliance Review Table

Columns are the Mobile Application classifications defined above: 1 - Very Low (does not utilize VA resources), 2 - Low (read-only access to VA resources), 3 - Medium (write access to VA resources), 4 - High (read and/or write access to VA sensitive resources).

Compliance Review Body                              1 - Very Low   2 - Low    3 - Medium   4 - High
Business Owner Acceptance                           REQUIRED       REQUIRED   REQUIRED     REQUIRED
Patient Safety Assessment (OIA)                     REQUIRED       REQUIRED   REQUIRED     REQUIRED
508 Accessibility (OIT) *                           REQUIRED       REQUIRED   REQUIRED     REQUIRED
Code Review                                         REQUIRED       REQUIRED   REQUIRED     REQUIRED
Usability Testing (OIA)                             REQUIRED       REQUIRED   REQUIRED     REQUIRED
User Interface (OIA)                                REQUIRED       REQUIRED   REQUIRED     REQUIRED
VA Branding (OPIA)                                  REQUIRED       REQUIRED   REQUIRED     REQUIRED
Sustainment Plan *                                  REQUIRED       REQUIRED   REQUIRED     REQUIRED
System Performance Impact Assessment (OIT) *        -              REQUIRED   REQUIRED     REQUIRED
V&V                                                 REQUIRED       REQUIRED   REQUIRED     REQUIRED
Data and Terminology Standards Compliance (OIA) *   -              -          REQUIRED     REQUIRED
Privacy and Application Data Security (OIA)         REQUIRED       REQUIRED   REQUIRED     REQUIRED
Enterprise Security                                 -              -          -            REQUIRED

* Not required for pilot.
- Not required for that classification.

Using the above table as a guide, the development and compliance review process proceeds as illustrated in the diagram below and is described in detail in Section 4, Development Procedures for New Apps.


[Figure: Mobile Applications Implementation Process]

The process shows that the product owner is responsible for ensuring that the App is registered with Web and Mobile Solutions (WMS), and for understanding the requirements of each compliance review body. It is the developer's responsibility to deliver the required artifacts to each compliance review body during the appropriate SDLC phase.

Each compliance review body delivers the results of its assessment to WMS. WMS interacts with the VA Mobile Applications Governance Board, delivering the ongoing development status and the results of the compliance review process. NOTE: This process begins after the product owner and the VA Mobile Applications Governance Board provide approval to create or deploy a mobile application.

The WMS Change Manager sends the results back to the developer, whether they are pass or fail. In the case of failure to meet a compliance review body's requirements, it is the responsibility of the developer to contact that body to achieve final approval.

The overall benefit to be achieved for newly approved Apps is that compliance issues can be addressed early on in the development process, saving the time and expense associated with attempting to fix shortcomings after development is completed.

This entire process is based on the premise that the product owner is responsible for Software Quality Assurance: fully testing and accepting the functionality of the App.


PMAS (Project Management Accountability System) Documentation Requirements

Mobile Application development teams are required to complete 6 artifacts and provide content changes or input to 3 additional artifacts.

6 Required Artifacts
  1. SDD Addendum for each Mobile App (or grouping of related Mobile Apps).
  2. RSD/ARD Addendum for each Mobile App (or grouping of related Mobile Apps).
  3. Requirements Traceability Matrix.
  4. IOC/Pre-production Test Results (Defect Log) (if applicable).
  5. User Guide (unique for each app).
  6. Test Team/Independent Verification Intake Form.

 

3 Additional Artifacts – Provide Content Changes
  1. SDD – Overarching program level document for MAE, VAMF, HealthAdapter (i.e. Code, Components, Architecture used by many and/or all mobile apps)
  2. RSD – Overarching program level document for non-functional requirements common to all mobile apps
  3. Version Description Document

 

The templates for these documents are:

  1. Requirements Specification Document/Agile Requirements Document