U.S Department of Veterans Affair

Compliance Requirements, Checklists & Questionnaires


This content is no longer current.
Visit the new Developing VA Apps home page for updated processes and requirements for building your VA App

This section details the compliance review bodies involved in the mobile applications certifications process, including, roles, responsibilities and documentation associated with each compliance review body. It also includes important information, logos and templates to ensure compliance with VA Mobile Branding. This section is a must read for anyone pursuing mobile application development for VA.

Compliance reviews will be performed after an App’s development is completed, starting with Validation and Verification (V&V). Ddvelopers are encouraged to engage these VA resources at the start of each development project and throughout development and testing cycles, in order to make sure they are developing their App in line with VA requirements. Such engagements could take place as follows:

  • Wireframes of new screens can be reviewed by User-Centered Design experts.
  • Privacy and Data Security considerations can be reviewed prior to programming, but after database design.
  • Overall design can be reviewed by Patient Safety prior to programming and/or while the app is in testing.

It is the developer and product owner’s responsibility to engage these compliance bodies when critical design decisions are being made, in order to avoid building an App that requires additional modifications or does not meet VA certification requirements.

Additionally, the development team is responsible for performing its own Software Quality Assurance (SQA). Apps presented for certification must be:

  1. Free of bugs.
  2. Working in accordance with its requirements and documentation.
  3. Installed in the Mobile Applications Development Environment (MAE) along with its available test data.
  4. Set up as a project in the mobile apps management system (JIRA), with all required artifacts (documentation, test scripts, project plans, and PMAS documentation). Please refer to the Initiation section of this website for more information regarding App registration with VA Web and Mobile Solutions (WMS).


V&V is the starting point for final certification of an app that is ready to be released. Using the test scripts provided by the development team, the app is tested to see that it meets all functional requirements. The VA Project Manager will be required to complete these V&V Intake Forms (V&V Intake Form and Addendum), upload them to the app’s JIRA project and notify the Mobile Health External Development (MHED) Project Manager.

Once the V&V process is completed, the VA Project Manager will initiate a final compliance review with all of the VA compliance bodies. The complete list of VA compliance bodies that will review the app after V&V is completed to ensure it meets all Department of Veterans Affairs (VA) software standards are:

  • Usability Testing – Ensures a positive user experience through App flow and navigation, including features such as language, graphics, and areas for input. At a minimum, this must include a heuristic evaluation (Requirements). It is also recommended that testing with end users be conducted. (Documentation is developed on an App-by-App basis.)
  • User Interface (Checklist) – Verifies that the Application meets all required User Interface standards for mobile devices.
  • VA Branding (Requirements and Resources) - Ensures that the use of logos and trademarks associated with the Department of Veterans Affairs and VA Mobile are used consistently and appropriately within an Application.
  • Data and Terminology Standards Compliance (Questionnaire) - This team evaluates and interprets your app's data terms and ensures they map to industry-standard terms. The review team follows VA data and terminology standards, and Health Level 7 (HL7) data and terminology standards. Read more details....
  • Enterprise Security – OIT determines whether the App is suitable to operate in the VA network (WASA Questionnaire). Additionally, depending on the connectivity to internal VA systems, the System Engineering Design Review (SEDR) – a customized review created with the developer and the Office of Information Technology prior to granting the Authority to Operate – may be required:
    1. The purpose of a SEDR review is to assess the impact of an App on the VA’s wide area Network.
    2. Veteran-facing mobile Apps that will not touch the VA’s wide-area network (e.g. clinic-in-hand) do not require a SEDR review.
    3. Provider-facing mobile Apps and Veteran-facing mobile apps, intended to run using the VA’s wide-area network require a SEDR review if the App usage increases traffic on the network. If the mobile app does not increase the traffic on the network, an Assumptions Verifications letter is required from the Product Owner.
    4. The Mobile Application Environment (MAE) has a Performance Testing Environment that is designed to test the load on the system.
    5. The reports that will be generated as part of MAE performance testing may be able to be substituted for a SEDR review.
  • Code Review – OIT uses automated tools (Fortify) to determine that there are no security leaks in the App. In an effort to minimize time to market and surprises late in the SDLC, developers can use the tool on their workstation and developers must have a build job that includes automatic fortify SCA scanning prior to an App being released from test to the pre-production environments. The developer will need to complete this Code Review Questionnaire. (Code Review Questionnaire).
  • Privacy and Application Data Security (Questionnaire) – Ensures that Personal Health Information (PHI) and Personal Identification Information (PII) are appropriately protected in the application and ensures that the data entered into the mobile device is appropriately secured.
  • Patient Safety Assessment (Checklist) - Reviews documentation of development and testing processes that have already been conducted or are planned to ensure there is appropriate and sufficient consideration of patient safety. This certification will occur after the usability testing certification and clinical review certification so that the results of those reviews can be utilized and redundancy avoided.
  • 508 Accessibility (Questionnaire and Checklist) - Reviews applications for conformance to Section 508 accessibility requirements.
  • Clinical Review for Medical Apps (not required for new App release) - Review is performed after the App is in use for some time to ensure that the quality of clinical/medical content is:
    • Consistent with available current scientific evidence and clinical best-practices; while Apps do not need to be empirically validated at time of release, they should be consistent with the evidence base and informed by available clinical and scientific knowledge.
    • Consistent with all available VA treatment guidance (including, but not limited to, Clinical Practice Guidelines)
    • Consistent with all relevant FDA guidelines
    • Sufficient to maintain a high quality of medical care (functions sufficiently well to avoid degrading quality of care)
    • Limiting potential risk to the health and safety of the user including unintended consequences.

Upon completion of the compliance reviews, the VA Project will present the App for release by confirming with the MHED Project Manager that all of the following artifacts are loaded to the JIRA project:

  1. V&V reports
  2. Compliance reports
  3. PMAS documents
  4. Release plans

The MHED Release Manager will proceed to final pre-production testing and release, working with the VA Project Manager and the WMS team.