VA App Verification and Validation


Before an app can move from Staging to Production, it must pass a thorough review by the VA Office of Connected Care's Verification and Validation (V&V) team. The app team can submit a V&V Review Request anytime after an app reaches Staging in the VA External Cloud (VAEC). The app team creates the request by filling out a V&V wiki template. After the V&V receives the request from the app team, the V&V team does the following:

  1. Complete a thorough documentation review.
  2. Arrange for the app team to demonstrate the app's features and capabilities.
  3. Provide recommendations to the app's Business Owner.

Based on the V&V team's recommendations, the System Owner determines if the app is ready to move from Staging to Production. 

V&V Intake Documents

Below is the current full set of documentation and compliance artifacts developers submit to V&V for review. Depending on the application, this list may vary if the app does not integrate with external systems. See Getting Started Developing Mobile Apps  for additional details.

Development Project Documents

OCC provides instructions for drafting app development records on the MAP Documentation Guidance wiki page. Development project documents include the following:

  • Jira Epic Report
  • Jira Project Stories Report
  • Technical Debt Report
  • CodeRepo release Notes .md file
  • Test Execution Log (TEL)
  • Defect Log
  • System/Service Design Document (SRVDD/SDD)
  • Deployment, Installation, Backup, Rollback (DIBR) Guide
  • Risk Log

Compliance Documents

OCC provides instructions for creating and submitting compliance review documentation. Compliance documents include the following:

The V&V Team reviews all the required documentation and creates a Review Findings Report (RFR) that provides information on the application or service and whether the supplied information passed or failed the V&V review. V&V creates a Jira ticket for documentation that fails and assigns it to the App team for resolution. V&V emails the RFR to the System Owner and the app development team. Final approval to deploy the app to Production lies with the app owner.

About the WASA& MASA Questionnaire

The Office of Information & Technology (OIT) Network Security Operations Center (NSOC) frequently conducts Web Application Security Assessment (WASA) scans of all VA internet content. The WASA provides an in-depth penetration test for common vulnerabilities, such as SQL Injection, Authorization Bypass and Cross-Site Scripting (XSS).

About IAM: Identity and Access Management shared services

VA apps may utilize two Identity and Access Management network services (IAM) to simplify accessing the apps. The two service types are:

  • Single Sign-on Authentication services, which simplify accessing the apps.
    • Single Sign-on External (SSOe) provides authentication services for Veterans.
    • Single Sign-on Internal (SSOi) provides authentication services for Staff.
  • Access via the Master Veteran Index (MVI) to retrieve identifiers for a Veterans known to the VA by other identity systems VA recognizes, like: ICN, EDIPI, or VistA DFN.

If an app utilizes these services, the development team must submit requests before the app moves to Production.