U.S. Department of Veterans Affairs

Introduction: Certification Process


This website describes the process for certification of mobile applications.

Currently, there are multiple areas within VA that have already developed or are developing mobile applications for providers and staff, as well as those for use by Veterans to supplement their health care.

Some of these Apps have already been deployed using commercially available storefronts, including iTunes and the Google App store. This approach may continue to be the best deployment methodology for stand-alone Apps that do not connect to VA internal systems and are only for use by Veterans.

VA requires all Mobile Apps to go through a defined certification process to ensure usability, reliability, privacy, security, safety and other factors that reflect on the VA’s sponsorship and approval of the App.

Office of Information Technology (OIT) Review Responsibilities

The Office of Information Technology (OIT) is responsible for reviewing all mobile applications that are developed by external entities (e.g., contractors, vendors). The OIT certification process includes compliance reviews performed by OIT and various departments within the Veterans Health Administration (VHA). These requirements are explained further in Section 3 - The Certification Process, the SDLC and PMAS.

Apps Initiated or in Software Development Life Cycle (SDLC)

Beginning January 1, 2013, for an App that is being initiated or still within the development and testing stage of its Software Development Life Cycle (SDLC), VA prefers that the VA’s Compliance Review Bodies (CBs) be included in the SDLC processes. Apps can be developed and reviewed for compliance with VA requirements simultaneously, allowing them to be ready for deployment upon user acceptance and completion of Software Quality Assurance testing. It is the developer’s or the product owner’s responsibility to coordinate with each of the CBs to address specific compliance criteria, and to incorporate the CBs into the App development process.

Completed Apps Requiring VA Certification

For Apps that are complete and that the product owner wants VA to certify, the owner must follow the compliance review process outlined in Section 3. Such products must already have gone through rigorous testing, work properly and conform to VA’s compliance requirements (Section 9) before being presented to the Mobile Applications Governance Board (MAGB) for authorization to make use of VA’s compliance review resources. When an App is approved for development or certification by the Governance Board, a VA Project Manager is assigned.

Compliance Review Bodies (CBs) and Requirements

The requirements of each compliance review body are described in Section 9. You will find either a checklist of criteria that will be used to evaluate conformance to VA’s requirements, or a list of questions that each certifying body needs answered.

The compliance review bodies are shown below and fully described in Section 9:

  • Sustainment Plan (reviewed by WMS)
  • Usability Testing
  • User Interface
  • VA Branding
  • Code Review
  • Data and Terminology Standards
  • Enterprise Security
  • Privacy and Application Data Security
  • Patient Safety Assessment
  • 508 Accessibility
  • Validation and Verification
  • System Performance Impact Assessment

PMAS (Project Management Accountability System) Documentation Requirements

In addition to compliance reviews, documentation must be provided in accordance with VA’s PMAS (Project Management Accountability System) requirements. PMAS artifacts should be developed during the development process and presented at the time of the V&V compliance review. OIT will review PMAS documentation and perform Independent Validation and Verification of each application submitted for compliance review.

Upon successful completion of all of the above compliance reviews, mitigation of the exceptions found by those reviews, and acceptance of PMAS documentation, the App will be considered certified and can move forward for deployment. Such deployment will be managed by VA’s Office of Information Technology (OIT) with the participation of the VA Project Manager assigned to the App.