
Privacy, security, infrastructure readiness review

Privacy, security, infrastructure readiness reviews (PSIRR) are required for all products launching on VA.gov.

Owner

Platform Security

Timing

Request this touchpoint when your product is in staging and before you begin rollout, allowing enough time to implement feedback. PSIRR reviews are not required for static pages (or iterations/updates to static pages).

Format

Asynchronous review. A synchronous 30-minute meeting may be requested.

Objective

To ensure your feature meets Platform's privacy and security standards.

Request

The VFS Lead Engineer or Product Manager submits a Privacy, security, infrastructure readiness review ticket in the va.gov-team-sensitive repository.

Attendees

VFS participants:

  • Lead engineer (required)

  • Product manager (required)

  • OCTO-DE product lead (required)

  • Anyone else on your team whose presence is needed to speak to the technical architecture and security concerns (required)

Platform participants:

  • Platform Security team

  • OCTO-DE Platform Security Lead

Artifacts

VFS provides:

  • Link to product outline

  • Ensure Product Outline contains Incident Response info, including:

    • Points of contact for your system and dependent VA backends

    • Links to dashboards that help identify and debug application issues

  • Links to technical diagrams (checked into GitHub alongside your product documentation), including:

    • An architecture diagram, showing involved systems and how they connect.

    • For non-trivial flows (i.e. more than a single round-trip call from frontend → vets-api → VA Backend), a sequence diagram showing the ordered flow of data and operations between systems.

  • Describe any new publicly-exposed endpoints (vets-api or otherwise)

  • Describe any new interactions with dependent VA backends

  • Describe any other security hotspots you're concerned about / want extra attention on

  • Link to Release Plan with the "Planning" sections completed (in each section: Phase I, Phase II, Go Live)

  • Refer to additional guidance found in the Privacy, security, infrastructure readiness review request form

Outcome

Platform provides a list of concrete action items in a GitHub ticket that need to be addressed before you roll out your product.

When your team has completed action items, assign the ticket back to the Platform Security team and the OCTO-DE Platform Security Lead, who will confirm completion and close out the issue, signaling approval of the Privacy and Security review.

If no issues are raised during the Privacy, security, infrastructure readiness review, then Platform will approve your product for launch.

