Privacy, security, infrastructure readiness reviews are required for all products launching on VA.gov.
Request this touchpoint when your product is in staging and before you begin rollout, allowing enough time to implement feedback.
Asynchronous review. A synchronous 30-minute meeting may be requested.
To ensure your feature meets Platform's privacy and security standards.
The VFS Lead Engineer or Product Manager submits a Privacy, security, infrastructure readiness review ticket in the va.gov-team-sensitive repository.
Lead engineer (required)
Product manager (required)
OCTO-DE product lead (required)
Anyone else on your team whose presence is needed to speak to the technical architecture and security concerns (required)
Platform Security team: Troy Mosher
OCTO-DE Platform Security Lead: @a user
Link to product outline
Ensure the Product Outline contains Incident Response info, including:
Points of contact for your system and dependent VA backends
Links to dashboards that help identify and debug application issues
Links to technical diagrams (checked into GitHub alongside your product documentation), including:
An architecture diagram, showing involved systems and how they connect.
For non-trivial flows (i.e. more than a single round-trip call from frontend → vets-api → VA Backend), a sequence diagram showing the ordered flow of data and operations between systems.
Describe any new publicly-exposed endpoints (vets-api or otherwise):
Describe any new interactions with dependent VA backends
Describe any other security hotspots you're concerned about / want extra attention on
Link to Release Plan with the "Planning" sections completed (in each section: Phase I, Phase II, Go Live)
Review the guidance on hosting a security review
Platform provides a list of concrete action items in a GitHub ticket that need to be addressed before you roll out your product.
When your team has completed action items, assign the ticket back to Troy Mosher and @a user, who will confirm completion and close out the issue, signaling approval of the Privacy and Security review.
If no issues are raised during the Privacy, security, infrastructure readiness review, then Platform will approve your product for launch.