Privacy, security, infrastructure readiness reviews are required for all products launching on VA.gov.

Owner

Platform Security

Timing

Request this touchpoint when your product is in staging and before you begin rollout, allowing enough time to implement feedback.

Format

Asynchronous review. A synchronous 30-minute meeting may be requested.

Objective

To ensure your feature meets Platform's privacy and security standards.

Request

VFS Lead Engineer or Product Manager submits a Privacy, security, infrastructure readiness review ticket in the va.gov-team-sensitive repository.

Attendees

VFS participants:

  • Lead engineer (required)

  • Product manager (required)

  • OCTO-DE product lead (required)

  • Anyone else on your team whose presence is needed to speak to the technical architecture and security concerns (required)

Platform participants:

  • Platform Security team: Troy Mosher

  • OCTO-DE Platform Security Lead: @a user

Artifacts

VFS provides:

  • Link to Product Outline

  • Confirmation that the Product Outline contains incident response information, including:

    • Points of contact for your system and dependent VA backends

    • Links to dashboards that help identify and debug application issues

  • Links to technical diagrams (checked into GitHub alongside your product documentation), including:

    • An architecture diagram, showing involved systems and how they connect.

    • For non-trivial flows (i.e. more than a single round-trip call from frontend → vets-api → VA Backend), a sequence diagram showing the ordered flow of data and operations between systems.

  • Describe any new publicly exposed endpoints (vets-api or otherwise)

  • Describe any new interactions with dependent VA backends

  • Describe any other security hotspots you're concerned about / want extra attention on

  • Link to Release Plan with the "Planning" section completed for each phase (Phase I, Phase II, Go Live)

  • Review the guidance on hosting a security review

Outcome

Platform provides, in a GitHub ticket, a list of concrete action items that must be addressed before you roll out your product.

When your team has completed action items, assign the ticket back to Troy Mosher and @a user, who will confirm completion and close out the issue, signaling approval of the Privacy and Security review.

If no issues are raised during the Privacy, security, infrastructure readiness review, then Platform will approve your product for launch.