Platform Security and Authority to Operate (ATO)
Last Updated: February 20, 2025
All teams building on the Platform have a responsibility to make sure that the products they are building are secure and operate within the bounds of the Platform's ATO. This page provides an overview of Platform security and the ATO process.
Platform security
Platform Security Team (PSEC)
PSEC is responsible for maintaining the Platform's ATO and ensuring the Platform's compliance with it. To maintain the ATO, any major changes or modifications to the systems built on the Platform must be communicated to PSEC. Contact PSEC using the #platform-security channel in Slack.
Veterans-Facing Services (VFS) teams and the ATO
VFS teams are included in the Platform's ATO (discussed below).
Every VFS team should participate in an ATO orientation hosted by PSEC as part of their onboarding. This is usually scheduled as part of the Collaboration Cycle.
Collaboration Cycle
PSEC will be your partner throughout the Collaboration Cycle. We are here to answer any of your security-related questions.
Design intent and architecture intent
As you move forward through the Collaboration Cycle, please be aware that additional security review is required if your product or feature involves any of the following:
Collecting, storing, or sharing personally identifiable information (PII) or protected health information (PHI).
Connecting to a new external service.
Building outside the Platform’s dev/staging/production VPCs.
If any of the above apply to your intended product or feature, please contact PSEC to schedule a meeting to discuss the specifics before the Staging Review.
Privacy, Security, Infrastructure, and Readiness Review (PSIRR)
Finally, a PSIRR must be completed in GitHub before your team’s product/feature can be released to production. The GitHub ticket serves to capture essential details that PSEC uses to update the Platform ATO and supporting documents.
Technical findings
Once your product/feature is in staging, it must be tested.
If significant changes are made to the website's frontend or backend, PSEC may need to request a Web Application Security Assessment (WASA) scan. This process can take up to a month to complete, so please plan accordingly.
If any high to medium findings are identified in CodeQL, they must be remediated before any code can be released into production.
ATO
An ATO is a formal approval that allows a system to operate within a certain security environment. It is used to manage risk when building, buying, or using software or IT systems. VA requires that systems on the Platform leverage the VFSP-va.gov ATO to ensure that they meet Federal Information Security Modernization Act (FISMA) standards.
To get an ATO, the system goes through a detailed review and approval process. A designated Authorizing Official (AO) checks the system's security measures, ensuring it follows relevant rules and regulations and assessing whether the potential risks are manageable. The resulting ATO is given an expiration date before which the system must be re-reviewed by the AO for approval.
Enterprise Mission Assurance Support Service (eMASS)
VA manages documentation related to the applications and systems built on the Platform using the eMASS tool. PSEC is responsible for ensuring that the information in eMASS is accurate and up to date.
Important contacts
Each system has a team responsible for it, including an Information System Owner (ISO), an Information System Security Officer (ISSO), and a System Steward. These roles help ensure the system operates securely and effectively.