Platform Security and Authority to Operate (ATO)

Last Updated: December 12, 2025

All teams building on the Platform have a responsibility to make sure that the products they are building are secure and operate within the bounds of the Platform’s ATO. This page provides an overview of Platform security the ATO process.

Platform security

Platform Security Team (PSEC)

PSEC is responsible for maintaining the Platform's ATO and ensuring the Platform's compliance with it. To maintain the ATO, any major changes or modifications to the systems built on the Platform must be communicated to PSEC. Contact PSEC using the #platform-security channel in Slack.

Veterans-Facing Services (VFS) teams and the ATO

VFS teams are included in the Platform's ATO (discussed below).

Every VFS team should participate in an ATO orientation hosted by PSEC as part of their onboarding. This is usually scheduled as part of the Collaboration Cycle.

Collaboration Cycle

PSEC will be your partner throughout the Collaboration Cycle. We are here to answer any of your security-related questions.

Design intent and architecture intent

As you move forward through the Collaboration Cycle, please be aware of these requirements:

• Collecting, storing, or sharing personally identifiable information (PII) or protected health information (PHI).

• Connecting to a new external service.

• Building outside the Platform’s dev/staging/production VPCs.

If any of the above apply to your intended product or feature, please contact PSEC to schedule a meeting to discuss the specifics before the Staging Review.

Staging Review

Once your product/feature is in staging, it must be tested.

• If significant changes are made to the website's frontend or backend, PSEC may need to request a Web Application Security Assessment (WASA) scan. This process can take up to a month to complete, so please plan accordingly.

• If any high to medium findings are identified in CodeQL, they must be remediated before any code can be released into production.

Launch-Blocking Security Issues

Platform Security considers the following unresolved issues to be launch-blocking for VFS teams trying to release to Staging or Production.

• Missing or incomplete security documentation

  • A list of necessary security documentation is available in the Engineering and Security Checklist

    • This checklist is also linked in your Collaboration Cycle Kickoff Github ticket

    • All information in the checklist is required before Staging Review

• New infrastructure that has not received approval, including new AWS Services, buckets, instances, etc.

  • A new service is a major architectural and security-relevant change

  • Platform approves new services by exception only

  • New services must receive explicit approval from both Government and Platform Engineers through the Collab Cycle

• Lack of appropriate information-sharing agreements to support the functionality

  • VA Policy requires documented agreements for all information systems that do not share the same Authorizing Official Note: This Standard Operating Procedure (SOP) is only available on the VA Network

    • Memorandum of Understanding (MOU)

    • Information Sharing Agreement (ISA)

    • Inter-Agency Agreement (IAA)

    • Note: A Plan of Action and Milestones (POA&M) can be established as a temporary substitution for a signed MOU/ISA

• Misuse or abuse of private information

  • Personally Identifiable Information (PII), or

  • Personal Health Information (PHI), or

  • Sensitive Personal Information (SPI).

  • Note: PII/PHI/SPI can be incidentally created depending on how certain data is used. Contact the Platform Security team or the VA Privacy Office if you have a concern.

An unresolved issue will be documented and approved by the Information System Owner (and possibly the Authorizing Official) in a Plan of Actions and Milestones (POA&M).

Note: This list of launch-blocking items is not exhaustive. Platform Security reserves the right to recommend launch-blocking status if they feel the deployment adversely affects the security posture of VA.gov.

ATO

An ATO is a formal approval that allows a system to operate within a certain security environment. It is used to manage risk when building, buying, or using software or IT systems. VA requires that systems on the Platform leverage the VFSP-va.gov ATO to ensure that they meet Federal Information Security Modernization Act (FISMA) standards.

To get an ATO, the system goes through a detailed review and approval process. A designated Authorizing Official (AO) checks the systems security measures, ensuring it follows relevant rules and regulations and assessing the manageability of potential risks. The resulting ATO is given an expiration date before which the system must be rereviewed by the AO for approval.

Enterprise Mission Assurance Support Service (eMASS)

VA manages documentation related to the applications and systems built on the Platform using the eMASS tool. PSEC is responsible for ensuring that the information in eMASS is accurate and up to date.

Important contacts

Each system has a team responsible for it, including an Information System Owner (ISO), an Information System Security Officer (ISSO), and a System Steward. These roles help ensure the system operates securely and effectively.

Help and feedback

• Suggest content changes to this page.

• Submit new Platform Website content.

• Get help from the Platform Support Team in Slack.

• Submit a feature idea to the Platform.