U.S. Department of Veterans Affairs

Modernization improves secure service delivery for Veterans

The Department of Veterans Affairs (VA) technology team needed a faster, more efficient way to approve and deploy new digital services without compromising security. We partnered with VA’s technology leadership to integrate security and privacy into the continuous delivery process instead of treating them as a separate step. This approach reduced the authorization process from years to days, improved overall system security posture, and established VA as the first non-DoD agency to achieve continuous Authorization to Operate (cATO).

The Challenge

To improve the way Veterans access services, VA’s technology organization launched an initiative to make critical data available through open APIs. These APIs help Veterans access their health records, benefit information, and services more easily while allowing developers to build tools that improve Veterans’ experiences.

Supporting this effort is a delivery platform designed to simplify the development, deployment, and operation of critical VA applications to help deliver digital services faster to Veterans while maintaining a healthy security and privacy posture. Through these efforts, VA strives to provide Veterans more control over their health information, improve digital services, and accelerate the delivery of valuable software without sacrificing quality.

While the program has always adhered to the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) to achieve an Authorization to Operate (ATO) for platforms and applications, VA's waterfall approach to assessing and authorizing federal systems often conflicts with continuous delivery models. These longer cycles lead to a poorer security and privacy posture, expensive rework, and ultimately delayed value realization for Clinical Teams, Veterans, their Families, and Caregivers.

  • ATO took an average of 568 days to complete, with teams waiting months (sometimes years) before releasing software
  • Security vulnerabilities remained unresolved, with critical issues taking 143 days on average to be addressed
  • These delays created risk exposure with 74 Plan of Action & Milestone (POA&M) deficiencies per system in production
  • Teams often got stuck waiting in a queue while responding to and validating compliance tasks
  • Security and Privacy teams required longer cycles because of a lack of system context

These software bottlenecks had real consequences: Veterans with service-connected injuries waited longer for treatment authorizations, claims for benefits sat unprocessed as Veterans struggled financially, and innovations that could improve the quality of life for disabled Veterans remained stuck in security approval limbo. Meanwhile, VA staff were overwhelmed by manual paperwork rather than focusing on direct Veteran care and support.  

With a growing demand for secure digital services, the VA needed to find a more efficient way to serve Veterans that prioritized both security and speed, or risk further delays in Veterans’ access to care, increased security vulnerabilities, and continued failure to meet congressional mandates for improved service delivery.

The Approach

We partnered with VA’s technology leadership to transition assessment and authorization (A&A) from annual or less frequent ATO renewals to a modern Continuous Risk Management Framework (cRMF) that aligns with agile software development lifecycle (SDLC) practices. This accelerated software delivery without sacrificing security or compliance. We validated our strategies in three phases:

  1. Demonstrate immediate impact by building and delivering one greenfield Clinician-facing application to production in 90 days or less.
  2. Onboard three additional Clinician/Veteran-facing applications following agile practices within the first year.
  3. Scale adoption and operations of cATO by providing capabilities for self-service, real-time continuous monitoring, and Key Performance Indicator dashboards.

We embedded cRMF into the agile SDLC practices via a comprehensive shift in culture, process, and technology. For the latter, we fully digitized the workflow and then added automation via our SecRel Pipeline. Specifically, the pipeline automated the attestation of crucial security and compliance checks with every code change, including Static Application Security Testing (SAST) and Software Composition Analysis (SCA), container scanning, and runtime monitoring.
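The per-change gate described above can be made concrete as a small policy check over scanner output. The following is an added illustration written for this page, not the SecRel pipeline or any VA or Rise8 code: it flattens SARIF-shaped reports (the interchange format that SAST, SCA and container scanners commonly emit) into findings, applies a constructed release policy (no open critical or high finding ships, unless it is tracked under a POA&M whose milestone has not yet passed), and emits an attestation record for the commit. The scanner documents, the POA&M register, the commit id, the severity thresholds and the tool names are all constructed for the example.

```python
"""Per-change release gate over scanner output, as one illustration of the
kind of check a secure-release pipeline can enforce. Constructed example,
not the SecRel pipeline or any VA/Rise8 code: the SARIF-shaped inputs are
hand-built and the thresholds and POA&M handling are assumptions."""
from dataclasses import dataclass, field
from datetime import date

SEVERITIES = ("critical", "high", "medium", "low")


def bucket(score: float) -> str:
    """Map a CVSS-style 0-10 score (SARIF 'security-severity') to a bucket."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


@dataclass(frozen=True)
class Finding:
    tool: str
    rule_id: str
    severity: str
    location: str


@dataclass
class Attestation:
    """Record the gate emits for a commit: what was seen and why it passed or not."""
    commit: str
    passed: bool = True
    counts: dict = field(default_factory=lambda: {s: 0 for s in SEVERITIES})
    blocking: list = field(default_factory=list)
    deferred: list = field(default_factory=list)


def parse_sarif(doc: dict) -> list:
    """Flatten a SARIF 2.1.0 log into Findings. Severity uses the rule's
    'security-severity' property when present; otherwise the result level
    is mapped conservatively (error -> high, warning -> medium)."""
    findings = []
    for run in doc.get("runs", []):
        driver = run["tool"]["driver"]
        rules = {r["id"]: r for r in driver.get("rules", [])}
        for result in run.get("results", []):
            rule = rules.get(result["ruleId"], {})
            score = rule.get("properties", {}).get("security-severity")
            if score is not None:
                severity = bucket(float(score))
            else:
                severity = {"error": "high", "warning": "medium"}.get(result.get("level"), "low")
            locs = result.get("locations") or []
            uri = locs[0]["physicalLocation"]["artifactLocation"]["uri"] if locs else "<none>"
            findings.append(Finding(driver["name"], result["ruleId"], severity, uri))
    return findings


def evaluate(commit, sarif_docs, poams, today, blocking=("critical", "high")) -> Attestation:
    """Gate policy: no open critical/high finding may ship. A finding with a
    tracked POA&M whose milestone date has not passed is deferred (recorded,
    not blocking); once the milestone expires it blocks again."""
    att = Attestation(commit=commit)
    for doc in sarif_docs:
        for f in parse_sarif(doc):
            att.counts[f.severity] += 1
            if f.severity not in blocking:
                continue
            milestone = poams.get((f.rule_id, f.location))
            if milestone is not None and milestone >= today:
                att.deferred.append(f)
            else:
                att.blocking.append(f)
    att.passed = not att.blocking
    return att


# Constructed scanner output (not real tool output): one SAST run, one SCA
# run and one container-image run, each in SARIF shape.
SAST = {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "sast-scanner", "rules": [
    {"id": "js/sql-injection", "properties": {"security-severity": "9.1"}},
    {"id": "js/unused-variable"}]}},
    "results": [
        {"ruleId": "js/sql-injection", "level": "error",
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/claims/db.js"}}}]},
        {"ruleId": "js/unused-variable", "level": "warning",
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/claims/merge.js"}}}]}]}]}
SCA = {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "sca-scanner", "rules": [
    {"id": "sca/vulnerable-dependency", "properties": {"security-severity": "7.5"}}]}},
    "results": [{"ruleId": "sca/vulnerable-dependency", "level": "error",
                 "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}}}]}]}]}
IMAGE = {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "image-scanner", "rules": [
    {"id": "os/outdated-package", "properties": {"security-severity": "5.3"}}]}},
    "results": [{"ruleId": "os/outdated-package", "level": "warning",
                 "locations": [{"physicalLocation": {"artifactLocation": {"uri": "claims-api:sha-0000000"}}}]}]}]}

# Constructed POA&M register: the SCA finding is tracked with a future milestone.
POAMS = {("sca/vulnerable-dependency", "package-lock.json"): date(2025, 6, 30)}
RUN_DATE = date(2025, 3, 1)  # constructed date of the pipeline run

if __name__ == "__main__":
    att = evaluate("0000000", [SAST, SCA, IMAGE], POAMS, RUN_DATE)
    print("passed:", att.passed, "counts:", att.counts)
    for f in att.blocking:
        print("BLOCKING", f.tool, f.rule_id, f.location)
    for f in att.deferred:
        print("deferred (POA&M)", f.tool, f.rule_id, f.location)
```

The design point is that the gate produces a record, not just an exit code: the attestation lists every critical or high finding and whether it blocked or was deferred, so the assessor reviewing a change sees the same evidence the pipeline acted on, and a deferred finding re-blocks automatically when its milestone lapses rather than silently ageing in the register.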

We also eliminated roughly 70% of security and privacy control response effort for application development teams by establishing component-based system authorization boundaries and a controls inheritance model that pre-validated security and privacy controls at the infrastructure and platform layers. This reduced the compliance burden on application teams and accelerated delivery.
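To make the inheritance model above concrete, here is an added example (written for this page, not VA's or Rise8's inheritance model) that resolves an application's required controls against layered common control providers. The control identifiers are NIST SP 800-53 families, but which layer provides which control, the authorization dates, and the assumption that a hybrid control costs the application team half the effort of a fully app-owned one are all constructed. It also handles the case a practitioner has to plan for: inheritance is only valid while the providing layer's own authorization is current, so an expired provider's controls fall back to the application team.

```python
"""Controls inheritance resolver. Constructed illustration of a common
control provider model, not VA's or Rise8's inheritance model: the control
IDs are NIST SP 800-53 identifiers, but which layer provides which control,
the dates and the effort weighting are assumptions."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Provider:
    """A lower layer (infrastructure, platform) whose controls were assessed
    once and may be inherited while its own authorization is current."""
    name: str
    authorized_until: date
    full: frozenset      # controls this layer satisfies entirely
    partial: frozenset   # controls it satisfies only in part (hybrid)


def resolve(required, providers, today):
    """Map each required control to (status, source).

    providers must be listed lowest layer first. A full claim by any active
    provider wins; a partial claim makes the control hybrid unless a higher
    active layer completes it; an expired provider is ignored, so its
    controls fall back to the application team."""
    active = [p for p in providers if p.authorized_until >= today]
    resolution = {}
    for ctl in sorted(required):
        status, source = "app", None
        for p in active:
            if ctl in p.full:
                status, source = "inherited", p.name
                break
            if ctl in p.partial and status == "app":
                status, source = "hybrid", p.name
        resolution[ctl] = (status, source)
    return resolution


def effort_summary(resolution, hybrid_weight=0.5):
    """Count controls by status and estimate the share of control response
    effort removed from the application team. A hybrid control is assumed
    to cost hybrid_weight of a fully app-owned control."""
    counts = {"inherited": 0, "hybrid": 0, "app": 0}
    for status, _ in resolution.values():
        counts[status] += 1
    total = len(resolution)
    removed = (counts["inherited"] + (1 - hybrid_weight) * counts["hybrid"]) / total if total else 0.0
    return {"counts": counts, "effort_removed": round(removed, 2)}


# Constructed baseline and providers (assumptions, not VA's boundaries).
REQUIRED = frozenset({"AC-2", "AC-3", "AU-2", "AU-6", "CM-6",
                      "SC-7", "SC-8", "SC-28", "SI-2", "SI-4"})
INFRASTRUCTURE = Provider("infrastructure", date(2026, 1, 31),
                          full=frozenset({"SC-7", "SC-28"}),
                          partial=frozenset({"AU-2"}))
PLATFORM = Provider("platform", date(2025, 9, 30),
                    full=frozenset({"AU-2", "CM-6", "SC-8", "SI-2"}),
                    partial=frozenset({"AC-2", "AU-6"}))
LAYERS = (INFRASTRUCTURE, PLATFORM)   # lowest layer first
ASSESSMENT_DATE = date(2025, 3, 1)    # constructed date of the app's assessment

if __name__ == "__main__":
    res = resolve(REQUIRED, LAYERS, ASSESSMENT_DATE)
    for ctl, (status, source) in res.items():
        print(f"{ctl:6} {status:9} {source or '-'}")
    print(effort_summary(res))
    # After the platform's authorization lapses, its claims no longer count.
    print(effort_summary(resolve(REQUIRED, LAYERS, ASSESSMENT_DATE.replace(month=10))))
```

Two details carry the security meaning. A partial claim at a lower layer is superseded by a full claim higher up (AU-2 here becomes inherited from the platform even though the infrastructure only covers it in part), and the resolver re-runs against current authorization dates, so continuous monitoring of the providers is what keeps the application's inherited controls valid rather than a one-time mapping.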

Rather than managing project-based scheduling for assessing federal systems, we embedded technical assessors with delivery teams, reducing schedule-based queuing problems, decreasing batch sizes, and shortening feedback loops with development teams. This created shared learning environments where developers, security, and privacy personnel could collaborate in real-time. The cultural shift improved quality, reduced risk, accelerated continuous delivery of secured software, and enhanced employee/contractor morale.

At the infrastructure level, we deployed a Continuous Integration/Continuous Delivery (CI/CD) pipeline using AWS Elastic Kubernetes Service (EKS), Terraform for Infrastructure as Code (IaC), and ArgoCD to create a highly available environment with automated backups, encryption, and storage autoscaling.

To improve risk management assurance and security workflows, we:

  • Conducted stakeholder interviews with Authorizing Officials (AOs) and mapped user journeys to improve interactions between developers, security assessors, and privacy officers.
  • Embedded technical security control assessors alongside developers to provide real-time feedback and cybersecurity education.
  • Authored a custom cATO Playbook, a guide standardizing best practices for continuous compliance, risk assessment, and security automation.

Interested in adopting your own cATO Playbook? Check out our Continuous Delivery Risk Management Framework (CD-RMF) Playbook, derived from our internal Rise8 playbook and continuously improved by the government IT community.

Mission Results

As a result of our partnership, we captured the following improvements:

  • 84% faster approvals: ATO time dropped from 568 days to 87 days
  • 75% faster security fixes: Vulnerability remediation improved from 143 days to 35 days
  • 97% fewer security issues: POA&Ms dropped from 74 to just 2 per system
  • Government milestone: VA became the first non-DoD agency to achieve continuous ATO (cATO)

And for the Veterans and VA staff who rely on these applications every day, these outcomes supported the following VA mission impacts:

  • Faster benefits processing: Veterans submitting claims on VA.gov now experience fewer delays due to improved classification accuracy (from 50% to 75%), reducing processing time from weeks to days. This means fewer follow-up calls, external record reviews, and exam reorders to verify legitimate claims.
  • Improved claims handling: Manual claim merging previously took VA staff 10 minutes per claim. Automation now handles this instantly, saving 149 hours over three months.
  • More accurate claim approvals: Automated claim classification prevents processing delays, reducing stress for Veterans Service Representatives and allowing cases to move forward faster.
  • Congressional mandate fulfilled: One of the first systems to go live under the cATO model was authorized for release to production in just 87 days with only two POA&Ms and no critical/high vulnerabilities, directly addressing a congressional mandate to improve disability claim processing time before the end of 2022.

VA’s Chief Information Officer granted Ongoing Authorization after reviewing these results from the first four systems using our cATO approach. For the first time, VA application development teams can release software changes quickly and securely, focusing more on improving Veteran experiences and spending less time getting through the accreditation and approval process.

Veteran-Facing Impact*

cATO doesn't just make life better for IT; our work strengthened the infrastructure, delivery pipelines, and secure development practices behind key Veteran-facing services. These improvements drove broad downstream impacts that continue to deliver value across the VA.

*These outcomes reflect cumulative totals as of March 2025.

Success by the Numbers

Tech Stack

  • Compliance & Control Authorization Tooling: Secure Release Pipeline and Gate Checks, Automated Vulnerability Scanning, Common Control Inheritance Model, Secure Development (SD) Elements
  • CI/CD & Automation: GitHub & GitHub Actions, Terraform, ArgoCD, Python & Bash Scripting
  • Infrastructure: AWS, k8s, Helm, Vault
  • Monitoring: Datadog, Splunk
  • Security Vulnerability Tooling: GitHub Dependabot, CodeQL, and Secret Scanning; Snyk Code and SCA Scanning; Aqua Container Scanning and Runtime Monitoring

Key Practices

  • Automated security testing (SAST, SCA, container scanning)
  • Blue-Green Deployments for frictionless updates
  • Embedded security assessors for compliance integration
  • Continuous monitoring with live dashboards and alerts
  • IaC for efficient provisioning and scalability
  • User journey mapping and stakeholder interviews
  • Phased release strategy with continuous user feedback

Contract Information

This work was completed as part of a federal digital modernization initiative focused on secure software delivery and continuous risk management, supported by Rise8 from 2021 to 2025.
