SaaS Playbook

How VA approaches the identification, acquisition, and implementation of SaaS products.

Adopting SaaS solutions at VA shouldn’t be difficult, time-consuming, or stressful. It’s our job in the Office of Information Technology (VA OIT) to make sure the process is easy-to-understand, fast, and simple. This allows VA to tap into emerging technologies in the market and provide a digital experience that’s on par with the private sector. SaaS solutions are a critical tool in VA’s mission to provide Veterans with better access to health care and VA benefits.

1. Intake

To encourage the VA to adopt SaaS solutions, we must make it easy for front-line staff to connect with experts in technology and the SaaS process at VA. By lowering the barrier to entry for VA staff, we can encourage more requests and build momentum across the VA to use the best available tools for the problems at hand. We use the principles below to design an intake process that meets customers where they are and provides a clear path to achieving their goals.

Intake Checklist

  • Be transparent. Provide VA customers and the vendor community as much plain language information as possible early in the process.
  • Publish a public list of already approved SaaS products.
  • Provide customers with a single point of contact who provides a "concierge" level of customer service throughout the entire process.
  • Ensure VA customers have the support they need with technical, security, and procurement expertise throughout the process.
  • Ensure everyone involved has a clear understanding of the problem.
  • Understand the types of data used in the solution to determine data security requirements.
  • Automate the process where possible.
  • Minimize the time, effort, and data you ask for from customers.
  • Provide weekly updates to customers on the status of intake requests.
  • Collect customer feedback on the intake process. Use this information to improve the process.

2. Acquisition

A smooth acquisition phase is critical to ensure customers get the SaaS products they need while meeting all relevant policies, laws, and regulations. This step often involves a number of teams and offices. VA OIT serves as the central organizing body to help coordinate the process even though the customer is responsible for creating the necessary acquisition documents. Below are the principles VA OIT uses to create a smooth, efficient process.

Acquisition Checklist

  • Ensure the solution will address the customer’s whole problem.
  • Provide templates for required acquisition documents.
  • Involve acquisitions experts early in the process.
  • Provide VA customers with tailored SaaS procurement language that helps secure the best SaaS solutions for the real problem.
  • Provide plain language instructions for customers who may be unfamiliar with the acquisition process.
  • Help customers make sure they have all the appropriate funding required to buy and implement a SaaS product, including any funding required for integration with other systems.
  • Assist customers with coordination between multiple offices.

3. Security and Implementation

Protecting Veteran and stakeholder data is a top priority at VA. Because SaaS products are managed by a third party, VA OIT must ensure they meet federal and VA security requirements. FedRAMP compliance is a great way for vendors to meet these requirements and achieve faster implementation at VA.

VA follows Federal CIO and OMB guidance on FedRAMP, which provides agencies options to:

  • Leverage a Provisional Authority to Operate (P-ATO) completed by the Joint Authorization Board
  • Leverage an Authority to Operate (ATO) completed by another agency
  • Conduct their own ATO

However, if either the Joint Authorization Board or another agency has already gone through the risk management framework process with the cloud service provider, the agency is encouraged to leverage the work already done. This is less burdensome for both the agencies and the service providers. Regardless of the approach, VA will be using the FedRAMP baselines as a starting point, since they are specifically tailored for cloud services.

Security and Implementation Checklist

  • Work with a small, empowered, cross-disciplinary team to expedite SaaS delivery using a process tailored from end-to-end for SaaS products.
  • Implement guidance from the Federal CIO and OMB that minimizes risk to your organization, while taking a common-sense approach to delivering value to customers.
  • Eliminate unnecessary documentation.
  • Ensure customers understand security requirements and the process up front.
  • Complete a data security categorization to understand data types required for the solution and security compliance requirements.
  • Confirm whether the SaaS solution is FedRAMP compliant.
  • Provide SaaS vendors with clear guidance on organizational (e.g., VA) requirements and options for compliance.
  • Provide accessible, plain language information on organizational (e.g., VA) FedRAMP sponsorship.
  • Ensure VA security requirements are met during the organizational (e.g., VA) Authority to Operate process.

Page last updated on August 2, 2019