# Engineering and Security Checklist - Form 22-0976 Application for Approval of a Program in a Foreign Country ## Engineering Checklist ### Product Description Implementation of VA Form 22-0976 (Application for Approval of a Program in a Foreign Country) as a digital form on VA.gov. This form allows School Certifying Officials to submit applications digitally for VA approval of foreign educational programs, replacing the current manual PDF process. **Motivation:** Streamline the foreign program approval submission process, provide better tracking and validation, and reduce manual processing overhead for the Federal Approvals team. **Collaboration Cycle Request:** \[Link to GitHub issue\] ### UX Design Description - Digital form interface for School Certifying Officials - Multi-step form with sections for general information, degree programs, certifications, medical school info (if applicable), and contacts - Confirmation screen upon successful submission \[Link to Figma design\] **Engineering Challenges:** Form validation for complex institutional and program data, handling multiple application types (initial/reapproval/new programs/update), international address validation, medical school specific requirements, multiple degree program entries, branch campus handling. ### Frontend Changes **New Function:** Complete new form implementation for 22-0976 **Design System Components:** Leverages existing VA.gov form components **Shared Code:** No changes to shared frontend code **Analytics:** Standard form event tracking with GA, error monitoring via existing VA.gov analytics **Error Detection:** Frontend validation errors, submission failures tracked via Datadog ### Backend Changes **Infrastructure Dependencies:** Uses existing education benefits infrastructure **New Connections:** None - leverages existing VA.gov backend systems **API Polling:** Not required **Error Handling:** Standard form validation, database error handling **Shared Code:** No changes to shared backend code **Logging:** Form submission events, PDF generation status **User-uploaded Data:** No user file uploads **Temporary Files:** PDF files temporarily generated during processing, automatically cleaned up after delivery to FE ### Internal API Changes **New APIs:** (modified to add new form) POST /v0/education_benefits_claims/22-0976 **Deprecations:** None **Documentation:** Standard VA.gov API documentation patterns **Call Patterns:** Single submission per application, low volume expected **Rate Limiting:** Standard VA.gov rate limiting applies **Third Party Integrations:** None **Scheduled Jobs:** No new batch jobs required **Schema Validation:** Uses vets-json-schema validation ### External API Changes **External APIs:** None **PII/PHI Transmission:** No PII/PHI transmitted externally ### Background Jobs **Background Processing:** PDF generation **Error Handling:** Standard Rails job error handling ### Data Storage **Database Changes:** Uses existing education benefits claims table structure **Indexes:** Leverages existing indexes **PII/PHI:** Contains institutional contact information (names, email addresses, signatures) - not veteran PII/PHI **Data Volume:** Low volume - estimated \<500 submissions annually **Database Impact:** Minimal impact on existing systems **Data Expiration:** Standard VA.gov data retention policies apply **Cleanup:** Temporary PDF files cleaned up immediately after FE delivery ### Libraries and Dependencies **New Dependencies:** None - uses existing VA.gov technology stack **Updated Dependencies:** None required ### Metrics, Logging, Observability, Alerting **Key Monitoring Areas:** Form submission success/failure, PDF generation **Custom Metrics:** None beyond standard form metrics **Sensitive Data:** No sensitive data in logs **Alerting:** Uses existing Datadog education benefits monitoring ### Infrastructure and Network Changes **Changes:** None - uses existing VA.gov infrastructure ### Test Strategy **Automated Tests:** Unit tests, integration tests for controller and form validation **Front End:** E2E cypress testing with platform\'s form tester utility, a keyboard only cypress test, and unit testing in excess of 80% coverage goal **Manual Testing:** Form submission workflows, PDF generation, multiple program entries, medical school specific fields **UAT:** Testing with sample institutional and program data **Test Data:** Sample institution data, test facility codes, multiple degree programs, branch campus scenarios ### Rollout Plan **Feature Flags:** Every form uses a boolean in the content-build repo registry.json file to turn on the form in prod/turn it off. We would have to make another PR for this repo and get it approved by platform to flip this \"toggle\". **Team Coordination:** FE and BE **Rollback Plan:** Feature flag disable ### Internal Administration Tasks **Maintenance Tasks:** Standard VA.gov database maintenance, submissions monitoring **Administration Method:** Existing VA.gov administrative interfaces and Datadog monitoring ## Security Checklist ### Problem Statement Form 22-0976 digitizes the foreign program approval application submission process, allowing School Certifying Officials to generate applications digitally rather than manually completing PDFs, improving security and tracking. ### Monitoring Plan **Code Base Compromise Detection:** Datadog monitoring, abnormal traffic pattern detection **Disabling Process:** Feature flag capability **Process Execution:** Runs within existing education benefits infrastructure with standard authentication **Process Isolation:** Standard VA.gov application isolation **Additional Credentials:** Uses existing VA.gov service credentials ### Release Plan \[Link to detailed release plan with completed Planning sections\] ### Endpoint Security **New Endpoints:** (modified) POST /v0/education_benefits_claims/22-0976 **Abuse Scenarios:** - Form spam submissions (mitigated by rate limiting) - Invalid data submission (mitigated by input validation) - PDF generation abuse (mitigated by submissions rate limiting) - Malicious program data entry (mitigated by input validation and sanitization) **Mitigation:** Standard VA.gov security controls, input validation, rate limiting ### Logging Data **New Logging:** Form submission events, PDF generation status **Data Captured:** Institution identifiers, submission timestamps, application type **Storage:** Standard VA.gov logging infrastructure ### Personal Information **PII/PHI:** Contains institutional contact information (names, email addresses, signatures of school officials) - not veteran PII/PHI **Encryption:** Standard VA.gov database encryption **Data Scrubbing:** Standard data retention and cleanup policies apply ### Cookies **Cookie Usage:** Uses existing VA.gov session management **New Cookies:** None **Modified Cookies:** None ### Authentication **Authentication Status:** Institutional login optional ### Additional Focus Areas - PDF generation security and temporary file handling - Facility code verification and validation - International address validation - Digital signature handling for authorizing officials - Multiple degree program entry validation ## Artifacts ### Architecture Diagram ![Diagram AI-generated content may be incorrect.](./image1.png){width="6.0in" height="4.299305555555556in"} ### Security Approach - Leverages existing VA.gov security model - Standard authentication and authorization - Encrypted data storage - Input validation and sanitization ### Incident Response Plan **Primary Contact:** VEBT team **Slack Channels:** #vfep-developer-support **Security Timeline:** Standard VA.gov security patch process **Dashboards:** Education Benefits Claims Datadog dashboard ### Sequence Diagram ![Diagram AI-generated content may be incorrect.](./image2.png){width="6.95415791776028in" height="3.7636165791776026in"} ### Data Flow Diagram ![Diagram AI-generated content may be incorrect.](./image3.png){width="7.267221128608924in" height="3.200437445319335in"} ### API Documentation - Standard VA.gov API documentation - Endpoint: POST /v0/education_benefits_claims/22-0976 - Uses existing education benefits claims controller pattern ### Product Links **Release Plan:** \[Link\] **Product Outline:** \[Link to GitHub product outline\] **Incident Response:** Included in product outline **Product Playbook:** \[Link\]