Engineering and Security Checklist - Form 22-0976 Application for Approval of a Program in a Foreign Country
Implementation of VA Form 22-0976 (Application for Approval of a Program in a Foreign Country) as a digital form on VA.gov. This form allows School Certifying Officials to submit applications digitally for VA approval of foreign educational programs, replacing the current manual PDF process.
Motivation: Streamline the foreign program approval submission process, provide better tracking and validation, and reduce manual processing overhead for the Federal Approvals team.
Collaboration Cycle Request: [Link to GitHub issue]
-
Digital form interface for School Certifying Officials
-
Multi-step form with sections for general information, degree programs, certifications, medical school info (if applicable), and contacts
-
Confirmation screen upon successful submission
[Link to Figma design]
Engineering Challenges: Form validation for complex institutional and program data, handling multiple application types (initial/reapproval/new programs/update), international address validation, medical school specific requirements, multiple degree program entries, branch campus handling.
New Function: Complete new form implementation for 22-0976
Design System Components: Leverages existing VA.gov form components
Shared Code: No changes to shared frontend code
Analytics: Standard form event tracking with GA, error monitoring via existing VA.gov analytics
Error Detection: Frontend validation errors, submission failures tracked via Datadog
Infrastructure Dependencies: Uses existing education benefits infrastructure
New Connections: None - leverages existing VA.gov backend systems
API Polling: Not required
Error Handling: Standard form validation, database error handling
Shared Code: No changes to shared backend code
Logging: Form submission events, PDF generation status
User-uploaded Data: No user file uploads
Temporary Files: PDF files temporarily generated during processing, automatically cleaned up after delivery to FE
New APIs: (modified to add new form) POST /v0/education_benefits_claims/22-0976
Deprecations: None
Documentation: Standard VA.gov API documentation patterns
Call Patterns: Single submission per application, low volume expected
Rate Limiting: Standard VA.gov rate limiting applies
Third Party Integrations: None
Scheduled Jobs: No new batch jobs required
Schema Validation: Uses vets-json-schema validation
External APIs: None
PII/PHI Transmission: No PII/PHI transmitted externally
Background Processing: PDF generation
Error Handling: Standard Rails job error handling
Database Changes: Uses existing education benefits claims table structure
Indexes: Leverages existing indexes
PII/PHI: Contains institutional contact information (names, email addresses, signatures) - not veteran PII/PHI
Data Volume: Low volume - estimated <500 submissions annually
Database Impact: Minimal impact on existing systems
Data Expiration: Standard VA.gov data retention policies apply
Cleanup: Temporary PDF files cleaned up immediately after FE delivery
New Dependencies: None - uses existing VA.gov technology stack
Updated Dependencies: None required
Key Monitoring Areas: Form submission success/failure, PDF generation
Custom Metrics: None beyond standard form metrics
Sensitive Data: No sensitive data in logs
Alerting: Uses existing Datadog education benefits monitoring
Changes: None - uses existing VA.gov infrastructure
Automated Tests: Unit tests, integration tests for controller and form validation
Front End: E2E cypress testing with platform's form tester utility, a keyboard only cypress test, and unit testing in excess of 80% coverage goal
Manual Testing: Form submission workflows, PDF generation, multiple program entries, medical school specific fields
UAT: Testing with sample institutional and program data
Test Data: Sample institution data, test facility codes, multiple degree programs, branch campus scenarios
Feature Flags: Every form uses a boolean in the content-build repo registry.json file to turn on the form in prod/turn it off. We would have to make another PR for this repo and get it approved by platform to flip this "toggle".
Team Coordination: FE and BE
Rollback Plan: Feature flag disable
Maintenance Tasks: Standard VA.gov database maintenance, submissions monitoring
Administration Method: Existing VA.gov administrative interfaces and Datadog monitoring
Form 22-0976 digitizes the foreign program approval application submission process, allowing School Certifying Officials to generate applications digitally rather than manually completing PDFs, improving security and tracking.
Code Base Compromise Detection: Datadog monitoring, abnormal traffic pattern detection
Disabling Process: Feature flag capability
Process Execution: Runs within existing education benefits infrastructure with standard authentication
Process Isolation: Standard VA.gov application isolation
Additional Credentials: Uses existing VA.gov service credentials
[Link to detailed release plan with completed Planning sections]
New Endpoints: (modified) POST /v0/education_benefits_claims/22-0976
Abuse Scenarios:
-
Form spam submissions (mitigated by rate limiting)
-
Invalid data submission (mitigated by input validation)
-
PDF generation abuse (mitigated by submissions rate limiting)
-
Malicious program data entry (mitigated by input validation and sanitization)
Mitigation: Standard VA.gov security controls, input validation, rate limiting
New Logging: Form submission events, PDF generation status
Data Captured: Institution identifiers, submission timestamps, application type
Storage: Standard VA.gov logging infrastructure
PII/PHI: Contains institutional contact information (names, email addresses, signatures of school officials) - not veteran PII/PHI
Encryption: Standard VA.gov database encryption
Data Scrubbing: Standard data retention and cleanup policies apply
Cookie Usage: Uses existing VA.gov session management
New Cookies: None
Modified Cookies: None
Authentication Status: Institutional login optional
-
PDF generation security and temporary file handling
-
Facility code verification and validation
-
International address validation
-
Digital signature handling for authorizing officials
-
Multiple degree program entry validation
{width="6.0in"
height="4.299305555555556in"}
-
Leverages existing VA.gov security model
-
Standard authentication and authorization
-
Encrypted data storage
-
Input validation and sanitization
Primary Contact: VEBT team
Slack Channels: #vfep-developer-support
Security Timeline: Standard VA.gov security patch process
Dashboards: Education Benefits Claims Datadog dashboard
{width="6.95415791776028in"
height="3.7636165791776026in"}
{width="7.267221128608924in"
height="3.200437445319335in"}
-
Standard VA.gov API documentation
-
Endpoint: POST /v0/education_benefits_claims/22-0976
-
Uses existing education benefits claims controller pattern
Release Plan: [Link]
Product Outline: [Link to GitHub product outline]
Incident Response: Included in product outline
Product Playbook: [Link]