Attention A T users. To access the menus on this page please perform the following steps. 1. Please switch auto forms mode to off. 2. Hit enter to expand a main menu option (Health, Benefits, etc). 3. To enter and activate the submenu links, hit the down arrow. You will now be able to tab or arrow up or down through the submenu options to access/activate the submenu links.
Graphic for the Veterans Crisis Line. It reads Veterans Cris Lins 1 800 273 8255 press 1
My healthevet badge

VA Enterprise Architecture

VA EA Security Domain

VA EA Security DomainProtecting our critical infrastructure, assets, networks, systems, and data is one of the most significant challenges our country faces in today’s Internet-based IT environment. Every day, our Nation experiences increasingly sophisticated cyber threats and malicious intrusions. Not surprisingly, in 1997 GAO designated Federal information security as a government-wide high-risk area (see GAO Report on Federal Information Security: Agencies Need to Correct Weaknesses and Fully Implement Security Programs).

Domain Scope

The Security Domain describes what VA must do to protect sensitive personal customer and employee information and ensure its cyberspace ecosystem is secure, ready, resistant, and resilient from threats, unauthorized access, and vulnerabilities. According to the Conceptual Metamodel below, the scope of this Domain includes security-related strategies, plans, laws, policies, regulations, capabilities, standards, practices, and performance measures.

Conceptual Metamodel – Security Domain View Conceptual Metamodel – Security Domain View

Conceptual Metamodel – Security Domain View


The Security Domain information is closely linked to all other domains because security is integral to the overall security posture and health of an organization and/or system. These linkages:

  • Describe the relationships between the Department’s cybersecurity strategy, goals, and objectives and enabling capabilities, functions, business processes, information, infrastructure, and technology needs
  • Identify the laws, policies and regulations, and technical standards that must be met to ensure a compliant and secure IT operating environment
  • Identify enterprise services that deliver security-related functions at lower cost than new development
  • Provide standards related to sharing of information among systems, lines of business, customers, and partner providers
  • Enable the establishment of a common “language” for information security within the Department

When this Metamodel and its relationships are fully developed, the information captured in this Domain can be used to enable the adoption of the latest technology innovations and help identify candidate systems, applications, and platforms for remediation or retirement due to security risks. By successfully addressing the cybersecurity risk in VA’s technology environment, VA will be able to provide trusted access and sharing of information within the ecosystem of Veteran service providers, thus ensuring confidence in VA.

Future Enhancements

As the Enterprise Cybersecurity Strategy continues to mature and evolve, the VA EA will be updated. This will include the addition and integration of all relevant security requirements to support critical aspects of the strategy that must be followed and enforced within VA business processes during the development, implementation, and execution of IT solutions.

Key EA Artifacts Currently Available

Strategic Guidance

White Papers/Tech Insights

  • List of security related Tech Insights:
    • A VA Executive’s Guide to Mobile Security (January 2016) – This Tech Insight highlights mobile security concerns and provides enterprise solutions, including a critical focus on Enterprise Mobility Management (EMM).
      • Cloud Privacy and Security (May 2015) – This Tech Insight discusses data privacy and security in a cloud computing environment.
      • Mobile Device Security (May 2014) – This Tech Insight discusses the increased use of mobile devices in the workplace and the many security issues raised by this trend.

    Models, Patterns, and Reports

    • Enterprise Design Patterns  – is a list of security-related Enterprise Design Patterns, and includes the following:
      • User Identity Authentication – This Enterprise Design Pattern describes the “To-Be” state for VA internal (Personal Identity Verification [PIV]-enabled VA employees, contractors, and volunteers), as well as external user identity authentication (business partners, Veterans, and others who access VA resources from outside VA’s networks).
      • External User Identity Authentication – This Enterprise Design Pattern supports VA’s goals of increasing security, decreasing total cost of ownership (TCO) and increasing information re-use/agility.
      • Enterprise Secure Messaging – This Enterprise Design Pattern implements the standards and protocols required for message-level security. It describes the message-level security standards needed to integrate the enterprise IT infrastructure and Enterprise Shared Services (ESS).
      • Mobile Veteran Facing Applications Security – This Enterprise Design Pattern provides enterprise-level capability guidance that identifies security best practices for Veteran-facing mobile applications used to access VA IT resources.
      • Non-Person Entity Security – This Enterprise Design Pattern describes the “To-Be” state for VA NPE security. It describes “adaptive” authentication tools that need to be implemented, and the need for authentication protocols that can support attribute- and risk-based access controls.

    VA Policies, Guidance, and Statutes

    • VA Directive 6500 – Information Security Program (20 Sep 2012)
    • VA Handbook 6500 – Risk Management Framework for VA Information Systems – Tier 3: VA Information Security Program (10 March 2015)
    • VA Directive 6517 – Risk Management Framework for Cloud Computing (15 Nov 2016)

    External References

    Compliance & Standards