A CERT-In Empanelled Auditing Organization
Home/Services/CERT-In Auditor Services/ABHA M1 Certification (WASA)
CERT-In Auditor Services

ABDM & ABHA M1 Certification — WASA & VAPT

The CERT-In empanelled Web Application Security Assessment (WASA) your digital health application needs to clear NHA’s Milestone 1 gate and go live on the ABDM production environment.

Overview

The security gate between your ABDM sandbox and production.

Every digital health application that integrates with ABDM must pass a Web Application Security Assessment (WASA), conducted by a CERT-In empanelled auditor, before the National Health Authority (NHA) grants Milestone 1 (M1) certification and production access. Without a passing WASA report, no application — however well-built or well-funded — can go live on the ABDM ecosystem.

As a CERT-In empanelled auditing organisation, SICHERTEN runs the full WASA on your sandbox build — covering ABHA flows, ABDM APIs, the OWASP Top 10, authentication, encryption and patient-consent journeys — and produces an NHA-formatted report, supporting you through remediation, closure and the Safe-to-Host certificate.

What’s covered

What the WASA assessment examines.

ABHA integration security

ABHA number creation, verification, linking and login flows.

ABDM API security

ABDM/FHIR endpoints, access control and secure communication.

OWASP Top 10 & app VAPT

Full vulnerability assessment and penetration testing of the app.

Authentication & sessions

Login, token, session and access-control hardening.

Health-data encryption

Protection of sensitive health data in transit and at rest.

Consent-flow testing

Patient consent journeys and artefact handling.

Who needs this

Is this the right fit?

Any application seeking to go live on the ABDM production environment.

Hospitals & HMIS/HIS vendorsABDM-enabling their software.
Health Information Providers (HIPs)Sharing digital health records.
Health Information Users (HIUs)Retrieving records with consent.
Health Locker / PHR appsABHA-linked personal records.
EHR/EMR & diagnostics platformsHandling sensitive health data.
Telemedicine & health-tech startupsPreparing a first ABDM go-live.
Regulatory drivers

Why this is required

ABDM production access is gated by the NHA. Beyond third-party functional testing, every integrating application must clear a CERT-In empanelled WASA — the security audit is mandatory and non-negotiable. Requirements are set by the NHA/ABDM and updated periodically, so we confirm the current scope against the live sandbox guidelines for your build.

NHA / ABDM milestones
M1 (ABHA creation & verification) is the foundational gate; a passing WASA is required before production access is granted.
CERT-In empanelment
Only a CERT-In empanelled auditor can issue the WASA report and Safe-to-Host certificate that NHA accepts.
ABDM Security Guidelines & HDM Policy 2020
The application must align with national health-data protection standards and the NDHM secure-development reference.
How we work

A clear path from sandbox to Safe-to-Host.

A methodical WASA lifecycle that produces an NHA-ready result.

Scoping & sandbox review

Mapping your M1 ABHA flows, ABDM APIs and application architecture.

Conformance & API check

Alignment with ABDM sandbox specifications and FHIR expectations.

WASA / VAPT execution

OWASP Top 10, API, authentication, encryption, consent and business logic.

Findings & risk rating

Prioritised, CVSS-scored findings mapped to ABDM expectations.

Remediation support & retest

Closing critical and high findings, then revalidating the fixes.

NHA-ready certification pack

WASA report, closure certificate and Safe-to-Host certificate for submission.

What you receive

Everything NHA needs to see.

  • Final WASA reportSigned by a CERT-In empanelled auditor.
  • Findings & evidenceEach issue with proof, OWASP mapping and CVSS.
  • Vulnerability Closure CertificateConfirming critical and high findings are remediated.
  • Safe-to-Host certificateRequired for ABDM production onboarding.
  • Remediation guidance & retestVerification of fixes for your NHA submission.

Standards & frameworks

We anchor the assessment to the standards and guidelines that govern the ABDM ecosystem.

CERT-InABDM / NHAOWASPFHIRHDM Policy 2020
Checklist

Are you ready? A quick checklist

What to have in place before the WASA begins.

M1 milestone approved in sandbox
Functional testing planned or complete
ABHA integration implemented
Sandbox / staging build ready to test
API & flow documentation available
Build version frozen for the audit
Remediation owner identified
NHA submission bundle owner
FAQ

Common questions

Is WASA required for M1 specifically, or for every milestone?
WASA assesses the application you intend to take to production, and M1 (ABHA creation & verification) is the first NHA gate. The audit covers your ABHA and ABDM flows as built; if the application changes materially for later milestones such as M2 or M3, those changes may need re-auditing. We scope the assessment to exactly what you are certifying.
Why must the auditor be CERT-In empanelled?
NHA only accepts a WASA report and Safe-to-Host certificate issued by a CERT-In empanelled auditor, and a report from a non-empanelled provider will not be accepted for ABDM production onboarding. SICHERTEN is a CERT-In empanelled auditing organisation — you can verify any auditor’s empanelment directly on the official CERT-In website.
How long does the WASA take?
The WASA itself typically runs about three to six weeks, depending on the scope of the application and how quickly findings are remediated, and it sits within a broader sandbox-exit pipeline alongside functional testing and NHA review. Starting early leaves time to fix issues before your NHA submission rather than under deadline pressure.
Related services

Continue exploring

Ready to clear your ABDM M1 gate?

Tell us about your digital health application and we’ll scope the WASA with you — and get you production-ready.