Cybersecurity (HECVAT) and Accessibility (VPAT) Requirements for Technology Purchases

To ensure that university technology purchases meet federal, state, and board requirements for cybersecurity and accessibility, all university IT purchases are required to undergo cybersecurity and accessibility review before legal review or purchase (including renewals). Both a Higher Education Community Vendor Assessment Toolkit (HECVAT) and a Voluntary Product Accessibility Template (VPAT) (or Accessibility Conformance Report (ACR)) are required from the vendor for each individual product being purchased. These documents are reviewed to ensure they meet regulations and that we are providing a safe and accessible experience for our campus community.

If the software you wish to purchase is not listed as UARK Enterprise Software, you may still be able to purchase the software through the university if the software is deemed secure and accessible at an acceptable level. To determine this, the software purchase will require a VPAT and a HECVAT. First, you should check the VPAT/Accessibility and HECVAT/Security Review Compliance Catalog to see if a VPAT and a HECVAT have already been acquired for the software you wish to purchase.

Note: IT Services staff should use their departmental software request form.

Check the VPAT and HECVAT Review Compliance Catalog

Manufacturers or vendors may have already completed VPATs and/or created Accessibility Conformance Reports (ACRs) for their products. Check the VPAT/Accessibility and HECVAT/Security Review Compliance Catalog to see if a VPAT and a HECVAT have already been acquired for the software you wish to purchase.

VPAT and HECVAT Compliance Catalog

Include the IDs, Last Reviewed dates, and VPAT score from the Compliance Catalog when purchasing.

If the product is not listed in the VPAT and HECVAT Review Compliance Catalog

If the product is not listed, check the manufacturer/vendor’s website or contact the manufacturer/vendor to request the VPAT and HECVAT for the product. If the manufacturer, vendor, or reseller does not have a VPAT or HECVAT for the product you wish to purchase, you will need to request that these be completed for their product. 

The vendor must complete:

If the software is not listed in the Compliance Catalog, you must request a fully completed HECVAT and VPAT/ACR from the vendor.
If the vendor does not have a current HECVAT and/or VPAT/ACR for the software, request that they complete:

Collecting and submitting these forms at the start of the quote process can help reduce purchasing delays. The review process can take 1 to 2 weeks, so plan accordingly when making IT purchases.

Submit for Review

As soon as the documents are received from the vendor, submit them for review. 

Request a VPAT Review

Request a HECVAT/Cybersecurity Review

The review process can take several weeks, so plan accordingly.

Purchasing

You will include the ticket IDs from the VPAT Review and HECVAT Review tickets in the Workday purchase transaction.

Before submitting for legal review, the HECVAT and VPAT reviews must be complete. In the comment section you can add the ticket #s for the HECVAT and VPAT reviews.

Submit the ticket numbers or Compliance Catalog information with the purchase requisition. When you have all appropriate reviews complete, include the following in your requisition memo/comment section or PCard transaction verification:

  • IDs (from Compliance Catalog) or ticket numbers (if reviewed)
  • Last Reviewed dates (from Compliance Catalog) or expiration dates (if reviewed)
  • VPAT score
  • any comments from the HECVAT or Cybersecurity reviews

Include all items so that IT and EProcurement teams can see that they have been successfully reviewed.

Review Request Services

Frequently Asked Questions

Updating this article

If this article needs to be updated, please leave feedback on this article and it will notify the owner of the article.

Related Articles (3)

Frequently asked questions about IT purchases and their VPAT & HECVAT review process.
When purchasing third-party software or hardware, university personnel must obtain a HECVAT for the product from the vendor.
A VPAT is a template with testing criteria developed from accessibility requirements and standards to help buyers of technology confirm that the technology is accessible.

Related Services / Offerings (2)

The HECVAT is a questionnaire designed for higher education to evaluate a vendor’s security risks and confirm that the vendor has implemented data and security policies.
Technology products (software and hardware) that are purchased through the university should have a VPAT acquired before purchase. The VPAT must then be reviewed before purchasing the technology product. Please include only ONE VPAT per form submission.