FAQs: Cybersecurity and Accessibility Requirements for Technology Purchases

Audience: Staff who make or request purchases

Responsible Group: Contract Team

Overview

To ensure that all technology purchases meet federal, state and board requirements for cybersecurity and accessibility, departments and requestors are required to submit vendor cybersecurity and accessibility documentation for review before sending to legal review or purchasing the product through PCard, Requisitions or Supplier Contracts in Workday. Below are frequently asked questions about the purchasing process. 

Frequently Asked Questions

What is a HECVAT and why do I need one?

The HECVAT (Higher Education Community Vendor Assessment Toolkit) is a questionnaire designed for higher education to evaluate a vendor’s cybersecurity risks and confirm that the vendor has implemented data and security policies. When purchasing third-party software or hardware, university personnel must obtain a HECVAT for the product from the vendor to confirm that information, data, and cybersecurity policies are in place to protect university data when using the vendor’s product.

What is a VPAT/ACR and why do I need one?

  • A VPAT (Voluntary Product Accessibility Template) is a template used to document a product’s conformance with accessibility standards and guidelines. Once filled out it is generally referred to as an ACR (Accessibility Conformance Report).
  • The State of Arkansas is required to comply with the provisions of Arkansas Code Annotated §25-26-201 et seq., as amended by Act 308 of 2013 and the Government-wide Section 508 Accessibility Program prior to procuring a technology product or when soliciting the development of such a product. Arkansas Code §25-26-201 expresses the policy of the State to provide individuals who are blind or visually impaired with access to information technology purchased in whole or in part with state funds.
  • To reach this goal, those responsible for making decisions about which products to procure must consider accessibility as one of the criteria for acquisition. This is especially critical for enterprise-level systems and other technologies that affect a large number of students, faculty, and/or staff.

How do I get started?

You can visit the Cybersecurity and Accessibility Requirements for Technology Purchases article to get an overview of the steps and workflow for technology purchases.

Which IT products need a HECVAT and VPAT?

Almost all IT related purchases (software (desktop, cloud-based, or SaaS), hardware, etc.) require these documents. If you have questions, you can email the contracts team at contract@uark.edu for advice.

How can I see if the university already has an updated HECVAT or VPAT for this product?

You can view our Compliance Catalog that is updated regularly. You must be logged in with your UARK account to view the catalog. 

Would it be possible to subscribe to updates for the compliance catalog?

Yes! If you visit the Compliance Catalog, you can click subscribe on the right to get updates. The compliance catalog is updated at least once a week. You can see the last update under "modified" on the right.

Who fills out the HECVAT and VPAT?

The vendor is responsible for filling out the documents. Ideally the vendor's security team would fill out the HECVAT and the vendor's development team would fill out the VPAT.

Who is responsible for collecting the HECVAT/VPAT from the vendor?

The person requesting the software is usually the best person to request these documents, as they are most familiar with the product and are already in contact with the vendor. In some cases your tech partner can assist if the vendor has technical questions.

How do I ask the vendor for these documents?

You can send this template response to the vendor:  

Our University requires both a cybersecurity and an accessibility review for technology. The University uses the Higher Education Community Vendor Assessment Toolkit (HECVAT) for cybersecurity and the Voluntary Product Accessibility Template (VPAT) for accessibility. Please have your security team fill out the HECVAT template and your development team fill out the VPAT template, and send both to me. The templates can be found here:
HECVAT: https://www.educause.edu/higher-education-community-vendor-assessment-toolkit.  

VPAT: please use the one most closely related to your product:  

When in the procurement process should I request the documents?

VPATs and HECVATs should be requested when asking the vendor for a quote. They should be obtained and reviewed before legal review or before a requisition is entered in Workday. If you do not obtain the documents beforehand, you will be prompted to ask for them, and your purchase will be put on hold until the review process is complete. We recommend getting these documents as soon as possible. If you know that a purchase or renewal is coming up, you can submit these documents for review in advance; you do not need to wait until the product is up for renewal, but keep in mind that reviews expire after 12 months.

How long does the review process take?

The review process takes about a week or two but can vary. Plan for longer review times during busy purchasing periods such as July or the start of semesters.

Do these forms have to be completed each time technology is purchased?

If the technology is listed in the Compliance Catalog, you do not need to submit these forms for review. You do, however, need to record in the PCard transaction the ticket numbers shown in the catalog table for both the HECVAT and VPAT reviews, together with the date each review was completed. Reviews are good for 12 months.

Are HECVATs and VPATs required for renewals? If we have used a vendor and product for many years, do I need a review?

If the item is not in the Compliance Catalog, then yes, these documents are required for renewals. This is a relatively new process, so these documents may not have been required when you initially purchased the product or started working with the vendor.

What do I do if the vendor won’t provide a HECVAT or VPAT?

If the vendor won’t provide these documents, you can still submit review requests through the ticketing system without uploading the documents. The teams will reach out for more information and may be able to perform a risk assessment in a different manner. If you are purchasing hardware and a vendor will not fill out the HECVAT, see if they are willing to fill out the Cybersecurity Hardware Review Form. If you have questions or need advice, you can also always email the contract team at contract@uark.edu.

The vendor won't provide a HECVAT, but they will provide an alternate security document. Is that acceptable?

Yes, alternative security documentation is acceptable. Depending on the Data Classification level submitted on the Cybersecurity Review form, the alternative documentation may need to be approved by the Chief Information Security Officer (CISO) before being used. Below is a list of possible alternative documentation options you could ask the vendor to provide. Please note that this list is not exhaustive.

  • SOC 2 report
  • CAIQ report
  • SIG report
  • ISO 27001 Certification
  • ISO 27034 Certification for desktop software
  • Third-party security risk assessment
  • Network and infrastructure diagrams
  • Security audits and penetration test reports
  • The UARK Cybersecurity Hardware Review Form - To be used for hardware only

Alternatively, the vendor may provide a security document or statement that includes as much detailed information as possible on the following sections:

  • Security Features & Capabilities: The core security functions of the solution, such as encryption, authentication, access control, data protection, and user privacy.
  • Threat Detection & Response: An outline of how the product detects, responds to, and mitigates security threats, including malware, ransomware, and unauthorized access attempts.
  • Vulnerability Management: An explanation of the processes the solution employs to identify, assess, and address vulnerabilities, including patch management and system updates.
  • Compliance & Standards: Specify how the solution adheres to industry standards and regulations, such as GDPR, HIPAA, ISO 27001, and other relevant security frameworks.
  • Integration & Interoperability: Detail how the product integrates with existing IT infrastructure and other security systems, ensuring seamless compatibility with existing hardware, software, and network environments.
  • Monitoring & Reporting: Describe the monitoring capabilities, logging features, and reporting functionalities available to track and audit security events and activities.
  • Scalability & Performance: Provide information on how the solution can scale to meet the needs of growing organizations while maintaining performance and security.
  • Support & Maintenance: Outline the support services, updates, and maintenance processes, including response times, availability, and long-term reliability.

If a vendor provides a VPAT or HECVAT that is 2–3 years old, is it still considered valid for review, or would an updated version be required?

This depends. In many cases, if the product has not changed, an older version of these documents may still be applicable. However, if the product has changed significantly, a new document may be needed.

Before providing the HECVAT or VPAT, the vendor wants me to sign an NDA. Is there anyone I can contact about this?

Yes, please email General Counsel (Legal) at gckrev@uark.edu to inquire about how to handle NDAs.

I heard that I need an exemption to purchase technology with a PCard. Does an exemption just mean we can purchase with a PCard or can we request exemption from HECVAT/VPAT?

The exemptions only apply to PCard transactions. There are no blanket exemptions from the HECVAT and VPAT requirements. If you have questions, or a vendor is not complying with your request, email contract@uark.edu for advice; such issues are addressed on a case-by-case basis.

After review of the HECVAT and VPAT does IT send the request to legal for review?

No, the requester will need to send the legal review form to Legal. You can include the ticket numbers for the HECVAT and VPAT on your legal review form. 

How does the HECVAT or VPAT review score affect a purchase?

If a technology does not meet cybersecurity standards, the cybersecurity team may ask to work with the vendor to remediate these issues before purchasing can occur. The score given for accessibility may not prevent a purchase from proceeding, but it is something to take note of when using the technology, since it indicates that the product may not be accessible to all users. If the technology is required for staff or students, or it impacts a large number of campus users, we may need to work with the vendor to remediate accessibility issues.

Do we need a HECVAT and VPAT for purchases such as applications and subscriptions?

For applications, yes. Subscriptions are trickier. For example, a subscription to the New York Times would not require these documents, but a subscription to statistical software would. If you have questions about a specific product, email contract@uark.edu.

Does HECVAT and VPAT also apply to app stores like Meta and Steam?

The HECVAT will not apply to Meta and Steam at this time, but a VPAT may be required.

When purchasing digital ad space from Google, LinkedIn, and Facebook is it required to have an HECVAT or VPAT?

No, these reviews are not required when purchasing digital ad space.

I see that there are options for software that you download and software as a service (SaaS) that is online. Do both of these types of software require these documents?

Yes, both downloadable software and SaaS options require these documents.  

We have hardware such as microphones, USB drives, keyboards, and mice that break and need to be replaced regularly. Will we need to request these documents every single time, even if we use an approved vendor such as Amazon? How can we determine whether we need a VPAT and HECVAT for hardware purchases?

For some technology, such as the items listed in this question, you do not need to collect the HECVAT and VPAT, but for others, like Smart TVs, you will. See the Guidelines for Purchasing Technology Products for details. If you have questions about hardware standards you can email itam@uark.edu.

A cybersecurity review for a hardware purchase is required if any of the following are true:

  • the hardware contains a software component that provides login or authentication capabilities
  • the hardware will connect to the University network
  • the hardware interacts with software on a computer

Is it possible to buy directly from the vendor rather than from a retailer?

In many cases this is possible. You would need to reach out to the vendor or manufacturer directly. Some products are university standards, and the established purchasing processes for those should be followed where applicable.

In some cases I am buying a product from a retailer or reseller. How can I get these documents?

Often resellers will not have these documents, and you may need to reach out to the manufacturer to obtain them.

Is there a way for me to know what other departments are using the software?

This information is not always readily available, but you can request it by emailing contract@uark.edu.

Will these rules eventually be adopted by campus procurement and handled within Workday?

Because of the nature of these reviews and the teams that review them, this will remain the responsibility of IT and not procurement.  

Can we add these documents to Payment Works if they are necessary?

This question has been presented to procurement, and at this time this is not an option in the Payment Works system.

If many departments and units are using the software, is IT Services Contract Team investigating enterprise level purchasing? If so, will they also handle the HECVAT and VPAT? Are we moving to a model where this will be centrally managed?

In some cases where this makes sense, we are exploring this option and working with campus users to determine cost sharing and to assist with negotiations for better enterprise pricing. This does not make sense for all technology purchases. We are working through options not only for consolidating individual departmental purchases into a single contract, but also for looking at tools that perform similar tasks to see if and when there are opportunities for streamlining support, adoption, and cost savings. In cases where IT Services manages enterprise licenses, we will collect these documents for review.

I am having a difficult time understanding if I need these documents. What do I do?

You can check the Compliance Catalog to see if the product has already been reviewed, and look at the Guidelines for Purchasing Technology Products for details. If you still have questions, you can always email contract@uark.edu about specific products. There are many different factors that we can discuss.


For any assistance with IT related purchases, please email contract@uark.edu
