To ensure that all technology purchases meet federal, state and board requirements for cybersecurity and accessibility, departments and requestors are required to submit vendor cybersecurity and accessibility documentation for review before sending to legal review or purchasing the product through PCard, Requisitions or Supplier Contracts in Workday. Below are frequently asked questions about the purchasing process.
Frequently Asked Questions
If a vendor provides a VPAT or HECVAT that is 2–3 years old, is it still considered valid for review, or would an updated version be required?
This depends. In many cases, if the product has not changed, vendors may have older versions of these documents that are still applicable. However, if the product has changed significantly, a new document may be needed.
Before providing the HECVAT or VPAT, the vendor wants me to sign an NDA. Is there anyone I can contact about this?
Yes, please email General Counsel (Legal) at gckrev@uark.edu to inquire about how to handle NDAs.
How does the HECVAT or VPAT review score affect a purchase?
If a technology does not meet cybersecurity standards, the cybersecurity team may ask to work with the vendor to remediate these issues before purchasing can occur. The score given for accessibility may not prohibit the continuation of a purchase, but it is something to take note of when using the technology, and it is important to keep in mind when something is not accessible to all users. If the technology is required for staff or students, or it impacts a large number of campus users, we may need to work with the vendor to remediate accessibility issues.
Do we need a HECVAT and VPAT for purchases such as applications and subscriptions?
For applications, yes. Subscriptions are trickier. For example, a subscription to the New York Times would not require these documents, but a subscription to statistical software would. If you have questions about a specific product, email contract@uark.edu.
Do the HECVAT and VPAT also apply to app stores like Meta and Steam?
The HECVAT will not apply to Meta and Steam at this time, but a VPAT may be required.
When purchasing digital ad space from Google, LinkedIn, and Facebook, is it required to have a HECVAT or VPAT?
No, these reviews are not required when purchasing digital ad space.
We have hardware such as microphones, USB drives, keyboards, and mice that break and need to be replaced regularly. Will we need to request these every single time, even if we use an approved vendor such as Amazon? How can we determine if we need a VPAT and HECVAT for hardware purchases?
For some technology, such as the items listed in this question, you do not need to collect the HECVAT and VPAT, but for others, like Smart TVs, you will. See the Guidelines for Purchasing Technology Products for details. If you have questions about hardware standards, you can email itam@uark.edu.
A cybersecurity review for a hardware purchase is required if the hardware will connect to the University network.
Is there a way for me to know what other departments are using the software?
This information is not always readily available, but you can request it by emailing contract@uark.edu.
Will campus procurement eventually adopt these rules and handle them within Workday?
Because of the nature of these reviews and the teams that review them, this will remain the responsibility of IT and not procurement.
Can we add these documents to Payment Works if they are necessary?
This question has been presented to procurement, and this is not an option in the Payment Works system at this time.
If many departments and units are using the software, is the IT Services Contract Team investigating enterprise-level purchasing? If so, will they also handle the HECVAT and VPAT? Are we moving to a model where this will be centrally managed?
In some cases where this makes sense, we are exploring this option and working with campus users to determine cost sharing and assisting with negotiations to get better enterprise pricing. This does not make sense for all technology purchases. We are working through options not only for consolidating individual departmental options into a single contract but also for looking at functions and tools that do similar tasks, to see if and when there are opportunities for streamlining support, adoption, and cost savings. In cases where IT Services manages enterprise licenses, we will collect these documents for review.
Support
If this article needs to be updated, please leave feedback on it; the owner of the article will be notified.
For any assistance with IT-related purchases, please email contract@uark.edu.