FAQs: Cybersecurity and Accessibility Requirements for Technology Purchases

Audience: Staff who make or request purchases

Responsible Group: Accessibility Review

Overview

To ensure that all technology purchases meet federal, state and board requirements for cybersecurity and accessibility, departments and requestors are required to submit vendor cybersecurity and accessibility documentation for review before sending the purchase to legal review or purchasing the product through PCard, Requisitions or Supplier Contracts in Workday. Below are frequently asked questions about the purchasing process.

Frequently Asked Questions

1. What is a HECVAT and why do I need one?

 The HECVAT (Higher Education Community Vendor Assessment Toolkit) is a questionnaire designed for higher education to evaluate a vendor’s cybersecurity risks and confirm that the vendor has implemented data and security policies. When purchasing third-party software or hardware, university personnel must obtain a HECVAT for the product from the vendor to confirm that information, data, and cybersecurity policies are in place to protect university data when using the vendor’s product.

2. What is a VPAT/ACR and why do I need one?

  • A VPAT (Voluntary Product Accessibility Template) is a template used to document a product’s conformance with accessibility standards and guidelines. Once filled out it is generally referred to as an ACR (Accessibility Conformance Report).
  • The State of Arkansas is required to comply with the provisions of Arkansas Code Annotated §25-26-201 et seq., as amended by Act 308 of 2013 and the Government-wide Section 508 Accessibility Program prior to procuring a technology product or when soliciting the development of such a product. Arkansas Code §25-26-201 expresses the policy of the State to provide individuals who are blind or visually impaired with access to information technology purchased in whole or in part with state funds.
  • To reach this goal, those responsible for making decisions about which products to procure must consider accessibility as one of the criteria for acquisition. This is especially critical for enterprise-level systems and other technologies that affect a large number of students, faculty, and/or staff.

3. Which IT products need a HECVAT and VPAT/ACR?

Almost all IT-related purchases (software, hardware, etc.) require these documents. If you have questions, you can email the contracts team at contract@uark.edu for advice.

4. How long does the review process take?

The review process takes about a week or two but can vary. Plan for longer review times during busy purchasing periods such as July or the start of semesters.

5. When in the procurement process should I request the documents?

VPAT/ACRs and HECVATs should be requested when asking for a quote from the vendor. They should be obtained and reviewed before legal review or before a requisition is put in Workday. If you do not get the documents beforehand, you will be prompted to ask for them, and your purchase will be put on hold until the process is complete.

6. Are HECVATs and VPAT/ACRs required for renewals?

Yes, these documents are required for renewals.

7. Who fills out the HECVAT and VPAT/ACR?

The vendor is responsible for filling out the documents.

8. What do I do if the vendor won’t provide a HECVAT or VPAT/ACR?

If the vendor won’t provide these documents, please email the contracting team at contract@uark.edu for assistance and advice.

9. How can I see if the university already has an updated HECVAT or VPAT/ACR for this product?

Email the contracting team at contract@uark.edu and ask whether an updated HECVAT or VPAT/ACR is already on file.

10. How does the HECVAT or VPAT/ACR review score affect a purchase?

If a technology does not meet cybersecurity standards, the cybersecurity team may ask to work with the vendor to remediate these issues before purchasing can occur. The score given for accessibility may not prohibit the continuation of a purchase, but it is something to take note of when using the technology. It’s important to keep in mind when something is not accessible to all users. If the technology is required for staff or students, or it impacts a large number of campus users, we may need to work with the vendor to remediate accessibility issues.

Access

If this article needs to be updated, please leave feedback on it and the owner of the article will be notified.

For any assistance with IT-related purchases, please email contract@uark.edu.
