Body
For step-by-step instructions for handling VPAT and HECVAT requests, reviews, and submissions, see our Cybersecurity (HECVAT) and Accessibility (VPAT) Requirements for Technology Purchases article.
To ensure that university technology purchases meet federal, state, and board requirements for cybersecurity and accessibility, all university technology purchases (software and hardware) are required to undergo cybersecurity and accessibility review before legal review or purchase (including renewals). Both a Higher Education Community Vendor Assessment Toolkit (HECVAT) and a Voluntary Product Accessibility Template (VPAT) (or Accessibility Conformance Report (ACR)) is required from the vendor for each individual product being purchased. These documents are reviewed to ensure they meet regulations and that we are providing a safe and accessible experience for our campus community.
The ITI (Information Technology Industry) Voluntary Product Accessibility Template (ITI VPAT®) is a free template that presents testing criteria developed from accessibility requirements and standards to help buyers of technology confirm that the technology is accessible and has accessibility features. A VPAT is used to document a product’s conformance with accessibility standards and guidelines. Once filled out it is generally referred to as an ACR (Accessibility Conformance Report).Products and services are tested against each section of the VPAT, and the template is used to document results.
The person requesting the software is responsible for requesting the VPAT from the vendor. In some cases the requestor's tech partner can assist if the vendor has technical questions.
VPATs should be requested when asking for a quote from the vendor and must be obtained and reviewed before legal review or a Workday requisition. We recommend requesting the VPAT as soon as possible. If you know that a purchase or renewal is coming up, you can submit the VPAT review request in advance, instead of waiting until the product is up for renewal. Keep in mind that reviews expire after 12 months. The review process takes about a week or two but can vary. Plan for longer review times during busy purchasing periods such as July or the start of semesters.
Both downloadable desktop installed software and online software as a service (SaaS) require VPATs and HECVATs.
Ideally, the vendor's development team or a third party accessibility expert will complete the VPAT.
The State of Arkansas is required to comply with the provisions of Arkansas Code Annotated §25-26-201 et seq., as amended by Act 308 of 2013 and the Government-wide Section 508 Accessibility Program prior to procuring a technology product or when soliciting the development of such a product. Arkansas Code §25-26-201 expresses the policy of the State to provide individuals who are blind or visually impaired with access to information technology purchased in whole or in part with state funds. To reach this goal, those responsible for making decisions about which products to procure must consider accessibility as one of the criteria for acquisition. This is especially critical for enterprise-level systems and other technologies that affect a large number of students, faculty, and/or staff.
Technology products (software and hardware) that are purchased through the university should have a VPAT acquired before purchase. The VPAT must then be reviewed before purchasing the technology product.
A VPAT must be acquired for any new IT purchases of software or hardware.
See Cybersecurity (HECVAT) and Accessibility (VPAT) Requirements for Technology Purchases for the process for VPAT review for IT purchases.
Manufacturers or vendors may have already completed VPATs and/or created Accessibility Conformance Reports (ACRs) for their products. Check the university's VPAT/Accessibility and HECVAT/Security Review Compliance Catalog. If the product is not listed, check the manufacturer/vendor’s website or contact the manufacturer/vendor to request the VPAT for the product.
If the manufacturer or vendor does not have a VPAT for the product you wish to purchase, you will need to contact the manufacturer, vendor, or reseller and request that one be completed for their product.
The Original Equipment Manufacturer (OEM) is usually the best source to conduct the testing necessary to complete the VPAT, but a reseller may also complete the VPAT.
To create their product’s VPAT per your request, the manufacturer, vendor, or reseller will need to go to the ITI VPAT page and complete the VPAT 2.5 WCAG (November 2023) (Word DOCX) for web-based and mobile applications or the VPAT 2.5 508 (November 2023) (Word DOCX) for desktop applications. Instructions for completing the VPAT can be found at VPAT Training.
Once completed, the VPAT with documented testing results is referred to as an Accessibility Conformance Report (ACR) that details the accessible features of the tested product or service. If the vendor cannot provide a VPAT, or if the VPAT is delayed, submit a review request and explain the situation in the "Questions, Comments, or Details" field.
Complete the VPAT Review request form, attach the VPAT from the vendor, and submit the form.
See the Accommodations and Accessibility Services page on Procuring Accessible IT for more information.
VPAT Scoring
Our VPAT scoring is done using a rubric based on a rubric used by the state of Minnesota combined with other criteria specific to the needs of the university. The rubric balances two features of the VPAT, the number of WCAG 2.0 criteria that the vendor has marked as "Supported" and the evaluation methods and documentation that they include that shows that the software does indeed support these criteria.
The Total VPAT Score is and average of Criteria Score and Documentation Score. If the total score is 2.5 it should be rounded down to 2.
Criteria
- Clearly lacks significant accessible functionality. Supports 25% or less of applicable A, AA, and Revised Section 508* success criteria.
- Supports 26 - 49% of applicalbe A, AA, and Revised Section 508* criteria. A score of 2 indicates that the vendor has determined their software has major accessibility issues.
- This is an average score. Supports 50-75% of applicable A, AA, and Revised Section 508* criteria
- Supports more than 75% of applicable A, AA, and Revised Section 508* criteria
- Supports 95% or more of applicable A, AA, and Revised Section 508* criteria.
* Revised Section 508 is only required for non-web content
Documentation
- Provides little or no data. Has poor evaluation/documentation. Poor evaluation/documentation means that there is not enough data to be assured of accessibility or to be confident in the vendor’s ability to improve the solution’s accessibility.
- Has some evaluation/documentation, but lacks detail.
- Has good evaluation/documentation
- Vendor’s information indicates knowledge of how the solution supports each criterion and there is sufficient data to negotiate future improvements.
- The vendor demonstrates extensive knowledge of accessibility and is able to illustrate how the solution supports most or all criteria. Where the solution does not support criteria, the vendor provides a documented roadmap toward future compliance.
Please note the TDX ID for reference after receiving VPAT approval.
Digital Accessibility Meeting
This isn't currently done for VPAT Reviews. A more streamlined risk assessment and accessibility testing process is in development for cases of no VPAT or a VPAT with a score of 3/5 or lower.
Risk Assessment
The review process will begin with a meeting via Teams with a member of the Digital Accessibility Team and the asset owner and/or functional/technical lead to go through the risk assessment survey together.
The assessment result will be low risk or high risk:
- Low Risk = It will be approved for use but we will need a VPAT from the vendor prior to contract renewal next year.
- High Risk = It will only be approved once we get a written commitment from the vendor to provide an acceptable VPAT prior to contract renewal next year.
If access to the software has not been provided, the Digital Accessibility Team member will do an over-the-shoulder review during this meeting.
Hands-on testing, review, and scoring of the asset will then be completed by a Digital Accessibility Team member.
A hands-on review and testing of the asset will be completed using:
- JAWS screen reader
- NVDA screen reader
- if web-based: web browser plug-ins, such as WAVE, Colorzilla, and link checkers
- basic mobile tests with iOS and Android devices
Both JAWS and NVDA are used because even though they are similar there are different behaviors within the applications. If testing is done with only one screen reader, JAWS will be used since it’s the most commonly used screen reader for Windows PCs