Cybersecurity and Accessibility Requirements for Technology Purchases

Summary

Process for reviewing cybersecurity and accessibility of IT-related purchases.

Body

Audience: Staff who make or request purchases

Responsible Group: Accessibility Review

Overview

To ensure that all technology purchases meet federal, state and board requirements for cybersecurity and accessibility, departments and requestors are required to submit vendor cybersecurity and accessibility documentation for review before sending the purchase to legal review or purchasing the product through PCard, Requisitions or Supplier Contracts in Workday.

Staff members should request both a Higher Education Community Vendor Assessment Toolkit (HECVAT) and a Voluntary Product Accessibility Template (VPAT), also known as an Accessibility Conformance Report (ACR), from the vendor.

The university has teams who review these documents to ensure they meet regulations and that we are providing a safe and accessible experience for our campus community.

This is a new process that you will encounter when submitting requisitions in Workday for IT-related purchases. As our vendor/software database grows, the process should become more streamlined, especially with renewals. Details on this process are provided below.

To avoid purchase delays, please collect and submit these documents as early as possible; submitting them at the start of the quote process can help reduce purchasing delays. The review process can take 1 to 2 weeks, so please plan accordingly when making IT purchases.

Note:

  • All IT purchases must undergo a cybersecurity and accessibility review before the purchase can be completed.
  • HECVATs and VPAT/ACRs should be relevant and up to date for each purchase, including all renewals.
  • HECVATs and VPAT/ACRs are needed for each individual product being purchased from a vendor.

Process

Link to text version of HECVAT & VPAT Process

HECVAT and VPAT process for IT purchases

Updating this article

If this article needs to be updated, please leave feedback on this article and it will notify the owner of the article.

Review forms

Details

Article ID: 785
Created: Wed 11/13/24 3:27 PM
Modified: Wed 11/13/24 3:46 PM
Audience: Staff
Related Policies: Procurement, Ark. Code Ann § 19-11-203(20)(A), Fayetteville Policies and Procedures 960.0, Fayetteville Policies and Procedures 204.2, General Data Protection Regulation (GDPR) Policy, University of Arkansas System Board Policy 285.1, Fayetteville Policies and Procedures 922.0, Fayetteville Policies and Procedures 900.0, University of Arkansas System Board Policy 280.1

Related Articles

Frequently asked questions about IT purchases and their VPAT & HECVAT review process.
When purchasing third-party software or hardware, university personnel must obtain a HECVAT for the product from the vendor.

Related Services / Offerings

The HECVAT is a questionnaire designed for higher education to evaluate a vendor’s security risks and confirm that the vendor has implemented data and security policies.
Technology products (software and hardware) that are purchased through the university should have a VPAT acquired before purchase. The VPAT must then be reviewed before purchasing the technology product.