Body
Audience: Staff who make or request purchases
Responsible Group: Contracts Team
Overview
To ensure that all technology purchases meet federal, state and board requirements for cybersecurity and accessibility, departments and requestors are required to submit vendor cybersecurity and accessibility documentation for review before sending to legal review or purchasing the product through PCard, Requisitions, or Supplier Contracts in Workday.
Staff members should request both a Higher Education Community Vendor Assessment Toolkit (HECVAT) and a Voluntary Product Accessibility Template (VPAT), also known as an Accessibility Conformance Report (ACR), from the vendor if the vendor is not listed in the Compliance Catalog.
The university has teams who review these documents to ensure they meet regulations and that we are providing a safe and accessible experience for our campus community.
This is a new process that you will encounter when submitting requisitions in Workday for IT related purchases. As our vendor/software database grows, the process should become more streamlined, especially with renewals. Details on this process are provided below.
To avoid purchase delays, please collect and submit these documents as early as possible. If you collect and submit these forms at the start of the quote process, it can help to reduce purchasing delays. The review process can take 1 to 2 weeks, so please plan accordingly when making IT purchases.
Notes:
- All IT purchases must undergo a cybersecurity and accessibility review before the purchase can be completed.
- HECVATs and VPAT/ACRs should be relevant and up to date for each purchase, including all renewals.
- HECVATs and VPAT/ACRs are needed for each individual product being purchased by a vendor.
Process
1. Check Compliance Catalog
View the VPAT/Accessibility and HECVAT/Security Review Compliance Catalog in the help.uark.edu knowledge base to see the list of software that has already been reviewed.
If the software is listed in BOTH the VPAT/Accessibility Reviews section and the HECVAT/Cybersecurity Review section of the Compliance Catalog, you may skip to legal review.
2. Collect documents from vendor
If the software is not listed in the Compliance Catalog, you must request a fully completed HECVAT and VPAT/ACR from the vendor.
If the vendor does not have a current HECVAT and/or VPAT/ACR for the software, request that they complete:
3. Submit completed documents for review
As soon as the documents are received from the vendor, submit them for review.
The review process can take several weeks, so please plan accordingly.
4. Submit for legal review
Fill out the legal review form and email this to legal. Before you submit for legal review, the HECVAT and VPAT review must be complete. In the comment section you can add the ticket #s for HECVAT and VPAT reviews. To avoid purchasing delays, submit VPAT and HECVAT review requests as soon as possible.
5. Submit ticket number and VPAT/HECVAT information with requisition
When you have all appropriate reviews complete, include the following in your requisition memo/comment section or PCard transaction verification:
- IDs (from Compliance Catalog) or ticket numbers (if reviewed)
- Last Reviewed dates (from Compliance Catalog) or expiration dates (if reviewed)
- VPAT score
- any comments from the HECVAT or Cybersecurity reviews
Include all items so that IT and EProcurement teams can see that they have been successfully reviewed.
Review Request Services
Frequently Asked Questions
Updating this article
If this article needs to be updated, please leave feedback on this article and it will notify the owner of the article.