To ensure that university technology purchases meet federal, state, and board requirements for cybersecurity and accessibility, all software and hardware purchases are required to undergo cybersecurity and accessibility review before purchase (including renewals). Both a Higher Education Community Vendor Assessment Toolkit (HECVAT) and an ITI (Information Technology Industry) Voluntary Product Accessibility Template (ITI VPAT®) or Accessibility Conformance Report (ACR) are required from the vendor for each individual product being purchased. The VPAT presents testing criteria developed from accessibility requirements and standards to help buyers of technology confirm that the technology is accessible and has accessibility features. The HECVAT is a vendor questionnaire used to evaluate the vendor’s security risks and confirm that the vendor has implemented information, data, and cybersecurity policies to protect university data when using the vendor’s product.
Both downloadable desktop installed software and online software as a service (SaaS) require VPATs and HECVATs.
Check the VPAT and HECVAT Review Compliance Catalog
Manufacturers or vendors may have already completed VPATs and/or created Accessibility Conformance Reports (ACRs) for their products. Check the VPAT/Accessibility and HECVAT/Security Review Compliance Catalog to see if a VPAT and a HECVAT have already been acquired for the software or hardware you wish to purchase. Any time software is purchased or renewed, the compliance catalog should be checked, and if the software is not currently listed, a new review request must be submitted. Reviews are valid for 12 months.
VPAT and HECVAT Compliance Catalog
Include the IDs, Last Reviewed dates, and VPAT score from the Compliance Catalog when purchasing.
If the product is not listed in the VPAT and HECVAT Review Compliance Catalog
If the product is not listed, check the manufacturer's or the vendor’s website or contact the manufacturer or vendor to request the VPAT and HECVAT for the product. Often resellers will not have these documents, and you may need to contact the manufacturer. If the manufacturer, vendor, or reseller does not have a VPAT or HECVAT for the product you wish to purchase, you will need to request that these be completed for their product.
The person purchasing the software or hardware is responsible for requesting the VPAT and HECVAT from the vendor. In some cases, the requestor's tech partner can assist if the vendor has technical questions. Ideally, the vendor's security team will complete the HECVAT, and the vendor's development team or a third-party accessibility expert will complete the VPAT.
If the software or hardware is not listed in the Compliance Catalog, request a fully completed HECVAT and VPAT/ACR from the vendor.
If the vendor does not have a current HECVAT and/or VPAT/ACR for the product, request that they complete:
A vendor VPAT and HECVAT request template is available for you to use when requesting a VPAT and HECVAT from a vendor.
If a vendor is unable to provide a HECVAT and/or VPAT
Request alternative documents
If the vendor is unable to provide a HECVAT and/or VPAT, request that they send alternative cybersecurity and accessibility documents. Attach these documents to the HECVAT/Cybersecurity Review and VPAT/Accessibility Review tickets.
See a list of possible alternative documents that the vendor can provide.
Submit review requests without documentation
If a vendor is unable to provide alternative documentation, you can still submit the review requests with no attached documents, and the cybersecurity and accessibility teams will conduct a review without documentation.
Submit for Review
As soon as the documents are received from the vendor, submit them for review. We recommend requesting the VPAT and HECVAT reviews at the start of the quote process as HECVATs and VPATs must be obtained and reviewed before legal review or a Workday requisition.
If the vendor is in the process of preparing a HECVAT and VPAT, you can submit the review tickets without documents attached, and attach the HECVAT and VPAT to your tickets after you have obtained them from the vendor.
If you know that a purchase or renewal is coming up, you can submit the VPAT and HECVAT review requests in advance instead of waiting until the product is up for renewal. The review process can take 1 to 2 weeks, so plan accordingly when making IT purchases. Plan for longer review times during busy purchasing periods such as July or the start of semesters. Keep in mind that reviews expire after 12 months.
Request a VPAT Review
Request a HECVAT/Cybersecurity Review
The review process can take several weeks, so plan accordingly.
Purchasing
You will include the ticket IDs from the VPAT Review and HECVAT Review tickets in the Workday purchase transaction.
Before submitting for legal review, the HECVAT and VPAT reviews must be complete. In the comment section, you can add the ticket numbers for the HECVAT and VPAT reviews.
Submit the ticket numbers or Compliance Catalog information with the purchase requisition. When you have all appropriate reviews complete, include the following in your requisition memo/comment section or PCard transaction verification:
- IDs (from Compliance Catalog) or ticket numbers (if reviewed)
- Last Reviewed dates (from Compliance Catalog) or expiration dates (if reviewed)
- VPAT score
- any comments from the HECVAT or Cybersecurity reviews
Include all items so that IT and EProcurement teams can see that they have been successfully reviewed.
Support
If you have questions, you can email the contracts team at contract@uark.edu.