Sonoma State University
computer cpu

Information Technology

Division of Administration & Finance

Get IT Help

IT Purchasing Requirements

Section 508 of the Rehabilitation Act mandates that agencies procuring Information and Communications Technology (ICT) products consider accessibility of the product before making the purchase.  Vendors are asked to use the Voluntary Product Accessibility Template (VPAT) to disclose the level of a product’s accessibility conformance, so that buyers can compare similar products and make informed purchasing decisions.

Reading and interpreting a VPAT can be challenging:

Don't Worry!

If you are making an ICT purchase for SSU, Information Technology will review the VPAT.

  • They use the language of technical specifications.
  • They refer to complicated US and European government codes and international accessibility guidelines.
  • They list and describe accessibility principles that buyers may not be familiar with.
  • Not all vendors are equally good at writing VPATs.
  • There are different versions of the VPAT template, so older VPATs include different information than newer VPATs.
  • There is no summary statement that says “Yes this is accessible!”

This document describes the parts of a VPAT, so reading and understanding them will be a little easier for SSU employees who purchase technology products.

Parts of a VPAT

Here is an example of a VPAT 2.x (PDF, 31 pages)

For information about VPAT 1.x, see below (link to anchor).

The VPAT includes several parts:

  • A summary of VPAT product details
  • Applicable Standards/Guidelines
  • Accessibility Conformance Report (ACR) table(s)  
  • Some VPATs also include information and instructions for the vendors who fill out the VPAT, but this is usually omitted.

Summary

The summary briefly lists several general details about the product and VPAT.

  • Product Name
  • VPAT Date
  • Contact information
  • Evaluation Methods used
  • Notes
  • Some vendors might add additional details.

Here’s a screenshot from the VPAT for Microsoft Word.

Screenshot of summary information in VPAT for Microsoft Word

Applicable Standards/Guidelines

This section indicates which standards and guidelines were used to develop the product. These will refer to Web Content Accessibility Guidelines (WCAG) 2.0, Section 508, and EN 301 549 (the European Union’s accessibility requirements).   

Some vendors will also include WCAG 2.0 levels of conformance used when developing the product, as well. There are three levels of conformance:  A, AA and AAA.

Note: This table does NOT summarize the overall accessibility of the product.

Here is a screenshot of the Applicable Standards/Guidelines section of the VPAT for Adobe Dreamweaver.

Screenshot of Applicable Standards/Guidelines table in VPAT for Adobe Dreamweaver

Accessibility Conformance Report (ACR)

The ACR is a table or series of tables listing each of the success criteria.

Usually, the ACR is organized by WCAG’s Principles, also known as POUR.

  • Principle 1: Perceivable - Information and user interface components must be presentable to users in ways they can perceive.
  • Principle 2: Operable - User interface components and navigation must be operable.
  • Principle 3: Understandable - Information and the operation of user interface must be understandable.
  • Principle 4: Robust - Content must be robust enough that it can be interpreted reliably by a wide variety of user agents, including assistive technologies.

The ACR has a table(s) comprised of three columns:

  • Success Criteria - a brief title or description of each applicable WCAG 2.0 criterion, often with a link to the full text of the criterion on WCAG’s website. Sometimes the related Section 508 and EN 301 549 criteria will be listed in the same table cell, especially if the product is a combination of multiple types of ICT (e.g. electronic content, software, hardware, and support documentation and services) and/or the product is sold in Europe.
  • Conformance Level - there are five standard levels of conformance.
    • Supports: The functionality of the product has at least one method that meets the criterion without known defects or meets with equivalent facilitation.
    • Supports with Exceptions: Some functionality of the product does not meet the criterion. Some vendors use the phrase “Partially Supports” instead of “Supports with Exceptions.”
    • Does Not Support: The majority of product functionality does not meet the criterion.
    • Not Applicable: The criterion is not relevant to the product.
    • Not Evaluated: The product has not been evaluated against the criterion. This can be used only in WCAG 2.0 Level AAA
  • Remarks and Explanations - this should be detailed remarks justifying a successful level, or explaining how the product does not meet the requirement.

Here is a sample screenshot of two rows from an ACR for a content repository product. This shows the response for WCAG criteria 1.1.1 Non-text Content, and 1.2.1 Audio-only and Video-only. You can view the same information in the product’s actual VPAT (PDF) here (scroll to page 3).

Screenshot of part of a conformance report table

Notice that in the Remarks and Explanations column, the vendor has described where the success criterion applies (“all images used to represent functionality…”), and where it does not (images that have been uploaded by users to the content areas).  

Older VPATs

Before Section 508 was updated in 2017 (knows as “Section 508 Refresh”), the VPAT had slightly different criterion, which were not closely associated with WCAG 2.0.  Some vendors have not updated their VPATs to the newer version, so you may encounter VPATs that refer to the following technology categories, each with their own success criteria.

  • 1194.21 - Software Applications and Operating Systems
  • 1194.22 - Web-based Intranet and Internet Information and Applications
  • 1194.23 - Telecommunications Products
  • 1194.24 - Video or Multimedia Products
  • 1194.25 - Self Contained, Closed Products
  • 1194.26 - Desktop and Portable Computers
  • 1194.31 - Functional Performance Criteria
  • 1194.41 - Information, Documentation, and Support

Older VPATs still require the vendor to indicate the level of conformance for each Section 508 criteria, using the same conformance levels: Supports, Supports with Exceptions, Does Not Support, Not Applicable and Not Evaluated.

Vital to the success of accessibility at Sonoma State University is the adoption of accessibility standards for purchasing electronic and IT systems including web applications, hardware, software, telecommunications, multimedia and products such as copiers, fax machines, information kiosks, etc. As the University acquires new resources, they must comply with Section 508 because we are using public funds.

Procurement Process for IT

Before making IT-related purchases, employees must follow the procedure below to initiate an accessibility review.

  1. Obtain a Voluntary Product Accessibility Template (VPAT) for all IT-related purchases, excluding standard IT Hardware.
  2. Fill out the online IT Purchase Review request form (Seawolf login).
    1. Upload or provide a URL for the VPAT in the IT Purchase Review request form.
    2. If you cannot find a VPAT, IT will search for one.
  3. For some Cloud storage & services only, you may also need to fill out the Department Cloud Usage Checklist (Seawolf ID required).  IT will let you know if this is required, and will provide assistance.  Additional information about the Cloud procurement process is available here.
  4. For some software and web procurements, an Equally Effective Accessible Alternate Access Plan (EEAAP) will need to be developed. IT will let you know if this is required, and will provide assistance.
  5. Once approved by IT, send the IT Purchase Review, VPAT, EEAAP, and CSU Data Requirements Checklist to Procurement & Contract Services along with your EREQ via email at ereq@sonoma.edu.
    1. If the product is free, you will submit an EREQ for zero dollars.

Please contact IT at technology.purchase@sonoma.edu with any questions about this process.

A flowchart of this process is also available.

 

IT Procurement Impact Matrix
Risk LevelImpact FactorsReview Level
Public FacingRequired for Class or Work# of Users
High
(If any of the impact factors is Yes)		YesYes≥100
  • Critical Review and file VPAT
  • EEAAP if VPAT is not available or fails to meet standards
  • Collaboration with DSS for product testing
  • Request  vendor to demo accessibility features
Low
(All impact factors match)		NoNo<100
  • Review and file VPAT
  • Or EEAAP if VPAT is not available
  • Request  vendor to demo accessibility features [optional]

 

 

This flowchart illustrates the Procurement Process for Accessible IT, using the IT Purchase Review Form (Seawolf ID required) and Department Cloud Usage Checklist (Seawolf ID required).

Purchase Review process flowchart. See description below.

Full Text

  1. Requester: Research and select a product
  2. Requester: Obtain a VPAT  (If you can not find a VPAT, skip to next step)
  3. Requester: Fill out IT Purchase Review Form (Seawolf ID required)
  4. IT: IT reviews request
  5. IT: Decision - Can it be supported by IT?
    • Yes: skip to next step
    • No: IT notifies you and indicate possible options (end)
  6. IT: Decision - Is product cloud-based?
  7. IT: Is an accessibility review required?
    • Yes: IT reviews the product and works with you to develop an EEAAP, if needed
    • No: skip to next step
  8. IT: IT sends you the approved review
  9. Requester: Send the approved review, DCUC and EREQ to Procurement
  10. Procurement: Procurement reviews the request and works with you on next steps.

 

  1. Once an IT Purchase Review request is submitted, IT reviews the request and creates a Help Desk Ticket for the requested product
  2. Freshservice generates the following message that is automatically emailed to the requester and the Software Procurement Team:

    We received your software purchase request and has passed our initial review.  To complete the procurement process, the software must go through an accessibility review. We will work with the software vendor to obtain a Voluntary Product Accessibility Template (VPAT).  If the vendor does not have a valid VPAT, we will contact you about creating a full Equally Effective Alternative Access Plan.

    Once completed, you will be cleared to submit the software in an EREQ to Contracts and Procurement for a final review.  More information is available on our IT Purchasing Requirements website.
  3. Upon receipt of the Help Desk Ticket email, the Software Procurement Team can now begin the review process
    1. For software that has been previously purchased and used on campus (standards/renewals):
      1. The Software Procurement Team will pull the most current VPAT on file for the product requested
      2. The VPAT must still be reviewed to be sure it applies to the version of the product being requested
    2. If the requester provides a VPAT from the vendor:
      1. The Software Procurement Team will review VPAT. (See How do I interpret a VPAT?)
    3. If the VPAT is not provided by the requester, the Software Procurement Team will work with the vendor on obtaining one.
    4. In the event that the vendor does not have a current VPAT on file or the VPAT provided is not fully compliant, the requester will be asked to provide a statement of responsibility in lieu of an Equally Effective Alternate Access Plan (EEAAP). The following message is sent to the requester.

      Unfortunately, the vendor has not provided me with a VPAT. Please provide a statement that you will be responsible for working with any users who require accommodation and will continue to work with the vendor to create a VPAT for the future. This is in lieu of creating a full Equally Effective Alternative Access Plan and to meet the requirements of the Sec 508 law stating that we will continue to work with suppliers to have their software be accessible for its users.
      1. If the requester knows ahead of time that the vendor does not have a VPAT, they can submit their statement of responsibility in the original IT Purchase Review request.
      2. Below is an acceptable statement:

        We will be responsible for working with any users who require accommodation and will continue to work with the vendor to obtain a VPAT. This is our plan in lieu of creating a full Equally Effective Alternative Access Plan and to meet the requirements of the Sec 508 law. 
  4. After review, the approved VPAT and/or statement of responsibility is attached to the Footprints Ticket.
    1. IT Purchase Reviews are logged in the IT Certification Record (includes both hardware and software)
    2. Copies are filed in the Procurement (IT Purchase Review, ATI, VPAT) Team Drive
    3. All VPATs are filed by product name
  5. If the software is deemed a cloud service, the requester will receive the following message.

    SOFTWARE NAME, for which you recently requested an IT Purchase Review, appears to be a cloud service. Per the SSU Cloud Procurement Standard and the CSU Cloud Storage and Security Standard, you are required to sign in and fill out the Department Cloud Usage Checklist (Seawolf ID required). The Department Cloud Usage Checklist elaborates on what kind of data is being stored or shared with a third party, and how it will be accessed. If you have any questions or need any assistance filling out the Department Cloud Usage Checklist, please contact us at iso-procurement@sonoma.edu. You are welcome to email us your questions, request a phone meeting, or request an in-person meeting.
     
    1. This part of the process is handled by the Security Procurement Team.
  6. Once all appropriate documents have been received and reviewed, the status of the Footprints ticket is updated by the Software Procurement Team and the following message is generated for the requester

    This software has successfully gone through the software procurement process and is certified for purchase by Information Technology.  You may now submit the software in an EREQ to Contracts and Procurement for a final contract review.
    1. The requester can attach the approval email from Freshservice to their EREQ. IT’s review process is now complete and the Help Desk ticket can be closed.

The items listed below require an IT Purchase Review regardless or whether the purchasing department is requesting support from IT for that equipment. IT Purchase Review is required to ensure that equipment meets SSU and CSU standards for computing, accessibility, and are compatible in Sonoma State's networked computing environment.  Contact technology.purchase@sonoma.edu for any questions regarding the IT Purchase Review process.

The IT Purchase Review request form is available on IT's Help site.

Computer and Audio/Video items:

  • Computers, servers, and internal computer hardware
  • Monitors
  • Printers, Fax Machines, Scanners
  • Tablets (iPads, Samsung Galaxy, Surfaces, etc.)
  • Video projectors

Network Devices:

  • Routers
  • Switches
  • Hubs
  • Firewalls

Software and Cloud Services:

SSU requires that all software and cloud service purchases receive an IT Purchase Review. This includes any software and cloud services that are free, require users to log in, or have an end user license agreement (EULA).

Websites

  • Custom website development
  • Mobile development
  • Off-campus website hosting
  • Domain name registration

VPAT, or Voluntary Product Accessibility Template, is a document prepared by a product developer or vendor.  It describes how well the product conforms to the accessibility standards of Section 508 of the Rehabilitation Act.

The purpose of a VPAT is to help buyers of Information and Communication Technology (ICT)  make informed decisions before purchasing a product:

  • Understand a product’s level of accessibility compliance.
  • Compare compliance of similar products.
  • Choose a product that best meets accessibility standards and the organization’s functional and legal requirements.
  • Plan for equally effective access when an accessible product is not available.

How do I get a VPAT?

Some vendors publish their VPATs on their website.  Others will provide the VPAT when you request it from their sales or support contact.

Make sure you get the VPAT 2.0 (or higher).  Section 508 was refreshed in 2017, and now measures accessibility using Web Content Accessibility Guidelines (WCAG) 2.0 criteria.  VPATs developed before 2017 may be out of date if the product has been updated since then.

Do we have to get a VPAT?

Section 508 of the Rehabilitation Act requires government agencies to make ICT accessible to people with disabilities.  The State of California applies Section 508 to the CSU. The CSU and SSU has policies and procedures to make ICT accessible to our employees, students and the broader campus community.

Obtaining and reviewing a product’s VPAT is one step in the accessible procurement process.

However, a VPAT is voluntary for vendors - they may choose to not create or provide a VPAT.