W3C home > Mailing lists > Public > w3c-wai-ig@w3.org > July to September 2018

RE: Procurement of 3rd party tools

From: Robert Jolly <robert@knowbility.org>
Date: Thu, 2 Aug 2018 09:42:38 -0700
Message-ID: <CAAXbX0P+kpk8DJfjj93WU+hfviv7H-1jcwHhVm1Wkzrd5Z0dZg@mail.gmail.com>
To: "Urban, Mark (CDC/OCOO/OCIO/ITSO)" <fka2@cdc.gov>, "Salazar, Joshua Allen" <salaz3j@cmich.edu>, "w3c-wai-ig@w3.org" <w3c-wai-ig@w3.org>
Hi Josh,

My only contribution to this would be to set the standard for what is
current (WCAG 2.0 which is what Section 508 aligns to now) and also ensure
that the VPATs that you’re requesting are also the current, updated version
(VPAT 2.1 <https://www.itic.org/policy/accessibility/vpat>). It is my
understanding that older VPAT versions align with the older Section 508
which is no longer current which can be problematic.

If you’re not doing much with VPATs other than requiring them from vendors,
then it may be a good time to begin evaluating what is in them to determine
if they are accurate and if using the products with known issues increases
your organization’s risk.

I think all of Mark Urban’s advice around setting your internal
requirements for compliance is really solid and his advice to “check with
your lawyer…” certainly bears repeating.

Hope this helps.


Robert Jolly
Technology Director
Knowbility, Inc. <https://knowbility.org/>

On August 2, 2018 at 9:38:01 AM, Urban, Mark (CDC/OCOO/OCIO/ITSO) (
fka2@cdc.gov) wrote:

Hi Josh,

There was a similar discussion a few weeks back on this list.  I’ll
reiterate the approach I recommend below.  Whether you use a third-party
vendor or use your own tool, it’s the platform AND actual content (or
authored output) that needs to be accessible to WCAG 2.0 or 2.1 BASED ON

<quote begins>

Speaking for myself, I try to keep these things easy.  The legal minutia
can get fuzzy, and frankly is not always clear from case to case.  So, in
layman’s terms:  If you are covered by the ADA and/or Rehab Act (State
Universities in the US are covered by both), then:

·         If you MADE the content or someone could reasonably assume it was
made by you, then it must be *fully accessible*.  (we often put this at CDC
in the terms,  “if it has our logo, it has our responsibility”)

·         If you REQUIRE content’s use as part of your service, then it
must be *either accessible or an accommodation provided*. (e.g. a course
homework to watch a YouTube video not made by you, a Doodle poll for
setting office hours)

·         If you NEITHER MADE NOR REQUIRE the content, then you do *not
generally need to ensure accessibility* (again, weird and extraneous case
law here, so check with a lawyer in your area), though of course I’d always
recommend it or at least ask the platform/creator to make it accessible.

Note that if you are using funds from HHS, we specifically state WCAG/508
conformance as our standard for meeting 504 responsibilities for
grant-funded activities.

<end quote>

Many third party vendors have VPATs for Federal 508 reporting.  Its always
worth asking if a VPAT isavailable for the platform when considering the
service.  The challenge in a lot of educational environs is that there is
no governance in the usage of anything.  I know security professionals who
lose a lot of sleep in this area – you may want to partner with them to get
a better handle on the toolsets being used and the process for approval.


*Mark D. Urban CDC/ATSDR Section 508 Coordinator*

Office of the Chief Information Officer (OCIO)

Office of the Chief Operating Officer (OCOO
*) **Murban@CDC.gov* <Murban@CDC.gov>* | 919-541-0562 office *

[image: file:///Users/robert/Library/Group

*From:* Salazar, Joshua Allen <salaz3j@cmich.edu>
*Sent:* Thursday, August 2, 2018 10:14 AM
*To:* w3c-wai-ig@w3.org
*Subject:* Procurement of 3rd party tools


I work in higher education and we’re currently going through a rather large
accessibility initiative right now. Yesterday something interesting came up
and I thought this group would be a good group to consult.

We have a process of requiring information from 3rd party vendors, but do
not have a set accessibility standard for which they must meet. We are
often finding all or a majority of vendors are not fully ADA compliant and,
up until recently, we’ve been okay with it. Since the vendors are meeting
all of our technical and business process requirements, we don’t want to
give up on them if they’re not ADA compliant. Currently, our process is
still very much up in the air since there are a lot of variables. We do
require a VPAT as part of the RFI but we don’t really do much with it right

I’m working with legal at my institution to find and define a standard for
which third party tools must meet. We are also working on communication
with the vendors to discuss remediation plans. My question for the group,
does anyone else have a similar process they would be willing to share? How
we might define “ADA compliance” as it relates to 3rd party tools?  Should
we develop our own instrument for assessing this, is there a minimum
score/response on the VPAT that we should require, or ???

Any information would be helpful.

Thank you!


Received on Thursday, 2 August 2018 16:43:09 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 20:37:20 UTC