Table of Contents
- HECVAT vs VPAT: What’s the Difference and When Do You Need Each?
- HECVAT vs VPAT: Quick Comparison
- What Is HECVAT?
- What Is VPAT?
- Why Higher Education Prioritizes Accessibility
-
Key Differences Between HECVAT and VPAT
- 1. Scope: Organizational Risk vs. Product-Level Accessibility
- 2. Vendor Organization vs Specific Product
- 3. Accessibility Coverage: Organizational Maturity vs. Criterion-Level Conformance
- 4. Assessment Model and Format
- 5. Governing Body
- 6. Sector Applicability and Geographic Reach
- 7. Standards and Framework Alignment
- Detailed Comparison: HECVAT vs VPAT
- When Institutions Need Both
- How Vendors Should Manage HECVAT and VPAT for Higher Education Procurement
- How Institutions Should Evaluate HECVAT and VPAT Responses
- How to Simplify HECVAT and VPAT Management
- Key Takeaways
- HECVAT vs VPAT FAQs
HECVAT vs VPAT: What’s the Difference and When Do You Need Each?
HECVAT and VPAT evaluate different aspects of higher education procurement risk. Both are vendor-completed documents, and with the introduction of HECVAT 4, both now address accessibility in some form. However, using one instead of the other can leave real compliance gaps.
- HECVAT evaluates vendor organizational maturity across security, privacy, governance, and operational risk. Institutions use it to determine whether a vendor meets their security, privacy, and risk requirements for handling institutional systems and data.
- VPAT documents product-level conformance to accessibility standards including Web Content Accessibility Guidelines (WCAG), Section 508, and EN 301 549. It helps determine whether users with disabilities can actually use the product.
This guide explains the difference between HECVAT vs VPAT: what each framework assesses, how they differ in scope and purpose, and when institutions need both. It also addresses how HECVAT 4‘s expanded accessibility section relates to, but does not replace, VPAT.
HECVAT vs VPAT: Quick Comparison
While the HECVAT is a standard requirement for vendor relationships in higher education, VPAT is the default accessibility documentation for user-facing digital products during procurement.
HECVAT (Higher Education Community Vendor Assessment Toolkit) is a standardized vendor review tool designed by EDUCAUSE for higher education procurement. Vendors complete the workbook to demonstrate compliance, and the institution evaluates the responses to assess whether the vendor meets its security, privacy, and risk requirements. The current version, HECVAT 4 released February 2025, covers more than 300 questions across security, privacy, accessibility, governance, AI/ML, and other solution-specific risk areas. HECVAT is free. Hundreds of universities require it as a standard condition of vendor procurement.
VPAT (Voluntary Product Accessibility Template) is a standardized accessibility reporting template developed by the Information Technology Industry Council (ITI). Vendors complete it to document how a product or service supports accessibility standards including WCAG, Section 508, and EN 301 549. Once completed, the VPAT becomes an Accessibility Conformance Report (ACR), which institutions review during procurement**.** The current version is VPAT 2.5Rev (April 2025), available in four editions (508, EU, WCAG, INT). Like HECVAT, VPAT is free and voluntary, but it is increasingly required in practice by public higher education institutions, particularly as the April 26, 2027 ADA Title II compliance deadline approaches.
In 2025, both frameworks underwent significant updates driven by regulatory change. HECVAT released its v4.1.5 overhaul on February 10, 2025, and ITI published VPAT 2.5 Rev across its four editions in April 2025, each aligned to the WCAG version its underlying standard references. For higher education vendors and institutions, both updates take effect against the backdrop of the ADA Title II compliance deadline of April 26, 2027.
What Is HECVAT? The Complete Guide for Higher Education covers everything you need before your first procurement conversation.
HECVAT vs VPAT: At a glance
| Attribute | HECVAT | VPAT |
|---|---|---|
| Primary Focus | Vendor security and procurement risk | Product accessibility conformance |
| Scope | Organizational assessment across security, privacy, governance, accessibility, and AI | Accessibility reporting against WCAG, Section 508, and EN 301 549 |
| Who Uses It | Higher education institutions | Government, enterprise, and higher education organizations |
| Maintained By | EDUCAUSE, Internet2, REN-ISAC | Information Technology Industry Council (ITI) |
| Current Version | HECVAT 4.1.5 (2025) | VPAT 2.5Rev (2025) |
| Regulatory Drivers | FERPA, GLBA, HIPAA, ADA, institutional procurement | ADA Title II, Section 508, EN 301 549 |
| Output | Completed HECVAT workbook | Accessibility Conformance Report (ACR) |
| Accessibility Coverage | Organizational accessibility maturity review | Criterion-level accessibility conformance detail |
| Cost | Free EDUCAUSE workbook | Free ITI templates |
| Relationship | Requests VPAT/ACR documentation within HECVAT 4 | Often submitted alongside HECVAT during procurement |
What Is HECVAT?
The Higher Education Community Vendor Assessment Toolkit (HECVAT) is a standardized security assessment framework designed specifically for higher education. Colleges and universities use it to evaluate third-party vendors across security, privacy, accessibility, governance, and AI/ML risk in a consistent, structured way.
Key Characteristics:
- Self-assessment: The vendor fills out the questionnaire; the institution reviews responses using its own evaluation criteria and risk tolerance
- Higher-ed focused: Designed specifically for higher education procurement and risk management
- Broad scope: Covers security, privacy, accessibility, governance, AI/ML, and other solution-specific risk areas
- Free: Publicly available through EDUCAUSE.
- Not a certification: HECVAT is a review tool, not a certification or audit
The real cost is internal effort: vendors spend 8 to 20 hours gathering responses, attaching evidence, and coordinating across security, privacy, legal, and operations teams. On the institution side, procurement and security teams review every response manually, apply their own risk criteria, and follow up where evidence is missing or insufficient. No universal scoring standard exists, so each institution applies its own risk criteria.
For a full breakdown of how HECVAT works, how institutions use it, and what vendors need to know before completing it, see What Is HECVAT? The Complete Guide for Higher Education. For compliance requirements and common gaps, see the HECVAT Compliance Guide.
HECVAT Current Version
HECVAT 4 (v4.1.5, released February 10, 2025) is the most recent version. It consolidated the previous Full, Lite, and On-Premise versions into a single unified workbook with more than 300 questions across seven core sections. The new version introduced a dedicated IT Accessibility section for products with a user-facing interface, adding accessibility as a core part of the security and risk review.
For a detailed breakdown of what changed, see HECVAT 4: What’s New.
What Is VPAT?
The Voluntary Product Accessibility Template (VPAT) is a standardized accessibility reporting format that vendors use to report how a specific product or service supports relevant accessibility standards, including Section 508, WCAG 2.1, and EN 301 549.
Key characteristics:
- Product-specific: Documents how a particular product supports accessibility standards, not the organization that created it. If a vendor has multiple products, each gets its own VPAT.
- Standardized format: Includes fields for product description, evaluation methods, conformance levels, and explanatory notes. Conformance levels are described as supports, partially supports, does not support, and not applicable.
- Not a certification: No formal approval or submission process and no pass/fail outcome. It provides a structured picture of a product’s accessibility features and limitations.
- Vendor-completed: The vendor, product owner, or OEM completes it, with input from accessibility specialists or testing teams.
- Free templates: Available from ITI at no cost, including instructions and training materials.
- Public availability: VPATs and ACRs are often published on vendor websites or shared directly with prospective buyers during procurement.
VPAT Current Version
The current version, VPAT 2.5Rev (April 2025), comes in four editions depending on which standards apply:
- VPAT 2.5 508 for the Revised Section 508 standards (references WCAG 2.0)
- VPAT 2.5 EU for EN 301 549 (references WCAG 2.1)
- VPAT 2.5 WCAG for WCAG-based accessibility reporting (WCAG 2.2)
- VPAT 2.5 INT for all three standards combined (WCAG 2.0, 2.1, and 2.2)
VPAT vs. ACR: What Is the Difference?
A VPAT is the blank template. Once a vendor completes it for a specific product, it becomes an **Accessibility Conformance Report (ACR).** Buyers review the ACR to understand how an information and communication technology (ICT) product conforms to applicable accessibility standards. ACRs may be shared directly with buyers or posted publicly by vendors on their websites.
Why VPAT Matters for Higher Education
VPAT matters for higher education because
- Many institutions are Title II entities under the ADA, making digital accessibility a legal obligation, not just a best practice.
- Updated Title II regulations require them to confirm that digital content and services, including those provided through third-party vendors, conform to WCAG 2.1 Levels A and AA.
- The DOJ extended the original April 2026 deadline by one year: April 26, 2027 for large jurisdictions (population 50,000+) and April 26, 2028 for smaller entities, during which existing ADA obligations remain in effect.
Why Higher Education Prioritizes Accessibility
Updated ADA Title II regulations are reshaping higher education procurement workflows. 53% of higher education institutions now require third-party compliance with accessibility standards as part of their vendor risk management practices, according to an EDUCAUSE QuickPoll.
Actions Institutions Are Taking to Manage Third-Party Risks, EDUCAUSE
68% of institutions have faced at least one lawsuit, threat of legal action, or government investigation related to technology accessibility. More than a quarter have faced multiple challenges.
Occurrence of Legal and Government Accessibility Challenges, EDUCAUSE
Institutions exclude vendors without current ACRs from RFP shortlists to reduce legal exposure under ADA Title II.
Accessibility is now a core procurement requirement. The level of documentation an institution requires depends on whether the product has a user-facing interface. An institution procuring a backend data integration with no user-facing interface requires HECVAT to assess vendor security risk but has no need for a VPAT. An institution procuring a student-facing LMS needs both: HECVAT to assess the vendor and VPAT to confirm the product is accessible to every user.
Knowing what each framework covers determines how you use them together. The next section breaks down the differences between HECVAT and VPAT and defines exactly what each framework covers.
Key Differences Between HECVAT and VPAT
The core difference between HECVAT and VPAT is domain. HECVAT covers seven risk categories, accessibility is one of them. VPAT covers accessibility only, but in far greater detail than HECVAT does. Here is a closer look at each difference.
1. Scope: Organizational Risk vs. Product-Level Accessibility
- HECVAT evaluates vendor organizational maturity across seven risk categories: security, privacy, governance, AI/ML, infrastructure, operations, and accessibility. It answers one question: does this vendor have the organizational practices to handle institutional data and systems?
- VPAT covers accessibility at the criterion level. It answers a different question: does this specific product meet WCAG, Section 508, or EN 301 549 standards, feature by feature?
| Dimension | HECVAT | VPAT |
|---|---|---|
| Risk Evaluated | Organizational security, privacy, operational, and compliance risk | Accessibility barriers and ADA/Section 508 exposure |
| What Is Assessed | Security governance, access controls, encryption, incident response, business continuity, vendor practices | Accessibility features such as keyboard navigation, screen reader support, color contrast, captions, and accessibility API support |
| Primary Concern | Protection of institutional systems and sensitive data | Usability and accessibility for users with disabilities |
| Data / User Impact | Student records, financial data, health data, research data, and institutional operations | Accessibility for users with visual, auditory, motor, and cognitive disabilities |
| Regulatory Context | No direct legal mandate; widely used in higher education procurement | Supports compliance with WCAG, Section 508, ADA, and EN 301 549 accessibility requirements |
A vendor with strong security practices can ship an inaccessible product. A fully accessible product can come from a vendor with weak data governance. The institution’s question determines which framework applies.
2. Vendor Organization vs Specific Product
- HECVAT evaluates the entire vendor organization, its policies, processes, infrastructure, and people. One HECVAT applies to the vendor regardless of how many products it offers.
- VPAT evaluates a specific product. If a vendor has five products, each gets its own VPAT. The scope is feature-by-feature accessibility conformance for that product alone.
An institution evaluating a vendor that offers three tools, an LMS, a student portal, and a course authoring tool, needs one HECVAT to assess the vendor and three VPATs to assess the accessibility of each product.
3. Accessibility Coverage: Organizational Maturity vs. Criterion-Level Conformance
- HECVAT 4, released February 10, 2025, added a dedicated IT Accessibility section with 19 questions covering products with a user-facing interface, such as a learning management system, student portal, or classroom tool used by students, faculty, or staff, making accessibility a scored component of the vendor risk review. Four questions carry the highest weight:
| HECVAT Accessibility Questions | What it measures |
| ITAC-06 | Has a current VPAT or ACR been created or updated within the past 12 months? |
| ITAC-07 | Will the vendor commit to WCAG 2.1 AA conformance in the contract? |
| ITAC-08 | Does the solution substantially conform to WCAG 2.1 AA? |
| ITAC-09 | Is there a documented process for reporting and tracking accessibility issues? |
- Under VPAT, for every applicable WCAG, Section 508, or EN 301 549 criterion, the vendor must state exactly how the product performs: supports, partially supports, does not support, or not applicable. A completed VPAT tells an institution whether a student using a screen reader can navigate a course registration form, whether a keyboard-only user can complete a checkout flow, and whether captions are available on embedded video.
HECVAT’s IT Accessibility section confirms whether a vendor has accessibility processes and documentation in place. It does not evaluate the product itself. HECVAT can ask for the ACR, but it cannot replace it.
4. Assessment Model and Format
- HECVAT is a workbook-based self-assessment. Once the vendor completes it, the institution reviews the responses, applies its own risk criteria, and follows up where evidence is missing. It is an interactive, institution-led process with no standardized scoring across institutions
- VPAT is a vendor-completed accessibility disclosure informed by accessibility testing against recognized standards. When finalized, it becomes an ACR, a standardized document that enables consistent comparison across products and vendors.
HECVAT drives interactive, institution-led review. VPAT produces a standardized disclosure document that enables consistent cross-product comparison.
| Aspect | HECVAT | VPAT |
|---|---|---|
| Length | 300+ questions (HECVAT 4); 7–14 weeks to complete | 1–20 page document; typically a couple of weeks to complete |
| Question Type | Yes/no, multiple choice, text responses, evidence upload | Conformance statements (supports, partially supports, does not support, not applicable) |
| Output Format | Completed Excel workbook with vendor responses and institutional evaluation notes | Completed VPAT shared as Accessibility Conformance Report (ACR); standardized Word/PDF |
| Review Process | Institution asks clarifying questions; vendor provides evidence | Institution reviews product conformance; may test product independently |
5. Governing Body
- HECVAT is maintained by EDUCAUSE in collaboration with Internet2 and REN-ISAC. Updates are driven by the higher education community through working groups, institutional feedback, and sector-specific regulatory changes. HECVAT 4 was released on February 10, 2025, reflecting the community’s structured approach to versioning and release.
- VPAT is maintained by the Information Technology Industry Council (ITI), a global technology industry trade association. Updates are driven by changes to the underlying accessibility standards (WCAG, Section 508, and EN 301 549). The current version, VPAT 2.5Rev, added WCAG 2.2 support in its WCAG and INT editions, while the 508 and EU editions continue to reference WCAG 2.0 and 2.1 respectively.
For institutions, HECVAT reflects higher education’s compliance landscape. When regulations change, the EDUCAUSE community updates the tool. For vendors, a current VPAT signals that accessibility documentation meets the latest global standards, not just higher education requirements.
6. Sector Applicability and Geographic Reach
- HECVAT applies to higher education only. It has no regulatory standing outside the sector. The Consortium for School Networking (CoSN) adapted it to create the K-12 Cybersecurity Vendor Assessment Tool (K-12CVAT), a signal of how widely the framework’s approach has been recognized.
- VPAT is used broadly across federal, public sector, and international procurement.
- Section 508 requires federal contractors to provide an ACR.
- Used in enterprise software contracting globally.
- Increasingly required in higher education procurement worldwide.
- The European Accessibility Act (EAA), effective June 28, 2025, requires digital products and services sold in the EU to conform to EN 301 549. HECVAT does not address this.
- The VPAT INT edition covers WCAG, Section 508, and EN 301 549 in a single document, allowing vendors to produce one ACR that satisfies both U.S. higher education and EU procurement requirements.
7. Standards and Framework Alignment
- HECVAT aligns with NIST Cybersecurity Framework, HIPAA, GLBA, and FERPA. It is a self-assessment framework, not a regulatory standard, and has no mandatory standing outside higher education procurement.
- VPAT aligns with Section 508 (U.S. federal law), WCAG 2.1 (international standard), and EN 301 549 (European standard). These are formal accessibility standards with legal and regulatory backing across federal, public sector, and international procurement contexts.
Detailed Comparison: HECVAT vs VPAT
| Dimension | HECVAT | VPAT |
|---|---|---|
| Primary Purpose | Higher education vendor risk assessment during procurement | Accessibility conformance reporting for products and services |
| Assessment Scope | Organization-wide security, privacy, governance, accessibility maturity, AI, and operational review | Product-specific accessibility evaluation |
| What It Evaluates | Security controls, governance, privacy, operational resilience, accessibility processes | Accessibility against WCAG, Section 508, and EN 301 549 |
| Accessibility Coverage | Organizational accessibility maturity and documentation review | Criterion-level accessibility conformance detail |
| Accessibility Questions | ITAC questions covering VPAT existence, WCAG commitments, and accessibility issue tracking | Detailed “supports / partially supports / does not support” reporting per accessibility criterion |
| Risk Evaluated | Organizational security, operational, privacy, and compliance risk | Accessibility barriers and ADA/Section 508 exposure |
| Who Completes It | Vendor completes workbook; institution reviews responses | Vendor completes template, often with accessibility/testing input |
| Assessment Approach | Procurement-focused self-assessment workbook | Standardized accessibility disclosure template |
| Review Process | Institution reviews evidence and follows up with vendors | Accessibility reviewers evaluate conformance claims and may test independently |
| Length / Complexity | 300+ question workbook across multiple risk domains | 1–20 page accessibility conformance document |
| Output | Completed HECVAT workbook | Accessibility Conformance Report (ACR) |
| Maintained By | EDUCAUSE, Internet2, REN-ISAC | Information Technology Industry Council (ITI) |
| Sector Applicability | Higher education procurement only | Government, enterprise, public-sector, and higher education procurement |
| Regulatory Alignment | NIST CSF, HIPAA, GLBA, FERPA | WCAG, Section 508, EN 301 549 |
| Requirement Status | Voluntary framework commonly expected during higher education procurement | Voluntary framework commonly required during accessibility review |
| Current Version | HECVAT 4.1.5 (2025) | VPAT 2.5Rev (2025) |
| Global Reach | Primarily U.S. higher education | U.S., EU, and international procurement |
| What It Does Not Provide | Detailed accessibility conformance testing | Security, privacy, governance, or operational risk review |
When Institutions Need Both
HECVAT and VPAT address different parts of procurement review. A vendor can complete HECVAT without a VPAT, but in many higher education procurement contexts that is not enough on its own, and the reverse is equally true.
When VPAT Alone Is Not Enough
A current VPAT/ACR does not replace HECVAT. Accessibility is only one part of a broader institutional vendor review. VPAT does not address:
- Security controls and operational safeguards
- Privacy and data governance practices
- Governance, vendor management, and risk processes
- AI-related practices and other solution-specific institutional concerns
When HECVAT Alone Is Not Enough
HECVAT 4’s expanded accessibility section does not replace a VPAT. Under ADA Title II, public institutions bear legal responsibility for accessibility gaps in any content delivered through third-party vendors, including LMS platforms, library databases, and student portals. A VPAT or ACR is the only document that provides the criterion-level evidence needed to demonstrate that gap does not exist.
HECVAT alone falls short where:
- Accessibility conformance must be demonstrated against recognized standards such as WCAG or Section 508
- Accessibility reviewers need criterion-level detail about product usability
- Institutional procurement policies mandate formal accessibility documentation
What Each Framework Covers That the Other Does Not
Seven domains illustrate where each framework has coverage the other lacks and why neither can substitute for the other. Accessibility is the one domain both frameworks address, but at different levels.
| Domain | HECVAT Covers | VPAT Covers | Gap If Missing |
|---|---|---|---|
| Data encryption & security controls | Infrastructure, security, and operational safeguards | Not in scope | Institution lacks visibility into vendor security and data protection practices |
| Privacy & FERPA compliance | Privacy governance and institutional data handling practices | Not in scope | Institution cannot evaluate student data protection and regulatory risk |
| AI/ML governance | AI-related governance, risk, and transparency practices | Not in scope | Institution lacks visibility into AI risk and governance controls |
| WCAG criterion-level conformance | Accessibility governance and documentation practices | Detailed WCAG conformance reporting | Institution cannot evaluate actual product accessibility barriers |
| Section 508 accessibility detail | Requests whether VPAT/ACR documentation exists | Full accessibility conformance reporting against Revised Section 508 | Accessibility reviewers lack formal conformance evidence |
| Assistive technology compatibility | General accessibility review questions | Screen reader, keyboard navigation, and assistive technology support detail | Institution cannot assess usability for disabled users |
| EN 301 549 accessibility support | Not addressed | VPAT 2.5 EU accessibility reporting | No structured documentation for EU accessibility procurement requirements |
HECVAT and VPAT are complementary rather than interchangeable. HECVAT covers security domains that VPAT does not address, and VPAT provides accessibility depth that HECVAT cannot replicate.
HECVAT vs VPAT: Which Framework Is Required for Different Procurement Scenarios?
Three factors determine which framework applies, HECVAT or VPAT: product type, data sensitivity, and whether the tool has a user-facing interface. Products with no user-facing interface require HECVAT only. Products with a user-facing interface that handle institutional or student data require both. The table below maps common higher education procurement scenarios to the right framework.
| Scenario | HECVAT | VPAT / ACR | Why |
|---|---|---|---|
| LMS or SIS with student-facing UI | Required | Required | Handles sensitive student data and includes user-facing interfaces |
| Backend data integration (no UI) | Required | – | No end-user interface requiring accessibility evaluation |
| Classroom response tool | Required | Required | User-facing instructional tool requiring accessibility support |
| Research computing platform | Required | Conditional | Accessibility review depends on whether researchers interact through a UI |
| Video conferencing platform | Required | Required | Accessibility features such as captioning and keyboard navigation are critical |
| Low-risk marketing analytics tool | Required | Conditional | Accessibility review depends on public or student-facing functionality |
| Assistive technology platform | Required | Required | Accessibility conformance is central to procurement review |
Practical Scenarios When Institutions Require Both HECVAT and VPAT
Scenario 1: Institution requires both broad vendor review and accessibility documentation.
A college requires HECVAT for its overall procurement workflow while also requesting a VPAT/ACR to evaluate accessibility in a structured way.
- University of Michigan’s evaluation guidance reflects this dual-assessment approach.
- California Community Colleges provide a concrete example: the CCC Accessibility Center requires all 116 colleges in the system to procure accessible ICT under Section 508 and California Government Code 7405, with individual colleges like Cerritos requiring both VPAT and HECVAT documentation as part of their procurement process.
Scenario 2: Vendor has a VPAT but institution needs HECVAT.
The vendor maintains a current ACR demonstrating strong accessibility conformance, but the institution still needs HECVAT to assess security, privacy, governance, and operational resilience.
- The University of Arkansas requires both a HECVAT and a VPAT for every technology purchase, including renewals, before legal review or purchase can proceed.
- Colorado State University requires both VPAT and HECVAT as part of its ICT procurement process, with HECVAT confirming that cybersecurity and data protection policies are in place and VPAT confirming product-level accessibility conformance.
- Arapahoe Community College takes the same position, requiring both documents because software used at the institution may interact with institutional systems or data, making both accessibility and security review mandatory before any software can be approved.
Scenario 3: Vendor uses VPAT to support HECVAT accessibility responses.
HECVAT 4’s IT Accessibility section asks vendors whether a current VPAT/ACR exists and has been updated in the past 12 months (ITAC-06). A vendor with a current ACR can reference it directly in their HECVAT response, linking to the published document as supporting evidence. Doing so strengthens both submissions: HECVAT is backed by formal accessibility documentation, and the ACR gains direct visibility in the procurement workflow.
- As University of Michigan’s evaluation guidance notes, institutions review both the HECVAT accessibility score and the VPAT independently, meaning a vendor that maintains both creates a consistent, credible profile across security and accessibility review.
How Vendors Should Manage HECVAT and VPAT for Higher Education Procurement
For vendors, the most effective approach to manage HECVAT and VPAT is to maintain both documents proactively rather than waiting for institutions to ask.
Other best practices include:
- Keep your VPAT/ACR current and aligned with WCAG and Section 508
- Complete HECVAT proactively to speed up procurement conversations
- Coordinate internally so responses across both documents stay accurate and consistent
- Use VPAT and HECVAT together to address both accessibility review and broader institutional risk review
- Build a structured vendor risk management program that incorporates both security and accessibility review workflows
- Update both documents at least annually or when major product or system changes occur. HECVAT responses should reflect the current state of your security and privacy posture. VPAT/ACR can be updated within 18 months, but institutions increasingly expect documentation tied to the active product version. A VPAT that does not reflect the current release raises red flags during procurement review.
Recommended Approach:
- Complete HECVAT first. It is the broader assessment and applies to any vendor relationship.
- Complete VPAT for products with user interfaces.
- For critical vendors, run both in parallel.
VPAT/ACR Cost and Timeline
The cost of producing a credible ACR falls on the vendor. Institutions receive the ACR as part of the procurement process, they do not commission or pay for it. For vendors, a current ACR is a market access requirement. Higher education institutions and federal agencies decline to proceed with procurement when one is absent.
A credible VPAT/ACR costs $2,000–$30,000+ for a typical mid-size SaaS product, covering both the manual accessibility audit and the VPAT document itself.
| Component | Cost Range | Notes |
|---|---|---|
| Accessibility audit (manual, WCAG 2.1 or 2.2 AA) | $1,500 – $25,000+ | Scales with page/screen count and product complexity |
| VPAT document completion (WCAG edition) | $350 – $550 | Additional per edition: +$100 for 508, +$150 for EN 301 549, +$400 for INT |
| Total (typical mid-size SaaS product) | $2,000 – $30,000+ | Enterprise platforms with complex admin portals can exceed $75,000 |
Timeline for VPAT/ACR is 2–4 weeks for a typical SaaS product (manual audit plus VPAT completion), and 4–8 weeks for multi-component platforms covering mobile, web, and admin. Most specialized firms offer accelerated timelines at a premium.
How Institutions Should Evaluate HECVAT and VPAT Responses
Receiving a completed HECVAT and a current ACR from a vendor is the starting point. Both documents are vendor-completed self-assessments, and the quality, accuracy, and depth of responses varies significantly. Procurement and security teams need a structured approach to reviewing what vendors submit, identifying gaps, and knowing when to push back or request additional evidence.
How to Evaluate a HECVAT Response
The institution reviews every response, applies its own risk criteria, and follows up where evidence is missing or insufficient. Four things to check in every HECVAT submission:
- Completeness. All required sections should be answered. Questions marked “not applicable” should include a brief explanation of why they do not apply to the vendor’s product or service.
- Evidence. Where the assessment asks for supporting documentation, such as SOC 2 reports, penetration test results, or privacy policies, check that the vendor has attached or linked to current versions.
- Accessibility. Does the vendor have a current VPAT or ACR (ITAC-06) and have they committed to WCAG 2.1 AA in the contract (ITAC-07)?
- Version. Request a HECVAT completed within the past 12 months. The Community Broker Index retired on July 31, 2025. Vendors and institutions now exchange assessments directly.
How to Evaluate a VPAT/ACR
Not all VPATs are equally useful. A credible ACR is specific, current, and based on real testing. Procurement reviewers, particularly those using the BTAA Digital Accessibility Vendor Cookbook framework, consistently flag the same quality issues.
| Red Flag | What It Signals |
|---|---|
| Report date more than 12–18 months old | ACR does not reflect the current product version; especially problematic for SaaS products with frequent releases |
| “Not Evaluated” across multiple criteria | Vendor has not performed an accessibility audit; ACR is essentially a blank form |
| “Supports” with no supporting remarks | Unverifiable claim; no evidence of how the criterion is met |
| Testing method lists only automated tools | Automated tools detect only 25–40% of accessibility issues; no manual or assistive technology testing was performed |
| No third-party tester identified | Self-reported ACRs from non-specialists are generally less reliable than independent evaluations |
| Conformance references WCAG 2.0 only | WCAG 2.0 is no longer sufficient under ADA Title II or HECVAT 4; signals outdated accessibility practice |
| No accessibility roadmap for “Partially Supports” items | Vendor acknowledges gaps but has no documented remediation timeline |
The BTAA Vendor Cookbook sets three requirements for a valid ACR: it must be correctly and completely filled out, current within approximately 18 months for an active product version, and based on manual accessibility evaluation. Many WCAG 2.1 AA success criteria cannot be verified through automated tools alone and require manual testing with assistive technologies.
Common Accessibility Conformance Gaps in EdTech
EdTech products fail the same seven WCAG criteria repeatedly.
For institutions, the table identifies which criteria require closest scrutiny during VPAT review. For vendors, it identifies where to direct accessibility testing before completing a VPAT.
| Common Accessibility Gap | WCAG Criterion | Why It Recurs in EdTech | Accessibility / Procurement Impact |
|---|---|---|---|
| Insufficient color contrast | 1.4.3 / 1.4.11 | Modern UI themes often favor light gray text and low-contrast design choices | Low-vision users may struggle to read or navigate interfaces |
| Missing or inadequate alt text | 1.1.1 | Instructors frequently upload images, charts, and diagrams without accessibility review or training | Screen reader users cannot access visual instructional content |
| Keyboard navigation failures | 2.1.1 | Custom interactive components such as drag-and-drop tools, modal dialogs, and date pickers are often not keyboard accessible | Users unable to use a mouse may be blocked from core functionality |
| Missing focus indicators | 2.4.7 / 2.4.11 | CSS styling and theme overrides frequently remove visible keyboard focus outlines | Keyboard users may lose track of navigation position |
| Unlabeled form fields | 1.3.1 / 4.1.2 | Registration forms, quiz inputs, and filters often lack proper labels or ARIA attributes | Screen reader users may be unable to complete forms reliably |
| Video without captions | 1.2.2 / 1.2.3 | Lecture capture and embedded video workflows often lack captioning or transcript processes | Deaf and hard-of-hearing users cannot access instructional content |
| Inaccessible PDFs | 1.3.1 | Syllabi, scanned readings, and uploaded course documents frequently lack proper tagging and reading order | Screen readers cannot interpret document structure correctly |
Automated scanning detects 25–40% of accessibility issues. Many WCAG 2.1 AA criteria require manual testing with assistive technologies, which is why institutions give more weight to third-party ACRs than vendor self-reported ones.
How to Simplify HECVAT and VPAT Management
Isora GRC centralizes HECVAT questionnaires, VPAT/ACR documentation, and vendor risk data in one connected workspace, replacing spreadsheet-and-email management of security and accessibility assessments. The collaborative GRC Assessment Platform™ is built for security teams coordinating multi-framework vendor review.
- Assessment management: Organize assessments by compliance goal to run coordinated campaigns across HECVAT, accessibility, and other frameworks. Deploy HECVAT questionnaires to multiple vendors simultaneously and track status in one view. The purpose-built HECVAT Uploader lets vendors pre-fill responses directly.
- Inventory management: Reduce time spent managing inventory data with a centralized view of all vendor records linked directly to assessments, VPAT documentation, risk classifications, and remediation status.
- Questionnaires & surveys: Reduce time spent on assessment tasks with collaborative, structured questionnaires that lower training needs and increase response accuracy across security and accessibility review.
See how Isora GRC centralizes HECVAT, VPAT, and other vendor assessments →
Key Takeaways
HECVAT and VPAT are not competing frameworks. They were built to answer different questions, and higher education procurement increasingly requires both answers.
HECVAT evaluates vendor organizational security maturity across security, privacy, governance, and AI/ML. VPAT documents product-level accessibility conformance against WCAG, Section 508, and EN 301 549. HECVAT tells institutions whether a vendor can be trusted with their data, their systems, and their students. VPAT tells them whether every student, including those who rely on a screen reader, a keyboard, or captions, can actually use the product.
One without the other leaves a gap. A vendor with strong security practices can still ship an inaccessible product. A fully accessible product can still be built by a vendor with weak data governance.
With ADA Title II enforcement now driving accessibility documentation into standard procurement workflows, with a compliance deadline of April 26, 2027 for large jurisdictions (population 50,000+) and April 26, 2028 for smaller entities, and HECVAT 4 explicitly scoring whether a vendor has a current ACR, the two frameworks are more connected than ever. But connection is not the same as overlap. HECVAT can ask for the ACR. It cannot replace it.
For institutions, the practical approach is straightforward: HECVAT for every vendor relationship, VPAT for every product with a user-facing interface. For vendors, maintaining both proactively is the baseline expectation for doing business in higher education.
For the full HECVAT framework overview, see What Is HECVAT? The Complete Guide for Higher Education. For details on the latest version, see HECVAT 4: What’s New. For HECVAT compliance requirements and common gaps, see the HECVAT Compliance Guide.
See how Isora GRC centralizes HECVAT, VPAT, and other vendor assessments →
HECVAT vs VPAT FAQs
Does HECVAT replace VPAT?
No. HECVAT does not replace VPAT. The two frameworks serve different purposes. HECVAT assesses vendor organizational security maturity across multiple domains (security, privacy, governance, AI/ML). VPAT documents product-level accessibility conformance against standards like WCAG and Section 508. Even though HECVAT 4 includes a dedicated IT Accessibility section, it does not replace the structured, criterion-level accessibility documentation that a VPAT/ACR provides. They are complementary, not interchangeable.
Is VPAT required for higher ed vendors?
VPAT carries no universal legal mandate. Federal agencies and higher education institutions require it as a condition of procurement.
For higher education, updated ADA Title II requirements require public institutions to confirm that third-party tools conform to WCAG 2.1 Levels A and AA, with a compliance deadline of April 26, 2027 for large jurisdictions and April 26, 2028 for smaller entities. Institutions including the University of Arkansas and Colorado State University already require both HECVAT and VPAT before any technology purchase can proceed. Vendors without a current ACR are increasingly excluded from RFP shortlists.
Does HECVAT cover accessibility?
HECVAT 4 includes a dedicated IT Accessibility section with 19 questions. The section is triggered when a product has a user-facing interface, and covers accessibility governance, WCAG 2.1 AA conformance, third-party testing, and current VPAT or ACR status. It assesses organizational accessibility maturity: whether the vendor has accessibility processes, documentation, and commitments in place.
What comes first — HECVAT or VPAT?
Every higher education vendor requires a HECVAT. VPAT applies to vendors whose products include a user-facing interface. Not every vendor needs a VPAT, but every higher education vendor needs a HECVAT.
Where can institutions find a vendor’s VPAT?
Most vendors publish their VPATs and ACRs on their website in an “Accessibility” or “Compliance” section. Institutions can also request one directly during procurement. The ITI website provides the standardized VPAT templates, instructions, and training materials at no cost. Section508.gov provides guidance on how vendors create an ACR from a VPAT template. If a vendor cannot provide a current ACR, institutions can use the BTAA Vendor Cookbook framework to guide follow-up requests and evaluation.
Do vendors need both HECVAT and VPAT?
Vendors selling into higher education need HECVAT. Vendors whose products have a user-facing interface also need a current VPAT. HECVAT covers the full vendor organization across security, privacy, governance, and AI/ML. VPAT covers product-level accessibility conformance for a specific product. Maintaining both demonstrates commitment to security and accessibility, and vendors can use their current ACR to strengthen HECVAT’s IT Accessibility responses, creating a consistent and credible vendor profile across both documents.
How does the EU’s European Accessibility Act affect EdTech vendors?
The European Accessibility Act (EAA), which took effect June 28, 2025, requires digital products and services sold in the EU to conform to EN 301 549, which maps to WCAG 2.1 AA for web and mobile. Penalties are set by each member state rather than the Directive itself, so they vary widely — from tens of thousands of euros to as much as €1,000,000 in Spain, with some states such as Ireland also attaching criminal liability. The EAA does not require a VPAT, but vendors selling in the EU can use the VPAT 2.5Rev EU edition to document EN 301 549 conformance specifically. Vendors serving both U.S. higher education and EU markets can use the VPAT INT (International) edition, which covers WCAG, Section 508, and EN 301 549 in a single document, producing one ACR that satisfies both contexts.
This content is for informational purposes only and does not constitute legal or compliance advice. See our full disclaimer.
Other Relevant Content 