Section 508 testing guide for government contractors and vendors
Section 508 of the Rehabilitation Act requires all information and communication technology (ICT) developed, procured, maintained, or used by federal agencies to be accessible to people with disabilities. Since the 2018 refresh, Section 508 technical standards directly reference WCAG 2.0 Level AA as the baseline for web content, software, and electronic documents.
For vendors and contractors, this means one thing: if you sell technology to the US federal government, your product must conform to Section 508. No conformance, no contract. The US federal government spent over $100 billion on IT in fiscal year 2024, according to the Federal IT Dashboard maintained by the Office of Management and Budget. That makes Section 508 compliance not just a legal obligation but a significant market access requirement.
What the 2018 refresh changed
Before 2018, Section 508 used its own technical standards, which were separate from WCAG and difficult to map to modern web technologies. The US Access Board published the final rule in January 2017 (effective January 2018) that replaced the original 1998 standards with a framework aligned to EN 301 549, the European accessibility standard.
Key changes in the refresh:
| Before 2018 | After 2018 (current) | |---|---| | Separate technical standards for web, software, telecom | Unified ICT framework based on EN 301 549 | | Web: Section 508 specific criteria | Web: WCAG 2.0 Level AA (38 success criteria) | | Software: functional performance criteria only | Software: WCAG 2.0 AA applied to software + additional requirements | | Documents: limited requirements | Documents: WCAG 2.0 AA applied to electronic documents | | No authoring tool requirements | Authoring tools must support accessible content creation |
Source: US Access Board, "Information and Communication Technology (ICT) Standards and Guidelines," 82 FR 5790 (January 18, 2017).
Who must comply
Section 508 applies to federal agencies and, by extension, to anyone who provides ICT to them:
- Federal agencies: All executive branch agencies must ensure their ICT is accessible
- Contractors and vendors: Any company selling software, websites, hardware, or electronic content to federal agencies
- Subcontractors: If your subcontract involves delivering ICT that the agency will use
- State agencies receiving federal funding: Section 508 applies when federal funds are involved (though Section 504 of the Rehabilitation Act is the broader mechanism here)
The General Services Administration (GSA) manages the government-wide Section 508 program through Section508.gov. GSA publishes testing guidance, procurement language templates, and conformance reporting tools.
Section 508 technical requirements mapped to WCAG
The following table maps Section 508 functional categories to the corresponding WCAG 2.0 Level AA success criteria:
| Section 508 requirement area | WCAG 2.0 criteria | Example tests | |---|---|---| | Perceivable: text alternatives | 1.1.1 Non-text Content | Images have alt text; CAPTCHAs have alternatives | | Perceivable: captions and audio descriptions | 1.2.1-1.2.5 Time-based Media | Videos have captions; audio descriptions available | | Perceivable: adaptable content | 1.3.1-1.3.3 Adaptable | Semantic HTML; meaningful sequence; sensory-independent instructions | | Perceivable: distinguishable content | 1.4.1-1.4.5 Distinguishable | 4.5:1 contrast ratio; text resizable to 200%; no images of text | | Operable: keyboard accessible | 2.1.1-2.1.2 Keyboard | All functionality available via keyboard; no keyboard traps | | Operable: enough time | 2.2.1-2.2.2 Enough Time | Adjustable time limits; pause/stop/hide moving content | | Operable: seizure prevention | 2.3.1 Seizures | No content flashing more than 3 times per second | | Operable: navigable | 2.4.1-2.4.7 Navigable | Skip links; descriptive page titles; focus visible | | Understandable: readable | 3.1.1-3.1.2 Readable | Page language declared; language of parts identified | | Understandable: predictable | 3.2.1-3.2.4 Predictable | No unexpected context changes on focus or input | | Understandable: input assistance | 3.3.1-3.3.4 Input Assistance | Error identification; labels/instructions; error prevention | | Robust: compatible | 4.1.1-4.1.2 Compatible | Valid HTML parsing; name/role/value for UI components |
For non-web software and electronic documents, Section 508 applies WCAG 2.0 AA criteria with modifications. Chapter 5 of EN 301 549 adds platform-specific requirements for closed functionality, biometric authentication, and hardware.
The VPAT: your procurement passport
The Voluntary Product Accessibility Template (VPAT) is the standard document vendors use to communicate their product's conformance status. Despite the word "voluntary" in the name, submitting a VPAT is effectively required for federal procurement. Agencies use VPATs during the evaluation phase of acquisitions to compare vendors on accessibility.
The current version is VPAT 2.4 (published by the Information Technology Industry Council). It comes in four editions:
| VPAT edition | Covers | When to use | |---|---|---| | Section 508 Edition | Revised Section 508 standards | US federal procurement only | | EU Edition | EN 301 549 | European public procurement | | WCAG Edition | WCAG 2.x Level AA | Private sector or international | | International Edition | All three above | Products sold globally |
For US government sales, use the Section 508 Edition at minimum. If you also sell to European governments, use the International Edition.
What a VPAT contains
For each applicable WCAG criterion:
- Conformance level: Supports, Partially Supports, Does Not Support, or Not Applicable
- Remarks and explanations: Specific details about how the product meets or fails to meet each criterion
- Evaluation methods: How conformance was tested (automated tools, manual testing, assistive technology testing)
A VPAT with "Supports" across all criteria and no explanatory remarks is a red flag to procurement officers. Honest, detailed VPATs with "Partially Supports" entries and clear remediation timelines are more credible than suspiciously perfect ones.
The federal procurement process
Here is how Section 508 fits into federal IT procurement:
- Requirements phase: The agency includes Section 508 requirements in the Statement of Work (SOW) or Statement of Objectives (SOO). FAR 39.203 requires agencies to address accessibility in ICT acquisitions.
- Solicitation: The Request for Proposal (RFP) or Request for Quotation (RFQ) specifies that vendors must submit a VPAT or Accessibility Conformance Report (ACR) with their proposal.
- Vendor response: The vendor submits their VPAT alongside their technical and cost proposals. The VPAT should reflect the current state of the product, not a future roadmap.
- Evaluation: The agency's Section 508 coordinator reviews submitted VPATs. Products with better accessibility conformance receive higher evaluation scores.
- Award and monitoring: After contract award, the agency may require ongoing conformance testing. Significant accessibility regressions can constitute a contract violation.
The Trusted Tester process
The Department of Homeland Security (DHS) developed the Trusted Tester Process as a standardized methodology for evaluating Section 508 conformance. Version 5.x is the current release and aligns with the 2018 refresh requirements.
What makes Trusted Tester different from ad-hoc testing
- Standardized test procedures: Each WCAG criterion has a defined test process with specific steps, expected results, and pass/fail criteria
- Reproducible results: Two certified testers evaluating the same product should reach the same conclusions
- Tool-agnostic: While it references specific inspection techniques, the process works with any combination of tools
- Recognized credential: The DHS Trusted Tester certification is accepted across federal agencies as proof of testing competency
Trusted Tester certification
To become a DHS Trusted Tester, individuals complete the DHS Section 508 training course and pass the certification exam. The training covers:
- Section 508 standards and WCAG 2.0 Level AA criteria
- Testing tools setup (ANDI, Color Contrast Analyzer, browser developer tools)
- Structured test procedures for each applicable criterion
- Reporting findings in the standardized Trusted Tester format
Federal agencies increasingly require that accessibility testing be performed by certified Trusted Testers or follow the Trusted Tester methodology.
The "undue burden" exception
Section 508 includes an exception for "undue burden," but this is far narrower than most vendors assume. The standard states that compliance is not required when it would impose a "significant difficulty or expense" on the agency.
Critical points about undue burden:
- It applies to agencies, not vendors. A vendor cannot claim undue burden to avoid making their product accessible.
- Each agency must make the determination on a case-by-case basis, documented in writing.
- Even when undue burden is claimed, the agency must provide alternative means of access for individuals with disabilities.
- The head of the agency (or designee) must sign off on the determination.
- Undue burden does not mean "it's expensive" or "it would delay the schedule." It means compliance is essentially impractical given the agency's resources.
In practice, agencies rarely invoke this exception because the documentation and approval requirements are significant, and the alternative access obligation remains.
How Auditi supports Section 508 testing
Auditi is built specifically for structured accessibility compliance testing, which aligns directly with how Section 508 conformance works.
Journey-based testing for real user scenarios
The Trusted Tester process evaluates how users actually interact with software, not just individual page states. Auditi's journey-based testing approach maps to this methodology: you define user flows (login, form submission, data retrieval, report generation) and test each step against WCAG criteria.
This produces evidence that directly feeds into VPAT documentation. Instead of "we ran an automated scan," your VPAT remarks can reference specific journey test results showing that keyboard-only users can complete critical workflows.
VPAT generation from audit data
Auditi generates Section 508 VPATs from your journey test results. Each WCAG criterion is mapped to your audit findings, with conformance levels and remarks populated from actual test data. This eliminates the manual process of translating test notes into VPAT format.
Multi-standard testing
Federal contractors often sell to both US and European governments. Auditi supports simultaneous testing against WCAG 2.1, WCAG 2.2, WCAG 3.0, FDA 21 CFR Part 11, and EU GMP Annex 11. One audit session produces conformance data for multiple regulatory frameworks.
CI/CD integration for ongoing compliance
Section 508 conformance is not a one-time event. Agency contracts typically require ongoing accessibility. Auditi's API imports results from axe, WAVE, Lighthouse, and pa11y, so automated scanning runs in your pipeline while journey-based manual testing covers the criteria automation cannot reach.
BetterQA, the software testing company that built Auditi, holds ISO 9001, ISO 13485, and NATO NCIA certifications. Their QA engineers test with actual assistive technologies: NVDA, JAWS, VoiceOver, and Dragon NaturallySpeaking.
Section 508 compliance checklist for vendors
Use this checklist before submitting a proposal for federal ICT procurement:
- [ ] Product tested against all 38 WCAG 2.0 Level AA success criteria
- [ ] Testing performed with keyboard-only navigation
- [ ] Testing performed with at least one screen reader (NVDA, JAWS, or VoiceOver)
- [ ] VPAT 2.4 (Section 508 Edition) completed with honest conformance levels
- [ ] VPAT includes specific remarks for all "Partially Supports" and "Does Not Support" entries
- [ ] Critical user journeys tested end-to-end (not just individual pages)
- [ ] Electronic documents (PDFs, Word docs) tested for accessibility
- [ ] Remediation roadmap prepared for any known conformance gaps
- [ ] Testing process documented (tools used, testers, dates, methodology)
- [ ] Accessibility statement published on product website
Frequently asked questions
What is the difference between Section 508 and the ADA? The ADA (Americans with Disabilities Act) is a civil rights law that broadly prohibits discrimination against people with disabilities in public accommodations, employment, and services. Section 508 is a procurement law within the Rehabilitation Act that specifically requires federal ICT to be accessible. The ADA applies to private businesses and state/local governments; Section 508 applies to federal agencies and their vendors. ADA lawsuits typically reference WCAG 2.1 AA as the technical standard, while Section 508 formally adopts WCAG 2.0 AA.
Do I need a VPAT to sell software to the government? In practice, yes. While the VPAT is technically "voluntary," federal acquisition regulations (FAR 39.203) require agencies to ensure ICT accessibility. Procurement officers request VPATs during the evaluation phase, and proposals without them are often excluded or scored lower. The VPAT is your primary mechanism for demonstrating Section 508 conformance.
Does Section 508 apply to mobile apps? Yes. The 2018 refresh applies WCAG 2.0 Level AA to all electronic content and software, including native mobile applications. For mobile apps, this means testing touch targets, screen reader compatibility (VoiceOver on iOS, TalkBack on Android), gesture alternatives, and orientation support. The EN 301 549 Chapter 11 (Software) requirements also apply.
How often should I update my VPAT? Update your VPAT with every major product release that changes functionality, user interface, or content structure. At minimum, review and update annually. A VPAT dated three years ago for a product that has had multiple releases signals to procurement officers that accessibility is not being actively maintained. Auditi tracks conformance across product versions so you can identify what changed between releases.
What happens if my product is not fully Section 508 compliant? Partial conformance does not automatically disqualify you from federal contracts. Agencies evaluate accessibility alongside other factors (cost, technical capability, schedule). A VPAT that honestly documents "Partially Supports" with specific remediation timelines is more credible than one that falsely claims full support. However, agencies may require remediation as a contract condition, and significant non-conformance can be grounds for contract termination.
Can automated scanning alone satisfy Section 508 testing requirements? No. Automated tools (axe, WAVE, Lighthouse) cover approximately 30-40% of WCAG success criteria, according to research by the UK Government Digital Service. The remaining criteria require manual testing: keyboard navigation, screen reader behavior, cognitive accessibility, and dynamic content interactions. The DHS Trusted Tester process explicitly combines automated inspection with manual evaluation. Federal agencies increasingly reject VPATs based solely on automated scan results.
Getting started with Section 508 testing
If you sell or plan to sell ICT products to US federal agencies, Section 508 compliance is a procurement requirement, not an optional feature. The testing methodology is well-defined through the Trusted Tester process, and the documentation format (VPAT) is standardized.
Start by identifying your product's critical user journeys and testing them against WCAG 2.0 Level AA. Use automated tools for the criteria they can detect, and supplement with manual testing for everything else. Document your findings in a VPAT 2.4 Section 508 Edition, and update it with each major release.
Auditi provides the structured testing workflow that maps to Trusted Tester methodology, generates Section 508 VPATs from your audit data, and tracks conformance across releases. For government contractors who need to demonstrate ongoing compliance, this replaces ad-hoc spreadsheets and manual VPAT authoring with an auditable, repeatable process. Federal procurement also requires security authorization (FedRAMP, FISMA): BetterQA's AI Security Toolkit runs 30+ security tools (SAST, DAST, SCA, secrets detection) to complement accessibility testing with vulnerability assessments in the same workflow.
Built by BetterQA, a software testing company with ISO 9001, ISO 13485, and ISO 27001 certifications. Clutch-rated 4.9/5 from 63 verified reviews.
© 2026 Auditi. A BetterQA project. | auditi.ro