Section 508 testing guide for government contractors and vendors

Section 508 of the Rehabilitation Act requires all information and communication technology (ICT) developed, procured, maintained, or used by federal agencies to be accessible to people with disabilities. Since the 2018 refresh, Section 508 technical standards directly reference WCAG 2.0 Level AA as the baseline for web content, software, and electronic documents.

For vendors and contractors, this means one thing: if you sell technology to the US federal government, your product must conform to Section 508. No conformance, no contract. The US federal government spent over $100 billion on IT in fiscal year 2024, according to the Federal IT Dashboard maintained by the Office of Management and Budget. That makes Section 508 compliance not just a legal obligation but a significant market access requirement.

What the 2018 refresh changed

Before 2018, Section 508 used its own technical standards, which were separate from WCAG and difficult to map to modern web technologies. The US Access Board published the final rule in January 2017 (effective January 2018) that replaced the original 1998 standards with a framework aligned to EN 301 549, the European accessibility standard.

Key changes in the refresh:

| Before 2018 | After 2018 (current) | |---|---| | Separate technical standards for web, software, telecom | Unified ICT framework based on EN 301 549 | | Web: Section 508 specific criteria | Web: WCAG 2.0 Level AA (38 success criteria) | | Software: functional performance criteria only | Software: WCAG 2.0 AA applied to software + additional requirements | | Documents: limited requirements | Documents: WCAG 2.0 AA applied to electronic documents | | No authoring tool requirements | Authoring tools must support accessible content creation |

Source: US Access Board, "Information and Communication Technology (ICT) Standards and Guidelines," 82 FR 5790 (January 18, 2017).

Who must comply

Section 508 applies to federal agencies and, by extension, to anyone who provides ICT to them:

The General Services Administration (GSA) manages the government-wide Section 508 program through Section508.gov. GSA publishes testing guidance, procurement language templates, and conformance reporting tools.

Section 508 technical requirements mapped to WCAG

The following table maps Section 508 functional categories to the corresponding WCAG 2.0 Level AA success criteria:

| Section 508 requirement area | WCAG 2.0 criteria | Example tests | |---|---|---| | Perceivable: text alternatives | 1.1.1 Non-text Content | Images have alt text; CAPTCHAs have alternatives | | Perceivable: captions and audio descriptions | 1.2.1-1.2.5 Time-based Media | Videos have captions; audio descriptions available | | Perceivable: adaptable content | 1.3.1-1.3.3 Adaptable | Semantic HTML; meaningful sequence; sensory-independent instructions | | Perceivable: distinguishable content | 1.4.1-1.4.5 Distinguishable | 4.5:1 contrast ratio; text resizable to 200%; no images of text | | Operable: keyboard accessible | 2.1.1-2.1.2 Keyboard | All functionality available via keyboard; no keyboard traps | | Operable: enough time | 2.2.1-2.2.2 Enough Time | Adjustable time limits; pause/stop/hide moving content | | Operable: seizure prevention | 2.3.1 Seizures | No content flashing more than 3 times per second | | Operable: navigable | 2.4.1-2.4.7 Navigable | Skip links; descriptive page titles; focus visible | | Understandable: readable | 3.1.1-3.1.2 Readable | Page language declared; language of parts identified | | Understandable: predictable | 3.2.1-3.2.4 Predictable | No unexpected context changes on focus or input | | Understandable: input assistance | 3.3.1-3.3.4 Input Assistance | Error identification; labels/instructions; error prevention | | Robust: compatible | 4.1.1-4.1.2 Compatible | Valid HTML parsing; name/role/value for UI components |

For non-web software and electronic documents, Section 508 applies WCAG 2.0 AA criteria with modifications. Chapter 5 of EN 301 549 adds platform-specific requirements for closed functionality, biometric authentication, and hardware.

The VPAT: your procurement passport

The Voluntary Product Accessibility Template (VPAT) is the standard document vendors use to communicate their product's conformance status. Despite the word "voluntary" in the name, submitting a VPAT is effectively required for federal procurement. Agencies use VPATs during the evaluation phase of acquisitions to compare vendors on accessibility.

The current version is VPAT 2.4 (published by the Information Technology Industry Council). It comes in four editions:

| VPAT edition | Covers | When to use | |---|---|---| | Section 508 Edition | Revised Section 508 standards | US federal procurement only | | EU Edition | EN 301 549 | European public procurement | | WCAG Edition | WCAG 2.x Level AA | Private sector or international | | International Edition | All three above | Products sold globally |

For US government sales, use the Section 508 Edition at minimum. If you also sell to European governments, use the International Edition.

What a VPAT contains

For each applicable WCAG criterion:

A VPAT with "Supports" across all criteria and no explanatory remarks is a red flag to procurement officers. Honest, detailed VPATs with "Partially Supports" entries and clear remediation timelines are more credible than suspiciously perfect ones.

The federal procurement process

Here is how Section 508 fits into federal IT procurement:

The Trusted Tester process

The Department of Homeland Security (DHS) developed the Trusted Tester Process as a standardized methodology for evaluating Section 508 conformance. Version 5.x is the current release and aligns with the 2018 refresh requirements.

What makes Trusted Tester different from ad-hoc testing

Trusted Tester certification

To become a DHS Trusted Tester, individuals complete the DHS Section 508 training course and pass the certification exam. The training covers:

Federal agencies increasingly require that accessibility testing be performed by certified Trusted Testers or follow the Trusted Tester methodology.

The "undue burden" exception

Section 508 includes an exception for "undue burden," but this is far narrower than most vendors assume. The standard states that compliance is not required when it would impose a "significant difficulty or expense" on the agency.

Critical points about undue burden:

In practice, agencies rarely invoke this exception because the documentation and approval requirements are significant, and the alternative access obligation remains.

How Auditi supports Section 508 testing

Auditi is built specifically for structured accessibility compliance testing, which aligns directly with how Section 508 conformance works.

Journey-based testing for real user scenarios

The Trusted Tester process evaluates how users actually interact with software, not just individual page states. Auditi's journey-based testing approach maps to this methodology: you define user flows (login, form submission, data retrieval, report generation) and test each step against WCAG criteria.

This produces evidence that directly feeds into VPAT documentation. Instead of "we ran an automated scan," your VPAT remarks can reference specific journey test results showing that keyboard-only users can complete critical workflows.

VPAT generation from audit data

Auditi generates Section 508 VPATs from your journey test results. Each WCAG criterion is mapped to your audit findings, with conformance levels and remarks populated from actual test data. This eliminates the manual process of translating test notes into VPAT format.

Multi-standard testing

Federal contractors often sell to both US and European governments. Auditi supports simultaneous testing against WCAG 2.1, WCAG 2.2, WCAG 3.0, FDA 21 CFR Part 11, and EU GMP Annex 11. One audit session produces conformance data for multiple regulatory frameworks.

CI/CD integration for ongoing compliance

Section 508 conformance is not a one-time event. Agency contracts typically require ongoing accessibility. Auditi's API imports results from axe, WAVE, Lighthouse, and pa11y, so automated scanning runs in your pipeline while journey-based manual testing covers the criteria automation cannot reach.

BetterQA, the software testing company that built Auditi, holds ISO 9001, ISO 13485, and NATO NCIA certifications. Their QA engineers test with actual assistive technologies: NVDA, JAWS, VoiceOver, and Dragon NaturallySpeaking.

Section 508 compliance checklist for vendors

Use this checklist before submitting a proposal for federal ICT procurement:

Frequently asked questions

What is the difference between Section 508 and the ADA? The ADA (Americans with Disabilities Act) is a civil rights law that broadly prohibits discrimination against people with disabilities in public accommodations, employment, and services. Section 508 is a procurement law within the Rehabilitation Act that specifically requires federal ICT to be accessible. The ADA applies to private businesses and state/local governments; Section 508 applies to federal agencies and their vendors. ADA lawsuits typically reference WCAG 2.1 AA as the technical standard, while Section 508 formally adopts WCAG 2.0 AA.

Do I need a VPAT to sell software to the government? In practice, yes. While the VPAT is technically "voluntary," federal acquisition regulations (FAR 39.203) require agencies to ensure ICT accessibility. Procurement officers request VPATs during the evaluation phase, and proposals without them are often excluded or scored lower. The VPAT is your primary mechanism for demonstrating Section 508 conformance.

Does Section 508 apply to mobile apps? Yes. The 2018 refresh applies WCAG 2.0 Level AA to all electronic content and software, including native mobile applications. For mobile apps, this means testing touch targets, screen reader compatibility (VoiceOver on iOS, TalkBack on Android), gesture alternatives, and orientation support. The EN 301 549 Chapter 11 (Software) requirements also apply.

How often should I update my VPAT? Update your VPAT with every major product release that changes functionality, user interface, or content structure. At minimum, review and update annually. A VPAT dated three years ago for a product that has had multiple releases signals to procurement officers that accessibility is not being actively maintained. Auditi tracks conformance across product versions so you can identify what changed between releases.

What happens if my product is not fully Section 508 compliant? Partial conformance does not automatically disqualify you from federal contracts. Agencies evaluate accessibility alongside other factors (cost, technical capability, schedule). A VPAT that honestly documents "Partially Supports" with specific remediation timelines is more credible than one that falsely claims full support. However, agencies may require remediation as a contract condition, and significant non-conformance can be grounds for contract termination.

Can automated scanning alone satisfy Section 508 testing requirements? No. Automated tools (axe, WAVE, Lighthouse) cover approximately 30-40% of WCAG success criteria, according to research by the UK Government Digital Service. The remaining criteria require manual testing: keyboard navigation, screen reader behavior, cognitive accessibility, and dynamic content interactions. The DHS Trusted Tester process explicitly combines automated inspection with manual evaluation. Federal agencies increasingly reject VPATs based solely on automated scan results.

Getting started with Section 508 testing

If you sell or plan to sell ICT products to US federal agencies, Section 508 compliance is a procurement requirement, not an optional feature. The testing methodology is well-defined through the Trusted Tester process, and the documentation format (VPAT) is standardized.

Start by identifying your product's critical user journeys and testing them against WCAG 2.0 Level AA. Use automated tools for the criteria they can detect, and supplement with manual testing for everything else. Document your findings in a VPAT 2.4 Section 508 Edition, and update it with each major release.

Auditi provides the structured testing workflow that maps to Trusted Tester methodology, generates Section 508 VPATs from your audit data, and tracks conformance across releases. For government contractors who need to demonstrate ongoing compliance, this replaces ad-hoc spreadsheets and manual VPAT authoring with an auditable, repeatable process. Federal procurement also requires security authorization (FedRAMP, FISMA): BetterQA's AI Security Toolkit runs 30+ security tools (SAST, DAST, SCA, secrets detection) to complement accessibility testing with vulnerability assessments in the same workflow.


Built by BetterQA, a software testing company with ISO 9001, ISO 13485, and ISO 27001 certifications. Clutch-rated 4.9/5 from 63 verified reviews.

© 2026 Auditi. A BetterQA project. | auditi.ro