HECVAT Category
IT Accessibility
The IT Accessibility category groups the controls and questions that address IT accessibility. It outlines the expectations institutions typically require vendors to meet, helps assess risk posture and operational maturity, and gives security reviews a consistent structure for evaluation.
Assessment Questions
Solution Provider Accessibility Contact Name
This question is asking for the name of the designated person at your organization who serves as the point of contact for accessibility-related inquiries and issues. IT accessibility refers to ensuring that technology products and services can be used by people with disabilities. This contact person would typically be responsible for addressing questions about how your solution complies with accessibility standards (like WCAG, Section 508, ADA requirements, etc.).
Solution Provider Accessibility Contact Title
This question is asking for the job title of the person at your organization who serves as the primary contact for IT accessibility matters. IT accessibility refers to ensuring that your software, services, or products can be used by people with disabilities, including those with visual, auditory, physical, speech, cognitive, and neurological disabilities.
Solution Provider Accessibility Contact Email
This question is asking for the email address of the person or team responsible for accessibility concerns at your organization. IT Accessibility refers to ensuring that technology products and services can be used by people with disabilities. This contact would be responsible for addressing questions about how your solution meets accessibility standards (like WCAG, Section 508, ADA compliance, etc.).
Solution Provider Accessibility Contact Phone Number
This question is asking for the phone number of the person or team responsible for accessibility concerns at your organization. IT Accessibility refers to ensuring that technology products and services can be used by people with disabilities.
Web Link to Accessibility Statement or VPAT
This question is asking for a web link to your organization's Accessibility Statement or Voluntary Product Accessibility Template (VPAT).
Has a VPAT or ACR been created or updated for the solution and version under consideration within the past 12 months?
This question is asking whether your organization has created or updated a Voluntary Product Accessibility Template (VPAT) or Accessibility Conformance Report (ACR) for the specific version of your software solution that's being assessed, and whether this was done within the past 12 months.
Will your company agree to meet your stated accessibility standard or WCAG 2.1 AA as part of your contractual agreement for the solution?
This question is asking whether your company will contractually commit to meeting either your own stated accessibility standards or the Web Content Accessibility Guidelines (WCAG) 2.1 AA standards for the solution you're providing.
Does the solution substantially conform to WCAG 2.1 AA?
This question is asking whether your software solution complies with the Web Content Accessibility Guidelines (WCAG) 2.1 at the AA level of conformance.
Do you have a documented and implemented process for reporting and tracking accessibility issues?
This question is asking whether your organization has a formal, documented process specifically for handling accessibility issues in your software or services. Accessibility refers to how usable your product is for people with disabilities (visual, hearing, motor, cognitive, etc.).
Do you have documentation to support the accessibility features of your solution?
This question is asking whether your organization provides documentation that explains the accessibility features of your solution and how to use them. Accessibility features are those that make your product usable by people with disabilities, including visual, auditory, physical, speech, cognitive, language, learning, and neurological disabilities.
Has a third-party expert conducted an audit of the most recent version of your solution?
This question is asking whether your organization has engaged an independent third-party expert to conduct an accessibility audit of your solution's most recent version.
Do you have a documented and implemented process for verifying accessibility conformance?
This question is asking whether your organization has a formal, documented process for ensuring that your IT products and services meet accessibility standards, and whether you actually follow this process in practice.
Have you adopted a technical or legal standard of conformance for the solution?
This question is asking whether your solution (software, application, or service) adheres to recognized accessibility standards that ensure people with disabilities can effectively use your product. IT accessibility refers to designing technology that can be used by people with various disabilities, including visual, auditory, physical, speech, cognitive, and neurological disabilities.
Can you provide a current, detailed accessibility roadmap with delivery timelines?
This question is asking whether your organization has a documented plan (roadmap) for improving the accessibility of your IT systems or products, with specific timelines for when these improvements will be delivered.
Do you expect your staff to maintain a current skill set in IT accessibility?
This question is asking whether your organization requires and supports your staff in maintaining up-to-date knowledge and skills related to IT accessibility. IT accessibility refers to ensuring that technology products and services can be used by people with disabilities.
Do you have documented processes and procedures for implementing accessibility into your development lifecycle?
This question is asking whether your organization has formalized processes for incorporating accessibility considerations into your software development lifecycle (SDLC). Accessibility refers to designing and developing products that can be used by people with disabilities, including visual, auditory, physical, speech, cognitive, and neurological disabilities.
Can all functions of the application or service be performed using only the keyboard?
This question is asking whether the application or service can be fully operated using only a keyboard, without requiring a mouse, touchscreen, or other pointing device. This is a fundamental accessibility requirement that ensures users with motor disabilities or those who cannot use pointing devices can still access all functionality.
Does your product rely on activating a special "accessibility mode," a "lite version," or using an alternate interface (including "overlay" or AI-based alternates) for accessibility purposes?
This question is asking whether your product requires users to activate a special mode or use an alternative interface to access accessibility features, rather than having accessibility built into the core product experience.

