ITAC-16

Do you have documented processes and procedures for implementing accessibility into your development lifecycle?

Explanation

This question is asking whether your organization has formalized processes for incorporating accessibility considerations into your software development lifecycle (SDLC). Accessibility refers to designing and developing products that can be used by people with disabilities, including visual, auditory, physical, speech, cognitive, and neurological disabilities.

Why this is asked in a security assessment:

1. Compliance: Many organizations must comply with accessibility laws and regulations like the Americans with Disabilities Act (ADA), Section 508, or Web Content Accessibility Guidelines (WCAG).
2. Risk management: Failing to address accessibility can lead to legal risks, reputational damage, and exclusion of potential users.
3. Integration with development: Like security, accessibility is most effective and efficient when built in from the beginning rather than added at the end.

The guidance is asking you to explain:

- When accessibility considerations enter your development process (early vs. late)
- How accessibility is incorporated into your development methodology (e.g., Agile)
- Whether your external reporting on accessibility aligns with your internal development approach

To best answer this question:

1. Be specific about documented processes that exist
2. Explain where in the SDLC accessibility is considered
3. Describe tools, testing methods, and standards you follow
4. Mention any training developers receive
5. Explain how you track and report on accessibility compliance

Guidance

Describe where accessibility falls in the development and product lifecycle. Is it at the beginning of your project development or after the product is otherwise complete before launch? Do you incorporate accessibility in your development methods, such as Agile scrums? Does your customer-facing accessibility reporting match your development processes (i.e., Agile methods are best represented using a roadmap and timeline; revised VPAT/ACRs provide a snapshot in time of a given release)?

Example Responses

Example Response 1

Yes, our organization has comprehensive documented processes for implementing accessibility throughout our development lifecycle. Accessibility requirements are incorporated at the beginning of each project during the requirements gathering phase. Our Product Requirements Documents (PRDs) include a specific section for accessibility requirements based on WCAG 2.1 AA standards. During our Agile development process, each sprint includes accessibility-related user stories and acceptance criteria. Our development teams use a combination of automated tools (Axe, WAVE) and manual testing procedures documented in our Accessibility Testing Handbook. We conduct accessibility reviews at three key points: design review, pre-implementation review, and pre-release validation. All developers and designers complete mandatory accessibility training annually, and we have designated Accessibility Champions on each team who receive advanced training. We maintain a public-facing Voluntary Product Accessibility Template (VPAT) that is updated with each major release, and we publish an accessibility roadmap that aligns with our quarterly release schedule to communicate ongoing improvements to our customers.

Example Response 2

Yes, we have established accessibility processes integrated into our development lifecycle. Accessibility is addressed from the initial design phase through a formal checklist of requirements based on WCAG 2.1 standards. In our waterfall development methodology, we have specific accessibility checkpoints at each stage gate: requirements review, design review, code complete, and pre-release testing. Our QA team uses a combination of automated scanning tools and manual testing procedures outlined in our Accessibility Compliance Manual. We maintain a dedicated accessibility testing environment with various assistive technologies, including screen readers, magnification tools, and alternative input devices. Our development team receives accessibility training during onboarding and refresher courses annually. We document all accessibility findings in our defect tracking system with specific severity ratings for accessibility issues. For customer-facing documentation, we publish a comprehensive Accessibility Conformance Report (ACR) with each major version release that provides point-in-time compliance information, along with documentation of any exceptions and remediation timelines.

Example Response 3

No, we do not currently have formalized processes for implementing accessibility in our development lifecycle. While we recognize the importance of accessibility, our current approach is more reactive than proactive. We typically address accessibility concerns after the core functionality is developed and only if specifically requested by customers. Our developers have some awareness of accessibility best practices but have not received formal training. We do not currently incorporate accessibility requirements into our user stories or acceptance criteria in our Agile process. We are planning to improve in this area by developing formal accessibility guidelines and integrating them into our development process within the next 6-12 months. In the meantime, we conduct limited accessibility testing before major releases using basic automated tools, but we do not have a comprehensive testing protocol or documentation process. We do not currently maintain a VPAT or other formal accessibility documentation for customers.

Context

Tab: IT Accessibility
Category: IT Accessibility

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub