Federal accessibility law

Section 508 compliance, explained.

Section 508 of the US Rehabilitation Act requires federal agencies, contractors, and recipients of federal funds to make information and communication technology (ICT) accessible. This guide covers scope, the 2017 Refresh, WCAG mapping, testing methods, and the VPAT/ACR procurement workflow.

In this guide

  1. 01What is Section 508
  2. 02Who must comply
  3. 03How Section 508 maps to WCAG
  4. 04How Section 508 conformance is tested
  5. 05VPAT, ACR, and the procurement workflow
  6. 06What happens if you don't comply
  7. 07A practical Section 508 conformance checklist

What is Section 508

Section 508 of the Rehabilitation Act of 1973 (29 U.S.C. § 794d), enacted by amendment in 1998, requires federal agencies to make their electronic and information technology accessible to people with disabilities. The standards are issued by the US Access Board.

The current standards — the Section 508 Refresh, in effect since January 2018 — incorporate WCAG 2.0 Level A and AA by reference, harmonized with the EU's EN 301 549 standard. The Access Board has not yet adopted WCAG 2.1 or 2.2 formally, but federal procurement increasingly references the newer versions as a best practice.

Section 508 covers four ICT categories:

  • Web content — websites, intranets, web applications.
  • Software — native applications, mobile apps.
  • Hardware — kiosks, ATMs, multifunction devices.
  • Documents — PDFs, Word documents, presentations, spreadsheets.

Who must comply

  • Federal agencies — All executive branch agencies must conform when developing, procuring, maintaining, or using ICT.
  • Federal contractors — Any vendor selling ICT to a federal agency must demonstrate Section 508 conformance through a VPAT/ACR.
  • Federally funded entities — Recipients of federal funds (universities, healthcare, state/local programs receiving federal grants) are required by their funding agency's implementing rules.
  • State governments — Many states have parallel laws ("mini-508s") referencing Section 508 or WCAG directly. Notable examples: California (Gov. Code § 7405), New York, Texas, Minnesota.

Section 508 itself does not create a private right of action — citizens cannot sue under it directly. Enforcement is administrative (through federal procurement reviews) and via Section 504 (program accessibility) which does allow private complaints.

How Section 508 maps to WCAG

The 2017 Refresh adopted WCAG 2.0 Level A and AA in full as the technical requirements for web content and software. This means:

  • Every WCAG 2.0 A and AA success criterion is also a Section 508 requirement.
  • WCAG 2.1 and 2.2 are not yet adopted, but federal RFPs increasingly request 2.1 AA conformance.
  • EN 301 549 (EU equivalent) is functionally harmonized with Section 508 Refresh — a single audit covers both.

AccessProof scans against WCAG 2.2 (a superset of 2.0 and 2.1) and explicitly cross-references each finding to Section 508 and EN 301 549 in every report.

How Section 508 conformance is tested

Section 508 conformance testing follows a three-layer approach:

Automated testing

Tools like AccessProof, axe-core, Pa11y, or Lighthouse run rule-based scans against the DOM. Roughly 30-40% of WCAG criteria are reliably automatable — color contrast, alt-text presence, ARIA validity, parsing, basic keyboard order. The remainder require manual or semi-automated testing.

Manual testing

Specialists use assistive technology — screen readers (JAWS, NVDA, VoiceOver), keyboard-only navigation, voice control — to test workflows. Visual and cognitive criteria (focus visibility quality, error prevention, motion alternatives) are evaluated.

User testing

Sessions with disabled users testing actual workflows. Required for high-stakes interactions (admissions forms, benefit applications, payment flows) and recommended for major releases.

The Trusted Tester Certification Program (run by the Department of Homeland Security) trains and certifies federal employees to perform Section 508 conformance testing using a standardized methodology.

VPAT, ACR, and the procurement workflow

The VPAT (Voluntary Product Accessibility Template) is the standardized document vendors use to report Section 508 conformance. The current version (VPAT 2.5 Rev 508, published by ITI) covers Section 508, WCAG 2.1, EN 301 549, and Section 504.

An ACR (Accessibility Conformance Report) is the completed VPAT for a specific product version. It typically includes:

  • Product name, version, vendor info.
  • Evaluation methods used (automated, manual, user testing).
  • For each applicable criterion: conformance level (Supports / Partially Supports / Does Not Support / Not Applicable / Not Evaluated).
  • Remarks and explanations for partial or non-support.

The audit substance — per-element findings, WCAG criterion mapping, dated evidence — feeds directly into the ACR. AccessProof's timestamped PDFs are designed to drop into the ITI VPAT template as the underlying conformance evidence.

In federal procurement, an ACR is typically a contract deliverable. Vendors with current ACRs win RFPs against vendors that cannot produce one.

What happens if you don't comply

Section 508 itself is enforced through procurement and administrative channels, not private litigation:

  • Federal procurement reviews — agencies can reject deliverables or withhold payment for non-conforming ICT.
  • GAO bid protests — competitors can challenge contract awards on Section 508 grounds.
  • Section 504 complaints — citizens can file complaints with the Office for Civil Rights (HHS) or with the funding agency directly. Section 504 has been the basis for private lawsuits and OCR resolution agreements.
  • ADA Title II / III parallel claims — for state-funded entities and contractors with public-facing websites, ADA exposure is independent and broader.

Practical penalty: lost contracts, OCR resolution agreements requiring remediation timelines, reputational cost in the federal market.

A practical Section 508 conformance checklist

  1. Identify scope — list every public-facing site, app, and document that's federally funded or sold to a federal customer.
  2. Run baseline automated scans — AccessProof or equivalent across every site. Document findings with dates.
  3. Triage by severity — critical and serious WCAG violations first; moderate and minor scheduled into normal sprints.
  4. Manual review on high-stakes flows — authentication, forms, payment, search.
  5. Produce a current VPAT/ACR — use the ITI VPAT 2.5 template; populate with audit data.
  6. Establish a remediation cadence — schedule automated scans weekly or per-deploy; archive PDFs as the audit trail.
  7. Train your team — Trusted Tester certification for in-house testers; design-system accessibility tokens for engineers.
  8. Maintain — VPATs need updates when products change materially. Re-run audits on every major release.
How AccessProof helps

Get a defensible Section 508 audit in 42 seconds.

Vendored axe-core 4.9.1 — same engine GOV.UK, W3C, and Deque use

Timestamped PDF with WCAG criterion citations + element selectors

Cross-mapped to WCAG 2.2 AA, Section 508, EN 301 549

Scheduled audits weekly or daily for ongoing remediation record

Zero JS on your site — read-only external scanner

REST API + CI/CD gate for shift-left compliance

Start free auditTry free scanner — no signup
FAQ

Section 508 questions.

Is Section 508 the same as ADA Title III?

No. Section 508 governs federal procurement and use of ICT. ADA Title III governs places of public accommodation (commercial businesses). For a federal contractor with a public-facing commercial site, both apply: Section 508 for the federally procured tools, Title III for the public website. The technical standard (WCAG) is the same; the legal frameworks and remedies differ.

Does Section 508 apply to my private SaaS company?

Only if you sell to a federal agency or receive federal funds. If you do, you'll need a VPAT/ACR to participate in procurement. If you don't, Section 508 doesn't apply directly — but ADA Title III likely does for your public-facing site, and the underlying WCAG conformance is the same.

How current does my VPAT need to be?

There's no statutory expiration, but federal procurement teams typically expect a VPAT updated within the last 12-18 months and reflecting the product version being purchased. For products with frequent releases (typical SaaS), running automated audits per major version and updating the VPAT annually is the de-facto standard.

Can AccessProof produce a complete VPAT for me?

AccessProof produces the audit evidence — timestamped PDF, per-element selectors, WCAG criterion mapping — that goes into a VPAT. Many teams paste the data directly into the ITI VPAT 2.5 template and add the narrative sections (evaluation methods, remarks) themselves. We do not currently sell VPAT formatting as a service; we focus on producing the underlying audit that makes the VPAT defensible.

Does Section 508 cover PDF documents?

Yes. PDFs published on federal sites must conform to the Section 508 standards for documents — tagging structure, alternative text, reading order, table structure. Acrobat Pro's accessibility checker, PAC (PDF Accessibility Checker), and CommonLook are the standard tools. AccessProof flags inaccessible-PDF link patterns on web pages but does not audit the PDFs themselves; PDF remediation is a separate workflow.