VPAT 2.0: Accessibility Compliance Reporting (IS AWESOME)

Okay folks, we’re going to go ahead and kick off the second to last presentation so work your way back to your seats Before we talk about the exciting topic of VPAT I first want to promote something and if I’m describing you this is your event. If you wake up at 1:30 in the morning and you realize that you’re just itching itching for some accessibility knowledge at 1:30 in the morning or you want to know a little bit more about inclusive design, well we’ve got the event for you October 11th 2018 we’re gonna have our inclusive Design #ID24 this is a completely free 24 1 hour webinars that are live, so whether you wake up at 6:00 in the morning or 2:00 in the afternoon, whatever your lifestyle is, there’s going to be plenty of content for you – so we just encourage you to check that out. It’s also www.inclusive design24. org. My name is Matt Feldman, I’m the director of services at The Paciello Group and when we decided to pull this together I was asked to speak. I thought to myself, “well what would the crowd really go crazy for” and I decided well if I just throw the word AWESOME at a title and then I throw the word awesome inside all its gonna fill the room. So the VPAT 2.0 accessibility compliance reporting is awesome! I’ve been doing this for about two decades and somebody earlier (Brooke) told me that I’m part of the old crew so I’m proud of being part of the old crew Today I’m promoting my avatar I decided to try to do my hair as close as possible but it was raining I apologize for that. Today we’ve got a fairly aggressive outline here. I’ll try to cover as much as I can before we can really kind of dig into the topic. We’re going to talk a little bit about the history, we’re gonna talk about some terminology changes, we’re gonna talk to the structure of the updated VAPT 2.0 template, and the output We’re gonna talk about more overview of the different pieces of content that would be within a VPAT, we’re going to talk about some internal preparation that your organization to do before you even tackle trying to fill one of these bad boys out because it is over 44 pages We’ve been offering clients VPATs in this new format since January, so we also have some lessons learned that we’d be happy to share with you based on some of those conversations we’ve had with clients. Then I’ve got some resources at the end. Now the other bonus of having awesome in the title of your presentation is the opportunity to throw in funny instances so pay attention because I have interlaced in my content some other slides of what I think are awesome things. Okay, so we’re gonna look at the history first. This is probably something many of you are familiar with I started my career in 1999 and in 1998 the Congress amended the Rehabilitation Act of 1973 to include the requirement for section 508, which was against electronic and information technology. In 2000 the US access board developed technical standards for NIT that would benefit hopefully meeting the needs of people with disabilities. 2001 ITI, GSA and Department of Justice partnered to develop the original VPAT format. This was this was essentially developed because procurement officers had to determine well what is the most compliant product that meets my business needs and we didn’t really have a way to do that. So the partnership of these three organizations resulted in the original VPAT format In 2006 when they recognized that the original standards just weren’t holding up. Technology moves at a pretty fast pace and we established the Telecommunications and Electronic and Information Technology Advisory Committee to start the process of developing the section 508 refresh – revised section 508. I should note that came later really when they released the final

rule January 9th 2017. I’m sure you guys all had banners and balloons and confetti as I did in my office that day And then in October of 2017 ITI released the updates of VPAT which was version 2.0. January 18 2018 is when we had delayed compliance date for section 508. Hopefully today everyone in the room is following the revised section of 508 requirements. If fully comfortable with them, they understand them in their methodology they’re in the documentation You’re all with me. And the the reign of VPAT 2.0 is short it’s now VPAT 2.1 there was some small updates to section 508 which resulted in some updates to the template. So henceforth, I’m gonna start to refer to this as a VPAT 2.X because I’m sure this is going to be some additional changes in the near future Thank you for going back in time with me As a kid here we have the DeLorean. The DeLorean is awesome okay? This was my dream car so from Back to the Future and today I still cannot buy this car. I don’t know where it lives but it’s still awesome. Ok terminology and structure. Cookie Monster loves VPATS as well and Cookie Monster tell us tells us that V is for voluntary. So just a reminder that this was initially a voluntary document. It has since then become an expected deliverable. So as as wonderful as VPAT is intended to be voluntary it’s something that’s that’s required really it’s something that’s being requested and it’s it’s becoming an integral aspect of your organization. The big change really is that we kind of refer to it as a VPAT (we probably will for years and years and years) but what’s really important is the accessibility compliance report that is generated as a result of following this template. So when you think of the VPAT in its new format think of the VPAT overall as a template and the output when that template is completed as your accessibility compliance report. And this is really what you’re delivering. So as a matter of fact you can actually delete the first couple pages of the VPAT which includes instructions and other details because what you’re really looking to deliver and post on your website is that accessibility compliance report. Now it’s okay if you still called a VPAT I’m not gonna tell anybody. Let’s look at the original VPAT format so this will give us some perspective where we are. We had the VPAT established in 2001 at that time it was 18 pages long Of course it was developed around the original section 508 technical standards It has been discontinued so if your organization is still using this we need to talk after the after the presentation It is discontinued. The template included details like the product name, the date, contact information It had a summary table kind of summarizing all your results as well as detailed tables for each of the provisions – the section 508 technical provisions. And it only included one standard which was section 508. So that was kind of the foundation for the template. So a lot of changes have occurred since then. One, and I’ve tried to do this throughout my presentation I encourage you as well we got our hand slapped because our website did include a federal registered service mark. Anytime you mentioned the VPAT or voluntary product accessibility template you need to include that now it is it is a registered partly to protect the consistency of the template. ITI and others have put a lot of work into it and they want to protect that. Some of the key changes include expanded instructions and best practices for authors. All together I think it’s nine pages of instructions, and there’s some pretty good stuff in there and I’m sure that that will continue to evolve There are are also some expanded standards and guidelines. I’m gonna look at those a little more detail in just a moment. Probably my favorite aspect or change here is the inclusion of evaluation methods used. This is an opportunity for some accountability. In the past it was common for VPATs to be generated or developed by somebody that had no knowledge of the product. Perhaps they were a sales person that

was told to create this because it was required to compete for an RFP or something. So this at least has some accountability where you you have to document or explain what your methodology is to actually come up with the with the details within the within the report itself. So I’ve got a slide later that I’ll talk a little bit about this some of the things you should be including in that section. And then finally you have a place for an optional legal disclaimer. This is really a legal document if you are communicating to a federal agency that your product is fully compliant. Well is it though? I mean that the real challenge now is I think people have have recognized that the accurate document the next problem we have to solve is well there’s not a whole lot of fully compliant solutions out there so how can we leverage as an industry and and actually use this document to drive innovation? And make these things more accessible? So I’ll talk a little bit about that later But here’s the way that visually the the excessively conformance report is broken out: this would assume that the instructions and everything was removed so this would actually be what the organization looks like after it was completed. So the title page should include your product as well as perhaps a company logo branded in addition to the product name version, and date, which are all extremely important by the way Many of us have different versions; hopefully you’re including that version As your product evolves so should your VPAT associate your documentation. So hopefully if if a federal agency receives a VPAT it has no version no date maybe they should ask for that because this will also enforce and you know require these these organizations to keep all of this stuff up to date and to ensure that they’re constantly testing and improving upon the accessibility of these products. There is an option here for a description we’ve done some VPATs recently for some android and native iOS mobile applications so there’s a place where you can list some of that information There’s a place of course for contact information and this should be somebody that can speak to the content within the VPAT. This should not be a salesperson this should not be a general person that you can contact within the company. If you have questions around the the remarks they’re supporting some of their determinations. This is the person that you should be be able to reach out to. They should be knowledgeable about the VPAT its content so that you have somebody to get answers from. And then the other piece there which I’ll talk about is the evaluation methods used. Now because we are introducing multiple guidelines and standards here, we have a new table so that you can document within that within that report which which standards you are detailing. You will see there that it is broken into three possible additional sub reports. I guess is what we’ll call them. You’ve got one for WCAG2.0 one for system revised section 508 and for EN 301 4059 and I’m gonna tell you what that means later. And then of course you have a legal disclaimer at the bottom as well. Here you get a peek at the update to 508 where we move from subparts the chapters so you can see that reflected here. And then just to highlight this, WCAG2.0 is broken into three levels: single A, double-A and triple-A. Both 508 and the European excessively requirements only require a single-A and double-A but it’s possible that you want to document the compliance against triple-A we haven’t had that request yet but it’s nice to have. So let’s talk a little bit about the valuation methods.This should be a description of what evaluation methods were used to complete the VPAT. I think this is the most important thing to prepare you to actually take on this challenge. It requires that you have a clear understanding of all the requirements that you’re documenting against. It requires that you have a process in place for your employees that are doing these audits. So there’s a lot there’s actually a lot of legwork involved to even be able to complete this portion of the report. This should include or could include things like the testing tools you took advantage of. For example we use the color contrast analyzer to test for a number of requirements. perhaps you use a web developer toolbar or other specific accessibility tools Assistive technology. Do you use assistive technology in your testing process? You should list that as well. For

The Paciello Group when we work with a client one of the things we like to define upfront is well what browsers what browser combination is we want to use, what operating system we want to specifically test with. All this information is relevant and should be included in your evaluation methods, so you can point back to a time in a place when all this occurred. And then additionally, testing methodology Hopefully this is also something we’re gonna see more people incorporate I don’t know Microsoft this year I thought they were earlier but um we I I I’m picking on I’m not taking on them I’m actually highlighting them in that they they they list the DHS trusted tester methodology on a lot of their VPATs which is a publicly available methodology you can go and research it look into today. So hopefully as your organization evolves their methodology to do these tests, I would encourage you to include enough detail so that procurement officers get a sense that you know what you’re talking about. This is this is your opportunity to really kind of promote your accessibility program, promote your methodology, and and make sure that before they even get into reading about well this is support or not support you know can I can I trust the authenticity of this? Can I trust the methodology? So I talked about the expanded guidelines. So standard EN 301 549 is the accessibility requirements for ICT products and services in Europe you’ve got the revised 508 from 2017, and then you got WCAG 2.0. So WCAG 2.0 was released in 2008 so I think we’re running on a decade here so it’s actually stood the test of time. WCAG 2.1 is right around the corner, but it is the one thing that really ties together many of the policies around accessibility globally. So on this slide I’ve got a globe in the background and you can see seventeen different policies and laws across a variety of countries.This ranges from Australia to Italy to Ireland to the United States of course New Zealand. So WCAG2.0 has established itself. It is a decade old and the US was a little late to that party but we got on board and I will be very interested to see what happens when WCAG 2.1 is more broadly used and see how that impacts things I’m not going to give a session on WCAG here you can talk to Billy about a course if you’d like later. It was developed by the W3C the world wide web consortium. It’s got three different levels there and it’s organized by four different principles: you’ve got perceivable, operable, understandable, and robust. Okay so I’m a dog lover okay Chris knows this I’ve actually babysat his dog before, I’m trying to convince my wife and we need to get a dog and I found this photo. This isn’t necessarily a dog I want. We’ve got a dog here with a gray sweatshirt on and a yellow beanie. I don’t know if he lives in Alaska I know what his situation is but he’s pretty cool all right This dog is awesome. I wanted to talk a little bit more about the detailed tables within the VPAT or within the accessibility compliance report format This is the meat of of your report and this is this is where all those pages come into play because you’ve got you’ve got depending on how you want to document this you could have multiple standards, multiple guidelines, and each one should include a table row that has information supporting a conformance level. so here we have an example on the right-hand side. We’ve got WCAG 2.0 level A and this is for one one one non-text content. Now because WCAG overlaps all these the other guidelines you can actually save a little time in that you can list the different portions of a European and section 508 where this overlaps. So here you are documenting it one time, but there is overlap to these other guidelines. The conformance levels have expanded just a little bit, not a whole lot, we still have a fully supports I would expect if you determine that it fully supports there are no accessibility problems against that particular criteria, I would hope. If there are one or two problems but for the most part most of your application or product is accessible against that criteria it can be supports with exceptions. Does not

support would be a scenario where you’ve got many issues; many documented issues in an audit and you of course recognize that you got some work to do to really consider yourself some level of supports. There there are many instances where it’s possible we have non- applicable based on your product. One of the big changes with section 508 is we shifted from organising things by categories, so is it is it a website or is it a telephone as the telecommunications, is it you know, all of that is blurred at this point so now we are focused on what does it do. It’s not what it is it’s what it what can it do So hopefully we’ll have some sustainability in the future because there’s always going to be you know what does it do and we can we can document that accordingly. The new one is not evaluated. This is different than not applicable. Not evaluated in this is the example here’s is WCAG 2.0 Triple A So we’ll talk a little bit more about that the need for this later but there is a conformance level of not evaluated for that particular reason. I want to show you an example of a result of a VPAT that we we developed for a client This is again one one one to be consistent and in this scenario we determined that the conformance level was “does not support”. The reason we came to that conclusion because we found many problems with their non-text content and we listed those examples. The difference between an audit and a VPAT is the audit should have all sorts of goodies right It should have code examples and screenshots really the kind of the heart of the details Whereas a VPAT or a conformance report is a summary of those results. So whereas we we may have found you know 50 issues with with images and CSS and SVG we’re really just kind of summarizing this here in the report. So in our example we that the logo images do not have text alternatives, we said that the CSS and button icons did not have text alternatives, and that the SVG decorative elements were not hidden from screen readers. So these are just some examples that would support our conformance level of those on support. There are two different ways if you if you do believe that you support you can try and summarize that. In many cases I see a lot of VPATs where they just say supports. Okay I hope that we see an evolution where you are trying to provide a little more detail as to why you came to that conclusion. I think this is an area where this can certainly improve and I hope that as more of the compliance reports in this format evolve that we’ll see more of that. Before I go on are there any questions I know I’m covering a ton of stuff here [guest] In the gov’t arena we are being told not to use the term VPAT, only ACR. Is that similar in the vendor arena? [Matt] What you’re asking for is the accessibility compliance report That’s what the actual deliverable is such as the document is. I think we’re still hearing the term VPAT all the time It might be the same output – hopefully it is we might even see it being named that way but that yeah that’s one of those terminology things I talked about tin the beginning – we have to relearn that talked about the beginning it’s like we have to kind of relearn that a little bit. use accessibility report term because it may mean things other than VPAT. Whatever you’re entering to if you may have and really we’re trying to focus on the difference between stating the requirement versus how a particular product stands up to the standards. How you compare that too a lot of the processes a lot of that language that but VPAT is fully ingrained in many lexicons People always call it a VPAT or anything like that. [Matt] If I had to describe it in a really odd way which I’ll do right now for you guys I would say that we’re gonna call it VPAT for a while because it’s like the nickname right? Like I went

to a friend’s wedding and I didn’t know that his real name was something different. Like my entire life I called him Bruce; his real name was Johnny and I didn’t learn that until his wedding. It was awkward for me. But so we have to relearn the names right it is the accessibility community one maybe maybe today we don’t call it even the full it we call it the ACR? Should we just do that today in celebration of GAAD? You know the awesome ACR? Alright so we’re gonna do a presentation on the awesome ACR next year. So what can you do to prepare for this? Right again I kind of harped on this a little bit beginning the real legwork is in defining your process but also understanding what has changed. We we have one of the other requirements for us is we had to relook at our methodology, look at our testing steps, the tools that we use because a lot has changed in Section 508. One of the one of the good things is the incorporation of WCAG was really easy but there’s more than that you know there there are significant differences in the requirements for documentation and support. For example in the original section 508 you had essentially to have a plan in place to provide some people if it was required or if it was asked for. Now you need you need to have accessible documents, you need to have accessible services, so a lot has changed so I would encourage that the first the first step is just to dig into the requirements. Truly understand the requirements before you try and apply these or fill out a VPAT or and ARC and awesome ARC. So that’s really important. I would also say that you have to define an internal process of policy for your authors Something that we have done: we’ve got a lot of different engineers across the globe and we want to make sure that we have some consistent language that is used so that as these are being developed. It’s it’s a similar level of detail, similar language we’re looking to make sure that there’s Quality Assurance involved so there’s a lot of different steps to actually get there. Usually the first hopefully is to do an audit, a comprehensive audit, and then based on the results of that on it you can go through and you can make your determination and summary on how you came to the determination. Yeah you’re gonna list there the other important thing is you have to maintain this entire process as I kind of showed you on our history slide, you know, we’re already aT 2.1 right? So you should make it a regular practice – somebody needs to own the process of this entire process within your organization if you are developing these because we can expect that it’s going to evolve we can expect that it will get better. Maybe we can influence that maybe we can make it better together based on the quality of what’s being delivered. So it sits in the original VPAT it was it was it was a decade before it got changed It’s only been three months since the the 2.0 version changed so if that gives you an example you know you really need to keep a pulse on this. So I encourage you to to visit that website often. Keep an eye on trends as well because WCAG 2.1 is right around the corner and how will that impact the VPAT template? Lessons learned: Okay so as I said and how am i doing on time okay we’ve been pretty good on time pretty proud of myself lessons learned: so as I as I stated we’ve been doing this since January and we’ve had some really important conversations with clients to understand, you know, what they need, but also I think the process of delivering a a VPAT to a client is is an important process, because in doing so there needs to be a recognition that there are portions of the VPAT that maybe we did not complete, or portions of the accessibility conformance report that we did not complete. The example would be: we were hired to do an audit for a product. What we did not audit was their support documentation. What we did not audit was their help services. So there may be aspects where you should not consider this thing completed until all of those pieces have been addressed and that could be either something that’s tied into an audit that we deliver for you, so we might be asking to you know for those types of elements as part of our audit process. Or we can also kind of walk you through and make sure you understand what the requirements are so that you can own the process of

documenting that internally before it’s shared. As I stated before I’m kind of harping on this it is a living document right, so recognize that the the WCAG guidelines are going to be updated to 2.1 so I’ll be very interested to see how it impacts the template, and then possibly other policies and standards around the world The other the other important piece is how many pages this thing is. So if you just fill out the template as it is today it’s 44 pages I think total. With content from it on it I mean we can push 75-80 pages really easily but do you really need all of those? You really don’t. For example section 508 all these guidelines don’t require Triple A, so in some cases maybe you do document that and you have that as part of your audit process it’s not necessary for you to, in my opinion, list all of those and as long as you clarify somewhere in the document well what the what it was tested against, you know, you can remove some of these things. There’s a big difference between saying something is not applicable, and something was not evaluated. Not applicable would mean of course that the overall requirement applies but maybe you don’t have any video content or maybe you don’t have any elements or functions that would be impacted by that criteria. So keep in mind that it’s it’s not just about you know we’re moving things that aren’t part of your application, in some cases it’s important and necessary to document where things are not applicable as well, Here’s another kind of lesson learned I think this is important one. An accessibility compliance report is not an endorsement of an end users experience, so keep in mind this is this is about meeting technical requirements. This is about documenting technical compliance. And there are certainly scenarios where you might have a fully compliant technical application but that user experience may not be great for for a low vision user or a keyboard-only user. So just because you might have VPAT or I’m sorry an accessibility compliance report that fully supports everything doesn’t mean it’s a great experience for users. So keep that perspective. And then maybe you have a scenario where you have a couple technical requirements but for the most part you have a really good user experience for most users. So I think another another part of this is the blend of those two. Hopefully your accessibility program is approaching things from a compliance standpoint, and a culture standpoint. From a technical standpoint and a user standpoint. Because that is where you have a sweet spot. And the other kind of piece here was in sharing the final report with a client because it was based on this audit that we did, it also dramatically impacted their product roadmapping. So after delivering the the reports a client and I spent an hour with them talking through everything and what it means, and at the end they said well this isn’t ready. We’re not proud of the results here and we don’t want to publish this, so what they did is they’re gonna take that report, they’re gonna share with leadership, and they’re gonna say we need to do better, and we need more funding to do better so it’s it’s actually being used for different things than just procurement. It’s it’s hopefully gonna drive the accessibility program that you’re trying to build. So I think that was a really important one and one that I kind of walked away like, wow there’s this great impact. This is this is the exact kind of thing that I would hope would happen: they didn’t just pay us to do an audit, we didn’t develop a report and walk away, we hope that it’s the evolution of a partnership and that I look forward to delivering another report to them that has improvements. And maybe we’ll get to a point where they decide well now we’re ready now we’re ready to go to the market; we think we can compete and we think we have something that can be used by all individuals I’m a Star Wars fan boy. I also like action figures if that’s you this line is for you. This is a stormtrooper doing a Superman BMX bike trick as Darth Vader is looking on so this is clearly awesome – at least I think so. Some resources: please go and really spend some time on ITI’s website. ITI stands for for the Information Technology Industry Council. They’ve done quite a bit of work and they’ve got

quite a bit of documentation as well, so just go go and spend an afternoon there if you if you really want to. But they’ve got some great frequently asked questions documents, as I said, the template is is gonna be constantly updated so make sure that you are incorporating that into your process Just so you know The Paciello Group has taken the VAPAT template and created our own version. To do so there are minimal elements that you have to incorporate. To to be considered really a as part of the the VPAT output there are minimum requirements. But there are different ways that you can organize your content as long as it’s all there, so we’ve kind of got our Paciello Group branded version that meets those minimum requirements and I think it’s also a good activity for your organization to do that, because it requires that you really dig into it and understand how its organized, what it means. So I think that’s a worthwhile exercise. If you’re an old dog like me as Brooke likes to call me the old crew/the old the old school crew, you might be familiar with the BauAccessible Wizard by GSA and they have an updated version of that tool called ART (don’t we love our acronyms): the accessibility requirements tool. The ART tool. You can use this tool in a variety of ways to determine which requirements apply to your product or service. Iit really kind of walks you through the revised section 508 to ensure that you’re considering what exceptions might apply and what those requirements are. To do so successfully I would strongly encourage that you have to know the ins and the outs of your actual solution you can’t go in with just a high-level knowledge or it’s just not going to generate things accurately for you. So I find that it’s most useful when you really do have a detailed understanding of what that product service is [inaudible] [guest] The ART tool the whole entire entire section508.gov website got reborn on June 1 So while currently the ART-tool uses the old BuyAccessible link that will be dead in 2 weeks Section 508.gov will get you there and on the actual tool the first generation that’s out there yeah definitely influenced by Bruce Bailey heavily. It’s really technical and so the next release of that is going to be much streamlined version much quicker a far few pages for an agency actually generate the requirements because we realize what we put out there is long to go through. It’s thorough So you’ll see improvements [Matt] Let me know we’ll do a blog together we’ll get that out there. Any other questions? Any other questions? [guest] What we’ve heard a lot is why do a US companies need to put European standards. As far as we are concerned we don’t require that part but it’s a very common question. [Matt] Yeah so that would just depend on your audience right? If you are a vendor who sells to the US and to other parts of the globe they’re gonna be asking for it. So I think it’s you know we haven’t seen in honestly we haven’t seen a lot of requests for that but, um when we do we’ll be ready obviously, to to develop the documentation around it. So we got one more question here again. [guest] Do you think the industry will ever move towards compliance certification rather than each individual vendor giving their feedback? People have to interpret what ever their certification means? Whether they’re second party certified? yeah that’s a tough one [Matt] I don’t know I don’t know we’re ready for that yeah how can we push that? Let’s talk after. See what we can come up with together

[guest] Probably the vein of certified financials. You actually trust in the test that was done that really accurately revealed those results to support the feedback. I think the problem right now is that you you submit your feedback and you say this is our statement, it’s up to you later on to challenge that statement, walk it back If it supports or doesn’t maybe then you can go back and say well show us the test process that came to this answer> Whether people will actually do that it puts the burden on the company rather than a vendor. I think that’s the problem this is the burden really should be on the vendor ]Matt] Yeah I mean procurement officers have full authority to question documentation that’s submitted. You should be able to question anything that you want, even if you even if you think you understand it did you just want to make sure that they’re being truthful or that they’re being comprehensive, you know, ask them. I mean that I think that’s an important part of this process to evolve as a community. [guest] I think the term is ‘with exceptions’ right? Whatever the counter is to that alright folks well thank you so much for your time. This has been great to have everybody here, and I think we got one more though so hold all that enthusiasm until we’re done