Validation Process for Applications, Website & Hardware

Any newly purchased or developed Information and Communication Technology (ICT) including new versions or releases, must be validated for 508 Compliance. This includes, but is not limited to, the following:

  • Commercial Off the Shelf (COTS) software
  • Hardware (scanners, printers, copiers, etc.)
  • Applications and systems developed for use by CMS
  • Websites including Portals, Exchanges, secure websites, the CMS Intranet, and public facing websites


The validation process is as follows:

  1. The CMS Application Owner requests a VPAT (Voluntary Product Assessment Template) from the ICT developer or ICT vendor or contractor. (Note: The VPAT can be found on the Information Technology Industry Council website or by visiting the CMS XLC Artifacts and Templates, Section 508 Assessment).
  2. The CMS Application Owner requests testing from the CMS IT Service Desk via a Remedy Helpdesk Ticket.
  3. The CMS Application Owner completes a Testing Plan and submits the Test Plan and VPAT to the Testing Team.
  4. The Testing Team will notify the Section 508 Coordinator (, and includes the VPAT.
  5. Section 508 Coordinator will review VPAT to determine whether the software is compatible with CMS infrastructure
    • If approved, the 508 Coordinator responds to the to the Testing Team to move forward with testing.
    • If additional information is needed, the 508 Coordinator will contact the CMS Application Owner.
  6. The Testing Team will schedule a 508 validation test with the CMS Application Owner, 508 Coordinator, and a 508 Accessibility Tester.
  7. Once the test is completed, the Testing Team will submit the Test Summary Report to the 508 Coordinator.
  8. The CMS 508 Coordinator reviews and submits the Test Summary Report to the CMS Application owner.
  9. If next steps are required, the 508 Coordinator will continue to communicate directly with the CMS Application Owner.

For more information refer to the CMS Validation Process and Procedure document.


In rare cases, 508 exceptions may be granted for COTS software. The exception granting process begins with the CMS component’s 508 Clearance Officer.  In order to be granted, an exception must fall within the following categories:

  • National Security System
  • Acquired by a Contractor Incidental to a Contract
  • Back-office Equipment
  • Undue Burden for CMS (e.g., extreme costs)
  • Fundamental Alteration

ICT exceptions are only valid for one release.  All subsequent releases must be re-evaluated for an exception.

Contact your CMS Section 508 Component Clearance Officer for more information on obtaining an exception. To apply for a Section 508 exception, please request an exception certification form.  The form must be submitted with a thorough justification to the Section 508 Clearance Officer.  The Section 508 Clearance Officer will submit it for appropriate reviews and approvals.

For more information refer to the "Procedure: Section 508 Exceptions" document. 

Page Last Modified:
11/01/2018 08:52 AM