Section 508 Compliance: Who It Covers and How to Test
Many businesses assume Section 508 only applies to federal agencies. That’s partly true, and partly not. Any company selling ICT products or services to..
Many businesses assume Section 508 only applies to federal agencies. That’s partly true, and partly not. Any company selling ICT products or services to the federal government must deliver Section 508-compliant deliverables. If you have a federal contract or receive federal funding and have not tested your digital content, you have a procurement liability, not a best-practice gap.
Video: Section 508 Compliance: Who It Covers and How to Test
This article covers both sides of that problem: who is actually covered under 29 U.S.C. § 794d, and a concrete four-step process for running section 508 compliance testing across your websites, documents, and multimedia content.
What Is Section 508?
Section 508 is a federal accessibility law (29 U.S.C. § 794d) that requires U.S. federal agencies, and the contractors and vendors they work with, to make their information and communications technology (ICT) accessible to people with disabilities. The law was significantly updated in 2018 under the Access Board’s regulatory refresh (36 CFR Part 1194) to require conformance with WCAG 2.0 Level AA as the technical benchmark. Section 508 compliance testing is the process of verifying that a website, application, or digital document meets these requirements, so that employees and members of the public with disabilities can access federal ICT on equal terms. Per Section508.gov, alignment with WCAG 2.1 is currently in progress.
Who Does Section 508 Apply To?
Section 508 primarily applies to four categories of organizations. Which category you fall into determines whether compliance is a legal obligation or a procurement preference.
- Federal agencies. All U.S. federal departments and agencies. Compliance is mandatory across all ICT they develop, procure, maintain, or use.
- Federal contractors and vendors. Any company selling ICT products or services to the federal government must ensure those deliverables conform to Section 508. This includes websites, software, SaaS platforms, documents, and applications delivered under contract.
- Federal grant recipients. State and local governments, universities, hospitals, and nonprofits that receive federal funding for programs involving ICT are covered. If federal money touches your technology, Section 508 follows. This is particularly relevant in sectors like housing and education. See Real Estate Website Accessibility: Listings, Tours, and Applications for a concrete example of how HUD-funded programs create digital accessibility obligations.
- Organizations using federally funded ICT. Less direct, but practically relevant in healthcare and education where federal reimbursements fund the systems employees use daily.
Does Section 508 apply to private companies? Not directly. If your business has no federal contracts and receives no federal funding, Section 508 does not apply. That said, large corporate procurement processes increasingly embed Section 508-style accessibility requirements in vendor contracts, so the standard is spreading beyond its statutory boundaries.
If you fall into any of the first three categories above, section 508 compliance testing is a legal obligation, not a best practice.
What Types of Digital Content Does Section 508 Cover?
Section 508 applies to information and communications technology broadly. The six content categories in scope under 36 CFR Part 1194 are:
- Websites and web applications. The primary testing surface for most contractors; governed by WCAG 2.0 Level A and AA success criteria.
- Software applications. Desktop and web-based software, including enterprise tools and SaaS platforms delivered under federal contracts.
- Electronic documents. PDFs, Word files, PowerPoint presentations, and Excel spreadsheets published or distributed in connection with federal programs.
- Multimedia and video content. Synchronized captions and audio descriptions are required for prerecorded and live video content.
- Mobile applications. Covered under both the Software and Web provisions of Section 508; tested against the same WCAG 2.0 AA standard.
- Hardware and ICT equipment. Kiosks, printers, telephones, and other physical ICT (36 CFR 1194.25-27); outside the scope of this article.
Section 508 compliance testing applies to all of these content types. This article focuses on website and document testing, the two content types most federal contractors encounter in day-to-day digital work.
Section 508 vs. WCAG vs. ADA: Key Differences
Three frameworks govern most digital accessibility obligations in the United States, and they are frequently confused. Section 508 uses WCAG 2.0 AA as its technical standard, incorporated by reference in the 2018 regulatory refresh. WCAG is the technical specification those laws point to. The ADA is a civil rights law with a different enforcement mechanism and a different covered-entity population.
The comparison matters practically: passing a Section 508 compliance test for web content also means meeting WCAG 2.0 Level AA, but Section 508 additionally covers non-web ICT that WCAG does not address. The DOJ’s final rule under ADA Title II requires state and local government websites to conform to WCAG 2.1 Level AA, with compliance deadlines of April 24, 2027 for entities serving populations over 50,000 and April 26, 2028 for smaller entities. That is a higher technical bar than Section 508’s current requirement.
| Framework | Type | Applies To | Technical Standard | Enforcement |
|---|---|---|---|---|
| Section 508 | U.S. Federal Law | Federal agencies, federal contractors, federal grant recipients | WCAG 2.0 Level A and AA | U.S. Access Board; agency CIOs; federal procurement requirements |
| WCAG 2.x | Technical Guidelines (W3C) | Global, no direct legal enforcement on its own | WCAG itself defines conformance levels A, AA, and AAA | No standalone enforcement; referenced by laws worldwide |
| ADA (Title II / Title III) | U.S. Civil Rights Law | State and local governments (Title II); places of public accommodation (Title III) | No explicit mandated standard; courts consistently cite WCAG 2.1 AA as the de facto benchmark | DOJ enforcement; private lawsuits under Title III |
For a fuller breakdown of how ADA obligations apply to private healthcare providers independently of Section 508, see Website Accessibility for Dentists: ADA Compliance Guide.
How to Test for Section 508 Compliance: A 4-Step Process
Effective section 508 compliance testing combines automated scanning with targeted manual checks. No single method catches everything. The process below covers the full range of WCAG 2.0 Level AA requirements across your web content and documents.
Step 1 – Run an Automated Accessibility Scan
Automated scanning is the correct first pass. It reliably catches a specific class of violations: missing alt text, empty form labels, color contrast failures, missing page language attributes, duplicate element IDs, empty table headers, and absent skip-navigation links.
The important limitation: automated tools detect only a subset of accessibility issues. Many WCAG criteria require human judgment, whether alt text is meaningful, whether reading order is logical, whether a keyboard trap is real. Use automated scanning as a filter, not a compliance certificate. Start with a free accessibility scan, which will surface the machine-detectable violations quickly and give you a prioritized issue list before manual work begins.
Step 2 – Manual Keyboard Navigation Testing
Keyboard testing requires no specialized tools. A standard keyboard and browser are sufficient. Work through five checks:
- Tab through all interactive elements and confirm the focus order is logical (WCAG 2.4.3 Focus Order).
- Verify a visible focus indicator appears on every focused element (WCAG 2.4.7 Focus Visible).
- Confirm there are no keyboard traps. The user must be able to navigate out of every component (WCAG 2.1.2 No Keyboard Trap).
- Test that all modals, dropdowns, and custom widgets are fully keyboard-operable (WCAG 2.1.1 Keyboard).
- Confirm the skip navigation link is present, focusable, and functional (WCAG 2.4.1 Bypass Blocks).
These five checks cover failures that automated scanners cannot reliably detect. A missed keyboard trap will strand assistive technology users on a page and it will not appear in an automated report.
Step 3 – Screen Reader Testing
Screen reader testing is where the specificity matters. Use these AT and browser combinations:
- NVDA + Mozilla Firefox (Windows): free, widely used in federal environments, and the practical baseline for most contractor testing workflows.
- JAWS + Microsoft Edge (Windows): the most common combination in federal agency environments and required for DHS Trusted Tester certification.
- VoiceOver + Safari (macOS and iOS): essential for Apple device coverage in any mixed-device federal environment.
For each combination, verify: heading hierarchy is logical and sequential; all images have meaningful alt text; form fields announce their associated labels; link text is descriptive (not “click here” or “read more”); error messages are announced when they appear; table headers are correctly associated with data cells. Budget 45-90 minutes per major page template.
Step 4 – Document and Multimedia Accessibility Checks
For PDFs delivered under federal contracts: the document must have structural tags; reading order must match visual order; images must carry alt text; form fields must be labeled; document language must be declared. Adobe Acrobat Pro’s built-in accessibility checker covers the basic requirements, but manual reading-order review is still required. The checker cannot confirm that the tagged order makes sense.
For video content: synchronized captions are required for all prerecorded multimedia (WCAG 1.2.2). Auto-generated captions alone do not meet Section 508. They must be reviewed and corrected. Audio descriptions are required for significant visual information (WCAG 1.2.5). For organizations whose federal contracts involve transactional web applications, see Checkout and Payment Accessibility for additional guidance on interactive form and document accessibility.
If you have just worked through this testing process for the first time, running a free accessibility scan on your primary URL will give you an automated baseline to compare against your manual findings.
The DHS Trusted Tester Standard and VPAT Documentation
The Department of Homeland Security’s Trusted Tester program is the federal government’s standardized conformance testing methodology. It combines specific testing tools (primarily JAWS plus the Inspect accessibility tool in Windows), a defined sequence of test procedures from the DHS Trusted Tester Conformance Test Process (v5.1.3), and a certification program for individual testers. Federal agencies frequently require contractor-submitted accessibility testing to be performed by a certified Trusted Tester, particularly for large IT procurements and enterprise software deliveries.
The Trusted Tester process is grounded in the ICT Testing Baseline for Web, a document co-developed by DHS and GSA that maps each WCAG 2.0 success criterion to a specific, repeatable test procedure. If your organization does significant federal contracting, aligning your internal testing process to the Baseline means your results are legible to agency reviewers, not just internally defensible.
The VPAT and ACR distinction is where most compliance professionals get it wrong. Here is the correct terminology:
- A VPAT (Voluntary Product Accessibility Template) is the blank document template issued by the IT Industry Council. It is an empty form.
- An ACR (Accessibility Conformance Report) is the completed VPAT: a filled-in document stating how your product conforms to each Section 508 and WCAG criterion, with supporting remarks.
When a federal procurement officer asks for your “VPAT,” they mean the completed ACR. Submitting the blank template, or a document that fills in “Supports” without remarks, signals immediately that the submitter does not understand the process. Every cell in a completed ACR should include a conformance level and a substantive remark explaining how conformance was tested and verified.
Common Section 508 Violations Found in Testing
According to the WebAIM Million 2025 Annual Report, just six recurring issues account for 96% of all accessibility errors detected across one million home pages, with low-contrast text appearing on 79% of pages. The violations below appear consistently in federal contractor section 508 compliance testing:
| Common Violation | WCAG Criterion | Quick Fix |
|---|---|---|
| Images without alt text | 1.1.1 Non-text Content | Add descriptive alt attributes; use empty alt=”” for decorative images |
| Color contrast below 4.5:1 ratio | 1.4.3 Contrast (Minimum) | Adjust text or background color; verify with a contrast checker tool |
| Form fields without labels | 1.3.1 Info and Relationships | Add <label> elements associated by for attribute, or aria-label attributes |
| Interactive elements not keyboard-accessible | 2.1.1 Keyboard | Replace div and span click handlers with native <button> or <a> elements |
| Videos without synchronized captions | 1.2.2 Captions (Prerecorded) | Add accurate closed captions; auto-generated captions require human review and correction |
| PDFs without accessibility tags | 1.3.1 Info and Relationships + PDF/UA | Re-export from source application with tagging enabled; repair in Acrobat Pro |
| Missing skip navigation link | 2.4.1 Bypass Blocks | Add a visible-on-focus “Skip to main content” link as the first focusable element on every page |
| Unclear link text (“click here”, “read more”) | 2.4.6 Headings and Labels | Rewrite link text to describe the destination or action in context |
How Often Should You Run Section 508 Compliance Testing?
Testing frequency should be tied to specific triggers, not a calendar-based “test regularly” policy. Five events warrant a formal testing cycle:
- Before a new contract award. Include testing results and a completed ACR in your procurement response. Agencies are increasingly requiring this at submission.
- After major site updates. Redesigns, CMS migrations, new feature launches, and template changes can introduce regressions across dozens of pages simultaneously.
- Quarterly automated scans. These catch regressions from content updates, plugin upgrades, and third-party widget changes that fall outside formal release cycles.
- Annually for full manual audits. Comprehensive keyboard, screen reader, and document review covering your full content inventory.
- After accessibility complaints or audit findings. Treat complaints as testing triggers. The finding tells you where to look, not just what to fix.
A quarterly section 508 testing checklist should include at minimum: an automated scan, a keyboard navigation check across your primary templates, and a review of any newly published documents or video content. Integrating automated scanning into your CI/CD pipeline catches violations at the code level, before they reach production and before an agency reviewer does.
Frequently Asked Questions About Section 508 Compliance
Does Section 508 apply to private companies?
Section 508 does not directly apply to private companies that have no federal contracts and receive no federal funding. However, organizations that sell products or services to federal agencies must deliver Section 508-compliant ICT. Private companies also increasingly face Section 508-style requirements embedded in large corporate procurement processes.
Is Section 508 the same as ADA compliance?
No. Section 508 is a procurement law requiring federal agencies to purchase accessible ICT; the ADA is a civil rights law covering places of public accommodation and state and local governments. They share WCAG as a common technical reference, but different entities are covered, different enforcement agencies apply, and different legal consequences follow from non-compliance.
What happens if you fail Section 508 compliance testing?
Federal agencies can face complaints filed with the U.S. Access Board or agency Inspector General. Contractors who deliver non-compliant ICT risk contract disputes, mandatory remediation, or disqualification from future procurements. There is no per-violation fine structure comparable to GDPR, but contract liability and loss of future business are the realistic consequences.
Do federal contractors need to be Section 508 compliant?
Yes. When a federal agency procures ICT, including websites, software, documents, or hardware, the contractor must ensure those deliverables meet Section 508 standards. Contracts typically require the vendor to provide a completed ACR (often called a VPAT) documenting conformance at or before the time of delivery.
This article is for general informational purposes and is not legal advice. For guidance specific to your contracts or procurement obligations, consult a qualified attorney or a certified Section 508 compliance professional.