Reading a Vendor's ACR: Ten Questions Before You Inherit the Liability

The Sentence Buried on Page Two

On page two of the Accessibility Conformance Report Tyler Technologies published for the Colorado.gov Drupal Component Library, there is a sentence most contractors never read. Tyler tells municipalities, in plain language, that the report is provided as-is, that Tyler cannot guarantee the information will remain accurate after the report date, and that any modification or customization to the subject product may render the document inapplicable.

Read that again. Tyler is telling you, in writing, that the moment you theme the CMS, modify the Munis screens, or wire the component library into your client's permit portal, the accessibility representations Tyler made to the State of Colorado no longer apply to the integrated experience you delivered. The ACR you inherited covers a product that no longer exists in the form Tyler tested it.

That sentence is not unusual. Granicus does not even publish the document — its public accessibility page tells municipalities that VPATs are released through a Customer Success Consultant on request. CivicPlus does publish, in a model library, but pairs every ACR with a companion document called an Accessibility Progress Report that most contractors never inspect. The municipal-software stack you assemble into your client's site is held together by vendor representations of varying age, varying rigor, and — in Tyler's case — explicit self-disclaimers.

You signed the ACR. You signed the indemnification clause. The inherited document is your problem now.

Last week's post walked through how a procurement officer reads your ACR. This post applies the same checklist back to the vendor's ACR. Read theirs the way the procurement officer will read yours. If their document fails the same ten questions, you have a decision to make before the bid goes out — not after the demand letter arrives.

Why This Is on Your Plate

The May 25 post in this series — third-party embedded content — established the legal mechanic. Title II covers what a public entity provides or makes available to the public. The municipality cannot delegate that obligation by contract. When the city embeds a Granicus video player, a Tyler payment widget, or an Esri map, the accessibility of those embedded components is part of what the city is offering — and through procurement and indemnification clauses, it becomes part of what you warranted you would deliver.

The June 1 post then established how procurement officers evaluate the document. The Massachusetts EOTSS Accessibility Conformance Report Review Checklist is eight to ten yes/no questions, every "No" is a concern, and the reviewer scores the bid against a confidence-level rubric where "Low Confidence" maps to "reconsider procurement."

Put those two posts together and the inheritance problem becomes operational. When your bid relies on a third-party component, the procurement officer is — directly or indirectly — evaluating that component's ACR as part of your submission. If the vendor's document is outdated, scope-limited, self-disclaimed, or gated, your bid carries that defect into the evaluation. The contractors who win in 2026 are the ones who read the vendor's ACR with the same rigor the procurement officer will eventually apply to theirs.

The Ten Questions, Applied to the Vendor's Document

The EOTSS checklist is published at mass.gov/info-details/accessibility-conformance-report-review. Below is the contractor-facing version of the same ten questions — what to ask about every vendor ACR you inherit before you build it into your bid documentation.

1. Who authored the document, and what is their accessibility credential? EOTSS instructs procurement officers to contact the person named in the Contact Information field if the report is internally authored, and to ask their title and their level of digital accessibility expertise. Apply the same drill. If the ACR was tested by Level Access, Deque, TPGi, Allyant, BarrierBreak, or another credentialed external firm, the firm's name and logo should be on the document. If the ACR is internally authored, look up the named author on LinkedIn. A "team" attribution with no individual name is a red flag.

2. Does the report measure WCAG 2.1 or 2.2 Levels A and AA — not WCAG 2.0 or Section 508 only? A WCAG 2.0 ACR is a 2017-era document. Municipal procurement in 2026 expects 2.1 minimum, and Washington moves to 2.2 AA on July 1, 2026. Tyler's portfolio is the worst offender here — its public ACR library mixes 2021-vintage VPAT 2.0 Beta 2 reports with current Level Access-tested VPAT 2.5 documents, and you cannot tell from the URL which you are inheriting. Open the file and check the title page.

3. Is the report dated within the past twelve months? Anything older than two years is unreliable for procurement purposes. Anything between twelve and twenty-four months is borderline and requires a written explanation from the vendor about what has changed in the interval.

4. Is the template VPAT 2.5? ITI published 2.5 in November 2023 to incorporate WCAG 2.2 and added a dedicated explanation column to each conformance row. Pre-2.5 templates lack that column, and a vendor still publishing on 2.4 or earlier is signaling that accessibility documentation is not actively maintained.

5. Does the scope statement clearly name the product and version tested? This is where Tyler's disclaimer cuts the deepest. The ACR may be valid for "Colorado.gov Platform Drupal Component Library v.x" as Tyler tested it — and inapplicable to your themed and customized integration. The contractor's job is to read the scope, then write their own scope statement that describes the integrated experience and notes the boundary.

6. Are "Partially Supports" rows accompanied by specific remarks — gap, criterion, user impact, target date? EOTSS scoring is binary: if the Remarks column is blank or filled with marketing language ("our product is committed to accessibility"), the answer is "No." A defensible Remarks entry names the function, ties it to the WCAG success criterion, names the affected users, and gives a remediation date.

7. Are "Supports" rows substantiated? EOTSS: if several criteria are marked "Supports" with no explanation or examples, the answer is "No." A vendor claiming uniform "Supports" across all of WCAG 2.1 AA without remarks is either lying or running automated scans only. Post-Bashin, that's not a defense — it's evidence.

8. Does the report identify evaluation methods? Look for: automated testing tool and version (axe-core, WAVE, Lighthouse), manual testing methodology, assistive technologies and versions (NVDA, JAWS, VoiceOver), and the user-flow sampling rationale. A blank Evaluation Methods section, or one that names only an automated tool, fails the check.

9. Is there a companion Roadmap for Partially Supports / Does Not Support findings? This is the question Virginia and Massachusetts care most about. The June 8 post will go deep on the Vendor Accessibility Roadmap as a separate contractual deliverable; for now, the absence of a Roadmap for any Partially Supports finding is the gap. CivicPlus partially addresses this with its companion Accessibility Progress Report. Most other vendors do not address it at all.

10. Is the ACR document itself accessible? Open the PDF in a screen reader. A vendor whose accessibility report fails its own accessibility checks is a credibility problem worth flagging in your delta document — and worth quoting back to your client if the vendor pushes back on remediation requests.

The Vendor Landscape, Briefly

The municipal-software stack a typical solo or small-firm contractor integrates against in 2026 includes Granicus, Tyler, CivicPlus, Esri, NEOGOV, OpenGov, Accela, Laserfiche, and a long tail of smaller specialty vendors. Their ACR practices vary by an order of magnitude.

Esri sets the bar. The ArcGIS Accessibility Conformance Reports library at esri.com/en-us/legal/accessibility/conformance-reports is a public, organized, current portal where every product's ACR is one click away. Each ACR identifies the conformance level, the assistive technologies tested against, and the evaluation methods used. If your client asks what a good vendor ACR practice looks like, point them here.

CivicPlus is the second-best in the stack. The accessibility help-center index at civicplus.help/hc/en-us/articles/25614046616983-CivicPlus-Public-Accessibility-Conformance-Reports publishes per-product ACRs — Web Central, Web Evolve, Web Open, Meetings Essential, SeeClickFix Mobile, MyAlerts, Open Archive — generally on VPAT 2.5. CivicPlus also publishes Accessibility Progress Reports that function as informal Roadmaps showing progress against the company's accessibility plan. The catch: CivicPlus explicitly states it does not accept third-party scans from vendors outside its approved network, which means if your audit finds an issue CivicPlus disagrees with, the resolution path runs through their process, not yours.

Tyler is fragmented. No central library. Documents live as PDFs on the relevant tylertech.com product page or, in some cases, on the customer state's CMS — the Colorado.gov example sits at cms.colorado.gov, not tylertech.com. Some current ACRs are credibly tested by Level Access against WCAG 2.2 A/AA; others are 2021-vintage VPAT 2.0 Beta 2 documents that fail multiple EOTSS checks on date and template version alone. The contractor's job is to ask, in writing, which is the current document for which version of the product they are integrating.

Granicus is gated. Per the public Accessibility for Government Agencies article at support.granicus.com, Granicus maintains VPATs and accessibility roadmaps for its products, but releases them only through a Customer Success Consultant on request. The marketing blog (granicus.com/blog/driving-toward-digital-accessibility-compliance) carries a disclaimer worth reading carefully: no single software solution can claim to offer 100 percent ADA-compliant accessibility. That admission is the vendor's own framing of the gap you are about to inherit.

NEOGOV, OpenGov, Accela, Laserfiche, Bang the Table, SeamlessDocs: no public ACR libraries comparable to CivicPlus or Esri. Treat as request-based via the account team and document each request in the audit defense log. The absence of a public library is itself a procurement-officer red flag, and you should flag it in your delta document.

The Federal Direction: Machine-Readable, Centralized

GSA's Fiscal Year 2025 Section 508 Assessment, published March 5, 2026 by the U.S. Access Board, announced completion of a beta version of a governmentwide Accessibility Conformance Report Repository. The repository is being built around the OpenACR machine-readable YAML schema, and GSA's own framing is that this will provide a centralized location to store, validate, and share ACRs across federal agencies — reducing duplicative testing, improving reliability, and strengthening acquisition-stage risk-management decisions.

GSA's recommendation in the report is explicit: use acquisition as the primary lever for Section 508 compliance. State and local procurement is on the same trajectory. Mike Gifford, the senior strategist at CivicActions who helped GSA develop the OpenACR format, told Federal News Network that the centralized repository will let procurement officers refer to standardized reports in a common location.

For contractors, this is the directional indicator. Any inherited ACR that cannot be reduced to structured data is, on the federal trajectory, already obsolete. Asking a vendor whether they have an OpenACR YAML version of their report is the cleanest way to expose whether the document is real procurement infrastructure or marketing PDF. A vendor whose ACR cannot survive structured-data scrutiny is one whose representations are about to age out of acceptability in the state markets that drive your bids.

Your Leverage When the Vendor's ACR Fails the Test

Three contractual mechanisms are available when a third-party component vendor's ACR fails one or more of the ten questions.

The flow-down clause from your subcontract. The May 28 post covered the structure: warranty of accessibility, ACR no older than twelve months, Vendor Accessibility Roadmap for any non-conforming criterion, cooperation with testing at no additional cost, indemnification for breach. If your subcontract with the component vendor contains these obligations, a deficient ACR is the trigger to demand cure. If it doesn't — and most do not, because the major vendors will not flow down — your fallback is the boundary-of-responsibility clause in your contract with the city.

The Virginia § 2.2-3501 "qualified neutral third party" requirement. In Virginia, the contractor can require the vendor to fund a third-party-evaluated ACR before integrating the component. Virginia's statute does this directly; in other states, the contractor can negotiate the same obligation contractually using the Virginia language as the model.

The EOTSS testing-cooperation clause. In Massachusetts, the Commonwealth's standard contract language obligates the vendor to cooperate with state-conducted or third-party-conducted accessibility testing at no additional cost. The contractor can invoke this — through the city — to force testing of a deficient vendor component.

The leverage is real, but only if used early. Once the bid is awarded and the integration is built, the contractor has materially less ability to demand vendor remediation. The right time to read the vendor's ACR is during the bid-preparation window, not during the demand-letter response.

The Delta Document

The practical output of running the ten-question checklist across every embedded component is what this series will call a delta document — a single sheet listing each third-party component, the date and version of its ACR, the questions it passed and failed, the contractor's compensating controls, and the boundary-of-responsibility language that flows into the contractor's own ACR scope statement.

Columns to include:

• Component name and vendor
• Vendor ACR URL or document reference
• Date and VPAT version of the vendor ACR
• WCAG version targeted by the vendor
• Authorship (internal vs. named third-party firm)
• Result against each of the ten EOTSS questions (pass / fail / partial)
• Identified gaps that may surface in the integrated experience
• Compensating control (your testing, your remediation, or formal disclosure in your scope)
• Notes for the boundary section of your own ACR

That sheet is two things at once. It is your reading of the vendor's documentation, applied during bid preparation. And it is the evidentiary record of why your integrated ACR draws its scope where it does — the document a procurement officer reads alongside your submission, and the document your attorney reads if a demand letter ever arrives.

What You Owe the Procurement Officer

A municipal contractor in 2026 is no longer simply integrating components. They are aggregating accessibility representations from a chain of vendors, applying their own testing, drawing a defensible scope around the integrated experience, and submitting a single ACR — plus, in Virginia and Massachusetts, a separate Vendor Accessibility Roadmap — that the procurement officer can pass through the EOTSS checklist.

The vendors above are not your enemies. They build the components municipal sites need and the alternatives are usually worse. But their ACR practices are uneven, their disclaimers are sometimes blunt about the limits of their representations, and their willingness to flow accessibility obligations down to themselves varies by vendor and by contract size. The contractor sitting between the vendor and the municipality is the party who has to read those documents critically — because no one else in the chain has the same incentive.

Read the vendor's ACR with the ten questions in hand. Build the delta document. Draw the boundary. Then write your own ACR for the integrated experience you are delivering — not the components you are inheriting.

Monday's post goes deep on the Vendor Accessibility Roadmap — the second document Virginia and Massachusetts both require alongside the ACR, and the document most contractors do not even realize is a separate deliverable until the procurement reject lands.