The Vendor Accessibility Roadmap: The Second Deliverable Most Contractors Don't Know They Owe

The Reject You Didn't See Coming

The first time most municipal contractors learn the Vendor Accessibility Roadmap is a separate procurement deliverable is when the bid comes back marked non-responsive. The cover letter from the procurement officer is short. The contractor submitted an Accessibility Conformance Report. The solicitation required an ACR and a Vendor Accessibility Roadmap. The Roadmap was missing. The bid is out.

This is happening in Virginia and Massachusetts right now, and it will happen in more states by year-end. Virginia § 2.2-3503, as amended by HB 2541 and operative through VITA's revised Mandatory Core Contractual Terms since April 24, 2026, requires that any vendor who cannot certify full accessibility conformance provide both a vendor-paid Accessibility Conformance Report and a vendor-paid Vendor Accessibility Roadmap. Massachusetts EOTSS Vendor Digital Accessibility Contract Language requires the same pairing — and binds the Roadmap explicitly to the agreement.

The ACR you spent four to eight weeks producing documents the state of conformance. The Roadmap documents the plan to remediate the gaps the ACR identifies. Two separate documents, two separate purposes, two separate deliverables. Most contractors think they're one. The procurement officer disagrees.

Last week the series walked through the ACR mechanics and how to read an inherited vendor ACR. This week is the document the ACR pairs with — what's in it, where the state requirements diverge, and how to author a single Roadmap that satisfies both Virginia and Massachusetts from one well-built artifact.

Snapshot vs. Plan

The functional distinction between the ACR and the Roadmap is straightforward once it's named. The ACR is a snapshot of conformance at a point in time. It tells the procurement officer what works, what partially works, what doesn't work, and what's not applicable across every WCAG success criterion at WCAG 2.1 (or 2.2) Levels A and AA. It is the document the procurement officer evaluates against the ten-question EOTSS checklist.

The Roadmap is the forward-looking plan. For every "Partially Supports" or "Does Not Support" row in the ACR, the Roadmap names the gap, the component affected, the severity, the target remediation date, the technique that will be used, and ultimately the date the gap was closed. The ACR identifies the problems. The Roadmap commits to the fixes.

Two distinct purposes mean two distinct lifecycles. The ACR is refreshed annually, or after a major product release, or whenever the standard the buyer requires changes. The Roadmap is a living document — updated quarterly (at minimum) as remediation work progresses, with rows closing and new rows opening as new findings emerge. The ACR is a representation about a past evaluation. The Roadmap is a series of commitments about future work.

That distinction matters legally as much as operationally. As the May 28 post on contract clauses covered, accessibility representations to a government client are now False Claims Act predicates after Bashin v. Conduent. The Roadmap is a representation of future intent. Every dated commitment in the Roadmap is a future representation the contractor will be measured against. That's where the sword-and-shield framing later in this post comes from.

What Virginia Requires

Virginia's statutory framework is the bluntest. Va. Code § 2.2-3501, as amended by HB 2541 (2025 c. 571), defines the Vendor Accessibility Roadmap as a document, prepared and provided by the vendor, that highlights the aspects and elements of the product that do not meet accessibility standards and includes the timelines for those aspects and elements to meet the standards. That's the entire statutory definition. Forty words.

Va. Code § 2.2-3503 then makes the Roadmap a procurement requirement. The substantive language: if a vendor cannot certify full conformance of the ICT being procured, the covered entity may require a current, vendor-paid ACR. Any areas of nonconformance shall be documented with a vendor-paid and completed Vendor Accessibility Roadmap highlighting areas requiring improved accessibility, including a timeline for each nonconforming area's completion.

Read those clauses together. Three things become true. First, the Roadmap is vendor-paid — same as the ACR, the cost falls on the contractor or the contractor's third-party evaluator, not the public entity. Second, every nonconforming area in the ACR must appear in the Roadmap with a timeline. Third, the document is separate by statute from the ACR, even if the contractor produces both in the same engagement.

VITA's April 14, 2026 implementation memo, summarized publicly at vita.virginia.gov, walked agency procurement officers through the operational reality: VITA revised its Mandatory Core Contractual Terms (Section 11) to incorporate the ITAA accessibility requirements; the revised requirements are included in RFP packages and contract templates for procurements negotiated or renegotiated on or after April 24, 2026; in-progress RFPs with award dates on or after April 24, 2026 were expected to be reviewed and updated by addendum where needed.

What Virginia does not publish is a Roadmap template. The statute names the deliverable. VITA's contract terms make it binding. But the format is left to the vendor. That is both a freedom and a trap — freedom in that the vendor can structure the document to match their internal remediation workflow, trap in that a Roadmap missing key elements gets rejected without a published checklist to grade against. The contractor's safest move is to adopt the Massachusetts template structure (below) as the de facto standard, since it exceeds Virginia's statutory minimum on every dimension and gives the procurement reviewer something they recognize.

What Massachusetts Publishes

Massachusetts is the state that did the work for the rest of the country. EOTSS publishes both the Vendor Digital Accessibility Contract Language at mass.gov/info-details/accessibility-contract-language-for-it-solutions and the Vendor Digital Accessibility Roadmap template at mass.gov/info-details/vendor-digital-accessibility-roadmap, with a downloadable XLSX file (58.5 KB) at mass.gov/doc/digital-accessibility-roadmap-template/download. The template is what Virginia would have published if Virginia had gotten to it first. Use it.

The Massachusetts contract language defines the Roadmap as something the vendor must provide on request by the Commonwealth for any known accessibility violation, including those marked "not met" or "partially met" on the ACR. The Roadmap becomes part of the Agreement once delivered — that phrasing matters, because it means missed Roadmap commitments are contract breaches, not just informal slippage. Successor Roadmaps based on new findings also become part of the Agreement.

The template has nine required columns. Every gap from the ACR gets one row:

1. WCAG success criterion. The specific criterion violated (e.g., 1.3.1 Info and Relationships, 2.4.7 Focus Visible, 4.1.2 Name, Role, Value). Cite the standard explicitly.
2. Component or element involved. The technical artifact — date picker, modal dialog, payment iframe, navigation menu, embedded video player.
3. Description. What is broken, in plain language. Not "fails 4.1.2" — that's already in column 1. Description is the operational reality: "Calendar day-buttons lack accessible names; screen reader announces 'button' with no date context."
4. Location or page name. Where on the site the gap appears. URL, page title, or component reference depending on whether the product is a website, an embedded component, or installed software.
5. Severity level. One of four values, defined by EOTSS (below).
6. Target date for remediation. Specific date, not "Q3 2026." Procurement reviewers and plaintiff attorneys both read vague dates as evasive.
7. Remediation status. Open, In Progress, Resolved.
8. Remediation technique. How the fix was implemented. "Added aria-label to calendar buttons; restructured heading hierarchy in modal."
9. Date remediated. When the fix shipped to production and was verified through retesting. Blank until resolved.

The four severity levels EOTSS publishes, with the technical thresholds:

• Critical — the gap blocks a user from completing a task or finding information, and no accessibility workaround is available. A blind user cannot pay a property-tax bill. A keyboard-only user cannot submit a permit application.
• Serious — the gap may prevent a user from completing a task, and only a complex workaround exists. The user can theoretically reach the goal, but the path is impractical for most affected users.
• Medium — the gap creates a moderate user impact. The task can be completed but with friction.
• Minor — the gap creates minimal user impact. Cosmetic issues, edge cases, best-practice gaps.

The severity rating drives the procurement decision. EOTSS's procurement guidance maps confidence levels to severity: a high-confidence bid has no Critical or Serious violations, and any Medium or Minor violation is on the Roadmap with a target date. A bid with unscheduled Critical findings, or with Critical findings whose target dates have already slipped, maps to "Low Confidence" — which is the procurement officer's instruction to reconsider the procurement.

The template's structure is what makes it the right default. Nine columns is enough to capture every dimension a procurement reviewer evaluates and a plaintiff attorney would cite. It is not so complex that a contractor cannot maintain it in a spreadsheet. And it is endorsed by a state agency, which means submitting a Roadmap in the EOTSS format to a Virginia, Colorado, or Washington procurement officer signals seriousness in a way a vendor-invented format does not.

What to Add Beyond the EOTSS Template

The EOTSS nine columns are the procurement-facing minimum. A defensible Roadmap — the kind that holds up if it ever becomes evidence — adds four more elements that EOTSS does not strictly require but that experience and post-Bashin litigation patterns argue for.

Responsible party identification. Every row should name which entity owns the fix. Prime contractor? Subcontractor? Third-party component vendor (Granicus, Tyler, CivicPlus, Esri)? This is the field most often missing from vendor Roadmap templates, and its absence creates ambiguity exactly where contractors need clarity. When a Critical row commits to a Q3 2026 remediation date and the responsible party is Tyler, the contractor's defensive posture is documented: the obligation flows down to Tyler under the subcontract's flow-down clause. When the responsible party field is blank, ambiguity becomes the contractor's problem by default.

Verification methodology. For every remediated row, document how the fix was verified — automated tool and version (axe DevTools 4.10, WAVE), manual screen-reader testing identifying the AT and version (NVDA 2024.x on Firefox 125, JAWS 2024 on Chrome 124), keyboard navigation walkthrough, and the date of verification. This converts the Date Remediated column from a claim into a representation backed by evidence. The verification record lives in the audit defense log; the Roadmap entry references it.

Reporting cadence commitment. Add a header section that commits to quarterly progress reports to the agency, annual Roadmap refresh aligned with the annual ACR refresh, and material-change notification within thirty days of any new "Partially Supports" or "Does Not Support" finding. The Massachusetts contract language obligates the vendor to provide updates on remediation progress and Written Validation when violations are resolved; defining the cadence in the Roadmap header preempts ambiguity later.

Sign-off block. The contractor signature, title, and date. Where a component-vendor-owned remediation is involved, the component vendor's signature as well. A government acceptance line for the agency to countersign. The sign-off block converts the Roadmap from a unilateral vendor document into a mutually acknowledged plan — which strengthens the contractor's posture in a procurement dispute and weakens a plaintiff's argument that the agency was misled about the timeline.

Those four additions — responsible party, verification methodology, reporting cadence, and sign-off — turn the EOTSS template from a procurement minimum into a litigation-defensible artifact.

Where Other States Stand

The May 18 state-laws map covered the broader procurement-language differential. Specifically on the Roadmap deliverable:

Colorado does not require a separate Vendor Accessibility Roadmap by name. The Office of Information Technology's HB21-1110 implementation framework instead requires government entities to submit a written plan to OIT as part of the agency's annual IT Roadmap for implementing the accessibility standards — an agency-facing plan, not a vendor-facing deliverable. The vendor-side analog in Colorado is the Equally Effective Alternate Access Plan (EEAAP), which the OIT Standard Operating Guide for Procuring Accessible Technology references when gaps exist. The EEAAP is narrower than a Massachusetts-style Roadmap (it focuses on alternative-access plans rather than dated remediation timelines), but it operates in the same conceptual space. A contractor submitting an EOTSS-format Roadmap into a Colorado procurement is over-delivering, which is the right posture.

Minnesota handles remediation timelines through exception filings within the procurement process rather than through a standalone Roadmap document. The Minnesota Digital Accessibility Standard, in effect since July 1, 2024 at WCAG 2.1 AA, requires VPAT submission and remediation plans where compliance gaps exist. There is no named "Vendor Accessibility Roadmap" deliverable, but a contractor submitting one preempts the exception-filing burden.

Washington requires agencies — not vendors — to develop, implement, and maintain an Accessibility Plan under WaTech's Digital Accessibility Standard USER-01-01-S, adopted December 10, 2024. Vendor accessibility obligations are imposed through contract language, but Washington does not impose a Virginia/Massachusetts-style separate vendor Roadmap. The state moves to WCAG 2.2 AA on July 1, 2026, which is twenty-three days from this post. Contractors with active Washington engagements should already be authoring Roadmaps that target 2.2 AA, not 2.1 AA.

California is contract-by-contract. There is no statewide Roadmap mandate, though Government Code § 11546.7's biennial certification regime and § 7405's Section 508 procurement compliance create the legal hooks individual agencies use to require remediation plans in their contracts. Orange County's procurement office has published its own VPAT/ACR review procedure, and other agencies are individually requiring remediation plans in their contracts.

The pattern across all six target markets: Virginia and Massachusetts are the cleanest examples of a separate, named, contractually-binding Vendor Accessibility Roadmap. Colorado, Minnesota, Washington, and California handle the same conceptual obligation through different instruments. The contractor who authors a single EOTSS-format Roadmap satisfies Virginia and Massachusetts directly and exceeds the requirement in the other four. That is the operational efficiency play.

The Federal Distinction That Matters

One important precision: the federal Section 508 Accessibility Roadmap referenced in Section508.gov's Technology Accessibility Playbook (Play 3) is an agency-internal program-management document, not a vendor deliverable. It is the document a federal agency creates to manage its own Section 508 compliance program — identifying program challenges, developing iterative plans, estimating budget, prioritizing milestones.

The federal vendor deliverable is the ACR, often supplemented by agency-specific remediation plans (DHS Trusted Tester reports, HHS internal review documents). There is no federal vendor Roadmap in the Virginia or Massachusetts sense.

Why this distinction matters for contractors: when a federal subcontractor or a state contractor reads federal Section 508 guidance and sees "Accessibility Roadmap," they are reading guidance about the agency's program-management document, not about a vendor deliverable they owe. The Virginia and Massachusetts Roadmaps are different documents serving a different purpose. Conflating them is the kind of category error that produces non-responsive bids.

The Roadmap × Audit Defense Log Workflow

The audit defense log and the Roadmap are different artifacts serving complementary purposes. The audit log is the historical record — what was found, when, by whom, what was fixed, and what evidence exists for each fix. The Roadmap is the forward-looking plan with dated commitments. Both documents are essential. Keeping them in sync is a workflow problem most contractors underestimate.

Three patterns make the synchronization sustainable:

Bidirectional ID linkage. Every Roadmap row gets a Defect-ID. The audit log uses the same Defect-ID for every entry related to that defect — initial finding, scoping conversation, remediation work, testing artifacts, verification. When a Roadmap row moves from "In Progress" to "Resolved," the audit log gets a paired entry with the test artifacts (axe scan, screen-reader recording, manual testing notes, screenshots). The pair of records — Roadmap commitment and audit log evidence — is the evidentiary unit that holds up if the Roadmap is ever scrutinized.

Quarterly reconciliation. At each quarterly reporting cycle, every Roadmap row is reconciled against the audit log. Slipped target dates require a written rationale in the audit log entry for that quarter. The pattern that loses cases — as the litigation defense section below explains — is silent slippage. The pattern that wins cases is dated, contemporaneously documented re-baselining.

Refresh cadence alignment. The Roadmap is published quarterly. The ACR is refreshed annually. When the ACR is refreshed, the Roadmap is republished simultaneously, and the audit log entry for that cycle documents the methodology. Resolved Roadmap rows from the prior period should be reflected in the new ACR's conformance levels — moving criteria from "Partially Supports" to "Supports" with documented evidence in the audit log.

The three patterns together turn the Roadmap and the audit log into a single defensible posture rather than two parallel documents that drift apart.

Sword and Shield: The Roadmap Post-Bashin

The Roadmap is a representation to the government client. Every dated commitment is a forward-looking representation. As the May 28 post on contract clauses covered, the Bashin v. Conduent settlement — $2 million paid by the contractor on the ReserveCalifornia.com engagement, brought under the California False Claims Act qui tam mechanism — established that accessibility representations to government clients are FCA predicates. The Roadmap is exactly the kind of representation Bashin teaches plaintiffs to look at.

How a documented Roadmap helps or hurts in litigation:

Helps when targets are met. A Roadmap with quarterly progress reports, third-party validation of each remediation, and dates that were met (or where slippage was documented with a written rationale) demonstrates the kind of good-faith effort that Conduent could not offer in Bashin. The court denied Conduent's motion to dismiss in part because the evidence showed pre-launch testing was inadequate and accessibility had been deliberately deferred. A contractor with a quarterly-reported Roadmap and a synchronized audit defense log has the opposite posture in writing.

Hurts when targets slip silently. If the contractor commits in writing to remediating a Critical finding by Q3 2026 and that date passes without action, the silent slippage is documentary evidence both of contract breach and — if the contractor continued to invoice during the slip — potential False Claims Act exposure. The Bashin qui tam mechanism is available in twenty-nine states plus DC, including all six BidShield target markets.

Neutral when dates are revised with cause. A Roadmap row that documents a Q3 2026 target being revised to Q1 2027 with a written rationale — "vendor X discontinued component Y; remediation now requires replacement of integration layer; new timeline reflects vendor X's published EOL schedule" — is defensible. The risk is not the revision. The risk is the silence.

The disciplined contractor publishes the Roadmap and the audit log in sync, treats every Roadmap commitment as a representation, and revises dates with documented rationale rather than letting them lapse. That is the posture that converts the Roadmap from sword (against the contractor) to shield (for the contractor).

What This Costs

Pricing for ACR + Roadmap engagements as of mid-2026, drawn from published vendor rates:

At the published budget end, Accessible.org offers ACR authoring at $350 to $950 depending on the edition, with the prerequisite WCAG audit running $1,250 to $7,500 based on page count and complexity. The Roadmap at this tier is essentially the audit report's findings reformatted into the nine-column structure — adding a few hundred dollars of consulting time to assign severity, set target dates, and document techniques. Total package for a small SaaS or municipal-website integration runs roughly $1,800 to $8,000.

DigitalA11Y publishes VPAT/ACR creation at $1,000 to $3,000, page-by-page audit pricing at $100 to $300, and validation re-testing at approximately half the original audit price. Assistive-technology user-session testing runs $800 per session.

Enterprise firms — Deque, Level Access, TPGi, Allyant, BarrierBreak, Converge Accessibility — quote by sales call. Market intelligence places comprehensive audit and VPAT creation at $25,000 to $100,000-plus for large digital properties. Roadmaps at this tier are typically a sub-deliverable within a broader remediation-support engagement, running $5,000 to $25,000 for the initial document plus quarterly maintenance.

Realistic budget for a solo or small-firm municipal contractor producing a defensible initial ACR plus Roadmap package for a single mid-complexity government integration: $4,000 to $12,000, with the audit being the bulk of the cost. Annual refresh runs roughly half. Quarterly Roadmap updates can be self-managed if the contractor maintains the audit defense log discipline described above.

For a Virginia or Massachusetts bid, this cost is now a cost of doing business. The alternative is non-responsiveness to the solicitation — which is the procurement reject this post opened with.

What to Do This Week

Three actions for any contractor with an active bid into a Virginia or Massachusetts entity, or with a renewal coming up in the other four target states:

Download the EOTSS Vendor Digital Accessibility Roadmap template from mass.gov/doc/digital-accessibility-roadmap-template/download. It is 58.5 KB, it is free, and it is the only government-published template available. Use the nine columns. Add the four supplemental elements — responsible party, verification methodology, reporting cadence, sign-off block — to the workbook header and structure.

For every active municipal contract, pull the current ACR. Identify every "Partially Supports" and "Does Not Support" row. Build the Roadmap entry for each one. Assign severity using the EOTSS thresholds. Commit to specific target dates. Tie each row to a Defect-ID that links to the audit defense log.

For any bid you are preparing into a Virginia, Massachusetts, or Washington entity in the next 90 days, audit your proposal package now for the Roadmap. If the solicitation references accessibility, the Roadmap is almost certainly required. Producing it before submission is materially cheaper than recovering from a non-responsive reject and rebidding the next round.

The procurement officer reads two documents. The plaintiff attorney reads the gap between what you committed and what you delivered. Author the Roadmap for both.