Section 508
Definition
Section 508 of the Rehabilitation Act requires all software, websites, and electronic content procured, developed, or used by the U.S. federal government to meet accessibility standards equivalent to WCAG 2.0 Level AA. Non-compliance can disqualify a product from federal procurement and expose agencies to civil rights complaints under the Architectural Barriers Act.
Section 508 is not optional for any software sold to or used by the federal government. The Revised Section 508 Standards (2017) align with WCAG 2.0 Level AA and cover web content, software, hardware, support services, and documents.
Key Section 508 requirements for software
- All UI components operable by keyboard alone (no mouse required)
- Screen reader compatibility (ARIA labels, semantic HTML, focus management)
- Sufficient color contrast (4.5:1 for normal text, 3:1 for large text)
- Captions for all video content; audio descriptions for visual-only content
- No content that flashes more than 3 times per second (seizure risk)
Testing for 508 compliance
Automated tools (axe, Lighthouse, WAVE) catch 30-40% of 508 issues. The remainder require manual testing with screen readers (JAWS, NVDA, VoiceOver) and keyboard-only navigation. Build 508 testing into CI/CD -- axe-core integrates with Jest and Playwright for automated accessibility regression detection.
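Wiring axe-core into a Jest or Playwright run only helps if the results are turned into a pass/fail decision the pipeline can act on, with the non-508 findings kept out of the gate. This is an added example, not code from the page or from the axe-core project: it takes a results object in axe-core's documented shape (`violations[]` with `id`, `impact`, `tags`, `help`, `nodes[]`), keeps the violations tagged with WCAG 2.0 A/AA or Section 508 criteria, and fails on `critical` or `serious` impact unless the rule id is on a tracked allowlist. The sample results object is constructed, not the output of a real scan, and its impact levels are illustrative.

```javascript
// Added example: CI gate over an axe-core results object. The results shape
// (violations[].id / impact / tags / help / nodes[].target / nodes[].html)
// follows axe-core's output; the sample below is constructed, not a real scan.

// axe tags that map to Section 508 / WCAG 2.0 Level AA criteria.
const SECTION_508_TAGS = new Set(["wcag2a", "wcag2aa", "section508"]);
// Impacts that should block a merge or deploy.
const BLOCKING_IMPACTS = new Set(["critical", "serious"]);

// Keep only violations relevant to 508; "best-practice" findings are reported elsewhere.
function relevantViolations(results) {
  return results.violations.filter((v) =>
    v.tags.some((t) => SECTION_508_TAGS.has(t) || t.startsWith("section508."))
  );
}

// Decide whether the build fails and build a summary. `allowlist` holds rule ids
// that are tracked exceptions (justification lives in the tracker, not here).
function gate(results, { allowlist = [] } = {}) {
  const allowed = new Set(allowlist);
  const relevant = relevantViolations(results).filter((v) => !allowed.has(v.id));
  const blocking = relevant.filter((v) => BLOCKING_IMPACTS.has(v.impact));
  const report = relevant.map((v) => {
    const n = v.nodes.length;
    const targets = v.nodes.map((node) => node.target.join(" ")).join(", ");
    return `${v.impact.padEnd(8)} ${v.id} (${n} node${n === 1 ? "" : "s"}): ${v.help} [${targets}]`;
  });
  return {
    failed: blocking.length > 0,
    blockingCount: blocking.length,
    nonBlockingCount: relevant.length - blocking.length,
    affectedNodes: blocking.reduce((sum, v) => sum + v.nodes.length, 0),
    report,
  };
}

// Constructed sample in axe-core's result shape (impacts chosen for illustration).
const sampleResults = {
  url: "http://localhost:3000/apply", // constructed
  violations: [
    {
      id: "color-contrast", impact: "serious", tags: ["wcag2aa", "wcag143"],
      help: "Elements must have sufficient color contrast",
      nodes: [
        { target: [".hint"], html: '<span class="hint">optional</span>' },
        { target: ["footer a"], html: '<a href="/privacy">Privacy</a>' },
      ],
    },
    {
      id: "image-alt", impact: "critical", tags: ["wcag2a", "section508", "section508.22.a"],
      help: "Images must have alternate text",
      nodes: [{ target: ["img.logo"], html: '<img class="logo" src="logo.png">' }],
    },
    {
      id: "region", impact: "moderate", tags: ["best-practice"],
      help: "All page content should be contained by landmarks",
      nodes: [{ target: ["body"], html: "<body>" }],
    },
    {
      id: "label", impact: "critical", tags: ["wcag2a", "wcag412", "section508", "section508.22.n"],
      help: "Form elements must have labels",
      nodes: [
        { target: ["#ssn"], html: '<input id="ssn" type="text">' },
        { target: ["#dob"], html: '<input id="dob" type="date">' },
      ],
    },
  ],
};

const verdict = gate(sampleResults, { allowlist: ["color-contrast"] });
for (const line of verdict.report) console.log(line);
console.log(verdict.failed ? `FAIL: ${verdict.blockingCount} blocking rule(s), ${verdict.affectedNodes} node(s)` : "PASS");
```

In a real pipeline the `results` object comes from `axe.run()` (or `new AxeBuilder({ page }).analyze()` in Playwright) and `verdict.failed` drives the process exit code; the allowlist should be reviewed on a schedule, since the 30-40% the tools do catch is only useful if it is not quietly waived.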
Related terms
FedRAMP
FedRAMP (Federal Risk and Authorization Management Program) is the U.S. government's standardized authorization framework for cloud services sold to federal agencies. A FedRAMP Moderate authorization covers 80% of federal civilian use cases, takes 12-24 months to achieve, and costs $500,000-$2,000,000 -- but unlocks a $100 billion+ federal cloud services market with a single reusable authorization.
ATO (Authority to Operate)
An Authority to Operate (ATO) is the formal approval granted by a federal Authorizing Official that allows a software system to operate within a government environment after completing the NIST Risk Management Framework assessment process. ATOs are required before any federal system goes live and must be continuously maintained -- typically reviewed annually and triggered by significant system changes.
CMMC (Cybersecurity Maturity Model Certification)
CMMC (Cybersecurity Maturity Model Certification) is the DoD's third-party verification program for cybersecurity practices on defense contracts. CMMC Level 2 -- required on most DoD contracts handling Controlled Unclassified Information by 2026 -- mandates independent assessment of all 110 NIST SP 800-171 practices by a Certified Third-Party Assessment Organization (C3PAO).
HIPAA Software
HIPAA software is any application that creates, receives, maintains, or transmits Protected Health Information (PHI) and must comply with the HIPAA Security Rule's administrative, physical, and technical safeguards. Healthcare software companies that handle PHI must sign a Business Associate Agreement (BAA) with covered entities -- violations carry fines of $100-$50,000 per violation up to $1.9 million annually.