Skip to secondary navigation Skip to main content

Section 508 Exceptions Request and Approval Process

Federal agencies are required to ensure that their information and communication technology (ICT) is accessible to individuals with disabilities, as mandated by Section 508 of the Rehabilitation Act (29 U.S.C. § 794d). This applies to all ICT that an agency procures, develops, uses, or maintains. However, the Section 508 Standards allow certain ICT to be exempt from these requirements under specific conditions.

The Section 508 Standards identify six General Exceptions that federal agencies may use to determine whether specific ICT, or components thereof, are exempt from full conformance with the standards; they are:

Except for the Undue Burden or Fundamental Alteration, and Best Meets exceptions, the Section 508 Standards do not specify how federal agencies must process exception requests. While the Standards require that a “responsible agency official” make exception decisions, only the Undue Burden, Fundamental Alteration, and Best Meets exception types require formal documentation.

The Standards do not define who the responsible official is or what their title should be. Each agency has the discretion to designate the responsible official and determine how that role is assigned.

While each agency should develop an exceptions process that aligns with its mission, resources, and business practices, this guidance offers recommendations on documentation, reporting metrics, and roles and responsibilities to help effectively manage Section 508 General Exceptions.

Exceptions Process Models

Because the Section 508 Standards do not specify how agencies must handle exceptions, the sample models in this article illustrate optional approaches agencies can use to meet legal and compliance requirements. Agencies may adapt these examples or develop their own, as long as they establish clear policies and procedures for reviewing exceptions.

All exception requests are submitted to a single "authorizing official" or centralized review board composed of key stakeholders such as legal, IT, Section 508, or Acquisition. Reviews are conducted using standardized evaluation criteria.

Benefits:

  • Ensures consistent decisions across the agency.
  • Enables centralized documentation, auditing, tracking, and reporting readiness.
  • Facilitates the involvement of subject matter experts in evaluations.

Potential Drawbacks:

  • May create bottlenecks due to limited reviewer capacity.
  • Slower turnaround times for urgent or time-sensitive requests.
  • Less flexibility for unique program or component needs.
  • Requires robust support infrastructure such as tracking systems or intake processes.

Best For Agencies:

  • With high-volume ICT procurements or a large, diverse user base requiring uniform oversight.
  • Without broad subject matter expertise.
  • With small to medium ICT procurements.
  • Without urgent or time sensitive needs.

Authority to review exceptions is delegated to program offices or subcomponents, following a common policy framework established by the central Section 508 Program Office. Periodic oversight helps ensure consistency and alignment with agency-wide standards.

Benefits:

  • Promotes responsiveness and context-specific decision-making.
  • Encourages operational ownership and accountability.
  • Scales well in agencies with decentralized components or diverse missions.

Potential Drawbacks:

  • Potential for inconsistent application of policy across components.
  • Challenging to centralize records for reporting, tracking, or auditing without a centralized portal or ticketing system.
  • Requires strong internal controls and training to ensure policy alignment.
  • Risk of varying documentation quality and interpretation of exceptions.

Best For Agencies:

  • With decentralized subcomponents, such as departments with diverse missions or IT systems.

Exception processing is integrated into existing acquisition and development workflows, including planning, design, and contract approval checkpoints.

Benefits:

  • Embeds accessibility planning early in the project lifecycle.
  • Aligns exceptions with risk assessments and mitigation strategies.
  • Streamlines decision-making and reduces standalone documentation.
  • Supports automation in modern procurement and development environments.

Potential Drawbacks:

  • May lack dedicated accessibility expertise at decision points.
  • Risk of exceptions being overlooked or inconsistently interpreted and documented.
  • Difficult to extract or aggregate data for enterprise-wide reporting and tracking.
  • Requires extensive coordination across multiple lifecycle checkpoints.

Best For Agencies:

  • Undergoing IT modernization or those with automated procurement and development platforms.
Selecting a Model: The models above are examples only. Each agency should design and implement an exceptions process that aligns with its mission, organizational structure, and business needs.

Policy and Process Considerations

Whether an agency uses a centralized, federated, or integrated model for Section 508 exception processing, certain core policy elements should be in place to ensure legal compliance, audit readiness, and operational consistency. The following are common elements to consider including in your agency’s exception process.

Process Workflow

Agency procedures should explain how to create and submit a Section 508 exception request, as well as how requests are reviewed, approved, and tracked. The following example can help your agency establish procedures that align with your organization’s goals and workflow efficiency.

  1. Initiate Request

    • Responsible Party: Requestor such as the program office, acquisition official, or IT team.
    • Actions:
      • Identify the need for a Section 508 exception.
      • Complete the standardized Section 508 Exception Request Form—or an equivalent document—that captures the following information:
        • Type of exception
        • Requestor's name
        • Requestor's contact information
        • Agency and component or bureau submitting the request
        • Requesting office
        • Name of ICT product or service
        • Documentation of mitigation strategies, such as alternative access or planned remediation
        • Submit the completed form and supporting documents to the designated Authorizing Official (AO).
        • Submission may occur via a centralized portal, ticketing system, or official email address.

  2. Evaluation and Documentation Determination

    • Responsible Party: Authorizing Official
    • Actions:
      • Evaluate the request using established evaluation criteria or decision questions.
      • Consult with stakeholders such as legal, Section 508, or IT Security, as needed.
      • Approve or deny the exception request.
      • Complete the submitted Exception Request Form—or equivalent document—that includes the following information:
        • Final determination or decision
        • Conditions, limitations, or extent of the exception granted
        • Documentation of mitigation strategies, such as alternative access methods and planned remediation
        • Name of the authorizing official
        • Signature of the authorizing official
        • Date of authorization
        • Expiration or renewal date
        • Exception tracking number
      • Notify the requestor of the outcome and next steps.

  3. Archive and Track

    • Responsible Party: Section 508 Program Office or AO Support Team
    • Actions:
      • Log the decision and supporting documents in the Section 508 Exception tracking system.
      • Tag entries for:
        • Exception type
        • Requesting agency and component or bureau
        • Requesting office
        • Specific product/services covered
        • Required mitigations such as alternative means or required remediation
        • Expiration date
      • Store all documentation for audit readiness.

  4. Reporting and Oversight

    • Responsible Party: Section 508 Program Office
    • Action:
      • Generate quarterly or annual reports summarizing:
        • The number and types of exceptions
        • The status of mitigations
        • Any expiring or lapsed exceptions
    • Submit the required information as part of the annual Governmentwide Section 508 Assessment per 29 U.S.C. 794d-1 and in any other situations where it is required.
    • Share summary reports with the CIO, CAO, legal, or other oversight bodies as needed.

  5. Renewal or Expiration Review

    • Responsible Party: Requestor, with AO support
    • Actions:
      • Before expiration, reassess the need for continued exception.
      • If an exception is still needed, complete the standardized Section 508 Exception Request Form from Step 1 with all required data.

Identify Authorizing Officials

Agency policy should clearly define who is responsible for managing Section 508 exception requests. These responsibilities may be assigned to existing roles—such as the Chief Information Officer (CIO), Chief Acquisition Officer (CAO), or Section 508 Program Manager—or to an Exceptions Review Board (ERB) made up of key stakeholders.

Table 1: Authorizing Officials by Exception
Exception Type Recommended Authorizing Official(s)
E202.2 Legacy System CIO, Section 508 PM, ERB
E202.3 National Security Agency Head, CIO, Section 508 PM, ERB
E202.4 Federal Contracts CIO, CAO, Section 508 PM, ERB, Acquisition Official
E202.5 ICT Functions Located in Maintenance or Monitoring Spaces CIO, CAO, Section 508 PM, ERB
E202.6 Undue Burden or Fundamental Alteration Agency Head, CIO, Section 508 PM, ERB
E202.7 Best Meets CIO, CAO, Section 508 PM, ERB

Exception Review Criteria 

Establish agencywide exception decision questions to help AOs systematically determine which ICT exceptions—if any—are applicable, ensuring thorough assessment, compliance, and supporting documentation.

Table 2: Exceptions Review Criteria
Exception Type Decision Questions
Legacy ICT (E202.2) If the answer to all questions is “yes”, then this exception applies:
  1. Did your agency deploy, maintain, or use the ICT on or before January 18, 2018?
  2. Is the ICT known to have conformed to the Electronic and Information Technology Accessibility Standards as originally published, prior to January 18, 2018?
  3. Since January 18, 2018, has the ICT remained unchanged regarding interoperability, the user interface, or access to information and data?
National Security Systems (E202.3) If any of the following apply, your ICT may qualify for this exception:
  1. Involves intelligence activities
  2. Involves cryptologic activities related to national security
  3. Involves command and control of military forces
  4. Involves equipment that is an integral part of a weapon or weapons system
  5. Is critical to the direct fulfillment of military or intelligence missions (does not include routine administrative and business applications such as payroll, finance, logistics, and personnel management)
Federal Contracts (E202.4) If the answer to all questions is “yes”, then this exception applies:
  1. Is the vendor or contractor procuring the ICT?
  2. Will ONLY vendor or contractor personnel access or use the ICT?
  3. Will ownership of the ICT remain with the vendor or contractor upon completion of the contract?
Maintenance/Monitoring Spaces (E202.5) If the answer to all questions is “yes”, then this exception applies:
  1. Does the ICT have status indicators or operable parts (i.e., physical controls)?
  2. Is the ICT located in spaces that are frequented only by service personnel for maintenance, repair, or occasional monitoring of equipment (i.e., on a rack mounted in a wiring closet)?
Undue Burden/Fundamental Alteration (E202.6) If the answer to all questions is “yes”, your ICT may warrant this exception:
  1. Have you determined that conformance for some or all features and functions of the ICT item would result in an undue burden on your agency or component?
  2. Have you quantified the resources available to the program or component for which the ICT is to be procured, developed, maintained, or used?
  3. Has the responsible agency official documented in writing how the difficulty or expense is significant, relative to the resources available? For example:
    1. What percentage of the total budget available would be spent on the expense?
    2. Explain exactly what is significantly difficult, and why.
  4. Does your documentation address whether the exception is being claimed for the entire ICT Item, or only specific features and functions?
  5. Will the agency provide an alternative means for users with disabilities to access the features and functions for which you are claiming this exception?
Best Meets (E202.7) If the answer to all questions is “yes”, your ICT item may warrant this exception:
  1. Have you completed market research addressing Section 508 compliance for the ICT Item?
  2. Did you evaluate Accessibility Conformance Reports or test results to validate 508 conformance claims?
  3. Did you document the market research performed to validate 508 conformance claims?
  4. Of the ICT items which met business needs, were there no options that fully conformed to the 508 Standards?
  5. Are you purchasing the ICT Item that best meets the 508 Standards?
  6. Will the agency provide an alternative means for users with disabilities to access the features and functions that do not conform to the 508 Standards?

Authorization and Expiration

Section 508 exceptions should be applied sparingly and only when Section 508 conformance cannot be achieved without causing undue burden, fundamental alteration, or when no fully conformant solution exists. To maintain accountability, exceptions must be time-bound and regularly reassessed.

All approved exceptions should:

  • Include an expiration or revalidation date between 12 to 36 months of issuance, unless a shorter interval is justified based on risk or planned upgrades.
  • Be reviewed annually: Ensure ongoing relevance, assess whether circumstances have changed, and evaluate any progress toward remediation, resolution, or mitigation.
  • Be sunsetted, revised, or rejustified when:
    • A conformant product or solution becomes available.
    • Technology, business needs, or accessibility standards evolve.
    • Mitigation strategies are no longer effective or required.
Tip: A centralized portal or ticketing system may support revalidation reminders and track exception lifecycles to prevent indefinite approvals.

Federal Contracts Exceptions

Section 508 E202.4 Federal Contracts, provides an exception for compliance for “[information and communication technology (ICT)] acquired by a contractor incidental to a contract shall not be required to conform to the Revised 508 Standards.”, where incidental to contract means all ICT that is exclusively owned and used by the contractor to fulfill the work statement does not require conformance with Section 508 Standards.

As contractors are at liberty to acquire ICT incidental to a contract, federal agencies may consider authorizing Federal Contracts Exceptions for all ICT procurements by including the following Section 508 Standards language in all ICT contracts:

E202 General Exceptions

E202.4 Federal Contracts. ICT acquired by a contractor incidental to a contract shall not be required to conform to the Revised 508 Standards.

Alternative Means Requirements

Granting a Section 508 exception does not eliminate the agency’s responsibility to ensure that individuals with disabilities can access the information or services with the exception:

  • For Undue Burden or Fundamental Alteration and Best Meets exceptions, the Section 508 Standards require that agencies provide alternate means of access to ensure individuals with disabilities receive the same information and services.
  • For other exception types, alternative means of access is not explicitly required by the Standards, but it is strongly recommended as a best practice where feasible.

Agencies should establish procedures to ensure that equivalent access is considered, documented, and communicated, as needed, whenever an exception is approved. Implementation considerations should include: 

  • Develop an internal checklist or template to capture alternate means planning as part of the exception review process.
  • Coordinate with communications and help desk teams to ensure messaging and support are in place.
  • Review alternative means solutions annually, or when user needs or technologies change.
  • Track user requests for alternate access to uncover common accessibility gaps and inform ongoing improvements.
Legal Consideration: Even when a Section 508 exception applies, providing alternative means is not optional—it is a continuing obligation under Section 504 of the Rehabilitation Act (29 U.S.C. 794) and other agency responsibilities.

Recordkeeping and Reporting

Agencies should maintain records for all Section 508 exception requests related to ICT that are procured, developed, used, or maintained. These records should be comprehensive enough to provide a clear historical trail, particularly in the event of staff turnover or personnel changes affecting familiarity with the ICT product or service.

At a minimum, exception records should:

  • Include documentation required under E202.6 Undue Burden or Fundamental Alteration and E202.7 Best Meets.
  • Be retained for at least five years after the exception expires, or longer in accordance with National Archives and Records Administration (NARA) retention records guidelines.
  • Be tracked and available for auditing, re-evaluations, and reporting.

Data Collection

Exception records should include standardized metadata fields, such as:

Table 3: Exceptions Recordkeeping Metadata
Metadata Label Description
Exception ID Number Assign a unique identifier to each approved exception. For example:
Format:
Agency-Component-Office-Date-Sequence-Type
Example:
DHS-FEMA-Recovery-2024-05-08-003-Best-Meets
Requestor’s Information Include name and contact details such as email, phone, agency, component, and office of the requestor.
Exception Type Identify the applicable exception type:
Legacy ICT, National Security Systems, Federal Contracts, ICT Functions Located in Maintenance or Monitoring Spaces, Undue Burden or Fundamental Alteration, or Best Meets.
ICT Name Name or title of the ICT product or service.
ICT Vendor Name of the vendor providing the ICT product or service.
ICT Description A meaningful description of the ICT, including intended use and user population.
Scope Define the scope of the exception, including boundaries, conditions, or limitations such as specific features, modules, or users to which the exception applies.
ICT Version Version number or identifier of the ICT product or service.
Acquisition Reference Number Provide the unique acquisition number associated with this exception.
Request Justification Provide rationale for the exception request, including:
  • Cost or technical limitations for Undue Burden
  • Risk assessment and mitigation plan
Alternate Means of Access Plan for providing equivalent access for users with disabilities if the ICT is not fully conformant.
Authorizing Official (AO) Name and title of the official responsible for reviewing and approving or denying the request.
Determination/Status Final status such as approved or denied, rationale for the decision, and any conditions imposed.
Expiration/Revalidation Date Set a date when the exception will expire or be re-evaluated, typically 12–24 months.

Sample Exception Request Forms

Agencies that currently use business process or workflow automation tools may consider developing a standardized process for submitting, reviewing, approving, and documenting exception requests. 

Agencies that do not utilize such systems may opt for a forms-based approach, such as creating an online form or a fillable PDF that can be routed to the appropriate stakeholders for review and approval. For these cases, the following sample forms are provided for consideration:

Reviewed/Updated: July 2025

Section508.gov

An official website of the General Services Administration

Looking for U.S. government information and services?
Visit USA.gov