The Department of Justice finalized its Title II ADA rule in April 2024, establishing WCAG 2.1 Level AA as the enforceable accessibility standard for state and local government websites and mobile applications. Compliance deadlines depend on population size, but the direction is clear: WCAG 2.1 AA is now the legal floor, not a best-practice recommendation.
For government IT and web teams, the question is no longer whether to achieve compliance — it's how to maintain it continuously, because a one-time audit does not hold up under enforcement or litigation.
What Title II Now Requires
The rule applies to all state and local government entities covered by Title II of the ADA. This includes government agencies, public universities, public schools, and related entities. The enforceable standard is WCAG 2.1 Level AA.
Compliance deadlines under the final rule:
- April 24, 2026 — agencies serving populations over 50,000
- April 26, 2027 — agencies serving populations under 50,000
Limited exceptions exist for archived content, preexisting conventional electronic documents, and certain third-party content outside the agency's control. These exceptions are narrow and do not cover the primary website content.
Why a One-Time Audit Is Not Enough
The most common mistake agencies make is treating accessibility as a project with a completion date. An audit identifies issues at a point in time. A website is not static. Content is published, templates are updated, plugins are added, and third-party scripts are embedded — each of which can introduce new accessibility failures.
Common sources of accessibility regression after an audit
- CMS users publishing content with missing alt text or incorrect heading structure
- Plugin or theme updates that change interactive component behavior
- New third-party embeds (forms, maps, video players) that don't meet WCAG criteria
- JavaScript-heavy components that fail keyboard navigation after updates
- PDF documents added to the site that haven't been tagged for accessibility
An agency that passes an audit in January and publishes 200 new pages by July may have dozens of WCAG failures by the time anyone checks again. The audit was accurate. The website changed.
What Continuous Compliance Requires Operationally
Maintaining WCAG 2.1 AA compliance continuously — not just at audit time — requires operational processes, not just technical fixes.
Automated Scanning in the Development Pipeline
Automated accessibility tools (axe-core, Lighthouse, WAVE) catch a meaningful percentage of WCAG failures before they reach production. Integrating these into a CI/CD pipeline means new failures are caught at deployment rather than discovered months later.
Automated scanning does not catch everything — user interface interactions, focus management, and screen reader behavior require manual testing. But it catches the high-volume, deterministic failures that are easiest to introduce and easiest to fix.
CMS Governance for Content Editors
The largest source of ongoing accessibility failures is content, not code. Images published without alt text, heading levels skipped for visual styling, tables without headers, links labeled "click here" — these are content authoring failures that no development audit will prevent. For government agencies running Drupal, the platform's accessibility capabilities are part of why it dominates the sector. Our FedRAMP-aligned Drupal hosting practice operates the editorial workflow controls and continuous accessibility scanning that turn the platform's capability into sustained compliance.
Operational accessibility governance means:
- Editor training on WCAG content requirements
- CMS workflow controls that flag or block non-compliant content before publishing
- Periodic content audits targeting high-traffic pages
- A defined process for remediating flagged content
Document Accessibility
PDFs and Office documents posted to government websites are covered by Title II. A tagged, accessible PDF is not difficult to produce, but it requires a documented process and someone accountable for applying it before documents are posted.
Most agencies with accessible websites have significant accessibility debt in their document libraries. This is an often-overlooked compliance gap.
What Enforcement Looks Like
Title II enforcement happens through DOJ investigation and complaint resolution, or through private litigation under the ADA. Complaints are filed by individuals who encounter accessibility barriers on government websites.
The standard DOJ approach is a structured settlement — the agency agrees to a compliance plan with milestones, regular audits, and a monitoring period. Settlements typically require:
- A comprehensive accessibility audit within a defined timeframe
- A remediation plan with specific timelines for fixing identified issues
- Annual audits for a multi-year monitoring period
- Staff training requirements
- A public accessibility statement and feedback mechanism
The compliance plan becomes the enforcement mechanism. Agencies that treat it as a project rather than an operational change tend to return to non-compliance between audit cycles.
The Practical Path Forward
For government agencies approaching the Title II deadline, the practical path involves three parallel workstreams:
- Remediation of known failures — audit the current site, prioritize by severity and user impact, and fix the backlog before the deadline
- Operational changes — implement CMS governance, editor training, and automated scanning to prevent new failures from accumulating
- Documentation — maintain an accessibility statement, a feedback mechanism, and records of ongoing remediation activity
The third workstream is often underweighted. Demonstrating good-faith compliance effort matters in enforcement contexts. An agency with clear documentation of its accessibility program, active remediation activity, and a structured monitoring process is in a fundamentally different position than an agency with a dated audit report and no operational changes since.
Accessibility under Title II is not a one-time project. It's an operational responsibility — like patching or backups — that requires someone to own it continuously.