Blog

The 90-Day ADA Stabilization Roadmap for Public Agencies

A Governance-Driven Plan for Agencies That Need Structure, Not a Sprint

MAR 02, 2026 BY HAYDEN BAILLIO

Designers working on colorful UX sketches and wireframes on a table.
What we cover
Give me the TL;DR

If your agency is not fully aligned with WCAG 2.1 AA right now, you are not in a unique position. Most public agencies are not. What separates the agencies that manage this well from the ones that keep cycling through the same crisis is not how fast they moved. It is what they built when they did.

A 90-day stabilization plan is not a crash remediation sprint. It is not a website refresh. It is not publishing an accessibility statement and hoping the problem becomes someone else's.

It is the systematic construction of a defensible compliance posture — the kind that holds up when a complaint arrives, when a DOJ inquiry opens, when a council member asks in a public meeting how the agency is managing its ADA obligations.

Done right, 90 days accomplishes three things:

  1. Establishes a documented, honest baseline of where your agency actually stands
  2. Reduces the highest-impact accessibility barriers with evidence that the work was done
  3. Builds the operational foundation that sustains compliance after the 90 days end

That third piece is the one most agencies skip. It is also the one that determines whether any of it matters.

Before the Phases: Clarify the Objective

The goal of a 90-day stabilization plan is not perfect compliance. That is not a realistic objective in 90 days, and chasing it produces worse outcomes than pursuing the right objective clearly.

The actual objective is defensibility. And defensibility is made of five specific things:

An identifiable baseline. A documented audit that establishes where issues exist, how they are classified, and what the remediation priority order is. Without a baseline, there is no way to demonstrate progress, and there is no way to demonstrate that prioritization decisions were intentional rather than arbitrary.

Risk-based prioritization. Evidence that your agency made deliberate decisions about what to address first based on impact to residents, legal exposure, and service criticality — not based on what was easiest to fix.

Visible remediation progress. Documented, timestamped evidence that barriers were identified and addressed. Not a claim that things got better. A record that shows what changed, when, and who was responsible.

Documented effort. The full paper trail: audit report, remediation log, monitoring records, training documentation, vendor reviews, executive briefings. The documentation program is not administrative overhead. It is the compliance program.

Operational structure. Defined ownership, recurring monitoring, remediation allocation, governance framework. The infrastructure that makes compliance self-sustaining rather than person-dependent.

When an agency can demonstrate all five, it has moved from reactive posture to defensible posture. That distinction matters in enforcement proceedings, in complaint response, and in the internal conversation about whether accessibility deserves ongoing resources.

Now, the phases.

Days 1–30: Baseline, Triage, and Immediate Exposure Reduction

The first 30 days are about clarity. Not polish. Not redesign. Not cosmetic fixes that look like progress but don't reduce risk.

Clarity.

You cannot prioritize what you haven't identified. You cannot defend what you haven't documented. Everything in this phase is about establishing an honest, specific picture of where exposure lives and beginning to address the highest-risk items with evidence attached.

Conduct a Comprehensive Accessibility Audit

Not an automated scan. A real audit.

Automated scanning tools are useful for detecting pattern-level issues across large surfaces quickly. They are not sufficient alone. Automated tools miss the failures that matter most in enforcement contexts — form logic errors, keyboard trap behaviors, dynamic content that isn't announced to assistive technology, error messages that identify failure without explaining it.

A real audit includes:

  • Template-level evaluation of global components — navigation, header, footer, modal windows, form patterns — because template issues multiply across every page that inherits from them
  • Transactional workflow testing covering permit applications, payment portals, public records systems, license renewals, and any other workflow where a resident must complete a task to access government services
  • Keyboard navigation testing through all interactive components — can a user complete every action using only a keyboard, with a visible focus indicator at every step?
  • Screen reader validation using actual assistive technology to confirm that form fields are labeled, errors are announced, dynamic updates are communicated, and navigation is logical
  • Color contrast validation across text, interactive elements, and informational graphics
  • Document sampling review — a representative sample of the PDFs and downloadable documents most frequently accessed by the public
  • Third-party integration review — the payment gateway, the permit portal, the scheduling system, the GIS tool, the chat widget — all evaluated against WCAG 2.1 AA

Deliverable: A documented findings report classifying issues by WCAG criterion, severity level, affected surface, and estimated remediation effort. This report is the foundation of everything that follows. Its absence makes every subsequent action harder to defend.

Build a Risk-Based Prioritization Model

Not every accessibility issue carries the same weight. An inaccessible permit application that blocks a resident from submitting a required form is categorically different from a decorative icon missing alt text on a page with minimal traffic. Treating them as equivalent wastes resources and misrepresents where risk actually lives.

A mature prioritization framework considers:

  • Service criticality: Does this issue block access to a core government service? Permit applications, tax payments, utility services, public records requests, and emergency information sit at the top of every prioritization model.
  • User impact severity: Does this issue create a complete barrier, or does it create friction? Complete barriers — keyboard traps, CAPTCHA with no audio alternative, forms that cannot be submitted via screen reader — are always highest priority.
  • Traffic volume: A failure on a page accessed by 5,000 residents per month carries more aggregate impact than the same failure on a page accessed by 50.
  • Legal exposure potential: Transactional failures and missing document accessibility have historically received heightened scrutiny in enforcement proceedings. Weight accordingly.
  • Template scope: An issue in a global template affects every page inheriting from it. Template-level failures have outsized impact and therefore outsized priority.

Deliverable: A prioritized remediation roadmap that sequences issues by impact category, assigns ownership, and establishes a realistic timeline. This document is what transforms an audit from a findings list into a program.

Address Immediate High-Impact Barriers

Within the first 30 days, your team should be actively remediating the issues at the top of the priority model while the audit and prioritization work is being formalized. These are not the same thing as "easy fixes." They are the fixes that most reduce immediate exposure.

Focus on:

  • Critical form barriers — unlabeled fields, inaccessible error messaging, keyboard traps in date pickers or multi-step flows
  • Broken keyboard navigation on core transactional workflows
  • Major color contrast failures on primary text and interactive elements
  • Core template structural issues affecting global navigation, skip links, and landmark structure
  • High-visibility PDF barriers — scanned documents linked from primary service pages, forms required for public participation

Document every fix as it happens. Date, issue category, location, what was changed, who made the change. The remediation log starts now and runs for the duration of the program.

Deliverable: An active remediation log with timestamped entries. This is the beginning of your defensibility archive.

Brief Executive Leadership

Leadership should not learn about your agency's accessibility posture from a complaint. They should learn about it from you, in a structured briefing, before anything external forces the conversation.

Within the first 30 days, brief the relevant executive stakeholders — IT leadership, the city manager or administrator, legal counsel, communications — on what the audit found, how issues were prioritized, what the 60-day plan looks like, and what governance responsibilities need to be defined at the leadership level.

This briefing accomplishes two things. It creates executive visibility that sustains program support through the phases that follow. And it creates a documented record that leadership was informed and engaged — which matters in enforcement contexts where organizational accountability is evaluated.

Deliverable: Executive briefing documentation with attendance and key decisions recorded.

Days 31–60: Structured Remediation and Documentation Discipline

The second phase shifts from triage to systemization. The highest-impact fires are addressed. Now the work is building the structures that prevent the next set of fires.

Execute Template-Level Remediation

The most efficient remediation work in any web accessibility program is template-level work. Fixing an accessibility issue in a shared template or global component fixes it simultaneously on every page that inherits from that template — sometimes hundreds or thousands of pages at once.

Focus template remediation on:

  • Global navigation — keyboard accessibility, focus management, ARIA landmark structure, skip navigation links
  • Footer structure and secondary navigation
  • Form templates — label associations, error handling patterns, required field announcements, inline validation behavior
  • Table patterns — header associations, caption structures, summary logic for complex data tables
  • Modal window and dialog behaviors — focus management on open, escape key behavior, focus return on close
  • Dynamic content components — any element that updates without a page reload needs to announce those updates to assistive technology

Every template fix should be validated after implementation. Not assumed. Tested — keyboard navigation, screen reader, and automated scan — and the validation documented.

Deliverable: Validated template compliance documentation showing pre-fix state, remediation action, and post-fix validation results.

Validate Transactional Workflows End-to-End

With template-level fixes in place, re-test the core transactional workflows identified in Phase 1. This time the testing goes deeper — full end-to-end workflow completion using keyboard-only navigation and screen reader testing, not just component-level checks.

For each workflow, test and document:

  • Complete navigation from entry point through confirmation using keyboard only
  • Screen reader announcement of all field labels, error messages, status updates, and confirmations
  • Error state behavior — what happens when a required field is empty, when a format is incorrect, when a session expires
  • Time-out behavior — is the user warned before session expiration, and can they extend the session via keyboard?
  • Confirmation and success state accessibility — does the user receive a clear, announced confirmation that their transaction was completed?

Document the test results for every workflow, not just the failures. A record of what passed matters as much as a record of what failed — it demonstrates systematic evaluation rather than selective attention.

Deliverable: Transactional workflow testing documentation with keyboard and screen reader test results for each core workflow.

Launch the Document Accessibility Program

PDFs and public documents represent a persistent, growing source of accessibility exposure at most public agencies. Without a structured program, document risk compounds every week as new content is published.

Phase 2 is when the document program gets built. This includes:

  • A document inventory — a comprehensive list of publicly accessible PDFs and downloadable documents, classified by traffic volume, service criticality, and accessibility status
  • A risk categorization model that distinguishes active service documents (forms, public notices, meeting agendas) from archival content, and prioritizes accordingly
  • A remediation queue for high-priority documents, with assigned ownership and timelines
  • Accessible PDF creation guidelines distributed to every staff member who creates or uploads documents — what tagging is required, how to create accessible exports from Word and InDesign, how to verify before uploading
  • An upload review standard that defines what accessibility checks must happen before any new document is published

The document program does not need to remediate every historical document in 30 days. It needs to establish the inventory, address the highest-risk documents, and put a going-forward standard in place so that the problem stops growing while the backlog is addressed.

Deliverable: Document inventory with risk classification, remediation queue for priority documents, and accessible PDF creation guidelines distributed to content creators.

Build the Remediation Log and Evidence Archive

By Day 60, the remediation log that started in Phase 1 should be a structured, consistent record. Every action taken since the audit should be documented with:

  • Date of remediation
  • WCAG criterion addressed
  • Issue severity classification
  • Affected page, document, or workflow
  • Description of what was changed
  • Responsible party
  • Validation status — was the fix tested and confirmed?

This log is not an internal project management tool. It is your primary evidence document. If an enforcement body asks your agency to demonstrate good-faith compliance effort, this log — alongside the audit report, monitoring records, and executive briefings — is what that demonstration is built from.

Treat it accordingly from day one.

Deliverable: A complete remediation log covering all Phase 1 and Phase 2 actions, structured for external review.

Execute Internal Training

By Day 60, the people who create and publish content at your agency need to understand their accessibility responsibilities. Not a broad awareness session. Specific, role-appropriate training.

Content editors need to understand: how to write meaningful alt text, how to create accessible links, how to structure content with proper headings, how to check basic accessibility before publishing, and how to create accessible documents before uploading.

Developers need to understand: template-level accessibility expectations, how to validate new components before launch, what ARIA is and when to use it, and what keyboard and screen reader testing looks like.

Leadership needs to understand: the reporting cadence they will receive, the governance responsibilities assigned to their level, and how to respond if an accessibility complaint reaches them directly.

Document completion. Training that was not documented did not happen — at least not in any way that can be demonstrated.

Deliverable: Training completion records for content editors, developers, and relevant leadership.

Days 61–90: Governance Implementation and Sustainability

This is the phase most agencies skip. It is the phase that determines whether the previous 60 days of work compounds into a sustained program or collapses back to baseline within six months.

Stabilization without governance is expensive temporary relief. Stabilization with governance is the foundation of a compliance program.

Implement a Recurring Monitoring Cadence

Monitoring is what catches drift before it becomes exposure. Without it, new content, vendor updates, and template modifications introduce new issues silently — and the organization has no visibility until a complaint surfaces them.

A sustainable monitoring cadence for most public agencies includes:

  • Monthly automated scans across the primary website with human review of flagged findings — not just a report, a reviewed and actioned report
  • Quarterly manual QA of the core transactional workflows — keyboard navigation, screen reader testing, error state validation — because automated tools do not catch the failures that matter most in enforcement contexts
  • Annual comprehensive audit update — a full re-evaluation of the baseline, with findings compared to the prior year to demonstrate risk trend over time

Schedule these. Put them on a calendar. Assign ownership. A monitoring program that runs "when someone gets to it" does not run.

Deliverable: Documented monitoring schedule with assigned ownership and first monthly scan completed and reviewed.

Define Dedicated Remediation Allocation

This is where most programs fail quietly. Accessibility fixes compete with every other development priority, and without defined allocation — specific hours per month, specific budget, specific retainer — they consistently lose that competition.

Infrastructure means remediation capacity is planned and predictable, not improvised under urgency. Define:

  • Monthly remediation hours allocated to accessibility work, whether internal or through an external partner
  • A prioritization review process that evaluates new findings from monitoring against the existing remediation queue
  • An escalation process for high-severity findings identified through monitoring that cannot wait for the normal queue

Deliverable: Documented remediation allocation model included in the governance framework.

Formalize the Governance Framework

The governance framework is the document that defines how accessibility works as an ongoing operational function. It transforms effort into institutional structure — meaning the program can survive staff turnover, leadership changes, and budget cycles.

The framework should include:

  • A formal accessibility policy with scope, commitment statement, and executive approval
  • A role and ownership model that names who is accountable for what — not by person, but by role — at the IT level, the department level, and the executive level
  • The monitoring schedule and process
  • The remediation workflow from issue identification through validation and logging
  • The vendor accessibility review process — what happens when a new vendor is being evaluated, when a VPAT is reviewed, when a vendor update introduces new issues
  • The complaint intake and response process — how accessibility complaints are received, who reviews them, what the response timeline is, and how resolutions are documented
  • The reporting cadence — who reports to whom, on what schedule, using what template

Deliverable: A complete governance framework document, finalized and signed off by executive leadership.

Complete Vendor Accessibility Review

By Day 90, your agency should have reviewed the VPAT documentation for every significant third-party tool embedded in your digital services — payment processors, permit portals, scheduling systems, GIS tools, chat systems, form builders, and any other vendor integration a resident interacts with.

For each tool, document:

  • VPAT status — does a current VPAT exist, and does it demonstrate WCAG 2.1 AA conformance?
  • Known gaps — where does the VPAT identify partial or non-conformance?
  • Contractual accountability — does the vendor contract include accessibility requirements and remediation obligations?
  • Ongoing review cadence — when will this tool be tested again, and what triggers a re-review?

Vendors whose tools cannot demonstrate WCAG 2.1 AA conformance represent open compliance exposure. That exposure needs to be named, documented, and either remediated through vendor engagement or flagged for future procurement decisions.

Deliverable: Vendor accessibility review documentation for all embedded third-party tools.

Deliver the First Executive Compliance Report

By Day 90, leadership should receive a comprehensive report that covers:

  • Baseline audit findings summary — the scope of what was found and how issues were classified
  • Remediation progress — what was addressed in 90 days, measured against the prioritization model
  • Risk reduction summary — how the agency's compliance posture has changed from Day 1 to Day 90
  • Ongoing monitoring plan — the cadence, ownership, and reporting structure going forward
  • Outstanding items — what remains in the remediation queue, prioritized and with timelines
  • Resource and budget requirements — what sustaining the governance program requires going forward

This report serves two purposes. Internally, it demonstrates to leadership that accessibility is a managed operational function, not a technical mystery. Externally, it is the first entry in the executive reporting record that becomes part of the agency's defensibility documentation.

Deliverable: Day 90 executive compliance report distributed to agency leadership.

What Happens After Day 90

At the end of stabilization, every agency faces a decision. It is not complicated, but the consequences of getting it wrong are.

Option one: Declare success and move on. The immediate fires are out. Leadership has seen a briefing. Some things were fixed. The project is complete.

Within six months, new content has introduced new failures. A vendor update has broken the payment portal. The editor who was trained in accessibility left and her replacement was not. The monitoring scan that was supposed to run monthly hasn't been reviewed in two months. The program has quietly collapsed back toward baseline.

Option two: Transition to sustained governance. The 90-day roadmap is the bridge — the structure that moves an agency from no program to a functioning program. What comes after the bridge is the program itself. Monitoring on schedule. Remediation allocated and executed. Documentation maintained. Executive reporting delivered. Vendors reviewed on cadence.

Accessibility shifts from project to infrastructure. Cost becomes predictable. Exposure becomes manageable. Defensibility becomes real.

The 90-day roadmap is not the destination. It is how you get to the destination.

What a Defensible 90-Day Outcome Looks Like

At the close of 90 days, a well-executed stabilization program produces a specific, demonstrable set of outputs:

  • A documented baseline audit with WCAG criterion-level findings and severity classification
  • A risk-prioritized remediation roadmap with ownership and timelines
  • Critical transactional barriers addressed and validated with test documentation
  • Template-level fixes implemented and validated across affected pages
  • Core transactional workflows retested end-to-end with results documented
  • Document accessibility program established with inventory, risk classification, and going-forward standards
  • A complete remediation log covering all 90 days of activity
  • A recurring monitoring schedule implemented and first cycle completed
  • A governance framework document finalized and approved by leadership
  • Vendor accessibility review documentation for all embedded third-party tools
  • A Day 90 executive compliance report delivered to agency leadership

That is not perfection. That is structure. And structure is what defensibility is built from.

If Your Agency Needs a Structured Stabilization Plan

If your agency does not have a clear picture of its current accessibility posture — if the audit hasn't been done, the documentation doesn't exist, the monitoring isn't running — the first step is not building a 90-day plan from scratch. The first step is an honest assessment of where you actually are.

A governance-focused ADA risk assessment identifies:

  • Current compliance posture across primary web surfaces and transactional workflows
  • High-risk exposure areas requiring immediate remediation attention
  • Documentation gaps that create enforcement vulnerability
  • Governance maturity and structural weaknesses
  • Remediation capacity — what resources exist and what gaps need to be filled

From that baseline, your agency can build a 90-day plan calibrated to operational reality — not a generic template, but a program sequenced around your actual risk profile and your actual capacity.

Request an ADA Risk Assessment

Share this post