How We Score Compliance

We don't inflate scores. We don't hide methodology. Every number we give you traces back to a specific legal standard with a citation you can verify. If a regulation changes, we track it and proactively notify you before it affects your compliance status.

Our Scoring Framework

Every CC3PO compliance score is a weighted combination of five categories, each mapped to specific legal standards and industry benchmarks:

Category | Weight | Legal Standard | Why
Accessibility | 40% | WCAG 2.1 AA + DOJ Final Rule | Highest litigation risk, clearest legal standard
HIPAA * | 30% | 45 CFR Part 164 Subpart C | Federal law, OCR enforcement, $100K+ penalties
Security | 15% | OWASP + Mozilla Observatory | Prevents data breaches, supports HIPAA
Performance | 10% | Google Core Web Vitals | UX impact, SEO ranking
Mobile | 5% | Responsive design standards | Accessibility baseline

* HIPAA scoring only applies to websites and portals that handle electronic Protected Health Information (ePHI). A general business website is not subject to HIPAA.

1. Accessibility — WCAG 2.1 AA

What We Score

Accessibility of web pages for people with disabilities — visual, auditory, motor, and cognitive.

Legal Authority

  • ADA Title II (State & Local Governments): DOJ Final Rule (April 24, 2024) requires WCAG 2.1 AA. 89 FR 31298
  • 2026 IFR Extension: Compliance dates extended — entities with 50K+ population: April 26, 2027; under 50K: April 26, 2028. 91 FR 30143
  • ADA Title III (Private Businesses): No specific federal technical standard yet, but courts consistently use WCAG 2.1 AA as the benchmark
  • California Unruh Civil Rights Act (Cal. Civ. Code § 51): Statutory damages of $4,000+ per violation. Applies to websites associated with businesses that have physical locations. CA Civil Rights Dept. FAQ

How We Test

We use Google Lighthouse (open-source, maintained by the Chrome team), which runs automated audits against WCAG 2.1 AA success criteria through the axe-core accessibility engine.

What Lighthouse Checks

Lighthouse Check | WCAG Criterion | What It Tests
Image alt text | 1.1.1 | Non-text content has text alternatives
Link name | 2.4.4, 4.1.2 | Links have discernible text
Heading order | 1.3.1, 2.4.6 | Headings follow logical hierarchy
Color contrast | 1.4.3, 1.4.6 | 4.5:1 (normal) / 3:1 (large) ratio
Form labels | 1.3.1, 4.1.2 | Form elements have associated labels
ARIA attributes | 4.1.2 | ARIA roles and states are valid
Skip links | 2.4.1 | Bypass blocks available
Landmarks | 1.3.1, 2.4.1 | Main/navigation landmarks present
Document title | 2.4.2 | Pages have descriptive titles
Touch target size | 2.5.5 | Interactive elements meet minimum size

What Automated Testing Does NOT Cover

Lighthouse covers most of the WCAG success criteria that can be detected by automation. The following require manual testing:

  • Screen reader compatibility (JAWS, NVDA, VoiceOver)
  • Keyboard-only navigation completeness
  • Cognitive accessibility (plain language, consistent navigation)
  • Video/audio content accessibility
  • Content readability level
  • Focus management in dynamic content (modals, dialogs)

We offer manual testing as an add-on for clients who need comprehensive coverage.

Score Interpretation

Score | Status | Meaning
95–100 | ✅ Compliant | Passes all automated checks. Strong baseline accessibility.
90–94 | ⚠️ Minor Issues | Likely still defensible, but should be addressed.
80–89 | 🔶 Noticeable Gaps | Risk of ADA/Unruh claims increases. Fix within 30 days.
Below 80 | 🔴 High Risk | Significant accessibility issues. Immediate remediation needed.

2. HIPAA — Healthcare Data Protection

What We Score

Security and privacy controls for websites that handle electronic Protected Health Information (ePHI).

Legal Authority

  • HIPAA Security Rule — 45 CFR § 164.302–318 (administrative, physical, and technical safeguards)
  • HIPAA Privacy Rule — 45 CFR § 164.502–534 (use and disclosure of PHI)
  • HIPAA Breach Notification Rule — 45 CFR § 164.400–414
  • HHS NPRM (January 2025) — Proposed updates requiring encryption at rest, MFA, vulnerability scanning every 6 months, penetration testing annually, and a 72-hour recovery objective. 80 FR 904

What We Check

HIPAA Control | CFR Citation | What We Verify
Access controls | § 164.312(a)(1) | Unique user IDs, role-based access, emergency access
Authentication | § 164.312(d) | MFA for admin, strong passwords, session timeout
Encryption (transit) | § 164.312(e)(1) | TLS 1.2+ on all pages with ePHI
Encryption (at rest) | § 164.312(a)(2)(iv) | Database and storage encryption
Audit controls | § 164.312(b) | Login logs, access logs, change logs
Integrity controls | § 164.312(c)(1) | ePHI not improperly altered or destroyed
Business associate agreements | § 164.314(a) | BAAs with all vendors handling ePHI
Security management | § 164.308(a)(1) | Risk analysis, risk management plan

Important: HIPAA only applies to websites that handle ePHI. A general business website that doesn't collect patient data is not subject to HIPAA. Our HIPAA scoring only applies to healthcare clients whose websites or portals process protected health information.

3. Security Headers & HTTPS

Legal Authority

OWASP Secure Headers Project · owasp.org/www-project-secure-headers

Mozilla Observatory · observatory.mozilla.org

RFC 6797 (HSTS) · RFC 7034 (X-Frame-Options)

What We Check

  • Strict-Transport-Security — Forces HTTPS (RFC 6797)
  • Content-Security-Policy — Prevents XSS, clickjacking (OWASP)
  • X-Frame-Options — Prevents clickjacking (RFC 7034)
  • X-Content-Type-Options — Prevents MIME sniffing (OWASP)
  • Referrer-Policy — Controls referrer data (W3C)
  • Permissions-Policy — Limits browser features (W3C)
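As an added example (not CC3PO's own code or scoring formula), the Python below evaluates a captured set of HTTP response headers against the six headers listed above, treating a missing header as a failure. The one-year HSTS minimum and the set of acceptable Referrer-Policy values are assumptions, and both sample header sets are constructed rather than captured from any real site.

```python
import re

HSTS_MIN_AGE = 31536000  # one year: assumed threshold, RFC 6797 sets no minimum
# Referrer-Policy values that never send the full URL cross-origin.
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}

def _hsts_ok(value):
    m = re.search(r"max-age=(\d+)", value, re.I)
    return m is not None and int(m.group(1)) >= HSTS_MIN_AGE

def _csp_ok(value):
    # default-src/script-src allowing any origin ('*') or inline script
    # does not stop XSS, so such a policy fails the check.
    for directive in value.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() in ("default-src", "script-src"):
            sources = [p.lower() for p in parts[1:]]
            if "*" in sources or "'unsafe-inline'" in sources:
                return False
    return bool(value.strip())

CHECKS = {
    "strict-transport-security": _hsts_ok,
    "content-security-policy": _csp_ok,
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "referrer-policy": lambda v: v.strip().lower() in SAFE_REFERRER,
    "permissions-policy": lambda v: bool(v.strip()),
}

def evaluate_headers(headers):
    """Map the six headers to pass/fail; names are case-insensitive, missing fails."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return {name: name in lowered and check(lowered[name])
            for name, check in CHECKS.items()}

# Constructed sample response headers, not captured from any real site.
SAMPLE_GOOD = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
SAMPLE_WEAK = {  # short HSTS, wildcard CSP, leaky referrer: only nosniff passes
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff", "Referrer-Policy": "no-referrer-when-downgrade",
}
```

A host wildcard such as https://*.cdn.example in script-src is not treated as the bare `*` source and passes; only the fully open policy and inline script fail the CSP check.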

4. Performance & Core Web Vitals

Legal Authority

Google Core Web Vitals — web.dev/vitals

While not a legal requirement, Core Web Vitals directly impact user experience, SEO rankings, and accessibility for users on slow connections.

What We Check

Metric | Good | Needs Work | Poor
LCP (Largest Contentful Paint) | ≤2.5s | 2.5–4s | >4s
INP (Interaction to Next Paint) | ≤200ms | 200–500ms | >500ms
CLS (Cumulative Layout Shift) | ≤0.1 | 0.1–0.25 | >0.25

5. State-Level Risk Assessment

State | Risk Level | Key Law | Exposure
California | 🔴 Highest | Unruh Civil Rights Act (Cal. Civ. Code § 51) | $4,000+ per violation
New York | 🟠 High | NY Human Rights Law + ADA Title III | Major filing jurisdiction
Florida | 🟠 High | ADA Title III (federal) | 2nd most active state for web suits
Illinois | 🟡 Moderate | ADA Title III (federal) | No Unruh-equivalent statutory damages
Colorado | 🟡 Moderate | ADA Title III (federal) | Lower litigation volume

Regulatory Changelog

We track every regulatory change that affects your compliance status. When the rules change, we notify you before it affects your score.

2026

Date | Change | Impact
Apr 20, 2026 | DOJ extended ADA Title II compliance dates by 1 year | Large entities (>50K): April 26, 2027. Small: April 26, 2028
Jan 2025 | HHS published HIPAA Security Rule NPRM | Proposed: mandatory encryption at rest, MFA, vuln scanning every 6 months, 72-hour recovery

2024

Date | Change | Impact
Apr 24, 2024 | DOJ published ADA Title II Final Rule | WCAG 2.1 AA now required for state/local government websites and mobile apps

Upcoming (Watching)

Expected | Change | Impact
2026 | HIPAA Security Rule final rule expected | Mandatory encryption at rest, MFA, 72-hour recovery
Apr 26, 2027 | ADA Title II compliance deadline (large entities) | State/local governments >50K must be WCAG 2.1 AA compliant
Apr 26, 2028 | ADA Title II compliance deadline (small entities) | State/local governments <50K must be WCAG 2.1 AA compliant
TBD | ADA Title III web accessibility rule | No federal standard for private businesses yet; DOJ may issue rule

Our Commitment

We sell compliance services. If we're not transparent about how we score, we're doing the exact thing we help clients avoid — operating in a black box.

Every number we give you traces back to a law, a regulation, or an industry standard. You can verify every citation. And when the rules change, we track it and proactively notify you before it affects your compliance status.

This is what trust looks like in compliance.
