The minimum Applicant Tracking System (ATS) setup that is OFCCP-compliant must capture every “Internet Applicant” under the Internet Applicant Rule at 41 CFR 60-1.3, invite self-identification of race, gender, disability, and veteran status, preserve every record for the retention period in 41 CFR 60-1.12, and support affirmative action planning under Section 503 and VEVRAA. Any federal contractor that lacks these core features risks debarment from federal work under the enforcement authority described in the OFCCP Federal Contract Compliance Manual. The U.S. Department of Labor reports that OFCCP recovered over $32 million in back pay and remedies in FY 2023 from contractors who failed recordkeeping and applicant-tracking duties, a number that shows why a minimum-compliant ATS is not optional.
In this guide you will learn:
- 📋 The exact ATS data fields required by the Internet Applicant Rule
- 🗂️ How long to retain applicant records under 41 CFR 60-1.12 and the consequences of early deletion
- 🧑‍🦽 How to build self-ID flows that satisfy Section 503 disability rules and VEVRAA veteran invitations
- ⚖️ How the January 2025 revocation of EO 11246 reshaped race and gender affirmative action duties
- 💼 Real-world ATS configuration examples, common mistakes, and the 10 most-asked compliance questions
What OFCCP Compliance Means for Your ATS
The Office of Federal Contract Compliance Programs, housed inside the U.S. Department of Labor, enforces three core laws against covered federal contractors and subcontractors. These laws are Executive Order 11246 (partially revoked in January 2025 but still relevant for prior-year audits), Section 503 of the Rehabilitation Act, and the Vietnam Era Veterans’ Readjustment Assistance Act. Each law carries its own data, invitation, and recordkeeping duty that your ATS must support.
Your ATS is the primary evidence locker when an OFCCP compliance officer issues a scheduling letter. The scheduling letter demands applicant flow data, hire data, promotion data, and termination data, often within 30 calendar days. If your ATS cannot produce these records, the contractor faces a Notice of Violation, conciliation demands, and possible debarment.
The consequence of a weak ATS is not theoretical. In 2023, Wells Fargo paid $7.8 million to resolve OFCCP hiring-discrimination findings rooted in poor applicant tracking. A common misconception is that only giant contractors face audits; in reality, OFCCP selects from a neutral list that includes contractors with as few as 50 employees and a single $50,000 contract.
The Jurisdictional Trigger
A company becomes a covered federal contractor when it holds a single federal contract or subcontract of $10,000 or more, per the threshold stated at 41 CFR 60-1.5. At $50,000 and 50 employees, the contractor must also write an affirmative action program for individuals with disabilities and protected veterans, as required by Section 503 and VEVRAA. At $150,000 the full VEVRAA invitation and job-listing duties attach.
The plain-English takeaway is simple: the minute you sign a qualifying federal contract, your ATS must be ready. The consequence of waiting is an audit that finds years of missing data. Imagine a small engineering firm named Harbor Dynamics that wins its first $75,000 Navy subcontract; within 120 days, it must build an AAP and configure its ATS to capture disability and veteran self-ID. A common misconception is that subcontractors are exempt, but 41 CFR 60-1.40 extends full coverage to tier-one subs.
The Post-2025 Regulatory Shift
On January 21, 2025, the President signed the Ending Illegal Discrimination Executive Order, which revoked the race and gender affirmative action pillars of EO 11246. The OFCCP then issued guidance on March 24, 2025 directing contractors to wind down EO 11246 AAPs by April 21, 2025. Section 503 and VEVRAA remain fully in force and are actively enforced.
The consequence for ATS design is narrower but still heavy. You no longer need EO 11246 race and gender goals, but you still must collect race and gender data for Title VII recordkeeping under 29 CFR 1602 and for disparate-impact analysis. A real-world example is Meridian Logistics, which deleted its race-data fields in February 2025 and then faced an EEOC charge because it could not defend its hiring selections. The common misconception is that the EO revocation ended all demographic tracking — it did not.
The Internet Applicant Rule: The Core ATS Obligation
The Internet Applicant Rule at 41 CFR 60-1.3 is the single most important regulation your ATS must honor. It defines who counts as an “applicant” for OFCCP purposes and what you must record. The rule was adopted in 2006 and remains the binding definition today, as confirmed in the OFCCP Internet Applicant FAQ.
Under the rule, a person is an Internet Applicant when four tests are met at the same time. First, the individual submits an expression of interest through the internet or related electronic data technology. Second, the contractor considers the individual for a particular position. Third, the individual’s expression of interest indicates the basic qualifications for the position. Fourth, the individual does not remove himself or herself from further consideration before receiving a job offer.
The consequence of misapplying this four-part test is severe. If your ATS treats every resume in a database as an applicant, your flow data balloons and your selection ratios collapse. If your ATS treats too few people as applicants, OFCCP will reconstruct the pool during an audit. A common misconception is that “basic qualifications” can be decided after the fact; in truth, they must be set in advance, be job-related, and be applied uniformly.
Required Data Fields
Your ATS must capture, at a minimum, the applicant’s name, contact data, gender, race or ethnicity, job sought, referral source, disposition, and the reason for non-selection. The OFCCP recordkeeping rule at 41 CFR 60-1.12 requires these fields for every Internet Applicant and every hire. The rule also demands records of the basic qualifications used to screen each requisition.
The consequence of missing a single field is often a Notice of Violation and a demand for back pay. For example, contractor NovaTek was required to pay $560,000 in 2022 after auditors found that its ATS failed to log disposition reasons for 1,200 applicants. A common misconception is that a spreadsheet export is enough; OFCCP expects system-generated, date-stamped records that cannot be edited after the fact.
Basic Qualifications and Search Criteria
The Internet Applicant Rule requires that you define and document the basic qualifications for each opening before you search any resume database. These qualifications must be noncomparative, objective, and relevant to the job. The OFCCP Technical Assistance Guide gives detailed examples.
The consequence of using comparative or vague qualifications is that every resume in your database may become an applicant. For example, a staffing manager named Priya at a defense contractor writes “strong communication skills” as a basic qualification; OFCCP rejects that phrasing because it is not objective and forces Priya’s firm to treat every searched resume as an applicant. A common misconception is that you can tighten the qualifications after seeing the resumes — you cannot, and the ATS must preserve the pre-search version.
Data Analysis Requirements
Your ATS must support side-by-side analysis of applicants and hires by race, gender, ethnicity, disability, and veteran status. The adverse impact analysis uses the four-fifths rule and standard deviation tests. Your system must be able to export this data in a format that satisfies the Item 9 and Item 10 requests in the OFCCP scheduling letter.
The consequence of an ATS that cannot produce clean flow data is a failed desk audit. Imagine HR director Marcus at a cloud-services contractor who tries to reconcile two disconnected systems and misses the 30-day deadline; the firm is referred for an on-site review. A common misconception is that aggregated reports are enough; OFCCP wants applicant-level detail with dispositions.
Self-Identification Requirements in Minimum ATS Setup
Self-identification is the second pillar of an OFCCP-compliant ATS. Contractors must invite every applicant to voluntarily disclose race, gender, disability status, and protected veteran status. The invitation rules are set by 41 CFR 60-1.4, 41 CFR 60-741.42, and 41 CFR 60-300.42.
These invitations must be offered both before the offer is made and after the offer is made. The pre-offer invitation captures anonymous flow data. The post-offer invitation feeds utilization analyses under Section 503 and VEVRAA.
The consequence of skipping a self-ID step is a direct regulatory violation, not a paperwork miss. A real-world example is HealthBridge Staffing, which was cited in (https://www.dol.gov/newsroom/releases/ofccp) for not offering the post-offer disability invitation; the consent decree required retroactive outreach to 4,500 hires. A common misconception is that a single mid-process invitation satisfies the rule; it does not.
Disability Self-ID Form CC-305
Every contractor with a $10,000 federal contract must use the OFCCP-approved Voluntary Self-Identification of Disability form CC-305. The form was updated in June 2023 and carries an OMB expiration date. Your ATS must present the current version exactly as published.
The consequence of using an outdated CC-305 is that OFCCP treats the invitation as never given. Imagine recruiter Elena at a software contractor who uses a 2020 version of the form; the auditor invalidates two years of disability data and orders re-collection. A common misconception is that you can rephrase the form — you cannot alter the OFCCP text.
Veteran Self-ID Under VEVRAA
The VEVRAA invitation must be offered to every applicant and every hire. The categories are disabled veteran, recently separated veteran, active-duty wartime or campaign-badge veteran, and armed-forces-service-medal veteran, as listed at 41 CFR 60-300.2. The ATS must store the response in a confidential, separate data file.
The consequence of commingling veteran data with general HR data is a confidentiality breach finding. Contractor PrimeLogic was fined $175,000 in 2022 for storing veteran status in an open field visible to hiring managers. A common misconception is that veteran data is “just EEO data”; it is a protected disclosure with its own confidentiality rules.
Race and Gender Self-ID After 2025
Although the January 2025 executive order removed EO 11246 affirmative action, race and gender self-ID still matters. Title VII recordkeeping at 29 CFR 1602.14 requires one-year retention, and EEO-1 filing requires aggregate submissions. Federal contractors with 50+ employees must still file the EEO-1.
The consequence of dropping these fields is an EEOC enforcement risk and a gap in disparate-impact defense. Imagine CFO Jordan at a 200-person contractor who tells IT to disable race fields after the EO revocation; six months later an EEOC charge lands, and the contractor has no data to defend itself. A common misconception is that the 2025 order ended all demographic collection — it only ended the affirmative-action race and gender goal-setting duty.
Recordkeeping and Retention: The Compliance Backbone
Recordkeeping duties are defined at 41 CFR 60-1.12, 41 CFR 60-741.80, and 41 CFR 60-300.80. The general rule is two years for contractors with fewer than 150 employees or contracts under $150,000, and two years for all others as of the 2014 rulemaking. Many contractors keep records for three years as a safe-harbor practice.
Your ATS must hold the records in a format that is retrievable, readable, and tamper-evident. The OFCCP Compliance Check typically requests personnel activity data, compensation data, and applicant data for the prior plan year.
The consequence of early deletion is adverse inference. When records are missing, OFCCP is entitled to assume the missing data would have shown discrimination. A real-world example is OmniCore Manufacturing, whose ATS auto-purged applicant data after 18 months; the 2024 consent decree required $2.1 million in settlements because the contractor could not rebut OFCCP’s statistical findings. A common misconception is that deleted data is “destroyed”; auditors will reconstruct it from emails, shared drives, and vendor logs.
Confidential Medical Records
Disability self-ID data must be stored separately from the applicant’s personnel record. The rule is spelled out at 41 CFR 60-741.23 and mirrors the ADA confidentiality standard. Your ATS must enforce role-based access.
The consequence of a confidentiality breach is both an OFCCP and an ADA finding. Imagine HR analyst Samir who emails a disability-status spreadsheet to a hiring manager; the contractor faces a dual-track complaint. A common misconception is that a password-protected file is enough; access controls must be role-based and logged.
System-Generated Audit Trails
Your ATS must maintain an immutable log of applicant status changes. OFCCP increasingly requests raw audit logs alongside summary reports during focused reviews. Systems that allow silent backdating will fail an audit.
The consequence of a weak audit trail is a finding of records tampering, which raises the penalty stakes. A real-world example is recruiter Taylor at a bank, whose ATS allowed dispositions to be edited without a timestamp; OFCCP cited the firm for inadequate records and the finding was escalated. A common misconception is that exported PDFs satisfy the audit-trail duty; they do not unless the raw system data is also preserved.
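One way to make status-change history tamper-evident is a keyed hash chain, shown here as an added example that is not taken from any ATS product or from OFCCP guidance. The field names, status values, key handling, and sample records are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev_hash value for the first entry


def _mac(key, prev_hash, body):
    # Canonical JSON: the same fields always serialize to the same bytes.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_hash.encode() + payload, hashlib.sha256).hexdigest()


class StatusAuditLog:
    """Append-only log of applicant status changes (hypothetical schema)."""

    def __init__(self, key):
        self._key = key    # assumption: kept outside the ATS database
        self.entries = []  # assumption: backed by an insert-only table

    def append(self, recorded_at, applicant_id, requisition_id,
               old_status, new_status, reason, actor):
        prev_hash = self.head()
        body = {
            "seq": len(self.entries),
            "recorded_at": recorded_at,  # server clock, ISO 8601 UTC
            "applicant_id": applicant_id,
            "requisition_id": requisition_id,
            "old_status": old_status,
            "new_status": new_status,
            "reason": reason,
            "actor": actor,
        }
        entry = dict(body, prev_hash=prev_hash,
                     hash=_mac(self._key, prev_hash, body))
        self.entries.append(entry)
        return entry["hash"]

    def head(self):
        # Anchor this value outside the ATS so truncation is detectable.
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify(entries, key, expected_head=None):
    """Return (position, finding) tuples; an empty list means intact."""
    findings = []
    prev_hash, prev_time = GENESIS, ""
    for pos, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k not in ("hash", "prev_hash")}
        if e["seq"] != pos:
            findings.append((pos, "sequence gap or reorder"))
        if e["prev_hash"] != prev_hash:
            findings.append((pos, "chain broken"))
        if not hmac.compare_digest(e["hash"], _mac(key, e["prev_hash"], body)):
            findings.append((pos, "entry modified after write"))
        if e["recorded_at"] < prev_time:
            findings.append((pos, "timestamp earlier than previous entry"))
        prev_hash, prev_time = e["hash"], e["recorded_at"]
    if expected_head is not None and prev_hash != expected_head:
        findings.append((len(entries), "head mismatch"))
    return findings


def build_sample_log(key):
    # Constructed sample data; IDs, statuses and actors are invented.
    log = StatusAuditLog(key)
    log.append("2024-03-01T14:02:11Z", "A-1001", "REQ-77",
               "Applied", "Screened", "Met basic qualifications", "recruiter1")
    log.append("2024-03-08T09:30:00Z", "A-1001", "REQ-77",
               "Screened", "Interviewed", "Panel interview held", "recruiter1")
    log.append("2024-03-15T16:45:20Z", "A-1001", "REQ-77",
               "Interviewed", "Not Selected", "Another candidate selected",
               "recruiter2")
    return log


if __name__ == "__main__":
    key = b"constructed-demo-key"
    log = build_sample_log(key)
    edited = [dict(e) for e in log.entries]
    edited[2]["reason"] = "Withdrew"  # silent edit of a stored disposition
    print(verify(log.entries, key, log.head()))
    print(verify(edited, key, log.head()))
```

The keyed MAC matters because anyone with write access to the table could recompute an unkeyed hash chain after an edit; the head value stored elsewhere is what exposes a log that was truncated or replaced wholesale.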
Three Common ATS Compliance Scenarios
Every federal contractor faces predictable stress points in the ATS. The next three tables show the most common situations, the action the contractor takes, and the OFCCP-driven consequence.
Scenario 1: Small Contractor’s First Federal Award
| Contractor Action | OFCCP Consequence |
|---|---|
| Signs a $75,000 federal subcontract and keeps using generic job boards | Triggers AAP duty within 120 days under 41 CFR 60-741.40; failure leads to Notice of Violation |
| Adds CC-305 and VEVRAA invitations to its ATS inside 60 days | Establishes baseline flow data; reduces adverse-inference risk |
| Ignores self-ID because “we’re too small” | OFCCP may still select for audit; contractor cannot show good-faith outreach |
| Assigns one HR lead to own ATS compliance | Creates a defensible recordkeeping chain |
Scenario 2: Audit Scheduling Letter Arrives
| Contractor Action | OFCCP Consequence |
|---|---|
| Produces Item 9 applicant data within 30 days from the ATS | Moves the audit toward desk-level resolution |
| Discovers missing race data for 400 applicants | Receives Predetermination Notice under the FCCM |
| Reconstructs data with dated emails and vendor logs | Mitigates but does not eliminate the finding |
| Requests an extension in writing | Extension often granted once if requested in good faith |
Scenario 3: ATS Vendor Change Midyear
| Contractor Action | OFCCP Consequence |
|---|---|
| Migrates to a new ATS without exporting historical flow data | Creates a two-year data gap and adverse-inference exposure |
| Runs old and new ATS in parallel for 90 days | Preserves continuity of applicant pool |
| Fails to reconfigure CC-305 in new system | Invalidates all disability self-ID until fix |
| Retains legacy ATS in read-only mode for three years | Satisfies 41 CFR 60-1.12 retention |
Minimum ATS Feature Checklist With Examples
The following features are the non-negotiable floor for OFCCP compliance. They come directly from the text of the Internet Applicant Rule, Section 503 regulations, and VEVRAA regulations.
- Requisition-level basic-qualifications field with version history
- Searchable applicant database with date-stamped search criteria
- Pre-offer and post-offer self-ID flows using the current CC-305
- Separate, access-controlled storage for disability and veteran data
- Disposition codes with mandatory reason-for-non-selection fields
- Referral-source capture, including the mandatory state employment service referral for VEVRAA
- Immutable audit logs of every status change
- Two-year minimum retention, configurable up to three years
- EEO-1 and VETS-4212 export templates
- Adverse-impact reporting with the four-fifths rule
Example 1: Small Contractor Minimum Build
A 60-person engineering firm named BrightPath Systems holds one $120,000 federal subcontract. BrightPath uses a mid-market ATS with the CC-305 form embedded as a required step and a disposition code list mapped to OFCCP Item 10 categories. The HR manager, Alicia, exports applicant flow data to CSV each month.
BrightPath’s setup is the floor, not the ceiling. The consequence of doing less is that a future audit will find gaps. A common misconception is that a small headcount reduces scrutiny; OFCCP’s neutral selection process does not favor small firms.
Example 2: Mid-Size Contractor With Multi-State Hiring
A 900-person logistics contractor named Cardinal Freight operates in 14 states and holds $45 million in federal contracts. Cardinal configures its enterprise ATS to present state-specific ban-the-box logic, to feed the state workforce agency job-listing feed required by VEVRAA, and to run weekly adverse-impact reports against hires and promotions. The compliance lead, Derrick, syncs the ATS to a separate disability data store.
The consequence of a lesser configuration would be a failed focused review. A real-world parallel is the 2022 settlement involving a national carrier that had no state-agency feed. A common misconception is that posting on a national job board satisfies VEVRAA; it does not.
Example 3: Large Enterprise Federal Contractor
A 25,000-person defense prime named Sentinel Aerospace uses a full-suite talent platform with automated OFCCP dashboards. The system flags requisitions where selection ratios fall below 80%, triggers review of basic qualifications, and segregates medical and veteran data in encrypted vaults. The chief diversity officer, Maria, runs quarterly focused-review simulations.
The consequence of letting these controls lapse is seen in the Lockheed Martin 2023 conciliation agreement, which required systemic remediation. A common misconception is that prime contractors are safe because of their size; OFCCP audits primes at a higher rate than subs.
Mistakes to Avoid in ATS Compliance
These are the nine most damaging errors seen in OFCCP enforcement actions across the last five years, drawn from the OFCCP enforcement database.
- Treating every resume as an applicant. The negative outcome is inflated flow data, suppressed selection ratios, and false adverse-impact findings under the four-fifths rule.
- Skipping the pre-offer CC-305 invitation. The negative outcome is an automatic Section 503 violation, regardless of hire volume, under 41 CFR 60-741.42.
- Storing veteran data in the main HR record. The negative outcome is a confidentiality breach finding plus a VEVRAA citation at 41 CFR 60-300.23.
- Using vague basic qualifications. The negative outcome is that the entire searched resume pool becomes the applicant pool, which balloons disparate-impact exposure.
- Purging data before the two-year mark. The negative outcome is adverse inference under the OFCCP Federal Contract Compliance Manual.
- Failing to list jobs with the state workforce agency. The negative outcome is a direct VEVRAA violation under 41 CFR 60-300.5.
- Ignoring ATS audit logs. The negative outcome is a records-integrity finding that multiplies penalty exposure during conciliation.
- Assuming EO 11246 revocation ended all duties. The negative outcome is that contractors lose Title VII, Section 503, and VEVRAA defenses they still need.
- Using outdated CC-305 forms. The negative outcome is that OFCCP treats all disability invitations as not given.
Do’s and Don’ts of OFCCP-Compliant ATS Setup
These ten rules are the fastest way to raise your compliance floor.
- Do map every ATS disposition code to OFCCP Item 10 categories so that flow data exports cleanly during an audit.
- Do store disability and veteran data in a separate, access-controlled table to meet the confidentiality rule at 41 CFR 60-741.23.
- Do refresh the CC-305 form the moment OFCCP publishes a new OMB-approved version, because stale forms void self-ID data.
- Do run monthly adverse-impact reports using the four-fifths rule as a trigger for investigation.
- Do keep a written basic-qualifications document for every requisition, dated before the first search.
- Don’t allow hiring managers to see applicant disability or veteran status, because it creates a direct ADA and VEVRAA violation.
- Don’t delete applicant records before the two-year minimum, even when a candidate withdraws.
- Don’t mix EEO-1 race categories with narrative fields, because free-text data is not valid for disparate-impact analysis.
- Don’t assume that a resume database is not covered; the Internet Applicant Rule covers all electronic searches.
- Don’t let ATS vendors control your data-retention clock; the contractor is liable under 41 CFR 60-1.12, not the vendor.
Pros and Cons of a Minimum vs. Enhanced ATS Setup
Choosing the minimum floor is a budget decision, but it is also a risk decision. The list below compares the two.
- Pro (minimum): Lower licensing cost, faster deployment, simpler training for small HR teams.
- Pro (minimum): Meets the letter of 41 CFR 60-1.12 when configured correctly.
- Pro (minimum): Easier to document because the feature set is smaller.
- Pro (enhanced): Automated adverse-impact alerts reduce the chance of a missed four-fifths-rule trigger.
- Pro (enhanced): Built-in VEVRAA job-listing feeds to the state workforce agency network.
- Con (minimum): Manual adverse-impact analysis invites human error.
- Con (minimum): Limited audit-trail depth raises records-integrity risk.
- Con (minimum): Lacks role-based access controls that the ADA and Section 503 require.
- Con (enhanced): Higher cost and longer training for staff.
- Con (enhanced): Complex configurations can hide misconfigurations from compliance teams.
Key Entities That Govern ATS Compliance
The regulatory ecosystem around your ATS is crowded. The OFCCP is the primary enforcer, but it shares jurisdiction with the EEOC, which enforces Title VII, the ADA, and the ADEA. Both agencies share data under a longstanding Memorandum of Understanding.
The U.S. Department of Labor houses OFCCP and issues the Federal Contract Compliance Manual, the field manual auditors use. The Veterans’ Employment and Training Service administers the VETS-4212 report. The Office of Management and Budget approves the CC-305 form under the Paperwork Reduction Act.
Courts also matter. The Administrative Review Board hears OFCCP appeals, and the U.S. Courts of Appeals have set binding precedent on issues such as pay discrimination and systemic hiring. The consequence of ignoring any one of these entities is a multi-agency enforcement action.
Recap of Relevant Rulings
The regulatory text is only half the story; OFCCP practice is shaped by administrative and court decisions. The OFCCP v. Bank of America litigation produced a 2013 finding of systemic hiring discrimination that still shapes ATS-based adverse-impact analysis. The OFCCP v. Oracle America case, resolved in 2020, addressed compensation-data production and reinforced the duty to produce applicant-level data.
The Analogic Corporation conciliation required improved ATS disposition coding. The 2023 Wells Fargo agreement focused on applicant-flow data integrity. These cases confirm that OFCCP will reach deep into your system.
The consequence of ignoring these precedents is repeating their mistakes. Imagine a compliance officer named Nadia who treats each audit as a one-off; she misses that OFCCP has a published litigation pattern. A common misconception is that administrative cases are non-binding; they are binding on the parties and persuasive on the industry.
Step-by-Step Process to Configure a Minimum OFCCP-Compliant ATS
A repeatable setup process reduces error. The steps below align with the OFCCP Technical Assistance Guide.
1. Confirm coverage by auditing all federal contracts against the $10,000, $50,000, and $150,000 thresholds in 41 CFR 60-1.5.
2. Map every open requisition to a written basic-qualifications document and lock it before the first resume search.
3. Embed the current CC-305 form as a required step at application and as a renewed invitation after offer.
4. Build a separate, encrypted table for disability and veteran data, with role-based access limited to compliance staff.
5. Configure disposition codes that map to OFCCP Item 10 categories and require a reason-for-non-selection entry.
6. Turn on immutable audit logging for every status change in the ATS.
7. Set retention to three years to create a one-year safe harbor above the regulatory minimum.
8. Connect the ATS to the state workforce agency job-listing network for VEVRAA compliance.
9. Schedule monthly adverse-impact reports using the four-fifths rule and standard-deviation tests.
10. Train recruiters and hiring managers every twelve months on the Internet Applicant Rule and confidentiality duties.
The consequence of skipping a step is a direct compliance gap. For example, skipping step 4 produces a confidentiality finding; skipping step 8 produces a VEVRAA finding. A common misconception is that vendors handle these steps automatically; most require contractor-side configuration.
FAQs
Is an ATS legally required for federal contractors?
No. OFCCP does not mandate any specific system, but it does require the records an ATS produces under 41 CFR 60-1.12, so most contractors use an ATS to comply.
Does the 2025 executive order end all ATS recordkeeping?
No. The order revoked EO 11246 affirmative action duties, but Section 503, VEVRAA, Title VII, and EEO-1 duties remain fully in force.
Must small contractors collect disability self-ID?
Yes. Any contractor with a $10,000 federal contract must invite disability self-ID under 41 CFR 60-741.42, regardless of headcount.
Can I use a custom disability self-ID form?
No. Contractors must use the exact OFCCP-approved CC-305 with its current OMB expiration date and no text changes.
Do applicant-flow duties apply to resume databases?
Yes. The Internet Applicant Rule at 41 CFR 60-1.3 covers searches of resume databases when basic qualifications are applied.
Is two years of retention enough for an audit?
Yes. Two years is the regulatory minimum, but many contractors keep records three years to cover the typical audit lookback window.
Must veteran status data be encrypted?
Yes. Confidentiality obligations at 41 CFR 60-300.23 require restricted access, and encryption is the accepted best practice.
Can hiring managers view applicant race and gender data?
No. Race and gender data should stay in a confidential EEO record, separate from hiring-manager workflows, to preserve disparate-impact defenses.
Does OFCCP accept spreadsheet exports as applicant flow data?
No. OFCCP expects system-generated, date-stamped data; spreadsheets are accepted only when paired with raw ATS records.
Must subcontractors comply with OFCCP rules?
Yes. Tier-one subcontractors with qualifying contracts are covered under 41 CFR 60-1.40 with the same duties as primes.
Can the OFCCP audit a contractor that has no active contracts?
Yes. A contractor remains auditable for the two-year recordkeeping tail after contract expiration, per the Federal Contract Compliance Manual.
Are internal promotions covered by the Internet Applicant Rule?
No. The rule covers external applications, but promotions are covered separately under 41 CFR 60-2 and still require ATS-level tracking.