HECVAT FAQs for Corporations

Overview
How to Use the HECVAT
FAQs for Higher Ed
FAQs for Corporations
Volunteer Information

The Higher Education Community Vendor Assessment Toolkit (HECVAT) is the higher education sector's preferred evaluation framework for selecting technology tools and services for campuses. It is designed by the community for the community. It is an efficient way for the companies that serve higher education to showcase their data protection practices and answer higher education's most important questions when determining which companies and solutions they plan to partner with.

Here, you will find resources for better understanding what the HECVAT is, why and how you should use it, and more.

If you have questions about the HECVAT or need help navigating it, contact us at [email protected]. If your company is an EDUCAUSE member, you may also join the HECVAT Users Community Group on EDUCAUSE Connect to ask questions and stay up-to-date on the toolkit.

The HECVAT, designed by higher education leaders in collaboration with EDUCAUSE, Internet2, and REN-ISAC, is a questionnaire that allows college and university professionals to easily evaluate third-party providers, address potential risks to their institution, and select the right solutions for their campus.

It is the higher education sector's preferred evaluation framework for selecting technology tools and services for campuses, and it functions as an efficient way for your company to showcase your data protection practices and answer higher education's most important questions when determining which companies and solutions they plan to partner with.

In HECVAT 4, we have continued to incorporate feedback from the community to improve the tool and give more stakeholders a seat at the table. In HECVAT 4, the Full, Lite, and On-Premise versions have all been rolled into one, and we have included questions on privacy and AI. Read, HECVAT 4: Better than Ever, for additional details.

The HECVAT is a common framework that has been widely adopted across higher education. It helps college and university leaders select the companies and technology solutions that best align with their campus policies and needs, and it speeds up the procurement process for companies and institutions. It also:

  • Helps cybersecurity, IT, data, privacy, accessibility, procurement, and legal departments work together effectively and transparently.
  • Allows institutions to meet various regulatory requirements while streamlining the vendor assessment process.
  • Is flexible and integrates into existing vendor assessment workflows.
  • Is specifically designed to address the needs of higher education to ensure data is appropriately secured.

The HECVAT questions should be answered by whoever has the most complete knowledge of the product at your organization. This may mean the questionnaire passes between several people to accurately answer the cybersecurity, infrastructure, privacy, and IT accessibility questions. Once the HECVAT is complete, it should be made available to whoever works with colleges and universities in the proposal process.

We provide several kinds of support for the transition:

With HECVAT 4, all versions (previously known as the full, lite, and on-prem) have been rolled into one file. Solution providers should complete all questions in HECVAT 4 that apply to their product or service (as indicated by the Required Questions section on the “Start Here” tab). The institution can do a lite evaluation of your solution based on the needs of their HECVAT evaluation.

The questions and scoring of the HECVAT are developed and maintained by dedicated volunteers from colleges, universities, and companies that serve higher education. Our volunteers act as the voice of the higher education community to ensure the questions and scores represent the needs of institutions. Some questions are weighted to impact the score more than others. Questions marked with an asterisk (*) are critical questions that are most important to institutions and carry the most weight in the score.

Not to worry! Your score isn’t complete until the institution has evaluated your answers against their own policies and appetite for risk.

The HECVAT is constantly evolving to meet the needs of higher education. Based on feedback from those who use the HECVAT, privacy and IT accessibility have been added as key dimensions in the procurement process. Solution providers should complete all questions that apply to your product.

Solution providers should update their HECVAT at least once per year. An institution may ask for an updated version if you submit one that is not current.

Most colleges and universities will accept a recent SOC2 Type 2 report as a thorough and authoritative review by an objective third-party auditor. Many institutions will consider alternate documentation, such as the CAIQ. Sales literature may be offered in addition to the HECVAT, CAIQ, or SOC, but it is not a substitute for those security-focused reviews.

If you are filling out the HECVAT to share with institutions, you can use the HECVAT at no cost. If you have a Third Party Risk Management platform and would like to incorporate the HECVAT into your tool, you can do so with a no-cost license. Email us at [email protected] to learn more.

We’d love to hear it! You can email any questions or feedback to [email protected]. If your company is an EDUCAUSE member, you can also post questions in the HECVAT Users Community Group on EDUCAUSE Connect.