HECVAT FAQs for Higher Education

The HECVAT, designed by higher education leaders in collaboration with EDUCAUSE, Internet2, and REN-ISAC, is a questionnaire that allows you to easily evaluate third-party providers, address potential risks to your institution, and select the right technology solutions for your campus. Before you purchase a third-party solution, ask the solution provider to complete a HECVAT to confirm that information, data, and cybersecurity policies are in place to protect your sensitive institutional information and constituents' PII.

In HECVAT 4, we have continued to incorporate feedback from the community to improve the tool and give more stakeholders a seat at the table. In HECVAT 4, the Full, Lite, and On-Premise versions have all been rolled into one, and we have included questions on privacy and AI. Read, HECVAT 4: Better than Ever, for additional details.

The HECVAT is a common framework that has been widely adopted across higher education. It helps college and university leaders select the companies and technology solutions that best align with their campus policies and needs, and it speeds up the procurement process for companies and institutions. It also:

• Helps cybersecurity, IT, data, privacy, accessibility, procurement, and legal departments work together effectively and transparently.
• Allows institutions to meet various regulatory requirements while streamlining the vendor assessment process.
• Is flexible and integrates into existing vendor assessment workflows.
• Is specifically designed to address the needs of higher education to ensure data is appropriately secured.

We provide several kinds of support for the transition:

• Review the HECVAT 4 change log for details on what has been updated.
• Join your peers in the HECVAT Users Community Group to ask questions and follow conversations about the toolkit.
• Contact us at [email protected]. We're happy to help!

With HECVAT 4, all versions (previously known as the full, lite, and on-prem) have been rolled into one file. To do a “lite” evaluation of the tool, only review those questions marked with an asterisk in the “Institution Evaluation” and “Privacy Analyst Evaluation” (if applicable) tabs, adding notes, and using the compliance and importance overrides where necessary.

Once you have reviewed all questions with an asterisk, you can see a score for the Critical Importance/Lite questions and an aggregated list of those questions in the “High Risk Evaluation” tab.

The questions and scoring of the HECVAT are developed and maintained by dedicated volunteers from colleges, universities, and companies that serve higher education. Our volunteers act as the voice of the higher education community to ensure the questions and scores represent the needs of institutions. Some questions are weighted to impact the score more than others. Questions marked with an asterisk (*) are critical questions that are most important to institutions and carry the most weight in the score.

A HECVAT security review is best practice before adding any new system or service to your campus network. This is especially true for IoT devices, ICS, and SCADA systems. Vendors of these products and systems can be evaluated in the same way using the HECVAT. A careful review of IoT products and communication hubs is especially important because IoT devices are typically not designed to meet security standards. Often ICS and SCADA systems support critical services to which vendors may need physical access on campus, so a HECVAT security review, which includes personnel security questions, is essential.

Yes! The HECVAT is the result of countless volunteer hours, so the HECVAT name has been trademarked and a copyright has been attained to protect the work of the community. This does not change how institutions or solution providers use the tool, and we will work with Third Party Risk Management platforms who have integrated the HECVAT into their tool to ensure they have the proper license to continue using it at no cost.

We’d love to hear it! You can email any questions or feedback to [email protected]. You can also post questions in the HECVAT Users Community Group on EDUCAUSE Connect.