Vendor Risk Assessment Program | Frequently Asked Questions

Whether you're with a higher education institution or a company that serves the higher ed IT market, the Vendor Risk Assessment Program can help. Find answers below to some of our most common questions about the program and how to participate.

General Program-Related FAQs

The EDUCAUSE Vendor Risk Assessment Program is focused on addressing the consistency of vendor questionnaires and validation of a company's cybersecurity posture for the higher education community, while leveraging the HECVAT. It allows higher education institutions to more quickly and easily consume the data provided and build it into their vendor risk management programs—saving time reviewing and responding to vendor questionnaires and RFPs.

This program is beneficial for a broad spectrum of companies that serve higher education IT.

Completed vendor risk assessments will be accessible by EDUCAUSE institutional members only (and only if a participating company decides to publish its results). Any supporting documentation related to the risk assessment will be covered under the NDA between a participating company and GreyCastle Security. Completed HECVATs (if a company decides to publish its results) will be accessible by anyone.

The intent of the Vendor Risk Assessment Program is to standardize vendor questionnaires and responses and thereby take a step closer to risk reduction for the higher education community.

No, the HECVAT is a component of the program but is not the entire program.

GreyCastle Security will not complete the HECVAT on behalf of a company. GreyCastle Security will offer consulting support for vendors that request help, whether in the context of this program or other related security needs.

All alternate security- and vendor-related attestations and certifications can be used to validate a company's security posture.

No, SOC 2 can help portray an organization's overall information security management system, but it does not focus on the vendor risk component captured in the HECVAT on behalf of institutions. SOC 2 may also be used to feed the risk assessment.

We require visibility into vendor policy and program but do not collect FedRAMP data. To support CMMC and other future regulations, we are considering leveraging a government exchange.

Vendors can share their completed assessment outside the EDUCAUSE Vendor Risk Assessment Program Reports Hub; however, this may invalidate the validation status because there is no change control process when utilized independently.

Participating in the Program

The Vendor Risk Assessment Program will streamline the vendor review process for all higher education institutions, creating a standardized means of understanding a vendor's risk profile. For vendors, this will streamline the purchasing process and shorten sales cycles. The higher education community has been eager for this service for a long time, and we've worked to establish a cost-effective, standardized, and thorough process to support the companies that serve higher education and the broader higher education community.

Yes, this program leverages a company's HECVAT to produce an assessment. To ensure the company's risk assessment is current, the company's HECVAT cannot be more than six months old at the start of conducting the assessment. The results of the assessment will be good for one year (pending no incident or breach), and participating companies will need to reassess annually (or upon incident or breach).

If a participating company decides to publish its results, the completed assessment will be available for EDUCAUSE institutional members to access for one year. To maintain a completed assessment in the EDUCAUSE Vendor Risk Assessment Program Reports Hub, companies will need to have their risk reassessed annually. If a company decides not to be reassessed the following year, EDUCAUSE will unpublish the report.

Correct.

Yes.

Yes, participating companies will have the opportunity to provide feedback on assessments one time prior to publishing them on the EDUCAUSE Vendor Risk Assessment Program Reports Hub for institutional members to view. And they will also have the opportunity to choose whether or not to include the completed assessment on the hub.

EDUCAUSE corporate members and nonmembers can participate in this program each year for an annual fee. Costs to access completed HECVATs and risk assessments are covered in EDUCAUSE membership fees for all institutional members.

  • Any corporation can participate in this program and must sign the EDUCAUSE Terms and Conditions in order to have its completed HECVAT and risk assessment posted to the assessments hub.*
  • EDUCAUSE institutional members have access to completed assessments (if a company decides to publish its report) via their current membership with EDUCAUSE. (Login will be required.*) Those from organizations that are not members of EDUCAUSE, or from any organization that isn't a higher education institution, will not have access to published assessments.
* EDUCAUSE members enjoy special pricing on all of our programs and services, including the Vendor Risk Assessment Program. Not a member? Learn more about the benefits of membership.

Vendor risk assessments take approximately 30 days to complete. Adoption across the higher education community will be a long-term effort of EDUCAUSE in partnership with GreyCastle Security.

Interested companies can anticipate hearing from the GreyCastle Security team in less than five business days.