What are the different versions of HECVAT?

Rebecca Kappel Staff asked 9 months ago

1 Answer
Rebecca Kappel Staff answered 8 months ago
The Higher Education Community Vendor Assessment Toolkit (HECVAT) is a risk assessment template created in 2016 specifically for higher education institutions to assess vendor risk. HECVAT assessments were made by the Higher Education Information Security Council (HEISC) Shared Assessments Working Group in collaboration with Internet2 and REN-ISAC. 

Its purpose is to provide a baseline assessment for evaluating vendor-provided services and resources in higher education. The framework is relevant to anyone who works in higher education or for a solution provider that serves colleges and universities.

Over the years, universities have become more agile and efficient as they migrate their solutions to the cloud and employ third-party services for everything from maintenance work and administration to student recruitment and alumni engagement. Data protection and security are becoming top priorities for school IT teams and their leaders as technology evolves. This means that HECVAT compliance, as well as HECVAT certification, will quickly become a necessity for many institutions.

The latest version for vendors (Full, Lite and/or On-Premise) is v.2.11 – 2019 and the latest version for institutions (Triage) is v.2.1 – 2019.

What Are the Versions of HECVAT?

HECVAT is a suite of tools that allows colleges and universities to select the correct assessment for their needs. It is completely free of charge. There are four HECVAT tools: Full, Lite, On-Premise, and Triage. 

The Full, Lite, and On-Prem worksheets are for vendors to complete. Vendors that want to provide an Institution with software and/or a service must complete these worksheets. An Institution entity should not complete the three worksheets. The purpose of these worksheets is for the vendor to submit robust security safeguard information regarding the product (software/service) being assessed in the Institution’s assessment process.

  • HECVAT – Full: Robust questionnaire for the most critical data-sharing engagements (over 250 questions)
  • HECVAT – Lite: A lightweight version of the full assessment used for an expedited or less-critical process 
  • HECVAT – On-Premise: A unique questionnaire for evaluating on-premise appliances and software 

The Triage tool is an option for institutions to complete if they are interested. 

  • HECVAT – Triage: This worksheet is for Institution requestors interested in sharing institutional data with third-party software and/or a service. It should not be completed by a vendor. The purpose of this form is to document and summarize data sharing intents, data sharing scope, data elements, and technology requirements. Populating a HECVAT Triage is a prerequisite to initiate a risk/security assessment. It helps to determine assessment requirements.
