SME Vendors

Need help with the HECVAT?

HECVAT Assistance: Expert Support from HECVAT Pro This article provides

HECVAT Assistance: Expert Support from HECVAT Pro

This article provides some perspectives along with frequently asked questions to assist with your application.

What is the HECVAT?

The Higher Education Information Security Council (HEISC) Shared Assessments Working Group created the HECVAT to streamline vendor risk assessments.

EDUCAUSE, an education-technology non-profit, maintains the HECVAT.

Why does it matter?

HECVAT improves the engagement process between solution providers and education institutions.

Institutions (the colleges or universities)

The HECVAT helps higher education institutions make more efficient risk decisions when procuring third-party products and services. Before HECVAT, institutions created and managed their own questionnaires. Maintaining risk questionnaires is very time-consuming. By standardizing the questionnaire, institutions have improved the quality and performance of vendor risk assessments.

Solution Providers (software vendors and cloud service providers)

Before HECVAT, vendors completed a unique questionnaire for each institution they sold to, resulting in a high cost of sales. Since HECVAT, completed questionnaires can be submitted to a cloud broker (sharing portal) so other institutions can securely access them. Solution providers save a lot of time and sales expense with this approach.

What is vendor risk management?

Vendor Risk Management, or VRM, is the process of vetting vendor solutions to ensure that they do not pose an unacceptable risk to an organization.

What is the difference between HECVAT Lite and Full?

HECVAT v3.05 (released in November 2023) comes in three types:

  • Full – 237 questions.
  • Lite – 77 question subset of the full.
  • On-premise – 55 questions. For evaluating on-premise appliances.

Do I need Lite or Full?

Ultimately, it is up to the higher education institutions to determine assessment requirements and whether you need to complete the Lite or Full version. However, in 2023, we have observed institutions being more risk-averse and requiring the HECVAT Full.

How to comply with HECVAT

Firstly, it’s worth noting that there is no HECVAT certification or compliance process per se. Instead, each institution performs a subjective analysis of your completed HECVAT to determine the risk of using your product or service. Passing the assessment is an essential gate to the procurement process.

Do we have to comply with every requirement?

No, every application gets assessed on its own merits. Solution providers can add remarks (justifications) where they cannot answer as the institution prefers. These justifications include:

  • Stating a plan to fix the gap (e.g., in the roadmap).
  • Articulating the business reason why you do not plan to fix the gap.
  • These statements enable the institution analyst to make risk-scoring adjustments.

We are ISO 27001 certified. Do we still need to submit HECVAT?

No matter what security framework you may have, you are required to complete the HECVAT. However, solution providers with a security program based on an industry framework such as ISO 27001, will be able to complete the questionnaire faster.

HECVAT is in the process of completing “crosswalks” that map the questions to existing industry control frameworks. Once completed, this will save time for solution providers with an established security program.

If our HECVAT is successful with one institution is it automatically accepted by others?

No, each institution will perform its security assessments and risk analysis to measure vendor risk. However, leveraging HECVAT success with one institution in your response to multiple institutions is possible by referencing the approved institution.

HECVAT for small to medium business (SMB)

Completing the questionnaire can seem like a daunting task for small business owners. Most SMBs don’t have an information security program with dedicated staff. Trying to complete the HECVAT without the necessary experience will be likely lead to a disappointing outcome. If you’re facing this issue and selling to the US education market is essential, consider contracting external professionals.

Who should answer the HECVAT?

The questions can be challenging to interpret; however, most information risk professionals will have experience with compliance questionnaires similar to HECVAT. If you don’t have one on staff, consider engaging external experts.

How long will it take and how much will it cost to comply?

The time it will take will vary significantly depending on the nature of your business, the types of data collected, and the state of your existing information security program.

Completing the HECVAT typically involves the following steps:

  • Assessing the current state.
  • Determining the goal state for HECVAT submission.
  • Identifying the gaps between the present and goal states.
  • Prioritizing gaps in a plan of action and milestones roadmap.
  • Fixing gaps or providing business justifications

There are many factors that affect the cost, including:

  • Is your product entirely cloud-based?
  • Do you have an up-to-date security risk register?
  • Does your product store sensitive data, sensitive institutional information, or personally identifiable information (PII)?
  • How mature are your data security and privacy controls?
  • Does your product store health information or process payments?

We highly recommend scoping the project with a professional so you can use that information to determine the investment required.

What are the main challenges to completing the HECVAT?

  • Correctly interpreting questions in the context of your business
  • Writing effective responses with the institution analyst in mind.
  • Prioritizing gaps, roadmap, and work plan

Key Takeaways

HECVAT is an education community vendor assessment toolkit. While completing the questionnaire is time-consuming, it is essential if you plan to sell to the US higher education market.

If you’re unable to meet a requirement, either add it to your roadmap or write thoughtful justifications to help the analyst understand the reasoning.

Feeling Overwhelmed?

HECVAT Pro can help speed up your assessment process. We provide professional assessment preparation for cloud services, as well triage and related tools.


Picture of David Clarkson

David Clarkson

Related Post

SME Vendors
David Clarkson

Overcoming the Primary HECVAT Completion Challenge 5 HECVAT compliance obstacles The obstacles lies in the complexity and thoroughness of the assessment process. While the HECVAT

Read More
David Clarkson

HECVAT Pro: Your Reliable Partner for HECVAT Compliance At HECVAT Pro, we understand that achieving Higher Education Community Vendor Assessment Tool (HECVAT) compliance can be

Read More
SME Vendors
David Clarkson

Understanding HECVAT: Essential Insights from HECVAT Pro Higher education institutions often outsource various services, from accounting to procurement, to third-party vendors. While outsourcing can provide

Read More
Skip to content