The HECVAT is a questionnaire designed for higher education to evaluate a vendor’s security risks and confirm that the vendor has implemented data and security policies.
When purchasing third-party software or hardware, university personnel must obtain a HECVAT for the product from the vendor to confirm that information, data, and cybersecurity policies are in place to protect university data when using the vendor’s product. The completed HECVAT must be attached to the request for the product. However, the request for the product can be submitted before the HECVAT is obtained, with the understanding the completed HECVAT will be provided as soon as possible thereafter.
Check to see if the vendor has a HECVAT on their website or in the Cloud Broker Index. If not, a HECVAT must be requested from the vendor. Contact contract@uark.edu for help with this.
Vendors must complete the assessment tool to provide this information. The vendor should select HECVAT Full from The HECVAT Tools section. After obtaining the vendor’s HECVAT, a HECVAT Review must be requested and completed. The requestor will then submit the vendor's completed HECVAT for HECVAT review and approval. Note the TDX ID for reference after receiving the HECVAT approval form. Once the VPAT and HECVAT are approved, the documents will be submitted to Legal for review.