For step-by-step instructions for handling VPAT and HECVAT requests, reviews, and submissions, see our Cybersecurity (HECVAT) and Accessibility (VPAT) Requirements for Technology Purchases article.
To ensure that university technology purchases meet federal, state, and board requirements for cybersecurity and accessibility, all university technology purchases (software and hardware) are required to undergo cybersecurity and accessibility review before legal review or purchase (including renewals). Both a Higher Education Community Vendor Assessment Toolkit (HECVAT) and a Voluntary Product Accessibility Template (VPAT) (or Accessibility Conformance Report (ACR)) is required from the vendor for each individual product being purchased. These documents are reviewed to ensure they meet regulations and that we are providing a safe and accessible experience for our campus community.
The HECVAT is a questionnaire designed for higher education to evaluate a vendor’s security risks and confirm that the vendor has implemented data and security policies. A HECVAT must be obtained from the vendor to evaluate and confirm that the vendor’s security risks and confirm that the vendor has implemented information, data, and cybersecurity policies to protect university data when using the vendor’s product.
When purchasing third-party software or hardware, university personnel must obtain a HECVAT for the product from the vendor to confirm that information, data, and cybersecurity policies are in place to protect university data when using the vendor’s product. The completed HECVAT must be attached to the request for the product. However, the request for the product can be submitted before the HECVAT is obtained, with the understanding the completed HECVAT will be provided as soon as possible thereafter.
The person requesting the software is responsible for requesting the HECVAT from the vendor. In some cases the requestor's tech partner can assist if the vendor has technical questions.
HECVATs should be requested when asking for a quote from the vendor and must be obtained and reviewed before legal review or a Workday requisition. We recommend requesting the HECVAT as soon as possible. If you know that a purchase or renewal is coming up, you can submit the HECVAT review request in advance, instead of waiting until the product is up for renewal. Keep in mind that reviews expire after 12 months. The review process takes about a week or two but can vary. Plan for longer review times during busy purchasing periods such as July or the start of semesters.
Vendors must complete the assessment tool to provide this information. Ideally, the vendor's security team will complete the HECVAT. The vendor should select HECVAT Full from The HECVAT Tools section. After obtaining the vendor’s HECVAT, a HECVAT Review must be requested and completed. The requestor will then submit the vendor's completed HECVAT for HECVAT review and approval. Note the TDX ID for reference after receiving the HECVAT approval form. Once the VPAT and HECVAT are approved, the documents will be submitted to Legal for review.
Both downloadable desktop installed software and online software as a service (SaaS) require VPATs and HECVATs.