The HECVAT is a questionnaire designed for higher education to evaluate a vendor’s security risks and confirm that the vendor has implemented data and security policies.
When purchasing third-party software or hardware, university personnel must obtain a HECVAT for the product from the vendor to confirm that information, data, and cybersecurity policies are in place to protect university data when using the vendor’s product. The completed HECVAT must be attached to the request for the product.
Check to see if the vendor has a HECVAT on their website or in the Cloud Broker Index. If not, a HECVAT must be requested from the vendor.
Vendors must complete the assessment tool to provide this information. The vendor should select HECVAT Full from The HECVAT Tools section. After obtaining the vendor’s HECVAT, a HECVAT Review must be requested and completed. The requester must also fill out a Triage HECVAT in The HECVAT Tools section after receiving the vendor's completed HECVAT. The requestor will then submit both the vendor's completed HECVAT and the completed Triage HECVAT for HECVAT review and approval. Note the TDX ID for reference after receiving the HECVAT approval form. Once the VPAT, HECVAT and HECVAT Triage are approved, the documents will be submitted to Legal for review.