The HECVAT is a questionnaire designed for higher education to evaluate a vendor’s security risks and confirm that the vendor has implemented data and security policies.
When purchasing third-party software or hardware, university personnel must obtain a HECVAT for the product from the vendor to confirm that information, data, and cybersecurity policies are in place to protect university data when using the vendor’s product. The completed HECVAT must be attached to the request for the product. However, the request for the product can be submitted before the HECVAT is obtained, with the understanding that the completed HECVAT will be provided as soon as possible thereafter.
Vendors must complete the assessment tool to provide this information. The vendor should download the HECVAT template from The HECVAT Tools section. After obtaining the vendor’s HECVAT, a HECVAT / Cybersecurity Review must be requested and completed. The requestor will then submit the vendor's completed HECVAT for HECVAT / Cybersecurity review. Note the TDX ID for reference after receiving the HECVAT / Cybersecurity review form. Once the VPAT and HECVAT are reviewed, the documents will be submitted to Legal for review.