  {"id":12947,"date":"2019-08-08T14:36:36","date_gmt":"2019-08-08T18:36:36","guid":{"rendered":"http:\/\/www.montclair.edu\/information-technology\/?page_id=12947"},"modified":"2025-09-16T16:05:32","modified_gmt":"2025-09-16T20:05:32","slug":"hecvat","status":"publish","type":"page","link":"https:\/\/www.montclair.edu\/information-technology\/security\/hecvat\/","title":{"rendered":"Vendor Assessment (HECVAT)"},"content":{"rendered":"<p style=\"text-align: center\"><span class=\"prpl-button ghost-red\"><a href=\"https:\/\/www.montclair.edu\/information-technology\/security\/?wp_logged_in=true\">Return to Information Security Home<\/a><\/span><\/p>\n<p>A security review is required for all Montclair <strong>cloud and SaaS services<\/strong> that integrate with internal systems or collect, store, and process private data for University students, staff, alumni, parents, clients, or guests.<\/p>\n<p>Prior to the purchase, renewal, pilot program, or signing of a contract for a cloud service, it must pass a security review using the <strong>Higher Education Community Vendor Assessment Toolkit (HECVAT)<\/strong> to ensure it protects University data and meets compliance standards.<\/p>\n<p><strong>Start your request now<\/strong>:<\/p>\n<p><a href=\"https:\/\/docs.google.com\/forms\/d\/e\/1FAIpQLSdgDi10eAP8aPF_ZfVXWMQDwsht7bitHay1LfyTRcw7EMqK_A\/viewform?usp=dialog\">Vendor Security Request<\/a> &#8211; This Google Form will help determine if a HECVAT review is required for the purchase. 
The form should be filled out by the department contact responsible for the purchase so Montclair IT can reach out directly with any questions.<\/p>\n<hr \/>\n<p><a name=\"what-is-mfa\"><\/a><div class=\"prpl-drawer\"><div class=\"prpl-drawer-header\">What is a HECVAT<\/div><div class=\"prpl-drawer-content\">\n<p>The HECVAT is a standardized security questionnaire developed specifically for higher education institutions to assist in evaluating a vendor\u2019s data protection practices, system security, and compliance with regulations such as <strong>FERPA<\/strong>, <strong>HIPAA<\/strong>, and <strong>PCI-DSS<\/strong>. The HECVAT is used by many higher education institutions and it is common for vendors to complete a HECVAT when requested to do so. Some vendors already have a HECVAT available by request.<\/p>\n<p>The HECVAT review ensures that vendors meet University security requirements, protect sensitive and confidential data, and comply with applicable laws. It helps safeguard University systems from risks like data breaches, service disruptions, and unauthorized access.<\/p>\n<\/div><\/div>\n<p><a name=\"why-mfa\"><\/a><div class=\"prpl-drawer\"><div class=\"prpl-drawer-header\">Who needs to complete this review<\/div><div class=\"prpl-drawer-content\">\n<p>Any Montclair department planning to use a <strong>cloud or SaaS service<\/strong> for University business must fill out the form to see if a HECVAT review is required.<\/p>\n<p>This <strong>includes<\/strong> services for prospective and current students, faculty, staff, alumni, or any other constituents.<\/p>\n<p>You <em><strong>will need<\/strong><\/em> a HECVAT review if your procurement request matches any of the following questions:<\/p>\n<ul>\n<li>Will the vendor see or store university information (e.g., 
student, employee, research, financial, or health data)?<\/li>\n<li>Will people log in with their university account?<\/li>\n<li>Will the vendor need access to Montclair systems?<\/li>\n<li>If this service went down, would it disrupt important work (teaching, research, or daily business operations)?<\/li>\n<li>Is this a cloud or web-based service (accessed over the internet instead of installed on a computer)?<\/li>\n<li>Will the vendor handle personal or confidential information (e.g., names, addresses, grades, medical info, or payment data)?<\/li>\n<\/ul>\n<\/div><\/div>\n<p><a name=\"authentication-options\"><\/a><div class=\"prpl-drawer\"><div class=\"prpl-drawer-header\">What you will need<\/div><div class=\"prpl-drawer-content\">\n<p>Documents required for all reviews (<strong>if you meet the requirements above<\/strong>):<\/p>\n<ul>\n<li><a href=\"https:\/\/docs.google.com\/forms\/d\/e\/1FAIpQLSdgDi10eAP8aPF_ZfVXWMQDwsht7bitHay1LfyTRcw7EMqK_A\/viewform?usp=dialog\">Vendor Security Request<\/a> &#8211; This Google Form will help determine if a HECVAT review is required for the purchase. 
The form should be filled out by the department contact responsible for the purchase so Montclair IT can reach out directly with any questions.<\/li>\n<li><a href=\"https:\/\/library.educause.edu\/-\/media\/files\/library\/2022\/6\/hecvat303.xlsx\">HECVAT 3.x<\/a> or newer from <a href=\"https:\/\/www.educause.edu\/-\/media\/files\/educause\/hecvat\/hecvat410.xlsx\">Educause<\/a> in Microsoft Excel format &#8211; A blank copy of the HECVAT can be found here if needed; however, vendors usually have them filled out and will provide one by request.<\/li>\n<\/ul>\n<p><strong>Note<\/strong>:\u00a0 The \u201cLite\u201d version may be used only with prior approval from the <a href=\"https:\/\/www.montclair.edu\/information-technology\/security\/\">Information Security<\/a> team.<\/p>\n<\/div><\/div>\n<p><a name=\"when-to-submit\"><\/a><div class=\"prpl-drawer\"><div class=\"prpl-drawer-header\">When to submit<\/div><div class=\"prpl-drawer-content\">\n<p><strong>Submit your request before<\/strong>:<\/p>\n<ul>\n<li>Purchasing or renewing software<\/li>\n<li>Signing a contract or agreement<\/li>\n<li>Launching a pilot program or trial<\/li>\n<\/ul>\n<p><strong>Typical review times<\/strong>:<\/p>\n<ul>\n<li>Vendor Review: 5 to 10 business days<\/li>\n<\/ul>\n<\/div><\/div>\n<p><a name=\"hecvat-process\"><\/a><div class=\"prpl-drawer\"><div class=\"prpl-drawer-header\">How the process works<\/div><div class=\"prpl-drawer-content\">\n<h3>Step 1: Confirm Requirements<\/h3>\n<p>If you answered \u2018<em><strong>yes<\/strong><\/em>\u2019 to any of the questions in the <em><strong>Who needs to complete this review<\/strong><\/em> section above, you will likely need a HECVAT from the vendor.<\/p>\n<p>Please obtain it before starting this form, since you\u2019ll be asked to upload the HECVAT as part of your submission.<\/p>\n<h3>Step 2: Submit Your Forms<\/h3>\n<p>Determine if the service for purchase qualifies as cloud or SaaS and is being used for University business by completing 
the <a href=\"https:\/\/docs.google.com\/forms\/d\/e\/1FAIpQLSdgDi10eAP8aPF_ZfVXWMQDwsht7bitHay1LfyTRcw7EMqK_A\/viewform?usp=dialog\">Vendor Security Request<\/a>.<\/p>\n<p>Attach the vendor-completed HECVAT form IF prompted in the <a href=\"https:\/\/docs.google.com\/forms\/d\/e\/1FAIpQLSdgDi10eAP8aPF_ZfVXWMQDwsht7bitHay1LfyTRcw7EMqK_A\/viewform?usp=dialog\">Vendor Security Request<\/a>.<\/p>\n<h3><strong>Step 3: Security Team Review<\/strong><\/h3>\n<p>The <a href=\"https:\/\/www.montclair.edu\/information-technology\/security\/\">Information Security<\/a> team reviews the forms for completeness, assesses data handling practices, and evaluates risks across six areas:<\/p>\n<ul>\n<li>Data Protection<\/li>\n<li>Authentication<\/li>\n<li>Audit<\/li>\n<li>Encryption<\/li>\n<li>Access Control<\/li>\n<li>Disaster Recovery<\/li>\n<\/ul>\n<h3>Step 4: Receive Outcome<\/h3>\n<p>You will receive an email with the decision: approved, approved with conditions, rejected, or request for more information.<\/p>\n<ul>\n<li>Vendor Review: 5 to 10 business days<\/li>\n<\/ul>\n<\/div><\/div><a name=\"authentication-options\"><\/a><\/p>\n<p><a name=\"duo-faq\"><\/a><a href=\"#hecvat-faq\"><div class=\"prpl-drawer\"><div class=\"prpl-drawer-header\">FAQ<\/div><div class=\"prpl-drawer-content\">\n<ul>\n<li><a href=\"#free-tools\"><strong>Do I need this review for free tools?<\/strong><\/a><\/li>\n<li><a href=\"#process-time\"><strong>How long will the process take?<\/strong><\/a><\/li>\n<li><a href=\"#start-use-in-review\"><strong>Can I start using the service while it is being reviewed?<\/strong><\/a><\/li>\n<li><a href=\"#file-formats-accepted\"><strong>Which file formats are accepted?<\/strong><\/a><\/li>\n<li><a href=\"#lite-version-use\"><strong>Can I use the Lite version of HECVAT?<\/strong><\/a><\/li>\n<li><a href=\"#vendor-refusal\"><strong>What if the vendor refuses to complete HECVAT?<\/strong><\/a><\/li>\n<li><a href=\"#well-known-vendor\"><strong>Does a large, well-known 
vendor still need a review?<\/strong><\/a><\/li>\n<li><a href=\"#vendor-renewal\"><strong>How do renewals work?<\/strong><\/a><\/li>\n<li><a href=\"#hecvat-other-university\"><strong>Can I use a HECVAT the vendor completed for another university?<\/strong><\/a><\/li>\n<li><a href=\"#cover-contract-requirements\"><strong>Will the review cover contract requirements?<\/strong><\/a><\/li>\n<\/ul>\n<hr \/>\n<h3><strong><a name=\"free-tools\"><\/a>Do I need this review for free tools?<\/strong><\/h3>\n<p>Yes, if they handle University data, they must be reviewed.<\/p>\n<hr \/>\n<h3><strong><a name=\"process-time\"><\/a>How long will the process take?<\/strong><\/h3>\n<div>Vendor Review: 5 to 10 business days<\/div>\n<hr \/>\n<h3><strong><a name=\"start-use-in-review\"><\/a>Can I start using the service while it is being reviewed?<\/strong><\/h3>\n<p>No, you must wait for an official approval.<\/p>\n<hr \/>\n<h3><a name=\"file-formats-accepted\"><\/a><strong>Which file formats are accepted?<\/strong><\/h3>\n<p>Excel for the HECVAT Full form.<\/p>\n<p><a href=\"https:\/\/library.educause.edu\/-\/media\/files\/library\/2022\/6\/hecvat303.xlsx\">HECVAT Full Form<\/a> \u2013 Excel<\/p>\n<hr \/>\n<h3><a name=\"lite-version-use\"><\/a>Can I use the Lite version of HECVAT?<\/h3>\n<p>Only if you receive prior written approval from <a href=\"https:\/\/www.montclair.edu\/information-technology\/security\/\">Information Security<\/a>.<\/p>\n<hr \/>\n<h3><a name=\"vendor-refusal\"><\/a>What if the vendor refuses to complete HECVAT?<\/h3>\n<p>You will need to work with Information Security to resolve the issue.<\/p>\n<hr \/>\n<h3><a name=\"well-known-vendor\"><\/a><strong>Does a large, well-known vendor still need a review?<\/strong><\/h3>\n<p>Yes, all vendors must be assessed to meet Montclair\u2019s specific requirements.<\/p>\n<hr \/>\n<h3><a name=\"vendor-renewal\"><\/a><strong>How do renewals work?<\/strong><\/h3>\n<p>If your <a 
href=\"https:\/\/www.montclair.edu\/workday\/\">Workday<\/a> record already has valid security forms with future expiration dates, a full reassessment may not be required. Generally, vendor security reviews are valid for two years. A renewal will only require a new assessment if:<\/p>\n<ul>\n<li>The vendor changes (new provider or ownership).<\/li>\n<li>The software\/service itself changes significantly (e.g., new modules, new data types handled).<\/li>\n<li>The University process or data involved changes (e.g., handling different categories of sensitive information).<\/li>\n<\/ul>\n<p>If none of these apply and your current forms are still valid, you can continue without a full reassessment until the two-year renewal period.<\/p>\n<hr \/>\n<h3><a name=\"hecvat-other-university\"><\/a><strong>Can I use a HECVAT the vendor completed for another university?<\/strong><\/h3>\n<p>Yes, if it is for the same service, is <a href=\"https:\/\/library.educause.edu\/-\/media\/files\/library\/2022\/6\/hecvat303.xlsx\">version 3.x<\/a> or newer from <a href=\"https:\/\/www.educause.edu\/-\/media\/files\/educause\/hecvat\/hecvat410.xlsx\">Educause<\/a>, and in <strong>Excel<\/strong> format.<\/p>\n<hr \/>\n<h3><a name=\"cover-contract-requirements\"><\/a><strong>Will the review cover contract requirements?<\/strong><\/h3>\n<p>No. The <a href=\"https:\/\/www.montclair.edu\/information-technology\/security\/\">Information Security<\/a> review does not replace or overlap with the <strong>contract review performed by <a href=\"https:\/\/www.montclair.edu\/president\/university-counsel\/\">University Counsel (Legal)<\/a><\/strong>. 
Our assessment focuses on the vendor\u2019s security posture (e.g., controls, compliance, and risk considerations).<\/p>\n<p><a href=\"https:\/\/www.montclair.edu\/president\/university-counsel\/\">University Counsel<\/a> handles all contract language and ensures standard University terms and conditions, including security requirements, are included.<\/p>\n<\/div><\/div>\n","protected":false},"excerpt":{"rendered":"<p>A security review is required for all Montclair cloud and SaaS services that integrate with internal systems or collect, store, and process private data for University students, staff, alumni, parents, clients, or guests. Prior to the purchase, renewal, pilot program, or signing of a contract for a cloud service, it must pass a [&hellip;]<\/p>\n","protected":false},"author":111,"featured_media":23151,"parent":448,"menu_order":6,"comment_status":"closed","ping_status":"closed","template":"","meta":{"inline_featured_image":false,"footnotes":""},"class_list":["post-12947","page","type-page","status-publish","has-post-thumbnail","hentry"],"_links":{"self":[{"href":"https:\/\/www.montclair.edu\/information-technology\/wp-json\/wp\/v2\/pages\/12947","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.montclair.edu\/information-technology\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.montclair.edu\/information-technology\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.montclair.edu\/information-technology\/wp-json\/wp\/v2\/users\/111"}],"replies":[{"embeddable":true,"href":"https:\/\/www.montclair.edu\/information-technology\/wp-json\/wp\/v2\/comments?post=12947"}],"version-history":[{"count":37,"href":"https:\/\/www.montclair.edu\/information-technology\/wp-json\/wp\/v2\/pages\/12947\/revisions"}],"predecessor-version":[{"id":25712,"href":"https:\/\/www.montclair.edu\/information-technology\/wp-json\/wp\/v2\/pages\/12947\/revisions\/25712"}],"up":[{"embeddable":true,"href":"https:\/\/www.
montclair.edu\/information-technology\/wp-json\/wp\/v2\/pages\/448"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.montclair.edu\/information-technology\/wp-json\/wp\/v2\/media\/23151"}],"wp:attachment":[{"href":"https:\/\/www.montclair.edu\/information-technology\/wp-json\/wp\/v2\/media?parent=12947"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}