Vendor Assessment (HECVAT)

A security review is required for all Montclair State University cloud and SaaS services that integrate with internal systems or collect, store, and process private data for University students, staff, alumni, parents, clients, or guests.

Prior to the purchase, renewal, pilot program, or signing of a contract for a cloud service, the service must pass a security review using the Higher Education Community Vendor Assessment Toolkit (HECVAT) to ensure it protects University data and meets compliance standards.

Start your request now:

Vendor Security Request – This Google form will help determine if a HECVAT review is required for the purchase. The form should be filled out by the department contact responsible for the purchase so Montclair IT can reach out directly with any questions.


What is a HECVAT

The HECVAT is a standardized security questionnaire developed specifically for higher education institutions to assist in evaluating a vendor’s data protection practices, system security, and compliance with regulations such as FERPA, HIPAA, and PCI-DSS. The HECVAT is used by many higher education institutions and it is common for vendors to complete a HECVAT when requested to do so. Some vendors already have a HECVAT available by request.

The HECVAT review ensures that vendors meet University security requirements, protect sensitive and confidential data, and comply with applicable laws. It helps safeguard University systems from risks like data breaches, service disruptions, and unauthorized access.

Who needs to complete this review

Any Montclair State University department planning to use a cloud or SaaS service for University business must fill out the form to see if a HECVAT review is required.

This includes services for prospective and current students, faculty, staff, alumni, or any other constituents.

You will need a HECVAT review if your procurement request matches any of the following questions:

  • Will the vendor see or store university information (e.g., student, employee, research, financial, or health data)?
  • Will people log in with their university account?
  • Will the vendor need access to Montclair systems?
  • If this service went down, would it disrupt important work (teaching, research, or daily business operations)?
  • Is this a cloud or web-based service (accessed over the internet instead of installed on a computer)?
  • Will the vendor handle personal or confidential information (e.g., names, addresses, grades, medical info, or payment data)?

What you will need

Documents required for all reviews (if you meet the requirements above):

  • Vendor Security Request – This Google form will help determine if a HECVAT review is required for the purchase. The form should be filled out by the department contact responsible for the purchase so Montclair IT can reach out directly with any questions.
  • HECVAT 3.x or newer from Educause in Microsoft Excel format – A blank copy of the HECVAT can be found here if needed; however, vendors usually have them filled out and will provide one on request.

Note: The “Lite” version may be used only with prior approval from the Information Security team.

When to submit

Submit your request before:

  • Purchasing or renewing software
  • Signing a contract or agreement
  • Launching a pilot program or trial

Typical review times:

  • Vendor Review: 5 to 10 business days

How the process works

Step 1: Confirm Requirements

If you answered ‘yes’ to any of the questions in the “Who needs to complete this review” section above, you will likely need a HECVAT from the vendor.

Please obtain it before starting this form, since you’ll be asked to upload the HECVAT as part of your submission.

Step 2: Submit Your Forms

Determine if the service for purchase qualifies as cloud or SaaS and is being used for University business by completing the Vendor Security Request.

Attach the vendor-completed HECVAT form IF prompted in the Vendor Security Request.

Step 3: Security Team Review

The Information Security team reviews the forms for completeness, assesses data handling practices, and evaluates risks across six areas:

  • Data Protection
  • Authentication
  • Audit
  • Encryption
  • Access Control
  • Disaster Recovery

Step 4: Receive Outcome

You will receive an email with the decision: approved, approved with conditions, rejected, or request for more information.

  • Vendor Review: 5 to 10 business days


Do I need this review for free tools?

Yes, if they handle University data, they must be reviewed.


How long will the process take?

Vendor Review: 5 to 10 business days

Can I start using the service while it is being reviewed?

No, you must wait for an official approval.


Which file formats are accepted?

Excel for the HECVAT Full form.

HECVAT Full Form – Excel


Can I use the Lite version of HECVAT?

Only if you receive prior written approval from Information Security.


What if the vendor refuses to complete HECVAT?

You will need to work with Information Security to resolve the issue.


Does a large, well-known vendor still need a review?

Yes, all vendors must be assessed to meet Montclair State University’s specific requirements.


How do renewals work?

If your Workday record already has valid security forms with future expiration dates, a full reassessment may not be required. Generally, vendor security reviews are valid for two years. A renewal will only require a new assessment if:

  • The vendor changes (new provider or ownership).
  • The software/service itself changes significantly (e.g., new modules, new data types handled).
  • The University process or data involved changes (e.g., handling different categories of sensitive information).

If none of these apply and your current forms are still valid, you can continue without a full reassessment until the two-year renewal period.


Can I use a HECVAT the vendor completed for another university?

Yes, if it is for the same service, is version 3.x or newer from Educause, and in Excel format.


Will the review cover contract requirements?

No. The Information Security review does not replace or overlap with the contract review performed by University Counsel (Legal). Our assessment focuses on the vendor’s security posture (e.g., controls, compliance, and risk considerations).

University Counsel handles all contract language and ensures standard University terms and conditions, including security requirements, are included.