Image of a circle

Vendor Assessment (HECVAT)

Return to Information Security Home

All Software as a Service (SaaS), otherwise referred to as “Cloud”, solutions used for Montclair State University related business must have their cybersecurity practices reviewed and approved by Information Technology.

Approval must be obtained prior to the completion of a Contract Approval Sign-off or purchase process.

This is required irregardless of whether or not:

  • The service is being used to transfer, process, or store any University related data
  • The service is provided for free or at cost

The IT Information Security team is responsible for performing these reviews and have adopted the EDUCAUSE Higher Education Community Vendor Assessment Toolkit (HECVAT).

One advantage of the HECVAT is that many popular higher education service providers/vendors may have already completed the form. To see if a provider/vendor you are interested in has completed a HECVAT, check the REN-ISAC HECVAT Community Broker Index.

If you are in the process of engaging in the proposed use or procurement of a SaaS/Cloud solution, the following two forms are required. Both forms must be returned to the IT security official ( in order for a review to be performed. Reviews typically take 10-15 business days, so please plan accordingly:


The requesting department is responsible for ensuring the following criteria is met for all HECVAT submissions:

HECVAT (version 3.x)

      • To be completed by the provider/vendor. Must be returned in the original Microsoft Excel format or it will not be accepted. (No PDFs or other exports.)
      • We do not accept HECVAT forms older than at least version 3.0.
        • The current version is listed on the right hand side of the title row in the HECVAT document. The last 2.x form version is 2.11 and is now over three years old. And the 3.x form version has had significant improvements in content and usability. As vendors are expected to provide the latest and most relevant responses to the questionnaire, we can no longer accept versions older than 3.0.
      • We do not accept the “Lite” version of the HECVAT form for most submissions. If you wish to discuss an exception to accept the Lite version from a service provider, you must contact the security official at the address above before submitting for additional guidance.
HECVAT Review Request Form

HECVAT Review Request Form (Current version 2.x)
    • To be completed by the requesting Montclair State University department. Must be returned in the original Microsoft Word format or it will not be accepted. (Note: This form is only accessible if you are logged into your MSU Google account using your NetID.)