three large binders filled with documents and papers

Higher Education Cloud Vendor Assessment

All Software as a Service (SaaS), otherwise referred to as “Cloud”, solutions used for Montclair State University related business must have their cybersecurity practices reviewed and approved by Information Technology. Approval must be obtained prior to the completion of a Contract Approval Sign-off or purchase process.

This is required irregardless of whether or not:

  • The service is being used to transfer, process, or store any University related data
  • The service is provided for free or at cost

The IT Information Security team is responsible for performing these reviews and have adopted the EDUCAUSE Higher Education Cloud Vendor Assessment Tool (HECVAT).

One advantage of the HECVAT is that many popular higher education cloud service providers/vendors may have already completed the form. To see if a provider/vendor you are interested in has completed a HECVAT, check the REN-ISAC HECVAT Cloud Broker Index.

If you are in the process of engaging in the proposed use or procurement of a Cloud solution, the following two forms are required:

  • HECVAT (Current version 3.0)
    • To be completed by the provider/vendor. Must be returned in Microsoft Excel format or it will not be accepted.
    • We do not accept HECVAT forms older than version 2.x. The current version is listed on the right hand side of the title row in the document.
    • We do not accept the “Lite” version of the HECVAT form for most submissions. If you wish to discuss an exception for a service provider, please contact the security official at the address below before submitting.
  • HECVAT Review Request Form (Current version 1.9.9)
    • To be completed by the requesting Montclair State University department. Must be returned as a Microsoft Word document or it will not be accepted. (Note: This form is only accessible if you are logged into your MSU Google account using your NetID.)

Both forms must be returned to the Director of Information Security in order for a review to be performed. Reviews typically take 7-10 business days so please plan accordingly.

You may contact the Director of Information Security directly or via: