HECVAT Compliance: Complete Guide [2026]

SaltyCloud Research Team

Updated May 15, 2026 · Read time: 13 min

HECVAT Compliance: Requirements, Certification, and Getting Started

HECVAT compliance is the voluntary completion of the Higher Education Community Vendor Assessment Toolkit and alignment of a vendor’s responses with the reviewing institution’s risk and procurement standards. The term appears across higher education RFPs, vendor communications, and security team discussions, and it is widely misunderstood because it carries regulatory connotations it does not actually have.

EDUCAUSE developed HECVAT to help higher education institutions evaluate vendor security. It is not a regulation, and no “HECVAT certification” exists. Understanding how to be compliant with HECVAT helps institutions set realistic procurement expectations and helps vendors communicate their security posture accurately.

This guide covers what HECVAT compliance actually means, how requirements are organized by assessment domain, how the toolkit maps to regulatory frameworks, and how to access HECVAT 4.

New to HECVAT? Start with What Is HECVAT? The Complete Guide for Higher Education.

What Does HECVAT Compliance Mean?

HECVAT compliance is not a formal legal status. It means a vendor seeking to work with a higher education institution has completed the HECVAT questionnaire and their responses satisfy the reviewing institution’s security, privacy, accessibility, and operational standards.

HECVAT Compliance is the voluntary completion of the Higher Education Community Vendor Assessment Toolkit questionnaire and alignment of a vendor’s responses with the reviewing institution’s risk and policy expectations. HECVAT is not a regulatory mandate, certification, or audit standard. It is a standardized assessment framework developed by EDUCAUSE that institutions use to evaluate third-party vendors’ cybersecurity, privacy, accessibility, and related practices.

The Two Primary Requirements

HECVAT compliance comes down to two requirements:

  1. Completion of the applicable workbook. A vendor works through the HECVAT 4 assessment tool containing around 321 questions across 7 primary sections, completing only the tabs that apply to their solution. This involves gathering internal documentation, attaching supporting evidence, and coordinating across security, legal, privacy, and IT teams. Most organizations require 8 to 20 hours to complete the workbook thoroughly.
  2. Alignment with institutional review requirements. The reviewing institution uses HECVAT’s evaluation tabs (Institution Evaluation, High Risk Evaluation, Privacy Analyst Evaluation) to assess responses against its own policies, risk tolerance, and procurement standards. Institutions may request follow-up evidence, override vendor answers, or adjust the importance of specific questions based on their own risk appetite.

Being HECVAT-compliant means:

  • Complete responses: Providing complete, credible, and well-documented proof across all applicable sections
  • Institutional alignment: Satisfying the reviewing institution’s risk and policy expectations
  • Follow-up readiness: Being prepared to respond to follow-up questions or provide additional evidence
  • Institution-specific acceptance: There is no centralized HECVAT authority; each institution determines acceptance based on its own standards

Is HECVAT a Certification?

No, HECVAT is not a formal certification program. EDUCAUSE provides the workbook and guidance but does not certify vendors. The process resembles a compliance audit, but there is no third-party auditor, no “HECVAT credential,” and no universal scoring system.

A De Facto Procurement Requirement

HECVAT completion is voluntary, but many higher education institutions treat it as a standard requirement in vendor procurement. EDUCAUSE’s FAQ for vendors describes the HECVAT as higher education’s “preferred evaluation framework” for showcasing data protection practices. Vendors that skip the assessment risk additional scrutiny or rejection during an institution’s review process. Kent State University, for example, requires vendors whose products access or host university data to complete a HECVAT in all Request for Proposal (RFP) processes.

HECVAT compliance does not mean:

  • Mandatory requirement: HECVAT is voluntary, not a regulatory mandate
  • Third-party audit: HECVAT is a self-assessment, not an external certification
  • Universal score: Acceptance is institution-specific, not centrally determined
  • EDUCAUSE credential: EDUCAUSE provides the tool, not a certification

HECVAT Requirement / Claim | Part of HECVAT Compliance?
Detailed self-assessment responses | Yes
Supporting documentation and evidence | Yes
Institution review and approval | Yes
Follow-up validation discussions | Yes
Government-mandated certification | No
Independent external audit | No
Standardized industry-wide scoring | No
Official EDUCAUSE certification | No

HECVAT Compliance Requirements by Category

HECVAT 4 organizes the questionnaire into eight domains within a single unified workbook. Vendors begin with the Start Here tab, which contains eight required questions (REQU-01 through REQU-08) that act as a routing mechanism. The answers to these questions determine which sections apply to the vendor’s solution based on its type, deployment model, and the data types handled. Not every domain applies to every vendor.

Figure: Start Here tab, HECVAT 4.1 (EDUCAUSE)

Questionnaire Completion Guidance

  • Start Here and Organization are universal: Every vendor completes these two tabs regardless of solution type.
  • Remaining sections are conditional: They activate based on the vendor’s solution type, deployment model, and data types handled.
  • Perfect controls are not required: HECVAT captures maturity progression and gives institutions structured data to compare vendors.
  • One workbook, multiple institutions: A completed workbook can be shared with multiple institutions without modification.

HECVAT 4 Assessment Domains

HECVAT 4’s eight domains range from universal company and governance questions to conditional technical, privacy, and AI controls. Each domain’s focus, applicability, and key topics appear below.

Domain | Focus Area | Universal vs. Conditional | Key Topics
Start Here (Required Questions) | Solution scoping and routing | Universal/Mandatory | Solution type, deployment model, data types, section applicability
Organization | Company profile and governance | Universal/Mandatory | Ownership, internal policy frameworks, risk management, compliance programs
Product | Operational resilience and technical safeguards | Conditional | Business continuity, disaster recovery, change management, identity/access management, application security
Infrastructure | Hosting environment and operations | Conditional | Data center security, network controls, encryption, monitoring, backup strategy
IT Accessibility | User interface accessibility requirements | Conditional | WCAG alignment, VPAT/ACR documentation, assistive technology support, accessible interfaces
Case-Specific Questions | Regulatory and context-specific requirements | Conditional | HIPAA (HIPA-01–HIPA-29), PCI DSS (PCID-01–PCID-12), on-premises deployment
Artificial Intelligence | AI governance and model usage | Conditional | AI training data, model risk, automated decision-making, NIST AI RMF alignment (AIPL-05)
Privacy | Data stewardship and privacy practices | Conditional | Data lifecycle management, FERPA (PRGN-01), GDPR/PIPL (INTL-01–INTL-05), third-party privacy (PTHP-01)

For a complete breakdown of how HECVAT 4 restructured these domains from the legacy Full, Lite, and On-Premise versions, see HECVAT 4: What’s New in the Latest Version.

How HECVAT Reviews Work

Institutions score completed HECVAT workbooks using three built-in evaluation tabs in HECVAT 4:

  • Institution Evaluation: The primary review tab where analysts assess every vendor response, add notes, override answers, and adjust question importance based on their institution’s risk priorities. This tab drives the final compliance decision.
  • High Risk Evaluation: A streamlined view used when institutions need to quickly identify critical or non-negotiable gaps in a vendor’s security posture. A single high-risk gap can be enough to reject a vendor.
  • Privacy Analyst Evaluation: A dedicated tab used by privacy professionals to evaluate data protection and AI-specific questions without reviewing all technical infrastructure questions. Privacy findings from here influence the institution’s overall decision.

How Institutions Determine Compliance

HECVAT responses are reviewed directly by the requesting institution. A vendor’s compliance outcome depends on how its responses perform against each scoring criterion.

  • Each vendor response is scored based on whether it matches the compliant answer determined by HECVAT’s authors.
  • Institutions can override compliance determinations, adjust the importance level of individual questions, and flag non-negotiable questions that automatically surface in the High Risk Evaluation tab.
  • Analysts add notes directly in the workbook, which vendors can see if the workbook is returned for clarification.

There is no universal standard. Acceptance is based on each institution’s own risk tolerance and procurement requirements, so the same submission may be accepted by one institution and rejected by another.

Accurate HECVAT Terminology

Vendors should avoid describing themselves as “HECVAT certified,” since no official HECVAT certification or accreditation exists. Use the following language instead:

Recommended HECVAT Language | Avoid
“We completed a HECVAT assessment.” | “We are HECVAT certified.”
“We submitted a HECVAT workbook for institutional review.” | “We passed HECVAT.”
“Our HECVAT responses were accepted by the institution.” | “We received HECVAT accreditation.”

How to Download the HECVAT

  1. Download location: HECVAT 4 is publicly available on the official EDUCAUSE HECVAT page. Click the Download HECVAT 4 link to access the current version.
  2. Current version: HECVAT 4.1.5, released February 10, 2025.
  3. Format: Microsoft Excel workbook (.xlsx). The format supports conditional logic, automated scoring, and built-in evaluation tabs.
  4. Cost: Free download.
  5. Older versions: HECVAT v3 may still be requested by some institutions, but v4 is the current standard.

Supporting Guidance

EDUCAUSE provides separate guidance for each audience:

  • For institutions: How to use the evaluation tabs, interpret vendor responses, and integrate HECVAT into procurement workflows
  • For vendors: How to complete the questionnaire accurately, share results with multiple institutions, and transition from HECVAT 3

Time to complete: Most organizations require 8 to 20 hours to complete HECVAT thoroughly. A single completed workbook can be shared with multiple requesting institutions.

How HECVAT Aligns With Other Regulatory Frameworks

HECVAT does not replace legal or regulatory frameworks. It functions as a structured due-diligence tool that consolidates security controls, privacy practices, governance, and case-specific requirements into a single assessment, helping institutions ask structured questions and compare vendors more efficiently.

Completing a HECVAT indicates that a vendor has relevant controls in place, but it does not establish legal compliance, certification, or conformance under any separate framework like HIPAA, FERPA, GDPR, or NIST. Some framework requirements appear directly through case-specific questions. Others are reflected indirectly through broader privacy, governance, and security prompts.

HECVAT 4 addresses the following regulatory frameworks across its workbook tabs.

Framework | Type | HECVAT Location | Specific Coverage
HIPAA & HITECH | Regulatory mandate | Case-Specific tab: HIPA-01 through HIPA-29 | Business Associate Agreements, risk analysis, technical controls, audit logging for health records
PCI DSS | Industry standard | Case-Specific tab: PCID-01 through PCID-12 | Attestations of Compliance, cardholder data environments
FERPA | Regulatory mandate (US) | Privacy tab: PRGN-01; Case-Specific: OPEM-06 | FERPA-related data processing; on-premises FERPA-compliant handling
GDPR / PIPL | Regulatory mandate (EU/China) | Privacy tab: PRGN-02, PDOC-02, INTL-01 through INTL-05 | Data protection laws, third-party privacy obligations, processor terms aligned with GDPR Article 28
NIST CSF / CIS Controls / ISO 27001 | Framework / compliance program | Organization tab: DOCU-04 | Vendors are asked whether they conform to a specific industry standard security framework such as NIST CSF, CIS Controls, or ISO 27001
NIST AI RMF | Voluntary framework | Artificial Intelligence tab: AIPL-05 | Alignment with the NIST AI Risk Management Framework and the Generative AI Profile (NIST AI 600-1) for third-party AI supply chain and model risk

GLBA and Vendor Assessment Obligations

GLBA’s Safeguards Rule does not name HECVAT, but it requires Title IV institutions to assess service providers, and HECVAT is the standard tool institutions use to meet that obligation. The Safeguards Rule (16 CFR 314.4) requires Title IV colleges and universities to “periodically assess service providers based on the risk they present” and select providers capable of maintaining appropriate safeguards. HECVAT provides the structured assessment format that satisfies this obligation.

An EDUCAUSE Review analysis of GLBA pitfalls in higher education explicitly recommends asking vendors for “a SOC 2 report or a completed HECVAT” to satisfy Safeguards Rule vendor oversight requirements. A Thompson Coburn GLBA FAQ for higher education further explains how the FTC enforces Safeguards Rule violations at Title IV institutions through annual compliance audits. A May 2024 amendment to the Safeguards Rule also requires Title IV institutions to report qualifying data breaches to the FTC within 30 days, adding urgency to proactive vendor assessment practices.

The Department of Education’s Federal Student Aid office reinforced these obligations in Electronic Announcement GENERAL-24-46 (April 2024), which addresses how Title IV institutions must structure relationships with third-party service providers, building on its February 2023 cybersecurity requirements update. The FTC’s June 2025 Safeguards Rule FAQ further clarifies service provider oversight duties, and the FTC’s first enforcement action against an education technology vendor, Illuminate Education (December 2025), signals that inadequate vendor security controls now carry direct federal enforcement risk for the institutions that contract with them.

How to Simplify HECVAT Compliance

Managing HECVAT assessments across dozens of vendors creates coordination challenges that spreadsheets and email cannot solve at scale. An EDUCAUSE QuickPoll on third-party risk management found that 63% of higher education institutions lack a formal TPRM process and only 22% regularly monitor third-party performance. Isora GRC is the collaborative GRC Assessment Platform™ built for security teams to manage HECVAT assessments in one connected workspace.

  • Assessment management: Organize assessments by compliance goal to streamline complex campaigns. The purpose-built HECVAT Uploader ingests completed vendor spreadsheets, maps answers, and auto-populates scores and evidence, eliminating manual entry and version drift.
  • Questionnaires & surveys: Reduce time spent on assessment tasks with collaborative, structured questionnaires. Multiple contributors answer the questions closest to their area of responsibility, upload evidence inline, and route for approval without email back-and-forth.
  • Inventory management: Reduce time spent managing vendor records across disconnected spreadsheets and procurement systems. A centralized vendor inventory links each vendor product, data classification, and owning unit directly to its assessment history and risk posture.

Streamline HECVAT compliance with Isora GRC. Higher education institutions managing GLBA-driven vendor oversight can also explore IT Risk Management Software for Higher Education.

Key Takeaways

EDUCAUSE develops and maintains HECVAT as a structured due-diligence tool that higher education institutions use to evaluate vendor security, privacy, accessibility, and operational practices. HECVAT is not a regulation, certification, or legal status. HECVAT compliance means a vendor has completed the HECVAT questionnaire and their responses satisfy the reviewing institution’s security, privacy, accessibility, and operational standards.

Acceptance is institution-specific. Each reviewer applies its own risk tolerance and procurement criteria, so the same completed workbook may be approved by one institution and flagged for remediation by another. HECVAT 4 addresses HIPAA, PCI DSS, FERPA, and GDPR through dedicated question sets and aligns with NIST CSF, CIS Controls, and ISO 27001 through governance documentation, but completing a HECVAT does not establish compliance with those frameworks. The Safeguards Rule requires Title IV institutions to assess service providers, and HECVAT is the tool higher education uses to meet that obligation.

For a full overview of the toolkit, including versions, scoring, the assessment process, and framework comparisons, see What Is HECVAT? The Complete Guide for Higher Education. To streamline HECVAT assessments at scale, explore Isora GRC.

HECVAT Compliance FAQs

Is HECVAT compliance mandatory?

No. HECVAT is a voluntary assessment tool with no regulatory mandate. Most colleges and universities still require vendors to complete it as part of procurement, and vendors that skip the assessment risk being unable to progress through institutional review.

Is HECVAT a certification?

No. HECVAT is not a certification. EDUCAUSE provides the workbook and guidance but does not certify vendors. Institutions evaluate completed responses against their own risk tolerance and procurement standards, and no credential is issued.

Where can I download HECVAT?

HECVAT 4 (current version: 4.1.5) is available directly from EDUCAUSE. Click the Download HECVAT 4 button on the page to access the Microsoft Excel workbook (.xlsx). It is free for everyone.

How does HECVAT relate to FERPA?

FERPA is a federal law protecting student educational records. HECVAT addresses FERPA through Privacy tab question PRGN-01 (whether the solution processes FERPA-related data) and Case-Specific question OPEM-06 (on-premises FERPA-compliant handling). Completing HECVAT does not establish FERPA compliance, but it helps institutions identify vendors with the right controls to protect student records.

What compliance frameworks does HECVAT align with?

HECVAT 4 includes specific question sets for HIPAA (HIPA-01–HIPA-29), PCI DSS (PCID-01–PCID-12), FERPA (PRGN-01), and GDPR/PIPL (INTL-01–INTL-05). For NIST CSF, DOCU-04 asks vendors whether they conform to a specific industry standard security framework such as NIST CSF, CIS Controls, or ISO 27001. AIPL-05 asks whether the vendor’s AI practices align with the NIST AI Risk Management Framework. GLBA lacks dedicated question IDs in the workbook, but its broader security and privacy requirements are reflected indirectly across the Organization, Product, and Infrastructure tabs.

Do institutions need both HECVAT and SOC 2?

Many higher education institutions request both, since they serve different purposes. SOC 2 is an independent third-party audit that verifies a vendor’s controls; HECVAT is a self-assessment covering security, privacy, accessibility, and operations in the higher education context. A vendor’s SOC 2 report can support HECVAT review but does not replace the questionnaire.

This content is for informational purposes only and does not constitute legal or compliance advice. See our full disclaimer.
