HECVAT 4: What’s New in the Latest Version
HECVAT 4 (v4.1.5), released February 10, 2025, is the largest update to the Higher Education Community Vendor Assessment Toolkit since its initial publication in 2016.
With its launch, three questionnaire versions became one, AI governance became a conditional assessment domain, and privacy received a dedicated section. Meanwhile, the Community Broker Index (CBI) was retired on July 31, 2025 — institutions and vendors now exchange assessments directly.
This guide covers what changed in HECVAT 4, how the new AI and ML requirements work, and what institutions and vendors need to do to prepare.
What Is HECVAT 4?
HECVAT 4 is the latest version of the Higher Education Community Vendor Assessment Toolkit, released February 10, 2025 by EDUCAUSE (current version: v4.1.5).
Developed in collaboration between higher education institutions, community volunteers, Internet2, and REN-ISAC, HECVAT 4 consolidates the Full, Lite, and On-Premise versions into a single unified workbook with conditional logic. It also adds new assessment domains for AI/ML governance, expanded privacy controls, and dedicated IT Accessibility evaluation.
HECVAT 4.1.5 is the most current version of the Higher Education Community Vendor Assessment Toolkit, published in 2025, consolidating the previous HECVAT versions (Full, Lite, and On-Premise) into one workbook.
Even though cloud services, AI-driven tools, and data-intensive platforms now underpin most campus operations, 63% of institutions still lack a formal third-party risk management process. At the same time, the 2026 EDUCAUSE Top 10 lists vendor risk management as a top institutional IT priority. HECVAT 4 addresses these gaps by expanding assessment scope to cover security, privacy, accessibility, and AI governance in a single framework.
Instead of selecting between Full, Lite, or On-Premise questionnaires, vendors now complete a core set of questions. The workbook’s “Start Here” tab then routes them through additional sections based on solution type, deployment model, and data types. Institutions tailor evaluation scope based on risk tolerance and review requirements.
EDUCAUSE holds the copyright for the toolkit and provides it free of charge to institutions and vendors. HECVAT has 240+ institutional adopters, 41,000+ downloads between 2019 and 2023, and 39,000 additional downloads in 2024 alone.
For a full overview of the HECVAT framework, versions, scoring, and assessment process, see our complete HECVAT guide.
Key Changes in HECVAT 4
HECVAT 4 changes how institutions and vendors complete, review, and interpret the questionnaire across structure, scope, and evaluation workflow.
| Category | HECVAT 3 | HECVAT 4 | Impact |
| --- | --- | --- | --- |
| Questionnaire Structure | Three separate templates (Full, Lite, On-Prem) | Single unified workbook with conditional logic; Start Here tab routes assessment scope dynamically | Eliminates version confusion; scope determined by solution type, deployment model, and data types |
| AI/ML Assessment | Limited or no AI questions | Conditional AI domain (32 questions): triggered by Start Here triage; distinguishes ML vs LLM with structured sub-sections | Evaluates AI governance, training data practices, bias controls, and human oversight |
| Privacy Assessment | Privacy as sub-section | Dedicated Privacy tab (69 questions) developed by Chief Privacy Officers community; covers data lifecycle, regulatory scope (FERPA, GDPR), third-party sharing, data minimization | Privacy governance elevated; requires substantive implementation evidence, not just policy statements |
| IT Accessibility | Minimal accessibility questions | Dedicated IT Accessibility section (19 questions) aligned with WCAG 2.1 AA | Supports ADA compliance; assesses documentation, testing, and remediation processes |
| Evaluation Workflow | Single Analyst Report tab | Three evaluation views: Institution Evaluation, High-Risk Evaluation, Privacy Analyst Evaluation | Role-specific analysis for security, privacy, and procurement stakeholders |
| Institutional Scoring | All questions weighted equally | Flexible scoring: customizable weights, non-negotiable designations, Critical Importance filtering | Institutions tailor assessments to risk profile; scale from lightweight to full review within one workbook |
| Standards Crosswalk | NIST, ISO, COBIT crosswalk included | Removed | Streamlines questionnaire; reduces vendor confusion on framework alignment |
| Community Broker Index | Centralized repository for sharing completed HECVATs | Retired (July 31, 2025); assessments exchanged directly between providers and institutions | Ensures assessments reflect current security posture; eliminates stale stored assessments |
| Documentation Resources | Distributed documentation | Centralized EDUCAUSE resource hub with persona-based guidance for Evaluators, Service Providers, and Campus Community | Role-tailored documentation improves onboarding and adoption |
The consolidated structure organizes the assessment into 7 primary sections with 321 total questions. Institutions that previously used HECVAT Lite can replicate that approach by focusing on “Critical Importance” questions — the High-Risk Evaluation view aggregates these for faster review, providing lightweight assessment capability without a separate workbook.
EDUCAUSE also obtained trademark and copyright protection for the HECVAT brand, signaling long-term commitment to maintenance and development.
HECVAT 4 vs Previous Versions
HECVAT has evolved through four major versions since its 2016 launch. Each version expanded assessment scope, but HECVAT 4 represents the most significant structural shift — from static version selection to dynamic conditional logic.
| Dimension | HECVAT 2 (2018-2019) | HECVAT 3 (2021-2024) | HECVAT 4 (2025-Today) |
| --- | --- | --- | --- |
| Release Date | 2018 | 2021 | February 10, 2025 (v4.1.5) |
| Primary Structure | Single questionnaire | 3 templates (Full, Lite, On-Premise) | Single unified workbook; Start Here tab routes scope dynamically |
| Question Count | ~200 | Full: 250+, Lite: 62, On-Prem: varies | 321 (consolidated across 7 sections) |
| AI/ML Coverage | None | Minimal | Conditional AI domain (32 questions; ML + LLM sub-sections) |
| Privacy Section | Basic | Embedded in general compliance | Dedicated Privacy tab (69 questions); data lifecycle, regulatory scope, governance |
| Accessibility Focus | Minimal | Minimal | Dedicated IT Accessibility section (19 questions; WCAG 2.1 AA) |
| Evaluation Model | Basic scoring | Single Analyst Report tab | Three evaluation views + Analyst Reference tab; customizable scoring weights |
| Trademark | No | No | Yes (protected by EDUCAUSE) |
| Adoption | ~15,000 institutions | ~30,000 institutions | 41,000+ downloads (first 2 months) |
The shift from HECVAT 3 to HECVAT 4 goes beyond updated question content — it changes the fundamental assessment model. In HECVAT 3, the structure depended on which workbook an institution selected. In HECVAT 4, the structure is dynamic: the Start Here tab functions as a triage mechanism, filtering irrelevant sections and tailoring the questionnaire to each solution’s characteristics.
New AI and ML Requirements in HECVAT 4
The AI/ML domain is HECVAT 4’s most significant addition. No prior version assessed AI practices, even though 63% of institutions’ procurement processes now account for or plan to account for AI products and only 39% have AI-related Acceptable Use Policies. The section operates as a conditional domain, triggered by the Start Here triage tab only when a vendor indicates AI features are in use or planned within 12 months.
Once triggered, the workbook requires vendors to classify their technology as Machine Learning (ML), Large Language Models (LLMs), or both. This classification dynamically routes vendors to the relevant sub-sections.
AI Capability Classification
Vendors describe their AI capabilities — text, image, audio, video, or code generation; visual interpretation; predictive analytics; or other automated processing. This classification enables institutions to understand not just what the AI does, but how it operates within the solution’s architecture.
Governance Expectations
HECVAT 4 requires evidence that AI systems are governed within a formal risk and accountability framework:
- Formal AI risk frameworks: Alignment with NIST AI Risk Management Framework or equivalent structured methodologies
- Formal AI policies: Clearly defined, publicly articulated, and effectively implemented
- Risk identification and measurement: AI risks identified, assessed, and actively managed
- Operational controls: AI features capable of being disabled in a timely manner (“kill switch” for risk containment)
- Responsible AI training: Staff in AI development or oversight roles must receive responsible AI training
Risk Considerations
Beyond governance structure, HECVAT 4 evaluates how AI systems interact with sensitive institutional environments:
- Data unlearning and removal: Sensitive data must be traceable and removable from training sets, vector stores, and memory components
- Institutional data use: The questionnaire explicitly asks whether user inputs (queries, uploads) are used to fine-tune or influence AI model behavior
- Auditability and logging: AI activity must be logged with sufficient detail for compliance and incident response
- Input validation: Mechanisms to detect anomalous or harmful inputs
- Supply chain risk: Third-party AI provider risks must be disclosed and addressed
ML-Specific Requirements
When a vendor identifies their solution as using Machine Learning, additional disclosures are required:
- Separation of training and production data; institutional data segregation
- Training data validation, vetting, and data poisoning mitigation
- Monitoring and auditability of training datasets over time
- Access controls restricting ML training data to defined business need
- Model integrity controls (adversarial training, defensive mechanisms) — aligned with the NIST AI 100-2 adversarial ML taxonomy (updated March 2025), which now covers prompt injection, AI supply chain risks, and data poisoning
- Training data watermarking and provenance controls (dataset fingerprinting)
LLM-Specific Requirements
Vendors using Large Language Models face a parallel set of controls:
- Default privilege limitations and trust boundaries between model, data sources, and plugins
- Training data sourcing, licensing, validation, and refresh practices
- Human-in-the-loop controls for sensitive or high-impact downstream actions
- Plugin and tool invocation restrictions (chained automation risk)
- Resource usage controls (tokens, API calls, CPU/memory quotas)
- Model tuning and validation mechanisms (retrieval augmentation, human review workflows)
Both affirmative and negative responses trigger expanded disclosure. Vendors answering “No” must explain compensating safeguards, governance alternatives, or current management practices. This accountability model moves beyond check-the-box compliance — institutions can assess not only the controls themselves but the vendor’s overall AI maturity and risk posture.
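As an added illustration (not EDUCAUSE's workbook logic and not code from this page), the following Python models the two mechanisms described above: the Start Here triage that opens the AI domain and its ML/LLM sub-sections, and an institutional evaluation with customizable weights, non-negotiable gates, Critical Importance filtering for the High-Risk view, and the rule that a "No" must come with compensating safeguards. Section names, question IDs, weights and responses are constructed for the example and are not HECVAT's own.

```python
from dataclasses import dataclass

@dataclass
class Question:
    qid: str
    section: str            # "Core", "AI", "AI-ML", "AI-LLM", ...
    critical: bool = False  # "Critical Importance": feeds the High-Risk view

@dataclass
class Response:
    answer: str             # "Yes" or "No"
    explanation: str = ""   # a "No" must describe compensating safeguards

def route_sections(ai_in_use_or_planned_12mo, ai_kinds):
    # Start Here triage: AI domain only if AI is in use or planned within 12
    # months; the vendor's ML/LLM classification selects the sub-sections.
    sections = {"Core"}
    if ai_in_use_or_planned_12mo:
        unknown = set(ai_kinds) - {"ML", "LLM"}
        if unknown:
            raise ValueError(f"unknown AI classification: {unknown}")
        sections |= {"AI", *(f"AI-{k}" for k in ai_kinds)}
    return sections

def evaluate(questions, responses, weights, non_negotiable, sections):
    # Weighted score over in-scope questions, hard failure on any
    # non-negotiable "No", plus a High-Risk view of Critical Importance items.
    earned = possible = 0.0
    failed, incomplete, high_risk = [], [], {}
    for q in (q for q in questions if q.section in sections):
        r = responses.get(q.qid)
        if r is None or (r.answer == "No" and not r.explanation.strip()):
            incomplete.append(q.qid)  # missing, or a bare "No" with no safeguards
            continue
        w = weights.get(q.section, 1.0)
        possible += w
        if r.answer == "Yes":
            earned += w
        elif q.qid in non_negotiable:
            failed.append(q.qid)
        if q.critical:
            high_risk[q.qid] = r.answer
    return {"score": round(100 * earned / possible, 1) if possible else 0.0,
            "failed_non_negotiable": failed, "incomplete": incomplete,
            "high_risk_view": high_risk, "passes": not failed and not incomplete}

# Constructed sample: an LLM-only vendor with two gaps (IDs are not HECVAT's).
QUESTIONS = [
    Question("CORE-01", "Core", critical=True),
    Question("AI-01", "AI", critical=True),
    Question("LLM-01", "AI-LLM"),
    Question("LLM-02", "AI-LLM", critical=True),
    Question("ML-01", "AI-ML"),  # routed out of scope for an LLM-only vendor
]
RESPONSES = {
    "CORE-01": Response("Yes"),
    "AI-01": Response("No", "AI features can be disabled per tenant"),
    "LLM-01": Response("Yes"),
    "LLM-02": Response("No"),  # bare "No": no compensating safeguards given
}

def sample_evaluation():
    weights = {"Core": 1.0, "AI": 2.0, "AI-LLM": 2.0}
    return evaluate(QUESTIONS, RESPONSES, weights, {"AI-01"}, route_sections(True, {"LLM"}))
```

The sample vendor scores 60% on the in-scope questions but still fails: the non-negotiable "kill switch" question is answered "No", and one Critical Importance question has a bare "No" with no safeguards described.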
HECVAT 4’s AI section aligns with the NIST AI RMF and its companion Generative AI Profile (AI 600-1), which provides 200+ suggested actions across Govern/Map/Measure/Manage for generative AI risks. EDUCAUSE’s AI Ethical Guidelines working group paper (June 2025) provides additional context for AI vendor collaboration and transparency expectations in higher education.
How to Prepare for HECVAT 4
The transition from HECVAT 3 to HECVAT 4 requires more than remapping questions — internal documentation needs to support HECVAT 4’s broader expectations around AI, privacy, and accessibility.
Emerging state AI governance laws add further urgency to the transition. Colorado SB 24-205 (effective February 2026) requires deployers of high-risk AI systems to conduct annual impact assessments and review vendor contracts for downstream compliance. Two Illinois AI laws effective January 2026 restrict AI as sole instruction and prohibit discriminatory AI in HR decisions at educational employers. These laws create procurement due diligence obligations that HECVAT 4’s expanded framework directly supports.
EDUCAUSE provides a HECVAT 4 change log / migration guide that maps HECVAT 3 questions to their v4 counterparts, identifying where questions were consolidated, restructured, expanded, or removed. The pre-launch article “Coming in January: HECVAT 4” provides additional context on the design goals behind the consolidation.
For Institutions
- Review the migration guide (Weeks 1–2). Map HECVAT 3 questions to v4 counterparts. Use the Issue Tracker tab for post-launch refinements and guidance updates.
- Audit the current vendor portfolio (Weeks 1–2). Map existing vendors against the new framework structure. Identify which vendors trigger the AI, Privacy, or Accessibility sections.
- Define institutional scoring (Weeks 2–4). Identify “non-negotiable” controls and customize weight categories in the Institution Evaluation tab.
- Train the assessment team (Week 4). Provide EDUCAUSE HECVAT 4 training; leverage the HECVAT Users Community Group.
- Plan vendor communication (Weeks 5–6). Update assessment process documentation. Note that CBI retirement means direct HECVAT exchanges only.
- Implement in a GRC platform (Weeks 6–8). Deploy the v4 template and begin sending assessments. Internet2’s NET+ program launched UpGuard (April 2026) as a community-vetted, HECVAT-integrated TPRM platform specifically designed for research and education institutions.
Why It Matters
HECVAT 4’s consolidated format produces stronger assessment outcomes for institutions and vendors alike. Vendors complete one questionnaire instead of juggling multiple versions, which means more thorough, consistent responses. Institutions gain a single evaluation framework that surfaces compliance gaps more clearly — the unified scoring model and role-specific evaluation views make it easier to identify where vendors excel and where remediation is needed. The adaptive structure also lowers the barrier for smaller vendors, expanding the pool of assessable providers without sacrificing evaluation depth.
For Vendors
The transition raises the bar for vendor preparedness. Vendors that lack documentation for AI governance, privacy practices, or accessibility testing may face delays or disqualification during procurement. Institutions increasingly treat HECVAT completion as a prerequisite for contracts involving FERPA, GLBA, HIPAA, or emerging state AI regulations — incomplete or outdated responses can remove a vendor from consideration before the evaluation begins.
- Review the migration guide. Use the section-level crosswalk tabs (Organization, Product, Infrastructure, IT Accessibility, Case-Specific) to map legacy responses to HECVAT 4 designations.
- Update internal documentation. Review and refresh AI governance policies, data retention and minimization practices, accessibility testing documentation, logging and monitoring procedures, and third-party supply-chain risk disclosures.
- Prepare for conditional sections. Answer the Start Here qualifying questions (REQU-01 through REQU-08) to determine which assessment tabs apply to the solution.
- Address the CBI retirement. Since the Community Broker Index was retired on July 31, 2025, institutions now request current HECVATs directly. Ensure the assessment reflects current operational practices, not legacy responses.
Full transition typically takes 8–10 weeks from planning to deployment for most institutions.
For broader context on building a vendor risk management program around the HECVAT, see Establishing a VRM Program with the HECVAT.
How to Simplify the HECVAT
HECVAT 4’s expanded scope — 321 questions across seven sections, new AI and privacy domains, dedicated evaluation views — increases assessment complexity. Isora GRC is the collaborative GRC Assessment Platform™ built for security teams to manage HECVAT assessments in one connected workspace.
Assessment management: Organize assessments by compliance goal to streamline complex campaigns. The purpose-built HECVAT Uploader ingests completed vendor spreadsheets, maps answers, and auto-populates scores and evidence — eliminating manual entry and version drift. Institutions migrating from HECVAT 3 can upload existing assessments and have responses automatically mapped to v4 counterparts, reducing duplicate work during the transition.
Questionnaires & surveys: Reduce time spent on assessment tasks with collaborative, structured questionnaires. Multiple contributors answer the questions closest to their area of responsibility, upload evidence inline, and route for approval without email back-and-forth.
Inventory management: Maintain a centralized record of all vendor products, deployment details, documentation, and risk data — linked directly to assessment results for full visibility into vendor risk posture across the portfolio.
Key Takeaways
HECVAT 4 consolidates Full, Lite, and On-Premise into a single unified workbook — replacing static version selection with dynamic conditional logic that routes assessment scope based on solution type, deployment model, and data types.
The update adds dedicated assessment domains for AI/ML governance, privacy, and IT accessibility, expanding institutional visibility into vendor practices that no prior HECVAT version evaluated at this depth.
Full transition from HECVAT 3 typically takes 8–10 weeks. For a complete overview of the HECVAT framework, versions, and scoring, see our complete HECVAT guide.
HECVAT 4 FAQs
When was HECVAT 4 released?
HECVAT 4 was released on February 10, 2025 by EDUCAUSE. The current version is v4.1.5. The toolkit was downloaded 41,000+ times between 2019 and 2023.
Does HECVAT 4 still have Lite and Full versions?
No. HECVAT 4 consolidated Full, Lite, and On-Premise into a single unified workbook. The Start Here tab dynamically routes assessment scope. Institutions can replicate the legacy Lite approach by focusing on “Critical Importance” questions in the High-Risk Evaluation view.
What AI questions does HECVAT 4 include?
HECVAT 4 introduces a conditional AI/ML domain (32 questions) triggered by the Start Here tab. It distinguishes between Machine Learning and Large Language Model implementations, covering AI governance, risk management, training data practices, and operational controls.
Is the HECVAT crosswalk still available?
No. HECVAT 4 removed the NIST/ISO/COBIT standards crosswalk to streamline the questionnaire. The Community Broker Index (CBI) was also retired on July 31, 2025.
How do institutions transition from HECVAT 3 to HECVAT 4?
Start with the EDUCAUSE HECVAT 4 change log / migration guide, which maps v3 questions to v4 counterparts. Review the Issue Tracker for post-launch refinements, then update internal documentation for AI governance, privacy, and accessibility. Full transition typically takes 8–10 weeks.
Do vendors need to reassess on HECVAT 4 immediately?
Not immediately. Vendors assessed recently on HECVAT 3 can wait until the standard re-assessment cycle. However, since the CBI was retired, institutions now request current assessments directly — stale legacy responses may not reflect HECVAT 4’s expanded expectations.
This content is for informational purposes only and does not constitute legal or compliance advice. See our full disclaimer.