HECVAT stands for Higher Education Community Vendor Assessment Toolkit. It attempts to generalize higher education information security and data protection issues for consistency and ease of use.

Of course, some institutions may have specific issues that must be addressed in addition to the general question sets provided in the toolkit; however, it is meant to address as many key questions as possible to ensure strong security. It is anticipated that the HECVAT will be revised over time to account for changes in services provisioning and the information security and data protection needs of higher education institutions.

HECVAT addresses a handful of needs for higher education institutions:

  • Helps higher education institutions ensure that vendor services are appropriately assessed for security and privacy needs, including some that are unique to higher education
  • Allows a consistent, easily adopted methodology for campuses wishing to reduce costs through vendor services without increasing risks
  • Reduces the burden that service providers face in responding to requests for security assessments from higher education institutions

How is Black Kite implementing HECVAT compliance automation in the Black Kite intelligence platform?

Black Kite automates the entire vendor risk management process including HECVAT compliance. HECVAT was created by the Higher Education Information Security Council (HEISC) Shared Assessments Working Group and was specifically designed for higher education to measure vendor risk.

Before working with a third-party vendor, the REN-ISAC recommends that organizations have vendors complete a HECVAT questionnaire. This confirms that information, data, and cybersecurity policies are in place to protect your sensitive institutional information and students’ PII.

Currently, Black Kite offers HECVAT Lite 3.03 for automatic compliance mapping in addition to full continuous monitoring of each third-party vendor.

HECVAT compliance levels are presented based on the correlation between Black Kite’s technical report and requirements from international standards such as ISO 27001, NIST 800-53, NIST CSF, and PCI DSS 3.2.1.

Parse, analyze and map results to HECVAT controls in less than 30 seconds using Black Kite’s automated parser

Using the UniQuE Parser, upload vendor HECVAT questionnaires or any security policy documents to:

  • Understand which HECVAT controls are met and which need more work
  • Piece together existing gaps within the organization
  • Compile Requests for Information/Proposal (RFI/RFP) quickly, without having to review documents line by line

By exploring beyond the dashboard in the platform, you can discover how each category and its findings map back to specific HECVAT controls and whether information overlaps with other security frameworks.

Who is utilizing the HECVAT questionnaire?

  • Aims Community College
  • Adelphi University
  • American University
  • Amherst College
  • Angelo State University
  • Appalachian State University
  • Art Institute of Chicago
  • Auburn University
  • Baldwin Wallace University
  • Bates College
  • Baylor University
  • Berry College
  • Black Hills State University
  • Boston College
  • Bowling Green State University
  • Brown University
  • Bucknell University
  • Buena Vista University
  • California Baptist University
  • California State University, all Campuses and System
  • Carnegie Mellon University
  • Carthage College
  • Central Washington University
  • Champlain College
  • City College of San Francisco
  • Clark College
  • Clarkson University
  • Colgate University
  • College of St. Benedict
  • Columbia University – Teachers College
  • Columbus State Community College
  • Cornell University
  • Daemen College
  • Davidson College
  • Denison University
  • DeSales University
  • Drake University
  • Drexel University
  • Duke University
  • Duquesne University
  • East Carolina University
  • Emporia State University
  • Ferris State University
  • Florida Atlantic University
  • Florida Gulf Coast University
  • Florida International University
  • Foothill-De Anza Community College District
  • Franklin & Marshall College
  • Gallaudet University
  • Georgia Institute of Technology
  • Griffith University (Australia)
  • Hamilton College
  • Hamline University
  • Harper College
  • Hillsborough Community College
  • Husson University
  • Indiana University
  • Indiana Wesleyan University
  • Institute for Advanced Study
  • Ithaca College
  • James Madison University
  • John Carroll University
  • Kent State University
  • Lamar University
  • Lehigh University
  • LeTourneau University
  • Linfield College
  • Longwood University
  • Loyola Marymount University
  • MacEwan University
  • Madison College
  • Methodist University
  • Metropolitan Community College
  • Miami University
  • Michigan State University
  • Middle Tennessee State University
  • Montclair State University
  • Montgomery College
  • Moravian University
  • Morgan State University
  • Niagara College
  • North Carolina Central University
  • Northern Arizona University
  • Norwich University
  • Oakland University
  • Ohio Northern University
  • Oregon State University
  • Pace University
  • Pacific University Oregon
  • Pennsylvania College of Health Sciences
  • Pepperdine University
  • Princeton University
  • Radford University
  • Rice University
  • Rider University
  • Rochester Institute of Technology
  • Rowan University
  • Rutgers University
  • Saint Elizabeth University
  • Saint John’s University
  • Sam Houston State University
  • San Diego State University
  • Southern Alberta Institute of Technology
  • Southeastern Community College
  • Springfield College
  • St. Petersburg College
  • State University of New York at New Paltz
  • Stony Brook University
  • Suffolk County Community College
  • Susquehanna University
  • Tennessee Tech University
  • Texas A&M University
  • Texas State University
  • The State University of New York – System Administration
  • Thomas Jefferson University
  • Trinity University (San Antonio, Texas)
  • Troy University
  • Truman State University
  • Tufts University
  • University of Arizona
  • University of Baltimore
  • University of California
  • University of California, Davis
  • University of California, Riverside
  • University of Cincinnati
  • University of Central Florida
  • University of Delaware
  • University of Denver
  • University of Detroit Mercy
  • University System of New Hampshire
  • University of Idaho
  • University of Maine System
  • University of Maryland Baltimore
  • University of Massachusetts Amherst
  • University of Nebraska System
  • University of North Carolina Wilmington
  • University of Oregon
  • University of Portland
  • University of Rhode Island
  • University of Richmond
  • University of Tennessee, Knoxville
  • University of Texas at Austin
  • University of Toledo
  • University of Utah
  • University of Virginia
  • Virginia Community College System
  • Virginia Tech
  • West Texas A&M University
  • West Virginia University
  • Western Carolina University
  • Western Connecticut State University
  • Western Michigan University
  • William & Mary
  • Williams College
  • Winthrop University
  • Worcester Polytechnic Institute (WPI)
  • Yavapai College
  • York University