HECVAT 3.0 Launches … to Outer Space?

min read

Updates to the Higher Education Community Vendor Assessment Toolkit modernize the questions, improve usability, and add accessibility as a new dimension for product assessment.

HECVAT 3.0 Launches … to Outer Space?
Credit: ker_vii / Shutterstock.com © 2021

The Higher Education Community Vendor Assessment Toolkit (HECVAT) team is launching HECVAT Lite 3.0! We mentioned in our last articleFootnote1 that the update was in development, and the updates drove us to do a major new release this year. Working on community projects such as HECVAT has many similarities to projects on a campus, and it feels good to get something new released and make progress addressing the needs of the community!

One of the most important parts of a project is to thank the hardworking project team. For HECVAT, the project team is all volunteers working to improve cloud security and vendor risk management across the research and higher education communities. Many thanks to the group! We list all the contributors in the Acknowledgments worksheet in HECVAT. The list keeps getting longer and longer, with many people from across the higher education landscape.

The HECVAT team recognizes the reliance the higher education and vendor communities have on the toolkit. We also realize that each release requires significant resource investment to bring it into full production. We are committed to having just this one release over the next twelve months. Any additional releases in 2022 will only encompass bug fixes and grammatical corrections identified by the community.

On some of the presentations by the HECVAT team, we've heard about interesting HECVAT uses, including one about a HECVAT salad robot—check it out in this video! You can watch the whole video for other examples. With all the recent rocket launches and knowing that lots of campuses do launch things into outer space, let us know if your campus has done a HECVAT for something launched into outer space or your most interesting HECVAT so we can include it in the next article or presentation.

HECVAT Updates

Let's get into the updates:

  • Question Revisions: Most of the questions have been updated to better reflect the modern cloud. Some of the questions were older than HECVAT itself because they came from the original campus questionnaires used to build HECVAT. Some of these updates were to clarify the shared responsibility for cloud security and supply-chain security. The team critically scrutinized each question. They looked at how to reduce confusion and eliminate any unnecessary questions. The language changed, but the intent and context remain the same. Some questions were removed by adding better guidance in other questions. Much of the feedback we received from the community concerned the questions, and most of the changes were made based on this feedback.
  • Expansion to Include Accessibility: An additional question section with accompanying guidance was added to specifically address the accessibility of technology solutions. These questions were developed—and will be maintained—by the EDUCAUSE IT Accessibility Community Group. Find out all the details in the EDUCAUSE Review article "Asking the Right Questions for Procuring Inclusive, Accessible Technology."
  • Updates to Identity and Access Management: We took a deep dive with the InCommon Technical Advisory Committee (TAC) for a redesign of the identity and authentication of the HECVAT. The section is now reflective of expectations and assessment requirements for identity, authentication, and authorization.
  • Reorganization for Ease of Use: Moved authoritative content (e.g., questions, guidance, crosswalks) to the Questions worksheet to make it easier to maintain and easier for campuses to export the questions to a third-party tool.
  • New Crosswalks: We have updated the crosswalks that were developed by community volunteers.

Similar updates for HECVAT Full are under way and will be released after the EDUCAUSE Annual Conference.

We recognize that updating all the questions is a major change, and the potential impact on service providers and campuses is substantial. As we worked through this update and received preliminary feedback, we came to realize how significant this update is for the community and the service providers partnering with higher education. We know it takes time for the community, service providers, and individual campuses to update their processes, documentation, and existing HECVATs.

We expect that service providers using HECVAT Lite will migrate to using HECVAT 3.0 during their next regularly scheduled update of their security documentation (hint to vendors: we recommend updating your HECVAT on a yearly basis or, if appropriate, more often). This update doesn't invalidate previous work, and that previous work streamlines completing the updated HECVAT. So if you're in the middle of completing a HECVAT 2.0, wrap that up and let us know so it can be shared in the REN-ISAC Community Broker Index (CBI). We'll be reaching out to service providers in the CBI to request updates of the listed HECVATs.

Future Work

There's more to come on this update as we work through publishing the update, creating more documentation and FAQs, conducting outreach, and fostering community engagement. If you're interested in helping work on the documentation into 2022, please reach out to us. After the new version is released, we're going to work on how to assess app stores, LTI, and integrations. With EDUCAUSE moving Community Groups to the new and exciting EDUCAUSE Connect platform, we're hoping to have a more centralized place to collect feedback, share documentation, and engage with the community.

If you have any questions, please reach out to us at [email protected] or through the EDUCAUSE Connect platform in the HECVAT Users Community Group.

Our next presentation is a session at the EDUCAUSE Annual Conference called "HECVAT Transforms Third-Party Risk Assessments," on Friday, October 29, 8:30 a.m. Eastern time, in Philadelphia! We will focus on updating the community on the new release, but having a fun example of HECVAT would be great! We hope to see you there, answer your questions, and hear your feedback.


  1. Nick Lewis, "The HECVAT: A 5-Year Anniversary Update," EDUCAUSE Review, July 26, 2021. Jump back to footnote 1 in the text.

Nick Lewis is Program Manager for Security and Identity at Internet2.

© 2021 Nick Lewis. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.