The HECVAT: A 5-Year Anniversary Update

min read

As the Higher Education Community Vendor Assessment Toolkit (HECVAT) celebrates its five-year anniversary in 2021, it is undergoing a major makeover.

The HECVAT: A Five-Year Anniversary Update
Credit: Ink Drop / © 2021

It seems like the rest of the world is moving fast when you're focused on local priorities and getting your day job done. The Higher Education Community Vendor Assessment Toolkit (HECVAT) team has stayed busy since our last update in late 2020,Footnote1 and we have plans to share for 2021.

Developments Since October 2020

Things are developing so quickly that the HECVAT team almost missed the fact that the HECVAT is now five years old! We're trying to transition from an early-stage start-up to a more mature start-up that still moves fast. While looking at the past five years, we realized that over 100 community volunteers have participated in the HECVAT, contributing thousands of hours to this community project and making it the success that it is now. Many thanks to everyone who participated over the last five years and special thanks to the members of the core team for their continuing work: Jon Allen from Baylor University (co-chair), Josh Callahan from Humboldt State University, Charlie Escue from Indiana University (co-chair), Brian Kelly from EDUCAUSE, Sheryl Swinson from the REN-ISAC, and myself. We keep an updated list of the more than 120 US and international campuses that are using the HECVAT, along with a list of 30-plus vendors in the REN-ISAC Community Broker Index. (Let us know if you want to be added to either list.) We're also looking at how to keep the HECVAT sustainable for the next five years.

As a part of further engaging with the community, we've built the HECVAT Users email list for members to discuss use of the HECVAT and support each other using the HECVAT. We also presented at the EDUCAUSE Cybersecurity and Privacy Professionals Conference and gave an update to the community during the "Stump the HECVAT Team!" session. We also had a couple of Braindates at the conference to encourage small group and one-on-one discussions on the HECVAT.

2021 Plans

The HECVAT is getting a major makeover this year. Most of the questions are being updated. We're starting with the condensed HECVAT Lite because we know that's used the most, and then we'll make changes in the full HECVAT. This will be the biggest modification since we added scoring in 2019. We're partnering with the InCommon Technical Advisory Committee on the questions related to identity and access management and with the EDUCAUSE IT Accessibility Community Group to add some accessibility questions. We've also talked with members of the EDUCAUSE Higher Education Chief Privacy Officers (HE-CPO) Community Group, and it sounds like there's future interest there as well. Over the next month or so, members of the HECVAT subgroup working on the tools will finish finalizing the questions and adding the weighting. We're potentially incorporating a tab to make it easier to export the questions out of the HECVAT and import them into other tools a campus may be using. We'll send an update to the HECVAT Users email list when we're ready for some Q&A, and we may ask for volunteers to spend four to eight hours doing new crosswalk mappings. As we did in 2020, we may also do another community call to go over the updates, or we may have a session at the EDUCAUSE Annual Conference in Philadelphia in October. Stay tuned to the HECVAT Users email list for updates.

The documentation group is compiling FAQ questions, and then we'll work on documentation for the new version. We're sensitive to the significance of this change and are determining how best to work with the community to transition everyone to the new version once it comes out. We know documentation will be needed to ensure smooth transitions from the old version to the new version.

After the new version is released, we're going to work on how to assess app stores, LTI, and integrations. We're currently looking at what some other groups have done around similar topics to see if we can adapt their work, and we're looking to partner with other groups to help meet this community need. We've talked with those at the NET+ Cloud Scorecard, the EDUCAUSE Vendor Risk Assessment Program [], and other groups to ensure we're coordinating across the community.


In closing, the past five years have been great, and we're planning for the next five years! We have a big makeover coming and will share updates once it's ready. We appreciate all the suggestions, feedback, and sharing of how people are using the HECVAT. In the meantime, please reach out to the HECVAT team at [email protected] with questions.


  1. Nick Lewis, "HECVAT 2020 and Beyond," EDUCAUSE Review, October 13, 2020. Jump back to footnote 1 in the text.

Nick Lewis is Program Manager for Security and Identity at Internet2.

© 2021 Nick Lewis. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.