Moving the HECVAT from Cloud to Community

min read

The HECVAT has a new name (Higher Education Community Vendor Assessment Toolkit), two updated versions of the questionnaire (full and lightweight), and two new tools (on-premises and triage).

virtual locking padlock on cityscape background
Credit: Khakimullin Aleksandr / © 2019

It's been quite a while since the last Higher Education Community Vendor Assessment Toolkit (HECVAT) update, so I'll try to provide some highlights of the Phase IV working group's accomplishments over the past year.1 Space does not allow me to address in this blog post many of the questions the HECVAT core team frequently hears from community members, but we are developing an FAQ for the HECVAT website and planning for more communication with the community. Please stay tuned!

Who Is Using the HECVAT?

The list of organizations using the HECVAT continues to grow as more campuses and corporate partners learn about this resource developed by and for the higher education community. Currently, eighty-five colleges and universities in the United States and Canada and more than twenty-five service providers have formally acknowledged that they are using the HECVAT.

We've been busy talking with service providers that are interested in the HECVAT. We were thrilled when Google announced in May that it had completed a HECVAT for Google Cloud Platform and G Suite.2 We've also received great feedback from Sona Systems, West Arete, and other service providers about the benefits they've experienced. Service providers primarily report that the HECVAT saves them time because they do not need to fill out unique questionnaires for each potential campus customer. The Cloud Broker Index (CBI) provides a list of service providers that have completed assessments, as well as a list of IT governance, risk, and compliance (GRC) vendors that are using the HECVAT in their products.3

What Was New in 2019?

In 2019, Josh Callahan and Charlie Escue led a group that focused on creating two new versions of the HECVAT (on-premises and triage) in addition to updating the full and lightweight versions. This work was based on requests and feedback from the community and completed by community volunteers. More details on these updates will be forthcoming. The HECVAT also formed several subgroups to work on communications, contract language, and partnerships. These groups will be doing more work in 2020 to help with adoption, scaling, and risk management for cloud services.

One of the most interesting things that we worked on during this phase is the on-premises version. Having an on-premises version of a cloud tool seems to be a contradiction in terms, but this new tool is a unique questionnaire that can be used to evaluate the security of vendors that offer on-premises appliances. It can also be used to evaluate the security status of software managed by a vendor. Many campuses have told us that they need the ability to compare security between potential on-premises or vendor-supported local systems, and having an on-premises version of the HECVAT meets that need.

A new prioritization tool (not intended to be completed by a vendor) was created to help campuses determine assessment requirements if the institution is interested in sharing institutional data with a third-party software and/or service. Completing the "triage" questionnaire is considered a prerequisite to initiating a security risk assessment.

We also partnered with the EDUCAUSE IT Accessibility Community Group to discuss IT accessibility suggestions from the community. We discussed how to partner and how we can potentially make the HECVAT questionnaires more accessible. We are drafting a position statement and will continue to work on this effort in 2020. Our goal is to be inclusive and make the HECVAT a community resource that can be used by the widest audience possible.

What's Next in 2020?

Since 2016, the HECVAT has become a strong brand with a unique name. Originally, HECVAT stood for the Higher Education Cloud Vendor Assessment Tool. Since the working group has significantly expanded and enhanced the tool over the past few years, we recently changed the name to the Higher Education Community Vendor Assessment Toolkit to better reflect the nature and spirit of a project that is created by and for the higher education community.

As we wrapped up our 2019 work, the HECVAT 2020 planning had already started! One goal discussed for 2020 is to raise awareness about this valuable community resource and make it easier for campuses to adopt. As more campuses and service providers adopt the HECVAT, it becomes more than a toolkit. The HECVAT is an example of how increasing collaboration across higher education institutions and organizations can facilitate advances in security risk management and streamline procurement processes. In a recent EdScoop article, "Higher Ed Cyber Assessment Tool Approaches Evangelism Phase," Brian Kelly, director of the Cybersecurity Program at EDUCAUSE, is quoted as saying, "The HECVAT is really a shining example of providing value, instead of security being viewed as something that adds friction in an environment. [As we are] focused on things like student success and sustainable funding, positioning security to enable those is really important."4

How Can You Learn More and Engage?

We continue to use conference presentations as an opportunity to engage with the community and get a better understanding of how campuses are using the HECVAT and what campuses need when it comes to shared cloud security assessments. During these events, we ask the community for specific feedback, which we use to add new functionality, fix issues, and prioritize updates. Most recently, we hosted two sessions at the 2019 EDUCAUSE Annual Conference in Chicago, Illinois: a half-day workshop to help attendees work through the tool with hands-on examples and discussion; and a 45-minute track session that included a case study from Princeton University presented by Daphne Ireland.5 If you missed these sessions, you will have the opportunity to hear HECVAT updates and engage with the HECVAT team during the EDUCAUSE Security Professionals Conference, April 21–23, 2020, in Bellevue, Washington.

Phase IV Working Group Members

In 2019, we expanded the working group to include a more diverse range of campuses, as well as people with expertise in areas like procurement, accessibility, and communications. The enhancements to the HECVAT would not be possible without our Phase IV working group members. We'd like to thank these volunteers because without them, we wouldn't exist!

  • Jon Allen, Baylor University (working group and core team chair)
  • Matthew Buss, Internet2
  • Josh Callahan, Humboldt State University (core team member)
  • Andrea Childress, University of Nebraska
  • Tom Coffy, University of Tennessee
  • Susan Cullen, California State University Office of the Chancellor
  • Michael Cyr, University of Maine System
  • Debra Dandridge, Texas A&M University
  • Niranjan Davray, Colgate University
  • Charles Escue, Indiana University (core team member)
  • Carl Flynn, Baylor University
  • Ruth Ginzberg, University of Wisconsin System
  • Sean Hagan, Yavapai College
  • Daphne Ireland, Princeton University
  • Amy Kobezak, Virginia Tech
  • Sue McGlashan, University of Toronto
  • Hector Molina, East Carolina University
  • Mark Nichols, Virginia Tech
  • Laura Raderman, Carnegie Mellon University
  • Kyle Shachmut, Harvard University
  • Bob Smith, Longwood University
  • Kyle Smith, Georgia Institute of Technology
  • Christian Vinten-Johansen, Penn State University
  • Brian Kelly, EDUCAUSE (core team member)
  • Valerie Vogel, EDUCAUSE (core team member)
  • Nick Lewis, Internet2 (core team member)
  • Susan Coleman, REN-ISAC (core team member)

If you have any questions, feedback, or comments for the working group, please reach out to us. Your strong engagement is what drives our efforts!

For more information about information security governance, compliance, data protection, and privacy programs, please visit the EDUCAUSE Review Security Matters blog as well as the Cybersecurity Program page.

Access the Higher Education Community Vendor Assessment Toolkit through the HECVAT page.


  1. Jon Allen, Josh Callahan, Charlie Escue, Nick Lewis, Kim Milford, and Valerie Vogel, "What's Next for HECVAT," Security Matters (blog), EDUCAUSE Review, February 25, 2019.
  2. Edward Doan, "Demonstrating Our Commitment to Protecting User Privacy and Student Data," Education (blog), Google Cloud, May 31, 2019.
  3. REN-ISAC, "HECVAT CBI," Research & Education Networks Information Sharing & Analysis Center, accessed December 17, 2019.
  4. Jake Williams, "Higher Ed Cyber Assessment Tool Approaches Evangelism Phase," EdScoop, November 13, 2019.
  5. Josh Callahan, Susan Coleman, Charlie Escue, Brian Kelly, and Nick Lewis, "Strategies for Streamlining Security Assessments Using the HECVAT," workshop presented at the EDUCASE Annual Conference, Chicago, IL, October 14, 2019; Josh Callahan, Susan Coleman, Charlie Escue, Daphne Ireland, and Nick Lewis, "Shared Cloud Security Assessments Working Group Update 2019," EDUCAUSE Annual Conference, Chicago, IL, October 16, 2019.

Nick Lewis is Program Manager for Security and Identity at Internet2.

© 2019 Nick Lewis. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.