Image of a circle

Vendor Assessment (HECVAT)

Return to Information Security Home

All Software as a Service (SaaS), otherwise referred to as “Cloud”, solutions used for Montclair State University related business must have their cybersecurity practices reviewed and approved by Information Technology.

Approval must be obtained prior to the completion of a Contract Approval Sign-off or purchase process.

This is required irregardless of whether or not:

  • The service is being used to transfer, process, or store any University related data
  • The service is provided for free or at cost

The IT Information Security team is responsible for performing these reviews and have adopted the EDUCAUSE Higher Education Community Vendor Assessment Toolkit (HECVAT).

One advantage of the HECVAT is that many popular higher education service providers/vendors may have already completed the form. To see if a provider/vendor you are interested in has completed a HECVAT, check the REN-ISAC HECVAT Community Broker Index.

IMPORTANT INSTRUCTIONS

1) SUBMITTING A REQUISITION for initial purchase or renewal, please DO NOT send the completed forms to the information security team via email. The Workday requisition process for all SaaS/Cloud software purchases will require you to upload the forms as part of the requisition submission process.

PLEASE NOTE that all review requests typically take 10 -15 business days, so please plan accordingly!

2) EVALUATING VENDOR SOLUTIONS and want to have a vendor’s HECVAT reviewed prior to a purchasing decision/requisition submission, please e-mail the two completed forms below to sec-official@dos5.net. Be sure to include a note that you are looking for a “pre-purchase assessment” and any context you can provide regarding requesting the assessment.

PLEASE NOTE that all review requests outside of the requisition process typically take 15 – 30 business days, so please plan accordingly!

HECVAT


The requesting department is responsible for ensuring the following criteria is met for all HECVAT submissions:

HECVAT (version 3.x)

      • To be completed by the provider/vendor. Must be returned in the original Microsoft Excel format or it will not be accepted. (No PDFs or other exports.)
      • We do not accept HECVAT forms older than at least version 3.0.
        • The current version is listed on the right hand side of the title row in the HECVAT document. The last 2.x form version is 2.11 and is now over three years old. And the 3.x form version has had significant improvements in content and usability. As vendors are expected to provide the latest and most relevant responses to the questionnaire, we can no longer accept versions older than 3.0.
      • We do not accept the “Lite” version of the HECVAT form for most submissions. If you wish to discuss an exception to accept the Lite version from a service provider, you must contact the security official at the address above before submitting for additional guidance.
HECVAT Review Request Form


HECVAT Review Request Form (Current version 2.x)
    • To be completed by the requesting Montclair State University department. Must be returned in the original Microsoft Word format or it will not be accepted. (Note: This form is only accessible if you are logged into your MSU Google account using your NetID.)