How to Comply with HECVAT in 2026 (Free Checklist)

To streamline your next onboarding with a higher-ed instiution, use this checklist to track how well your cybersecurity program aligns with HECVAT 4 standards.

To be applicable for most use cases, this checklist has been adapted to the following responses in the "Required Questions" section of the HECVAT toolkit:

This checklist aligns with the seven HECVAT assessment categories:

• Organization
• Product
• Infrastructure
• IT Accessibility
• Case-Specific
• AI
• Privacy

We’ve broken these down into subsections to give you actionable compliance guidance exactly where you need it.

HECVAT 4 compliance checklist

Use this checklist to understand how prepared you are for your next HECVAT assessment.

1. Organization

Business resilience

• Formal Business Continuity Plan (BCP) document exists
• Formal Disaster Recovery Plan (DRP) document exists
• Named individual or role is responsible for maintaining BCP/DRP plans
• Evidence of testing performed within the last 12 months is available for both plans

External audits & frameworks

• Current SSAE 18/SOC 2 audit report is available for sharing
• Specific industry standard (NIST, ISO, CIS, etc.) followed by the organization is identified
• Documentation shows internal control alignment with the chosen framework (if not certified)

Architecture & data flow

• Visual diagram of the overall system and application architecture is provided
• Diagram specifically traces data movement through every system component
• Text-based description exists for every component shown in the diagrams

Policies & HR

• Formal, documented Data Privacy Policy is in place
• Documented process for new hire security setup is established
• Documented process for immediate access revocation upon employee departure is established
• Samples or logs are available showing HR policies are actively followed

Third-party security assessments

• Complete list of all third-party companies with access to institutional data is maintained
• Vendors are categorized based on data sensitivity (High, Medium, Low risk)
• Security reviews (SOC 2, HECVAT, or questionnaires) are performed and documented before onboarding and at regular intervals

Learn how you can streamline your assessment process with Trust Exchange.

Contractual safeguards

• Specific language defining and limiting vendor access to institutional data is included in all contracts
• Contracts with third-parties with access to institutional data explicitly address financial/legal liability, notification timelines, and remediation responsibilities for breaches
• Security Addendum or Data Processing Agreement (DPA) is used to maintain consistency

Management strategy

• High-level strategy document outlines third-party risk management throughout the relationship lifecycle
• Procedure for reviewing vendor performance and security posture changes is implemented

Hardware supply chain

• Record of all critical hardware (telecom and computing) is maintained
• Documentation exists showing hardware is vetted and purchased through authorized, trusted channels
• Process to verify export licensing and screen against restricted entity lists is implemented

Change control & governance

• Documented outline for handling all system changes is maintained
• Change process includes four mandatory steps: Authorization, Impact Analysis, Testing, and Validation
• Specific path for urgent fixes exists with after-the-fact approval and documentation
• Check is implemented to verify third-party libraries/dependencies remain supported after updates

Configuration & systems management

• Gold Images or Infrastructure as Code (IaC) are used to ensure secure baselines
• Management strategy covers physical servers, cloud services, and mobile devices
• Mechanism exists to migrate client-side customizations safely between version releases

Patching & vulnerability mitigation

• Timeline and procedure for applying critical security patches is documented
• Pre-patch protection methods (WAF rules, port disabling, etc.) are defined

Release strategy & communication

• Formal channel (email, portal, RSS) is established to notify clients of security-impacting changes
• Public or shareable Release Schedule for upcoming updates is maintained
• 2-Year Technology Roadmap showing planned enhancements and fixes is available
• Number of concurrent supported software versions is formally defined
• Mandatory vs. optional update status is documented for clients
• Requirement for institutional involvement in updates is specified
• Procedures mandate changes occur during off-peak hours or via Zero-Downtime methods

2. Product

Authentication, authorization, and account management

Federated & Single Sign-On (SSO):

• Solution supports standard protocols (SAML2, OIDC, or CAS) for both users and admins
• Organization’s participation in InCommon or eduGAIN is identified
• System maps custom attributes (e.g., eduPerson, ePPN) beyond basic user ID
• System distinguishes between user email addresses and unique internal identifiers

Local authentication (Non-SSO):

• Secure local authentication protocols are supported for non-SSO environments
• System enforces custom password/passphrase complexity and length requirements
• Documented procedures for password resets are active
• Application integrates with local directories (LDAP/AD) if web-based SSO is not used
• Local login portal supports Multi-Factor Authentication (MFA)

Credentials & session security:

• No passwords or secret keys are hard-coded in application code or configuration files
• All passwords are encrypted/hashed (no plaintext storage)
• System automatically locks or logs out users after a period of inactivity

Logging & monitoring:

• Logs capture Login, Logout, Actions Performed, and Source IP
• System logs failed logins, access denials, and authorization changes
• Requirements for log collection and SIEM integration are documented
• Log retention period, tamper protection, and customer access methods are documented

Data

Storage & encryption:

• Data storage locations/IP addresses are identified regarding public routability
• Sensitive data is encrypted in motion using secure protocols (TLS 1.2+)
• Data is encrypted at rest (disk or database level)
• Encryption modules conform to FIPS 140-2 or 140-3 standards
• Cryptographic key lifecycle process is documented

Data ownership & lifecycle:

• Institution retains full ownership of all data, inputs, outputs, and metadata
• Data remains available for a specific window after contract termination for retrieval
• Formal process exists to return data and securely delete copies upon termination
• Contract guarantees at least 90 days for data migration in the event of business closure

Backups & disaster recovery:

• Backups are stored off-site and protected from modification/deletion
• Backups include all components needed for full recovery (OS, apps, security software, data)
• Backup files are encrypted during storage and transport
• Institution has the ability to trigger and extract its own partial or full backup
• Instances where backups leave the institutional data zone are identified

Media handling & workstation security:

• Media handling (end-of-life) follows NIST SP 800-88 or DoD 5220.22-M
• Employee workstation security for remote work is documented
• Logical or physical controls prevent data leakage between customers in multi-tenant environments
• Staff or third-party contractor access to sensitive institutional data is explicitly documented

3. Infrastructure

Application and service security

Access control & logic:

• Access for users and staff is governed by a formal model (RBAC, ABAC, or PBAC)
• Technical barriers prevent single individuals from holding multiple critical admin roles
• Policy details how employees obtain administrative access to client instances
• Application performs data input validation and provides sanitized error messages

Secure development & supply chain:

• Records show developers are trained in secure coding (e.g., OWASP Top 10)
• Static Application Security Testing (SAST) is performed prior to every release
• Dynamic Application Security Testing (DAST) or similar processes are implemented
• Procedures for vetting third-party libraries and frameworks are documented
• Only currently supported OS, software versions, and libraries are used

Operational defenses:

• Active WAF is configured to protect against common web exploits
• Mobile apps are distributed only via trusted sources (Apple App Store / Google Play)
• GPS/location data requirements and justifications are explicitly documented

Datacenter

Hosting & audits:

• Hosting option (Public Cloud, Private Cloud, On-Prem) is clearly identified
• SOC 2 Type 2 report for the hosting environment is provided
• Ability to store data within the institution’s specific geographic region is confirmed

Physical & environmental security:

• Physical barriers (cages/walls) prevent unauthorized contact in non-cloud hosting
• 24x7x365 staffing and MFA are required for physical administrative access
• Redundant power, cooling, and fire-suppression systems are documented and tested

Network & cloud integrity:

• HA environment architecture and geographic diversity are documented
• ISP redundancy and multiple network provider entrances are verified
• Cloud provider hardening tools or pre-hardened images are utilized
• Cloud provider access status to encryption keys is explicitly stated

Firewalls, IDS, IPS, and networking

• Firewalls are stateful and monitor active connection states
• Firewall Change Request Policy for rule modifications is maintained
• Authority for approving firewall changes is formally documented
• NIDS/NIPS is implemented at the network boundary
• HIDS/HIPS or EDR is implemented on individual servers
• Next-Generation Persistent Threat (NGPT) or ATP monitoring is deployed
• 24x7x365 monitoring by internal SOC or third-party MSSP is documented
• Logs capture every change to network devices, firewalls, and IDS/IPS

Incident handling

• Written Incident Response Plan (IRP) defines containment, eradication, and recovery steps
• Dedicated Incident Response Team (internal or external) is established
• IR Team is reachable and ready to act 24x7x365
• Current Cyber-Risk Insurance policy covers data loss, theft, and outages

Vulnerability management

• Vulnerability scans are performed using authenticated accounts
• Regular scans cover OWASP Top 10 and common web flaws (SQLi, XSS, XSRF)
• Third-party security assessment/penetration test was completed within the last 12 months
• Systems are scanned externally for vulnerabilities on a recurring schedule
• Clean scan is performed before every new software release
• Summarized vulnerability scan results are available for sharing
• Institution is permitted to perform their own scheduled vulnerability testing under NDA

4. IT accessibility

Accountability & documentation

• Specific person is designated for accessibility inquiries
• VPAT or ACR updated within the last 12 months is available for the current version
• Public-facing Accessibility Statement or current VPAT link is maintained
• User-facing documentation explains the software's accessibility features

Standards & legal commitment

• Technical standard (e.g., WCAG 2.1 Level AA) is formally adopted
• Legal commitment to meet stated accessibility standards is included in the MSA
• Detailed, time-bound Accessibility Roadmap for fixing gaps is maintained

Audit & verification

• Third-party accessibility audit has been conducted on the most recent version
• Internal procedures for verifying accessibility are documented
• Formal system for reporting and tracking accessibility barriers is implemented

Development & design lifecycle

• Accessibility check processes are documented for design, development, and QA phases
• Evidence of ongoing accessibility training for staff is provided
• 100% of application functions are performable using only a keyboard
• Product is natively accessible without requiring overlays or widgets

5. Case-specific

Consulting services

• Consultant requirements for network, domain, or hardware access are documented
• Proof exists of consultant training for sensitive data (HIPAA, PCI, FERPA, etc.)
• Data on consultant machines/environments is encrypted at rest
• Consultant access is limited to specific Source IP addresses
• On-site vs. remote work status is clearly stated

HIPAA compliance

• Formal HIPAA Privacy and Security Officers are appointed
• Annual HIPAA/HITECH training records are maintained for all employees
• Willingness to sign a Business Associate Agreement (BAA) is confirmed
• BAAs are in place with all subcontractors touching PHI
• Most recent HIPAA Risk Analysis and mitigation actions are documented
• Maximum 90-day password rotation is enforced for users and admins
• Users must set their own password immediately following an admin reset
• Lockout is implemented after a defined number of failed login attempts
• Inactive sessions automatically terminate after a set period
• Passwords are never visible in plaintext
• RBAC supports varying access levels for health records and admin tasks
• Logs capture Who, What, When, and Where for record access
• Archiving and SIEM integration meet HIPAA’s 6-year retention requirement
• Backup and retention practices meet HIPAA/HITECH standards

Payment Card Industry (PCI DSS)

• Current (within 1 year) Attestation of Compliance (AoC) or RoC is provided
• Organization’s status as Service Provider or Merchant (and Level) is identified
• Use of third-party payment gateways (Stripe, Touchnet, etc.) is disclosed
• Application is listed as an approved PA-DSS solution
• Data flow diagram for credit card data is provided
• PCI Deployment Guide for compliant installation is provided

6. AI

AI qualifying & general questions

• Current or planned use of ML or LLMs (within 12 months) is documented
• Formal AI Risk Model is maintained for development/implementation
• AI features can be disabled at the Tenant and/or Individual User level
• Records of Responsible AI training for stakeholders are provided
• Business rules (DLP) prevent institutional data ingestion by AI models
• Plain-language description of AI features is available

AI Policy & risk management

• Policies for mapping, measuring, and managing AI risks are implemented
• Capability to disable and re-enable AI features during incidents is tested
• Documentation aligns with the NIST AI Risk Management Framework (RMF)

AI data security

• Technical process exists to remove sensitive data from AI models upon request
• Disclosure states if user data is used to fine-tune or influence base models
• Logs capture User, Date, and Action for AI-triggered events
• Sanitization process for user inputs prevents prompt injection/malicious code
• Vetting process for third-party AI providers and models is documented

AI Machine Learning (ML)

• Training Data is physically or logically separated from Production Data
• Vetted, Validated, and Verified workflow for training data is implemented
• Access to training data is limited to Need-to-Know staff
• Watermarking is used for training data provenance
• Adversarial Training (defense against poisoning/evasion) is implemented
• Model architecture documentation and input/output logs are maintained

AI Large Language Model (LLM)

• LLM operates with minimum system privileges by default
• Human intervention is required for high-risk actions taken by the LLM/plugins
• Number of plugin calls per single input is limited
• Hard caps on resource use (tokens, memory, compute) are set per request
• Use of Fine-Tuning or RAG and validation mechanisms for accuracy are documented

7. Privacy

General & company privacy profile

• Processing of data regulated by FERPA, GDPR, PIPL, or State Laws is documented
• Direct web link to current Privacy Notice is provided
• Dedicated Data Privacy Officer (DPO) or privacy office is identified
• Personal data breaches or privacy violations within the last 36 months are disclosed

Privacy documentation & third parties

• Privacy Trust Service Principle is included in SOC 2 scope
• Privacy program aligns with NIST Privacy Framework, ISO 27701, or GDPR
• Privacy-specific clauses are included in all third-party contracts
• Privacy Impact Assessments (PIAs) are performed on third parties

Privacy lifecycle & change management

• Privacy principles are integrated into the SDLC
• Formal Privacy Review and Approval is required for every major system change
• Annual privacy awareness training is mandated for all employees
• Specific AI Privacy & Ethics training is implemented for relevant staff

Privacy of sensitive data & tracking

• Collection of demographic, biometric, or device information is documented
• All web/app tracking components (cookies, pixels) are disclosed
• Instances where data leaves the U.S. are documented
• Use of de-identified or masked data combined with other sources is disclosed

International privacy (GDPR/PIPL)

• Data collection or processing in the EEA or China is identified
• Willingness to sign SCCs for GDPR and comply with PIPL is confirmed

Data subject rights & automated processing

• Data Privacy Impact Assessment (DPIA) is documented for the solution
• Procedures allow users to access, review, update, or erase their data
• 100% automated processes (no human involvement) are identified
• Monitoring and validation for automated decision-making are documented
• Personal data retention schedule is documented and enforced

Privacy and AI

• Technical guards prevent unintended AI queries from exposing institutional data
• Processing is limited to fully licensed commercial enterprise AI services
• Clear Opt-Out mechanism for AI processing is provided to users
• Code and AI prompts are reviewed for ethical considerations and bias

Law enforcement & incident response

• Policy for sharing data with authorities (warrants/subpoenas) is documented
• Privacy Analyst/Officer is included in the Incident Response Team for breach notification