AWS Public Sector Blog
Higher Education Community Vendor Assessment Toolkit now available on AWS Artifact
Higher education institutions are required to meet a variety of stringent compliance standards when building and hosting applications for student and employee use. These requirements include protecting student records in accordance with the Family Educational Rights and Privacy Act (FERPA), ensuring user accessibility as required by the Americans with Disabilities Act (ADA), and complying with the Payment Card Industry Data Security Standard (PCI DSS).
EDUCAUSE and the Shared Assessments working group collaborated with Internet2 and REN-ISAC to create the Higher Education Community Vendor Assessment Toolkit (HECVAT). EDUCAUSE is a non-profit association committed to advancing the use of technology and data in higher education. The HECVAT is a third-party vendor questionnaire framework designed for higher education institutions to evaluate the security and privacy posture of cloud and technology providers. It is intended to centralize vendor security and compliance information for ease of use.
Amazon Web Services (AWS) now offers both the HECVAT Lite version and Full version to customers on-demand. The Lite version provides AWS-approved answers to 70-plus questions about vendor systems management, networking, encryption, backups, and more, which is typically what is required for lower-risk workloads. The Full version is comprehensive, with more than 250 questions assessing AWS’ ability to handle sensitive data or support critical workloads. Additional categories covered by the Full version include change management, vulnerability scanning, third-party assessments, and PCI DSS.
The EDUCAUSE Cloud Computing Community Group (CCCG) addresses and educates participants on the challenges and opportunities with cloud computing adaption in higher education.
“With most of our contract reviews focused on SaaS [software as a service] solutions, the HECVAT plays a crucial role in our technology and security evaluation process,” said James Monek, former co-chair of the CCCG, director of technology infrastructure and operations at Lehigh University, member of the Internet2 NET+ AWS Service Advisory Board (SAB), and advocate for the HECVAT.
“It provides a consistent framework for assessing vendor security posture, best practices, and compliance, enabling more efficient vendor approval reviews. Having the HECVAT in AWS Artifact provides quick and easy access to AWS assessments, especially as updates are made for future services.”
How to access HECVAT
Customers can access the HECVAT via AWS Artifact. AWS Artifact is a self-service portal that allows customers to access AWS compliance documentation and agreements on-demand. These include: AWS ISO certifications, System and Organization Control (SOC) reports, and now, the HECVAT. To download reports via AWS Artifact, customers must have an AWS account and agree to the terms of the AWS Artifact nondisclosure agreement (NDA) or have an existing NDA that covers the same confidential information as that provided in Artifact.
Customers who do not have an AWS account can contact their account team for support in accessing the HECVAT. If you are not actively connected with your account team, please fill out the AWS Public Sector – Contact Us form.
Please note, AWS responses to the HECVAT are confidential. The answers provided in the Lite and Full versions are not intended to be used by customers as part of an effort for them to complete their own HECVAT.