HECVAT v3.05—What’s Changed?

Introduction

The latest version of the Higher Education Community Vendor Assessment Toolkit, HECVAT v3.05, signifies a significant step forward from its previous iteration, v3.04. Our in-depth analysis aims to demystify the intricacies of this update, offering a clear and practical guide for information security professionals in higher education responsible for conducting and evaluating HECVAT assessments and vendor risk, as well as for third-party vendors and cloud service providers who complete the HECVAT on behalf of their organizations.

What’s New in HECVAT v3.05?

• v3.04: “Numerous scoring fixes and grammar refinements.”
• v3.05: “Fixed issue with scoring from unselected QUALs adding to overall score, wording and scoring fixes, added alt text to images.”

In this analysis, we will unpack the significant updates from HECVAT v3.04 Full to v3.05 Full. Those using versions before 3.4 should note additional changes from versions 3.0, 3.1, 3.2, and 3.3. Our focus here is on question text, logic, response choice, and weighting, excluding any potential updates in the response guidance section. Notably HECVAT released updated v3.05 versions of HECVAT Full, Lite and On Prem question sets. Our analysis will focus on the HECVAT Full.

Version 3.05 does not introduce any changes to question numbering and weighting but instead focuses on question text and preferred response logic. Overall there were 70 questions with text changes, mostly minor textual tweaks. Additionally, 5 questions had changes in their favorable responses, significantly altering the underlying logic and impact of these questions.

Summary

Minor Changes

68 questions underwent minor changes. These modifications, while small, are significant in ensuring the clarity and precision of the questionnaire. It’s important to understand that these minor changes do not alter the core substance or the response logic of the questions. Rather, they refine the presentation, making the questionnaire more user-friendly and less prone to misinterpretation.

One illustrative example of such a minor change is seen in QUAL-02:

• V3.05 Version: “Will institutional data be shared with or hosted by any third parties? (Any entity not wholly owned by your company is considered a third-party.)”
• V3.04 Version: “Will institution data be shared with or hosted by any third parties? (e.g., any entity not wholly-owned by your company is considered a third-party.)”

This single question showcases four distinct yet subtle changes:

1. The shift from “institution” to “institutional” refines the focus on the type of data in question.
2. Elimination of “e.g.” from the parentheses simplifies the text without losing meaning.
3. Capitalization of “Any” at the start of the parenthesis for grammatical consistency.
4. Introduction of a period within the parenthesis to complete the sentence structure properly.

Major Changes

In the latest version of HECVAT, v3.05, several significant modifications have been made, warranting a closer examination. These “Major Changes” are not mere textual adjustments but substantive revisions that fundamentally alter how certain questions are framed and scored.

Question Text Change (n=2)

Two questions in the HECVAT v3.05 underwent a text change. These “text changes” involve significant modifications to the essence of the questions, altering their focus and framing to better assess vendor risk.

1. DOCU-05 Update:
   • V3.05 Question: “Can the systems that hold the institution’s data be compliant with NIST SP 800-171 and/or CMMC Level 2 standards?”
   • Change Explained: This update realigns the question with the current Cybersecurity Maturity Model Certification (CMMC) v2.0 standards. Previously, the question was based on CMMC v1.0, which had 5 levels. The release of CMMC v2.0, just a month before HECVAT v3.0, restructured these levels from 5 to 3. Consequently, the alignment with NIST 800-171 (Controlled Unclassified Information or CUI) shifted from Level 3 in CMMC 1.0 to Level 2 in CMMC 2.0. This adjustment in HECVAT ensures the question stays current and relevant with these changes in cybersecurity standards.
2. AAAI-19 Update:
   • V3.05 Question: “Describe or provide a reference to the retention period for those logs, how logs are protected, and whether they are accessible to the customer (and if so, how).”
   • Change Explained: The change in AAAI-19 is specifically in the analyst report tab of HECVAT. In v3.04, AAAI-19 was a duplicate of AAAI-18, leading to redundancy. The v3.05 revision removes this duplication, ensuring each question is unique and relevant to the assessment.

Question Response Logic/Favorability Change (n=3)

Three key questions in the HECVAT v3.05 had changes in the core response logic or favorability. These changes significantly impact how responses are interpreted and scored.

1. CONS-03 Update:
   • V3.05 Question: “Will the consultant require access to hardware in the institution’s data centers?”
   • Change Explained: The favorable response switched from “Yes” to “No.” This revision acknowledges the added risk of allowing consultants access to institutional hardware. The previous logic, favoring a “Yes” response, was reassessed to better reflect the security concerns associated with external access to critical hardware.
2. AAAI-12 Update:
   • V3.05 Question: “If you don’t support SSO, does your application and/or user-frontend/portal support multi-factor authentication? (e.g., Duo, Google Authenticator, OTP, etc.)”
   • Change Explained: The favorable response here changed from “No” to “Yes.” This update highlights the added security value of implementing multi-factor authentication (MFA) when single sign-on (SSO) isn’t supported, aligning the question with current cybersecurity best practices.
3. CHNG-09 Update:
   • V3.05 Question: “Is institutional involvement (i.e., technically or organizationally) required during product updates?”
   • Change Explained: The favorable response has been revised from “Yes” to “No.” This change prompts further discussion in the security community. While non-involvement of the institution in updates can save time and ensure currency, it might pose concerns for institutions that prefer involvement in significant updates. This change reflects the trend towards more agile development processes in SaaS products, where frequent updates can limit the feasibility of institutional review.

Questions with Potential Errors (n=2)

Two questions in HECVAT v3.05 with changes in response logic potentially introduce errors, raising concerns about the accuracy of scoring.

1. DCTR-08 and DCTR-12 Updates:
   • V3.05 Questions:
     • DCTR-08: “What tier level is your data center (per levels defined by the Uptime Institute)?”
     • DCTR-12: “Describe or provide a reference to the availability of cooling and fire-suppression systems in all data centers where institution data will reside.”
   • Change Explained: The favored response in both questions has been modified from “Qualitative Question” to “Yes.” However, this presents a challenge as “Yes” is not an applicable response for either question. DCTR-08 calls for a choice between Tier I – Tier IV, while DCTR-12 requires a free-text response. This shift seems to have led to a scoring anomaly in the v3.05 version. Through our testing, we observed that neither question accommodates this new preferred response, resulting in a score of 0/20 regardless of the answers provided. In light of this, we respectfully suggest that the HECVAT team revisit these two questions, considering the restoration of “Qualitative Question” as the preferred response to preserve the integrity and utility of the assessment. We shared these putative scoring logic errors with the HECVAT working group, but have not as yet received a response.

Guidance for Third-Party Vendors

Updating your HECVAT from version 3.04 to 3.05 is a straightforward process. You can begin by directly copying and pasting your answers from the previous version. The key area to focus on is the response to question DOCU-05; ensure it aligns with the CMMC v2.0 level 2 standards, which correlate with the 110 controls of NIST 800-171. Most other changes in this update are minor or relate to logic outside the scoring page, so they shouldn’t materially affect your responses on the vendor response tab.

Conclusion

To summarize, the transition from HECVAT v3.04 to v3.05 involves 75 changes affecting question texts and favorable responses. Among these, 70 are minor textual edits with two notable exceptions: the update of DOCU-05 for CMMC compliance and the replacement of a duplicate question in AAAI-19 (in the analyst tab). The five changes in response logic correct the scoring for three questions but introduce potential errors in two others.

If you are looking for a more detailed guidance on specific question by question changes, be on the lookout for a detailed change log from the HECVAT working committee that is reportedly coming soon.

Still using spreadsheets to manage your HECVATs? Join dozens of established higher education institutions who trust Isora to help them build and scale their Third-Party Security Risk Management (TPSRM) programs. Get a demo to learn how Isora can help your team scale its efforts using the HECVAT.