HECVAT Full vs Lite — What universities actually send you and why
HECVAT Full has 250+ questions across 22 domains. HECVAT Lite has 62. But since HECVAT 4, they're merged into one tool. Here's what that means for vendors selling to higher education.

You just got a HECVAT from a university's IT security team. The procurement email says "please complete the attached vendor assessment." You open the Excel workbook and stare at 321 questions across seven tabs.
If you've sold SaaS to higher education before, you might remember the days when universities sent either a "HECVAT Full" or a "HECVAT Lite" — two separate files, two very different levels of pain. That distinction still matters, even though EDUCAUSE merged them into a single tool in 2025. Whether a university scopes you for 60 questions or 270+ depends on how they classify your product's risk — and getting that classification wrong can cost you weeks.
This guide breaks down what Full and Lite actually mean in 2026, why universities pick one over the other, and how to stop spending entire sprints on a questionnaire that should take days.
A quick history: why there were two HECVATs
The Higher Education Community Vendor Assessment Toolkit was created in 2016 by EDUCAUSE, Internet2, and REN-ISAC. The goal was simple: give universities one shared questionnaire so vendors could complete it once and share it across multiple institutions. Before HECVAT, every university wrote its own custom security questionnaire, which meant vendors selling to ten schools filled out ten different forms asking the same questions in slightly different ways.
By HECVAT 3 (released 2020), the toolkit had split into four versions:
| Version | Questions | Sections | Who it was for |
|---|---|---|---|
| Full | 250+ | All 22 | Mission-critical systems handling PII, PHI, FERPA data |
| Lite | 62 | 14 of 22 | Lower-risk vendors with limited access to sensitive data |
| On-Premise | ~200 | Adapted | Software installed on institutional infrastructure |
| Triage | ~15 | Screening | Pre-qualification to determine which version to send |
The idea was that a university's CISO would triage incoming vendor requests: if your product touches student records, financial aid data, or health information, you get the Full. If you're a scheduling tool that doesn't store PII, you get the Lite.
In practice, this got messy. Some institutions sent the Full to everyone by default because they didn't have bandwidth to triage. Others sent the Lite for products that probably warranted a Full assessment. Vendors who completed a Full for one university couldn't easily reuse it when another school sent the Lite, because the question IDs didn't always align.
What HECVAT 4 changed (and what it didn't)
In 2025, EDUCAUSE released HECVAT 4 (current version: 4.1.5). The biggest change: Full, Lite, and On-Premise are no longer separate files. Everything lives in one unified Excel workbook with 321 questions across 7 sections:
| Section | Questions | What it covers |
|---|---|---|
| Organization | 43 | Company structure, governance, financial stability |
| Product | 42 | Architecture, data handling, integrations |
| Infrastructure | 52 | Hosting, network security, encryption, access controls |
| IT Accessibility | 19 | WCAG 2.1 AA, Section 508, assistive tech |
| Case-Specific | 64 | Conditional questions triggered by your Triage answers |
| AI | 32 | AI/ML practices, training data, output transparency |
| Privacy | 69 | FERPA, GDPR, state privacy laws, data retention |
Two sections are entirely new: AI (32 questions about whether you train models on institutional data, how you handle AI output transparency) and an expanded Privacy section (69 questions, up from a handful in v3). The Accessibility section also grew significantly — universities take ADA/Section 508 compliance seriously because they're legally required to.
The "Core 60" — HECVAT Lite's spiritual successor
Here's the part most vendors miss: HECVAT 4 still has a Lite mode. It's just not a separate file anymore.
Within the unified workbook, approximately 61 questions are marked with an asterisk (*). EDUCAUSE calls these the "Core 60." They cover baseline security controls — authentication, encryption, incident response, data handling — and they're the only questions a vendor needs to answer for a low-risk assessment. If a university determines your product is low-risk based on the Triage tab, they may only review your answers to these starred questions.
The Full assessment is everything else: all 250–270 applicable questions (the exact count depends on which conditional sections your Triage answers activate). Universities use this for products that handle student records (FERPA), health data (HIPAA), financial information (GLBA), or research data.
The Triage tab — how universities scope you now
Instead of choosing a file to send, universities now send every vendor the same workbook. You start on the "START HERE" tab, which asks 8–10 high-level screening questions:
- Is this a SaaS or on-premise product?
- Does it handle personally identifiable information (PII)?
- Will it store or process protected health information (PHI)?
- Does it handle financial data subject to GLBA or PCI DSS?
- Does it use AI or machine learning features?
Based on your answers, the workbook uses conditional logic to show or hide relevant sections. A cloud-only analytics tool that doesn't touch PII might see 80–100 questions. A student information system that stores Social Security numbers, health records, and financial aid data will see 270+.
This is significantly better than the old system, but it introduces a new problem: some vendors are tempted to downplay their data access in the Triage tab to reduce their question count. University security teams know this, and they verify Triage answers against your product documentation, privacy policy, and SOC 2 report. If they find discrepancies, you'll get flagged and asked to redo sections — adding weeks to the process.
When you'll get the Full treatment
After talking to dozens of vendors who sell to higher education, here are the scenarios that virtually always trigger a full 250+ question assessment:
Student Information Systems (SIS): If your product is the system of record for student enrollment, grades, or transcripts, expect the Full plus heavy scrutiny on FERPA compliance and data portability.
Learning Management Systems (LMS): Products like Canvas, Blackboard, or Moodle alternatives that store student work, grades, and participation data. Universities will also ask detailed accessibility questions because LMS platforms must meet WCAG 2.1 AA.
Financial aid and payment processing: Anything touching student financial data triggers both GLBA and PCI DSS domains. Universities have been burned by payment processor breaches and they're thorough.
Health and counseling platforms: Telehealth, student wellness apps, or counseling scheduling tools that handle PHI. These trigger HIPAA-specific questions on top of the standard HECVAT domains.
Research data platforms: Tools handling research data, especially in fields with export controls (ITAR, EAR) or NIH-funded research with data sharing requirements.
Identity providers and SSO: If you're authenticating students or faculty, you'll face deep questions on credential storage, MFA, session management, and federation standards (SAML, OIDC).
AI-powered tools: New in HECVAT 4 — any product using AI or ML triggers the 32-question AI section. Universities want to know if you train models on institutional data, how you handle bias, and whether students can opt out.
When you might get away with Lite (Core 60)
The Core 60 assessment is typically sufficient for:
- Marketing or CRM tools that receive institutional contact information but don't store student records
- Scheduling and room booking systems with minimal PII
- Content delivery platforms that don't require authentication
- Communication tools where the university controls data retention
- Event management platforms with basic attendee information
The key factor is data sensitivity, not product complexity. A simple form builder that collects student health information will get a Full assessment. A sophisticated analytics platform that only processes anonymized, aggregated data might get the Core 60.
The 22 HECVAT 3 domains — what each one actually asks
If you encounter a university still using HECVAT 3 (some institutions haven't migrated yet), here's what to expect in the Full assessment. These domains map roughly to the consolidated HECVAT 4 sections but are more granular:
- Company Information — Legal name, headquarters, number of employees, financial stability
- Documentation — Links to your SOC 2 report, security policies, privacy policy, VPAT
- IT Accessibility — VPAT availability, WCAG conformance level, assistive technology testing
- Security Program — Do you have a CISO? Written security policy? Security awareness training?
- Policies & Procedures — Acceptable use, data classification, change management
- Risk Management — Formal risk assessment process, third-party risk management
- Physical Security — Data center access controls, environmental controls, visitor management
- Network Security — Firewalls, IDS/IPS, network segmentation, DDoS protection
- Application Security — SDLC practices, code review, penetration testing, OWASP Top 10
- System Security — OS hardening, patch management, endpoint protection
- Data Security — Encryption at rest and in transit, key management, data loss prevention
- Identity & Access Management — Authentication methods, MFA, RBAC, privileged access
- Incident Response — IR plan, breach notification timeline, forensics capabilities
- Business Continuity — DR plan, RTO/RPO, backup frequency and testing
- Compliance — SOC 2, ISO 27001, HIPAA, PCI DSS, FedRAMP
- Subcontractor Management — How you vet your own vendors and subprocessors
- Privacy — Data collection practices, FERPA compliance, data subject rights
- Data Center — Hosting provider, data residency, certifications
- Change Management — Change control processes, testing, rollback procedures
- Vulnerability Management — Scanning frequency, remediation SLAs, responsible disclosure
- Logging & Monitoring — SIEM, log retention, alerting, audit trails
- Cloud Security — Multi-tenancy isolation, shared responsibility model, API security
The Lite version in HECVAT 3 covered 14 of these 22 sections, skipping the deeper technical domains like Application Security, System Security, Subcontractor Management, Change Management, Vulnerability Management, Logging & Monitoring, Cloud Security, and the detailed Data Center questions.
Practical tips from vendors who've done dozens of HECVATs
Pre-fill and maintain a master HECVAT. Whether you're working with HECVAT 3 or 4, keep a completed master copy with your best answers. When a new university request comes in, start from the master and customize. Most answers (80–90%) won't change between institutions.
Map your SOC 2 controls to HECVAT questions. If you have a SOC 2 Type II report, most of the HECVAT Full can be answered by referencing specific controls. Universities know this and actually prefer citations to your SOC 2 over generic yes/no answers. "Yes — see SOC 2 Section CC6.1" is a stronger answer than just "Yes."
Don't leave anything blank. Every unanswered question will come back as a follow-up. If a question genuinely doesn't apply (e.g., on-premise hosting questions for a purely SaaS product), write "N/A — [product name] is a SaaS-only platform hosted on AWS" rather than leaving the cell empty.
Answer the AI section proactively. Even if the Triage tab doesn't trigger the AI section, consider filling it out anyway. Universities are increasingly concerned about AI, and a complete AI section signals maturity. If you use any third-party AI APIs (OpenAI, Anthropic, etc.), disclose them and explain your data handling.
Prepare your VPAT before you need it. The IT Accessibility section asks for a Voluntary Product Accessibility Template (VPAT). If you don't have one, this will hold up procurement. Universities are legally required to evaluate accessibility, and "we're working on it" isn't an acceptable answer for most institutions.
Know your subprocessors. The Subcontractor Management domain asks you to list every third-party service that processes institutional data. This means your hosting provider, email service, analytics tools, error tracking, payment processor — all of it. Have this list ready and updated.
Get your HECVAT reviewed before submission. Have someone who didn't write the answers review them. Security teams at universities are experienced reviewers — they'll spot inconsistencies between your answers and your SOC 2, privacy policy, or product documentation.
The Community Broker Index is gone — what replaces it
Until July 2025, EDUCAUSE ran the Community Broker Index (CBI), a shared database where vendors could publish completed HECVATs for any university to access. Companies like Google Cloud and Box posted their assessments publicly through the CBI, which meant universities could review their security posture without sending a questionnaire at all.
The CBI was retired in July 2025. Assessments are now exchanged directly between vendors and institutions. This is worse for vendors who previously benefited from the "complete once, share with everyone" model. If you're a vendor selling to multiple universities, you now need to maintain your own mechanism for sharing completed HECVATs — whether that's hosting your assessment on your website, sharing through a trust center, or responding to individual requests.
Some third-party platforms (SafeBase, Whistic, Conveyor) now serve as de facto trust centers where vendors can publish security documentation including completed HECVATs. This is the closest replacement for the CBI model.
HECVAT vs other security questionnaires
If you sell to both higher education and enterprise, you'll encounter HECVAT alongside other standard questionnaires:
| Questionnaire | Created by | Questions | Focus |
|---|---|---|---|
| HECVAT Full | EDUCAUSE | 250–270 | Higher education — FERPA, accessibility, student data |
| HECVAT Core 60 | EDUCAUSE | ~61 | Quick higher ed screening |
| SIG Core | Shared Assessments | 850+ | Enterprise third-party risk — broadest scope |
| SIG Lite | Shared Assessments | ~330 | Enterprise screening |
| CAIQ | Cloud Security Alliance | ~260 | Cloud provider security — CSA STAR Registry |
| VSAQ | Vendor Security Alliance | 100–300 | Tech company vendor risk — GDPR/CCPA focus |
HECVAT is unique in its focus on education-specific regulations (FERPA, GLBA for financial aid, WCAG accessibility) and its new AI/ML section. If you've already completed a SIG or CAIQ, about 60–70% of a HECVAT Full will feel familiar — the core security domains overlap significantly. The education-specific questions around student data privacy, accessibility, and AI governance are what you'll need to prepare for specifically.
How to automate HECVAT completion
A full HECVAT assessment typically takes 3–6 weeks when done manually. Most of that time isn't spent answering questions — it's spent tracking down the right person to answer each section, waiting for them to respond, and then formatting everything into the workbook.
AI-powered tools can cut this to hours by pulling answers from your existing security documentation. If you have a SOC 2 report, security policies, and a privacy policy, most HECVAT questions can be auto-filled with source-cited answers that reference the specific document and section. This is exactly what FillBase does — upload your knowledge base, submit the HECVAT, and get draft answers with citations in minutes instead of weeks.
The key advantage of automation isn't just speed. It's consistency. When your HECVAT answers are generated from the same source documents, they'll be consistent with your SOC 2, your privacy policy, and every other questionnaire you've completed. University reviewers notice when answers contradict each other — and automation prevents that.
Frequently asked questions
Is there still a separate HECVAT Lite file I can download?
No. Since HECVAT 4 (released 2025), Full and Lite are merged into one unified workbook. The "Core 60" — approximately 61 questions marked with an asterisk — serves the same purpose as the old Lite. Universities determine the scope based on the Triage tab, not by sending a different file.
How many questions is HECVAT Full in 2026?
HECVAT 4 has 321 total questions across 7 sections. Depending on your Triage answers, you'll see 250–270 questions for a full assessment. The legacy HECVAT 3 Full had 250+ questions across 22 sections. Some universities still use v3.
Can I reuse my HECVAT across multiple universities?
Yes, but check the version. If one university uses HECVAT 3 and another uses HECVAT 4, you'll need separate responses. Even within the same version, some institutions customize importance levels or add supplemental questions. Maintain a master copy and customize per institution.
What happens if I fail a HECVAT assessment?
You don't "pass" or "fail" a HECVAT. The university's security team assigns a risk rating: Approved, Approved with Conditions, Requires Remediation, or Not Approved. Most vendors land in "Approved with Conditions" on first submission, with the institution requiring specific remediations (like adding MFA or updating a data retention policy) within a set timeline.
How long does a HECVAT assessment take?
Manual completion typically takes 3–6 weeks. With AI-assisted tools, the initial draft can be completed in hours, with 1–2 days for internal review and customization. The university's review process after submission adds another 2–4 weeks.
Do I need a SOC 2 to complete a HECVAT?
No, but it helps significantly. A SOC 2 Type II report provides evidence for roughly 60–70% of HECVAT questions. Without one, you'll need to provide alternative documentation — written security policies, penetration test reports, compliance certifications — for each domain. Universities strongly prefer vendors with a current SOC 2.