What is the K-12CVAT?

For K-12 Schools and Districts

  • The K-12 Community Vendor Assessment Tool or K-12CVAT, is a questionnaire framework specifically designed for K-12 schools, districts and education service districts to measure vendor risk. Before you purchase a third-party solution, ask the solution provider to complete a K-12CVAT tool to confirm that information, data, and cybersecurity policies are in place to protect your sensitive school system information and constituents’ PII. It is recommended that you use the K-12CVAT as part of procurement processes, including having potential solution providers complete the questionnaire as part of RFP processes and purchase evaluations.

For K-12 Solution Providers

  • The K-12CVAT offers a consistent and single questionnaire for solution providers to complete for potential and current K-12 organization clients to support evaluation and understanding of the risks and opportunities of your product. The advantage of the K-12CVAT is that, once completed, your assessment can be used by multiple K-12 organizations to streamline procurement processes with your K-12 clients
  • The K-12CVAT is based off the Educause Higher Education Community Vendor Assessment Tool – Lite (HECVAT-Lite), however, the questions are geared specifically towards K-12 education. Please make sure to use the K-12 questionnaire for your K-12 clients.

k 12cvat

The K-12CVAT provides our district with a new view of our vendors and affords us the ability to make better informed decisions due to the easy to understand Summary Report generated when the vendor completes it. It highlights areas of strength and weakness and will allow us to perform a higher quality risk assessment prior to engaging with the vendor. This is because the vendor information provided on the K12-CVAT is not always covered in our normal RFP process and includes areas such as their approach to securing their data center, the application/system and access to our data by their employees; their overall security policy and procedures; and, their disaster recovery, business continuity and change management procedures. Ultimately, it provides me with greater confidence in the decision-making process – whether I’m recommending that we select or reject the vendor.”

Deborah Ketring, CETL
CIO, Rockwood School District (MO)
CoSN Cybersecurity Advisory