CBI retired July 31, 2025. Ten months in, the direct-sharing model is the operational reality. The rep who treats it as a new development has already lost a step on the institutions that have been living in it since August.
The honest picture at Tier 2 is uneven. Some institutions built internal workflows within the first quarter after CBI retired. Most didn't. That unevenness is not just an institutional readiness story — it's a timing signal for how you run the procurement conversation.
What improvised looks like versus mature
| Mature workflow | Improvised workflow | |
|---|---|---|
| Request | Standardized intake from procurement or IT security | Ad hoc email to vendor contact |
| Review | Checklist-based, repeatable, lightweight but defined | No standard process or timeline |
| Documentation | Tracked system with sign-off, reviewable on demand | PDF on a shared drive, findability uncertain |
| Expiration tracking | Institution knows when the response expires | Not tracked |
| Escalation | Defined path when response raises questions | None |
The institution with an improvised workflow is technically doing direct sharing; it's just doing it badly, and the people doing it know it.
Read which situation you're walking into before the conversation starts. A Tier 2 institution with a mature HECVAT workflow will have questions about the response content. An institution still improvising will have questions about the process itself. Conflating the two wastes everyone's time.
The proactive-sharing move and when it lands
Arriving at a Tier 2 procurement conversation with a completed HECVAT 4.1.5 response already in hand is a timeline compressor. The request-and-wait cycle — which at improvised-workflow institutions can run four to six weeks — disappears. The institution moves directly to review. If the review is lightweight, the vendor can clear the procurement gate before the formal RFP stage closes.
The moment proactive sharing lands hardest is before the evaluation committee is assembled — when the institution is still deciding who belongs on the shortlist.
The AI/ML conditional domain in HECVAT 4.1.5 deserves specific attention. Most institutions are still developing internal criteria for evaluating AI/ML responses — they know the questions are there, they're not always sure what a good answer looks like. A rep who can walk through the AI/ML domain responses with the reviewer, not just hand over the document, is operating at a different level. The domain covers training data governance, model transparency, and data residency for AI-processed inputs. If your product touches any of those, the reviewer will have follow-up questions. Have the answers ready before they ask.
What to say when procurement asks for the HECVAT before you've offered it
This happens at institutions with mature workflows. The request comes early, sometimes before the first meeting. The wrong response is to say you'll get it to them. The right response signals that you already have it.
"We have a completed 4.1.5 response ready — including the AI/ML conditional domain. I can send it today, or if it's easier, I can walk your security reviewer through the sections that typically generate questions before you start the formal review. That usually saves a round of follow-up."
That response removes the wait, demonstrates familiarity with the document's structure rather than just its existence, and offers to accelerate the institution's review process — which is what the procurement contact actually cares about.
What to say when you're offering it proactively
Frame it as a process move, not a deliverable.
"Before we get into the evaluation, I want to make sure we're not creating a bottleneck on your end. We have a current 4.1.5 response — I can get it to your IT security contact today so the review can run in parallel with the rest of your process. Who should I send it to?"
The question at the end moves the conversation forward and identifies the right internal contact without requiring the procurement lead to manage the handoff.
The read on where Tier 2 is heading
Institutions with mature direct-sharing workflows are starting to treat HECVAT response quality as a vendor signal, not just a compliance checkbox. A response that is complete, current, and clearly written by someone who understands the institution's context reads differently than a boilerplate response that answers every question with the minimum required text. That gap will widen as institutions get more comfortable with the direct-sharing model and less tolerant of vendors who treat the assessment as a form to be filed.
Freshness note: HECVAT 4.1.5 is current as of early 2025 and reflects the consolidated 4.x format. CBI retirement date (July 31, 2025) and current version status should be verified against EDUCAUSE documentation before use in customer-facing materials.