
How to write an RFP for identity management

Requirements, questions, and evaluation criteria specific to identity management procurement


Identity management RFPs are critical because they address both security and operational efficiency, requiring a nuanced understanding of evolving threats and complex integration landscapes. A well-crafted RFP ensures the selected solution aligns with an organization's specific risk profile and business requirements, preventing costly security breaches and streamlining user access.

What makes identity management RFPs different

Identity management RFPs are unique due to the intricate balance between security, user experience, and compliance. Unlike other software procurements, identity solutions directly impact every user in the organization, making usability and adoption key success factors.

Furthermore, the constantly evolving threat landscape and increasingly stringent regulatory requirements necessitate a forward-looking approach that considers emerging technologies like AI-driven threat detection and decentralized identity models.

Technical complexity also sets identity management RFPs apart. Integrating with a diverse ecosystem of applications, directories, and cloud platforms requires deep technical expertise and a thorough understanding of protocols like SAML, OIDC, and SCIM. The RFP must clearly articulate integration requirements and validate the vendor's ability to seamlessly connect with existing infrastructure.

Finally, compliance mandates such as HIPAA, SOX, and PCI-DSS add another layer of complexity. The RFP must address specific compliance needs and ensure the vendor can provide the necessary controls and reporting capabilities to meet regulatory obligations.

  • Scalability to accommodate future growth and evolving business needs
  • Integration with existing IT infrastructure and applications
  • Compliance with relevant industry regulations and data privacy laws
  • User experience and adoption to minimize help desk requests and shadow IT

RFP vs RFI vs RFQ

Here's when to use each document type when procuring identity management software.

RFI (Request for Information)

Use early in your search to understand what vendors offer and narrow your list. Gather general capabilities, company background, and high-level pricing ranges.

RFP (Request for Proposal)

Use when you know your requirements and want detailed vendor solutions and pricing. This is your main evaluation document for shortlisted vendors.

RFQ (Request for Quote)

Use when requirements are fixed and you just need final pricing. Often used after RFP when you're ready to negotiate with finalists.

In the context of identity management, an RFI is useful for exploring the breadth of available solutions and understanding emerging trends in areas like passwordless authentication and AI-driven security. An RFP is essential for a detailed evaluation of specific vendor capabilities and their alignment with the organization's security and operational requirements. An RFQ is typically not suitable due to the complexity and customization inherent in identity management deployments.

Technical requirements checklist

Use this checklist when defining your RFP scope.

Authentication

  • Multi-factor authentication (MFA) support (specify methods: SMS, authenticator app, biometrics, hardware tokens)
  • Passwordless authentication options (FIDO2, WebAuthn)
  • Adaptive authentication based on risk factors (location, device, behavior)
  • Single sign-on (SSO) capabilities for cloud and on-premise applications

Identity Governance and Administration (IGA)

  • Automated user provisioning and deprovisioning
  • Role-based access control (RBAC)
  • Access certification and review workflows
  • Segregation of duties (SoD) enforcement
  • Entitlement management for cloud infrastructure (CIEM)

Privileged Access Management (PAM)

  • Vaulting and management of privileged credentials
  • Session monitoring and recording
  • Just-in-time (JIT) access for privileged accounts
  • Least privilege enforcement
  • Privilege elevation and delegation

Integration

  • Integration with HR systems (e.g., Workday, BambooHR)
  • Integration with directory services (e.g., Active Directory, LDAP)
  • Integration with SIEM and SOAR platforms
  • API integration capabilities for custom applications
  • Support for SCIM (System for Cross-domain Identity Management)

Reporting and Analytics

  • Pre-built reports for compliance audits (e.g., SOX, HIPAA)
  • Customizable reporting dashboards
  • Real-time monitoring of identity-related events
  • User activity tracking and audit logging
  • Identity threat detection and response (ITDR) capabilities

Questions to include in your RFP

Architecture & Deployment

  • Describe your solution's architecture, including its scalability, redundancy, and security features.
    Understanding the architecture is crucial for assessing the solution's ability to handle current and future needs.
  • What deployment models are supported (cloud, on-premise, hybrid), and what are the requirements for each?
    Deployment options impact cost, maintenance, and integration complexity.
  • How does your solution ensure data privacy and compliance with relevant regulations (e.g., GDPR, CCPA)?
    Data privacy is a critical concern, and the solution must meet regulatory requirements.
  • What is your solution's disaster recovery and business continuity plan?
    Ensures minimal downtime and data loss in case of unforeseen events.

Authentication

  • Describe your multi-factor authentication (MFA) capabilities, including supported methods and adaptive authentication features.
    MFA is a fundamental security control, and adaptive authentication enhances security based on risk.
  • What passwordless authentication options are supported, and how do they comply with FIDO2 standards?
    Passwordless authentication reduces the risk of password-based attacks.
  • How does your solution handle compromised credentials and detect account takeover attempts?
    Proactive detection and response are essential for mitigating security breaches.
  • Explain your single sign-on (SSO) capabilities and supported protocols (e.g., SAML, OIDC).
    SSO simplifies user access and improves security.

Identity Governance & Administration

  • Describe your automated user provisioning and deprovisioning processes, including integration with HR systems.
    Automation reduces manual effort and ensures timely access revocation.
  • How does your solution enforce role-based access control (RBAC) and manage user entitlements?
    RBAC simplifies access management and minimizes the risk of excessive privileges.
  • Explain your access certification and review workflows, including the ability to delegate reviews to business owners.
    Regular access reviews ensure that users have the appropriate access rights.
  • How does your solution address segregation of duties (SoD) conflicts and prevent unauthorized access?
    SoD enforcement prevents fraud and errors.

Privileged Access Management

  • Describe your privileged access management (PAM) capabilities, including vaulting, session monitoring, and just-in-time (JIT) access.
    PAM protects privileged accounts from misuse and abuse.
  • How does your solution enforce the principle of least privilege for privileged accounts?
    Least privilege minimizes the attack surface.
  • Explain your approach to managing and securing non-human identities (e.g., service accounts, API keys).
    Non-human identities are often overlooked but can be exploited by attackers.
  • How does your solution integrate with DevOps environments and support secure access to cloud infrastructure?
    DevOps environments require specialized security controls.

Integration

  • Describe your solution's integration capabilities with our existing IT infrastructure, including HR systems, directory services, and cloud platforms.
    Seamless integration is crucial for automation and data consistency.
  • What pre-built connectors are available, and how easy is it to create custom integrations?
    Pre-built connectors accelerate deployment, while custom integrations provide flexibility.
  • How does your solution support SCIM (System for Cross-domain Identity Management) for automated provisioning?
    SCIM simplifies user management across different systems.
  • Explain your API integration capabilities and provide documentation for developers.
    APIs enable custom integrations and automation.

Reporting & Analytics

  • Describe your reporting and analytics capabilities, including pre-built reports for compliance audits and customizable dashboards.
    Reporting and analytics provide visibility into identity-related events and compliance status.
  • How does your solution monitor user activity and detect anomalous behavior?
    Anomaly detection helps identify potential security threats.
  • Explain your identity threat detection and response (ITDR) capabilities.
    ITDR proactively identifies and responds to identity-based attacks.
  • How does your solution support compliance reporting for regulations such as SOX, HIPAA, and PCI-DSS?
    Compliance reporting simplifies audits and ensures regulatory compliance.

Pricing & Licensing

  • Provide a detailed breakdown of your pricing model, including licensing fees, implementation costs, and ongoing maintenance fees.
    Transparent pricing is crucial for budgeting and cost management.
  • What are your licensing options (e.g., per-user, per-device, concurrent users), and which is most suitable for our organization?
    Licensing options impact cost and scalability.
  • Are there any hidden costs or additional fees that we should be aware of?
    Hidden costs can significantly increase the total cost of ownership.
  • What discounts are available for multi-year contracts or volume purchases?
    Discounts can reduce the overall cost of the solution.

Compliance and security requirements

Depending on your industry, you may need to require proof of these certifications and standards.

SOX

Required for publicly traded companies. If applicable, request documentation on how the solution supports separation of duties and access controls required by SOX.

HIPAA

Required for organizations handling protected health information (PHI). If applicable, request a Business Associate Agreement (BAA) and documentation on HIPAA compliance measures.

PCI-DSS

Required for organizations processing, storing, or transmitting credit card data. If applicable, request a current PCI-DSS Attestation of Compliance (AOC) and documentation on how the solution protects cardholder data.

GDPR

Required for organizations processing personal data of EU residents. If applicable, request documentation on GDPR compliance, including data privacy and consent management features.

CCPA

Required for organizations processing personal data of California residents. If applicable, request documentation on CCPA compliance, including data subject access rights and opt-out mechanisms.

Evaluation criteria

Here is the suggested weighting for identity management RFPs (weights sum to 100%).

  • Functionality Fit (25%): How well the solution meets the stated requirements and addresses the organization's specific needs.
  • Integration Capabilities (20%): The ease and completeness of integration with existing IT infrastructure and applications.
  • Security Features (20%): The strength and breadth of security features, including authentication, access control, and threat detection.
  • Total Cost of Ownership (TCO) (15%): The total cost of the solution over its lifecycle, including licensing, implementation, and maintenance fees.
  • Vendor Reputation and Experience (10%): The vendor's track record, customer references, and industry recognition.
  • Usability and User Experience (10%): The ease of use for both administrators and end-users.

Adjust the weights to your own priorities, keeping the total at 100%:

  • Functionality Fit: increase if the organization has unique or complex identity management requirements.
  • Integration Capabilities: increase if the organization has a complex and heterogeneous IT environment.
  • Security Features: increase if the organization operates in a high-risk industry or handles sensitive data.
  • Total Cost of Ownership: increase if budget constraints are a significant factor.
  • Vendor Reputation and Experience: increase if the organization is risk-averse and prefers a proven vendor.
  • Usability and User Experience: increase if user adoption is a critical success factor.

Red flags to watch

  • Lack of support for modern authentication protocols

    Indicates the solution may be outdated and unable to support modern security requirements.

  • Vague or incomplete security documentation

    Suggests the vendor may not have a strong security posture or be transparent about their security practices.

  • High implementation costs or long implementation timelines

    Indicates the solution may be complex to deploy and require significant resources.

  • Limited integration capabilities with existing systems

    Suggests the solution may not be able to seamlessly integrate with the organization's IT environment.

  • Poor customer reviews or lack of references

    Indicates potential issues with the vendor's product quality or customer service.

Key metrics to request

Ask vendors to provide benchmarks from similar customers.

Average time to provision a new user account

Indicates the efficiency of the automated provisioning process.

Percentage of users with multi-factor authentication enabled

Measures the adoption of a critical security control.

Number of orphaned or inactive user accounts

Highlights potential security vulnerabilities.

Number of password reset requests per month

Indicates the usability of the solution and the level of user frustration.

Time to detect and respond to identity-related security incidents

Measures the effectiveness of the ITDR capabilities.
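Vendor-supplied benchmarks are only comparable if you can compute the same metrics against your own environment, before and after deployment. The script below is an added example, not part of this article or any vendor's product: it reconciles a constructed HR roster with a constructed directory export and derives four of the metrics above (orphaned accounts, inactive accounts, MFA coverage, and provisioning latency). The field names (username, status, hire_date, created, last_login, mfa_enrolled) and the 90-day inactivity threshold are assumptions; map them to whatever your HR feed and identity provider actually export.

```python
"""Identity-hygiene metrics from an HR roster and a directory export.

All data below is constructed for illustration. Field names and the
inactivity threshold are assumptions, not any vendor's schema.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Fixed "as of" date so the calculation is reproducible offline.
AS_OF = date(2024, 6, 30)
INACTIVE_AFTER = timedelta(days=90)

# Constructed HR roster: who should hold an account, and since when.
HR_ROSTER: Dict[str, dict] = {
    "alice": {"status": "active", "hire_date": date(2024, 6, 3)},
    "bob":   {"status": "active", "hire_date": date(2024, 5, 20)},
    "carol": {"status": "terminated", "hire_date": date(2022, 1, 10)},
    "dave":  {"status": "active", "hire_date": date(2023, 9, 1)},
}


@dataclass
class Account:
    username: str
    created: date
    last_login: Optional[date]
    mfa_enrolled: bool


# Constructed directory export, as an IdP or AD report might provide it.
DIRECTORY: List[Account] = [
    Account("alice", date(2024, 6, 4), date(2024, 6, 28), True),
    Account("bob", date(2024, 5, 24), date(2024, 6, 29), True),
    Account("carol", date(2022, 1, 10), date(2024, 2, 1), True),   # left the company, account remains
    Account("dave", date(2023, 9, 1), date(2024, 1, 15), False),   # no login in > 90 days, no MFA
    Account("svc-backup", date(2021, 3, 3), None, False),          # no HR record at all
]


def orphaned_accounts(directory: List[Account], roster: Dict[str, dict]) -> List[str]:
    """Accounts with no active HR record: deprovisioning gaps or unowned identities."""
    return sorted(a.username for a in directory
                  if roster.get(a.username, {}).get("status") != "active")


def inactive_accounts(directory: List[Account], as_of: date = AS_OF,
                      threshold: timedelta = INACTIVE_AFTER) -> List[str]:
    """Accounts that never logged in, or not within the threshold window."""
    return sorted(a.username for a in directory
                  if a.last_login is None or as_of - a.last_login > threshold)


def mfa_coverage_pct(directory: List[Account]) -> float:
    """Share of directory accounts with MFA enrolled, in percent."""
    if not directory:
        return 0.0
    return 100.0 * sum(1 for a in directory if a.mfa_enrolled) / len(directory)


def avg_provisioning_days(directory: List[Account], roster: Dict[str, dict]) -> float:
    """Mean days from HR hire date to account creation, over active hires only."""
    lags = [(a.created - roster[a.username]["hire_date"]).days
            for a in directory
            if roster.get(a.username, {}).get("status") == "active"]
    return sum(lags) / len(lags) if lags else 0.0


def hygiene_report(directory: List[Account] = DIRECTORY,
                   roster: Dict[str, dict] = HR_ROSTER) -> dict:
    """Bundle the metrics the RFP asks vendors to benchmark."""
    return {
        "orphaned": orphaned_accounts(directory, roster),
        "inactive": inactive_accounts(directory),
        "mfa_coverage_pct": mfa_coverage_pct(directory),
        "avg_provisioning_days": avg_provisioning_days(directory, roster),
    }


if __name__ == "__main__":
    for name, value in hygiene_report().items():
        print(f"{name}: {value}")
```

Orphaned and inactive are reported separately on purpose: a terminated employee whose account still exists is a deprovisioning failure regardless of login activity, while a dormant but HR-valid account is a hygiene finding that usually warrants review rather than removal. Service accounts with no HR owner (here, svc-backup) show up in both lists, which is exactly the non-human identity gap the PAM questions above probe.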