
How to write an RFP for NAC

Requirements, questions, and evaluation criteria specific to NAC procurement


Network Access Control (NAC) RFPs are critical due to the complex interplay between network infrastructure, security policies, and user access rights. A well-defined RFP ensures comprehensive visibility, granular control, and automated response capabilities, safeguarding against evolving cyber threats and compliance mandates. Failing to secure network entry points can lead to systemic financial risk, making a thorough RFP process essential.

What makes NAC RFPs different

NAC RFPs differ significantly from general software RFPs due to their deep integration with existing network infrastructure and identity management systems. A poorly chosen NAC solution can disrupt network operations and create significant business continuity issues. The RFP must address vendor-agnostic interoperability, scalability, and the ability to handle diverse device types, including IoT and BYOD devices.

Modern NAC solutions must also offer continuous verification and integration with technologies like SASE and XDR, requiring a forward-looking approach in the RFP.

  • Interoperability with existing network hardware (switches, routers, wireless access points) from multiple vendors
  • Scalability to accommodate future growth and increasing device density
  • Comprehensive device profiling and fingerprinting capabilities, including agentless discovery for IoT devices
  • Integration with identity providers (IdPs) and endpoint detection and response (EDR) tools

RFP vs RFI vs RFQ

Here's when to use each document type when procuring NAC software.

RFI

Request for Information

Use early in your search to understand what vendors offer and narrow your list. Gather general capabilities, company background, and high-level pricing ranges.

RFP

Request for Proposal

Use when you know your requirements and want detailed vendor solutions and pricing. This is your main evaluation document for shortlisted vendors.

RFQ

Request for Quote

Use when requirements are fixed and you just need final pricing. Often used after RFP when you're ready to negotiate with finalists.

For Network Access Control, an RFI is useful for initial market research and understanding the range of available solutions. An RFP is essential for a detailed evaluation of technical capabilities, security features, and integration options. An RFQ is generally not suitable due to the complexity and customization required for NAC deployments.

Technical requirements checklist

Use this checklist when defining your RFP scope.

Device Visibility and Profiling

  • Agentless device discovery and profiling
  • Identification of device type, OS, and manufacturer
  • Real-time visibility into connected devices
  • Automated device categorization and policy assignment

Access Control and Segmentation

  • Role-based access control (RBAC)
  • Dynamic network segmentation and VLAN steering
  • Guest network access management
  • BYOD device management

Posture Assessment and Remediation

  • Automated device health checks (patch status, AV status, disk encryption)
  • Compliance with security policies before granting access
  • Automated remediation of non-compliant devices
  • Quarantine network for non-compliant devices

Integration and Interoperability

  • Integration with existing network infrastructure (switches, routers, wireless)
  • Integration with Identity Providers (IdP) such as Okta or Azure AD
  • Integration with Endpoint Detection and Response (EDR) tools
  • SIEM integration for logging and reporting

Security and Compliance

  • Multi-factor authentication (MFA) for administrative access
  • Data encryption at rest and in transit
  • Compliance with industry regulations (HIPAA, PCI-DSS, GDPR)
  • Role-based access control for administrative functions

Questions to include in your RFP

Architecture & Deployment

  • Describe your solution's architecture (cloud-native, on-premises, hybrid) and its scalability capabilities.
    Understanding the architecture helps determine deployment flexibility and long-term scalability.
  • Explain your solution's fail-open versus fail-closed behavior in the event of a network outage or system failure.
    This is crucial for balancing security with business continuity.
  • Detail your solution's disaster recovery and business continuity plans.
    Ensures minimal disruption in case of unforeseen events.
  • What are the hardware and software requirements for deploying your solution in our environment?
    Helps assess compatibility and potential infrastructure upgrades.

Device Discovery & Profiling

  • How does your solution discover and profile devices without requiring agents?
    Agentless discovery is crucial for IoT and unmanaged devices.
  • What is the accuracy rate of your device fingerprinting capabilities?
    High accuracy ensures proper policy enforcement.
  • Can your system identify and secure devices that do not support 802.1X, such as legacy medical equipment or industrial sensors?
    Tests the depth of their agentless discovery and AI profiling capabilities.
  • How does your solution handle device profiling updates and threat intelligence feeds?
    Ensures continuous protection against emerging threats.

Access Control & Segmentation

  • Describe your solution's dynamic segmentation capabilities and how it prevents lateral movement.
    Segmentation is critical for containing breaches and ransomware attacks.
  • How does your solution handle guest and BYOD device access?
    Ensures secure access for non-corporate devices.
  • Explain your solution's role-based access control (RBAC) capabilities and how they integrate with identity providers.
    RBAC simplifies access management and improves security.
  • How does your solution integrate with our existing Active Directory and Azure AD infrastructure?
    Seamless integration is essential for efficient user management.
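As an added illustration (constructed for this guide, not code from the original page or from any NAC vendor), the following Python sketch shows how the posture checks, fail-open versus fail-closed behaviour, non-802.1X fallback and dynamic VLAN steering asked about above could be exercised in a bake-off. The VLAN numbers, posture keys and sample MAC addresses are assumptions; the RADIUS attribute names follow RFC 3580.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed VLAN plan for the example (an assumption, not from the page).
VLANS = {"corp": 10, "iot": 20, "guest": 30, "quarantine": 99}

# Health checks the RFP checklist names: patch status, AV status, disk encryption.
REQUIRED_POSTURE = {"patched": True, "av_running": True, "disk_encrypted": True}

def vlan_attrs(vlan_id: int) -> dict:
    """RADIUS reply attributes a switch expects for dynamic VLAN steering
    (RFC 3580): Tunnel-Type=VLAN(13), Tunnel-Medium-Type=IEEE-802(6)."""
    return {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
            "Tunnel-Private-Group-Id": str(vlan_id)}

@dataclass
class Device:
    mac: str
    category: str            # profiler output: "corp", "iot" or "guest"
    supports_8021x: bool     # False for legacy medical or industrial gear
    posture: Optional[dict]  # None when the posture service gave no answer

def decide(dev: Device, fail_closed: bool = True) -> dict:
    """Map a profiled device plus its posture result to a VLAN and a reason."""
    def place(vlan_name: str, reason: str) -> dict:
        vlan = VLANS[vlan_name]
        return {"mac": dev.mac, "vlan": vlan, "reason": reason, **vlan_attrs(vlan)}

    if not dev.supports_8021x:
        # MAC-based fallback: the profiled category decides, never "corp".
        return place("iot" if dev.category == "iot" else "guest", "no-802.1x")
    if dev.category != "corp":
        return place(dev.category, "category:" + dev.category)
    if dev.posture is None:
        # Posture service unreachable: fail-closed quarantines, fail-open admits.
        return place("quarantine" if fail_closed else "corp", "posture-unavailable")
    failed = sorted(k for k, v in REQUIRED_POSTURE.items() if dev.posture.get(k) != v)
    if failed:
        # Non-compliant endpoints land in the quarantine VLAN for remediation.
        return place("quarantine", "posture-failed:" + ",".join(failed))
    return place("corp", "posture-ok")
```

Running the same device set against each shortlisted product (healthy, non-compliant, non-802.1X, and posture-service-down) gives a like-for-like comparison of the behaviours the questions above ask vendors to describe.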

Posture Assessment & Remediation

  • What device health checks does your solution perform before granting network access?
    Ensures devices meet minimum security requirements.
  • How does your solution remediate non-compliant devices?
    Automated remediation reduces IT burden.
  • Can your solution enforce specific security settings (e.g., disk encryption, patch levels) on connecting devices?
    Enforces compliance with security policies.
  • Describe the self-service remediation options available to end-users.
    Empowers users to resolve issues and reduces helpdesk tickets.

Integration & Automation

  • What integrations does your solution offer with SIEM, EDR, and other security tools?
    Integration enhances threat detection and response capabilities.
  • How does your solution automate policy enforcement and incident response?
    Automation reduces manual effort and improves efficiency.
  • Describe your solution's API capabilities and how they can be used to integrate with custom applications.
    API access enables flexible integration with existing systems.
  • What percentage of our total connected asset inventory can your platform automatically classify and apply policy to without any manual intervention from our IT staff?
    Reveals the level of automation and the potential labor savings the solution offers.

Reporting & Analytics

  • What reporting and analytics capabilities does your solution offer?
    Provides insights into network access patterns and security posture.
  • Does your solution provide pre-built reporting templates for industry-specific regulations (e.g., HIPAA, PCI-DSS)?
    Reduces the burden on compliance officers.
  • Can your solution generate custom reports to meet specific business requirements?
    Flexibility in reporting is crucial for diverse needs.
  • How does your solution track and report on device compliance and policy violations?
    Provides visibility into security risks and compliance gaps.

Pricing & Support

  • Describe your pricing model (per user, per device, subscription-based) and provide a detailed breakdown of all costs.
    Transparency in pricing is essential for accurate TCO calculations.
  • What level of technical support is included with your solution?
    Adequate support is crucial for successful implementation and ongoing maintenance.
  • What is the process for escalating support issues and what are the guaranteed response times?
    Ensures timely resolution of critical issues.
  • Are there any additional costs for professional services, training, or infrastructure upgrades?
    Identifies potential hidden costs and budget overruns.

Compliance and security requirements

Depending on your industry, you may need to require proof of these certifications and standards.

HIPAA

Required if handling protected health information (PHI). If applicable, request a Business Associate Agreement (BAA) and documentation of HIPAA compliance measures.

PCI-DSS

Required if processing, storing, or transmitting cardholder data. If applicable, request a current Attestation of Compliance (AOC) and documentation of PCI-DSS controls.

GDPR

Required if processing personal data of EU residents. If applicable, request documentation of GDPR compliance measures, including data privacy policies and data breach notification procedures.

SOC 2 Type II

Required for SaaS providers and organizations handling sensitive customer data. If applicable, request a SOC 2 Type II report to assess the vendor's security, availability, processing integrity, confidentiality, and privacy controls.

NIS2

Required if operating in critical infrastructure sectors within the EU. If applicable, request documentation outlining compliance with the NIS2 directive and its cybersecurity requirements.

Evaluation criteria

Here is the suggested weighting for NAC RFPs (weights total 100%).

  • Functionality Fit (25%): How well the solution meets the stated requirements and use cases.
  • Integration Capabilities (20%): The ease and completeness of integration with existing network infrastructure, identity providers, and security tools.
  • Scalability and Performance (15%): The solution's ability to handle current and future network traffic and device density without performance degradation.
  • Security and Compliance (15%): The strength of the solution's security features and its compliance with relevant industry regulations.
  • Total Cost of Ownership (TCO) (10%): The overall cost of the solution, including licensing, implementation, maintenance, and support.
  • Vendor Reputation and Support (10%): The vendor's track record, customer references, and the quality of their technical support.
  • Ease of Use and Management (5%): The intuitiveness of the solution's interface and the simplicity of its management tools.

Adjust the weights to your priorities; each note below applies to the criterion listed in the same position above.

  • Functionality Fit: increase if the solution offers unique or innovative features.
  • Integration Capabilities: increase if complex integrations with multiple systems are required.
  • Scalability and Performance: increase for organizations experiencing rapid growth or significant device proliferation.
  • Security and Compliance: increase for organizations in highly regulated industries (e.g., healthcare, finance).
  • Total Cost of Ownership: decrease if the organization has significant internal expertise or resources.
  • Vendor Reputation and Support: increase if the vendor is relatively new to the market.
  • Ease of Use and Management: increase if the IT team has limited experience with NAC solutions.

Red flags to watch

  • Agent Required for All Devices

    A solution that requires agents for all devices, including IoT devices, is not a viable modern solution.

  • Proprietary Protocols

    Vendors that use custom versions of standard protocols may create interoperability issues with existing network infrastructure.

  • Complex, Manual Onboarding

    A solution that requires more than a few manual steps to onboard new devices or guests will not scale effectively.

  • Lack of SOC 2 or HIPAA Compliance

    A security vendor that hasn't audited its own data practices presents a significant third-party risk.

  • Vague Pricing Responses

    Vendors who can't provide clear pricing often have hidden costs or complex fee structures that inflate TCO.

  • Limited Integration Options

    A lack of integration with existing security tools and identity providers can create silos and reduce overall security effectiveness.

Key metrics to request

Ask vendors to provide benchmarks from similar customers.

Implementation Timeline for Similar Customers

Helps set realistic expectations and identify potential delays.

Average Time to First Value

Indicates how quickly you'll see ROI from the investment.

Percentage of Devices Automatically Profiled

Measures the effectiveness of agentless discovery and profiling capabilities.

Reduction in Manual Port Security Tickets

Quantifies the efficiency gains from automated access control.

Time to Detect and Contain a Data Breach

Demonstrates the solution's ability to minimize the impact of security incidents.

Customer Satisfaction Scores

Provides insight into the vendor's overall performance and customer support quality.