
How to write an RFP for SASE

Requirements, questions, and evaluation criteria specific to SASE procurement

7 min read

Procuring a Secure Access Service Edge (SASE) solution requires a comprehensive RFP due to the convergence of networking and security functions. The complexity of integrating these disparate capabilities, coupled with evolving threat landscapes, necessitates a well-defined RFP to ensure alignment with organizational needs and strategic goals.

What makes SASE RFPs different

SASE RFPs are unique because they demand a holistic approach that spans both network infrastructure and cybersecurity domains. Unlike traditional software procurements focusing on a single function, SASE requires evaluating a converged platform integrating SD-WAN, ZTNA, CASB, FWaaS, and other security services.

This convergence introduces complexity in defining requirements, assessing vendor capabilities, and ensuring integration with existing IT infrastructure.

Furthermore, the shift from perimeter-based security to identity-based security requires careful consideration of access control policies, data protection measures, and compliance requirements.

SASE solutions must adapt to dynamic user access patterns, diverse device types, and distributed application environments, making the RFP process more intricate than standard software acquisitions. Evaluating AI-driven automation and autonomous digital experience management (ADEM) adds a further layer of sophistication.

Finally, SASE deployments are often phased, multi-year projects.

The RFP needs to address not just the immediate requirements but also the long-term scalability, flexibility, and adaptability of the solution to accommodate evolving business needs and emerging threats. Areas a SASE RFP must address explicitly include:

  • Integration capabilities with existing identity providers (IdP), SIEM tools, and XDR platforms
  • Deployment flexibility to support various on-ramps (software agents, thin-edge hardware, clientless access)
  • Total Cost of Ownership (TCO) transparency, including implementation services, training, and data egress charges
  • Global performance and SLAs based on application performance (latency, jitter, packet loss)

RFP vs RFI vs RFQ

Here's when to use each document type when procuring a SASE platform.

RFI

Request for Information

Use early in your search to understand what vendors offer and narrow your list. Gather general capabilities, company background, and high-level pricing ranges.

RFP

Request for Proposal

Use when you know your requirements and want detailed vendor solutions and pricing. This is your main evaluation document for shortlisted vendors.

RFQ

Request for Quote

Use when requirements are fixed and you just need final pricing. Often used after RFP when you're ready to negotiate with finalists.

When procuring SASE, an RFI is useful for initial market research to understand vendor offerings and architectural approaches. An RFP is essential for a detailed technical and commercial evaluation, ensuring the solution meets specific networking and security requirements. An RFQ is rarely the primary vehicle, because SASE deployments involve too much architectural customization to price from a fixed specification; where it is used, it follows the RFP to lock in final pricing with the finalists.

Technical requirements checklist

Use this checklist when defining your RFP scope.

Networking Capabilities

  • SD-WAN functionality with application-aware routing
  • Quality of Service (QoS) and traffic prioritization
  • Bandwidth aggregation and dynamic path selection
  • Support for multiple WAN links (MPLS, broadband, 5G)
  • Network segmentation and micro-segmentation

Security Features

  • Zero Trust Network Access (ZTNA) with continuous authentication
  • Cloud Access Security Broker (CASB) with inline and API-based controls
  • Secure Web Gateway (SWG) with URL filtering and threat intelligence
  • Firewall as a Service (FWaaS) with Layer 7 inspection
  • Data Loss Prevention (DLP) with content inspection and data classification

Identity and Access Management

  • Multi-Factor Authentication (MFA) integration
  • Single Sign-On (SSO) support
  • Role-Based Access Control (RBAC)
  • Device posture assessment and compliance checks
  • Integration with existing Identity Providers (IdPs)

Management and Monitoring

  • Centralized management console with unified policy enforcement
  • Real-time monitoring and alerting
  • Reporting and analytics dashboards
  • Integration with SIEM/XDR platforms
  • Automated incident response capabilities

Deployment and Architecture

  • Cloud-native architecture with global Points of Presence (PoPs)
  • Support for various deployment models (cloud, hybrid)
  • Scalability and elasticity to accommodate growing user base
  • Resiliency and redundancy for high availability
  • Single-pass architecture for low latency

Questions to include in your RFP

Architecture & Deployment

  • Describe your SASE architecture, including the location and density of your Points of Presence (PoPs).
    PoP density impacts latency and performance.
  • Is your SASE solution built on a single-pass architecture, or does it use service chaining?
    Single-pass architectures decrypt and inspect traffic once for all services, avoiding the added latency and repeated decryption of chained engines.
  • What deployment options are available (cloud, on-premise, hybrid)?
    Ensures alignment with your infrastructure strategy.
  • How does your solution ensure data sovereignty and compliance with regional regulations?
    Critical for organizations operating in multiple geographies.
  • Describe your disaster recovery and business continuity approach.
    Ensures minimal downtime in case of outages.

SD-WAN Capabilities

  • Describe your SD-WAN capabilities, including application-aware routing and dynamic path selection.
    Ensures optimal performance for critical applications.
  • How does your solution handle bandwidth aggregation and traffic prioritization?
    Maximizes network efficiency and user experience.
  • What types of WAN links are supported (MPLS, broadband, 5G)?
    Ensures compatibility with existing network infrastructure.
  • Does your solution support network segmentation and micro-segmentation?
    Enhances security by isolating sensitive data and applications.

ZTNA & Access Control

  • Describe your Zero Trust Network Access (ZTNA) implementation, including continuous authentication and device posture assessment.
    Ensures secure access to applications based on verified identity and device health.
  • How does your solution integrate with existing Identity Providers (IdPs) such as Okta or Microsoft Entra ID (formerly Azure AD)?
    Streamlines user management and authentication processes.
  • Does your solution support multi-factor authentication (MFA) and single sign-on (SSO)?
    Enhances security and improves user experience.
  • How does your solution handle access control for different user roles and device types?
    Ensures granular control over access to sensitive resources.

Security Service Edge (SSE)

  • Describe your Secure Web Gateway (SWG) capabilities, including URL filtering and threat intelligence.
    Protects users from web-based threats and enforces acceptable use policies.
  • How does your Cloud Access Security Broker (CASB) secure SaaS applications?
    Secures data and prevents unauthorized access to cloud applications.
  • Describe your Firewall as a Service (FWaaS) capabilities, including Layer 7 inspection and threat prevention.
    Provides advanced threat protection at the network edge.
  • What Data Loss Prevention (DLP) features are included in your solution?
    Prevents sensitive data from leaving the organization.

Management & Reporting

  • Describe your centralized management console and its capabilities for policy enforcement and monitoring.
    Provides a single pane of glass for managing the entire SASE solution.
  • What types of reports and analytics dashboards are available?
    Provides insights into network performance, security threats, and user behavior.
  • How does your solution integrate with SIEM/XDR platforms for threat correlation and incident response?
    Enables proactive threat detection and incident response.
  • Does your solution offer automated incident response capabilities?
    Reduces the time to detect and respond to security incidents.

Pricing & Licensing

  • Describe your pricing model, including all licensing fees and potential overage charges.
    Ensures transparency and avoids budget surprises.
  • Are there any data egress fees associated with your cloud-based services?
    Data egress fees can significantly impact the total cost of ownership.
  • Do you offer flexible pricing options based on consumption or usage?
    Allows organizations to align costs with actual business needs.
  • What is included in your base price, and what are the costs for additional features or services?
    Provides a clear understanding of the overall investment.

Support & SLAs

  • Describe your support services, including response times and escalation procedures.
    Ensures timely assistance in case of technical issues.
  • What Service Level Agreements (SLAs) do you offer for uptime, performance, and security?
    Defines the vendor's commitment to service quality and availability.
  • Do you offer dedicated support engineers or account managers?
    Provides personalized support and proactive account management.
  • What training and documentation resources are available for your solution?
    Enables organizations to effectively manage and maintain the SASE platform.

Compliance and security requirements

Depending on your industry, you may need to require proof of these certifications and standards.

PCI DSS

Required if the solution handles, or can affect the security of, payment card data. Request the current PCI DSS Attestation of Compliance (AOC) and confirm which services are in scope.

HIPAA

Required if the solution will process or transmit protected health information. Request the vendor's Business Associate Agreement (BAA) template and HIPAA compliance documentation.

SOC 2 Type II

Expected of SaaS providers and data processors. Request the SOC 2 Type II report (usually under NDA) and review any exceptions the auditor noted.

GDPR

Required if processing personal data of individuals in the EU. Request the vendor's data protection measures, its Data Processing Agreement, and details of where data is stored and processed.

ISO 27001

A general security best practice rather than a legal requirement. Request the ISO 27001 certificate and confirm that the certified scope covers the SASE service you are buying.

Evaluation criteria

Here is the suggested weighting for SASE RFPs.

Functionality Fit (25%): How well the solution meets stated requirements.
Security Efficacy (20%): Effectiveness in preventing and mitigating threats.
Total Cost of Ownership (15%): Implementation, licensing, and ongoing costs.
Integration Capabilities (15%): Ability to integrate with existing identity providers, SIEM/XDR platforms, and network infrastructure.
Performance and Scalability (10%): Ability to handle current and future network traffic.
Vendor Reputation and Stability (10%): Financial health and market position of the vendor.
Ease of Management (5%): Simplicity of the management interface and policy configuration.

Adjust the weights to match your priorities, keeping the total at 100% by reducing other criteria accordingly:

  • Increase Functionality Fit if replacing a highly customized legacy system.
  • Increase Security Efficacy for highly regulated industries.
  • Increase Integration Capabilities if a complex integration landscape exists.
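The scoring model above is simple to run as code, and doing so makes the evaluation reproducible and lets you see how a priority adjustment changes the ranking. The script below is an added example, not part of the original page: it disqualifies vendors that fail a mandatory requirement before any scoring, averages evaluator marks per criterion, applies the base weights or an adjusted set, and ranks the remainder. The vendor names, evaluator marks, the three mandatory gate names and the +10 adjustment size are constructed for illustration.

```python
"""Weighted scoring of SASE RFP responses.

Added example, not from the original page: applies the suggested weighting
table to evaluator scores, after first disqualifying vendors that fail a
mandatory requirement. Vendor names, evaluator marks, mandatory gate names
and the +10 adjustment size are constructed for illustration.
"""
from dataclasses import dataclass

# Suggested base weights from the evaluation table (percent; must total 100).
BASE_WEIGHTS = {
    "functionality_fit": 25,
    "security_efficacy": 20,
    "tco": 15,
    "integration": 15,
    "performance_scalability": 10,
    "vendor_stability": 10,
    "ease_of_management": 5,
}
assert sum(BASE_WEIGHTS.values()) == 100

# Priority flags from the text, mapped to the criterion they raise. The +10
# is an assumed size; after adding it the weights are rescaled to total 100.
ADJUSTMENTS = {
    "legacy_replacement": {"functionality_fit": 10},
    "regulated_industry": {"security_efficacy": 10},
    "complex_integration": {"integration": 10},
}

# Pass/fail gates checked before any scoring. A vendor that cannot produce
# these (see the red flags section) is excluded, not merely marked down.
MANDATORY = ("soc2_type2_report", "detailed_sla", "itemised_pricing")


@dataclass
class VendorResponse:
    name: str
    gates: dict    # mandatory requirement -> bool
    scores: dict   # criterion -> list of evaluator marks, each 1..5


def adjusted_weights(base=BASE_WEIGHTS, flags=()):
    """Apply the selected priority flags and rescale so the weights total 100."""
    weights = dict(base)
    for flag in flags:
        for criterion, delta in ADJUSTMENTS[flag].items():
            weights[criterion] += delta
    total = sum(weights.values())
    return {k: v * 100 / total for k, v in weights.items()}


def failed_gates(vendor):
    """Return the mandatory requirements this vendor did not satisfy."""
    return [g for g in MANDATORY if not vendor.gates.get(g, False)]


def weighted_score(vendor, weights):
    """Average each criterion across evaluators, then weight; result is 0..100."""
    total = 0.0
    for criterion, weight in weights.items():
        marks = vendor.scores[criterion]
        if not marks or any(not 1 <= m <= 5 for m in marks):
            raise ValueError(f"{vendor.name}: invalid marks for {criterion}")
        total += weight * (sum(marks) / len(marks)) / 5
    return round(total, 1)


def rank(vendors, flags=()):
    """Return (ranked [(name, score)], disqualified {name: missing gates})."""
    weights = adjusted_weights(flags=flags)
    ranked, disqualified = [], {}
    for vendor in vendors:
        missing = failed_gates(vendor)
        if missing:
            disqualified[vendor.name] = missing
        else:
            ranked.append((vendor.name, weighted_score(vendor, weights)))
    ranked.sort(key=lambda item: item[1], reverse=True)
    return ranked, disqualified


# Constructed responses: two evaluators each, marks 1..5.
VENDORS = [
    VendorResponse("Vendor A",
        {"soc2_type2_report": True, "detailed_sla": True, "itemised_pricing": True},
        {"functionality_fit": [4, 5], "security_efficacy": [4, 4], "tco": [3, 3],
         "integration": [5, 5], "performance_scalability": [4, 4],
         "vendor_stability": [5, 5], "ease_of_management": [3, 3]}),
    VendorResponse("Vendor B",   # top marks, but no detailed SLA: disqualified
        {"soc2_type2_report": True, "detailed_sla": False, "itemised_pricing": True},
        {k: [5, 5] for k in BASE_WEIGHTS}),
    VendorResponse("Vendor C",
        {"soc2_type2_report": True, "detailed_sla": True, "itemised_pricing": True},
        {"functionality_fit": [3, 3], "security_efficacy": [5, 5], "tco": [4, 4],
         "integration": [4, 4], "performance_scalability": [5, 5],
         "vendor_stability": [4, 4], "ease_of_management": [5, 5]}),
]

if __name__ == "__main__":
    for flags in ((), ("regulated_industry",)):
        ranked, disqualified = rank(VENDORS, flags)
        print(f"flags={flags}: {ranked}; disqualified={disqualified}")
```

With the base weights Vendor A leads (83.5 against 82.0); raising Security Efficacy for a regulated industry flips the order (Vendor C 83.6, Vendor A 83.2), which is exactly the sensitivity the adjustment bullets describe. Vendor B never reaches the scoreboard because a missing SLA is a gate, not a score.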

Red flags to watch

  • Vague pricing responses

    Vendors who can't provide clear pricing often have hidden costs or complex fee structures that inflate TCO.

  • No customer references in your industry

    Lack of relevant references suggests limited experience with your specific requirements and use cases.

  • Inability to provide detailed SLAs

    Weak SLAs indicate a lack of confidence in the solution's performance and reliability.

  • Stitched-together solution

    Solutions that are merely bundled rather than natively integrated may suffer from performance and management issues.

  • Limited global PoP presence

    Insufficient PoPs can lead to increased latency and poor user experience for remote users.

Key metrics to request

Ask vendors to provide benchmarks from similar customers.

Implementation timeline for similar customers

Helps set realistic expectations and identify potential delays.

Average time to first value

Indicates how quickly you'll see ROI from the investment.

Uptime and availability

Ensures business continuity and minimizes downtime.

Latency for key applications

Impacts user experience and productivity.

Threat detection and prevention rates

Measures the effectiveness of the security controls. Ask for results from independent testing and verify them in your own proof of concept rather than relying on vendor-reported figures.
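Latency, jitter, packet loss and uptime are only useful as RFP requirements if you can check them during the proof of concept. The script below is an added example, not part of the original page: it computes those four metrics per Point of Presence from probe samples and lists every PoP that misses a threshold written into the RFP. The PoP names, probe samples, health-check results and SLA numbers are constructed for illustration; a real PoC should collect thousands of samples per PoP over several days, not the ten shown here.

```python
"""Checking proof-of-concept measurements against the SLA thresholds in the RFP.

Added example, not from the original page: computes p95 latency, jitter,
packet loss and availability per Point of Presence from probe samples and
lists every PoP that breaches a threshold. PoP names, probe samples,
health-check results and SLA numbers are constructed for illustration.
"""
import math

# Constructed thresholds as they might appear in the RFP performance section.
# Derive real values from the applications that matter most to you (voice and
# video tolerate far less jitter and loss than bulk SaaS traffic).
SLA = {
    "p95_latency_ms": 60.0,
    "jitter_ms": 10.0,
    "packet_loss_pct": 0.5,
    "availability_pct": 99.9,
}


def percentile(values, pct):
    """Nearest-rank percentile of a non-empty list."""
    ordered = sorted(values)
    position = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[position - 1]


def metrics(samples):
    """samples: one RTT in ms per probe, or None where the probe was lost."""
    sent = len(samples)
    rtts = [s for s in samples if s is not None]
    loss_pct = round(100 * (sent - len(rtts)) / sent, 2)
    if not rtts:
        return {"p95_latency_ms": None, "jitter_ms": None, "packet_loss_pct": loss_pct}
    # Jitter here is the mean absolute difference between consecutive RTTs
    # (a simplification of the RFC 3550 inter-arrival jitter estimator).
    deltas = [abs(a - b) for a, b in zip(rtts, rtts[1:])]
    jitter = sum(deltas) / len(deltas) if deltas else 0.0
    return {
        "p95_latency_ms": percentile(rtts, 95),
        "jitter_ms": round(jitter, 2),
        "packet_loss_pct": loss_pct,
    }


def availability(checks):
    """checks: one boolean per scheduled health probe (e.g. once a minute)."""
    return round(100 * sum(1 for ok in checks if ok) / len(checks), 3)


def sla_breaches(pop_samples, pop_checks, sla=SLA):
    """Return {pop: {metric: measured}} for every metric outside its threshold."""
    breaches = {}
    for pop, samples in pop_samples.items():
        measured = metrics(samples)
        measured["availability_pct"] = availability(pop_checks[pop])
        failed = {}
        for key, limit in sla.items():
            value = measured[key]
            if value is None:                 # no successful probe at all
                failed[key] = value
            elif key == "availability_pct":   # higher is better
                if value < limit:
                    failed[key] = value
            elif value > limit:               # lower is better
                failed[key] = value
        if failed:
            breaches[pop] = failed
    return breaches


# Constructed probe data: ten probes per PoP and one day of
# minute-by-minute health checks.
POP_SAMPLES = {
    "fra": [22.1, 23.4, 21.9, 22.8, 24.0, 22.5, 23.1, 21.7, 22.9, 23.3],
    "nyc": [30.2, 31.0, 29.8, 30.5, 31.4, 30.1, 29.9, 30.7, 31.2, 30.4],
    # Two lost probes and one 120 ms spike: loss, p95 and jitter all breach.
    "sin": [48.0, 51.2, None, 49.5, 120.3, 50.1, None, 52.7, 49.9, 51.0],
}
POP_CHECKS = {
    "fra": [True] * 1440,
    "nyc": [True] * 1437 + [False] * 3,   # three failed minutes: 99.79%, under 99.9%
    "sin": [True] * 1440,
}

if __name__ == "__main__":
    for pop, failed in sla_breaches(POP_SAMPLES, POP_CHECKS).items():
        print(pop, failed)
```

Run against the constructed data, fra passes everything, sin breaches latency, jitter and loss, and nyc breaches only availability, which is the point of measuring uptime separately from per-probe performance: a PoP can be fast when it is up and still miss the SLA. Feed the same functions with real probe output from your PoC and compare the result with the vendor's stated SLAs before signing.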