
How to write an RFP for DaaS and VPN

Requirements, questions, and evaluation criteria specific to DaaS and VPN procurement


Procuring DaaS and VPN solutions requires careful consideration due to the critical role they play in secure remote access and business continuity. A well-crafted RFP is essential to evaluate the diverse range of solutions and ensure alignment with an organization's specific needs, security posture, and infrastructure requirements. The unique complexities of these network solutions necessitate a thorough RFP process.

What makes DaaS and VPN RFPs different

RFPs for DaaS and VPN solutions differ significantly from general software RFPs because they involve core network infrastructure and security considerations. Unlike application-specific software, these solutions directly impact network performance, data security, and user experience across the entire organization.

The choice between VPN, DaaS, or a hybrid approach depends on factors like data sensitivity, regulatory compliance, existing infrastructure, and the level of control desired over the desktop environment.

Furthermore, the rise of Zero Trust Network Access (ZTNA) and Secure Access Service Edge (SASE) architectures adds another layer of complexity.

Organizations must carefully evaluate how potential solutions integrate with these modern security frameworks and whether they offer the granular access control and threat prevention capabilities required in today's threat landscape.

Legacy VPNs, for example, may not provide the same level of security as ZTNA solutions, which focus on identity-based access and continuous authentication.

Finally, DaaS solutions introduce unique considerations related to cloud infrastructure, virtualization technologies, and digital employee experience (DEX) monitoring.

The RFP should address topics such as data residency, service level agreements (SLAs), and the vendor's ability to provide high-performance virtual desktops with minimal latency. Key considerations for any DaaS or VPN RFP include:

  • Security requirements, including data encryption, multi-factor authentication (MFA), and compliance with relevant regulations (e.g., HIPAA, PCI-DSS)
  • Network performance and latency, especially for users in geographically diverse locations
  • Integration with existing IT infrastructure, including identity management systems, security tools, and cloud platforms
  • Scalability and flexibility to support fluctuating user demands and future growth

RFP vs RFI vs RFQ

Here's when to use each document type when procuring DaaS and VPN software.

RFI

Request for Information

Use early in your search to understand what vendors offer and narrow your list. Gather general capabilities, company background, and high-level pricing ranges.

RFP

Request for Proposal

Use when you know your requirements and want detailed vendor solutions and pricing. This is your main evaluation document for shortlisted vendors.

RFQ

Request for Quote

Use when requirements are fixed and you just need final pricing. Often used after RFP when you're ready to negotiate with finalists.

For DaaS and VPN solutions, an RFI is useful for initial market research to understand available technologies and vendor capabilities. An RFP is crucial for a detailed evaluation of specific solutions against defined requirements, while an RFQ is less common due to the complexity and customization often involved.

Technical requirements checklist

Use this checklist when defining your RFP scope.

Security Requirements

  • Data encryption in transit and at rest
  • Multi-factor authentication (MFA) support
  • Integration with SIEM/SOAR platforms
  • Compliance certifications (SOC 2, HIPAA, PCI-DSS)
  • Zero Trust Network Access (ZTNA) capabilities

Network Performance

  • Low-latency access for remote users
  • Support for various network protocols
  • Bandwidth optimization techniques
  • Quality of Service (QoS) features
  • Global network coverage

DaaS Specific Requirements

  • Support for various operating systems (Windows, macOS, Linux)
  • GPU workload support
  • Digital Employee Experience (DEX) monitoring
  • Multi-broker freedom (Citrix, AVD, Omnissa)
  • Predictive scaling and AI-driven provisioning

VPN Specific Requirements

  • Support for various VPN protocols (e.g., OpenVPN, IPsec)
  • Split tunneling capabilities
  • Integration with endpoint management (UEM) systems
  • Centralized management and monitoring
  • Automatic failover and redundancy

Integration Requirements

  • Integration with identity providers (e.g., Active Directory, Azure AD)
  • Integration with security information and event management (SIEM) systems
  • API availability for custom integrations
  • Integration with existing network infrastructure
  • Integration with cloud platforms (AWS, Azure, GCP)

Questions to include in your RFP

Architecture & Deployment

  • Describe your solution's architecture, including all components and their functions.
    Understanding the architecture ensures it aligns with your infrastructure and security requirements.
  • What deployment options are available (cloud, on-premise, hybrid)?
    Different deployment models have different cost, security, and management implications.
  • What is your disaster recovery and business continuity approach?
    Essential for ensuring minimal downtime and data loss in case of an outage.
  • How does your solution handle data residency and compliance with regional regulations?
    Critical for organizations operating in multiple jurisdictions.

Security

  • Describe your security measures for protecting data in transit and at rest.
    Ensures data confidentiality and integrity.
  • What multi-factor authentication (MFA) methods are supported?
    MFA adds an extra layer of security to prevent unauthorized access.
  • How does your solution address common security threats, such as malware and phishing?
    Understanding the threat protection capabilities is crucial for a secure environment.
  • Do you have any third-party security audits or certifications (e.g., SOC 2, ISO 27001)?
    Validates the vendor's commitment to security best practices.
  • Explain your incident response plan in the event of a security breach.
    Knowing the vendor's response plan helps minimize the impact of a potential breach.

Performance & Scalability

  • What is the expected latency for users in different geographic locations?
    Low latency is essential for a good user experience.
  • How does your solution scale to support a growing number of users?
    Ensures the solution can handle future growth without performance degradation.
  • What monitoring and reporting tools are available to track performance?
    Allows you to identify and address performance bottlenecks.
  • Can you provide performance benchmarks from similar customer deployments?
    Provides real-world evidence of the solution's performance capabilities.

Integration

  • What integration options are available with our existing identity management system?
    Seamless integration simplifies user management and improves security.
  • Does your solution offer an API for custom integrations?
    Allows you to connect the solution with other business applications.
  • How does your solution integrate with our existing network infrastructure?
    Ensures compatibility and avoids conflicts.
  • What pre-built integrations are available with common cloud platforms?
    Simplifies integration with cloud services like AWS, Azure, and GCP.

Pricing & Licensing

  • Describe your pricing model and all associated costs.
    Understanding the pricing model helps you budget accurately.
  • What are the licensing options available (e.g., per user, concurrent user, device-based)?
    Choosing the right licensing model can optimize costs.
  • Are there any additional fees for implementation, training, or support?
    Uncovering hidden costs is essential for accurate TCO calculation.
  • Do you offer volume discounts or other incentives?
    Negotiating discounts can reduce overall costs.
  • What are the payment terms and cancellation policies?
    Understanding the terms and policies protects your organization's interests.

Support & Maintenance

  • What support channels are available (e.g., phone, email, chat)?
    Ensures timely assistance when needed.
  • What is the guaranteed response time for support requests?
    Minimizes downtime and disruption.
  • Do you offer 24/7 support?
    Critical for organizations with global operations.
  • What is your maintenance and update schedule?
    Keeps the solution up-to-date with the latest features and security patches.
  • Do you provide training and documentation for users and administrators?
    Facilitates adoption and reduces support requests.

Compliance and security requirements

Depending on your industry, you may need to require proof of these certifications and standards.

SOC 2 Type II

Required for organizations requiring assurance over data security, availability, processing integrity, confidentiality, and privacy. If applicable, request a copy of the latest SOC 2 Type II report.

HIPAA

Required for organizations handling protected health information (PHI). If applicable, request a Business Associate Agreement (BAA) and documentation of HIPAA compliance measures.

PCI-DSS

Required for organizations processing, storing, or transmitting credit card data. If applicable, request a copy of the Attestation of Compliance (AOC) and documentation of PCI-DSS compliance measures.

GDPR

Required for organizations processing personal data of individuals in the European Union (EU). If applicable, request information on GDPR compliance measures, including data protection policies and procedures.

ISO 27001

Required for organizations requiring a comprehensive information security management system (ISMS). If applicable, request a copy of the ISO 27001 certification.

Evaluation criteria

Here is the suggested weighting for DaaS and VPN RFPs.

  • Functionality Fit (25%): How well the solution meets the stated functional requirements
  • Security (20%): Strength of security measures and compliance with relevant standards
  • Performance and Scalability (15%): Ability to deliver low-latency access and scale to support growing user demands
  • Integration Capabilities (15%): Ease of integration with existing IT infrastructure and applications
  • Total Cost of Ownership (TCO) (15%): Implementation, licensing, and ongoing operational costs
  • Vendor Support and Reliability (10%): Quality of vendor support and track record of reliability

Adjust these weights based on your priorities:

  • Increase Functionality Fit if specific niche features are critical
  • Increase Security for highly regulated industries
  • Increase Performance and Scalability for organizations with geographically dispersed users
  • Increase Integration Capabilities if a complex integration landscape exists
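The weighting and adjustment procedure above is easy to get wrong in a spreadsheet (weights that no longer total 100%, a criterion left unrated, a rating outside the scale). The following script is an added example, not part of the original guide or any vendor's tooling: it takes the six criteria and default weights from the table, lets you raise selected criteria while scaling the others down so the total stays at 100, validates every input, and ranks vendors. The 1-5 rating scale, the vendor names and their ratings are constructed sample data.

```python
"""Weighted vendor scoring for a DaaS/VPN RFP (added example, constructed data)."""
from typing import Dict, List, Tuple

Weights = Dict[str, float]
Ratings = Dict[str, int]

# Criteria and default weights taken from the evaluation criteria table.
DEFAULT_WEIGHTS: Weights = {
    "Functionality Fit": 25,
    "Security": 20,
    "Performance and Scalability": 15,
    "Integration Capabilities": 15,
    "Total Cost of Ownership (TCO)": 15,
    "Vendor Support and Reliability": 10,
}

RATING_MIN, RATING_MAX = 1, 5  # assumed 1-5 rating scale per criterion


def validate_weights(weights: Weights) -> None:
    """Reject weight sets that contain negatives or do not total 100."""
    if any(w < 0 for w in weights.values()):
        raise ValueError("weights must be non-negative")
    total = sum(weights.values())
    if abs(total - 100) > 1e-9:
        raise ValueError(f"weights total {total}, expected 100")


def adjust_weights(base: Weights, increases: Dict[str, float]) -> Weights:
    """Raise the named criteria by the given points and scale the remaining
    criteria down proportionally so the total stays at 100."""
    unknown = set(increases) - set(base)
    if unknown:
        raise ValueError(f"unknown criteria: {sorted(unknown)}")
    raised = {c: base[c] + pts for c, pts in increases.items()}
    raised_total = sum(raised.values())
    if raised_total > 100:
        raise ValueError("increased criteria alone exceed 100 points")
    rest = {c: w for c, w in base.items() if c not in raised}
    rest_total = sum(rest.values())
    scale = (100 - raised_total) / rest_total if rest_total else 0.0
    adjusted = {c: (raised[c] if c in raised else rest[c] * scale) for c in base}
    validate_weights(adjusted)  # catches the degenerate all-raised case too
    return adjusted


def score_vendor(weights: Weights, ratings: Ratings) -> float:
    """Weighted score on a 0-100 scale: each rating contributes its criterion's
    weight in proportion to the maximum rating (all 5s gives 100)."""
    validate_weights(weights)
    missing = set(weights) - set(ratings)
    if missing:
        raise ValueError(f"missing ratings: {sorted(missing)}")
    for c in weights:
        if not RATING_MIN <= ratings[c] <= RATING_MAX:
            raise ValueError(f"rating for {c!r} out of range: {ratings[c]}")
    return sum(weights[c] * ratings[c] / RATING_MAX for c in weights)


def rank_vendors(weights: Weights, vendors: Dict[str, Ratings]) -> List[Tuple[str, float]]:
    """Return (vendor, score) pairs, highest score first."""
    scored = [(name, score_vendor(weights, r)) for name, r in vendors.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample ratings for two hypothetical vendors.
SAMPLE_VENDORS: Dict[str, Ratings] = {
    "Vendor A": {
        "Functionality Fit": 4, "Security": 5, "Performance and Scalability": 3,
        "Integration Capabilities": 4, "Total Cost of Ownership (TCO)": 3,
        "Vendor Support and Reliability": 4,
    },
    "Vendor B": {
        "Functionality Fit": 5, "Security": 3, "Performance and Scalability": 4,
        "Integration Capabilities": 3, "Total Cost of Ownership (TCO)": 5,
        "Vendor Support and Reliability": 3,
    },
}

if __name__ == "__main__":
    print("Default weights:", rank_vendors(DEFAULT_WEIGHTS, SAMPLE_VENDORS))
    # Regulated industry: raise Security by 10 points, rescale the rest.
    regulated = adjust_weights(DEFAULT_WEIGHTS, {"Security": 10})
    print("Regulated-industry weights:", rank_vendors(regulated, SAMPLE_VENDORS))
```

With the default weights the sample data ranks Vendor B first (79.0 vs 78.0); raising Security by 10 points for a regulated industry flips the order (Vendor A 80.75 vs Vendor B 76.625), which is exactly the sensitivity a scoring committee should see before committing to a weighting.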

Red flags to watch

  • Vague pricing responses

    Vendors who can't provide clear pricing often have hidden costs or complex fee structures that inflate TCO

  • No customer references in your industry

    Lack of relevant references suggests limited experience with your specific requirements and use cases

  • Hesitation on data practices

    If a vendor cannot clearly explain where data is stored or how it is handled, it signals a lack of commitment to privacy

  • Weak financial stability

    Signs of operational or financial instability are a long-term risk for a category that requires a partnership, not just a product

  • Vague SLAs

    Service level agreements that lack specific penalties or remediation steps for downtime

Key metrics to request

Ask vendors to provide benchmarks from similar customers.

Implementation timeline for similar customers

Helps set realistic expectations and identify potential delays

Average time to first value

Indicates how quickly you'll see ROI from the investment

Uptime percentage

Measures the reliability and availability of the solution

Number of support tickets per month

Indicates the level of support required and potential issues

Customer satisfaction score

Provides insight into the overall customer experience