It Vulnerability Scanning Tool RFP Template R1

The document is a template for a request for proposal for a vulnerability scanning and assessment tool. It outlines the purpose, scope, and requirements for the tool, including functional requirements, technical specifications, pricing, and terms. Vendors are invited to respond with written proposals meeting the outlined requirements.

Vulnerability Scanning Tool RFP Template

Introduction: How to Use This Template


A request for proposal (RFP) is a formal invitation issued by a business or agency requesting interested
vendors to submit written proposals meeting a particular set of requirements. If interested in bidding for the
project, vendors respond with a description of the techniques they would employ to meet the requirements, a
plan of work, and a detailed budget for the project, along with supporting information. An RFP may form part of
the final contract once negotiations between the enterprise and the vendor are completed.

Delete all information where text is colored GREY (such as this paragraph). Fill in or delete all form fields
shaded in GREY (such as the “Insert Company Name Here” field below). Form shading is not visible in
printouts.

Change all necessary text to BLACK before printing or sending.

1
Info-Tech Research Group
Table of Contents
1. Statement of Work............................................................................................................................................... 3
1.1. Purpose....................................................................................................................................................... 3
1.2. Coverage & Participation............................................................................................................................ 3
2. General Information............................................................................................................................................. 3
2.1. Original RFP Document.............................................................................................................................. 3
2.2. The Organization........................................................................................................................................ 3
2.3. Existing Technology Environment............................................................................................................... 3
2.4. Obligations and Objectives for Vulnerability Scanning Tool........................................................................4
2.5. Schedule of Events..................................................................................................................................... 4
3. Proposal Preparation Instructions........................................................................................................................ 4
3.1. Vendor’s Understanding of the RFP............................................................................................................ 4
3.2. Good Faith Statement................................................................................................................................. 4
3.3. Communication........................................................................................................................................... 4
3.4. Proposal Submission.................................................................................................................................. 5
3.5. Criteria for Selection.................................................................................................................................... 6
3.6. Selection and Notification............................................................................................................................ 6
4. Scope of Work, Specifications, and Requirements.............................................................................................. 6
4.1. Functional Requirements............................................................................................................................ 6
4.2. Technical Specifications............................................................................................................................ 14
4.3. Architecture............................................................................................................................................... 14
4.4. Training, Installation, and Maintenance Support.......................................................................................14
4.5. Engagement Methodology........................................................................................................................ 15
5. Vendor Qualifications and References.............................................................................................................. 15
6. Budget and Estimated Pricing........................................................................................................................... 15
6.1. Pricing and Licensing................................................................................................................................ 15
6.2. Estimated Costs........................................................................................................................................ 15
7. Additional Terms and Conditions....................................................................................................................... 17
7.1. Personal Information................................................................................................................................. 17
7.2. Non-Disclosure Agreement....................................................................................................................... 17
7.3. Costs......................................................................................................................................................... 17
7.4. Intellectual Property.................................................................................................................................. 17
7.5. Respondent’s Responses......................................................................................................................... 17
7.6. Governing Law.......................................................................................................................................... 17
7.7. No Liability................................................................................................................................................ 17
7.8. Entire RFP................................................................................................................................................ 18
8. Vendor Certification........................................................................................................................................... 18

[Insert Company Name Here]
Request for Proposal for Vulnerability Scanning and Assessment Tool

Insert Date of Issue Here

1. Statement of Work
1.1. Purpose
The purpose of this request for proposal (RFP) is to invite prospective vendors to submit a proposal to supply
vulnerability scanning and assessment tool solutions to [Organization Name]. The RFP provides vendors with
the relevant operational, performance, application, and architectural requirements of the system.

1.2. Coverage & Participation


The intended coverage of this RFP, and any agreement resulting from this solicitation, shall be for the use of all
departments at [Organization Name] along with any satellite offices. [Organization Name] reserves the right not
to enter into any contract, to add and/or delete elements, or to change any element of the coverage and
participation at any time without prior notification and without any liability or obligation of any kind or amount.

2. General Information
2.1. Original RFP Document
[Organization Name] shall retain the RFP, and all related terms and conditions, exhibits, and other
attachments, in original form in an archival copy. Any modification of these, in the vendor’s submission, is
grounds for immediate disqualification.

2.2. The Organization


Describe the organization in a few brief paragraphs. Include a description of the business and location,
including any satellite offices that will be involved in the project. Also include the objectives of the groups who
will be using the system, the number of users for the system, expected growth, and what you hope to achieve
with the system.

[Organization Description]

Example: We are an international wholesaler and distributor of business paper products. Our product line
includes such items as business cards, stationery, envelopes, printer/copier paper, pens/pencils, and file
folders. In total, we offer over two thousand products. We have over 100 physical locations, with software
developers in 15 of those locations, and contractors who work remotely.

Currently, we use [Sample Vendor] for vulnerability assessment and scanning, but its poor ease of use and difficult implementation have been barriers to widespread adoption. We are looking for a solution that is more user-friendly and requires less administration.

2.3. Existing Technology Environment

The following is a listing of our current technology environment:

[Existing Technology Environment]

Example:
• LAN type
• Server operating system
• Desktop operating system
• Development platforms

2.4. Obligations and Objectives for Vulnerability Scanning Tool

• From the business
• From customers
• From compliance or regulatory requirements
• From IT

2.5. Schedule of Events


The following is a tentative schedule that will apply to this RFP, but may change in accordance with the
organization’s needs or unforeseen circumstances. Changes will be communicated by email to all invited
bidders.

List all major dates or milestones below. Include the issuance of the RFP, the technical questions closing
dates, the RFP response closing date (including an exact time and time zone), the end of evaluation date, and
the final award notification date.

Issuance of RFP: [Date]
Technical Questions/Inquiries Due: [Date, Time, and Time Zone]
RFP Closes: [Date, Time, and Time Zone]
Complete Initial Evaluation: [Date]
Final Award Notification: [Date]

3. Proposal Preparation Instructions


3.1. Vendor’s Understanding of the RFP
In responding to this RFP, the vendor accepts full responsibility to understand the RFP in its entirety, and in
detail, including making any inquiries to [Organization Name] as necessary to gain such understanding.
[Organization Name] reserves the right to disqualify any vendor who demonstrates less than such
understanding. Further, [Organization Name] reserves the right to determine, at its sole discretion, whether the
vendor has demonstrated such understanding. That right extends to cancellation of award, if award has been
made. Such disqualification and/or cancellation shall be at no fault, cost, or liability whatsoever to [Organization
Name].

3.2. Good Faith Statement


All information provided by [Organization Name] in this RFP is offered in good faith. Individual items are subject
to change at any time. [Organization Name] makes no certification that any item is without error. [Organization
Name] is not responsible or liable for any use of the information or for any claims asserted therefrom.

3.3. Communication
Verbal communication shall not be effective unless formally confirmed in writing by a specified procurement
official in charge of managing this RFP process. In no case shall verbal communication govern over written
communication.

3.3.1. Vendors’ Inquiries. Applicable terms and conditions herein shall govern communications and
inquiries between [Organization Name] and vendors as they relate to this RFP. Inquiries, questions,
and requests for clarification related to this RFP are to be directed in writing to:

[Organization Name]
[Department Name]
[Address]
[City, State, Postal Code]

Attention: [Contact Name]


Telephone: [(Area Code) Phone Number]
Fax: [(Area Code) Fax Number]
Email: [Contact Email Address]

3.3.2. Informal Communications shall include, but are not limited to:
• Requests from/to vendors or vendors’ representatives in any kind of capacity.
• Requests from/to any [Organization Name] employee or representative of any kind or capacity, with the exception of [Contact Name], for information, comments, speculation, etc.
• Inquiries for clarifications and information that will not require addenda may be submitted verbally to the above-named contact at any time.

3.3.3. Formal Communications shall include, but are not limited to:
• Questions concerning this RFP must be submitted in writing and be received prior to [Date, Time, and Time Zone].
• Errors, omissions, and enhancements. Vendors shall report to [Organization Name] any discrepancies, errors, or omissions that may exist within this RFP. With respect to this RFP, vendors shall recommend to [Organization Name] any enhancements that might be in [Organization Name’s] best interests. These must be submitted in writing and be received prior to [Date, Time, and Time Zone].
• Inquiries about technical interpretations must be submitted in writing and be received prior to [Date, Time, and Time Zone]. Inquiries for clarifications/information that will not require addenda may be submitted verbally to the buyer named above at any time during this process.
• Verbal and/or written presentations and pre-award negotiations under this RFP.
• Addenda to this RFP.

3.3.4. Addenda: [Organization Name] will make a good-faith effort to provide a written response to each
question or request for clarification that requires addenda within [Number of Days (#)] business days.
All questions, answers, and addenda will be shared with all recipients.
[Organization Name] will not respond to any questions or requests for clarification that require
addenda, if received by [Organization Name] after [Date, Time, and Time Zone].

Indicate how written responses will be addressed.

Example:
All addenda will be posted to our website only:
[Link]

3.4. Proposal Submission


Proposals must be delivered sealed to:

[Contact Name and Title]


[Organization Name]

[Department Name]
[Address]
[City, State, Postal Code]

on or prior to [Date, Time, and Time Zone]. [Organization Name] shall not accept proposals received by fax.

Vendors are to submit [Number of Copies (#)] original copy of the proposal marked “Original” and [Number of Copies (#)] copies marked “Copy.” Each original and copy must be individually bound. Please provide one electronic copy on a CD. [Organization Name] will not accept proposals delivered via email.

3.5. Criteria for Selection


The evaluation of each response to this RFP will be based on its demonstrated competence, compliance,
format, and organization. The purpose of this RFP is to identify those suppliers that have the interest,
capability, and financial strength to supply [Organization Name] with a [System Type] identified in the Scope of
Work.

Evaluation Criteria:
1. [Criteria]
2. [Criteria]
3. [Criteria]
4. [Criteria]
5. [Criteria]

Example:
1. Capability of vendor to meet or exceed requirements set forth in Scope of Work.
2. Expressed interest in working with [Organization Name].
3. Financial stability of vendor.
4. Ability of vendor to communicate its vision and capacity for establishing a relationship that addresses
current and future needs and trends in the industry.
5. Apparent likelihood and desirability of proposed system.

3.6. Selection and Notification


Vendors that [Organization Name] determines possess the capacity to compete for this contract will be selected to move into the negotiation phase of this process. Written notification will be sent to these vendors via mail. Vendors not selected for the negotiation phase will not be notified.

4. Scope of Work, Specifications, and Requirements


Include a detailed list of the business and technical requirements. Include a further description for each
requirement (typically, in order of importance or in logical categories with importance ranked), and ask the
vendor to describe how they will fulfill each requirement.

4.1. Functional Requirements


This section should contain a detailed description of the essential characteristics of the product or service.
Identify special or distinctive requirements that differentiate the organization’s needs from other buyers. Avoid
making the specifications unnecessarily specific; this can eliminate viable suppliers.

4.1.1. Asset Discovery and Information Gathering

• Information Gathering. Indicate if your tool can gather information about a system. Indicate what techniques your tool supports, such as whois, DNS, and IP assignments.
• Asset Identification.
  o Indicate if your tool can perform identification of organization assets such as:
    - Traditional network devices: workstations, servers, desktops, copiers, routers, switches, etc.
    - Mobile devices: smart phones, laptops, tablets, etc.
    - Cloud environments: web applications, hosted storage, hosted platforms, etc.
    - Hosts in targeted subnets
• Asset Information.
  o Indicate if your tool can identify information and systems on the identified assets such as:
    - Latest OS
    - All applications on a device/host
    - All devices/hosts
    - Services
    - Vulnerabilities
• Asset Discovery Techniques.
  o Indicate your tool’s asset discovery techniques and methods. Indicate which of the following discovery techniques your tool supports:
    - Banner grabbing and binary grabbing
    - OS-specific protocols
    - TCP/IP stack fingerprinting
    - Passive techniques such as packet spoofing
    - Data fingerprinting
• Asset Categorization. Indicate if your tool can support categorizing of identified assets. Indicate if asset categorization is done in real time or near real time. Indicate what attributes are used to categorize an asset (e.g. OS, location, MAC address, type of device).
• Asset Tagging.
  o Indicate if your tool is able to tag and thus organize assets into groups such as device type, similar business impact, or other organization-defined characteristics. The tool must be able to:
    - Assign tags in real time
    - Modify and customize tags
    - Automatically tag assets based on predefined attributes
    - Dynamically tag assets with customizable rules
    - Automatically group assets based on characteristics
    - Enable group scanning, reporting, and remediation based on asset tags
• Asset Cataloging.
  o Indicate if your tool can support cataloging of identified assets into a native asset database that exists on the tool itself. Indicate which of the following attributes are recorded as part of the cataloging of assets:
    - IP address ranges
    - Corresponding systems
    - System owners
    - Latest OS
    - All applications on a device/host
    - All devices/hosts
    - Services
    - Vulnerabilities

4.1.2. Vulnerability Database Coverage

• Database Support.
  o Indicate which of the following third-party vulnerability databases or third-party information databases your tool supports to enhance vulnerability detection:
    - Common Vulnerabilities and Exposures (CVE)
    - Open Vulnerability and Assessment Language (OVAL)
    - Open Source Vulnerability Database (OSVDB)
    - SANS Institute
    - FBI Top 20
    - United States Government Configuration Baseline (USGCB)
    - Center for Internet Security (CIS)
    - Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG)
    - Open Web Application Security Project (OWASP)
    - National Vulnerability Database (NVD)
    - United States Computer Emergency Readiness Team (CERT) Vulnerability Database
    - Exploit database that collects proofs of concept (e.g. [Link])
• Frequency of Updates. Indicate how frequently the tool will be updated with newly identified vulnerability signatures or other detection attributes. Specify how these update frequencies vary based on the deployment option of the tool.
• Vendor Vulnerability Research. Indicate your in-house vulnerability research efforts, such as how many full-time threat and vulnerability research staff you have, whether you have a dedicated research facility, and what this team’s history of collaboration with law enforcement agencies is.
• Emergency Updates. Indicate if there is a process for emergency updates to your tools in the face of high-impact vulnerabilities (e.g. Heartbleed).

4.1.3. Vulnerability Detection

• Indicate which of the following detection methods your tool supports. If you support any of the following, please describe how:
  o Configuration auditing
  o Patch auditing
  o Target profiling
  o Browser-based scanning
  o Perimeter monitoring
  o SSL validation
    - Certificate validation
    - Incorrect configuration uses
    - Expired/outdated certificates
    - Self-authenticated certificates
    - Weak ciphers
    - Certificates signed by untrusted third parties
  o Web log analysis
  o File integrity monitoring
  o Process and system monitoring
  o Endpoint monitoring
  o Application monitoring
  o User activity monitoring
  o Configuration assessment / policy configuration assessment / policy configuration management
    - Remotely assess and verify settings, such as configuration settings or password complexity of a domain group policy
  o OS discovery and assessment techniques
    - Banner grabbing
    - Binary grabbing
    - OS-specific protocols
    - TCP/IP stack fingerprinting
    - OS fingerprinting: identifying the version type and any services running on the system
    - Packet spoofing
  o TCP and UDP service checking, including services on non-default ports and with fake banners
  o HTTP application fingerprinting
    - Leverage software ID, service pack ID, installed patches, etc.
  o OS and HTTP fingerprint data correlation
  o Port scanning
  o Detection based on custom vulnerability signatures generated by the client
  o Correlation of detected vulnerabilities across the IT stack
  o Back door detection
  o Baseline vulnerability conditions for network devices, applications, and databases
• Please note any other vulnerability detection methods your tool may support.
• Detection Support Length. Indicate how long you will support a vulnerability detection method or a specific environment. This includes operating system versions, devices, and detection methods.
• False Positives. Indicate how your tool will reduce false positives.

4.1.4. Scanning Method

• Agent-Based Scanning
  o Indicate if your tool supports agent-based scanning. Indicate if the agent is a persistent/permanent software agent or a dissolvable temporary agent. Indicate if your tool supports the following:
    - Vulnerability analysis performed on the endpoint itself (data is evaluated on the endpoint rather than being sent elsewhere for analysis)
    - Directing endpoint data to another location for analysis (data is taken from the endpoint and forwarded to a vulnerability analysis engine)
    - Continuous scanning when connected to the internet without the need for a VPN
    - Limited endpoint footprint
    - Ease of agent installation
    - Frequency of agent updating
• Authenticated Active Scanning
  o Indicate if your tool supports the use of authenticated credential login to devices to perform vulnerability scanning. Indicate and describe how you support the following:
    - Secure management of credentials
    - Integration with a credential management tool
    - Authenticated scans of devices, applications, and web applications
    - Limited device, application, or web application resource (memory, CPU, etc.) impact
• Unauthenticated Active Scanning. Indicate if your tool supports unauthenticated scans of devices that are performed actively to detect vulnerabilities.
• Passive Scanning. Indicate if your tool supports passive scanning of network traffic and other network components to detect vulnerabilities.
• Scanning Support
  o Indicate if your tool supports the following:
    - Scheduled scans
    - Ability to stop and restart scans
    - Ability to scan multiple network segments simultaneously
    - Ability to scan a system with changing IP addresses

4.1.5. Environment Support

• Virtual Environment Scanning Support
  o Indicate your tool’s ability to scan virtual environments.
  o Indicate if this support is limited to predefined environments that are established by virtual machine vendors.
  o Indicate if you support customizable scans based on policy profiles or templates per multi-tenant customer in virtual environments.
• Application Scanning Support
  o Indicate your tool’s ability to scan applications.
  o Indicate if this functionality is met through an add-on module or feature.
  o Indicate your tool’s ability to scan web-based applications.
• Device Support
  o Indicate what types of devices your tool supports scanning. This includes:
    - Network devices: routers, switches, servers, databases, wireless access points, etc.
    - Security technologies: SIEM, NAC, web gateways, email gateways, firewalls, IDPS, DLP, GRC, etc.
    - Network services
• Mobile Device Support
  o Indicate what types of mobile devices your tool supports scanning. This includes laptops, smart phones, and tablets.
• Cloud Environment Support
  o Indicate what instances of cloud environments your tool supports scanning. This includes:
    - Infrastructure as a Service environments (AWS, Azure, etc.)
    - Platform as a Service (Office 365, Salesforce, etc.)
    - Software as a Service (NetSuite, Workday, Dropbox, etc.)
• Platform Support
  o Indicate what platform types your tool supports scanning. This includes:
    - Operating system support for Windows, Linux, Unix, Mac OS X, iOS, Android
    - IPv6 support
• Operating Technology Support
  o Indicate what specific operating technology instances your tool supports scanning. This includes:
    - SCADA-specific systems
    - ICS-specific systems

4.1.6. Prioritization Methods

• Indicate how your solution prioritizes detected vulnerabilities.
• Indicate if your tool’s vulnerability prioritization supports the following:
  o Vulnerabilities with known exploits. The solution must allow for filtering and prioritization based on:
    - Exploits in use in the wild (exploit kits and zero days)
    - Commercial exploit tools (Canvas, Core, Metasploit)
    - Proofs of concept (Exploit DB)
  o Business system criticality. The solution must allow for filtering and prioritization based on the criticality of the affected system. The criticality of the system is:
    - Determined and provided by the client (through some asset tagging)
    - Determined by real-time business criticality assessment capabilities
  o Data sensitivity. The solution must allow for filtering and prioritization based on the sensitivity of the affected data. The data sensitivity is:
    - Determined and provided by the client
    - Determined by real-time data sensitivity assessment capabilities

4.1.7. Remediation Capabilities

• The tool must provide remediation recommendations and information on patches, configuration changes, and other workarounds, as well as remediation options through integration with various technologies (see Integration requirements).
• Patching. Indicate if the tool can support the efficient identification of patches to apply.
  o Indicate how this patching is performed, i.e. whether it is through authenticated remote management, agent-based patching, or some other functionality.
  o Indicate which of the following applies to your solution for management of patches before deployment:
    - The tool establishes connections with patch sources to allow direct patching from the source to the asset requiring the patch.
    - The tool pre-downloads patches from sources based on its asset inventory knowledge of the organization’s assets.
  o Indicate if the tool’s patching functionality includes:
    - Knowledge of which patches are cumulative and contain or supersede older patches (taking this information into consideration when providing remediation options and prioritizing remediation).
    - “One click” remediation options for patches.
    - Integration with dedicated patch management systems or service management solutions, where your tool identifies missing patches and the integrated solution manages and pushes out the actual patches.
• Configuration Changes. Indicate how your tool supports the identification and recommendation of configuration changes to an asset in order to remediate its vulnerabilities.
• Remediation Tracking. Indicate how your tool supports the tracking of vulnerability remediation efforts. Indicate if your tool supports:
  o A native ticketing system that allows tracking of remediation efforts
  o Tagging of vulnerabilities with defined timeframes to ignore
  o Integration with third-party ticketing systems to support vulnerability remediation tracking
• Automated Remediation. Indicate if the tool supports automated remediation capabilities that are defined and customizable by the user.
• Vulnerability/Exploit Testing. Indicate if the tool supports vulnerability/exploit testing after detection but before remediation efforts. This is to allow the client to validate the vulnerability/exploit themselves.
• Remediation Validation. Indicate if the tool supports any validation or checking of remediation efforts to confirm that they worked.

4.1.8. Management

• Centralized Management. Indicate if your solution supports centralizing the management and reporting of more than one scanning engine in a central module.
• Compliance Support. Indicate which of the following compliance and regulatory frameworks your tool supports through out-of-the-box scanning rules, reports, and management capabilities:
  o PCI
  o SOX
  o HIPAA
  o NIST
  o ISO
  o COBIT
• User Access. Indicate how your tool supports multiple user interface views for different user groups. Indicate if your tool supports role-based access control (RBAC), allowing multiple groups to use the system in different ways. Indicate how many failed login attempts are allowed before an account lockout. Indicate what the process is for account lockout.
• Vulnerability Tracking. Indicate how vulnerabilities are tracked over time, whether or not they are remediated. Indicate what mechanism supports this tracking capability. Indicate how hosts with changing IP addresses are managed for reporting and tracking.
• Exception Management. Indicate how the tool tracks exceptions for not remediating a vulnerability. Indicate if the tool supports the following:
  o Recording who approves the exception
  o Management of multiple exceptions to the same asset as a single exception (e.g. another exception for a Windows 2003 server is managed together rather than separately)
• Policy Engine. Indicate which of the following the tool supports:
  o Out-of-the-box policy rule templates
  o Customization of existing templates
  o Custom-defined scanning modules
  o Scan scheduling
  o Original policy generation, including policies based on:
    - What is being scanned
    - When it is being scanned
    - What reports are generated by the scan
    - Specific vulnerability scanning (e.g. Heartbleed)
• Multi-Tenancy. Indicate how multi-tenant hosts with the same IP address are managed from a tracking and reporting perspective.
• Storage Requirements. Indicate if the tool supports native storage of scanned asset information and reports. Indicate the size and length limitations of the tool’s native storage capabilities. Indicate if extended storage can be added to the tool. Indicate if separate storage can be integrated with the tool. Indicate if any data protection, such as encryption of data at rest, is applied to stored data.
• Data in Transit Protection. Indicate if the tool supports encryption of data moving from agents or endpoints to the appliance or hosted cloud environment.
• Tool Logging. Indicate if the tool supports logging of tool activity or user activity monitoring of the tool.

1.14.9. Reporting
• Reporting Coverage. Indicate if your tool includes the following when generating reports:
o Description of the vulnerability
o Severity of the vulnerability
o The threat the vulnerability poses to the system it was detected on
o Detailed remediation steps
o Whether exploit kits exist for the vulnerability
o Host IP address
o Domain name
o How the vulnerability was identified
o Reference IDs of the vulnerability (e.g. CVE or NVD ID numbers)
o CVSS score and reference
o Anything unique about the vulnerability
o Determination of whether the vulnerability is confirmed or potential, including the
test command used to validate the vulnerability
o Data flow information for connected systems
• Reporting Categorization. Indicate if the tool can report vulnerabilities by
category. Indicate which of the following is supported:
o Reporting by exploits in use in the wild (exploit kits and zero-days)
o Reporting by commercial exploit tools (Canvas, Core, Metasploit)
o Reporting by proof of concept (Exploit DB)
o Reporting of vulnerability by asset
o Reporting of vulnerability by asset inventory
o Reporting of vulnerability by prioritization
o Reporting of vulnerability by remediation
o Reporting of vulnerability by control standard
o Reporting of vulnerability by baseline comparison
o Reporting of vulnerability by custom definition
• Compliance Reporting. Indicate if out-of-the-box reporting templates exist for any of the following
compliance or regulatory frameworks:
o PCI
o SOX
o HIPAA
o NIST
o ISO
o COBIT
• Report Types. Indicate which of the following report types the tool supports. Please provide a
description of what is included for each report type:
o Executive reports
o Trending reports
o Baseline reports
o Vulnerability reports
o Asset reports
• Report Customization. Indicate if the tool supports customized reporting based on user-defined
parameters. Indicate if out-of-the-box reporting templates can be customized. Indicate if
advanced customization via SQL statements is supported. Indicate whether report data can be
easily manipulated for reporting purposes.
• Report Format. Indicate which of the following format types are supported:
o HTML
o PDF
o CSV
o XML
• Report Generation. Indicate which of the following reporting functionalities are supported:
o Automatic report generation and distribution to selected individuals
o Setup of multiple rules for different reporting timeframes and different audiences
o Multiple options for distribution (e.g. email)
o Google-like keyword search of results and reports
• Describe what happens if a report is interrupted, or if a scan is incomplete when a report is due
to be generated.

1.14.10. Scalability
• Indicate in which of the following ways the tool can scale:
o Addition of modules or components to the main appliance
o Additional appliances
o Additional sensors or aggregators
• Indicate how the tool can scale up to scan more of each of the following. Indicate the specific
thresholds at which scaling is required for each:
o Systems/assets
o IP addresses
o Network segments
o Physical locations

1.14.11. Integration
• Indicate which of the following tools or systems your tool can integrate with:
o Ticketing and workflow systems
o Intrusion detection and prevention systems (IDPS)
o Web application firewalls
o Patch management systems
o Mobile device management (MDM) systems
o Credentials management tools
o Governance, risk, and compliance (GRC) systems
o Configuration management databases (CMDB)
o Network topology and risk analysis products
o Security information and event management (SIEM) systems
o Penetration testing platforms
o Hardware/asset inventory systems
• Indicate which of the following describes your integration capabilities:
o An out-of-the-box open API was developed to enable custom integrations by the user
o Specific partner relationships have been developed with other vendors for integration
purposes

1.15. Technical Specifications


This section should describe any technical standards or interconnection requirements that the product must
address, or skill requirements for technical staff. Make it clear if some technical standards are preferred but not
compulsory.

Example:
• The application software must operate on Windows Server 2008.
• The application must utilize Windows SQL Server 2008.

1.16. Architecture

1.16.1. Modules and Components


• Indicate what modules or components are included or are part of the tool to provide the
aforementioned functionality.

1.16.2. Deployment Options. Indicate which of the following deployment options the tool supports:
• Cloud Hosted Scanner. Indicate which of the following apply to your tool:
o Delivered in an "as-a-service" model in which the vendor hosts the scanner in a cloud
environment.
o The scanner can be deployed to a third-party hosted infrastructure environment such
as AWS or Azure.
• On-Premises. Indicate if your tool can be delivered as an on-premises appliance that will be
hosted, managed, and owned by the client.
• Virtualized. Indicate if your tool can be delivered in a virtualized environment that will be
hosted, managed, and owned by the client. State which virtual machine platforms are supported.
• Managed Service. Indicate if your tool can be remotely managed and monitored by a managed
security service provider (MSSP). Specify who can provide this service (e.g. the vendor,
dedicated MSSPs, security consulting and service firms).

1.17. Training, Installation, and Maintenance Support

1.17.1. Installation Support


• Indicate which of the following installation support services you offer as part of a vulnerability
scanner purchase:
o Initial setup
o System configuration
o Knowledge transfer to client administrators

1.17.2. System Training
• Indicate if formal in-house training is provided, consisting of eight hours delivered on three
separate occasions.
• Indicate which of the following topics will be covered in system training:
o Administrative capabilities
o System management
o Performing scans
o Policy writing and customization
o Report generation and customization
o Integration with other systems

1.17.3. Maintenance and Operations Support


• Indicate which of the following maintenance and operations support functions are provided:
o 24x7x365 customer support
o Tiered support levels (at least three levels)
o Support provided either by the manufacturer or by a fully qualified third-party vendor technician
o Technical support or troubleshooting support within 12 hours of request time
o Phone, email, web portal, and onsite support solicitation options
o Hardware replacement
o Software upgrades

1.18. Engagement Methodology


This section should identify any special requirements for how and where the vendor is to carry out work, key
responsibilities of the vendor, and any special terms and conditions that are to be included in the contract but
are not covered in Section 7, Additional Terms and Conditions.

For example, the vendor staff will work at our development center at 2500 Main Street, Palo Alto, CA. The
purchaser can, at its convenience, terminate the development contract with one month’s notice.

5. Vendor Qualifications and References


All vendors must provide the following information for their proposal to be considered:

Example:
1. A brief outline of the vendor company and services offered, including:
• Full legal name of the company
• Year business was established
• Number of people currently employed
• Income statement and balance sheet for each of the two most recently completed fiscal years,
certified by a public accountant
2. An outline of the product line-up and/or services it currently supports.
3. A description of its geographic reach and market penetration.
4. An outline of its partnerships and relationships to date.
5. An outline of its current and future strategies in the marketplace.
6. Information on its current clients, including:
• Total number of current clients
• A list of clients with similar needs using similar products and/or services
• Evidence of successful completion of a project of a similar size and complexity
7. References: Contact information for five references (if possible) from projects similar in size,
application, and scope and a brief description of their implementation.

6. Budget and Estimated Pricing
All vendors must fill out the following cost breakdown for the implementation of their solution for [Organization
Name]’s project as described in this RFP. Costs should be identified as either capital or non-capital in nature.
The vendor must agree to keep these prices valid for [Number of Days (#)] days as of [Date, Time, and Time
Zone].

1.19. Pricing and Licensing


Indicate the pricing and licensing model that is provided.
Example: pricing based on the number of IP addresses to be scanned or number of endpoint devices.

1.20. Estimated Costs


For all available deployment models, provide a five-year cost summary as displayed below.

Five-Year Total Cost Summary

Costs                               Total    Year 1   Year 2   Year 3   Year 4   Year 5
Hardware
Software Licensing
Third-Party Software (Middleware)
Installation
Legacy Data Loading
Maintenance
Documentation & Training
Project Management
Miscellaneous
Total:

Suggested Cost Categories:

Hardware: List, describe, and record the cost of each piece of hardware that is required to optimally run the
software.

Software Licensing: List, describe, and record the licensing, implementation, maintenance, support, and
training fees associated with your proposed software.

Third-Party Software (Middleware): List, describe, and record the cost of each piece of software (including
operating systems) that is required to optimally run the software.

Installation: Describe any labor, equipment, supplies, or other costs associated with installing your proposed
software.

Integration: Describe any labor, equipment, supplies, or other costs associated with integrating [Insert
Proposed Solution] into our current architecture and back-end systems.

Legacy Data Loading: Describe any labor, equipment, or other costs associated with importing legacy data
from current systems into the new system.

Maintenance: Describe and cost out any other ongoing costs associated with the operation and maintenance of
your proposed [Insert System Solution].

Documentation & Training: If there are fees associated with your user or technical documentation, list them
here.

Project Management: If there are project management fees associated with your proposed software, list and
describe them here.

Miscellaneous: List and describe any other costs associated with your proposed software solution.

7. Additional Terms and Conditions


1.21. Personal Information

1.21.1. General
Depending on the circumstances, [Organization Name] may require information related to the qualifications
and experience of persons who are proposed or available to provide services. This may include, but is not
limited to, resumes, documentation of accreditation, and/or letters of reference. The Respondent should not
submit as part of its Response any information related to the qualifications or experience of persons who are
proposed or available to provide services unless specifically requested. Unless specifically requested, any
such information, whether in the form of resumes or other documentation, will be returned immediately to
the Respondent. [Organization Name] will treat this information in accordance with the provisions of this
Section [Section Number].

1.21.2. Requested Personal Information


Any personal information as defined in the [Applicable Legislation] that is requested from each Respondent
by [Organization Name] shall only be used to consider the qualified individuals to undertake the
project/services and to confirm that the work performed is consistent with these qualifications. It is the
responsibility of each Respondent to obtain the consent of such individuals prior to providing the
information to [Organization Name]. [Organization Name] will consider that the appropriate consents have
been obtained for the disclosure to and use by [Organization Name] of the requested information for the
purposes described.

1.22. Non-Disclosure Agreement


[Organization Name] reserves the right to require any Respondent to enter into a non-disclosure agreement.

1.23. Costs
The RFP does not obligate [Organization Name] to pay for any costs, of any kind whatsoever, which may be
incurred by a Respondent or any third parties, in connection with the Response. All Responses and supporting
documentation shall become the property of [Organization Name], subject to claims of confidentiality in respect
of the Response and supporting documentation.

1.24. Intellectual Property


The Respondent should not use any intellectual property of [Organization Name] including, but not limited to,
all logos, registered trademarks, or trade names of [Organization Name], at any time without the prior written
approval of [Organization Name], as appropriate.

1.25. Respondent’s Responses


All accepted Responses shall become the property of [Organization Name] and will not be returned.

1.26. Governing Law


This RFP and the Respondent’s Response shall be governed by the laws of [Relevant Jurisdiction].

1.27. No Liability
[Organization Name] shall not be liable to any Respondent, person, or entity for any losses, expenses, costs,
claims, or damages of any kind:
• Arising out of, by reason of, or attributable to, the Respondent responding to this RFP; or
• As a result of the use of any information, error, or omission contained in this RFP document or
provided during the RFP process.

1.28. Entire RFP


This RFP, any addenda to it, and any attached schedules, constitute the entire RFP.

8. Vendor Certification
This certification attests to the vendor's awareness of and agreement to the content of this RFP and all
accompanying calendar schedules and provisions contained herein.

The vendor must ensure that the following certificate is duly completed and correctly executed by an authorized
officer of its company.

This proposal is submitted in response to [RFP ID] issued by [Organization Name]. The undersigned, a duly
authorized officer, hereby certifies that:

(Vendor Name)

agrees to be bound by the content of this proposal and agrees to comply with the terms, conditions, and
provisions of the referenced RFP and any addenda thereto in the event of an award. Exceptions are to be
noted as stated in the RFP. The proposal shall remain in effect for a period of [Number of Days (#)] calendar
days as of [RFP Due Date].

The undersigned further certifies that their firm (check one):


□ Is

□ Is not

is currently debarred, suspended, or proposed for debarment by any federal entity. The undersigned agrees to
notify [Organization Name] of any change in this status, should one occur, until such time as an award has
been made under this procurement action.

Person[s] authorized to negotiate on behalf of this firm for purposes of this RFP are:

Name: Title:
Signature: Date:
Name: Title:
Signature: Date:

Signature of Authorized Officer:


Name: Title:
Signature: Date:

Schedule “A” Notice of Intention

[RFP ID]

Notice of intention

Request for proposal

From:
[Vendor organization name]
[Authorized representative]
[Telephone no.]
[Fax no.]
[Email]

Please state your intention with regard to the Request for Proposal [RFP ID] by selecting one of the
following:

[ ] Intends to respond to [Organization Name] Request for Proposal


[ ] Does not intend to respond to [Organization Name] Request for Proposal

TO:
[Client organization name]
[Client name, title, and address]
[Telephone no.]
[Fax no.]

_____________________________________________________

For acceptable use of this template, refer to Info-Tech's Terms of Use. These documents are intended to
supply general information only, not specific professional or personal advice, and are not intended to be used
as a substitute for any kind of professional advice. Use this document either in whole or in part as a basis and
guide for document creation. To customize this document with corporate marks and titles, simply replace the
Info-Tech information in the Header and Footer fields of this document.
