Most IT RFPs are so vague that every MSP responds with the same templated proposal, and you end up with five PDFs that all say the same things. An effective RFP is specific enough that a provider can't respond to it from a template — they have to actually read your environment and answer your questions.
Section 1: Your Environment
Start with a precise description of what you have today:
- User count and expected headcount in 12 months
- Device inventory: workstations (Windows/Mac split), servers (on-premises and cloud), mobile devices under management
- Network equipment: firewalls, switches, wireless access points, and approximate age
- Primary productivity platform: Microsoft 365 (which tier) or Google Workspace
- Line-of-business applications: name, version, vendor support status
- Cloud infrastructure: AWS, Azure, GCP, or none
- Backup platform: what's currently in place and whether it's working
- Current security tooling: which EDR product is deployed, what email filtering is in place, and the current MFA rollout status
- Compliance requirements: list all applicable frameworks
- Current MSP/IT provider: how long you've been with them and why you're changing
Section 2: What's Not Working
Be direct about the problems you're trying to solve. "We need managed IT" is not a problem statement. "We had a phishing incident last quarter that exposed three employees' email, our backups haven't been tested in two years, and our current provider takes 6 hours to respond to P1 issues" is a problem statement.
This section should scare off MSPs who can't solve your actual problems — and attract ones who can. A provider who doesn't address your specific problems in their response isn't paying attention.
Section 3: Required Capabilities (Non-Negotiable)
List what must be included in the base proposal. If a provider can't include these, they shouldn't bid:
- Specific SLA response times by severity level (list your requirements explicitly)
- 24/7 emergency coverage for P1 issues (define what coverage means)
- Named technicians or dedicated account team
- Security stack (list what must be included at the base rate: EDR brand requirements if any, email filtering, managed backup with tested restores, MFA enforcement)
- Compliance program (list any specific requirements — BAA for healthcare, CMMC for defense contractors)
- Monthly reporting (what you want to see in the report)
Section 4: Specific Questions You Require Answered
This is the most important section. Don't let vendors respond generically — require answers to these specific questions:
- "How many clients do you currently serve in [your industry], and what are their names/contact information for references?"
- "What is your client-to-technician ratio across your current account portfolio?"
- "Describe your patch management process: how long after a critical CVE disclosure are your clients patched?"
- "When was the last time you tested a restore from backup for a client? What was the RTO?"
- "What security incidents have you handled for clients in the last 12 months, and what were the outcomes?"
- "Describe your onboarding process for the first 60 days. What do you deliver, and on what timeline?"
Section 5: Pricing Format Requirements
Don't let vendors use different pricing formats — standardize the comparison:
- Require a per-user-per-month all-inclusive base rate
- Require a separate line-item list of anything NOT included in the base rate with associated costs
- Require a project fee estimate for onboarding/migration
- Require contract length options: 12-month and 24-month
Evaluation Criteria
Tell vendors how you're evaluating proposals: "We will score proposals on SLA quality (30%), security stack completeness (25%), industry experience (20%), pricing (15%), and contract terms (10%)." This prevents price-only competition and signals what matters to you.
Use the free IT RFP Generator to generate a complete RFP document in minutes — it walks through all of these sections and produces a formatted document you can send directly to vendors.