A copy-into-Word RFP scaffold for selecting a PAM platform (CyberArk, BeyondTrust, Delinea, HashiCorp Vault). Focuses on the differentiating questions auditors care about.
Who uses it
CISO / Identity Architect at regulated enterprises selecting or replacing a PAM platform.
Typical timeline
8-12 weeks RFP → shortlist → bake-off → award
23 questions across 8 sections. CC BY 4.0 — copy freely.
Company background + ownership + financial stability.
Customers in our size + industry. Provide 3-5 reference customers willing to take a 30-minute call.
12-month product roadmap, especially around JIT, secrets management, and AI-agent identities.
Describe the vault architecture — on-prem, SaaS, hybrid. HA + DR posture.
List supported credential types — Windows local, Unix root, AD accounts, database, network device, cloud (AWS / Azure / GCP), application service accounts, certificates, SSH keys.
Describe rotation capabilities — frequency, error handling, exception management.
Describe approval workflows — request, multi-approval, escalation.
Describe session-recording capabilities for Windows RDP, SSH, web console, database client.
Describe session replay UX. Searchable by keyword inside the session?
Describe live session monitoring + interruption capabilities.
Describe JIT capabilities — both ephemeral credential creation + role-based time-bound elevation.
How is policy expressed? Native UI, API, infrastructure-as-code?
For cloud (AWS/Azure/GCP) — describe just-in-time access to cloud privileged roles.
Describe secrets management for DevOps + non-human identities. Application API. Kubernetes / Docker support.
Describe integration with CI/CD pipelines (GitHub Actions, GitLab, Jenkins, Azure DevOps).
Describe endpoint privilege management (least-privilege enforcement on workstations + servers).
OS coverage (Windows, macOS, Linux distributions).
Describe audit-log emission. Integration with SIEM (Splunk, Sentinel).
List supported compliance frameworks. Most recent third-party audit reports.
Describe evidence-collection patterns for FedRAMP CA-7 (continuous monitoring) and SOC 2 CC6.
Pricing model — per vaulted account, per session, per endpoint, hybrid.
3-year TCO for our environment size.
Implementation services pricing + recommended professional services scope.
| Criterion | Weight | How to score |
|---|---|---|
| Vault coverage depth | 15% | Score against credential-type list — broader is better. |
| JIT maturity | 20% | Score against time-bound + ephemeral credential capabilities. |
| Session monitoring quality | 15% | Recording fidelity + replay UX + alerting. |
| Cloud-native posture | 15% | AWS / Azure / GCP JIT depth. |
| DevOps secrets integration | 10% | Kubernetes + CI/CD integration depth. |
| TCO (3yr) | 15% | Including implementation services. |
| Reference customer signal | 10% | 3-5 reference calls. |
Vendor-neutral procurement assistance — from RFP to shortlist to bake-off to negotiation. We’ve seen every vendor pitch + every contract structure.