Tool · client-side · no signup

IAM RFP — generated, ready to copy.

Generate a vendor-neutral IAM RFP from your program inputs — scope (IGA / PAM / CIAM / zero-trust), scale, regulations, integrations, timeline. Output a markdown draft ready to refine with procurement. Your inputs never leave the browser.

RFP draft · markdown

# Request for Proposal — IAM platform

**Issued by:** Acme Corporation
**Issued:** 2026-06-04
**Response deadline:** [TBD]

---

## 1. About Acme Corporation

[Add 2-3 paragraphs: who you are, what you do, why now. Be concrete about
the operational pain that triggered this RFP. Vendors respond better to
context than to lists of requirements.]

---

## 2. Scope

This RFP covers procurement and implementation of: **IAM platform**.

In-scope:
- Platform license + first-year support
- Implementation services or partner enablement
- Data migration from incumbent (if applicable)
- Training for internal team (administrator + operator paths)
- Audit-evidence enablement (controls, reporting, retention)

Out-of-scope (separate procurement):
- Network / endpoint security tooling
- SIEM / SOAR
- Hardware (vault HSM acquisition; pursue separately)

---

## 3. Environment

| Dimension | Profile |
|---|---|
| Identity scale | Not specified |
| Cloud posture | Not specified |
| Compliance scope | None declared |
| Implementation timeline | Not specified |
| Budget envelope | (specify range or "to be discussed") |

### Critical integrations
(list 5-10 critical applications here)

### Existing identity infrastructure
- IdP: [Okta / Entra / Ping / other]
- Directory: [AD / Entra / LDAP]
- HRIS source of truth: [Workday / SuccessFactors / BambooHR]
- Existing IGA / PAM / CIAM (if any): [vendor + version]

---

## 4. Functional requirements

Vendors should respond with a fit assessment (full / partial / no) and a
brief rationale per requirement.

### Core functional
- **F1.** Connector library covers the integrations listed in §3 (Critical integrations)
- **F2.** Joiner / mover / leaver workflows are configurable without code
- **F3.** Access certification campaigns run on a cadence with reviewer reminders
- **F4.** Privileged credential vaulting with HSM-backed encryption (if PAM in scope)
- **F5.** OIDC + OAuth 2.1 + PKCE compliant authentication (if CIAM in scope)
- **F6.** SCIM 2.0 (and roadmap to 2.1) for downstream provisioning

### Operational
- **O1.** Multi-region deployment with data residency controls
- **O2.** Audit log retention configurable per regulation (e.g. 7 years for SOX)
- **O3.** Sandbox / test tenant provided for pre-production change validation
- **O4.** Native SIEM forwarding (Splunk, Sentinel, Sumo Logic, Datadog)
- **O5.** Disaster recovery RTO < 4 hours, RPO < 15 minutes

### Compliance
- **C1.** SOC 2 Type II attestation current within last 12 months
- **C2.** ISO 27001 certification
- **C3.** Vendor processes for our compliance scope: None declared
- **C4.** Customer data residency commitments (EU / US / sovereign)

---

## 5. Commercial

Vendors should provide:

- **Pricing model:** Per-identity, per-account, per-application, or other.
- **Tiered breakdown:** What's included in the base tier vs add-ons.
- **Renewal terms:** Year 2 + 3 pricing protections (CPI-cap, etc.).
- **Implementation services:** Fixed-fee proposal for stand-up + first
  business workflow live in production.
- **Reference deployments:** Three customers at similar scale and
  compliance scope; willing to take a 30-minute reference call.

---

## 6. Evaluation criteria

Responses will be evaluated against (weights subject to refinement):

- Functional fit (35%)
- Operational maturity (20%)
- Compliance alignment (15%)
- Commercial structure (15%)
- Reference checks (10%)
- Implementation partner ecosystem (5%)

---

## 7. Timeline

| Milestone | Date |
|---|---|
| RFP issued | [date] |
| Vendor Q&A window closes | [date + 2 weeks] |
| Responses due | [date + 4 weeks] |
| Shortlist + demos | [date + 6 weeks] |
| Reference + commercial conversations | [date + 8 weeks] |
| Selection decision | [date + 10 weeks] |
| Contract signature | [date + 14 weeks] |

---

## 8. Contact

[Procurement lead name, title, email]
[IAM program lead name, title, email]

All vendor questions must be submitted through the procurement portal /
this email address. Direct outreach to other Acme Corporation employees during
the response window is grounds for disqualification.

---

*Generated with the askmeidentity IAM RFP Template Generator —
https://askmeidentity.com/tools/iam-rfp-template/*

What this is good for

Typical use cases.

Draft an IAM RFP without starting from a blank page
Pressure-test the scope of a forthcoming IGA or PAM procurement
Brief procurement on the right questions to ask each vendor

More tools

PAM vendor selector. JWT decoder. SAML response decoder.

The full set of free IAM tools — decoders, validators, generators — is at /tools/.

See all toolsTry the PAM vendor selector

# Request for Proposal — IAM platform **Issued by:** Acme Corporation **Issued:** 2026-06-04 **Response deadline:** [TBD] --- ## 1. About Acme Corporation [Add 2-3 paragraphs: who you are, what you do, why now. Be concrete about the operational pain that triggered this RFP. Vendors respond better to context than to lists of requirements.] --- ## 2. Scope This RFP covers procurement and implementation of: **IAM platform**. In-scope: - Platform license + first-year support - Implementation services or partner enablement - Data migration from incumbent (if applicable) - Training for internal team (administrator + operator paths) - Audit-evidence enablement (controls, reporting, retention) Out-of-scope (separate procurement): - Network / endpoint security tooling - SIEM / SOAR - Hardware (vault HSM acquisition; pursue separately) --- ## 3. Environment | Dimension | Profile | |---|---| | Identity scale | Not specified | | Cloud posture | Not specified | | Compliance scope | None declared | | Implementation timeline | Not specified | | Budget envelope | (specify range or "to be discussed") | ### Critical integrations (list 5-10 critical applications here) ### Existing identity infrastructure - IdP: [Okta / Entra / Ping / other] - Directory: [AD / Entra / LDAP] - HRIS source of truth: [Workday / SuccessFactors / BambooHR] - Existing IGA / PAM / CIAM (if any): [vendor + version] --- ## 4. Functional requirements Vendors should respond with a fit assessment (full / partial / no) and a brief rationale per requirement. ### Core functional - **F1.** Connector library covers the integrations listed in §3 (Critical integrations) - **F2.** Joiner / mover / leaver workflows are configurable without code - **F3.** Access certification campaigns run on a cadence with reviewer reminders - **F4.** Privileged credential vaulting with HSM-backed encryption (if PAM in scope) - **F5.** OIDC + OAuth 2.1 + PKCE compliant authentication (if CIAM in scope) - **F6.** SCIM 2.0 (and roadmap to 2.1) for downstream provisioning ### Operational - **O1.** Multi-region deployment with data residency controls - **O2.** Audit log retention configurable per regulation (e.g. 7 years for SOX) - **O3.** Sandbox / test tenant provided for pre-production change validation - **O4.** Native SIEM forwarding (Splunk, Sentinel, Sumo Logic, Datadog) - **O5.** Disaster recovery RTO < 4 hours, RPO < 15 minutes ### Compliance - **C1.** SOC 2 Type II attestation current within last 12 months - **C2.** ISO 27001 certification - **C3.** Vendor processes for our compliance scope: None declared - **C4.** Customer data residency commitments (EU / US / sovereign) --- ## 5. Commercial Vendors should provide: - **Pricing model:** Per-identity, per-account, per-application, or other. - **Tiered breakdown:** What's included in the base tier vs add-ons. - **Renewal terms:** Year 2 + 3 pricing protections (CPI-cap, etc.). - **Implementation services:** Fixed-fee proposal for stand-up + first business workflow live in production. - **Reference deployments:** Three customers at similar scale and compliance scope; willing to take a 30-minute reference call. --- ## 6. Evaluation criteria Responses will be evaluated against (weights subject to refinement): - Functional fit (35%) - Operational maturity (20%) - Compliance alignment (15%) - Commercial structure (15%) - Reference checks (10%) - Implementation partner ecosystem (5%) --- ## 7. Timeline | Milestone | Date | |---|---| | RFP issued | [date] | | Vendor Q&A window closes | [date + 2 weeks] | | Responses due | [date + 4 weeks] | | Shortlist + demos | [date + 6 weeks] | | Reference + commercial conversations | [date + 8 weeks] | | Selection decision | [date + 10 weeks] | | Contract signature | [date + 14 weeks] | --- ## 8. Contact [Procurement lead name, title, email] [IAM program lead name, title, email] All vendor questions must be submitted through the procurement portal / this email address. Direct outreach to other Acme Corporation employees during the response window is grounds for disqualification. --- *Generated with the askmeidentity IAM RFP Template Generator — https://askmeidentity.com/tools/iam-rfp-template/*