Procurement and Request for Proposal (RFP)

Meet Frankie. Her boss, Jules, has just asked her to reach out to a handful of solution providers to participate in an RFP for a new IT system. The business team is expecting results, and Frankie is going to need to pull out all the stops to make sure that the software that's selected meets all the requirements.

Problem statement

Evaluating the security and privacy posture of a solution provider within the RFP process can be challenging:

  • Measuring the security and maturity of possible solutions requires large and complex questionnaires, as well as a solid understanding of the subject matter to evaluate them effectively.
  • Completing these questionnaires is a time-consuming process for both the solution provider (responding to custom questions generally involves detailed discussions across multiple departments) and the team reviewing the responses.
  • For the above reasons, security and privacy aspects are often excluded from the initial RFP process, or ad-hoc questions are employed that do not cover all areas that matter to your organization.

Overall, these issues extend the sales cycle, make RFPs resource-intensive for all parties, and result in increased costs.

How MVSP can help

MVSP addresses these issues by providing a simple, repeatable, and measurable set of minimum controls that are both easy for the solution provider to understand and complete, and are easy to review and filter on at the procurement side. While MVSP controls are designed to be a baseline, they are built from the ground up to represent the building blocks and industry best practices expected to be present in a secure and mature enterprise solution.

In detail, using MVSP means:

  • No need to reinvent the wheel – Using MVSP means you don’t have to design and maintain your own custom questionnaire. Although custom questionnaires can be tailored to your specific needs, they do not always map to the root-cause areas that result in solutions failing in-depth due diligence processes. Custom RFPs are also harder to manage and may lengthen the sales cycle.
  • Timely feedback – Identifying gaps in the MVSP controls at an early stage allows for more effective decision making and makes it possible to positively influence the quality of software and services.
  • Flexibility – MVSP controls are released under a Creative Commons license, which means there are no restrictions on how you use them, and you don't have to share your data with anyone else. In contrast, existing standards like ISO, SOC 2, PCI DSS, and CAIQ-Lite can be expensive and time-consuming to comply with, and require regular audits. Additionally, these standards are often broad and can be difficult to understand and apply at the software or service level.
  • Standardization – Solution providers can present the MVSP controls on their website or information portal to demonstrate that they meet the controls, further reducing the effort involved in asking, responding to, and evaluating RFP questions.
  • Industry influence – As the ubiquity of MVSP increases within the industry, these controls become table stakes for software and services, driving the broader industry to improve and adapt to the ever-growing security and privacy requirements of modern systems.

Useful links