What is a SASE RFP?
A SASE RFP (Secure Access Service Edge Request for Proposal) is a structured procurement document that organisations use to evaluate and compare SASE vendors against specific technical, security, and commercial requirements. It covers:
- Security architecture — zero trust network access (ZTNA), cloud-access security broker (CASB), secure web gateway (SWG), and firewall-as-a-service (FWaaS)
- Network connectivity — SD-WAN underlay options, global PoP coverage, latency SLAs, and last-mile diversity
- Management and visibility — single-pane dashboard, policy orchestration, real-time analytics, and API integrations
- Compliance alignment — mapping to NHS DSPT, PCI DSS, ISO 27001, SOC 2, and sector-specific frameworks
- Commercial terms — per-user vs per-site licensing, contract flexibility, SLA guarantees, and total cost of ownership
How to Create a SASE RFP in 5 Steps
- Define your requirements — Document current network topology, user counts by location, application dependencies, and compliance obligations.
- Map evaluation criteria — Weight each pillar (security, networking, management, compliance, commercial) according to organisational priorities.
- Select your vendor shortlist — Use market data and independent reviews to identify 3-5 vendors that match your sector, scale, and geography.
- Issue and score responses — Send the RFP to shortlisted vendors with clear deadlines, then score responses against your weighted criteria matrix.
- Run proof of concept — Validate the top-scoring vendor with a limited deployment before committing to a full rollout.
SASE RFP Evaluation Criteria
| Pillar | Key Evaluation Areas | Example RFP Questions |
|---|---|---|
| Security | ZTNA, CASB, SWG, FWaaS, DLP, threat intelligence | How does the platform enforce zero trust per-application access? |
| Networking | SD-WAN, global PoP coverage, latency SLAs, QoS | What is the PoP-to-PoP backbone latency SLA? |
| Management | Centralised console, policy automation, API, RBAC | Can policies be managed via API and CI/CD pipeline? |
| Compliance | ISO 27001, SOC 2, PCI DSS, HIPAA, NHS DSPT | Which compliance certifications does the platform hold? |
| Commercial | Licensing model, TCO, contract terms, SLA penalties | What is the per-user and per-site licensing structure? |
What is a SASE RFP Template?
A SASE RFP template is a structured procurement document used by enterprise IT teams to evaluate Secure Access Service Edge vendors against standardised technical, security, and commercial criteria. The Netify 20-Pillar SASE Procurement Framework provides a methodology covering architecture, security posture, deployment model, compliance, and commercial terms — used by IT teams across Manufacturing, Retail, Healthcare, and Financial Services.
Why Do Most SASE RFPs Fail to Produce Results?
Most SASE RFP templates and processes produce inconclusive results because the evaluation was compromised before a single vendor responded. The following table identifies the five structural failures observed in traditional SASE procurement and how the Netify 20-Pillar SASE Procurement Framework addresses each.
| Failure Mode | What Happens | Impact on Evaluation | Netify Framework Response |
|---|---|---|---|
| Vendor-led question bias | RFP questions drawn from vendor sales materials or pre-sales documentation rather than business requirements | Evaluation criteria favour the incumbent or preferred vendor; competing providers cannot differentiate on genuine capability | Pre-built requirement modules developed from cross-vendor evaluation experience across 30+ SASE providers |
| No scoring model | Responses evaluated subjectively by individuals without agreed weighting or criteria | Shortlist determined by presentation quality or existing relationships rather than technical merit | 1–10 per-requirement scoring with cumulative totals and automated vendor ranking |
| No compliance mapping | Security requirements written without reference to NHS DSPT, PCI DSS, SOC 2, FCA or sector-specific standards | Vendor responses cannot demonstrate regulatory alignment; compliance gaps discovered post-contract | Compliance framework mapping built into each module covering UK GDPR, PCI DSS 4.0.1, ISO 27001, DSPT, FCA PS21/3, NIS2, IEC 62443 and HIPAA |
| No stakeholder alignment | IT, security, procurement and business stakeholders not agreed on evaluation priorities before vendor engagement begins | Conflicting scoring, disputed shortlists and procurement delays as teams revisit criteria mid-evaluation | Modular requirement selection allows stakeholders to agree scope before publication; each module independently activated or deactivated |
| No structured comparison | Vendor responses arrive as PDFs, slide decks and spreadsheets in incompatible formats | Evaluation teams spend weeks normalising responses rather than assessing capability; like-for-like comparison is impossible | Platform-enforced response structure where providers address each requirement independently within a common format |
The Netify 20-Pillar SASE Procurement Framework eliminates these failures structurally. Requirements are standardised, responses are comparable, scoring is quantified and compliance alignment is pre-mapped — before the first vendor receives your RFP.
How Does the SASE RFP Builder Work?
A SASE RFP built through Netify moves through five phases: choosing the right questions for your business, specifying security requirements, publishing to the marketplace, managing responses, and scoring.
- Introduce your Company & Environment — input your industry, company overview and primary contact details.
- Define your Security Posture & Access Patterns — input your existing identity provider, user types, device posture requirements and application access policies.
- Specify ZTNA, SWG, CASB, FWaaS and DLP requirements — detail which security components you need vendors to address and your organisation’s specific compliance obligations.
- Collect structured submissions in-platform — providers respond to each security requirement with standardised, directly comparable results. Monitor responses, request clarifications and RFP progress in the dashboard.
- Evaluate, rank and build shortlists — score vendor responses, assess security capabilities and produce a shortlist highlighting capability differences.
The Netify 20-Pillar SASE Procurement Framework
Developed by Netify for enterprise IT procurement teams, the Netify 20-Pillar SASE Procurement Framework evaluates vendors across standardised pillars spanning identity, threat prevention, network connectivity, operations and commercial terms.
Identity & Access
- Pillar 1 — Zero Trust Network Access (ZTNA): user authentication, device posture, per-app micro-tunnels, least-privilege enforcement.
- Pillar 2 — Identity Integration & Authentication: SSO, MFA, Azure AD / Okta / on-prem AD compatibility, conditional access.
- Pillar 3 — Third-Party Access Management: contractor access, vendor remote sessions, temporary credentials, session recording.
Threat Prevention
- Pillar 4 — Secure Web Gateway (SWG): URL filtering, TLS inspection, malware scanning, bandwidth controls.
- Pillar 5 — Cloud Access Security Broker (CASB): shadow IT discovery, inline / API modes, DLP for SaaS, OAuth app control.
- Pillar 6 — Firewall as a Service (FWaaS): L3–L7 policy enforcement, IPS/IDS, DNS security, micro-segmentation.
- Pillar 7 — Data Loss Prevention (DLP): content inspection, regex/fingerprint matching, exact data match, OCR.
- Pillar 8 — Encryption & TLS Inspection: TLS 1.3 decryption, certificate management, bypass policies, performance impact.
Network & Connectivity
- Pillar 9 — SD-WAN Convergence: path selection, application-aware routing, WAN optimisation, branch connectivity.
- Pillar 10 — Global Backbone & PoP Distribution: PoP locations, peering arrangements, latency SLAs, regional redundancy.
Operations & Governance
- Pillar 11 — Logging, Monitoring & SIEM Integration.
- Pillar 12 — Implementation & Migration Methodology.
- Pillar 13 — Service Model & Support.
- Pillar 14 — Resilience & Business Continuity.
- Pillar 15 — Compliance & Certification Validation.
- Pillar 16 — Policy Governance & Audit Trail.
- Pillar 17 — Data Residency & Sovereignty.
- Pillar 18 — Commercials & Licensing.
- Pillar 19 — AI-Assisted Custom Requirements (Netify AI Helper).
Evaluation & Selection
- Pillar 20 — Provider Evaluation & Shortlisting: per-requirement scoring, cumulative ranking, weighted priorities, shortlist generation.
How Does the Netify Framework Compare to a Generic SASE RFP Template?
| Dimension | Generic RFP Template | Netify 20-Pillar Framework |
|---|---|---|
| Format | Static Word document or PDF | Structured 20-pillar methodology with modular requirement selection |
| Scoring | No scoring automation; ad-hoc spreadsheets | Built-in 1–10 per-requirement scoring with weighted priorities and automated ranking |
| Responses | Vendor-written in inconsistent formats | Standardised structured responses within enforced common format |
| Benchmarking | No benchmarking capability | Marketplace comparison built-in across 30+ pre-vetted vendors |
| Compliance | Manual compliance checking | Pre-mapped to NHS DSPT, HIPAA, PCI DSS 4.0.1, SOC 2, ISO 27001, FCA PS21/3, NIS2 |
| Vendor access | Limited to known contacts; manual outreach | 30+ curated SASE vendors and managed service providers matched algorithmically |
Major SASE Platforms Evaluated in Enterprise RFPs
Enterprise SASE RFPs typically shortlist a small number of major platforms representing different architecture models. The table below shows commonly evaluated SASE platforms and the security components typically included in enterprise SASE evaluations.
| Vendor | ZTNA | SWG | CASB | FWaaS | DLP | Global Backbone | Architecture Model |
|---|---|---|---|---|---|---|---|
| Cato Networks | Yes | Yes | Partial | Yes | Yes | Yes | Single-vendor SASE |
| Zscaler | Yes | Yes | Yes | Partial | Yes | Yes | SSE Platform |
| Netskope | Yes | Yes | Yes | Yes | Yes | Yes | SSE Platform |
| Palo Alto Prisma | Yes | Yes | Yes | Yes | Yes | Yes | SASE Platform |
| Fortinet | Yes | Partial | Partial | Yes | Yes | Limited | SD-WAN + Security |
| Cisco | Yes | Yes | Yes | Yes | Partial | Yes | SSE + SD-WAN |
| Cloudflare | Yes | Yes | Partial | Yes | Partial | Yes | Cloud Security Edge |
Which SASE RFP Approach Is Right for You? Platform vs Traditional vs Consultant
| Evaluation Dimension | Traditional (Manual RFP) | Consultant-Led RFP | Netify RFP Builder |
|---|---|---|---|
| Time to publish RFP | 4–12 weeks | 3–8 weeks | Minutes (module selection to publication) |
| Vendor distribution | Manual outreach, typically 3–5 vendors | Consultant network, typically 5–10 vendors | 30+ pre-vetted SASE vendors and MSPs |
| Response collection | Email attachments, spreadsheets, PDFs | Consolidated by consultant into report | Unified in-platform structured responses |
| Requirement standardisation | Varies by author | Depends on consultant | Pre-built module library |
| Response comparability | Incompatible formats | Normalised post-submission | Enforced common structure |
| Scoring methodology | Ad-hoc spreadsheets | Consultant-defined weightings | 1–10 per-requirement scoring with totals |
| Shortlist generation | Manual comparison | Consultant recommendation | Automated ranking |
| Typical cost | Internal resource time only | £15,000–£50,000+ engagement | Free — no cost to publish and evaluate |
| RFP reusability | Start from scratch | If consultant retains docs | Duplicate and republish |
| NDA management | Manual execution | Via consultant | Platform-managed NDA gates |
SASE RFP Requirements by Industry
Healthcare
A SASE RFP for healthcare must emphasise clinical application access controls, medical IoT device segmentation, patient data protection within cloud services, and demonstrable compliance with DSPT and Caldicott Principles. Clinical staff require seamless access to EPR and PACS systems whilst maintaining strict data protection standards.
| SASE Component | Healthcare-Specific Requirement | Compliance Driver | Priority |
|---|---|---|---|
| ZTNA | Policies for managed devices and clinician-owned smartphones accessing EPR and PACS | DSPT, Caldicott Principles | Critical |
| CASB | Capabilities demonstrated with clinical SaaS platforms and patient data workflows | UK GDPR, DSPT | Critical |
| FWaaS | IoMT device segmentation with auditable policy enforcement | DSPT, NHS Digital | Critical |
| DLP | Patient data protection across cloud applications and email | UK GDPR, Caldicott | High |
| Logging | Retention periods satisfying DSPT evidence requirements | DSPT | High |
| Service Model | Managed service capabilities for clinical sites without on-site security specialists | Operational | High |
Retail
A SASE RFP for retail must prioritise consistent policy enforcement across distributed branches, third-party vendor access controls, payment network segmentation, and rapid deployment capability.
| SASE Component | Retail-Specific Requirement | Compliance Driver | Priority |
|---|---|---|---|
| ZTNA | Third-party contractor access without persistent VPN tunnels | PCI DSS, Least Privilege | Critical |
| SWG / FWaaS | Centralised policy management scaling across hundreds of endpoints | Operational | Critical |
| FWaaS | PCI DSS-compliant payment network segmentation with audit trails | PCI DSS 4.0.1 | Critical |
| Resilience | Failover mechanisms with documented RTO for store connectivity | Operational | High |
| Deployment | Zero-touch provisioning for rapid multi-site rollout | Operational | High |
Manufacturing
A SASE RFP for manufacturing must prioritise OT/IT network separation, global PoP coverage for plant-to-cloud connectivity, device posture controls for industrial systems, and operational models suited to sites with limited security staff.
| SASE Component | Manufacturing-Specific Requirement | Compliance Driver | Priority |
|---|---|---|---|
| ZTNA | OT access with least-privilege enforcement for third-party equipment vendors | IEC 62443, NIS2 | Critical |
| FWaaS | Clear policy boundaries between production OT and corporate IT networks | IEC 62443, Purdue Model | Critical |
| Global PoP | Distribution adequate for multinational plant operations with predictable latency | Operational | High |
| Service Model | Managed service offerings reducing burden on plant-level teams | Operational | High |
| Resilience | Maintenance window scheduling aligned to production schedules | Operational | High |
Financial Services
A SASE RFP for financial services must prioritise comprehensive security stack integration, stringent identity and device controls, complete audit trail generation, and low-latency connectivity for trading platforms.
| SASE Component | Financial Services-Specific Requirement | Compliance Driver | Priority |
|---|---|---|---|
| Integrated SASE | ZTNA, SWG, CASB, FWaaS and DLP within a unified management plane | FCA PS21/3, Operational Resilience | Critical |
| ZTNA | Strong authentication and device posture checks for trading systems | FCA, PRA | Critical |
| CASB / DLP | Prevention of unauthorised data exfiltration from cloud applications | FCA, UK GDPR | Critical |
| Logging | Comprehensive audit trails with retention periods meeting regulatory needs | FCA, PCI DSS 4.0.1 | Critical |
| Encryption | TLS inspection without introducing unacceptable latency for trading | FCA, PCI DSS 4.0.1 | High |
| Governance | Role-based access, approval workflows and immutable audit logs | FCA PS21/3, SOX | High |
SASE RFP Scoring: Vendor Evaluation Methodology
| Score | Classification | Evaluation Criteria | Vendor Response Characteristics |
|---|---|---|---|
| 9–10 | Exceeds Requirements | Vendor demonstrates capability beyond stated requirement with evidence | Detailed technical response, reference architectures, proven deployments in comparable environments |
| 7–8 | Fully Meets Requirements | Vendor addresses all elements of the requirement with supporting detail | Clear capability statements, configuration examples, compliance evidence provided |
| 5–6 | Partially Meets Requirements | Vendor addresses core elements but gaps exist in coverage or evidence | General capability confirmed but lacking specificity, roadmap items included, limited evidence |
| 3–4 | Minimally Meets Requirements | Vendor acknowledges requirement but response lacks substance or relies on third parties | Vague statements, partner/integration dependencies, no evidence of deployed capability |
| 1–2 | Does Not Meet Requirements | Vendor cannot address the requirement or response is non-substantive | No capability, future roadmap only, or requirement deflected without addressing core need |
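The weighted pillar scoring described in the "Map evaluation criteria" step and the 1–10 band table above, worked as an added example (not Netify's own code): pillar weights, the Critical-requirement floor, vendor names and all scores are constructed assumptions, and the critical-gap check is an extra practitioner safeguard the page's tables imply but do not spell out.

```python
from statistics import mean

# Pillar weights are an assumption for this example: the page says each pillar
# is weighted according to organisational priorities, so substitute your own.
PILLAR_WEIGHTS = {"Security": 0.35, "Networking": 0.20, "Management": 0.15,
                  "Compliance": 0.20, "Commercial": 0.10}

# Score bands from the evaluation methodology table (1-10 per requirement).
BANDS = [(9, "Exceeds Requirements"), (7, "Fully Meets Requirements"),
         (5, "Partially Meets Requirements"), (3, "Minimally Meets Requirements"),
         (1, "Does Not Meet Requirements")]

# Assumption: a Critical requirement must at least "Fully Meet" (score 7+).
CRITICAL_FLOOR = 7

def classify(score: int) -> str:
    """Map a 1-10 requirement score to its classification band."""
    if not 1 <= score <= 10:
        raise ValueError(f"score {score} outside the 1-10 range")
    return next(label for floor, label in BANDS if score >= floor)

def weighted_total(responses: dict) -> float:
    """Cumulative weighted total (0-10): per-pillar mean score x pillar weight."""
    total = 0.0
    for pillar, weight in PILLAR_WEIGHTS.items():
        reqs = responses.get(pillar)  # [(requirement, priority, score), ...]
        if not reqs:
            raise ValueError(f"no scored requirements for pillar {pillar!r}")
        for _, _, score in reqs:
            classify(score)  # rejects scores outside 1-10
        total += weight * mean(score for _, _, score in reqs)
    return total

def critical_gaps(responses: dict) -> list:
    """Critical requirements scored below CRITICAL_FLOOR, with their band."""
    return [(req, score, classify(score))
            for reqs in responses.values() for req, priority, score in reqs
            if priority == "Critical" and score < CRITICAL_FLOOR]

def rank_vendors(vendors: dict) -> list:
    """Rank vendors by weighted total, highest first. The third field counts
    critical gaps so a strong total cannot hide a blocking weakness."""
    rows = [(name, weighted_total(r), len(critical_gaps(r))) for name, r in vendors.items()]
    return sorted(rows, key=lambda row: -row[1])

# Constructed sample responses for two hypothetical vendors (not real scores).
SAMPLE_VENDORS = {
    "Vendor A": {"Security": [("ZTNA per-app access", "Critical", 9), ("DLP", "High", 7)],
                 "Networking": [("PoP latency SLA", "High", 6)],
                 "Management": [("Policy API", "High", 8)],
                 "Compliance": [("ISO 27001 / SOC 2", "Critical", 9)],
                 "Commercial": [("Licensing model", "High", 7)]},
    "Vendor B": {"Security": [("ZTNA per-app access", "Critical", 6), ("DLP", "High", 8)],
                 "Networking": [("PoP latency SLA", "High", 9)],
                 "Management": [("Policy API", "High", 6)],
                 "Compliance": [("ISO 27001 / SOC 2", "Critical", 8)],
                 "Commercial": [("Licensing model", "High", 9)]},
}
```

Calling `rank_vendors(SAMPLE_VENDORS)` ranks Vendor A (7.70) ahead of Vendor B (7.65) and reports one critical gap for Vendor B, the ZTNA requirement scored in the "Partially Meets" band.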
SASE RFP Compliance: Regulatory Framework Mapping
| Compliance Framework | ZTNA | SWG | CASB | FWaaS | DLP | Logging |
|---|---|---|---|---|---|---|
| UK GDPR | Yes | Yes | Yes | Yes | Yes | Yes |
| PCI DSS 4.0.1 | Yes | Yes | Partial | Yes | Yes | Yes |
| ISO 27001:2022 | Yes | Yes | Yes | Yes | Yes | Yes |
| Cyber Essentials Plus | Yes | Yes | Partial | Yes | Partial | Partial |
| SOC 2 Type II | Yes | Yes | Yes | Yes | Yes | Yes |
| DSPT (NHS) | Yes | Yes | Yes | Yes | Yes | Yes |
| FCA PS21/3 | Yes | Yes | Yes | Yes | Yes | Yes |
| NIS2 Directive | Yes | Yes | Yes | Yes | Yes | Yes |
| IEC 62443 (Industrial) | Yes | Partial | Partial | Yes | Partial | Yes |
| HIPAA (US Healthcare) | Yes | Yes | Yes | Yes | Yes | Yes |
Common SASE RFP Questions
How many vendors should you include in a SASE RFP?
The Netify 20-Pillar SASE Procurement Framework recommends inviting 3–5 vendors to respond to a structured RFP. This allows meaningful comparison without overwhelming evaluation teams. Netify’s platform provides access to 30+ curated vendors, with algorithmic matching to identify the best-fit shortlist based on site count, region and security requirements.
What should a SASE RFP cover?
A comprehensive SASE RFP should evaluate vendors across architecture, security integration, deployment model, compliance alignment, commercial terms and ongoing support. The Netify 20-Pillar Framework standardises this evaluation so procurement teams can compare vendors on a consistent basis rather than relying on vendor-led marketing responses.
How long should a SASE RFP process take?
A structured SASE RFP process typically takes 4–8 weeks from requirements definition to vendor shortlist. The Netify RFP Builder accelerates this by providing pre-built question sets, AI-assisted requirement generation and automated response scoring — reducing the typical timeline to days rather than months.
What is the difference between an RFI and an RFP?
An RFI (Request for Information) gathers general vendor capabilities and market intelligence. An RFP (Request for Proposal) is a formal procurement document requesting detailed, structured responses against specific technical and commercial requirements. Netify supports both — the RFI Builder for early-stage research and the RFP Builder for formal procurement.
Free Sector SASE RFP Templates: Manufacturing, Healthcare & Retail
The Netify research team has produced three sector-specific SASE RFP templates covering Manufacturing, Healthcare and Retail. Each template contains expert RFP questions written from both the buyer and supplier perspective, and includes a guide to running your evaluation through the Netify marketplace, giving you access to 30+ curated vendors and managed service providers.
Build Your SASE RFP in Minutes
Select your security requirements using the Netify 20-Pillar SASE Procurement Framework, define access policies, publish to over 30 vetted SASE vendors and managed service providers, then evaluate and rank submissions — all within the Netify platform.