# Privileged Access Management RFP Template

**Version 1.0 — April 2026**
*Released by Innovexus under CC BY 4.0. Use it freely. Edit it for your environment. Send it to any vendor — including us.*

---

## How to use this template

This template is designed to give you a vendor-neutral starting point for evaluating PAM platforms. It is **not** a sales document. The questions are written to surface real capability gaps, hidden costs, and operational realities that vendor decks rarely address.

**Recommended approach:**

1. Customise the **Scope** section to match your environment (device counts, regulatory frameworks, deployment constraints).
2. Send the questionnaire to 3–4 vendors with a 2-week response window.
3. Score responses on a 0–3 scale per question (0 = does not support, 1 = partial / requires customisation, 2 = supported, 3 = supported and audit-grade).
4. Hold scoring sessions with NOC, SOC, and compliance representatives separately, then reconcile.
5. Validate top 2 vendors with a 5–10 day technical proof-of-concept against your real environment before contract.

**A note on honest answers.** Some questions below have answers that no vendor wants to give. We've included them anyway. If a vendor refuses to answer a question or answers vaguely, that's signal — not noise.

---

## 1. Scope and environment

Customise this section before sending the RFP.

- **Total privileged users (humans)**: ___
- **Total managed devices/systems**: ___
- **Device categories**: ___ (e.g., network devices, Linux servers, Windows servers, databases, cloud workloads)
- **Geographic distribution**: ___ (single region, multi-region, global)
- **Regulatory frameworks in scope**: ___ (SOC 2, ISO 27001, PCI DSS, HIPAA, NERC CIP, IEC 62443, FedRAMP, CMMC, GDPR, etc.)
- **Existing identity provider(s)**: ___ (Okta, Azure AD, Google Workspace, AD/LDAP, JumpCloud, etc.)
- **Existing SIEM**: ___
- **Deployment constraints**: ___ (cloud-allowed, on-prem-required, air-gapped, hybrid)
- **Decision timeline**: ___
- **Budget range**: ___ (if disclosable)

---

## 2. Identification and authentication

The foundation of any PAM evaluation. If you can't trust the identity of the person making a privileged request, nothing else matters.

1. Does the platform support SAML 2.0 SSO? Which identity providers are tested in production?
2. Does the platform support OIDC SSO?
3. Does the platform support SCIM 2.0 for user and group provisioning?
4. What multi-factor authentication options are supported? (TOTP, SMS, push, FIDO2/WebAuthn, smart card, biometric)
5. Is FIDO2 hardware authentication supported as a primary factor — not just secondary? Which hardware keys are tested?
6. How are service accounts authenticated? Can they be vaulted and rotated through the same platform?
7. Are passwordless authentication flows supported end-to-end?
8. How is authentication state preserved across user sessions? What is the default session timeout, and is it configurable?
9. Does the platform enforce step-up authentication for high-risk actions (e.g., emergency-access workflow, vault retrieval, privilege elevation)?
10. How does authentication work when the platform's network connectivity is degraded? Is there a documented degraded-mode behaviour?

---

## 3. Credential vaulting and rotation

The vault is the most security-critical component. Bad answers here are disqualifying.

11. What encryption algorithm is used at rest? Is it AES-256 in an authenticated mode (GCM, CCM)?
12. How are master encryption keys protected? Specifically, is HSM-backed key custody available? Which HSMs are supported?
13. What is the key rotation policy for the master keys? Customer-controlled or vendor-controlled?
14. Can the customer take custody of their own encryption keys (BYOK)? Under what conditions?
15. Is the vault per-tenant isolated, or shared multi-tenant infrastructure?
16. What credential types are supported in the vault? (SSH passwords, SSH keys, RDP credentials, database credentials, API keys, X.509 certificates, custom credential schemas)
17. Is automated credential rotation supported? On what schedule? Can rotation be triggered ad-hoc?
18. How is rotation failure handled? Specifically: if a rotation attempt partially succeeds, how is the credential state recovered?
19. Can the vault hold credentials for shared accounts (e.g., a router's local `admin` user)? How is attribution preserved when shared accounts are used?
20. What happens to vaulted credentials when a user is deactivated in the IdP? Is the access revoked atomically?
21. How are emergency-access workflows (break-glass) handled? Specifically, how is human approval recorded, and what is the time-to-access in a real emergency?
22. Are there published SOC 2 controls covering vault integrity? Can the vendor provide the audit report under NDA?

---

## 4. Privileged session management

This is where most "PAM" evaluations lose nuance. Specific questions matter more than feature checkboxes.

23. What protocols are supported for session brokering? (SSH, RDP, VNC, Telnet, console/serial, database protocols, web-based console)
24. Is full session video recorded by default? What is the retention period and is it configurable?
25. Is the recorded session text-searchable? Can the customer search across all sessions for a specific command or output pattern?
26. How is recorded session integrity protected? Is the recording cryptographically signed? Can a vendor employee tamper with the recording without leaving an audit trail?
27. Is real-time session viewing supported (for spectating or training)? Can a senior engineer terminate an active session from the console?
28. What is the typical added latency for a brokered session vs direct access? Specifically, what is the P95 latency at the protocol layer?
29. Are sessions recorded even when the user has elevated privileges (root, enable, super-user)?
30. How are paste-events (e.g., pasting a multi-line config block) handled in the recording? Are they captured as a single event or expanded?
31. Can the customer export raw session data for long-term archive in their own systems? In what formats?
32. How does the platform handle clipboard, file transfer, and screen-sharing in RDP sessions?

---

## 5. Authorisation and role-based access control

Coarse-grained PAM (read/write per device) is the floor. Real evaluations need finer-grained answers.

33. What is the granularity of access control? Is it per-device, per-device-group, per-command, or per-session-attribute (time, source, etc.)?
34. How are roles defined and managed? Is there an external policy-as-code option (e.g., OPA, Cedar)?
35. Can access be time-bounded (e.g., 4-hour temporary access, scheduled access windows for change windows)?
36. Can access be conditional on device state (e.g., engineer can SSH to a device only if the device is in a specific maintenance window)?
37. How is just-in-time (JIT) access requested and approved? What is the typical request-to-access latency?
38. How are vendor and contractor accounts handled? Specifically: time-bounded credentials, scoped to specific assets, fully audited, revocable on engagement end.
39. Does the platform support segregation of duties (e.g., the same person cannot both approve and consume access)?
40. How are privilege escalation paths recorded? If a user starts with read-only and elevates mid-session, is the elevation event in the audit trail with explicit approval?

---

## 6. Audit, accountability, and compliance

Evidence quality is the auditor's first concern. The vendor should be able to demonstrate, not just describe.

41. Is the audit trail tamper-evident? How is integrity demonstrated to an auditor?
42. What is the default audit log retention? What is the maximum supported retention?
43. Is the audit log exportable in real-time to a customer SIEM (Splunk, Elastic, Sentinel, Datadog, Sumo Logic)? Via what mechanism — syslog, webhook, native connector?
44. What audit events are recorded? (Authentication, authorisation decisions, vault access, session start/end, command execution, configuration change, system event)
45. Does the platform provide pre-built compliance evidence exports for the frameworks in scope? Specifically: SOC 2 (CC6, CC7, CC8), ISO 27001 (A.9, A.12), PCI DSS (sections 7, 8, 10), HIPAA Security Rule (164.308), NERC CIP (005, 007, 010), IEC 62443 (FR 1, FR 2)?
46. Can the auditor be granted read-only access to the platform with a scoped role?
47. How are audit events correlated across the vault, session, and IAM layers? Single signed audit chain or multiple separate logs?
48. Is the vendor's own infrastructure SOC 2 Type II certified? Can the vendor produce the report under NDA?
49. Is the vendor's underlying infrastructure ISO 27001 certified? In which regions?
50. Has the vendor undergone a penetration test? When was the most recent test, and is the report available under NDA?

---

## 7. Deployment, operations, and resilience

The product has to actually run. These questions surface ops realities vendor decks gloss over.

51. What deployment models are supported? (SaaS multi-tenant, SaaS per-tenant dedicated, customer-managed cloud, on-premises, air-gapped)
52. For SaaS deployments, what is the published SLA? What is the historical uptime over the past 12 months, with specific incident references?
53. For SaaS, is there a published status page? Is the data on it generated from automated monitoring or manually updated?
54. What is the disaster recovery posture? RPO and RTO?
55. Is multi-region failover supported? How is data residency handled in a failover scenario?
56. How are platform upgrades handled? Customer-controlled, vendor-pushed, scheduled maintenance windows?
57. What is the typical implementation timeline for a deployment of similar scope to ours? Specifically: weeks from kickoff to production cutover, with named milestones.
58. Is implementation self-serve, or does it require vendor or partner-led services? If services, what is the typical cost?
59. What ongoing operational burden is on the customer? Specifically: agent management, server patching, vault custody, certificate renewal, etc.
60. How is platform health monitored? Are health metrics exported to the customer's monitoring tooling?

---

## 8. Integrations and ecosystem

PAM does not exist in isolation. Integration depth is a real differentiator.

61. List the supported network device platforms by vendor and OS family. Specifically: Cisco IOS / IOS-XE / NX-OS / IOS-XR / IOS Classic / Catalyst, Juniper Junos, Arista EOS, Fortinet FortiOS, Palo Alto PAN-OS, HPE Aruba ArubaOS, Extreme EXOS.
62. List the supported server platforms. Specifically: Linux distributions (RHEL, Ubuntu, SUSE, Debian, Alpine), Windows Server versions, AIX, Solaris, IBM z/OS.
63. List the supported database platforms. Specifically: PostgreSQL, MySQL, MariaDB, Oracle, SQL Server, MongoDB, Redis, Snowflake, BigQuery.
64. List the supported cloud platforms for credential management. Specifically: AWS IAM, Azure AD, Google Cloud IAM.
65. What ITSM integrations are available for change-ticket reference? (ServiceNow, Jira, Linear, Zendesk, Freshservice, ManageEngine ServiceDesk Plus)
66. What SIEM integrations are available for audit forwarding? Pre-built connectors vs syslog/webhook.
67. What identity governance / IGA integrations are available? (SailPoint, Saviynt, Microsoft Entra)
68. Is there a public REST API? Is it versioned? What are the rate limits?
69. Is there a Terraform provider? CLI tool? Python SDK?
70. What webhook events are emitted, and to which destinations?

---

## 9. Pricing and commercial terms

Vendors hate this section. That's why it's here.

71. Is list pricing published? If not, why?
72. What is the pricing unit? (Per user, per device, per session, flat tier, custom)
73. For our specific scope (defined in Section 1), what is the all-in annual cost? Please break down: base licence, modules/add-ons, professional services, support tier, third-party costs (HSM, IdP-side fees, etc.).
74. What is the contract minimum term? What are the renewal terms?
75. Is there a price escalator clause in multi-year contracts? What is the typical year-2 and year-3 price?
76. What are the cancellation terms if the platform doesn't meet expectations?
77. Is data export at termination supported? In what formats? At what cost?
78. What is the support tier structure? What is included at the base tier vs premium?
79. What is the typical response time SLA for P1 / P2 / P3 issues at each support tier?
80. Are there volume discounts? At what thresholds?

---

## 10. Honest scoring guide

When you receive vendor responses, score each answer on a 0–3 scale:

- **0 — Not supported.** Vendor admits the gap or answers with a roadmap promise.
- **1 — Partial / customisable.** Capability exists but requires customer engineering work, professional services, or a specific configuration.
- **2 — Supported.** Capability is in the product as documented.
- **3 — Supported and audit-grade.** Capability is in the product, has been audited (SOC 2 control reference, public security review, third-party report), and the vendor will demonstrate it during the POC.

**Section weights for scoring**: identity (10%), vault (15%), sessions (15%), authorisation (10%), audit (20%), operations (10%), integrations (10%), pricing (10%).

**Disqualifying answers**:

- Vague or unanswered questions on Section 3 (vault). The vault is the most critical component. Vendors who can't speak precisely about encryption, key custody, or rotation should not advance.
- Pricing refused entirely or contingent on a sales call before disclosure. Some vendors (CyberArk, BeyondTrust, Delinea) will negotiate but should provide ranges.
- No SOC 2 Type II report available, or report older than 12 months. This is table stakes for any PAM evaluation in 2026.

---

## 11. POC validation checklist

If a vendor scores well in the questionnaire, validate with a 5–10 day proof-of-concept. The POC should test:

- **End-to-end onboarding**: Can your team get a working pod from kickoff to first authenticated session in under one business day?
- **One real workflow**: Pick the most common privileged workflow your team actually does. Validate that the platform makes it materially better, not the same with extra steps.
- **Failure modes**: Disconnect the network, kill the platform's connectivity, simulate a vendor-side outage. Confirm the documented degraded-mode behaviour.
- **Audit export**: Generate a 30-day audit bundle as the auditor would receive it. Hand it to your compliance lead. Have them confirm the format and content meet their needs.
- **Pricing model under load**: Compute the year-2 and year-3 cost based on documented growth assumptions (headcount, device count, etc.). Verify the price doesn't surprise procurement.

---

## Appendix A: Vendor disqualification flags

The following vendor behaviours are red flags during evaluation:

1. **Refuses to provide SOC 2 report** under NDA. Stops the evaluation.
2. **Cannot answer Section 3 questions precisely.** Vault opacity is unacceptable.
3. **Pricing changes by more than 25% between initial discussion and contract.** Indicates either undisclosed costs or sales-team gaming.
4. **POC requires partner-led services** for basic functionality. Indicates the product is not actually self-serve.
5. **Audit bundle format requires manual assembly.** If the vendor cannot produce auditor-ready exports natively, the operational burden falls on you.
6. **Pre-built compliance playbooks are roadmap items, not shipped features.** Roadmap promises are not procurement criteria.
7. **Vendor employees can technically access customer vault contents.** Verify encryption-at-rest and key custody architecture rules this out.

---

## Appendix B: Innovexus's own answers

In the spirit of practising what we preach, here is how Innovexus answers a sample of the most-asked questions in this template. We invite you to compare these answers to other vendors you receive responses from.

- **Q11 (encryption at rest)**: AES-256-GCM (an authenticated mode). Master keys held in HSM-backed AWS KMS with FIPS 140-2 Level 3 modules.
- **Q15 (per-tenant isolation)**: Per-tenant dedicated pods. Each customer gets isolated compute, vault, and audit infrastructure on Tier 3/4 SOC 2 audited data centres. No shared multi-tenant vault.
- **Q26 (recording integrity)**: Each session recording is hash-chained and signed by the per-tenant pod's identity key at creation. Integrity is verifiable cryptographically; tampering is detected on audit.
- **Q41 (tamper-evident audit)**: Yes. Audit chain is signed by the pod identity key; integrity verifiable via the signing chain. Detailed architecture available under NDA.
- **Q45 (compliance evidence exports)**: Pre-built export templates for SOC 2 (CC6.1, CC6.6, CC7.2, CC8.1), ISO 27001 (A.9.4.3, A.12.1.2), PCI DSS (sections 7, 8, 10), HIPAA Security Rule (164.308 a.4), NERC CIP-005-7 R2, NERC CIP-007-6 R5, NERC CIP-010-3 R1, IEC 62443-3-3 FR 1 / FR 2. Custom frameworks supported via the platform's audit-export API.
- **Q48 (SOC 2)**: Yes, SOC 2 Type II certified. Report available under NDA.
- **Q57 (implementation timeline)**: Self-serve. Per-tenant pod provisions in minutes; SAML/OIDC and SCIM wired in a day; full production cutover typically 1 business week for a 50-admin / 200-device deployment. No partner-led services required.
- **Q71 (pricing transparency)**: Three flat tiers published at innovexus.io/pricing — Operations $199/mo, Professional $499/mo, Enterprise $999/mo. Same price for everyone. Cancel anytime.
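The hash-chained, signed audit trail that Q26 and Q41 ask about, and that the Q26/Q41 answers above describe, reduces to a small verifier; the following is an added illustration, not Innovexus's implementation. Each entry commits to the previous entry's hash, and a signed head commits to the chain length, so an in-place edit and a silent truncation are both detected. The HMAC key, field names and sample events are constructed stand-ins (a real pod would sign with an asymmetric identity key).

```python
import copy, hashlib, hmac, json

# Constructed demo key standing in for the per-tenant pod identity key (assumption).
DEMO_KEY = b"demo-pod-identity-key"
GENESIS = "0" * 64  # prev_hash of the first entry

def canonical(event: dict) -> bytes:
    # Canonical JSON so the same event always serialises to the same bytes.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()

def entry_hash(prev_hash: str, event: dict) -> str:
    # Each entry's hash commits to the previous hash and to its own content.
    return hashlib.sha256(prev_hash.encode() + canonical(event)).hexdigest()

def sign_head(length: int, last_hash: str, key: bytes) -> str:
    # The signed head also commits to chain length, so silent truncation is detectable.
    return hmac.new(key, f"{length}:{last_hash}".encode(), "sha256").hexdigest()

def build_chain(events, key=DEMO_KEY):
    chain, prev = [], GENESIS
    for ev in events:
        h = entry_hash(prev, ev)
        chain.append({"prev_hash": prev, "event": ev, "hash": h})
        prev = h
    return chain, sign_head(len(chain), prev, key)

def verify_chain(chain, head, key=DEMO_KEY):
    """Return None if the chain is intact, else a description of the first problem."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != prev:
            return f"entry {i}: prev_hash link broken"
        if entry_hash(prev, entry["event"]) != entry["hash"]:
            return f"entry {i}: content does not match stored hash"
        prev = entry["hash"]
    if not hmac.compare_digest(sign_head(len(chain), prev, key), head):
        return "head signature mismatch (chain truncated or re-signed)"
    return None

# Constructed sample events modelled on the event types listed in Q44.
SAMPLE_EVENTS = [
    {"ts": "2026-04-01T09:00:00Z", "type": "auth", "user": "alice", "result": "ok"},
    {"ts": "2026-04-01T09:00:05Z", "type": "session_start", "user": "alice", "target": "rtr-01"},
    {"ts": "2026-04-01T09:01:10Z", "type": "command", "user": "alice", "cmd": "show run"},
    {"ts": "2026-04-01T09:02:00Z", "type": "session_end", "user": "alice", "target": "rtr-01"},
]

def demo():
    chain, head = build_chain(SAMPLE_EVENTS)
    edited = copy.deepcopy(chain)
    edited[2]["event"]["cmd"] = "show version"  # in-place edit of a recorded command
    truncated = chain[:-1]                      # last entry deleted, old head kept
    return verify_chain(chain, head), verify_chain(edited, head), verify_chain(truncated, head)

if __name__ == "__main__":
    print(demo())
```

During a POC, ask the vendor to run the equivalent check against a deliberately modified recording and show you where the verification fails.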

We expect vendors to answer the rest of this template directly. If you'd like to evaluate Innovexus against your environment, start a 5-day free trial — no card required, runs against your real fleet.

---

## Licence and revisions

This template is released under [Creative Commons Attribution 4.0 International (CC BY 4.0)](https://creativecommons.org/licenses/by/4.0/). You are free to use, adapt, and distribute it, including commercially, with attribution.

**Revision history:**

- **v1.0 (April 2026)** — Initial release. 80 evaluation questions across 9 sections plus 2 appendices. Includes Innovexus reference answers in Appendix B.

**Source and updates:** [innovexus.io/resources/pam-rfp-template](https://innovexus.io/resources/pam-rfp-template)

**Feedback or suggested questions:** [hello@innovexus.io](mailto:hello@innovexus.io)
