A managed IT services RFP exists to do one job: surface the differences between providers that all sound the same in the sales process. This template is the working version we’d hand a Dallas mid-market company running a serious provider selection — 42 questions across 8 categories, plus a scoring rubric. Copy it, edit it for your environment, send it to three to five providers, and use it to compare answers side-by-side. The point is not the document; it’s the conversation it forces.
Most published MSP RFP templates are too generic to be useful (think “describe your services”) or too procurement-heavy to inform real evaluation. The template below is calibrated to the questions that actually separate a true IT consulting firm from a helpdesk-with-monitoring. Pair it with the 12-point buyer’s framework for the scoring rubric.
How to Use This Template
The workflow takes about three weeks to run cleanly:
- Edit for your environment. Replace
[YOUR COMPANY],[NUMBER OF USERS],[INDUSTRY],[COMPLIANCE FRAMEWORK], and the response deadline with your specifics. - Send to 3–5 providers. Two is too few for comparison; six is too many for a serious side-by-side. Three to five gives you real choice without drowning in proposals.
- Give providers 10 business days to respond. Less than that and you’ll get template responses; more than that and the process loses momentum.
- Score every answer 0 to 3 using the rubric at the end of this guide. Total possible: 126 points. Anything below 90 is a “thanks but no thanks”; the top scores deserve a deep evaluation including reference checks.
- Reference-check the finalists. Three calls per provider, with clients in your size range and industry.
The whole sequence from RFP send to signed contract should run 30 to 45 days. Less is rushed; more is drift.
The 42 Questions
Copy everything below the line into your RFP document.
1. Company Profile (4 questions)
1.1. How long have you been delivering managed IT services in the Dallas-Fort Worth market? Provide your founding date and a brief firm history.
1.2. How many full-time employees do you have today, broken down by function (helpdesk, engineering, security, vCIO/strategy, sales, administration)?
1.3. What is your client retention rate over the last three years? What’s your average client tenure?
1.4. Describe your ideal client profile. Be specific about industries, company size, and geographic coverage. Where are you not a fit?
2. Service Model (6 questions)
2.1. Do you offer fully managed IT, co-managed IT, or both? Describe the difference in your model.
2.2. What is included in your base monthly per-user fee? Provide a complete services list.
2.3. What services are billed separately from the base fee? Provide examples of typical out-of-scope work and how it is priced.
2.4. Describe your standard onboarding plan from contract signature through full operational handover. What milestones do you commit to, and over what timeframe?
2.5. Is a Virtual CIO (vCIO) included in your base service? How many clients does each vCIO support?
2.6. Is a Virtual IT Manager (vITM) or equivalent on-site operational owner included in your base service? How many days per month on-site, per client?
3. Support Operations (5 questions)
3.1. What is your average response time across all tickets for the most recent 90 days? How is response time measured?
3.2. What are your published service-level goals for critical, high, medium, and low priority incidents? Provide your SLO document.
3.3. Where is your helpdesk physically located? Is it staffed by employees or by outsourced/offshore providers?
3.4. What is your support availability (hours of operation)? Describe your after-hours and weekend coverage model.
3.5. How does a typical end-user open a support ticket? List all supported channels and any limitations by tier or hour.
4. Cybersecurity (6 questions)
4.1. What cybersecurity capabilities are included in your base service? Provide a complete list.
4.2. Do you operate a 24/7 Security Operations Center (SOC) or partner with a third-party SOC? If partnered, who?
4.3. Describe your Managed Detection and Response (MDR) capability. What endpoint protection platform do you use, and how do you respond to detected threats?
4.4. Do you provide employee security awareness training? Phishing simulation? At what cadence?
4.5. Walk us through how you would respond to a confirmed ransomware incident at our environment. Provide a sanitized incident response runbook.
4.6. Do you maintain cyber insurance? What is the coverage amount?
5. Compliance and Certifications (4 questions)
5.1. Is your firm SOC 2 Type II attested? Provide the most recent attestation letter under NDA.
5.2. Is your firm ISO 9001 certified? Provide the certificate and date of last surveillance audit.
5.3. We are subject to [COMPLIANCE FRAMEWORK — HIPAA, SOC 2, PCI-DSS, CMMC, etc.]. Describe your experience delivering services under this framework and what compliance artifacts you would maintain on our behalf.
5.4. Will your firm sign a Business Associate Agreement (BAA), Data Processing Agreement (DPA), or equivalent? Provide your standard template.
6. Strategic Services (5 questions)
6.1. Describe your Quarterly Business Review (QBR) format. Who attends from your side and from the client’s side? Provide a sample QBR deliverable.
6.2. What does a 12-month technology roadmap look like in your service? Provide a sanitized sample.
6.3. How do you handle IT budgeting? Do you provide an annual budget proposal aligned to our fiscal year?
6.4. Describe how you manage third-party vendor relationships (ISP, telecom, SaaS, hardware). What level of authorized representation do you take on?
6.5. How do you handle procurement (hardware purchasing, configuration, shipping, inventory)?
7. References and Track Record (4 questions)
7.1. Provide three client references from companies between [YOUR COMPANY EMPLOYEE COUNT - 30%] and [YOUR COMPANY EMPLOYEE COUNT + 30%] employees, ideally in [INDUSTRY] or adjacent industries. Provide name, role, company, and contact information.
7.2. Provide three case studies showing measurable business outcomes from your engagements, with verifiable results.
7.3. What awards or recognitions has your firm received in the last five years? Provide sources.
7.4. Describe a recent client departure. Why did they leave, and what would you do differently?
8. Commercial Terms (8 questions)
8.1. Provide a complete pricing schedule for our environment based on the inventory provided in Appendix A.
8.2. What is your minimum contract length? Provide standard and extended-term pricing.
8.3. What is your standard payment term? Are discounts available for annual prepayment?
8.4. What is your notice period for termination? Are there off-boarding fees? Describe the off-boarding process.
8.5. Who owns documentation, configurations, scripts, and runbooks during and after the engagement?
8.6. What does a price increase look like at renewal? Are increases tied to CPI, capped, or negotiable?
8.7. Describe your insurance coverage (general liability, professional liability/errors and omissions, cyber). Provide certificates of insurance.
8.8. Are you willing to negotiate a Master Services Agreement (MSA) plus Statements of Work (SOW) structure, or do you operate on a single integrated agreement? Provide your preferred contract structure.
Scoring Rubric
Score each of the 42 answers from 0 to 3 using this rubric:
- 0 — Provider did not answer, gave a non-answer, or claimed the question wasn’t applicable.
- 1 — Vague or generic answer. Marketing language. Could apply to any provider.
- 2 — Specific, complete answer. Addresses the actual question with provider’s particular approach.
- 3 — Specific, complete answer with documentation, data, or examples attached. Goes beyond what was asked because the firm has thought deeply about the topic.
Maximum possible score: 126 points (42 questions × 3 points each).
Interpretation:
- 108–126 (86%+) — Strong provider, worthy of finalist evaluation. Schedule reference calls and a working session.
- 90–107 (71–85%) — Capable provider with gaps. Decide whether the gaps are dealbreakers for your business.
- 70–89 (55–70%) — A helpdesk vendor or a junior MSP. Likely not a fit for a mid-market Dallas company.
- Below 70 — Eliminate.
The point of the rubric is not the math; it’s the discipline of scoring every answer the same way for every provider. Once you’ve done that, the right choice usually surfaces by itself.
Common RFP Mistakes Dallas Buyers Make
A few patterns we see repeatedly when Dallas mid-market companies run MSP RFPs:
Too many questions, not enough of the right ones. A 100-question RFP gets thoughtful answers on the first twenty and copy-paste answers on the rest. Stay focused.
No environment inventory attached. Providers can’t quote accurately without a user count, server inventory, application list, and current security tooling. Build an Appendix A with that data before sending.
Treating it as a procurement exercise. RFPs that focus only on price and contract terms miss the operational substance. The questions in this template are weighted toward what matters in year two, not just year one.
No deadline, no process. RFPs without a published response deadline drift indefinitely. Set 10 business days, hold the line.
Not running references. RFP answers describe what providers say they do; references describe what they actually do. Skip the reference calls and you’ve wasted the RFP.
Choosing on price. The cheapest provider almost always becomes the most expensive provider once the gaps surface. Use the scoring rubric, not the bottom line.
What an Honest MSP RFP Response Looks Like
For perspective, here’s how GXA® would answer a few of the questions above:
- 2.4 (Onboarding): A 60-day documented onboarding plan with a hard go/no-go gate at day 30. Day 60 deliverables: complete documentation, security baseline assessment, first 12-month roadmap, first monthly executive summary. Methodology documented and shared in the sales process.
- 3.1 (Response time): 15-minute average across all priority tickets for the most recent 90 days. Measured from ticket creation to first human response. Reported monthly to clients.
- 4.1 (Cybersecurity): gShield™ bundled in base service — MDR, 24/7 SOC, email security with phishing protection, employee security awareness training with quarterly phishing simulation, dark web monitoring, vulnerability management with monthly scans, endpoint protection.
- 5.1 (SOC 2): SOC 2 Type II attested. Letter available under NDA.
- 5.2 (ISO 9001): ISO 9001:2015 certified since January 10, 2019. JAS-ANZ certified. Annual surveillance audits.
- 6.6 (QBR): Quarterly 90-minute working session with the client’s CEO, CFO, and operations lead. Standard deliverable: ticket trend report, project progress, security event summary, vendor status, roadmap update, recommended priorities for the next quarter. Sample available under NDA.
- 7.2 (Case studies): Briggs Freeman Sotheby’s International Realty (real estate), Covenant Church (multi-campus faith), Data-Matique (manufacturing) — verifiable case studies with named clients and contacts.
That’s the calibration. A provider that scores 3 on the dimensions above is a serious firm; one that scores 1 across the same questions is selling a different product than they claim.
When You’re Ready to Run It
Pull this article into a Google Doc or Word file, customize the bracketed sections, attach an environment inventory, and send to three to five providers with a 10-business-day deadline. Score each response against the rubric. Reference-check the finalists.
If you want a working session to walk through your environment before sending the RFP, or you’d like GXA to participate in the process, schedule a consultation with our Dallas team. With 21 years serving the Dallas-Fort Worth market — and clients who’ve stayed with us through three growth cycles — we welcome the comparison. The point of the RFP is to find the right partner; whether or not that’s GXA, the rigor is worth it.
Frequently Asked Questions
Do I need to issue a formal RFP, or can I just take meetings?
For companies above 50 employees, a formal RFP is worth the effort. The structured comparison surfaces differences that informal meetings hide, and the written responses become part of the contract negotiation later. For smaller companies, a structured discovery call against the 12-point framework is usually enough.
How long should we give providers to respond?
Ten business days is the right window. Less and you’ll get rushed, template-heavy responses. More and the process loses momentum and the providers prioritize fresher opportunities.
Can we send the same RFP to a national MSP and a local Dallas provider?
Yes — and you should. The comparison usually reveals which provider has thought through your specific environment vs. dropped in boilerplate. National providers often score well on commercial terms and poorly on response operations; local providers often score the inverse. The right answer depends on which dimensions matter most for your business.
Should pricing be included in the initial RFP response?
Yes. Initial pricing — even if marked “indicative” — is critical for comparison. Vague answers like “we’ll quote after a discovery call” delay decision-making and make finalists impossible to rank.
What if all three responses are weak?
If your top three scored under 90, you have a sourcing problem, not a process problem. Most likely you sent the RFP to providers in the wrong size class for your business. Ask peers in Dallas-Fort Worth for referrals, look at clients of complementary firms (your accounting firm, your legal firm), and re-run with a better candidate pool.
Take the Next Step
The template above is the working version. The customization is yours to do. If you’d rather skip the procurement exercise and just talk to a Dallas IT consulting firm directly, that’s also a legitimate path — but bring the same questions to the working session.
Schedule a consultation with GXA® to discuss managed IT services for your Dallas company. With over 21 years in the Dallas-Fort Worth market, SOC 2 Type II attestation, ISO 9001:2015 certification, and 44,810 problems solved for clients in 2025 alone, we’re confident enough in the answers to encourage you to ask them.
