
by Scott Jack
Content Contributor, E-N Computers
15 years of experience in technical support, endpoint management, and documentation.
You want to make sure you’re asking the right questions when you’re sending out an RFP or evaluating proposals. But many buyers, even if they’re using an RFP template, don’t focus on the things that go wrong in MSP relationships.
Some templates are written by vendors who will bid on your contract. Others are recycled from a previous procurement or pulled from a generic source online. Often, they look thorough without covering questions that would prevent real problems like a help desk quietly moving offshore, a billing structure that changes three times in 18 months, or a vendor who deletes a departing employee’s email account instead of forwarding it.
This post gives you the questions most buyers skip — drawn from what we’ve seen go wrong in real IT relationships — and explains what to do with the answers.
QUICK ANSWER:
What do you need to know when preparing RFPs and evaluating proposals?
Focus on friction points that derail partnerships. Make sure that response times aren’t based on automated responses, and seek full transparency about staff and subcontractor locations. Know what’s included in monthly costs, what costs extra, whether there’s a contractual limit on price increases, and whether there’s a mature offboarding roadmap. Pay attention to how they think about system design and processes, especially when it comes to compliance. Find out if they have an AI policy and ask to see it.
Table of Contents
- Before you use a template from a vendor, read this
- Questions about response time
- Questions about staff and subcontractor location
- Questions about billing, contracts, and what happens when you leave
- Questions about compliance and CMMC
- Questions about AI use
- Signs of a weak proposal
- How to compare multiple vendors
- Frequently asked questions
Before you use a template from a vendor, read this
Putting an RFP together is overwhelming. Reaching for a template is the natural first move. Some vendors offer RFP templates, but they’re often designed to favor what they’re good at and downplay their weaknesses. But this doesn’t mean they’re all bad.
“A vendor-written template is better than nothing because it helps you put things down in writing and get more involved in the process,” said Ian MacRae, E-N Computers president. Just make sure you’re asking the questions that matter to your business.
What’s your response time, and how do you measure it?
Many IT RFPs mention response time without clearly defining it. An automated email confirming your request was received is not the same as a human reviewing it, assigning it a priority level and a technician, and reaching out. A receipt is useful — but you’re probably more interested in how quickly a real person will get back to you.
E-N Computers considers the first response to be when a member of our team tries to contact you. A competent MSP should be able to reach you within 15 minutes of receiving your request. We hold ourselves to that standard and document it in every service agreement.
Pay attention to vendors who are unusually flexible on questions about response time and service level objectives. “If somebody can be really flexible on meeting some weird custom SLA,” MacRae said, “they really don’t know what they’re doing.” A quality MSP has built its operations around a standard it can keep.
What to ask about staff and subcontractor location
You can get surprisingly far into evaluating a vendor before finding out that the help desk, after-hours staff, or engineers are overseas. This may not be disclosed by the salesperson or in the service agreement. Many clients find out too late, after the contract is signed and service quality declines. Even with the lower cost, many businesses find that the downsides of offshore support outweigh the savings.
Two businesses that became E-N Computers clients switched because their previous provider moved support offshore after an acquisition. In one case, the MSP had served the client for eight years before being bought. Within months, engineers left, billing became chaotic, and the relationship fell apart. In another situation, the client’s offshore help desk carried four-hour response times, unnecessarily delaying resolution. Then, when an employee departed, they deleted her email account instead of forwarding it, taking legal correspondence with it.
Unfortunately, it’s almost impossible to know what will happen post-acquisition. That’s why you should get a clear idea of what happens if you decide to leave. All of our support staff are US-based, and we put that in the contract.
Questions about billing, contracts, and what happens when you leave
Billing problems tend to show up after the contract is signed, once the relationship is established and switching costs have gone up. By then, surprise charges and unexplained price increases are harder to push back on. One E-N Computers prospect had their pricing changed three times in 18 months by their previous MSP. Another received invoices for equipment ordered in March that didn’t arrive until October — a different fiscal year — and described the billing team as “outright hostile” when they raised questions.
Ask vendors, ‘What is your per-user monthly fee, and what does it include? Are there additional charges for after-hours support, onboarding, or hardware procurement? How are price increases handled — is there a cap, and how much notice do you give?’
You should also ask about contract length and the offboarding process. What is the contract length, and what are the terms for early termination? How do you handle offboarding — specifically, what happens to our data, our licenses, and our email accounts if we leave?
Get the offboarding process in writing before you sign. A competent MSP will have an offboarding process as mature as onboarding. We want to keep you happy, but circumstances change, some clients will leave, and that process should be as smooth and professional as possible.
Questions about compliance and CMMC
If your business works in the defense supply chain, CMMC compliance is now a contractual requirement, not just a recommendation. The final rule was published in October 2024, and the DFARS interim rule making it enforceable took effect November 10, 2025. Defense contractors must post CMMC Level 1 or Level 2 self-assessments to SPRS before contract award, which means the MSP managing your systems has a direct impact on your compliance posture.
The mistake most buyers make at this stage is jumping straight to specific controls — asking vendors to confirm particular tools, configurations, or checkbox items — without understanding whether those controls fit together into a coherent system. Ian describes this as the P-trap problem.
“The building code says you have to have a P-trap on your sink. But you don’t look at a real estate listing and say, ‘Oh look, this is a 14 P-trap house,’” he says. “Defense contractors think they’re interested in P-traps — FIPS-validated encryption, for example — but what they really want is a compliant system that fits their needs.”
When you buy a house, you want to know whether the house is well built, the right size, and in the right location. So before you start assessing against regulations, it’s worth defining what a right-sized solution looks like, and where your data needs to be stored. Start by thinking about usability. Later, you can get down in the weeds about specific regulations.
Ask vendors, ‘Are you a CMMC Registered Practitioner Organization (RPO)? Can you support systems that process Controlled Unclassified Information (CUI)? Do you currently support businesses that handle CUI?’
Even more important, ask how they approach scoping a compliant system and how compliance responsibilities are divided between you and them. You need insight into their process and what they’re like to work with, more than whether they can check a box.
Questions about AI use
The main concern is what happens at the technician level. All the major AI chatbots offer free plans that come at a cost: they can use any input to train their models. Only the paid tiers come with a promise to not use your data for training purposes. There’s a high likelihood that an MSP, like your own company, will have some shadow AI. For example, Google Search now has an AI Mode that employees are likely to use.
Ian cautions against blocking AI entirely. Instead, ask if they have an AI use policy that they can produce. “You want to have an organization with some sort of a corporate AI policy,” he said. “Maybe that’s something that they’re able to show you — how their team is going to manage accessing AI systems.”
Signs of a weak proposal
Vague commitments, generic language about “best-in-class service”, and breezing through staffing and compliance are red flags. Here are a few other things to watch out for.
- Service objectives that treat automated responses as meeting response time. You want to know when a human will start helping you, and in what timeframe they will aim to resolve your request. Don’t settle for automated responses as fulfilling a service objective.
- Offshore staffing disclosed late or not at all. If you ask directly and the answer is ambiguous — for example, “we use a mix of resources” — ask them to be more specific.
- CMMC answered with a tool list. A vendor who responds to compliance questions by quoting specific security products hasn’t understood the question. You want to know about design philosophy and process before any discussion of specific controls.
- Billing described in the aggregate only. “All-inclusive managed IT” isn’t a pricing structure. Find out what’s included and what costs extra.
- Missing or vague exit terms. If the proposal doesn’t address offboarding, ask for it in writing before you sign. It should be about as easy to leave as it is to sign up.
How to use this list when comparing multiple vendors
An RFP works best when it requires every vendor to answer the same questions in a form you can compare side by side. The questions in this post are worth including directly in your RFP as required responses, not just background context you’re carrying into conversations.
When proposals come back, pay attention to which vendors answer specifically versus which ones speak in generalities. A thorough, direct response to a hard question signals that the vendor has done this before and knows what they’re committing to. A vague response signals the opposite. The effort a vendor puts into the proposal itself also tells you something — MacRae noted that responding thoughtfully to an RFP, especially one that asks for a fresh approach rather than just a quote on the existing setup, takes real work. A vendor who has done that work has already demonstrated something about how they treat a client relationship.
E-N Computers is a Virginia-based MSP with nearly 30 years of experience serving defense contractors and high-compliance businesses. We’ve been asked every question in this article, and probably a few that aren’t here. If you’re comparing proposals right now and want to know exactly where we stand, including the questions most vendors find ways to dodge, schedule a call with our team. We’ll give you straight answers.
Frequently asked questions
Do I need an RFP to hire a managed IT provider?
No. Many small businesses hire an MSP through a direct conversation and a standard service agreement. An RFP makes more sense when you’re comparing multiple vendors simultaneously, have compliance requirements that need to be documented, or are replacing an existing MSP and want a structured process. If you do use an RFP, keep it focused — a checklist of key questions will serve you better than a 20-page document that vendors answer with boilerplate.
What should an IT RFP include?
At minimum: response time commitments with a clear definition of what “response” means, staffing location for support staff and subcontractors, compliance qualifications (CMMC RPO status if relevant), billing structure and price escalation terms, contract length and exit conditions, and an AI use policy. The downloadable RFP template on this page covers each of these with instructions for the buyer and space to record vendor responses.
How do I evaluate managed IT proposals once they come in?
Compare responses to the same questions across vendors. Look for specificity — vendors who answer directly, with detail, are telling you they’ve done this before. Look at contract terms and billing structure carefully; these are where surprises tend to surface later. And check references, specifically from businesses in your industry or of similar size.
What is a CMMC Registered Practitioner Organization?
An RPO is a company that has been vetted and listed by the Cyber AB (the accreditation body for CMMC) as qualified to provide CMMC consulting and advisory services. For defense contractors evaluating MSPs, RPO status is one signal that the vendor understands the compliance requirements — though it’s not the whole picture. See our full explanation of CMMC Registered Practitioners for more detail.
What is a reasonable response time SLA for managed IT support?
For critical issues, 15 minutes or less to human triage is a reasonable benchmark. That means a technician has reviewed the problem and has a plan — not that an automated system has logged the ticket. Ask vendors specifically how response time is defined and documented in their agreement.

