Vendor Risk Management Software
Project Information
- Bid Title
- Vendor Risk Management Software
- Issuing Agency
- State Government of Tennessee
- Location
- Tennessee
- Published Date
- Nov 20, 2025
- Closing Date
- Jan 8, 2026
- Government Level
- State & Local
- Status
- Closed
- Ref. #
- RFI 31701-03813
- Original Source
- Join to Access Full Details
- Bid Inquiries
- Join to Access Full Details
- Bid Documents
- Join to Access Full Details
- Project Description
-
Document ID & Hyperlink: RFI 31701-03813 Event Start - Response Due: 11/20/2025
01/08/2026Event Name: Vendor Risk Management Software Last Updated:
- Attachment Preview
-
STATE OF TENNESSEEDepartment of Finance & Administration, Strategic Technology SolutionsREQUEST FOR INFORMATIONFORVendor Risk Management SoftwareRFI # 31701-03813Thursday, November 20, 20251. STATEMENT OF PURPOSE:The State of Tennessee, Department of Finance & Administration, Strategic TechnologySolutions (“State” or “STS”) issues this Request for Information (“RFI”) for the purpose ofidentifying a vendor risk management software platform that can support the full lifecycle of third-party risk management. We appreciate your input and participation in this process.2. BACKGROUND:The purpose of this Request for Information (RFI) is to gather detailed information from qualifiedvendors regarding Vendor Risk Management (VRM) solutions. Strategic Technology Solutions isseeking to identify a platform that can support the full lifecycle of third-party risk management—from vendor onboarding and due diligence to continuous monitoring, compliance management,and offboarding. This RFI is intended to inform our understanding of the current capabilitiesavailable in the market, assess alignment with our operational and regulatory requirements, andguide future procurement decisions.We invite vendors to provide comprehensive responses that outline their solution’s functionality,technical architecture, integration capabilities, support services, and pricing models.3. PROPOSED SOLUTION(S): The State is seeking information on software solutions andcapabilities that currently exist from qualified vendors for a vendor risk management platform.Table 3.1 below represents the State’s List of Business Requirements for which the vendorshould provide proposed solutions in their response. In accordance with Section 7. InformationalForms, Technical Information Form Question 4, please demonstrate in your response how yoursolution meets our requirements, if there is a feature that doesn’t currently meet therequirements, but is in development, or if your solution provides alternative functionality that mayyield a similar outcome.Table 3.1: List of Business RequirementsNO. Requirement DescriptionYour SolutionResponse11. Vendor Onboarding & Due Diligence1.a. Support automated onboarding workflows for newvendors1.b. Allow for customizable due diligence questionnaires1.c. Support risk tiering based on vendor criticality, dataaccess, and service type1.d. Allows for different processes and questionnairesdepending on risk tier/agency/group2. Risk Assessment & Scoring2.a. Provide configurable risk assessment templates alignedwith industry standards (e.g., NIST, ISO 27001, SIG)2.b. Support multi-dimensional risk scoring (e.g.,cybersecurity, financial, operational, compliance)2.c. Allow for visual representation of risk (e.g., heatmaps,dashboards)3. Continuous Monitoring3.a. Support all-source monitoring of vendor risk posture,pulling data from multiple sources to continuouslyevaluate our vendors3.b. Generate alerts for changes in vendor risk status orknown incidents4. Contract & SLA Management4.a. Provide a centralized repository for vendor contracts andSLAs4.b. Support tracking of SLA compliance and flagging ofviolations4.c. Link risk assessments to contractual obligations4.d. Structured vendor oversight functionality that enablescollaboration between separate divisions utilizingworkflows with assigned responsibility tracking5. Workflow Automation5.a. Support automated and customizable workflows forapprovals, reassessments, and remediation5.b. Allow task assignments and tracking for internal andexternal stakeholders5.c. Maintain an auditable history of all actions and decisions6. Regulatory Compliance6.a. Map vendor controls to regulatory frameworks (e.g.,NIST, ISO, GDPR, HIPAA, SOX)6.b. Support evidence collection and audit reporting6.c. Provide compliance dashboards and reporting tools forongoing contract monitoring6.d. Demonstrate ADA accessibility compliance (WCAG 2.1AA)7. Reporting & Dashboards7.a. Offer customizable dashboards for different user roles(e.g., executives, risk managers)7.b. Support exportable reports (PDF, Excel) and scheduledreporting7.c. Allow filtering and segmentation by vendor, risk level,department, etc.8. Integration Capabilities8.a. Provide APIs for data exchange & automation8.b. Support single sign-on (SSO) and role-based accesscontrol9. Vendor Offboarding9.a. Support secure offboarding workflows, including accesstermination9.b. Archive vendor risk history and documentation9.c. Trigger compliance and data retention checklists duringoffboarding10. Pre/Post-Engagement Due DiligenceManage requests to vendors for security requirement validationdocumentation such as:10.a. System configuration requirements10.b.Required annual security documentation (i.e. SOC 2Type II reports, Disaster Response and BusinessContinuity Plans, Cyber Incident Response Plan,FedRAMP Certification, Third-Party Penetration TestingReport and Attestations, Vulnerability Scan Schedules,Media Sanitization Policy and Procedures, AttestationStatements, GovRAMP, CJIS)10.c.Includes an automated process for vendors to completeportal forms and upload new certifications, reports andattestations annually with system-generated notificationsfor missing or expired certifications10.d. Vendors that are out of compliance are flagged forreview11. Enterprise Licensing11.a. Ability for multiple state agencies to use the solutionunder one master account and the creation ofsubaccounts for each agency to manage their vendors11.b. Support account scalability4. COMMUNICATIONS:4.1. Please submit your questions and response to this RFI to:Shannon Keefe, Contract SpecialistFinance and Administration, Strategic Technology Solutions901 Rep. John Lewis Way North, Nashville, TN 37243(615) 350-4244Shannon.Keefe@tn.gov4.2. Please reference RFI # 31701-03813 with all communications to this RFI.4.3. Please limit all questions to one submission per vendor.5. RFI SCHEDULE OF EVENTS:EVENT1.RFI IssuedTIME(CentralTimeZone)DATE(all dates are State businessdays)Thursday, November 20, 20252.Written Questions & Comments Deadline 2:00 PMTuesday, December 9, 20253.State Response to Written Questions &CommentsWednesday, December 17, 20254.RFI Response Deadline2:00 PMThursday, January 8, 20266. GENERAL INFORMATION:6.1. Please note that responding to this RFI is not a prerequisite for responding to any futuresolicitations related to this project and a response to this RFI will not create any contractrights. Responses to this RFI will become property of the State.6.2. The information gathered during this RFI is part of an ongoing procurement. In order toprevent an unfair advantage among potential respondents, the RFI responses will not beavailable until after the completion of evaluation of any responses, proposals, or bidsresulting from a Request for Qualifications, Request for Proposals, Invitation to Bid or otherprocurement method. In the event that the state chooses not to go further in theprocurement process and responses are never evaluated, the responses to theprocurement including the responses to the RFI, will be considered confidential by theState.6.3. The State will not pay for any costs associated with responding to this RFI.6.4. Any services or products proposed in this RFI, must be in compliance with the followingsecurity policy: all State data must remain in the United States, regardless of whether thedata is processed, stored, in-transit, or at rest. Access to State data shall be limited to US-based (onshore) resources only. Configuration or development of software and code ispermitted outside of the United States, however, software applications designed,developed, manufactured, or supplied by persons owned or controlled by, or subject to thejurisdiction or direction of, a foreign adversary, which the U.S. Secretary of Commerceacting pursuant to 15 C.F.R. 7 has defined to include the People's Republic of China,among others are prohibited. Any testing of code outside of the United States must use fakedata. A copy of production data may not be transmitted or used outside the United States.6.5. The State may request demo presentations from select RFI respondents.6.6. Responses should be prepared, with emphasis on completeness and clarity, and shouldNOT exceed twenty-five (25) pages in length. Responses, as well as any reference materialpresented, must be written in English, and must be written on standard 8 ½” x 11” pagesand all text must be at least a 12-point font. All pages must be numbered.7. INFORMATIONAL FORMS:The State is requesting the following information from all interested parties. Please fill out thefollowing forms:RFI #31701-03813TECHNICAL INFORMATIONAL FORM1. RESPONDENT LEGAL ENTITY NAME:2. RESPONDENT CONTACT PERSON:Name, Title:Address:Phone Number:Email:3. Provide a brief description of company background and experience providing similar scope ofsolutions that have been implemented in other states or local governments.3.a. Include descriptions of the experience and challenges in those states and any relevantinformation regarding implementation, integration and customer satisfaction.4. Demonstrate how your solution meets the List of Business Requirements identified in Table 3.1of this RFI, if there is a feature that doesn’t currently meet the requirements, but is indevelopment, or if your solution provides alternative functionality that may yield a similaroutcome.4.a. In your response, identify any developed templates on measuring success, SLAcompliance and security and risk monitoring compliance.5. Provide recommendations or best practices for designing a scalable vendor oversight modelthat can be applied across state agencies into a future statewide solution.6. Provide a proposed overall project timeline to implement a solution that meets therequirements in the State’s List of Business Requirements in Table 3.1, including phases,milestones, and State resource obligations. Please include knowledge transfer, training, andpost-implementation technical support into your timeline.7. Outline your technical roadmap for your solution, which includes information on anticipatedfeatures and support of emerging standards.8. Based on your experience, describe any risks and/or challenges and potential mitigationstrategies that you would advise the State to consider when implementing a vendor riskmanagement solution.9. Is your solution available for purchase through public sector cooperative agreements (NASPO,GSA, etc.)?COST INFORMATIONAL FORM1. Please provide the typical price range for the State to procure all necessary licensing and fullyimplement your solution2. What licenses and/or subscription fees or hosting fees will be needed to build, operate, andmaintain your solution?2.a. Do you offer pricing options such as tiered pricing, usage-based/subscription-based pricing,one-time licensing models?2.b. What insight can you provide into licensing costs and expected increases year-over-year?
- Commodity Codes
-
- NAICS 511210Software Publishers
- NAICS 541511Custom Computer Programming Services
- NAICS 541512Computer Systems Design Services
- NAICS 541519Other Computer Related Services
- NAICS 541611Administrative Management and General Management Consulting Services
* Disclaimer: Government BidHub provides information on bids, RFPs (Requests for Proposals), and RFQs (Requests for Qualifications) solely for convenience and informational purposes. This site is not an official public notice board. For official details, responses, or inquiries, please contact the relevant government agency directly.
Empower Your Bidding Strategy
Unlock Government BidHub's unparalleled access to high-quality, tailored bid information.
- Access an extensive database of bids, including comprehensive local and state opportunities.
- Receive customized alerts for the bids that matter most to your business.
- Explore detailed specifications to ensure precise and competitive submissions.
- Gain a competitive edge with up-to-date information and exclusive opportunities.
See Also
RFQ - Point-of-Sale Hardware ...
Due Date Description Purchasing Contact 7/23/2026 RFQ - Point-of-Sale Hardware & Technology Tina
Tennessee Tech University
Bid Due: 7/23/2026
RFQ - Point-of-Sale Hardware ...
Due Date Description Purchasing Contact 7/23/2026 RFQ - Point-of-Sale Hardware & Technology Cost
Tennessee Tech University
Bid Due: 7/23/2026