EXPERT SERIES

RFP TEMPLATE:
ACCESS CONTROL
The IT Pro’s Blueprint for
Writing an Access Control RFP
RFP TEMPLATE: ACCESS CONTROL
The IT Pro’s Blueprint for Writing an Access Control RFP
Writing a request for proposal (RFP) is a complicated endeavor that should leave
no stone unturned, so as to facilitate the best possible outcome from the result-
ing specification. Access control security—identity and visitor management, is a
balancing act between convenience and security. How much is enough and how
much is too much are questions looming in the user’s mind. It’s an interesting
dilemma, as threats increase yet employees and consumers increasingly want
to move to frictionless access control, a phrase becoming synonymous with an
effortless user experience during the act of entering and occupying a space.
As with the other technologies we have been discussing, effective physical secu-
rity requires input by all stakeholders, including security managers, CSOs, CIOs, IT,
facility managers, service providers, consultants, architects, designers and speci-
fiers. If it’s a new building, the earlier all parties come together the better the out-
come. Together, and only in collaborative effort, can the most effective system
come to be—taking into consideration wide-ranging aspects of the facility and its
daily population. There’s the added threat today of data security and cyber crimi-
nals, now included in the long-list of outsiders—and insiders—to be considered.

2 TechDecisions: Expert Series: The IT Pro’s Blueprint for Writing an Access Control RFP www.mytechdecisions.com
There’s also terrorism and the need to protect executives—while at work, home and
travelling. Then there’s critical information security, protecting data, sensitive areas,
laboratories or testing facilities. The list goes on.
The access control solution RFP needs to be a highly detailed document that out-
lines a company’s general requirements, products and expectations for technology
and service. It needs to address the current risk landscape and threats, even those
that may be emerging.
Do your research ahead of time so you can tailor your RFP to your facility. Talk to
other users in similar vertical markets about what kinds of access control solutions
they have deployed and how it fit their needs--or didn’t. There are many different
kinds of access control technologies on the market, but don’t start with hardware.
Think about what you want to accomplish, the challenges or issues you may have
faced previously, or how your company may be changing in the future and what
your system needs to provide in terms of overall security, business operations, intel-
ligence or management safeguards and controls.
In any case, you want expert help from the beginning. Unless the person writing
Access control
your RFP is an expert, you want to make sure you’ve engaged with a qualified con- security—identity and
sultant to talk through your risk profile, help you understand best practices and ulti- visitor management,
mately learn how you can properly apply the right technology in your space.
A proactive plan requires additional deep-dive into your organization, the way
is a balancing act
you do business, your vertical market and other parameters. The potential service between convenience
provider needs as much information as possible to streamline the process and and security. How much
design with your end goal in mind. If you have a healthcare facility, certainly privacy
regulations and compliance take command—as well as providing proper protection
is enough and how much
for pharmaceuticals and emergency rooms. If your business is critical infrastructure, is too much are questions
make sure you and your provider are aware of any rules, regulations or other com- looming in the user’s
pliance and regulatory profiles that must be met.
We’ve assembled a list of open-ended questions that, once answered, will allow
mind. It’s an interesting
your company to address primary areas of consideration in constructing your RFP dilemma, as threats
for an access control project. These questions are an effort to cover the major areas increase yet employees
a provider will need to know in order to form a bid for the service project. Answer-
ing these questions will result in a detailed snapshot of your organization or busi-
and consumers
ness, helping the provider shape the initial and ongoing nature of the bid for the increasingly want to move
project. Be candid, specific and involve other decision makers, stakeholders, secu- to frictionless access
rity officers, personnel and management in the process. But there’s another impor-
tant aspect to this—establishing a relationship with a service provider who will have
control.
the expertise to guide you effectively and maintain a partnership that will address
current and future security concerns and challenges.

Company Background
1. What is our company’s primary business?
2. What’s the mission and company objective? Are we a C Corp., S Corp., LLC, or
privately owned?

3 TechDecisions: Expert Series: The IT Pro’s Blueprint for Writing an Access Control RFP www.mytechdecisions.com
3. What is our company’s geographical area of coverage (local, national or global
business with multiple facilities)?
4. What are the primary services and products our company provides?
5. What is our primary vertical market and other key characteristics of the busi-
ness and our customer base?
6. What are critical details about the physical space(s) in which our business is
conducted?
7. Have we conducted a site survey and security audit?
8. What is our risk, compliance and security posture? What current security poli-
cies and operating standards are in place for physical security?
9. What is the fluency of the employee population—do they frequently work off-
hours or on weekends?
10. What kinds of doors and locks are currently installed and how will they play
into the new specification?
11. What is the landscape of installed systems, including access control, surveil-
lance, intercoms and paging or mass notification solutions?
12. What type of credential(s) are we using (card, badge, PIN, biometrics)? How
many are issued? What type of format are they?
13. What is the current or necessary amount of daily users and what is the poten-
tial for growth in number of users?
14. What is the base of legacy solutions that will be upgraded or replaced and/or
will migration and longer-term strategies be necessary?
15. Will the access control system integrate with intrusion detection, surveillance,
time and attendance or other installed solutions?
16. What access control management software platform manages current solu-
tions and will the new or upgraded system readily integrate?
17. Will turnstiles or other pedestrian barriers be deployed and what is the rate of
through-put we require for unimpeded or desired egress?
18. Will we require reasonable accommodation for the handicapped to ensure
compliance with the Americans with Disabilities Act (ADA)?

4 TechDecisions: Expert Series: The IT Pro’s Blueprint for Writing an Access Control RFP www.mytechdecisions.com
Project Overview
19. What are the most important features and characteristics we are looking for in
our purchase and installation or upgrade of the access control solution?
20. What are our project’s primary objectives and overall what should our access
control solution accomplish?
21. What specifically would be our greatest risk with regards to an access control
breach—what is at stake?
22. What specific threats or recent security incidents have been identified as
a failure or potential failure of the physical security solution and how does
access control play into a remedy for that lapse?
23. Will we require lockdown capability and where specifically?
24. Is real-time communications to the access control system a critical require-
ment and for perimeter doors only and/or interior ones?
25. Are there high-security or classified areas where two-factor authentication
might be required, such as a combination of card, PIN or biometric verification?

Existing Environment
26. What specific brand(s) of access control technology products/systems/ser-
vices have been purchased and deployed in the past if any? Will this RFP
upgrade or incorporate new technology?
27. How many entrances, doors or openings will require access control? The access control
28. How many people need to be processed and at what rate? What is the rate of solution RFP needs to
through-put for each proposed access control location? be a highly detailed
29. What kinds of credentials will we require, such as cards, identification badges
and smartphone apps? What about keypads, PINs or biometrics for multi-factor document that outlines
authentication? a company’s general
30. Will we require logical access control for computers or data centers? requirements, products
31. Will the system be hardwired or wireless? Is the building historical or does the
structure prevent drilling or otherwise necessitate a wireless approach? Will a and expectations for
hybrid system work—hardwired in some locations and wireless in others? technology and service.
32. How is signal penetration in the building and has a wireless signal strength It needs to address the
study been conducted?
33. What is the makeup of our current network system so providers know what current risk landscape and
they need to build around or into? threats, even those that
34. Will the access control solution be IP in nature and how will we want it seg- may be emerging.
mented on the network? Will we build out a separate network?
35. If considering IP, what is the network coverage and has a formal study been
conducted? Do we have IP connectivity drops available where necessary or
will they need to be added?
36. What is the specific configuration of the network? Is it cloud-hosted or on-site
servers? VPN? IPV4 versus IPV6?
37. Will we desire an in house or co-located access control server configuration or
will access control be managed and administered in the cloud?

5 TechDecisions: Expert Series: The IT Pro’s Blueprint for Writing an Access Control RFP www.mytechdecisions.com
38. If a local server, will the servers and access control updates, backup be man-
aged by in-house staff? Or, will a managed services contract be necessary?
39. What kind of history reporting and recordkeeping will we require and will the sys-
tem need to integrate with time and attendance functions for human resources?
40. Will we desire to work with an outside consultant in the deployment and for ongo-
ing execution and management or do we have an employee(s) with expertise to
assess and implement proposed products and services on an ongoing basis?
41. What technical expertise do we have inside the company to help execute the
contract—CSO, CIO, IT technicians, facility executive managers?
42. Have we completed a physical security risk and threat assessment and what
was the date/results?
43. What other compliances and regulations must be addressed and adhered
to specific to our business or vertical market such as HIPPA, Transportation
Worker Identification Credential (TWIC) or PCI?
44. Will the solution meet National Fire Alarm and Signaling Code NFPA 72 and
NFPA 101 Life Safety Code as required for egress?

Service Expectations
45. Will we need to execute a monthly or annual service agreement contract to
maintain the system? Or will this be a project-based bid only?
46. What will we expect from the provider in terms of ongoing service? Will we
require 24/7 managed services or will we do basic programming such as pro-
visioning and creating and deleting access permissions? What parts of the
access control solution will we manage ourselves?
47. Does the potential installation provider offer managed services; what features
are available and what is the approximate monthly cost?
48. Will we require compliance and regulatory assessments and at what intervals?
49. What is our budget, timeline, when the provider can work on the project (after
work hours or during or other constraints, such as in healthcare)?
50. Who is our designated security manager who will be involved in the process
(include the name and title in the RFP)?
51. Will the potential service provider agree to sign a non-disclosure agreement?
52. What is our deadline for responses and what is the contact information for
whom the proposal should be sent to?

We at My TechDecisions understand that writing RFPs is a critical component

of your job but also one of the most dreaded. That is why over the past year,
we have created a series of guides to help define your needs and then actu-
ally write the RFP. These resources cover a total of nineteen different solutions,
including: access control, audio, building control & automation, campus safety,
cloud email, collaboration, communication, cybersecurity, digital signage,
energy management, hardware, interactive whiteboards, networking, projectors,
storage & backup, videoconferencing, video surveillance, video wall and VoIP.
You can see our entire library of RFP resources at: mytechdecisions.com/rfp

6 TechDecisions: Expert Series: The IT Pro’s Blueprint for Writing an Access Control RFP www.mytechdecisions.com