IT managed services contracts run for 3 to 5 years, cover thousands of endpoints, and carry security risk that the MSP frequently underprices. This template makes four things explicit: the SLA tiers the MSP commits to, the security framework they operate against, the support model and on-call structure, and the transition plan. Each one has been a source of post-signature surprise on enough engagements to deserve its own RFP section.
MSP SLAs are easy to write and hard to operate. Most MSPs publish standard SLA tables that look identical across the industry; the differentiator is not the published number but the operational posture behind it. The RFP requirement is to specify the SLA by ticket priority, define the priority taxonomy in operational terms (not adjectives), and require the MSP to disclose the SLA achievement percentage they hit for their existing client base over the past 12 months. Vendors who cannot show the data have not measured it.
| Priority | Definition | First response | Resolution target |
|---|---|---|---|
| P1 (Critical) | Production system down; multiple users affected | 15 min | 4 hours |
| P2 (High) | Major function impaired; workaround painful | 1 hour | 8 hours |
| P3 (Medium) | Minor function impaired; workaround viable | 4 hours | 24 hours |
| P4 (Low) | Cosmetic / request / scheduled change | 1 business day | 5 business days |
Service credits if missed: typically 5 percent of monthly fee per missed P1, 2 percent per missed P2, capped at 25 percent of monthly fee per month. Demand monthly reporting on SLA attainment with raw ticket data accessible to the client, not just the summary number. Reference frameworks: ITIL 4 service management, NIST SP 800-145 for cloud terminology if the MSP includes cloud operations.
MSPs are increasingly the attack vector in supply chain breaches. The 2021 Kaseya / REvil incident remains the canonical example: a single MSP RMM tool compromise affected 1,500 downstream organisations. The RFP requirement is not just that the MSP follows good security practice but that they operate against a recognised framework with auditable evidence.
MSP maps their operating practices to the six NIST CSF functions (Govern, Identify, Protect, Detect, Respond, Recover). They provide a self-assessment scorecard against each function and disclose where they are externally audited vs self-attest. The 2024 update to CSF added Govern as an explicit function; require the MSP's mapping to use the 2.0 version.
Top 18 CIS Controls operationalised across the MSP's tool stack. Particularly important: Control 5 (account management), Control 6 (access control), Control 8 (audit log management). Ask for the MSP's CIS Controls Self-Assessment Tool output for the past 12 months.
The MSP's remote monitoring and management tool is the attack surface that matters most. Ask: which RMM (ConnectWise Automate, NinjaOne, Datto RMM, Atera, etc.), the MFA enforcement on RMM admin access, the privileged-access management for technician credentials, and the most recent vulnerability disclosure response time for their RMM vendor.
MSP carries a SOC 2 Type II report covering the period including the past 6 months minimum. Provided under NDA. Particularly relevant trust service criteria: Security (mandatory), Availability (relevant given the SLA commitments), Confidentiality (relevant given client data access).
MSP's documented IR plan including: detection capability (EDR, SIEM, logs), escalation matrix, customer notification SLA (typically 24 hours for security incidents affecting client data), and the post-incident review process. Plan tested annually (tabletop exercise or full simulation).
Specific to client data and infrastructure managed by the MSP: backup frequency, retention, encryption, off-site copies, and quarterly restore testing. The MSP should restore a sample restore monthly as a routine practice, not just on incident.
Reference documents: NIST CSF 2.0, CIS Controls v8, and CISA on protecting against MSP supply-chain threats.
Every MSP claims a tiered support model. The differentiator is which tickets resolve at L1 vs escalate. A mature MSP resolves 70 percent of tickets at L1; an immature MSP escalates 50 percent or more, which means slower resolution, more handoffs, and higher overall cost. Ask the MSP to disclose their actual L1 resolution percentage from the past 12 months and the distribution of ticket types across tiers.
The model the RFP should anchor on:
Transitioning to a new MSP is high risk. The new MSP does not yet understand your environment; the old MSP has limited motivation to support the handover. A documented transition plan in the RFP avoids the worst-case scenario where the new MSP turns up day one with no documentation and the old MSP has already disabled their accounts.
MSP shadows existing IT operations, conducts environment discovery (Lansweeper or similar tooling deployed), and produces an as-built network and infrastructure document. Old MSP cooperation is required; build a contractual exit-assistance clause into the outgoing contract before issuing the new RFP.
MSP deploys their RMM, MDM, EDR, and backup tooling onto your environment. Old tooling continues to run in parallel. PSA (professional services automation) configured for ticket intake. Initial knowledge-base population from discovery.
Both MSPs receive tickets; new MSP takes increasing share. Daily handover calls. Runbook documentation refined as edge cases surface. Outgoing MSP contractually committed through day 60 (typically a 30-day extension at standard rate).
New MSP takes full responsibility. Old MSP available on a defined consultation basis for previously-undocumented issues, typically at hourly rate. Cutover communication to all internal users on a defined date.
Heightened monitoring of SLA attainment and ticket categorisation. Weekly review meetings between client and new MSP. End-of-period review confirms transition successful or identifies gaps for remediation.
Per endpoint pricing is the cleanest model. $75 to $200 per user or device per month is the typical 2026 range. Variability is driven by inclusion: does the rate cover unlimited tickets or a capped allotment, is after hours included or upcharged, is project work bundled or billed separately. The RFP requirement is a transparent breakdown of what each per endpoint dollar buys.
See the master template at requestforproposaltemplate.com and the broader scoring guidance at RFP Evaluation Criteria.