Vendor Risk Management Software

Location: Tennessee
Posted: Nov 20, 2025
Due: Jan 8, 2026
Agency: State Government of Tennessee
Type of Government: State & Local
Category:
  • 70 - General Purpose Information Technology Equipment (including software).
  • D - Automatic Data Processing and Telecommunication Services
Solicitation No: RFI 31701-03813
Document ID & Hyperlink: RFI 31701-03813
Event Start - Response Due: 11/20/2025 - 01/08/2026
Event Name: Vendor Risk Management Software

Attachment Preview

STATE OF TENNESSEE
Department of Finance & Administration, Strategic Technology Solutions
REQUEST FOR INFORMATION
FOR
Vendor Risk Management Software
RFI # 31701-03813
Thursday, November 20, 2025
1. STATEMENT OF PURPOSE:
The State of Tennessee, Department of Finance & Administration, Strategic Technology
Solutions (“State” or “STS”) issues this Request for Information (“RFI”) for the purpose of
identifying a vendor risk management software platform that can support the full lifecycle of third-
party risk management. We appreciate your input and participation in this process.
2. BACKGROUND:
The purpose of this Request for Information (RFI) is to gather detailed information from qualified
vendors regarding Vendor Risk Management (VRM) solutions. Strategic Technology Solutions is
seeking to identify a platform that can support the full lifecycle of third-party risk management—
from vendor onboarding and due diligence to continuous monitoring, compliance management,
and offboarding. This RFI is intended to inform our understanding of the current capabilities
available in the market, assess alignment with our operational and regulatory requirements, and
guide future procurement decisions.
We invite vendors to provide comprehensive responses that outline their solution’s functionality,
technical architecture, integration capabilities, support services, and pricing models.
3. PROPOSED SOLUTION(S): The State is seeking information on software solutions and
capabilities that currently exist from qualified vendors for a vendor risk management platform.
Table 3.1 below represents the State’s List of Business Requirements for which the vendor
should provide proposed solutions in their response. In accordance with Section 7. Informational
Forms, Technical Information Form Question 4, please demonstrate in your response how your
solution meets our requirements, if there is a feature that doesn’t currently meet the
requirements, but is in development, or if your solution provides alternative functionality that may
yield a similar outcome.
Table 3.1: List of Business Requirements
NO. | Requirement Description | Your Solution Response
1. Vendor Onboarding & Due Diligence
1.a. Support automated onboarding workflows for new vendors
1.b. Allow for customizable due diligence questionnaires
1.c. Support risk tiering based on vendor criticality, data access, and service type
1.d. Allows for different processes and questionnaires depending on risk tier/agency/group
2. Risk Assessment & Scoring
2.a. Provide configurable risk assessment templates aligned with industry standards (e.g., NIST, ISO 27001, SIG)
2.b. Support multi-dimensional risk scoring (e.g., cybersecurity, financial, operational, compliance)
2.c. Allow for visual representation of risk (e.g., heatmaps, dashboards)
3. Continuous Monitoring
3.a. Support all-source monitoring of vendor risk posture, pulling data from multiple sources to continuously evaluate our vendors
3.b. Generate alerts for changes in vendor risk status or known incidents
4. Contract & SLA Management
4.a. Provide a centralized repository for vendor contracts and SLAs
4.b. Support tracking of SLA compliance and flagging of violations
4.c. Link risk assessments to contractual obligations
4.d. Structured vendor oversight functionality that enables collaboration between separate divisions utilizing workflows with assigned responsibility tracking
5. Workflow Automation
5.a. Support automated and customizable workflows for approvals, reassessments, and remediation
5.b. Allow task assignments and tracking for internal and external stakeholders
5.c. Maintain an auditable history of all actions and decisions
6. Regulatory Compliance
6.a. Map vendor controls to regulatory frameworks (e.g., NIST, ISO, GDPR, HIPAA, SOX)
6.b. Support evidence collection and audit reporting
6.c. Provide compliance dashboards and reporting tools for ongoing contract monitoring
6.d. Demonstrate ADA accessibility compliance (WCAG 2.1 AA)
7. Reporting & Dashboards
7.a. Offer customizable dashboards for different user roles (e.g., executives, risk managers)
7.b. Support exportable reports (PDF, Excel) and scheduled reporting
7.c. Allow filtering and segmentation by vendor, risk level, department, etc.
8. Integration Capabilities
8.a. Provide APIs for data exchange & automation
8.b. Support single sign-on (SSO) and role-based access control
9. Vendor Offboarding
9.a. Support secure offboarding workflows, including access termination
9.b. Archive vendor risk history and documentation
9.c. Trigger compliance and data retention checklists during offboarding
10. Pre/Post-Engagement Due Diligence
Manage requests to vendors for security requirement validation documentation such as:
10.a. System configuration requirements
10.b. Required annual security documentation (i.e. SOC 2 Type II reports, Disaster Response and Business Continuity Plans, Cyber Incident Response Plan, FedRAMP Certification, Third-Party Penetration Testing Report and Attestations, Vulnerability Scan Schedules, Media Sanitization Policy and Procedures, Attestation Statements, GovRAMP, CJIS)
10.c. Includes an automated process for vendors to complete portal forms and upload new certifications, reports and attestations annually with system-generated notifications for missing or expired certifications
10.d. Vendors that are out of compliance are flagged for review
11. Enterprise Licensing
11.a. Ability for multiple state agencies to use the solution under one master account and the creation of subaccounts for each agency to manage their vendors
11.b. Support account scalability
4. COMMUNICATIONS:
4.1. Please submit your questions and response to this RFI to:
Shannon Keefe, Contract Specialist
Finance and Administration, Strategic Technology Solutions
901 Rep. John Lewis Way North, Nashville, TN 37243
(615) 350-4244
Shannon.Keefe@tn.gov
4.2. Please reference RFI # 31701-03813 with all communications to this RFI.
4.3. Please limit all questions to one submission per vendor.
5. RFI SCHEDULE OF EVENTS:
EVENT | TIME (Central Time Zone) | DATE (all dates are State business days)
1. RFI Issued | -- | Thursday, November 20, 2025
2. Written Questions & Comments Deadline | 2:00 PM | Tuesday, December 9, 2025
3. State Response to Written Questions & Comments | -- | Wednesday, December 17, 2025
4. RFI Response Deadline | 2:00 PM | Thursday, January 8, 2026
6. GENERAL INFORMATION:
6.1. Please note that responding to this RFI is not a prerequisite for responding to any future
solicitations related to this project and a response to this RFI will not create any contract
rights. Responses to this RFI will become property of the State.
6.2. The information gathered during this RFI is part of an ongoing procurement. In order to
prevent an unfair advantage among potential respondents, the RFI responses will not be
available until after the completion of evaluation of any responses, proposals, or bids
resulting from a Request for Qualifications, Request for Proposals, Invitation to Bid or other
procurement method. In the event that the state chooses not to go further in the
procurement process and responses are never evaluated, the responses to the
procurement including the responses to the RFI, will be considered confidential by the
State.
6.3. The State will not pay for any costs associated with responding to this RFI.
6.4. Any services or products proposed in this RFI must be in compliance with the following
security policy: all State data must remain in the United States, regardless of whether the
data is processed, stored, in transit, or at rest. Access to State data shall be limited to US-
based (onshore) resources only. Configuration or development of software and code is
permitted outside of the United States; however, software applications designed,
developed, manufactured, or supplied by persons owned or controlled by, or subject to the
jurisdiction or direction of, a foreign adversary, which the U.S. Secretary of Commerce
acting pursuant to 15 C.F.R. 7 has defined to include the People's Republic of China,
among others, are prohibited. Any testing of code outside of the United States must use fake
data. A copy of production data may not be transmitted or used outside the United States.
6.5. The State may request demo presentations from select RFI respondents.
6.6. Responses should be prepared, with emphasis on completeness and clarity, and should
NOT exceed twenty-five (25) pages in length. Responses, as well as any reference material
presented, must be written in English, and must be written on standard 8 ½” x 11” pages
and all text must be at least a 12-point font. All pages must be numbered.
7. INFORMATIONAL FORMS:
The State is requesting the following information from all interested parties. Please fill out the
following forms:
RFI #31701-03813
TECHNICAL INFORMATIONAL FORM
1. RESPONDENT LEGAL ENTITY NAME:
2. RESPONDENT CONTACT PERSON:
Name, Title:
Address:
Phone Number:
Email:
3. Provide a brief description of company background and experience providing similar scope of
solutions that have been implemented in other states or local governments.
3.a. Include descriptions of the experience and challenges in those states and any relevant
information regarding implementation, integration and customer satisfaction.
4. Demonstrate how your solution meets the List of Business Requirements identified in Table 3.1
of this RFI, if there is a feature that doesn’t currently meet the requirements, but is in
development, or if your solution provides alternative functionality that may yield a similar
outcome.
4.a. In your response, identify any developed templates on measuring success, SLA
compliance and security and risk monitoring compliance.
5. Provide recommendations or best practices for designing a scalable vendor oversight model
that can be applied across state agencies into a future statewide solution.
6. Provide a proposed overall project timeline to implement a solution that meets the
requirements in the State’s List of Business Requirements in Table 3.1, including phases,
milestones, and State resource obligations. Please include knowledge transfer, training, and
post-implementation technical support into your timeline.
7. Outline your technical roadmap for your solution, which includes information on anticipated
features and support of emerging standards.
8. Based on your experience, describe any risks and/or challenges and potential mitigation
strategies that you would advise the State to consider when implementing a vendor risk
management solution.
9. Is your solution available for purchase through public sector cooperative agreements (NASPO,
GSA, etc.)?
COST INFORMATIONAL FORM
1. Please provide the typical price range for the State to procure all necessary licensing and fully
implement your solution.
2. What licenses and/or subscription fees or hosting fees will be needed to build, operate, and
maintain your solution?
2.a. Do you offer pricing options such as tiered pricing, usage-based/subscription-based pricing,
one-time licensing models?
2.b. What insight can you provide into licensing costs and expected increases year-over-year?