# MFT Vendor RFP Template

Use this template to compare managed file transfer vendors for regulated file-transfer workflows. Replace every example with your own workflow, owner, deadline, and evidence requirement.

This template is operational guidance. It is not legal advice, not a compliance certification, and not an audit opinion.

## 1. Vendor Identity

- Legal entity:
- Operating region:
- Support timezone:
- Security contact:
- Subprocessors or infrastructure providers:
- Data residency options:
- Incident contact and escalation path:

## 2. Critical Transfer Flow

- Business process:
- Flow owner:
- Counterparty:
- Protocol or storage target:
- Data class:
- File size and frequency:
- Required retention period:
- Audit or review deadline:

## 3. Access And Authentication

- SSO support:
- MFA support:
- Role model:
- Partner access model:
- Emergency access process:
- Access review cadence:
- Exportable evidence required:

## 4. Audit Evidence

Ask each vendor to provide sample evidence for:

- Upload and download events.
- Failed authentication events.
- Approval or rejection events.
- Admin permission changes.
- Retention policy changes.
- Transfer retry and failure handling.
- Export format for auditor review.

## 5. DORA, NIST, And CIS Mapping

For every response, ask which evidence supports:

- DORA ICT risk management.
- DORA ICT third-party risk.
- DORA contractual and exit evidence.
- NIST CSF Govern, Protect, Detect, Respond, Recover.
- CIS access control, data protection, audit log management, and service provider management.

## 6. Exit Path

- How do we export files?
- How do we export logs?
- How long are logs retained after termination?
- Who owns migration support?
- What alternate route keeps the critical workflow running?
- What evidence proves exit readiness?

## 7. Pilot Acceptance Criteria

The pilot should prove one real transfer flow, not a generic demo.

- Flow owner named.
- Counterparty connected.
- Data class recorded.
- Access scoped.
- Audit log export reviewed.
- Incident owner named.
- Exit path documented.
- Evidence pack accepted by security or compliance owner.

## 8. Scoring

Score each vendor from 0 to 3.

- 0: Not answered.
- 1: Marketing answer only.
- 2: Feature exists but evidence is weak.
- 3: Evidence is exportable and usable in a review.

Prioritize vendors that can prove the exact flow you need to defend.