Request for Proposal (RFP) for IT Asset Disposition (ITAD) services

Posted on Mar 3rd, 2025

Creating a comprehensive Request for Proposal (RFP) for IT Asset Disposition (ITAD) services is crucial for organizations seeking to securely and efficiently manage the retirement of their IT assets. A well-structured RFP clarifies your company’s unique needs and ensures potential vendors can provide tailored solutions that align with your objectives.

Understanding IT Asset Disposition (ITAD) Services

IT Asset Disposition involves the processes required to responsibly retire outdated or unwanted IT equipment such as computers, phones, storage drives, and other office electronics. These devices often contain sensitive data, so these services should ensure compliance with stringent environmental and data security regulations. Partnering with a qualified ITAD provider helps mitigate risks associated with data breaches and environmental liabilities. Read on to learn more about what to ask in an RFP for ITAD Services.

Key Components of an ITAD RFP

  1. Introduction and Company Overview:
    • Purpose of the RFP: Clearly state the objective of the ITAD services needed.
    • Company Background: Provide insights into your organization’s size, industry, and IT infrastructure to help vendors understand your needs.
  2. Scope of Work:
    • Services Required: Detail the ITAD services you need, such as data destruction, asset remarketing, recycling, and reporting.
    • Volume and Types of Assets: Specify the quantity and categories of IT assets to be disposed of, including computers, servers, mobile devices, etc.
  3. Vendor Qualifications: E-waste companies have caused horrific environmental disasters. When fly-by-night companies struggle financially, they have been known to cut corners, resulting in Superfund sites and data breaches. Examples include subcontracting to the lowest-cost downstream vendors and failure to follow strict security procedures. We recommend checking:
    • Experience and Expertise: Request information on the vendor’s history in IT asset disposition services and their expertise in handling similar projects.
      • Does the vendor have a Certified Secure Destruction Specialist® (CSDS®) on staff?
      • Are they committed to continuous improvement and innovation in their services? 
      • Are they willing to share high-level reports on financial stability?
      • How long has the company been in business?
    • Certifications: Does the vendor hold relevant certifications, such as:
      • R2v3 Environmental Compliance: Ensure the vendor follows environmentally responsible recycling methods and has certification from R2v3. This certification requires the vendor to have an Agreement for Responsible Disposal of Sensitive Materials for all downstream vendors.
      • Mobile and Plant-based NAID AAA certification: NAID is a third-party association that provides unannounced audits annually to validate media sanitization companies’ security processes and compliance. The vendor should have NAID certification (not just membership in i-SIGMA).
      • Defense Logistics Agency (DLA): Program managers should require a disposition vendor to be certified by the DLA to transport military critical data. This vetting process helps protect data during transport to minimize data breach risk. The program manager should also confirm that the disposition vendor’s certification is current and has not expired.
      • Department of Transportation: Is the vendor certified to transport e-waste materials?
      • Additional certifications: ISO 14001 (environmental), ISO 9001 (QMS), and ISO 45001 (safety) certifications.
      • Is the vendor a GSA contract holder?
    • Compliance: Different compliance standards may apply depending on the client industry. Make sure your vendor ensures your compliance with whichever applies to you.
      • Compliance standards that relate to all industries include: NIST 800-88, OSHA, the FACTA Disposal Rule, the Identity Theft and Assumption Deterrence Act, the US Safe Harbor Provisions, the PCI Data Security Standard, and the Basel Action Network.
      • Compliance standards that relate to healthcare companies: HIPAA, HITECH, FDA Security Regulations (21 C.F.R. part 11).
      • Compliance standards that apply to Financial Services Companies: The Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, the Bank Secrecy Act, and the Patriot Act of 2022.
      • Compliance standards that apply to government agencies or contractors: NISPOM 32 CFR Part 117 (which has replaced DoD 5220.22-M) data sanitization, DFARS, NIST SP 800-171 (Requirement 3.8.3), CMMC 2.0, and GSA Bulletin FMR B-34 e-waste standards. Certificates of Destruction are provided as critical proof for DCMA DIBCAC audits and cybersecurity risk mitigation efforts.
    • Service Capabilities: Does the vendor cover the regions where your company operates? Do they offer both on-site and off-site data destruction and asset disposal? Is the vendor capable of scaling the service to handle large volumes? Does the vendor have logistics and transportation capabilities for asset collection needs? Are Secure Storm Cases or lockable bins available for safe asset collection and storage?
    • Customer Service: Is customer support available and responsive? Will you be assigned a dedicated project manager? Can site visits be arranged to determine logistical and security requirements?
  4. Data Security Measures:
    • Data Destruction Methods: Inquire about the processes to ensure complete data erasure or destruction. Are the methods used up to strict NSA standards? Are certifications and compliance standards met and/or exceeded (see above)? Does the vendor stay current with the most technologically advanced methods of destruction? How much experience does the vendor have with classified, CUI, or other federal government data?
      • Software Wiping – Is wiping done with certified data erasure software?
      • Shredding – Is shredding available for various devices and drives, both on-site and off-site?
      • Degaussing – Does the vendor have NSA-approved degaussing equipment? Can mass quantities of media be degaussed quickly?
      • Disintegration – Is the vendor able to disintegrate to an NSA-approved 2mm?
      • Incineration – Is incineration available for SAP Classified Data?
      • Mobile – Are all data destruction methods available at the client site?
    • Chain of Custody: Seek details on how the vendor secures the handling and tracking of assets from collection to final disposition.
    • Employees: Are employees pre-screened and given background checks with fingerprints and drug testing? Is there intense and ongoing employee security training?
  5. Reporting and Documentation:
    • Detailed and Timely Reporting: Does the vendor measure the timeliness of inventory reporting, and do reference checks validate their metrics?
    • Accurate Reporting: Can the vendor prove scanning accuracy of more than 99% and demonstrate a methodology to correct errors?
    • Weight and LEED Reporting: Does the vendor provide weight and LEED Reporting?
    • Double Check: Does the vendor provide a two-step verification of captured data?
    • Audit Trail: Does the vendor provide a comprehensive audit trail for all processed assets?
    • Client Portal: Does the vendor provide a client portal for access to inventory reporting, allowing for search by variables such as serial numbers, asset tags, etc.? Does the portal support single sign-on?
    • ITAM Integration: Does your organization require integration with an IT Asset Management system like ServiceNow?
    • Certificate of Destruction: Does the vendor provide a Certificate of Destruction that verifies data destruction and environmentally compliant recycling?
    • Detailed Reporting: Ensure you receive comprehensive reports outlining each asset’s disposition process and outcomes.
  6. Service Level Agreements (SLAs):
    • Performance Metrics: Define the expected service levels, including timelines for asset pickup, data destruction, accuracy, and reporting.
  7. Pricing Structure:
    • Cost Breakdown: Request a detailed pricing model, including any fees for transportation, data destruction, and other services.
    • Value Recovery: Inquire about the vendor’s approach to asset remarketing and how recovered value is shared. Evaluate your vendor’s market reach and ability to sell refurbished assets. When assessing value recovery, be sure the ITAD vendor is an experienced NAID AAA and R2v3 certified ITAD service provider who can ensure proper data sanitization and recycling. Ask about the vendor’s capabilities to repair or refurbish sanitized assets to maximize value and minimize e-waste.
  8. References and Testimonials:
    • Client Testimonials: Check reliable sources such as Gartner reviews for references from previous clients, particularly those in similar industries or with comparable project scopes.
    • Interview References: Develop a list of questions in advance, such as those about accuracy, security, volumes, security procedures, etc.
  9. Site Visits or Trial Runs:
    • Conduct a site visit to the vendor facility or schedule a trial project and have your team audit the vendor’s work.

Best Practices for Developing Your ITAD RFP

  • Be Specific: Clearly articulate your requirements to enable vendors to provide precise and relevant proposals.
  • Encourage Transparency: Seek openness from vendors regarding their processes, certifications, and any potential subcontractors involved.
  • Evaluate Sustainability: Consider vendors’ commitments to environmental sustainability and how their practices align with your company’s green initiatives.
  • Assess Flexibility: Determine the vendor’s ability to scale services and adapt to your organization’s evolving needs.

By meticulously crafting your IT asset disposition RFP with these components and best practices, your company can identify a partner that meets your technical and security requirements and aligns with your organizational values and goals. This strategic approach ensures a successful IT asset disposition process, safeguarding data and contributing to environmental sustainability.