qlows · field notes · Vol. 02 — № 17

A field guide to bid response · On compliance

RFP compliance checklist — 27 items to catch before you submit

27 items, structured by request type. The compliance pass that catches what the writing pass misses — and keeps you out of the disqualification pile before the buyer even reads your prose.

Robin Dauer · Founder, qlows
MAY 16, 2026 · 9 min read
Filed under: Compliance · Checklist · 27 items

Most disqualifications happen before a buyer reads a single sentence of your bid. They happen because a checkbox got missed, a form was wrong, or a signature was on the wrong page. This checklist is the safety net.

We pulled it from analyzing dozens of RFPs across commercial, federal-light, and EU public-sector buyers. Use it as your final pass before submission — or, better, as the spine of your compliance grid from day one.

Want the printable version? Grab the editable template (PDF + DOCX + Google Docs).

01 · What compliance means in an RFP context

Compliance is anything the RFP says you must do, attach, or sign — independent of the actual content of your bid. Two flavors:

  • Mandatory — failure = automatic disqualification. (Insurance, certifications, signatures.)
  • Required-but-soft — failure = points deducted, sometimes a chance to remedy. (Page count, font, section order.)

The list below covers both. If you can check off all 27, your bid is structurally sound — even before the writing has been touched.

02 · Universal items — every RFP

These apply regardless of buyer type.

  1. Cover letter signed by an authorized officer
  2. Vendor information form (legal name, EIN/VAT, address)
  3. Executive summary within page limit
  4. Pricing in the requested currency and tax treatment
  5. Proposal validity period stated and acceptable
  6. References — quantity, recency, and contact details
  7. Insurance certificates within 30 days of bid date
  8. Conflicts of interest disclosure
  9. All required signatures and initials on every required page
  10. File format, file naming, and submission method match the spec

03 · Commercial RFPs

Private-sector buyers — software, services, consulting, managed services. The compliance bar is lower than government, but the contractual scrutiny is higher.

  1. MSA / SOW template acceptance (or redlines documented)
  2. SLAs and penalty clauses acknowledged
  3. Liability cap aligned with the request
  4. Payment terms (NET-30 unless explicitly different)
  5. Data residency commitments (EU / US / region-specific)
  6. Sub-contractor disclosures
  7. Delivery timeline and key milestones

04 · Federal-light RFPs (US)

Sub-federal contracts — state, county, university — and smaller federal task orders. Far easier than full FAR/DFARS compliance, but still demanding around certifications and past performance.

  1. FAR / DFARS clauses incorporated by reference (where applicable)
  2. SAM.gov registration current
  3. Small business / set-aside certifications attached
  4. Past Performance Information Reports (PPIRs) referenced
  5. Section 508 / accessibility compliance statement

05 · EU public-sector RFPs

Tenders published via TED, national e-procurement portals, or framework agreements. Strict on data protection, language, and standardized forms.

  1. GDPR data processing addendum signed
  2. Local content / regional sub-contractor disclosures (where applicable)
  3. ESPD / standard tendering form completed
  4. Tax compliance certificate within validity
  5. Tender language matches required language(s)

06 · Turning the checklist into a compliance matrix

A flat list is fine for a final-pass review. For real bid management, turn each item into a row in a compliance matrix:

  • Item — verbatim from the RFP (don’t paraphrase — it’s how the buyer will check)
  • Status — open / drafted / locked
  • Owner — who’s responsible
  • Evidence — link or reference to the attached document, signed form, or section of the response
  • Last verified — date + by whom

Updated continuously, this matrix becomes the source of truth for “are we ready to submit?”. When every row is locked with evidence, you are.

07 · When to automate the compliance pass

A 100-page RFP has 30-50 mandatory items buried in clauses, appendices, and small print. Doing the extraction by hand takes 4-8 hours. Doing it twice (once at intake, once at submission QA) doubles that.

Automation pays off when:

  • You respond to 4+ RFPs per month
  • Your bids exceed 50 pages on average
  • You’ve been disqualified for compliance once before

qlows extracts the compliance grid automatically and surfaces edge cases for human review. We’re happy to demo on a live RFP — see what your real bid looks like through the grid before you commit to the writing. Book a demo →

08 · FAR clauses + NIST 800-171 deep cuts

US federal-light is one tier. Actual federal contracting (DoD, GSA Schedules, SBIR/STTR, sub-tier prime contracts) is a different category — the compliance surface is regulatory, not just procedural. The checklist above is necessary but not sufficient. Here’s what gets added:

FAR (Federal Acquisition Regulation) clauses that recur

The FAR has 53 parts. You don’t need to know all of them, but four families show up in nearly every federal response and need named handling:

  • FAR 52.204-21 — basic safeguarding of covered contractor information systems. If you handle any government data, this baseline applies. Fifteen controls, all auditable.
  • FAR 52.204-25 — prohibition on Huawei/ZTE/Hytera and similar covered telecom equipment. You attest by representation in SAM.gov; the language still has to appear in your response.
  • FAR 52.219-x — small business set-aside clauses. If the RFP is set aside (8(a), HUBZone, SDVOSB, WOSB), your size and status need to be current in SAM.gov and named in the response, not just inherited from the CCR pull.
  • FAR 52.222-x — labor standards (Service Contract Act, Davis-Bacon, E-Verify requirements). On services contracts these dominate execution risk. Confirm wage determinations against DOL before pricing the bid.

NIST 800-171 — the CMMC bridge

If the RFP references DFARS 252.204-7012, you’re in NIST 800-171 territory. 110 security controls across 14 families. Three execution-tier signals:

  • A current System Security Plan (SSP) — required documentation, not just an attestation
  • A Plan of Action & Milestones (POA&M) for any controls not fully implemented — partial maturity is acceptable, partial documentation is not
  • SPRS score posted within 12 months — many primes won’t consider subs without one

CMMC adds third-party assessment on top. If the RFP names CMMC Level 2, the response either certifies an existing C3PAO assessment or commits to one with a credible date. Hand-waving here is grounds for elimination.

Section 508 accessibility

Often missed in non-IT bids: any deliverable that includes an electronic document or interface needs Section 508 conformance. WCAG 2.1 AA is the operational standard. Add a one-paragraph statement of conformance to the response and a path-to-conformance for new deliverables.

09 · EU specifics — CPV, ESPD, GDPR

EU public procurement runs on the Directives (2014/24/EU and the procurement code descendants in each member state). What that means operationally — three artifacts that show up on every bid above threshold:

CPV codes (Common Procurement Vocabulary)

Every notice on TED carries one or more CPV codes — eight digits identifying what’s being procured. Match your response’s positioning to the CPV code, not just the plain-English title. Buyers can search vendor histories by CPV; your past-performance summary should call out prior contracts under the same code where they exist.

ESPD (European Single Procurement Document)

Self-declaration that you meet eligibility (no bankruptcy, no criminal convictions in the firm, tax/social security current). Filed at bid time. The buyer can ask for evidence on the winning bid only — but the declaration commits you to producing it. Don’t over-declare capabilities you can’t evidence; ESPD inconsistency is grounds for elimination at evaluation.

GDPR — data processing in the SOW

If the engagement processes personal data of EU residents, the bid needs a named data-processing posture: roles (controller/processor/sub-processor), legal basis, transfer mechanism (SCCs, adequacy decision), retention, sub-processor list, and DPIA-triggering criteria. A Data Processing Agreement annex is increasingly expected pre-contract, not post-award. Have a template ready.

Country-level overlays

Germany, France, and Spain layer national rules on top of EU Directives. France’s BOAMP requires specific dossier formats. Germany’s VgV has named exclusion grounds. Spain’s LCSP has detailed local-content provisions. Read the country guide for the buyer’s jurisdiction before you respond — generic EU responses read as outsider responses.

10 · Healthcare frameworks — HIPAA, MHRA, clinical safety

Healthcare RFPs and tenders are their own compliance domain. The procurement document might be 60 pages; the regulatory subtext is twice that. Three layers to handle explicitly:

Data residency and patient privacy

US healthcare engagements default to HIPAA — BAA in place before any PHI touches the engagement, audit logs, breach-notification protocols. UK and EU engagements add GDPR special-category-data rules: explicit basis, enhanced DPIA, often a requirement that data never leaves national jurisdiction. The bid response needs to name the basis and the transfer mechanism specifically — “we comply with applicable regulations” doesn’t score.

Clinical-safety case (UK NHS, MHRA)

UK NHS contracts increasingly require DCB 0129 (clinical safety case for the manufacturer) and DCB 0160 (deployment safety case for the deployer). Even non-clinical IT bids touching patient pathways need a Clinical Safety Officer named and a hazard log opened pre-contract. EU MDR/IVDR applies to anything classed as a medical device — software included.

Evidence packs vs claims

Healthcare buyers — public and private — have learned to treat unsupported claims with suspicion. The response that attaches the SOC 2 Type II report, the ISO 27001 certificate, the Cyber Essentials Plus attestation, and the most recent penetration-test summary as appendices beats the equivalent response that asserts the same in prose. Build the evidence pack once; reuse on every healthcare bid.

11 · Compliance failure modes

Even teams with strong checklists fail compliance. Three patterns recur:

The version-drift failure

The cover letter, the executive summary, the SOW response, and the pricing schedule each name a slightly different contract title or RFP number — because they were drafted over different days from slightly different templates. Buyers notice. A central document-control row in the compliance matrix (one row, one value, every artifact inherits it) prevents this.

The implicit-requirement miss

The RFP says “all responses must include three references” on page 12 and “each reference must be from within the past five years” on page 47. The team meets the first requirement and misses the second. Implicit and cross-referenced requirements are where most compliance failures live. The compliance grid should flag the cross-references explicitly, not just the standalone shalls.

The signature-and-date failure

The submission has every required form except one — the authority-to-sign attestation, the conflict-of-interest declaration, the cyber-incident-reporting acknowledgment. One missing signature can disqualify an otherwise winning bid. The compliance matrix’s “owner + evidence + last verified” row structure is designed specifically to catch this — every form has a row, every row has an owner, no row goes to submission without evidence.
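The matrix from section 06 and the three failure modes above can be expressed as mechanical checks. The following is an added example, not qlows code: each checklist item is a row with the fields the post names (item, status, owner, evidence, last verified), a row can declare which other rows it cross-references (the page-12 / page-47 case), and a single document-control record is compared against every artifact to catch version drift. The row ids, the 30-day re-verification window, the `depends_on` field and the sample rows are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

STALE_AFTER = timedelta(days=30)   # assumed re-verification window


@dataclass
class Row:
    """One requirement in the compliance matrix (field names are assumptions)."""
    id: str
    item: str                        # verbatim from the RFP, not paraphrased
    status: str                      # "open" | "drafted" | "locked"
    owner: str
    evidence: str = ""               # link or reference to the attached artifact
    last_verified: Optional[date] = None
    verified_by: str = ""
    depends_on: tuple = ()           # ids of cross-referenced requirements


def row_issues(row: Row, today: date) -> list:
    """Signature-and-date failure: every row needs owner, evidence and a fresh verification."""
    issues = []
    if row.status != "locked":
        issues.append(f"{row.id}: status is '{row.status}', not locked")
    if not row.owner:
        issues.append(f"{row.id}: no owner")
    if not row.evidence:
        issues.append(f"{row.id}: no evidence attached")
    if row.last_verified is None:
        issues.append(f"{row.id}: never verified")
    elif today - row.last_verified > STALE_AFTER:
        issues.append(f"{row.id}: last verified {row.last_verified}, stale")
    return issues


def cross_reference_issues(rows: list) -> list:
    """Implicit-requirement miss: a row is only satisfied if every row it depends on is locked."""
    by_id = {r.id: r for r in rows}
    issues = []
    for r in rows:
        for dep in r.depends_on:
            if dep not in by_id:
                issues.append(f"{r.id}: cross-referenced requirement {dep} has no row in the matrix")
            elif by_id[dep].status != "locked":
                issues.append(f"{r.id}: depends on {dep}, which is not locked")
    return issues


def version_drift(control: dict, artifacts: dict) -> list:
    """Version-drift failure: every artifact must carry the document-control values verbatim."""
    issues = []
    for name, fields in artifacts.items():
        for key, expected in control.items():
            actual = fields.get(key)
            if actual != expected:
                issues.append(f"{name}: {key} is {actual!r}, document control says {expected!r}")
    return issues


def submission_check(rows: list, control: dict, artifacts: dict, today: date):
    """Answer 'are we ready to submit?': True only when no check reports an issue."""
    issues = []
    for r in rows:
        issues.extend(row_issues(r, today))
    issues.extend(cross_reference_issues(rows))
    issues.extend(version_drift(control, artifacts))
    return (not issues, issues)


# --- constructed sample data (not from any real RFP) -------------------------
TODAY = date(2026, 5, 16)
CONTROL = {"rfp_number": "RFP-2026-0417", "contract_title": "Managed Security Monitoring Services"}
ARTIFACTS = {
    "cover_letter":     {"rfp_number": "RFP-2026-0417", "contract_title": "Managed Security Monitoring Services"},
    "pricing_schedule": {"rfp_number": "RFP-2026-0471", "contract_title": "Managed Security Monitoring Services"},
}
ROWS = [
    Row("U-07", "Insurance certificates within 30 days of bid date", "locked", "ops",
        "appendix-C/coi.pdf", date(2026, 5, 10), "r.d."),
    Row("U-02", "Vendor information form", "locked", "ops",
        "appendix-A/vendor-form.pdf", date(2026, 3, 30), "r.d."),          # verified too long ago
    Row("U-06", "All responses must include three references", "locked", "sales",
        "section-5/references.docx", date(2026, 5, 12), "r.d.", depends_on=("U-06b",)),
    Row("U-06b", "Each reference must be from within the past five years", "drafted", "sales"),
    Row("U-09", "Authority-to-sign attestation signed", "drafted", ""),
]

if __name__ == "__main__":
    ready, found = submission_check(ROWS, CONTROL, ARTIFACTS, TODAY)
    print("ready to submit:", ready)
    for line in found:
        print(" -", line)
```

Run as-is, the sample matrix is not ready: the page-47 qualifier row is still drafted so the references row cannot count as satisfied, the attestation row has no owner or evidence, the vendor form was verified outside the window, and the pricing schedule carries a transposed RFP number. Each of those is an administrative miss of the kind the three failure modes describe, and each surfaces as its own line rather than being discovered by the buyer.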

The compliance grid isn’t about scoring more points; it’s about not losing the bid for an administrative miss. Get the grid right and you’re in the evaluation. Get it wrong and you’re not — no matter how good the prose is.

Try qlows on a real RFP

Bring the bid you’re prepping next week — we’ll show you the prep, not pitch the product.

Currently in private beta. We set up a real workspace with your real RFP — twenty minutes, no slides.
