Technical Support Service

The Massachusetts Clean Energy Technology Center (MassCEC) is issuing this Request for Proposals (RFP) to solicit bids from qualified vendors to provide Level 1 technical support services and limited Microsoft 365 operational support. MassCEC is transitioning to a governance-led hybrid IT operating model, where MassCEC retains internal IT leadership and employs its own on-site support technician. Under this model, the selected vendor will provide remote Level 1 ticket handling and Microsoft 365 support limited to user access, permissions, and service availability. This RFP does not seek full managed Microsoft 365 services or deep platform configuration.

Eligibility

To be eligible, Applicants must:

  • Demonstrate experience providing managed Microsoft Entra ID (Azure AD) and Microsoft 365 support services.
  • Demonstrate the ability to support public sector, quasi-government, or regulated organizations.
  • Provide references for similar engagements.
  • Maintain staff with appropriate Microsoft certifications and/or demonstrated equivalent experience.
Closed

MassCEC seeks a vendor to act as a Level 1 support provider delivering the following outcomes:

  • Reliable day-to-day Level 1 support for Identity and Microsoft 365 focused on access, permissions, and service availability.
  • Clear governance, accountability, and disciplined change control.
  • Improved security posture through least-privilege administration and auditability.
  • Transparent, unbundled pricing aligned to the defined scope.

This RFP is not seeking deep re-architecture or tenant redesign. The focus is limited to routine operational support, including access and permissions management, user lifecycle tasks, and coordination of Microsoft 365 service availability.

Timeline

  • Release of RFP: April 27, 2026
  • Questions due to MassCEC via email to jhanrahan@masscec.com: May 18, 2026
  • Questions with Answers Posted to MassCEC Website: May 25, 2026
  • Proposals Due: June 5, 2026
  • Interviews of Top Applicants: Week of June 22, 2026
  • Notification of Award: Week of June 29, 2026

Apply

Application Instructions

Applicants must submit the following by the deadline stated in this RFP:

  • Technical Proposal describing approach, staffing, service model, and relevant experience.
  • Security and Access Management approach (least privilege, auditability, and administrative controls).
  • Service Level approach (hours of coverage, response targets, escalation process).
  • Pricing Proposal with unbundled and transparent costs aligned to the Scope of Work.
  • At least three (3) references for comparable engagements.
  • Completed Authorized Applicant’s Signature and Acceptance Form.

Under no circumstances will MassCEC accept responses past the deadline.

Please disclose any use of, or planned use of, generative AI either in responding to this RFP or in carrying out the scope of work if awarded.

Frequently Asked Questions

1. Incumbent Vendor & History

What is the scope, duration, and value of the incumbent contract (if applicable)?

The current contract is finished.

Is the incumbent vendor eligible to respond to this RFP?

Yes, this is an open RFP.

2. Budget & Commercials

What is the estimated or approved budget for this engagement?

This is an open item; we are waiting to receive proposals for the service to establish this number.

3. Service Delivery Model

Will services be delivered onsite, remotely, or via a hybrid model?

The primary delivery model will be remote.

Is there a preference for local (Massachusetts-based) vendors?

Having a presence in Massachusetts is a plus.

Are offshore or non-U.S.–based delivery models permitted?

At the current stage we are willing to receive all proposals.

4. Environment Size & Activity Levels

What is the total number of supported users?

The user base is approximately 150.

How are users distributed (employees, contractors, guest/external accounts)?

Employees.

Are there anticipated increases or decreases in user counts (e.g., due to organizational changes)?

None at this time.

What is the average monthly ticket volume?

Approximately 100 tickets per month.

What is the breakdown of ticket categories (e.g., access, MFA, M365 issues, onboarding/offboarding)?

Tickets span all of these categories.

What volume of onboarding and offboarding activities occurs monthly?

The average number of onboarding and offboarding activities is approximately 2 per month.

5. Microsoft 365 & Identity Environment

What Microsoft 365 license SKUs are currently deployed?

The primary license in use is Microsoft 365 Business Premium.

Is Entra ID P1 or P2 licensing included?

We are primarily P1.

Is the environment cloud-only or hybrid (e.g., Entra Connect with on-premises AD)?

Cloud only.

Who is responsible for managing and procuring Microsoft 365 licenses?

Our CSP.

6. Identity, Security & Access Management

Are Conditional Access policies currently in place?

Yes, there are Conditional Access policies currently in place.

Will the vendor be expected to operate within these policies or recommend changes?

Where applicable, yes.

Is Privileged Identity Management (PIM) in use, and how is administrative access managed (e.g., JIT)?

No, not at this time.

What MFA methods are currently enabled, and is passwordless authentication planned?

The Authenticator app is favored; passwordless authentication is in use.

How are emergency ("break-glass") accounts managed?

Emergency access credentials are stored in a secured password vault.

What are the SLAs for user provisioning and deprovisioning?

3 days.

How does MassCEC define or measure "least privilege administration" and auditability?

MassCEC implements least privilege through:

  • Role-based access control (RBAC)
  • Segregation of administrative duties
  • Group-based authorization using Microsoft Entra ID
  • Conditional Access policies
  • Elimination of global administrative privileges whenever possible

Is MassCEC open to vendor-led security assessments or recommendations?

While we are always open to recommendations, a vendor-led security assessment is out of scope for this RFP.

7. Microsoft 365 Collaboration & Data Protection

How many SharePoint sites, hub sites, and Microsoft 365 Groups are in scope?

  • 350 SharePoint sites
  • 180 groups

Are sensitivity labels and DLP policies currently implemented?

Not at this time.

What is the external sharing posture (anonymous, guest-only, internal-only)?

Guest-only.

Is a backup solution in place (Microsoft-native or third-party)?

There is currently a third-party solution in place.

Will Level 1 support include backup and restore operations?

Yes.

8. Teams Phone & Communications

What Teams Phone deployment model is used (Calling Plan, Direct Routing, Operator Connect)?

Direct routing.

How are auto-attendants, call queues, and resource accounts managed?

Through the phone service provider portal.

Are E911 or dynamic emergency calling policies configured?

E911 policies.

9. Device & Endpoint Management

What endpoint management tools are currently used (e.g., Intune, SCCM)?

Intune is in place.

Who manages Autopilot profiles, Intune configuration, and device provisioning?

This is currently a hybrid between the current MSP and internal resources.

Will the vendor be expected to deploy or distribute devices onsite?

No.

Will MassCEC consider procuring end-user devices through the vendor?

No.

Is there an existing asset management or CMDB system, or is the vendor expected to provide one?

The vendor is not expected to provide this.

Will the vendor be expected to maintain buffer stock or loaner devices?

This will be handled by an internal company resource.

Are mobile devices (phones/tablets) in scope, or only laptops/desktops?

Mobile devices are in scope.

What role will the vendor play in device lifecycle management (provisioning, refresh, disposal)?

The vendor could be seen as part of the lifecycle management along with internal staff.

Who is responsible for device retrieval during offboarding, especially for remote employees?

This will be done with internal staff.

Who is responsible for secure data wipe and certified destruction?

This will be handled by internal staff members.

Is BYOD permitted, and are MDM/MAM-related support activities in scope?

Phones only.

10. Service Management, Ticketing & SLAs

What ticketing/ITSM platform is currently in use?

The current MSP's platform at this time. MassCEC is transitioning to a hybrid model.

Will the vendor operate within MassCEC's platform or provide their own?

TBD.

Will the vendor have full access to configure workflows, queues, and SLA timers?

Yes.

Will MassCEC staff and the vendor operate in a shared system or separate integrated systems?

This is open at this time and the model is developing.

What are the expected response and resolution SLAs by priority level?

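  • P1 Critical: Initial Response Target 15–30 minutes; Resolution Target best effort / business dependent
  • P2 High: Initial Response Target 1 hour; Resolution Target 1 business day target
  • P3 Medium: Initial Response Target 4 business hours; Resolution Target 3 business days target
  • P4 Low: Initial Response Target 1 business day; Resolution Target scheduled / best effort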

Are there defined SLAs/SLOs today, or should the vendor propose them?

See above.

Are there penalties or performance metrics tied to SLA compliance?

Material or repeated failure to meet agreed-upon service levels may be addressed through corrective action planning, vendor review processes, or contractual remedies as appropriate.

Do established escalation and assignment processes exist?

MassCEC does not currently have an officially established escalation process and has relied on the vendor's internal processes.

11. Network Services

Will the vendor be responsible for network monitoring and patch management?

No.

If so, what tools, coverage hours, and patching cadence are expected?

N/A.

12. Governance, Processes & Scope Expansion

Are governance, change control, and operational processes currently established, or is the vendor expected to define and improve them?

MassCEC is currently formalizing governance, operational, and change management processes as part of its ongoing IT maturity efforts.

Beyond the stated Microsoft 365 scope, are additional applications expected to be supported?

No enterprise applications, but there are other applications used by end users that users may reach out for assistance with.

While the RFP is focused on Level 1 support, is there potential future scope for Level 2 or Level 3 services?

While the current RFP is primarily focused on Level 1 support services, MassCEC may consider future expansion into Level 2 and/or Level 3 support capabilities based on organizational needs, vendor performance, and evolving business requirements.

13. Contracting & Administrative Requirements

Must vendors be registered with the Massachusetts Secretary of the Commonwealth prior to proposal submission, or only prior to award?

Vendors are generally expected to comply with all applicable Commonwealth of Massachusetts business registration and legal authorization requirements necessary to conduct business in Massachusetts.

Should past performance references be provided at the company level, or can individual leadership experience be included?

MassCEC prefers references that reflect the experience and performance of the proposing company or organization. However, relevant experience of key personnel and leadership team members may also be included, particularly where those individuals would have significant involvement in the delivery of services under the proposed engagement.

14. Procurement Process & Timeline

Will MassCEC consider extending the proposal submission deadline?

Not at this time.