Field notes

The annual security-questionnaire cycle, four industries

SaaS, healthcare, defense, finance. How the timing, volume, and question distribution differ across four regulated B2B industries, and why the cycle shape matters for staffing.

By the PursuitAgent research team, filed under Procurement.

The annual security-questionnaire cycle looks very different depending on which industry your buyers sit in. A SaaS vendor selling to tech companies gets a steady stream with a Q4 peak. A healthcare vendor gets a different shape. A defense contractor’s cycle is driven by a government fiscal calendar nobody else uses. A financial-services vendor answers questionnaires that cite regulations none of the others care about.

This post pulls apart four industries. It draws on our own observations working with customers across those industries — a small sample at the company level, with some variation within each industry — plus public regulatory calendars. We cannot publish buyer-level data, and we are not claiming statistical coverage. What we can publish is the aggregated shape we see across the customers we work with, cross-checked against the regulatory calendars. The volume and operational numbers below are directional, not benchmarks.

SaaS selling to SaaS

Volume shape. Steady baseline with a sharp peak in November and a smaller peak in March. The November peak is year-end procurement and new vendor onboarding before the winter freeze. The March peak tracks fiscal-year-start vendor reviews at enterprises on a calendar fiscal year.

Framework distribution. SOC 2-aligned questionnaires dominate. Custom questionnaires that map to SOC 2 make up the plurality; SIG and CAIQ together make up a meaningful secondary share.

Growing categories. AI and LLM usage questions. Supply-chain security. Subprocessor transparency. All three have grown visibly as question categories in recent cycles.

Operational shape. A SaaS vendor at steady volume can typically run a small team of DDQ specialists plus an SME network. Volume is predictable enough to plan against.

Healthcare selling to providers

Volume shape. Bimodal. A spring peak tied to the start of most hospital systems’ fiscal years (July 1 is common in not-for-profit health systems) and a fall peak for calendar-year systems. Volume is often higher per capita than SaaS — a healthcare-IT vendor can receive multiple questionnaires per customer per year as systems cycle through their vendor-risk review calendars.

Framework distribution. HIPAA-aligned questionnaires account for the plurality. HECVAT (Higher Education Community Vendor Assessment Toolkit, used by health systems because the academic medical-center overlap is substantial) shows up often. SOC 2 is still present but less dominant than in pure SaaS.

Distinctive categories. PHI handling, BAA (business associate agreement) terms, minimum necessary access, breach notification timelines tied to the HIPAA 60-day rule. Questions about PHI retention and de-identification practices. Questions about medical-device integration for vendors who touch device data.

Growing categories. AI in clinical decision support. Telehealth expansion questions. Questions about state-level health privacy laws layered on top of HIPAA (Washington My Health My Data Act, state-level genetic privacy laws).

Operational shape. Longer per-questionnaire turnaround than SaaS. The HIPAA-specific content is harder to auto-draft without a healthcare-trained verifier.

Defense and federal contractors

Volume shape. Driven by federal fiscal year, which ends September 30. Peak questionnaire volume is July–September. Very low baseline volume in Q2 of the calendar year.

Framework distribution. Custom questionnaires dominate, but the content clusters around NIST SP 800-171, NIST SP 800-53 (at FedRAMP Moderate or High baselines), CMMC levels, and ITAR/EAR export-control provisions for defense-specific work.

Distinctive categories. CUI (controlled unclassified information) handling. US-person-only staffing attestations. FedRAMP authorization boundary descriptions. CMMC certification level attestations. ITAR-registered status for defense contractors.

Growing categories. CMMC 2.0 rollout questions are expanding rapidly — the program is formally rolling out through 2028 but contractors are getting questions now. Supply-chain provenance (tracking which components in the software bill of materials originated in adversary nations). AI governance tied to the 2023 executive order and its 2024 implementation guidance.

Operational shape. Extremely tight response windows — defense RFPs often have 14-to-21-day turnaround from question-receipt to final submission, and the security-questionnaire portion can be half the document by page count. Staffing ramps hard in July.

Financial services selling to banks

Volume shape. Cycle shape tied to bank regulatory exam cycles rather than buyer fiscal years. Exams happen on rolling schedules; vendor-risk reviews cluster around exam preparation.

Framework distribution. Custom questionnaires dominate almost entirely. Structured frameworks (SOC 2, SIG) show up but most banks supplement with regulator-mandated questions of their own. NY DFS 23 NYCRR 500 is frequently the single most-cited regulation in custom questionnaires from US banks.

Distinctive categories. Separation of duties. Privileged access management with extreme specificity. Outsourcing controls. Model risk management for any vendor providing models or analytics. Questions about third-party oversight depth (“describe how you assess your subprocessors’ own third parties”).

Growing categories. Model risk management around LLMs. Operational resilience (inspired by UK FCA rules bleeding into US bank vendor practice). Quantum-readiness of encryption (not yet mandated but starting to appear).

Operational shape. The longest per-questionnaire turnaround of the four industries we track. The custom-heavy distribution means the auto-answer rate is lower, and the SME network skews toward regulatory-compliance specialists who are expensive and in short supply.

What the cycle differences mean for staffing

Three practical readings.

Peak-staffing is industry-specific. A SaaS vendor should staff up for November. A federal contractor should staff up for July through September. A healthcare vendor with a mix of fiscal-year buyers should plan two smaller peaks rather than one large one. Generic “Q4 is busy” advice is too coarse; the actual peak is industry-dependent.

Tooling tuning is industry-specific. A retrieval system trained entirely on SOC 2 blocks will underperform on HIPAA or CMMC questions. A KB that was built for a SaaS vendor and then inherited by an acquired healthcare-IT team will refuse more auto-answers than it should until the healthcare blocks get written. The 80/20 pillar describes the general shape; the 80/20 is domain-specific in practice.

The tail is growing in all four industries. The fastest-growing question categories — AI/LLM usage, supply-chain provenance, state-level regulatory additions — are all in the 20% that does not yet map cleanly to the existing KB. Teams in all four industries need to be investing in block-authoring throughput, not just auto-answer throughput.

For the industry-cycle detail on the government-specific piece, see the October federal FY clock post. For the healthcare-specific compliance patterns, see healthcare RFP compliance patterns.

Sources

  1. Safe Security — The state of enterprise security questionnaires (2024)
  2. HHS — HIPAA Security Rule summary
  3. FedRAMP — program overview
  4. NY DFS — 23 NYCRR 500 cybersecurity regulation
  5. CMMC — Cybersecurity Maturity Model Certification