Blog · Pillar
Procurement.
48 posts in this archive.
The evidence vault, a year in: attestations, tests, audits
What lives in the evidence vault, what expires, and the alerting that catches expirations before a DDQ cites a stale attestation.
April DDQ patterns, a year later
A field note on the questionnaires that landed this week — what's repeating from last April, what's new, and the two categories that are quietly eating the most response time.
DDQ season is now year-round
In 2025 the DDQ volume showed a clear seasonal peak — Q4 renewal cycles, January onboarding. A year later the seasonality has flattened. What changed and what it means for capacity planning.
Vendor risk management, patterns we see on the procurement side
A cross-cut of roughly 200 DDQs from the last six months — the fields that repeat, the fields that vary, and what the repetition tells us about how vendor risk teams actually operate.
A 2026 map of enterprise procurement platforms
Coupa, Ariba, Workday, Ivalua, GEP, and the newer entrants. Where AI shows up in each platform's RFP workflow, what's real, what's marketing, and what it means for vendors who have to respond through these systems.
DDQs from non-US buyers are shaped differently
A field note on three field-level differences between US, UK/EU, and APAC DDQs. Different privacy regimes, different data-residency framings, different evidence conventions. Small shifts that bite if you answer them on autopilot.
The DDQ evidence-provenance API
External auditors can now walk from a DDQ answer back to the source evidence without opening the KB. The endpoints, the auth model, and what we hardened before shipping.
A cross-cut of 30 municipal RFPs
Patterns in sub-state procurement across 30 municipal RFPs posted in Q4 2025. Where buyer-side guidance is catching up to federal norms, where it's still behind, and what the data says for a vendor deciding whether to chase this tier.
The weekly DDQ evidence-freshness sweep
A 20-minute weekly routine that catches stale evidence links before a reviewer does. What the sweep covers, what it skips, and why we recommend it for teams that answer more than one DDQ a month.
Civic RFP transparency trends, state by state
We scored 50 state procurement portals on five transparency criteria — addenda visibility, debrief access, vendor Q&A publication, awarded-vendor disclosure, and data-portability. Wide variance, four leaders, and a long tail.
DORA compliance showing up in DDQs
The EU's Digital Operational Resilience Act shows up in a visible fraction of recent DDQs. What the regulation asks for, what buyers actually want, and how to structure the response without inventing posture.
Federal spending cycles, 2025 to 2026
Continuing resolutions, shutdowns, reopenings. How the federal fiscal calendar actually shapes RFP cadence, and what proposal functions that touch federal work should plan for through mid-2026.
RFIs and RFPs are distinct work
Why treating an RFI like an early draft of an RFP response loses the relationship. RFIs are informational for the buyer, not a preview of evaluation. Respond to them as such.
Procurement budget forecasts for 2026
An early read on federal, state, and enterprise procurement budgets for 2026. Where the RFP dollars are moving, what categories are expanding, and what that implies for the proposal teams covering them.
The security-questionnaire closeout list
Ten fields security teams should confirm before signing off on a DDQ. A single-page closeout checklist, written for the person whose name goes on the submission and whose audit exposure is real.
The DDQ evidence-gap audit before year-end
A 60-minute audit that surfaces the DDQ answers you can no longer support with current evidence. Run it before the auditor in February asks. The answers that survive the audit are the ones worth keeping in the library.
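The freshness sweep and the year-end evidence-gap audit described above both reduce to the same check: walk every DDQ answer, follow each evidence citation into the vault, and flag anything missing, expired, or about to expire. The following is an added example, not code from the original page or product. It assumes a hypothetical vault model (items with an id, a kind, an issue date and an optional explicit expiry) and answers that cite vault items by id; the validity windows and all sample data are constructed for the demo.

```python
"""Weekly evidence-freshness sweep over a DDQ answer library.

Added example, not code from the original page or product. It assumes a
hypothetical evidence vault (items with an id, a kind, an issue date and an
optional explicit expiry) and DDQ answers that cite vault items by id; the
validity windows and the sample data below are constructed for the demo.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed default validity per evidence kind. Real terms come from the
# attestation itself (a SOC 2 Type II covers its audit period, a cert has a
# printed expiry), so an explicit `expires` always wins in Evidence.expiry().
VALIDITY_DAYS = {"soc2_type2": 365, "pen_test": 365, "iso27001_cert": 3 * 365, "bcp_test": 365}


@dataclass(frozen=True)
class Evidence:
    evidence_id: str
    kind: str
    issued: date
    expires: Optional[date] = None

    def expiry(self) -> date:
        if self.expires is not None:
            return self.expires
        return self.issued + timedelta(days=VALIDITY_DAYS[self.kind])


@dataclass(frozen=True)
class Answer:
    question_id: str
    cites: Tuple[str, ...]


@dataclass(frozen=True)
class Finding:
    question_id: str
    evidence_id: str
    status: str                    # "missing", "expired" or "expiring"
    days_left: Optional[int] = None


def sweep(answers: List[Answer], vault: List[Evidence], today: date,
          warn_days: int = 60) -> List[Finding]:
    """One Finding per (answer, citation) whose evidence is absent from the
    vault, already expired, or expiring within warn_days. Fully current
    citations produce nothing, so an empty result means the library is clean."""
    by_id = {e.evidence_id: e for e in vault}
    findings: List[Finding] = []
    for a in answers:
        for eid in a.cites:
            ev = by_id.get(eid)
            if ev is None:
                findings.append(Finding(a.question_id, eid, "missing"))
                continue
            days_left = (ev.expiry() - today).days
            if days_left < 0:
                findings.append(Finding(a.question_id, eid, "expired", days_left))
            elif days_left <= warn_days:
                findings.append(Finding(a.question_id, eid, "expiring", days_left))
    return findings


def alerts(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group findings by evidence item: one alert per stale attestation,
    listing every answer that cites it, which is the unit a renewal owner acts on."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        out.setdefault(f.evidence_id, []).append(f.question_id)
    return {k: sorted(v) for k, v in out.items()}


# Constructed sample data for the demo.
TODAY = date(2026, 1, 12)
SAMPLE_VAULT = [
    Evidence("EV-SOC2-2025", "soc2_type2", date(2025, 2, 1)),     # expires 2026-02-01
    Evidence("EV-PT-2024", "pen_test", date(2024, 12, 15)),       # expired 2025-12-15
    Evidence("EV-ISO-2024", "iso27001_cert", date(2024, 7, 1), expires=date(2027, 6, 30)),
    Evidence("EV-BCP-2025", "bcp_test", date(2025, 9, 10)),
]
SAMPLE_ANSWERS = [
    Answer("Q-SEC-012", ("EV-SOC2-2025",)),
    Answer("Q-SEC-031", ("EV-PT-2024",)),
    Answer("Q-SEC-002", ("EV-ISO-2024",)),
    Answer("Q-OPS-007", ("EV-BCP-2025", "EV-999")),   # EV-999 was never ingested
    Answer("Q-FIN-003", ("EV-SOC2-2025",)),
]
FINDINGS = sweep(SAMPLE_ANSWERS, SAMPLE_VAULT, TODAY)
ALERTS = alerts(FINDINGS)

if __name__ == "__main__":
    for eid, qids in ALERTS.items():
        status = next(f.status for f in FINDINGS if f.evidence_id == eid)
        print(f"{eid}: {status}; cited by {', '.join(qids)}")
```

Grouping by evidence item rather than by answer is deliberate: one SOC 2 report rolling over typically invalidates dozens of answers at once, and the person who has to chase the auditor needs one ticket, not dozens.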
The December DDQ panic day
A field note on the second Monday of December: what buyers send, why they send it then, and what the vendor side should do about it.
Q4 2025 RFP volume retrospective
A sector-by-sector look at what the final quarter of 2025 told us about buyer priorities, AI-disclosure requirements, and where volume landed versus Q4 2024.
Year-end DDQ surge: how to staff it
The operational playbook for running 40 to 60 due-diligence questionnaires through a small security and proposal team in the last six weeks of the year, without losing the team.
Black Friday, but for B2B procurement
A quirky pattern from our own inbox: new-vendor DDQs spike in the week after Thanksgiving. A short note on why, and what the seasonality does to team planning.
Multi-tenant DDQ templates across customer accounts
How one SOC 2 answer shape generalizes across many customer tenants without leaking tenant-specific facts. The separation between template structure and tenant content, explained.
The DDQ wave: what the inbox looks like this week
Mid-November volume snapshot across our own fleet. Volume, topic distribution, and the two categories growing fastest this week compared to the baseline.
DDQ answer voice: why consistency beats polish
Buyers forgive plain writing. They do not forgive a questionnaire that reads like it was stitched from eight different people. How to keep 300 DDQ answers sounding like one voice.
The annual security-questionnaire cycle, four industries
SaaS, healthcare, defense, finance. How the timing, volume, and question distribution differ across four regulated B2B industries, and why the cycle shape matters for staffing.
The recycled-DDQ-answers audit
A one-afternoon audit that finds the 40 recycled answers in last year's questionnaires that are silently wrong now. What to look for, what to rewrite, what to retire.
Security questionnaires: the 80% that's really retrieval
The canonical Engineering pillar on DDQ automation. A 300-question security questionnaire is not 300 unique questions — it's mostly retrieval against a corpus that's already written, plus a small tail that isn't.
The security-questionnaire response team that actually ships
Three roles, one DRI, a 48-hour SLA. How regulated vendors staff the Q4 questionnaire wave without shipping stale answers or missing deadlines.
The DDQ evidence-attachment API
How buyer-side evidence-request fields get auto-populated from a KB evidence vault. The schema, the matching logic, and the human-in-the-loop step we will not remove.
The Q4 DDQ surge is almost here
Procurement-side patterns for Q4 2025: what buyers are sending right now, what volume looks like at the question level, and what to expect in the next eight weeks.
The federal fiscal-year clock just reset
The federal fiscal year started yesterday. Here is what Q1 procurement volume actually looks like, what bids land in the next 90 days, and how a small proposal team should staff for it.
Security questionnaires: linking answers to evidence
How a SOC 2 attestation PDF becomes a citation source for DDQ answers. The ingest pipeline, the per-control extraction, and the per-claim linking that makes 'yes' answers verifiable instead of theatrical.
Vendor onboarding DDQs across four industries
Finance, healthcare, SaaS, and defense. The same 200 questions in four different rephrasings. A teardown of how the category-specific framing changes what the buyer expects to see in the answer — and what stays the same underneath.
Procurement-side pain is real — and underserved
Buyers also hate the category. Three quotes from public procurement blogs and what they tell us about how the industry has under-served the buyer side of the RFP relationship.
The DDQ review cycle you can actually finish
Two rounds, not four. The structure that keeps security questionnaires from missing deadlines, and what to drop when you cut the ceremony.
The Friday DDQ batch we process in under an hour
What automation does to a weekly batch of security questionnaires, and the four things it still can't do.
The DDQ answer-reuse myth
The pitch is: every DDQ is mostly the same, so reuse the answers. The reality is: every DDQ is mostly similar but just different enough that naive reuse fails. The gap between similar and identical is where the work lives.
Reading an RFP like the procurement lead who wrote it
RFPs are procurement documents written by named humans with known constraints, drafted from templates reused for fifteen bids. Read them that way and the response writes itself differently. The canonical long version.
Ingesting a 300-question security questionnaire
A 300-question security questionnaire is a throughput problem, not a writing problem. The ingest pipeline has five stages: extract, classify, dedupe against the last one, retrieve, assemble. Here is what each one does and where it costs.
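The intake stages named above (classify, dedupe against the last questionnaire, retrieve) and the answer-reuse gap described a few posts up are the same piece of logic seen from two sides: match each incoming question against the prior questionnaire's answered questions, reuse only on a near-exact match, route near-misses to a reviewer, and hand the rest to a writer. The following is an added example, not code from the original page or product. The four bucket names follow the page; the keyword lists, the token-overlap similarity, the thresholds, and the sample questions are all assumptions constructed for the demo.

```python
"""Intake stage for an ingested DDQ: classify, fingerprint, match against the
last questionnaire, and split the retrieval hits from the tail.

Added example, not the page's or product's own pipeline. Bucket names follow
the page; keyword lists, stopwords, thresholds and sample data are assumed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Assumed keyword hints per bucket; a real classifier would be trained on
# labelled intake history, this just makes the routing visible.
BUCKET_KEYWORDS = {
    "finance": ("revenue", "audit", "financial", "covenant", "parent company"),
    "legal/privacy": ("gdpr", "privacy", "dpa", "subprocessor", "retention"),
    "security": ("soc 2", "encrypt", "mfa", "penetration", "vulnerab", "access control"),
    "operations": ("incident", "continuity", "bcp", "vendor", "sla"),
}
STOPWORDS = {"the", "a", "an", "of", "your", "you", "do", "does", "is", "are", "to",
             "in", "and", "or", "please", "describe", "for", "with", "what"}


def classify(question: str) -> str:
    q = question.lower()
    scores = {b: sum(k in q for k in kws) for b, kws in BUCKET_KEYWORDS.items()}
    best = max(scores, key=scores.get)
    return best if scores[best] > 0 else "unclassified"


def tokens(question: str) -> Set[str]:
    """Normalised fingerprint: lowercase, punctuation and hyphens split,
    stopwords dropped, so 'incident-response' and 'incident response' agree."""
    return {t for t in re.findall(r"[a-z0-9]+", question.lower()) if t not in STOPWORDS}


def jaccard(a: Set[str], b: Set[str]) -> float:
    return len(a & b) / len(a | b) if (a | b) else 0.0


@dataclass(frozen=True)
class PriorAnswer:
    question: str
    answer: str
    evidence: Tuple[str, ...]


@dataclass(frozen=True)
class IntakeItem:
    question: str
    bucket: str
    action: str                   # "reuse", "review" or "write"
    match: Optional[PriorAnswer]
    score: float


def intake(questions: List[str], prior: List[PriorAnswer],
           reuse_at: float = 0.85, review_at: float = 0.5) -> List[IntakeItem]:
    """reuse: near-identical to a prior question, answer retrieved as-is.
    review: similar but the wording changed, so a human checks what the buyer
    actually added or dropped before the old answer ships.
    write: nothing close enough, this is the tail that is not retrieval."""
    items = []
    for q in questions:
        qt = tokens(q)
        best, best_score = None, 0.0
        for p in prior:
            s = jaccard(qt, tokens(p.question))
            if s > best_score:
                best, best_score = p, s
        if best_score >= reuse_at:
            action = "reuse"
        elif best_score >= review_at:
            action = "review"
        else:
            action, best = "write", None
        items.append(IntakeItem(q, classify(q), action, best, round(best_score, 3)))
    return items


# Constructed sample: last year's answered questions and this week's intake.
PRIOR = [
    PriorAnswer("Do you hold a current SOC 2 Type II report?", "Yes, ...", ("EV-SOC2-2025",)),
    PriorAnswer("Describe your incident response process and notification timelines.", "...", ("EV-IRP-2025",)),
    PriorAnswer("Is customer data encrypted at rest and in transit?", "Yes, AES-256 at rest, TLS 1.2+ ...", ("EV-CRYPTO-2025",)),
]
INCOMING = [
    "Do you hold a current SOC 2 Type II report?",
    "Is customer data encrypted at rest using customer-managed keys?",   # the CMK clause is new
    "What are your parent company's audited financials for the last two years?",
    "Describe your incident-response process and notification timelines.",
]
ITEMS = intake(INCOMING, PRIOR)

if __name__ == "__main__":
    for it in ITEMS:
        print(f"[{it.bucket:13}] {it.action:6} {it.score:.3f}  {it.question}")
```

The second incoming question is the whole point of the reuse myth: it shares most of its tokens with last year's encryption question, so naive reuse would ship a "yes" that never mentions customer-managed keys. A review threshold below the reuse threshold is what turns that near-miss into a flagged item instead of a silent wrong answer.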
Reading the RFP the procurement lead actually wrote
RFPs are procurement documents written by named humans with known constraints, not sales documents. Read them that way and you respond 40 to 60 percent better. A preview of next week's pillar piece.
DDQ Anatomy, Part 4 of 4: operations and vendor management
The closing section of a vendor DDQ. Incident response from the operational side, business continuity, vendor risk management, and the questions that decide whether you're a vendor procurement will renew.
DDQ Anatomy, Part 3 of 4: the security section
The security section is 60 questions long, mostly SOC 2-shaped, and it's where vendors most often ship answers that won't survive the buyer's actual security review. Here's what's asked and how to respond.
DDQ Anatomy, Part 2 of 4: legal and privacy
The legal and privacy section of a vendor DDQ is where 45 questions repeat bid-to-bid. Here's what they ask, what evaluators check, and how to answer without losing a week to it.
SAM.gov RFP volume, Q1 2025
What the federal procurement portal published in the first quarter of 2025. Public data only — directional signals on volume, agency mix, and category drift, with the SAM.gov citations to verify each claim.
The DDQ response playbook, end to end
A canonical playbook for due-diligence questionnaires. Seven stages from intake to post-mortem write-back, what each stage owns, where each one breaks, and why the same DDQ next year should take half the time.
DDQ Anatomy, Part 1 of 4: the finance section
What the finance section of a DDQ asks — SOC audit history, revenue recognition, debt covenants, parent-company financials. What evaluators want, where questions repeat, and what good answers look like.
In preview: DDQ question classification
Every question in an ingested DDQ is classified at intake into finance, legal/privacy, security, or operations buckets. In preview behind a feature flag — DDQ is a pursuit-type the marketed platform does not yet describe.
Anatomy of a 40-ish-page state RFP: a composite teardown
A structural walk through a typical mid-sized state RFP — modal-verb density, scoring rubric, buried disqualifiers. Composite teardown built from public state procurement patterns, not one specific document.
The unwritten rules inside every RFP (Part 3 of 4)
Procurement leads write RFPs in a particular dialect. Once you can read it, the scoring rubric, the disqualifiers, and the actual priorities surface within the first 20 pages.