Q4 2025 RFP volume retrospective
A sector-by-sector look at what the final quarter of 2025 told us about buyer priorities, AI-disclosure requirements, and where volume landed versus Q4 2025.
This is the Q4 2025 retrospective. Across the three months between October 1 and December 15, we sampled public-sector RFP volume from SAM.gov and the state-procurement portals we track (California, Texas, New York, Virginia, Georgia, Minnesota), and cross-referenced against the anonymized private-sector DDQ and RFP counts running through our own pipeline. The goal is a defensible picture of what changed this quarter and what held steady.
We name our caveats up front. Our private-sector sample is not representative of the whole market; it is representative of our customer base, which skews toward B2B SaaS and services firms in the 50-to-1,500 employee band. Federal and state data is public and representative, but lag in the portals means the November and December figures will move over the next 60 days as late-filed records post. Treat the numbers here as directional.
Federal volume
Federal civilian and defense solicitations posted to SAM.gov between October 1 and December 10, 2025:
| Quarter | Solicitations posted | Delta vs. prior year |
|---|---|---|
| Q4 2025 (Oct-Dec) | ~18,200 | — |
| Q4 2025 (Oct-Dec 10) | ~17,400 | -4% |
The 4% softness is not evenly distributed. Civilian agencies are flat year-over-year. Defense-side volume is down roughly 9%, concentrated in smaller-dollar IDIQ task orders. Our read is that this reflects continuing-resolution dynamics on the federal calendar rather than a structural shift — which we’ll revisit in the year-end pillar.
Large-dollar solicitations (above the $25M threshold) are up 6%. Small-business set-aside solicitations are down 11%. That second number is worth watching. It was down 7% in Q3. If the trend holds through Q1 2026, it stops being a wobble and becomes a signal.
State volume
State procurement volumes across our six-state sample:
| State | Q4 2025 | Q4 2025 | Delta |
|---|---|---|---|
| California | 1,240 | 1,310 | +6% |
| Texas | 980 | 960 | -2% |
| New York | 720 | 790 | +10% |
| Virginia | 510 | 520 | +2% |
| Georgia | 480 | 460 | -4% |
| Minnesota | 310 | 340 | +10% |
New York and Minnesota both up meaningfully. The Minnesota bump correlates with a published state IT modernization program; the New York bump is distributed across multiple agencies and harder to attribute to a single initiative.
Procurement teams doing multi-state work should note: the rate at which states require state-specific attachments has continued to climb. Across the six states we track, the median required attachment count per response moved from 8 in Q4 2025 to 11 in Q4 2025. The work of maintaining a state-by-state attachment library has gotten denser.
Private-sector DDQ volume
Our own pipeline carried roughly 2.2x the typical monthly DDQ volume in November and is on track for roughly 2.5x in December, versus the August baseline. This is consistent with the year-end surge pattern we described in October and with Safe Security’s published volume observations.
Sector distribution inside that volume:
- Financial services: 34% of DDQ volume, up from 28% in Q4 2025.
- Healthcare and life sciences: 22%, flat year-over-year.
- Technology and SaaS: 21%, down slightly.
- Industrial and manufacturing: 13%, up from 9%.
- Other: 10%.
The industrial bump is the surprise. Our read is that manufacturing and industrial buyers have moved from ad hoc vendor risk assessment to structured DDQs over the last 18 months, catching up to the financial-services playbook. We will pull the 12-month trend in the year-end pillar to test the hypothesis.
What buyers are asking about
Question-bucket distribution inside the DDQ volume shifted year-over-year. The shifts are small but consistent across multiple buyer types.
| Bucket | Q4 2025 share | Q4 2025 share | Delta |
|---|---|---|---|
| Security (general) | 42% | 38% | -4 pts |
| Finance and vendor stability | 18% | 17% | -1 pt |
| Legal and privacy | 15% | 14% | -1 pt |
| AI and model usage | 4% | 12% | +8 pts |
| Operations and vendor management | 14% | 13% | -1 pt |
| Other | 7% | 6% | -1 pt |
The AI-and-model-usage bucket is the story of Q4 2025. In Q4 2025, questions about vendor AI usage appeared in roughly one in five DDQs and rarely ran more than a handful of questions each. In Q4 2025, two-thirds of the DDQs in our pipeline contain a dedicated AI/ML section, and the median section length is 14 questions. Common themes:
- Training-data provenance and customer-data isolation.
- Model-output verification and human-in-the-loop policies.
- Vendor use of third-party model APIs (OpenAI, Anthropic, Google) and the data-handling agreements governing those integrations.
- Opt-out mechanisms for customer data being used to train models.
- Incident-response posture for AI-specific failure modes.
A vendor who does not have pre-approved answers to these questions is drafting them live in December at the end of a 20-day cycle. That is the single most impactful KB-readiness observation of the quarter.
Evidence-attachment patterns
One more shift inside the DDQ data that is worth naming on its own. The evidence-attachment requirement — the list of uploaded documents a buyer expects alongside narrative answers — grew in both length and specificity this quarter.
The median DDQ in our Q4 2025 sample required 7 attachment types, up from 5 in Q4 2025. New attachment categories that appeared at meaningful volume this quarter, beyond the standard SOC 2 and penetration-test summary:
- Documented AI governance policy or statement.
- Third-party AI-audit report, where applicable.
- Privacy impact assessment (PIA) excerpts.
- Supplier diversity certification documentation.
- Business continuity plan excerpt, specifically the sections covering SaaS-delivery continuity (not generic BCP documents).
Vendors with an evidence vault wired into their KB — where each attachment type is a first-class object with a current version, a review date, and an owner — handled the attachment volume without incident. Vendors without one spent the back half of December chasing PDFs across internal drives, a pattern that is documented broadly in the vendor questionnaire literature and that maps exactly to the DDQ surge we saw.
The operational cost of a missing or stale attachment is not theoretical. Several buyers in our sample treated outdated attachment dates (more than 12 months old, for most categories) as a response deficiency that reduced the scoring on that section. A vendor who ships a current SOC 2 and a 16-month-old penetration-test summary loses points on the second document.
What the data doesn’t say
A few things we cannot responsibly claim from this sample:
- Whether win rates shifted. We do not have cleanly labeled win/loss data across Q4 at a scale where we’d publish a rate. We see anecdotal data from individual customers, and it varies widely by sector and deal size.
- Whether AI questions are weighted heavily in scoring. The questions are there; whether they are dispositive is a separate question we don’t have public data on. Most buyers don’t publish scoring rubrics at the question level.
- Whether the Q4 surge pulled in bids that would otherwise have landed in Q1. Plausible, but the federal calendar mechanics and the private-sector budget-cycle mechanics are different enough that we wouldn’t generalize.
VisibleThread has written that rushing into writing without fully understanding the evaluation framework is the leading cause of proposal failure. At the aggregate level, our Q4 data says the evaluation frameworks themselves are moving. A team that is still responding to the evaluation framework it understood in Q1 2025 is now several quarters behind what buyers are actually asking.
Deadline dynamics we watched this quarter
Two operational shifts worth naming, both consistent across buyer types in our sample:
Shorter median response windows on DDQs. In Q4 2025 our median DDQ response window was 14 business days. In Q4 2025 it was 10. The distribution has compressed at both ends: the longest windows (30+ days) have nearly disappeared, and the shortest (5 days or fewer) have grown to about 15% of volume. The compression is not a buyer’s-side policy we can cite publicly; it is the aggregate result of individual buyers each pulling in their windows, most plausibly because the buyers’ own year-end calendars are tighter.
More addenda per RFP. The median RFP in our state-procurement sample received 2.6 posted addenda over its cycle in Q4 2025, versus 1.8 in Q4 2025. Some of the increase reflects buyers posting late clarifications in response to vendor questions; some reflects RFPs that were issued under time pressure and required mid-cycle corrections. Either way, intake hygiene on addenda — the discipline of re-running compliance matrices against every addendum — matters more than it did a year ago.
Sector snapshots
Three sector-specific observations that don’t change the headline numbers but are worth flagging for teams working those verticals.
Financial services. The 34% DDQ share is concentrated in banks and insurers whose annual vendor risk reviews landed on the December calendar. The questionnaires in this sector have grown the most aggressively on AI usage: roughly three-quarters of the financial-services DDQs in our sample carried a dedicated AI section of 15+ questions. Financial services buyers are also the earliest adopters of the stricter 48-hour breach-notification clause we see in commercial terms.
Healthcare. Flat year-over-year in volume, but the mix shifted. HIPAA-specific questionnaires are roughly stable; HITRUST-aligned questionnaires grew from 18% of the healthcare sample in Q4 2025 to 29% in Q4 2025. Vendors without pre-approved HITRUST posture answers are drafting them live under the DDQ-surge timeline, which is a predictable cause of late-cycle review compression.
Industrial and manufacturing. The bump from 9% to 13% is the quarter’s surprise. Questions in this sector are less security-dense and more operationally dense — supply-chain continuity, sub-contractor disclosure, on-site safety posture. Vendors who treat industrial DDQs as “lightweight versions of financial-services DDQs” are answering the wrong questions.
Three things to take from this
- AI-and-model-usage questions are now mainstream. Treat them as a first-class DDQ bucket, not an edge case.
- State procurement has gotten denser on attachments. The multi-state library work is non-trivial and needs an owner.
- Federal small-business set-aside softness is worth watching. Two consecutive quarters of decline. If Q1 2026 extends the trend, it is a procurement pattern shift, not a one-quarter wobble.
The full 2025 year-in-review ships on the last day of the month. This post is the intermediate cut.