SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

Apparently these are the 10 common mistakes made when crafting a security-conscious RFP.

Here's my list of the top 10 mistakes organizations make when crafting a security RFP:

1. Create the RFP in a silo, without considering input from stakeholders throughout the organization.
2. Provide very little information about the infrastructure in scope for the security solution.
3. Use the RFP process in situations where it slows you down, without offering substantial benefits.
4. Avoid defining criteria for objectively evaluating RFP responses.
5. Select the solution or vendor in advance, using the RFP to mark a checkbox.
6. Underestimate the time your staff needs to devote to processing RFP responses.
7. Don't define a process for allowing RFP responders to ask clarifying questions.
8. Don't ask detailed clarifying questions after receiving RFP responses.
9. Forget to define your business requirements, hoping that RFP responders will do that for you.
10. Issue the RFP before your organization is ready to make use of the requested solution.

InfoSec Handlers Diary Blog - Top 10 Mistakes When Crafting a Security RFP

The security assessment RFP cheat sheet also looks good!

If this is useful to you, you may also benefit from the longer "cheat sheet" I created for issuing RFPs specific to security assessments.

InfoSec Handlers Diary Blog - Top 10 Mistakes When Crafting a Security RFP

Nice!!!!

If you're not familiar with the services you need, consider issuing an RFI, rather than an RFP.

Information Security Assessment RFP Cheat Sheet

Difficult, but important.

Examine the vendor's project management capabilities.

Information Security Assessment RFP Cheat Sheet