2024-0332 Cyber Security Concept Developer services (NS) - WED 2 Jul RELAUNCH

Subject RFQ was relaunched for one more round as candidate submitted in the first round were considered not compliant due to the following:

• His background is less focused on cryptographic topics, does not have a recent position related to cryptography.
• Does not comply with the strategic level of the job requirement. His background is more technical which is suitable for operational level.

Due date: Wednesday 2 July 2025

Requirement Title: Provision for SHAPE J6 - Cyber Security Concept Developer services

Location of Performance: 100% On-site at SHAPE, Mons-Belgium

Period of Performance:

2025 BASE: As soon as possible and not later than 04 August 2025 – 31st December 2025 with possibility to exercise sprints from the following options:

2026 Option: 1st Jan - 31st Dec 2026

2027 Option: 1st Jan - 31st Dec 2027

2028 Option: 1st Jan - 31st Dec 2028

Required Security Clearance: NATO SECRET

1. INTRODUCTION

To strengthen the Alliance through connecting its forces, the NCI Agency delivers secure, coherent, cost effective and interoperable communications and information systems in support of consultation, command & control and enabling intelligence, surveillance and reconnaissance capabilities, for NATO, where and when required. It includes IT support to the Alliances’ business processes (to include provision of IT shared services) to the NATO HQ, the Command Structure and NATO Agencies.

NCI Agency CIS Support Unit (CSU) Mons enables end-to-end CIS services as it maintains and supports a range of CIS capabilities during peacetime, crisis and war throughout its allocated Area of Responsibility (AOR) and as otherwise directed as specified in the extant Supreme Headquarters Allied Powers Europe (SHAPE) Service Level Agreement (SLA).

NCIA is continuously supporting SHAPE J6 Cyberspace in the Cryptographic modernization effort in the areas of cryptographic equipment procurement and technical consultancy, and in the role of the cryptographic inventory manager. NCIA is also supporting SHAPE in its role of the cryptographic controlling authority.

Local Subject Matter Expertise is provided to SHAPE J6 Cyberspace, through SHAPE SLA, NCIA CSU MONS.

The service is to be contracted, to support ACOS J6 Cyberspace in the ongoing cryptographic modernization process for the whole Alliance.

SHAPE J6 Cyberspace is the Cryptographic Authority for the Crypto Modernisation program of the Alliance. Allied Cryptographic Task Force (ACTF) has been established under Military Committee (MC) as the main venue to tackle all the related to Cryptography issues. The Cyber Security Concept Developer is considered as one of the main contributors to this task having specific deliverables to provide as addressed below.

2. SCOPE OF WORK

Under the direction of the SHAPE J6 SPP BH, the contractor will provide services related to the following activities:

• Assistance in drafting and updating the annual ACO Cryptographic Modernisation Timed Roadmap

• Assistance in planning and implementing Alliance-wide operational contingencies as a result of delays in the delivery of Crypto Modernisation projects

• Support to the Allied Crypto Task Force (ACTF) secretariat, in organising the respecting meetings

• and drafting reports to inform discussions with the Nations on cryptographic issues

• Assistance in developing the operational requirements of the Cryptographic Situation Awareness as described in the relevant procurement processes.

• Assistance in the planning and implementation of lifecycle management projects of NATO on-line and off-line crypto equipment for accountability, serviceability and re-use.

• Assistance in preparing the annual CIS Security Audit Program of Work

• Produce meeting reports for attended meetings (format: internal template), which include detail of activities performed and issues or concerns impacting J6 Cyberspace.

• Participate in meetings and boards on as-needed basis, or as requested by J6 Cyberspace SPP BH.

High-level definition of deliverables:

Situational Awareness — Cryptographic: Each sprint

Risk Assessment — Risk registry: Each sprint

Risk Assessment — Risks and Issues Assessment report: 1/ year

Cryptographic Timed Roadmap: 1 / year

Meeting presentations and updates: Each sprint

NSAB boards contribution (2x): 2 / year

ACTF (2) - Calling notice, Agenda, Action: 2 / year

ACTF (2) - ACO updates and presentations (SA, Risks, Mitigation actions): 2 / year

ACTF (2) - Meeting report: 2 / year

CSAT project database population: After delivery of project for database implementation

All of the deliverables and underliving work under this contract will be in English. Unclassified deliverables will be sent via e-mail or removable media. Disclosure of any or all of the deliverables to another third party besides NCIA Agency will require the prior agreement of NCI Agency

The Contractor’s personnel will be part of a team under the supervision of the NCIA project manager (PM) and SHAPE J6 Cyberspace SPP CSRM Head and will provide services using an agile and iterative approach using multiple sprints. Each sprint is planned for a duration of 4 weeks, following the team’s business hours.

The content and scope of each sprint will be agreed with the project manager and technical staff during the sprint-planning meeting, in writing.

The services shall be provided in close collaboration between the Contractors and NCI Agency project manager as described below:

NCIA: PM Project lead and main stakeholder

SHAPE/J6 Cyberspace/SPP/Cyberspace Security and Risk Management Section (CSRM) Head: Responsible for Cryptographic Modernisation for ACO

Contractor/ Contractor’s personnel: To provide services and deliverables as identified above

3. PAYMENT SCHEDULE

All Invoices shall be accompanied with a Delivery Acceptance Sheet (DAS, Annex B) signed by the Contractor and project authority.

The payment shall be dependent upon successful acceptance of the sprint report (as mentioned in para. 4) and Delivery Acceptance Sheet (DAS) — (Annex B).

The NCIA team reserves the possibility to exercise a number of options, based on the same deliverables timeframe and cost, at a later time, depending on the project priorities and requirements.

In 2025, the following deliverables are expected from the service as set in this statement of work:

Deliverable: Sprints (1-5)

Quantity: 5 (Estimated qty considering tentative start date. Number of sprints will be adjusted based on actual starting date.)

Payment Milestones: Upon completion of each sprint and at the end of the work.

2026 OPTIONS: 01 January 2026 to 31 December 2026

Deliverable: Up to 12 sprints

Cost Ceiling: Price per sprint will be determined by applying the price adjustment formula as outlined in CO-115786-AAS+ Special Provisions article 6.5.

Payment Milestones: Payment Milestones will be end of each sprint completion, based on successful acceptance of the sprint report and Delivery Acceptance Sheet

2027 OPTIONS: 01 January 2027 to 31 December 2027

Deliverable: Up to 12 sprints

Cost Ceiling: Price per sprint will be determined by applying the price adjustment formula as outlined in CO-115786-AAS+ Special Provisions article 6.5.

Payment Milestones: Payment Milestones will be end of each sprint completion, based on successful acceptance of the sprint report and Delivery Acceptance Sheet

2028 OPTIONS: 01 January 2028 to 31 December 2028

Deliverable: Up to 12 sprints

Cost Ceiling: Price per sprint will be determined by applying the price adjustment formula as outlined in CO-115786-AAS+ Special Provisions article 6.5.

Payment Milestones: Payment Milestones will be end of each sprint completion, based on successful acceptance of the sprint report and Delivery Acceptance Sheet

4. COORDINATION AND REPORTING

The Contractor shall provide services on-site, in Mons (BE) at SHAPE J6 Cyberspace.

The Contractor shall participate in monthly status update meetings and other meetings, physically in the office, or in person via electronic means using Conference Call capabilities, according to service delivery manager’s instructions. For each sprint to be considered as complete and payable, the contractor must report the outcome of his/her work during the sprint, first verbally during the retrospective meeting and then in writing within three (3) days after the sprint' s end date. A report in the format of a short email shall be sent to the nominated point of contact of the NCI Agency, mentioning briefly the work held and the development achievements during the sprint.

5. SCHEDULE

It is expected the service starts as soon as possible but no later than 4th d of August 2025 and ending no later than 31 December 2025.

If the 2026 option is exercised, the period of performance is 01 January 2026 to 31 December 2026

If the 2027 option is exercised, the period of performance is 01 January 2027 to 31 December 2027.

If the 2028 option is exercised, the period of performance is 01 January 2028 to 31 December 2028.

The services will be provided during normal office hours following the SHAPE calendar, as well as outside office hours and on weekends, if necessary. Outside office hours and on weekend is exceptional, and in these cases the sprint price remain unchanged.

6. SECURITY

Services to be provided under this SOW require valid NATO SECRET security clearance prior to the start of the engagement.

7. CONSTRAINTS

All the documentation provided under this statement of work will be based on NCI Agency templates and/or agreed with the NCIA service delivery point of contact. All support, maintenance, documentation and required code will be stored under configuration management and/or in the provided NCI Agency tools.

8. PRACTICAL ARRANGEMENTS

The contractor is expected to provide services on-site in Mons (BE) at SHAPE J6 Cyberspace .

9. TRAVEL

There may be requirements to travel to other sites within NATO for completing these tasks. Travel requires the prior coordination with and approval of the NCIA Service Delivery Manager/Project Manager.

Travel costs are out of scope and will be borne by the NCI Agency separately in accordance to the provisions of the AAS+ Framework Contract.

Travel arrangements will be the responsibility of the contractor and the expenses will be reimbursed in accordance with Article 5.5 of AAS Framework Contract and within the limits of the NCIA Travel Directive.

10. REQUIREMENTS

[See Requirements]

Requirements

10. REQUIREMENTS

ONE contractor must provide services under this SOW, with the following qualifications/ requirements:

• Nationally recognized/certified university qualifications on information management or database administration.
• Or exceptionally, the lack of a university degree may be compensated by the demonstration of a candidate’s particular abilities or experience that is/are of interest to NATO, that is, at least 3 years extensive and progressive expertise in duties related to the function of the post;

• Background knowledge and multiyear experience in organization, management and support of various (international) operations, activities, units and projects related to defense, security, electronics and communications, in the national and NATO environments.
• Master’s degrees in electronic engineering
• International experience and NATO
• Previous experience within NATO dealing with Crypto implementation and standards
• Deep knowledge of Maritime Cryptographic issues, including training, CONOPS, key management
• Experience with Risks Management as applied to Cryptographic and Cyber Security Fields
• Experience in leading staff work on Large and complex projects or responsible for significant projects
• Valid security clearance at minimum NATO SECRET level.
• NATO and/or military experience desired.
• Motivated, good communication skills, team player.
• Strong technical skills in English.
• Knowledge of NATO responsibilities and organization.
• Advanced research and analytical skills.
• Familiar with Risk Assessment frameworks (ISO-27XXX, EBIOS, etc,)
• Experience of NATO C3/ CIS systems.