2025-0210 Cyberspace Operations Malware and Digital Forensics (CTS) - MON 7 Jul

Deadline Date: Monday 7 July 2025

Requirement: Support to Cyberspace Operations Malware and Digital Forensics

Location: Mons, BE

Full Time On-Site: Yes

Time On-Site: 100%

Period of Performance: 2025 BASE: 1 SEP 2025 to 31 DEC 2025, with the possibility to exercise following options:

• 2026 option: 1 JAN 2026 to 31 DEC 2026

• 2027 option: 1 JAN 2027 to 31 DEC 2027

• 2028 option: 1 JAN 2028 to 31 DEC 2028

Required Security Clearance: NATO COSMIC TOP SECRET

1. BACKGROUND

The NCI Agency has been established with a view to meeting the collective requirements of some or all NATO nations in the fields of capability delivery and service provision related to Consultation, Command & Control as well as Communications, Information and Cyber Defence functions, thereby also facilitating the integration of Intelligence, Surveillance, Reconnaissance, Target Acquisition functions and their associated information exchange.

2. INTRODUCTION

The NATO Cyber Security Centre (NCSC) is a team of over 200 members working to monitor and protect NATO networks. In the NCSC’s role to deliver robust security services to the NATO Enterprise and NATO Allied Operations and Missions (AOM), the centre executes a portfolio of programmes and projects around 219 MEUR euros per year, in order to uplift and enhance critical cyber security services.

The Portfolio ranges from Programme of Work (POW) activities funded via the NATO Military Budget (MB) to Critical / Urgent Requirements (CURs/URs) and NATO Security Investment Programme (NSIP) projects funded via the Investment Budget (IB). In some edge cases, projects are also funded via the Civilian Budget (CB). Projects can span multiple years and are governed by various frameworks, including the Common Funded Capability Development Governance Framework  (CFCDGM).

In order to execute this work, the NCI Agency requires support with the work undertaken by the NATO Cyber Security Centre (NCSC) in the area of Communications and Information System (CIS) security, cyber defence and cyberspace operations. This Statement of Work (SoW) specifies the required skillset and experience.

3. PURPOSE

The NCSC and more specifically the DEFEND branch is responsible to defend NATO networks on a 24/7 basis and to support incident response by performing malware analysis and digital forensics. This involves among other things: the analysis of malicious emails and payloads, the retrieval of forensics artefacts in a sound manner, the reverse engineering of binaries and continuous improvements of scripting, automation and the environment.

4. OBJECTIVES

This Statement of Work (SoW) outlines the services to be provided by the Contractor to NCSC for providing support to Cyber Operations malware and digital forensics.

5. DELIVERABLES

The service is executed in sprints, each sprint is planned for a duration of 5 working days.

The Contractor’s personnel shall deliver the following functions:

D1. Based on a specific malware analysis task (TASK) received via the NCSC COMS system. Analyse what is required (malicious email, URL, binary…) and perform a comprehensive analysis using automated and manual approaches.

D1 Outcome: The analysis is presented in the updated TASK following the template.

D1 Acceptance Criteria:

1. Regular updates are provided via “comments” on the task once assigned, at least daily
2. The format of the analysis follows the agreed template
3. The relevant Standard Operating Procedures (SOP) and Standard Operating Instructions(SOI) are followed
4. Work on the task should start within 2 hours of being assigned
5. A maximum of 1 day for email/URL analysis is foreseen, up to 5 days for a complex binary. If a longer time is required, a detailed justification is to be provided and accepted by management.

D2. Malware analysis research on samples of particular interest. When such a research is required, the provider will perform additional tasks to analyse in depth the sample and produce rules to better detect it.

D2 Outcome: A page in the NCSC wiki containing a detailed research  about the samples including links to Yara rules and IOCs created

D2 Acceptance Criteria:

1. The page documenting the research follows the template
2. If applicable, the Yara rules were created in the repository
3. If applicable, extracted IOCs (indicators of compromise) were recorded in a MISP event

D3. Create, update and modify existing SOI/SOPs to reflect the current best practices.

D3 Outcome: The SOI/SOP has been updated, created or modified to reflect the current practices.

D3 Acceptance Criteria:

1. The template has been followed
2. Links with other relevant SOI/SOPs have been made

D4. Acquire and analyse digital forensics evidence following the forensics task (TASK) raised in NCSC COMS

D4 Outcome: The evidence has been acquired, analysed and the analysis outcome has been documented in COMS

D4 Acceptance Criteria:

1. The acquisition has been performed using the fastest methods available
2. The acquisition is forensically sound and follows existing SOP/SOIs
3. Regular updates on the task are provided via “comments”, at least daily
4. The evidence has been stored in the centralized evidence storage

D5. Use and configure security tools such as Microsoft Defender for Endpoint, Fidelis Endpoint Security, F-Response as well as supporting scripting and tools.

D5 Outcome: Documentation about the configuration change.

D5 Acceptance Criteria:

1. The change of configuration has been documented in the knowledge base (Confluence). When the tool is using configuration as code, the appropriate documented pull request in the Git repository must also be raised.
2. The format should follow the template already in use by NCSC.
3. The change should be documented at least 24 hours before the change is expected to take place.
4. For bigger changes, the NCSC change management process must be followed, including the submission of a change request as well as supporting documents

D6. Brainstorm during weekly meetings with the rest of the Cyber Threat Investigation Team how to improve the services delivered by the team.

D6 Outcome: Participation in the meetings

D6 Acceptance Criteria: Participation is reported and tracked in the meeting minutes which need to be prepared before the meeting and updated during the meeting (Confluence). Weekly participation is expected.

D7. Perform supporting activities around malware and digital forensics such as informing relevant stakeholders, liaising with other teams in the NATO enterprise, preparing administrative documents and technical implementation to assist with continuous service improvements.

D7 Outcome: Updated “Routine Task (ORT)” containing regular updates and the final outcome of the task given.

D7 Acceptance Criteria:

1. The task tracker is updated regularly, at least once every week with the latest status
2. The blocking points are clearly identified
3. Subtasks are created proactively if required

Rejection Criteria:

• The client may reject deliverables if they do not meet the specified acceptance criteria or if they contain critical errors.

• A rejected deliverable must be corrected and resubmitted within 1 (one) business day.

Further details:

• Each deliverable will be assessed by a supervisor or team member on a scale from 1 to 5 based on the criteria defined above. This score is used for the monthly KPI, an overall score below 80% introduces a financial penalty. Further, the contractor must conduct the following reviews:

• A bi-weekly ‘touch point’ between NCSC – Technical Analysis Service Delivery Manager, or any other NCSC personnel designated by NCSC.

Structure and formatting of the deliverables:

In addition to their specific acceptance criteria, each deliverable shall meet the following requirements:

• Language: the product shall be written in English, meeting the NATO STANAG 6001 Level 3 “Professional Proficiency”.

• Intended Audience: the product shall be intended for Cyber Security Professional, Senior Military personnel and decision makers in the field of Cyber Security and Cyberspace Operations.

• Accuracy: the product shall accurately reflect what was done.

• Clarity and Conciseness: Information shall be presented clearly and concisely, avoiding unnecessary jargon or complex language.

• Objectivity: the content shall be impartial and objective, presenting information without bias or personal interpretation.

• Structure: the product shall follow a logical structure such as template when available.

• Timeliness: the product shall be prepared and distributed promptly after the assignment, ensuring that information is fresh and actionable.

• Formatting: Consistent formatting shall be used throughout the document, including font style, size, headings, and spacing further directed by the Information and Knowledge Management Steering Group.

• Confidentiality: Information processed by analysing threat intelligence reports or acquired during threat hunting campaigns shall be handled in accordance with the NATO policy on Information Management.

6. PENALTIES

The penalties defined below will apply to the payment amount based on the performance results measured through R1 - Monthly Service Performance (Annex A)

Each deliverable will be assessed by a supervisor or team member on a scale of 1 to 5 based on the criteria defined above. If the score is below 4/5, a justification is provided by the assessor. This score is used for the monthly KPI reported in R1 (Annex A) which is the sum of all the deliverables scores divided by the number of deliverables and transformed into percentage, an overall score below 80% introduce financial penalty. This score is computed in the “sprint review” phase detailed in Section 7.

The grade are to be understood as follows:

1 (20%): Unsatisfactory: The deliverable is completely off-target

2 (40%): Lacking: The deliverable doesn’t meet 1 or more acceptance criteria

3 (60%): Substandard: The deliverable didn’t meet an acceptance criteria or the deadline communicated

4 (80%): Acceptable: The deliverable meets all acceptance criteria however some structure and formatting could be improved

5 (100%): Satisfactory: The deliverable perfectly meets the expectations

Overall Satisfaction on Deliverables D01 to D07 as per paragraph 5: >=80% = 0% Penalty

Overall Satisfaction on Deliverables D01 to D07 as per paragraph 5: 60 - 79% = 25% Penalty

Overall Satisfaction on Deliverables D01 to D07 as per paragraph 5: 40 - 59% = 50% Penalty

Overall Satisfaction on Deliverables D01 to D07 as per paragraph 5: < 40% = 75% Penalty

Method of Surveillance: The overall satisfaction for the month is reported on the R1 - Monthly Service Performance (Annex A)

7. COORDINATION AND REPORTING

Due to the AGILE approach of this project, there is a need to define a set of specific arrangements between the NCIA and the contractor that specifically defines the deliverables to be provided for each sprint as well as their associated acceptance criteria. This includes sprint planning, execution and review processes, which are detailed below:

Sprint Planning:

Objective: Plan the objectives for the upcoming sprint.

Kick-off meeting: Conduct a bi-weekly (every two weeks) meeting with the contractor to plan the objectives of upcoming sprint and review contractor`s manpower to meet the agreed deliverables.

Set sprint goals: Define clear, achievable goals for the sprint and associated acceptance criteria, including specific delivery targets, Quality standards as well as Key Performance Indicators (KPIs) for each task to be recorded in the sprint meeting minutes.

Agree on the required level of effort for the various sprint tasks.

Backlog Review: Review and prioritise the backlog of tasks, issues, and improvements from previous sprints.

Assess each payment milestone cycle duration of two sprints. State of completion and validation of each sprint status and sign off sprints to be submitted for payment as covered in Section 4.

Sprint Execution

Objective: Contractor to execute the agreed “sprint plans” with continuous monitoring and adjustments.

Regular meetings between NCIA and the contractor to review sprint progress, address issues, and make necessary adjustments to the processes or production methodology. The Meetings will be physically in the office.

Continuous improvement: Contractor to establish a continuous feedback loop to gather input from all stakeholders for ongoing improvements and their subsequent implementation depending on NCIA approval.

Progress Tracking: Contractor to use a shared dashboard or tool to track the status of the sprint deliveries and any issues.

Quality Assurance/Quality Check: Contractor shall ensure that the quality standards agreed for the sprint deliverables are maintained throughout the sprint.

Quality Control: NCIA to perform the Final Quality Control of the agreed deliverables and provide feedback on any issues.

Sprint Review

Objective: Review the sprint performance and identify areas for improvement.

R1-monthly performance report (see Annex A), provided at the end of the month, in NCSC tool and using NCSC provided template, containing the number of each deliverable provided during the month.

The report will be prefilled by the Contractor’s personnel and includes as supporting documentation the list of deliverables produced during that month including references to NCSC tools containing the information.

The report will be completed by NCSC to include the overall score received for the deliverables in that month. It is computed as follows: the sum of the score for each deliverable (from 1 to 5) divided by the number of deliverables and converted in percentage.

At the end of each sprint, there will be a meeting between the NCI Agency and the Contractor’s Personnel to review the outcomes against the acceptance criteria comprising sprint goals, agreed quality criteria and Key Performance Indicators (KPIs).

Define specific actions to address issues and enhance the next sprint.

Sprint Payment

For each 4 (four) consecutive sprints to be considered as complete and payable, the contractor must report the outcome of their work during the sprint, first verbally during the retrospective sprint review meeting and then in writing within five days after the 4th sprint’s end date. A report must be sent by email to the NCI Agency service manager, listing all the work achieved against the agreed tasking list set for the sprint.

The contractor's payment for each set of 4 sprints will be depending upon the achievement of agreed Acceptance Criteria for each task, defined at the sprint planning stage. This will include specific delivery targets, quality standards as well as Key Performance Indicators (KPIs) for each task.

The payment shall be dependent upon successful acceptance as set in the above planning/review meetings. This will follow the payment milestones that shall include a completed R1 - Monthly Performance Report (Annex A).

Invoices shall be accompanied with a R1 - Monthly Performance Report (Annex A) signed by the Contractor and project authority.

If the contractor fails to meet the agreed Acceptance criteria for any task, the NCI Agency reserves the right to withhold payment for that task/sprint.

If, due to unavailability of the contractor, a sprint is not delivered or delivered incomplete by the end of the sprint period, it will be considered as void and no payment will occur.

8. DELIVERABLES MILESTONES AND PAYMENT SCHEDULE

Payment will be done after completion of four (4) consecutive sprints, following the acceptance of the sprint report.

The payments shall be dependent upon successful acceptance of the R1 – Monthly Performance Report (Annex A).

Invoices shall be accompanied with the R1 - Monthly Performance Report (Annex A) signed by the Contractor’s personnel and project authority.

The Purchaser (NCIA) reserves the right to exercise a number of options of one or more sprints based on the same scrum deliverables, at a later time, depending on the project priorities and requirements, at the following cost: for base year (2025) at the same cost, for outer years (2026, 2027 and 2028) the Price Adjustment Formula will be applied in accordance with paragraph 6.5 of the Framework Contract Special Provisions.

2025 BASE: 1 September 2025 to 31 December 2025

Deliverable: Up to 14 sprints (Number of sprints is calculated considering a starting date 1 September 2025. This will be adjusted based on actual starting date.)

Payment Milestones: Completion of four (4) consecutive sprints will be documented in the R1 - Monthly Performance Report (Annex A) which will be signed for acceptance by the authorized point of contact and the Contractor’s personnel.

2026 OPTION: 01 JANUARY 2026 TO 31 DECEMBER 2026

Deliverable: Up to 46 sprints

Cost Ceiling: Price will be determined by applying the price adjustment formula as outlined in CO‐115786‐ AAS+ Special Provisions article 6.5.

Payment Milestones: Completion of four (4) consecutive sprints will be documented in the R1 - Monthly Performance Report (Annex A) which will be signed for acceptance by the authorized point of contact and the Contractor’s personnel.

2027 OPTION: 01 JANUARY 2027 TO 31 DECEMBER 2027

Deliverable: Up to 46 sprints

Cost Ceiling: Price will be determined by applying the price adjustment formula as outlined in CO‐115786‐ AAS+ Special Provisions article 6.5.

Payment Milestones: Completion of four (4) consecutive sprints will be documented in the R1 - Monthly Performance Report (Annex A) which will be signed for acceptance by the authorized point of contact and the Contractor’s personnel.

2028 OPTION: 01 JANUARY 2028 TO 31 DECEMBER 2028

Deliverable: Up to 46 sprints

Cost Ceiling: Price will be determined by applying the price adjustment formula as outlined in CO‐115786‐ AAS+ Special Provisions article 6.5.

Payment Milestones: Completion of four (4) consecutive sprints will be documented in the R1 - Monthly Performance Report (Annex A) which will be signed for acceptance by the authorized point of contact and the Contractor’s personnel.

9. SCHEDULE

The 2025 BASE period of performance starts as soon as possible and no later than 1 September 2025 and will end no later than 31 December 2025

If the 2026 option is exercised, the period of performance is 1 January 2026 to 31 December 2026.

If the 2027 option is exercised, the period of performance is 1 January 2027 to 31 December 2027.

If the 2028 option is exercised, the period of performance is 1 January 2028 to 31 December 2028.

10. SECURITY AND NON-DISCLOSURE AGREEMENT

Any contracted individuals of the Contractor’s personnel must be in possession of a security clearance by their National Authority of NATO COSMIC TOP SECRET or above. The signature of a Non-Disclosure Agreement between any Contractor’s personnel contributing to this task and NCIA will be required prior to execution.

11. PRACTICAL ARRANGEMENTS

Services under the current SOW are to be delivered by ONE resource.

The services will be mainly executed on premise in SHAPE, Mons Belgium.

The services may optionally be executed remotely during part of the duration of the contract, given prior written pre-approval from NCSC and only for specific durations.

The services can only be executed from NATO member countries.

NCIA IT equipment will be provided (NCSC NROP laptop and/or NCIA NRAIS laptop will be provided) + access to NCSC NSOP workstation.

Daily presence on SHAPE, Mons Belgium is expected to deliver according to performance goals. Maximum 2 travels per month to other locations in Belgium (NATO HQ in Brussels, NCIA offices in Braine L’Alleud) for meetings might be requested. No overnight stay required.

All travel costs are included in the quoted price. No additional cost for travel (including accommodation, per diem, travel expenses, etc.,) will be claimed separately. All travel arrangements are the responsibility of the Contractor’s personnel.

No extra cost can be associated to the presence of any team member on SHAPE, Mons, Belgium.

For the extraordinary travel to other NATO locations, the expenses will be reimbursed in accordance with Article 5.5 of AAS Framework Contract and within the limits of the NCIA Travel Directive. They will be invoiced separately to the purchaser by the service provider, in accordance with the terms and conditions of the framework agreement.

These additional travel costs are considered an extra charge to the overall bid price.

The first 5 working days of a new resource (starting at the date the SHAPE ID was obtained) are considered familiarisation and handover/takeover period for which no payment will be made as no deliverable can reasonably be expected during that time.

The provider must communicate the starting date and all on boarding documents, at least 3 weeks prior to the starting date to the NCSC point of contact.

It is the responsibility of the provider to inform and make sure each resource can comply with the requirements to obtain a SHAPE ID on their starting day. This includes among others the clearance (RFV) and the mandatory registration in a Belgium commune. The list of documents required can be consulted here:

https://www.shape2day.com/arrivingleaving/inprocessing/are-you-a-national-civilian-component/contractorconsultant

12. QUALIFICATIONS SKILLS

[See Requirements]

Requirements

10. SECURITY AND NON-DISCLOSURE AGREEMENT

• Any contracted individuals of the Contractor’s personnel must be in possession of a security clearance by their National Authority of NATO COSMIC TOP SECRET or above.

12. QUALIFICATIONS SKILLS

The Contractor’s Personnel must meet the following experience, qualities and qualifications:

• Experience of at least 2 years in malware analysis techniques and technologies;
• Experience of at least 2 years in analysis of digital forensic artefacts in the context of cyber security
• Experience of at least 2 years in cyber security in cloud-based environments
• Experience of at least 2 years in analysing Windows forensics artefacts such as Windows Event logs, UAL, MFT…
• Experience of at least 2 years in writing scripts (Python, Powershell) and building automation workflows
• Experience of at least 2 years in report writing about a technical task and communication with stakeholders
• Excellent ability to recognise when an IT network/system has been attacked, be able to take immediate action to limit damage and to escalate the event to higher authority;
• Good knowledge of the principles of computer and communications security, networking, and vulnerabilities of modern operating systems and applications;
• Good understanding of the MITRE ATT&CK framework and its applicability in Cyber;
• Good knowledge of cyber security incident handling;
• Knowledge of Azure Sentinel, Microsoft Defender for endpoint
• Good knowledge of networking protocols
• Knowledge of Fidelis EDR is an asset
• Language proficiency in English meet or exceed the NATO STANAG 6001 Level 3 “Professional Proficiency”.
• The contractor shall be dressed suitably for meetings with high ranked officials. No religious sign shall be worn during such meeting.
• The contractor shall actively collaborate during internal meeting and touch-points discussions to improve the quality of services.
• Strong reporting skills to various levels of seniority,
• Accuracy and attention to detail.
• Previous experience in working for or supporting a military or governmental organization is an asset.