2025-0221 NATO Restricted (NR) Business Network Accreditation (NS) - MON 28 Jul
Mons, Wallonia, Belgium
EMW, Inc.
Deadline Date: Monday 28 July 2025
Requirement: NATO Restricted (NR) Business Network (REACH) Accreditation
Location: Mons, BE
Full Time On-Site: Yes
Time On-Site: 100%
Period of Performance: 2025 BASE: As soon as possible but not later than 01 Sep 2025 until 31 Dec 2025.
2026 OPTION: 1 January 2026 until 31 December 2026
Required Security Clearance: NATO SECRET
1. PURPOSE
The objective of this Statement of Work (SoW) is to support the NR Business Network (REACH) accreditation process.
The support will be given to the NATO Cyber Security Centre (NCSC) to fulfil the identified REACH accreditation activities effectively.
2. BACKGROUND
REACH refers to the mobile workspace services including the NR client devices, underlying infrastructure, LAN and service desk services.
To support the NATO Cyber Security Centre (NCSC) in the execution of the tasks identified in the Statement of Work (SoW), the NCIA is looking for subject matter expertise in the delivery of complex, foundational and novel accreditation support capability.
This contract is to provide consistent support to NCSC with a deliverable-based (completion-type) contract contributing to the deliverables that are described in the scope of the work below.
3. SCOPE OF WORK
Identified activities will be performed under the direction / guidance of the NCSC Point of Contact (PoC), and the contractor will be a member of the NCSC Team.
The breakdown of requested activities is the following:
3.1 General
• Support Communication Information Systems (CIS) Security assurance of all REACH services,
• Contribute to the enforcement of NATO Policy, Agency Directives and Standard Operating Procedures (SOPs),
• Liaise with all stakeholders to provide operational CIS security support to all REACH services,
• Provide subject matter expert knowledge to assist REACH accreditation process,
• Support information security processes for REACH CIS within the Agency, both for internal operations and for Agency’s customer-funded networks,
• Contribute to the resolution of security requirement conflicts and collaborate with Project Managers (PM), Service Delivery Managers (SDM) and engineers to appropriately convert customer requirements into secure services,
• Coordinate with systems administrators in support of security architecture requirements,
• Identify cyber security-related Key Performance Indicators (KPI) and generate reports to ensure full visibility of all REACH CIS,
• In coordination with NCSC Accreditation Support Office, support all phases of security accreditation processes required to maintain operation status.
3.2 Information Security
• Communicate security risks and issues to business managers and others,
• Perform basic risk assessments for large scale enterprise information systems,
• Contribute to the identification of risks that arise from potential technical solution architectures,
• Suggest alternate solutions or countermeasures to mitigate risks,
• Support investigation of suspected attacks and security breaches.
3.3 Information Assurance
• Follow standard approaches for the technical assessment of information systems against information assurance policies and business objectives.
• Recognise decisions that are beyond their scope and responsibility level and escalate accordingly.
• Review and perform risk assessments and risk treatment plans.
• Identify typical risk indicators and explain prevention measures.
• Execute Vulnerability Management duties, based on the Security findings reported from the assessment campaigns. This includes: Validating the severity of discovered vulnerabilities; Contextualising the vulnerabilities in the light of NATO policies and best practices; Determining possible remediation and mitigation measures; Defining / Assigning priorities; Contacting and liaising with relevant system owners and proposing a remediation plan; Tracking and tracing all remediation actions and reporting to the relevant stakeholders;
• Collect and consolidate the vulnerabilities discovered with the assessment services.
• Support NCIA CIS Support Units and other NATO entities and customers in the process of vulnerability remediation.
• Compile, draft, review, develop, and provide input on all relevant aspects relating to the vulnerability management and mitigation process in NATO CIS.
• Brief at both executive and technical levels on Vulnerability Management reports and mitigations status, including at flag officer level.
3.5 Specialist Advice
• Provide security consultancy and advice to projects, plans and teams.
The measurement of execution for this work is sprints, with each sprint planned for a duration of 5 working days.
4. DELIVERABLES AND PAYMENT MILESTONES
The following deliverables are expected from the work on this SoW:
2025 BASE: from 01 September 2025 to 31 December 2025:
Deliverable: 17 sprints to support NR Business Network (REACH) Accreditation Support as described in Para 3 (Number of sprints is calculated considering a starting date 01 September 2025. This will be adjusted based on actual starting date.)
Payment Milestones: Monthly payment for the completed and accepted sprints within the month. Completion of each sprint shall be documented in the Delivery Acceptance Sheet (DAS) – (Annex B), signed for acceptance by the Purchaser’s authorized point of contact and the Contractor.
The Purchaser (NCIA) reserves the right to exercise a number of options of one or more sprints based on the same deliverables, at a later time, depending on the project priorities and requirements, at the following cost: for base year (2025) at the same cost, for following year (2026) the Price Adjustment Formula will be applied in accordance with paragraph 6.5 of the Framework Contract Special Provisions.
The payment shall be dependent upon successful acceptance of the Delivery Acceptance Sheet (DAS) – (Annex B).
Invoices shall be accompanied with a Delivery Acceptance Sheet (Annex B) signed by the Contractor and the project authority.
2026 Option: 1 January 2026 to 31 December 2026:
Deliverable: 46 sprints to support NR Business Network (REACH) Accreditation Support as described in Para 3
Cost Ceiling: Price will be determined by applying the price adjustment formula as outlined in CO‐115786‐AAS+ Special Provisions article 6.5.
Payment Milestones: Monthly payment for the completed and accepted sprints within the month. Completion of each sprint shall be documented in the Delivery Acceptance Sheet (DAS) – (Annex B), signed for acceptance by the Purchaser’s authorized point of contact and the Contractor.
5. COORDINATION AND REPORTING
Due to the agile approach of this project, there is a need to define a set of specific arrangements between the NCIA and the contractor that specifically defines the deliverables to be provided for each sprint as well as their associated acceptance criteria. This includes sprint planning, execution and review processes, which are detailed below:
5.1 Sprint Planning
Objective: Plan the objectives and deliverables for the upcoming sprint;
At the start of each sprint, a sprint planning meeting will be conducted with the contractor to discuss and plan the objectives and deliverables of the upcoming sprint;
Define clear, achievable objectives for the sprint and associated acceptance criteria, including specific delivery targets and quality standards for each task, to be recorded in the sprint planning meeting minutes.
Agree on the required level of effort for the various sprint tasks.
Backlog Review: Review and prioritize the backlog of tasks, issues, and improvements from previous sprints.
Assess and validate the status of completion of the previous sprint and sign off sprints to be submitted for payment as covered in Section 5.4.
5.2 Sprint Execution
Objective: Contractor to execute the agreed “sprint plans” with continuous monitoring and adjustments.
Regular meetings: The contractor shall participate in status update meetings to review sprint progress, to address issues, and to make necessary adjustments to the processes or objectives.
Those sprint meetings will be via electronic means using Conference Call capabilities. On rare occasions, there may be a requirement to attend a physical meeting in the office, or in person, as requested by the project manager.
Continuous improvement: The contractor will establish a continuous feedback loop to gather input from all stakeholders for ongoing improvements and their subsequent implementation depending on NCIA approval.
Progress Tracking: Contractor to track and share the status of the sprint deliveries and any risks/issues.
Quality Assurance / Quality Check: The contractor shall ensure that the quality standards agreed for the sprint deliverables are maintained throughout the sprint.
Quality Control: NCIA will perform the quality control of the agreed deliverables and provide feedback on any issues.
5.3 Sprint Review
Objective: Review the sprint performance and identify areas for improvement.
At the end of each sprint, there will be a meeting to review the deliverables and outcomes against the acceptance criteria.
Define specific actions to address issues and enhance the next sprint.
5.4 Sprint Payment
Progress on the above deliverables will be checked and approved on a per sprint basis.
For each sprint to be considered as complete and payable, the contractor must report the outcome of their work during the sprint, first verbally during the sprint review meeting and then in writing within three days after the sprint’s end date. The format of this report shall be an email to the NCIA Point of Contact mentioning briefly the work performed and the development achievements during the sprint against the agreed tasking list set for the sprint.
At the end of the project, the Contractor shall provide a Project Closure Report that summarizes the activities during the period of performance at a high level.
The payment of each sprint will depend upon the achievement of the agreed acceptance criteria for each task, defined at the sprint planning stage.
If the contractor fails to meet the agreed acceptance criteria for any task, the NCIA reserves the right to withhold (partial) payment for that sprint.
Invoices shall be accompanied by a Delivery Acceptance Sheet (DAS), signed by the contractor and the project manager, and shall follow the payment milestones.
6. PENALTY AND REJECTION PROCESS
If the contractor does not meet the expected service delivery level based on the CV presented, if the assigned tasks are not performed as expected based on NATO standards, or if the assigned tasks are not finalized within the given time, the sprint will not be accepted and the service will not be paid.
If any of the above mentioned issues persist, the outsourcing partner will be asked to provide a replacement.
7. SCHEDULE
This task order will be active immediately after signing of the contract by both parties.
The period of performance is as soon as possible but not later than 01 Sep 2025 and will end no later than 31 December 2025.
If the 2026 option is exercised, the period of performance is 01 January 2026 to 31 December 2026.
8. CONSTRAINTS
All the deliverables provided under this statement of work will be based on NCIA templates or agreed with the project point of contact.
All documentation etc. will be stored under configuration management and/or in the provided NCIA tools.
9. SECURITY AND NON-DISCLOSURE AGREEMENT
It is mandatory to have the candidate be in possession of a NATO SECRET security clearance to facilitate follow-on engagements and coordination at NATO venues.
The signature of a Non-Disclosure Agreement between the contractor contributing to this task and NCIA will be required prior to execution.
10. PRACTICAL ARRANGEMENTS
The contractor will be required to work 100% onsite at NCIA Headquarters in Mons / BELGIUM as part of this engagement. Working hours to be adjusted accordingly. Incident resolution activities may be requested outside business hours as part of deliverable-based sprints.
The contractor may be required to travel to other NATO locations as part of his role. Travel expenses for missions to NATO/NCIA locations other than Mons / BELGIUM will be reimbursed to the individual directly (outside this contract).
Travel arrangements will be the responsibility of the contractor and the expenses will be reimbursed in accordance with Article 5.5 of the AAS+ Framework Contract and within the limits of the NCIA Travel Directive.
This work must be accomplished by one contractor for the entire performance period.
The Purchaser will provide the contractor with the following Purchaser-Furnished Equipment (PFE):
• Access to NATO sites, as required, for the purpose of executing this SOW.
• Workspace (needed business IT for both on- and off-site work, hot-desk at NCSC facility).
• NCIA “REACH” laptop to be used by the contractor for the execution of the contract.
11. REQUIRED PROFILE
[See Requirements]
Requirements
11. REQUIRED PROFILE
The contractor who is going to deliver the identified services as an SME of REACH Accreditation Support must have demonstrated skills, knowledge and experience listed below.
11.1 Education, Experience and Training (Essential):
- A minimum requirement of a bachelor’s degree at a nationally recognised/certified University in a related discipline and 2 years post-related experience,
- Or exceptionally, the lack of a university degree may be compensated by the demonstration of a candidate’s particular abilities or experience that is/are of interest to NCIA, that is, at least 6 years extensive and progressive expertise in duties related to the function of the post.
11.2 Technical Skills (Essential):
- Several years of experience (at least two years) with system security, security architecture, network security engineering, and security governance including policy alignment, risk management, performance management and value delivery,
- Minimum 5 years proven experience in CIS Security,
- Minimum 5 years proven experience in modern CIS secure deployment and configuration troubleshooting,
- Minimum 2 years of extensive experience in the contextual interpretation of Vulnerability Assessments results,
- Comprehensive understanding of the principles of computer and communications security, networking, and the vulnerabilities of modern operating systems and applications acquired through a blend of academic or professional training coupled with practical professional experience,
- Proven minimum 5 years professional experience and knowledge in at least three of the following:
- Implementation and integration of Information Assurance protective measures,
- Security mechanisms and administration of LAN and WAN in the large enterprise environment,
- Private and public cloud security,
- Enterprise system administration experience of Windows Active Directory concepts and architecture.
- Enterprise system administration experience of VMware vSphere environment and architecture, with emphasis on security concepts design and implementation.
11.3 Technical Skills (Desirable):
- AWS Certified Cloud Practitioner, Certificate of Cloud Security Knowledge, or other cloud/cloud security certifications,
- ISACA CISM, and/or ISC2 CISSP, CCSP Certification,
- Good knowledge of containerized micro services and applications, Kubernetes, Docker, etc.,
- Good knowledge of main public cloud ecosystems,
- Good knowledge and exposure to cloud standards, architecture, and models,
- Knowledge of industry standard DevSecOps tools and frameworks,
- Knowledge of cloud networking architecture, cloud operations, security, automation, and orchestration,
- Excellent knowledge of, and experience using, common security tools such as Tenable Nessus, Nmap, Tanium endpoint management, Microsoft Defender, Trellix ePO, etc.,
- Knowledge of common MS and Linux updating and patching systems,
- Knowledge of common IT security frameworks and governance models,
- Knowledge of CVSS V2 and V3,
- Knowledge of NATO responsibilities and organization to include NATO Security Policy and supporting directives,
- Understanding of Cyber issues within NATO or NATO member nation environment,
- Prior experience of working in an international environment comprising both military and civilian elements;
- Knowledge of NATO responsibilities and organization, including ACO and ACT,
- Knowledge about risk management related to Artificial Intelligence tools and developments and its impact on cyber security.
11.4 Automation Skills:
- Proficiency in automation to create workflows and automate repetitive processes, with a minimum of 2 years' experience,
- Ability to identify and implement automation opportunities to enhance efficiency.
11.5 Communication and Interpersonal Skills:
- Excellent verbal and written communication skills,
- Full proficiency in English,
- Ability to communicate technical information to non-technical users in a clear and concise manner,
- Ability to communicate effectively orally, using tact and diplomacy, and in writing with effective briefing skills.
11.6 Customer Service Orientation:
- Strong customer service focus with a commitment to user satisfaction,
- Patience and empathy when dealing with user issues and concerns.
11.7 Organizational Skills:
- Ability to manage and to prioritize tasks effectively,
- Attention to detail in documenting support activities and maintaining accurate records.
11.8 Team Collaboration:
- Ability to work effectively as part of a team and share knowledge and resources,
- Willingness to collaborate with colleagues to solve complex issues.
11.9 Others:
- The candidate has strong customer relationship skills, including negotiating complex and sensitive situations under pressure,
- The candidate must have the nationality of one of the NATO nations.
12. Others (Desirable)
The candidate should also ideally have knowledge and experience in the following areas:
- Experience in working with NATO,
- Experience of working with NATO Communications and Information Agency,
- Experience of working with national Defence or Government entities.