2025-0216 Cyber Security Accreditation Support (NS) - FRI 8 Aug

The Hague, South Holland, Netherlands


Deadline Date: Friday 8 August 2025

Requirement: Cyber Security Accreditation Support

Location: The Hague, NL

Full Time On-Site: Yes

Time On-Site: 100%

Period of Performance: 2025 BASE: As soon as possible but not later than 1 September 2025 until 31 DEC 2025 with the possibility to exercise following options:

• 2026 option: from 01 JAN 2026 to 31 DEC 2026

• 2027 option: from 01 JAN 2027 to 31 DEC 2027

• 2028 option: from 01 JAN 2028 to 31 DEC 2028

Required Security Clearance: NATO SECRET

Special Terms and Conditions: A Non-disclosure Undertaking will have to be signed before the start of the service delivery

 

1 INTRODUCTION

Supporting NATO throughout all its geographical locations, NCIA is looking for service delivery in Cyber Security Accreditation Support, to support NATO’s modernisation of IT services, through leveraging the public cloud (Microsoft Azure, M365 and Amazon AWS), delivering managed, protected, security-centric and reliable IT Services.

NCIA – Cloud Operations Team

The NATO Communications and Information Agency (NCIA) is dedicated to supporting NATO's strategic objectives, including the ambitious NATO 2030 agenda. As part of this commitment, we are spearheading the modernization and digital transformation of NATO’s IT services. Our focus is on leveraging public cloud technologies like Microsoft 365 and Intune, incorporating a security-by-design approach, and ensuring a seamless transition to a modern, collaborative workplace environment.

To achieve these goals, we are building a Cloud Operations team under the Cloud Center of Excellence, operating under the NATO Enterprise Cloud Operating Model (NECOM). The NECOM framework provides a standardized approach for cloud service management, ensuring interoperability, scalability, and security across NATO's IT infrastructure. The Cloud Center of Excellence will serve as a hub for best practices, innovation, and expertise, driving the adoption and optimization of cloud technologies within NATO. This team will play a crucial role in our journey towards providing managed, protected, and reliable End User Services.

Embracing the latest technological advancements, this initiative will foster innovation and ensure NATO remains at the cutting edge of IT capabilities. By continuously evolving and integrating new technologies, we aim to enhance operational efficiency and readiness for future challenges. This remote position offers an exciting opportunity to be at the forefront of NATO's technological evolution and contribute to the security and efficiency of our operations.

NCIA – Cloud Centre of Excellence (CCoE)

The Cloud Centre of Excellence (CCoE) within NCIA is focused on driving successful cloud adoption and maximizing the potential of cloud technologies across the organization. It serves as a central governing body, promoting best practices, enabling knowledge sharing, and ensuring alignment between business objectives and cloud initiatives. The CCoE supports various cloud-based solutions, ensuring their effective and efficient implementation and management. By fostering a culture of continuous improvement and innovation, the CCoE helps NCIA leverage cloud technologies to enhance operational efficiency, scalability, and agility.

NCIA is seeking highly skilled service delivery in Cyber Security Accreditation Support to support our team within the NATO Cyber Security Centre (NCSC). The contractor will be responsible for supporting the accreditation of NATO CIS systems and public cloud services, ensuring full compliance with NATO security policies and directives. These services involve preparing security documentation, conducting risk assessments, and serving as the liaison between project teams and Security Accreditation Authorities. The contractor will contribute to the secure delivery of IT capabilities by developing Security Accreditation Plans, Security Risk Assessments, and managing stakeholder engagement throughout the accreditation lifecycle.

These services require expertise in NATO accreditation standards, cyber security policies, and secure solution design. The contractor will deliver services in close relation to cross-functional teams to assess risks, implement mitigation strategies, and ensure security-by-design is applied across all systems. The contractor shall have a strong background in accreditation processes, system security planning, and stakeholder communication. The contractor will also provide technical advice during architecture reviews, document compliance evidence, and participate in Security Accreditation Boards.

Contractor’s responsibilities will include aligning solutions with NIST, ISO, and NATO frameworks, automating compliance reporting, and supporting audits. You will also stay current with emerging cyber security standards and technologies, advising on their integration into accreditation practices.

Furthermore, the contractor will be responsible for generating and analyzing reports on device compliance and usage, providing valuable insights into the health and security of our device fleet.

2 OBJECTIVES

NCIA is embracing cloud services by transitioning to Microsoft 365 with a security-centric design.

This shift aims to enhance operational efficiency, collaboration, and security across the organization. We are looking for individuals with strong knowledge, a willingness to learn, and a desire to grow as part of this new challenge.

The objective of this statement of work is to establish a support and operating model for End User Services operating in the Public Cloud, with a focus on Microsoft 365 services.

3 SCOPE OF WORK

Under the direction / guidance of the local NCIA Point of Contact or the Cloud Ops Operations Manager, the contractor will support the following activities:

1) Solution Architecture:

Contribute to the development of secure solution architectures by identifying applicable NATO security directives and assessing their implications.

Provide security accreditation input during design, implementation, and transition phases.

2) Cyber Security Risk Management:

Support Security Risk Assessments (SRA) for NATO CIS components.

Identify threats, vulnerabilities, and residual risks, and propose mitigation strategies.

Support with identifying alternate technical solutions to address identified risks.

3) Security Documentation and Planning:

Develop Security Accreditation Plans (SAP), Security Requirement Statements (SRS), Security Risk Assessment Reports (SRAR), and Security Operating Procedures (SecOPs).

Manage Security Test and Verification Plans (STVPs) and observe or witness security testing.

4) Security Accreditation Liaison:

Coordinate with Security Accreditation Authorities (SAAs), Project Managers, and System Managers.

Represent the Agency in Security Accreditation Boards (SABs), stakeholder meetings, and working groups.

5) Requirements Definition:

Define, document, and manage accreditation requirements in compliance with NATO security policies.

Support Invitations for Bid (IFBs), bid evaluations, and acquisition lifecycle documentation.

6) User Experience Analysis:

Engage stakeholders to clarify and prioritize accreditation-related requirements.

Address conflicting needs and constraints.

7) Communication and Reporting:

Provide inputs to project highlight reports, exception reports, strategic plans, and other management documentation.

Deliver briefings and presentations related to security accreditation.

8) Technology Awareness:

Remain up to date on relevant cyber security, cloud, and compliance technologies.

Participate in knowledge sharing and technology review sessions.

9) Reporting and Analysis:

Generate and analyze reports on device compliance, usage, and management activities.

Provide insights into device fleet health and security.

10) Collaboration with IT Support:

Work closely with the IT support team to resolve complex device-related issues.

Serve as a subject matter expert in mobile device management.

11) Documentation and Training:

Maintain comprehensive documentation for Cloud Operations processes, configurations, and workflows.

Provide training and support to other staff as required for knowledge and information sharing.

12) Collaboration and Communication:

Collaborate with IT security, compliance, and other relevant teams to ensure cohesive Cloud Operations strategies.

Communicate effectively with internal stakeholders to understand requirements and address concerns.

The contractor will be part of the project management and implementation team, working closely with the Cloud Operations Centre team, ensuring the secure, available, managed and compliant delivery of Public Cloud Services to NATO and its Strategic Commands.

The measurement of execution for this work is sprints, with each sprint being planned for a duration of 5 working days.

Due to the AGILE approach of this project, the specific deliverables and associated acceptance criteria will be defined for each sprint between the NCIA and the contractor. This includes sprint planning, execution and review processes, which are detailed below:

1. Sprint Planning:

Objective: Plan the objectives for the upcoming sprint

Kick-off meeting: Conduct a monthly meeting with the contractor to plan the objectives of upcoming sprints and review the contractor's manpower to meet the agreed deliverables.

Set sprint goals: Define clear, achievable goals for the sprint and associated acceptance criteria, including specific delivery targets, quality standards as well as Key Performance Indicators (KPIs) for each task to be recorded in the sprint meeting minutes.

Agree on the required level of effort for the various sprint tasks.

Backlog Review: Review and prioritise the backlog of tasks, issues, and improvements from previous sprints.

Assess each payment milestone cycle (duration of one calendar month): state of completion and validation of each sprint's status, and sign-off of sprints to be submitted for payment as covered in Section 4.

2. Sprint Execution

Objective: Contractor to execute the agreed “sprint plans” with continuous monitoring and adjustments.

Regular meetings between NCIA and the contractor to review sprint progress, address issues, and make necessary adjustments to the processes or production methodology. The meetings will be held physically in the office, or in person via electronic means using Conference Call capabilities, according to the NCIA staff instructions.

Continuous improvement: Contractor to establish a continuous feedback loop to gather input from all stakeholders for ongoing improvements and their subsequent implementation depending on NCIA approval.

Progress Tracking: Contractor to use a shared dashboard or tool to track the status of the sprint deliveries and any issues.

Quality Assurance/Quality Check: Contractor shall ensure that the quality standards agreed for the sprint deliverables are maintained throughout the sprint.

Quality Control: NCIA to perform the Final Quality Control of the agreed deliverables and provide feedback on any issues.

3. Sprint Review

Objective: Review the sprint performance and identify areas for improvement.

At the end of each sprint, there will be a meeting between the NCIA and the Contractor to review the outcomes against the acceptance criteria comprising sprint goals, agreed quality criteria and Key Performance Indicators (KPIs).

Define specific actions to address issues and enhance the next sprint.

4. Sprint Payment

For each sprint to be considered as complete and payable, the contractor must report the outcome of their work during the sprint, first verbally during the retrospective sprint review meeting and then in writing within three days after the sprint’s end date. A report must be sent by email to the NCIA manager, highlighting all work performed against the agreed tasking list set for the sprint.

The contractor's payment for each sprint will depend upon the achievement of the agreed Acceptance Criteria for each task, defined at the sprint planning stage. This will include specific delivery targets, quality standards as well as Key Performance Indicators (KPIs) for each task.

The payment shall be dependent upon successful acceptance as set in the above planning/review meetings. This will follow the payment milestones that shall include a completed Delivery Acceptance Sheet (DAS) – (Annex A)

Invoices shall be accompanied with a Delivery Acceptance Sheet (DAS) – (Annex A) signed by the Contractor and project authority.

If the contractor fails to meet the agreed Acceptance criteria for any task, the NCIA reserves the right to withhold payment for that task/sprint.

Each sprint has a duration of one week. The content and scope of each sprint will be agreed during the sprint-planning meetings.

4 DELIVERABLES AND PAYMENT MILESTONES

The following deliverables are expected from the work on this statement of work:

2025 BASE period: from 01 SEP 2025 to 31 DEC 2025:

Deliverable: 17 sprints of accreditation support.

Payment Milestones: Upon completion of each fourth sprint and at the end of the work.

The Purchaser (NCIA) reserves the right to exercise a number of options of one or more sprints based on the same scrum deliverables, at a later time, depending on the project priorities and requirements, at the following cost: for base year (2025) at the same cost, for outer years (2026, 2027 and 2028) the Price Adjustment Formula will be applied in accordance with paragraph 6.5 of the Framework Contract Special Provisions.

The payment shall be dependent upon successful acceptance of the Delivery Acceptance Sheet (DAS) – (Annex A).

Invoices shall be accompanied with a Delivery Acceptance Sheet (Annex A) signed by the Contractor and the project authority.

2026, 2027 and 2028 OPTION: from 01 JAN to 31 DEC

Deliverable: Up to 46 sprints of accreditation support.

Cost Ceiling: Price will be determined by applying the price adjustment formula as outlined in CO-115786-AAS+ Special Provisions article 6.5.

Payment Milestones: Upon completion of each fourth sprint and at the end of the work.

5 COORDINATION AND REPORTING

The contractor shall participate in daily status update meetings, activity planning and other meetings as instructed, physically in the office, or in person via electronic means using Conference Call capabilities, according to the Operation Managers' / Team Leaders' instructions.

For each sprint to be considered as complete and payable, the contractor must report the outcome of his/her work during the sprint, first verbally during the retrospective meeting and then in writing within three (3) days after the sprint’s end date. The format of this report shall be a short email to the NCIA Point of Contact mentioning briefly the work held and the development achievements during the sprint.

6 SCHEDULE

This task order will be active immediately after signing of the contract by both parties and will end no later than 31 December 2025.

If the 2026, 2027 and 2028 options are exercised, the period of performance is 01 JAN to 31 DEC of the respective year.

7 CONSTRAINTS

All the deliverables provided under this statement of work will be based on NCIA templates or agreed with the project point of contact.

All code, scripts, documentation, etc. will be stored under configuration management and/or in the provided NCIA tools.

All the deliverables of this project will be considered NATO UNCLASSIFIED, while access to networks exceeding this classification level is required.

With this role being of technical nature with access to NATO managed networks, a security clearance at the NATO SECRET level is required prior to the start of the engagement.

8 PRACTICAL ARRANGEMENTS

The contractor will work 100% on-site, with the possibility to work remotely up to 1 day per week.

Remote services need to be provided from a NATO country. The duty location being The Hague (NETHERLANDS), the contractor shall provide services during Core working hours of the Cloud Operations team (Brussels / BEL).

The contractor may be required to travel infrequently, not exceeding 2 weeks at a maximum, to other NCIA locations as part of his role. Travel arrangements will be the responsibility of the contractor and the expenses will be reimbursed in accordance with Article 5.5 of the AAS+ Framework Contract and within the limits of the NCIA Travel Directive.

The contractor delivering the services will be part of the NCIA NATO Public Cloud Project Team.

9 QUALIFICATIONS


The consultancy support for these services requires an experienced contractor in Cyber Security Accreditation Support, with the following qualifications:

1) Experience:

  • At least 5 years of experience supporting cyber security projects for large-scale CIS environments.
  • At least 5 years of background in system security engineering, accreditation, and architecture.

2) Accreditation Expertise:

  • Proven experience with NATO or national security accreditation.
  • Familiarity with lifecycle accreditation documentation (SAP, SRS, STVP).
  • Understanding of accreditation authority structures and stakeholder dynamics.

3) Risk Assessment Proficiency:

  • Skilled in conducting security risk assessments and SRARs.
  • Familiar with NIST SP 800-30, ISO 27005 frameworks.
  • Ability to advise on remediation and residual risk handling.

4) Security Policy Knowledge:

  • Thorough knowledge of NATO Security Policy and ACO/ACT frameworks.
  • Ability to interpret and implement policy requirements.
  • Experience contributing to policy and directive development.

5) Technical Security Understanding:

  • Understanding of secure architecture principles in hybrid/public cloud.
  • Knowledge of identity, access management, and ZTNA concepts.
  • Familiarity with data protection strategies, including encryption and DLP.

6) Communication Skills:

  • Excellent written communication for reporting and documentation.
  • Effective oral communication and stakeholder engagement.
  • Presentation of security posture and compliance status to senior audiences.

7) Stakeholder Engagement:

  • Comfortable liaising with SAAs, PMs, and operational authorities.
  • Representation in SABs and NATO-wide working groups.
  • Capable of conflict resolution and negotiating accreditation paths.

8) Project Support:

  • Provide accreditation advice for proposals, bids, and tenders.
  • Support for security deliverables during project lifecycle.
  • Input into procurement, development, and deployment stages.

9) Multinational Experience:

  • Experience working in international, multi-cultural environments.
  • Familiarity with civil-military collaboration structures.
  • Appreciation of NATO’s organizational mission and governance.

10) Certifications:

  • Desirable: CISSP, CISM, or CISA.
  • Other relevant training in security risk or audit domains.
  • Commitment to ongoing professional development.

11) Language and Clearance:

  • Fluent in English, both spoken and written.
  • French language proficiency is an asset.
  • NATO Secret Security Clearance or national equivalent required.

12) Security and Compliance Knowledge:

  • Understanding of security best practices and compliance requirements related to Intune Device Management and Operations.
  • Experience conducting audits and ensuring adherence to regulatory standards.

13) Communication and Collaboration:

  • Excellent communication skills to effectively collaborate with IT teams, stakeholders, and end-users.
  • Ability to document processes clearly and provide training on IAM tools and practices.

14) Organizational Skills:

  • Strong organizational skills to manage multiple tasks and priorities effectively.
  • Attention to detail in managing M365 environment and the Microsoft Intune Platform.

15) Team Collaboration:

  • Ability to work effectively as part of a team and share knowledge and resources.
  • Willingness to collaborate with colleagues to solve complex issues.

16) Others:

  • The individual has strong customer relationship skills, including negotiating complex and sensitive situations under pressure.
  • Full proficiency in the English language. French language proficiency is an advantage.
  • The individual must have the nationality of one of the NATO nations.
  • The individual must possess a NATO Secret Security Clearance or national equivalent.