2025-0217 M365 and Data Compliance Management (NS) - FRI 8 Aug

Deadline Date: Friday 8 August 2025

Requirement: M365 and Data Compliance Management

Location: Braine L'Alleud. Belgium

Full Time On-Site: Yes

Time On-Site: 100%

Period of Performance: 2025 BASE: As soon as possible but not later than 1 September 2025 until 31 DEC 2025 with the possibility to exercise following options:

• 2026 option: from 01 JAN 2026 to 31 DEC 2026

• 2027 option: from 01 JAN 2027 to 31 DEC 2027

• 2028 option: from 01 JAN 2028 to 31 DEC 2028

Required Security Clearance: NATO SECRET

Special Terms and Conditions: A Non-disclosure Undertaking will have to be signed before the start of the service delivery

1 INTRODUCTION

Supporting NATO throughout all its geographical locations, NCIA is looking for service delivery in M365 and Data Compliance Management, to support NATO’s modernisation of IT services through leveraging the public cloud (Microsoft Azure, M365, Intune and Amazon AWS), delivering managed, protected, security-centric and reliable IT Services.

NCIA – Cloud Operations Team

The NATO Communications and Information Agency (NCIA) is dedicated to supporting NATO's strategic objectives, including the ambitious NATO 2030 agenda. As part of this commitment, we are spearheading the modernization and digital transformation of NATO’s IT services. Our focus is on leveraging public cloud technologies like Microsoft 365 and Intune, incorporating a security-by-design approach, and ensuring a seamless transition to a modern, collaborative workplace environment.

To achieve these goals, we are building a Cloud Operations team under the Cloud Center of Excellence, operating under the NATO Enterprise Cloud Operating Model (NECOM). The NECOM framework provides a standardized approach for cloud service management, ensuring interoperability, scalability, and security across NATO's IT infrastructure. The Cloud Center of Excellence will serve as a hub for best practices, innovation, and expertise, driving the adoption and optimization of cloud technologies within NATO. This team will play a crucial role in our journey towards providing managed, protected, and reliable End User Services.

Embracing the latest technological advancements, this initiative will foster innovation and ensure NATO remains at the cutting edge of IT capabilities. By continuously evolving and integrating new technologies, we aim to enhance operational efficiency and readiness for future challenges. This remote position offers an exciting opportunity to be at the forefront of NATO's technological evolution and contribute to the security and efficiency of our operations.

NCIA – Cloud Centre of Excellence (CCoE)

The Cloud Centre of Excellence (CCoE) within the NCIA is focused on driving successful cloud adoption and maximizing the potential of cloud technologies across the organization. It serves as a central governing body, promoting best practices, enabling knowledge sharing, and ensuring alignment between business objectives and cloud initiatives. The CCoE supports various cloud-based solutions, ensuring their effective and efficient implementation and management. By fostering a culture of continuous improvement and innovation, the CCoE helps the NCIA leverage cloud technologies to enhance operational efficiency, scalability, and agility.

2 OBJECTIVES

NCIA is embracing cloud services by transitioning to Microsoft 365 with a security-centric design. This shift aims to enhance operational efficiency, collaboration, and security across the organization.

The objective of this statement of work is to establish a support and operating model for End User Services operating in the Public Cloud, with a focus on Microsoft 365 services.

3 SCOPE OF WORK

Under the direction / guidance of the local NCIA Point of Contact or the Cloud Ops Operations Manager, the contractor will support the following:

1) Execute data ingestion into Microsoft 365 services

Migrate large volumes of user and archive data into Exchange Online, SharePoint, OneDrive, and Teams.

Handle folder mapping, duplicate resolution, and retention policies during migration.

Verify accuracy, access rights, and post-migration usability.

2) Operate Azure Blob Storage as staging layer

Upload and organize content securely before ingestion workflows.

Maintain structured metadata for traceability and reconciliation.

Monitor storage utilization, access logs, and tagging structure.

3) Perform file sanitization using OPSWAT and Defender tools

Integrate MetaDefender Core workflows for CDR and malware analysis.

Apply Defender for Endpoint and Defender for M365 scanning policies.

Log, track, and resolve scan results, blocked content, and exceptions.

4) Apply metadata and classification labels via Titus

Use Titus to assign NATO-aligned metadata (classification, caveat, handling).

Validate label inheritance across Microsoft 365 workloads.

Troubleshoot failed labeling operations and regenerate metadata stamps.

5) Assign and verify Microsoft Purview Sensitivity Labels

Deploy and audit sensitivity labels during and after content ingestion.

Support auto-labeling rules and encrypted file handling.

Ensure label compliance with NATO data protection rules.

6) Process PST and legacy email archives

Ingest PSTs using Compliance Center, PowerShell, or AzCopy.

Validate completeness, folder structure, and timestamp accuracy.

Monitor mailbox quotas, duplicate management, and error logs.

7) Develop and manage automation scripts

Write PowerShell and Graph API scripts for labeling and content ingestion.

Ensure logging, rollback, and structured exception handling.

Maintain version control, documentation, and reusability.

8) Administer Microsoft 365 and Intune compliance policies

Enforce DLP, retention, conditional access, and audit policies.

Support policy reviews and reporting within Compliance Center and Intune.

Coordinate configuration changes and incident resolution.

9) Provide on-site device and user support

Enroll Windows 11 endpoints via Intune and enforce secure baselines.

Troubleshoot configuration profile failures, Defender issues, and BitLocker settings.

Assist with onboarding, MFA setup, and general user support.

10) Maintain documentation and reporting routines

Draft SOPs for migration, labeling, sanitization, and compliance procedures.

Submit weekly sprint summaries and update the central documentation repository.

Ensure reproducibility, traceability, and audit readiness.

11) Communication and Reporting:

Provide inputs to project highlight reports, exception reports, strategic plans, and other management documentation.

Deliver briefings and presentations related to security accreditation.

12) Collaboration with IT Support:

Work closely with the IT support team to resolve complex device-related issues.

Serve as a subject matter expert in mobile device management.

13) Documentation and Training:

Maintain comprehensive documentation for Cloud Operations processes, configurations, and workflows.

Provide training and support to other staff as required for knowledge and information sharing.

14) Collaboration and Communication:

Collaborate with IT security, compliance, and other relevant teams to ensure cohesive Cloud Operations strategies.

Communicate effectively with internal stakeholders to understand requirements and address concerns.

The contractor will be part of the project management and implementation team, working closely with the Cloud Operations Centre and Project Management Team, ensuring the secure, available, managed and compliant delivery of Public Cloud Services to NATO and its Strategic Commands.

The measurement of execution for this work is sprints, with each sprint being planned for a duration of 5 working days.

Due to the AGILE approach of this project, the specific deliverables and associated acceptance criteria will be defined for each sprint between the NCIA and the contractor. This includes sprint planning, execution and review processes, which are detailed below:

1. Sprint Planning:

Objective: Plan the objectives for the upcoming sprint

Kick-off meeting: Conduct a monthly meeting with the contractor to plan the objectives of upcoming sprints and review contractor`s manpower to meet the agreed deliverables.

Set sprint goals: Define clear, achievable goals for the sprint and associated acceptance criteria, including specific delivery targets, Quality standards as well as Key Performance Indicators (KPIs) for each task to be recorded in the sprint meeting minutes.

Agree on the required level of effort for the various sprint tasks.

Backlog Review: Review and prioritise the backlog of tasks, issues, and improvements from previous sprints.

Assess each payment milestone cycle duration of one calendar month. State of completion and validation of each sprint status and sign off sprints to be submitted for payment as covered in Section 4.

2. Sprint Execution

Objective: Contractor to execute the agreed “sprint plans” with continuous monitoring and adjustments.

Regular meetings between NCIA and the contractor to review sprint progress, address issues, and make necessary adjustments to the processes or production methodology. The Meetings will be physically in the office, or in person via electronic means using Conference Call capabilities, according to the NCIA staff instructions.

Continuous improvement: Contractor to establish a continuous feedback loop to gather input from all stakeholders for ongoing improvements and their subsequent implementation depending on NCIA approval.

Progress Tracking: Contractor to use a shared dashboard or tool to track the status of the sprint deliveries and any issues.

Quality Assurance/Quality Check: Contractor shall ensure that the quality standards agreed for the sprint deliverables are maintained throughout the sprint.

Quality Control: NCIA to perform the Final Quality Control of the agreed deliverables and provide feedback on any issues.

3. Sprint Review

Objective: Review the sprint performance and identify areas for improvement.

At the end of each sprint, there will be a meeting between the NCIA and the Contractor to review the outcomes against the acceptance criteria comprising sprint goals, agreed quality criteria and Key Performance Indicators (KPIs).

Define specific actions to address issues and enhance the next sprint.

4. Sprint Payment

For each sprint to be considered as complete and payable, the contractor must report the outcome of their work during the sprint, first verbally during the retrospective sprint review meeting and then in writing within three days after the sprint’s end date. A report must be sent by email to the NCIA manager, highlighting all work performed against the agreed tasking list set for the sprint.

The contractor's payment for each sprint will be depending upon the achievement of agreed Acceptance Criteria for each task, defined at the sprint planning stage. This will include specific delivery targets, quality standards as well as Key Performance Indicators (KPIs) for each task.

The payment shall be dependent upon successful acceptance as set in the above planning/review meetings. This will follow the payment milestones that shall include a completed Delivery Acceptance Sheet (DAS) – (Annex A).

Invoices shall be accompanied with a Delivery Acceptance Sheet (DAS) – (Annex A) signed by the Contractor and project authority.

If the contractor fails to meet the agreed Acceptance criteria for any task, the NCIA reserves the right to withhold payment for that task/sprint.

Each sprint has a duration of 5 days. The content and scope of each sprint will be agreed during the sprint‐planning meetings.

4 DELIVERABLES AND PAYMENT MILESTONES

The following deliverables are expected from the work on this statement of work:

2025 BASE period: from 01 SEP 2025 to 31 DEC 2025:

Deliverable: 17 sprints of M365 and data compliance management.

Payment Milestones: Upon completion of each fourth sprint and at the end of the work.

The Purchaser (NCIA) reserves the right to exercise a number of options of one or more sprints based on the same scrum deliverables, at a later time, depending on the project priorities and requirements, at the following cost: for base year (2025) at the same cost, for outer years (2026, 2027 and 2028) the Price Adjustment Formula will be applied in accordance with paragraph 6.5 of the Framework Contract Special Provisions.

The payment shall be dependent upon successful acceptance of the Delivery Acceptance Sheet (DAS) – (Annex A).

Invoices shall be accompanied with a Delivery Acceptance Sheet (Annex A) signed by the Contractor and the project authority.

2026, 2027 and 2028 OPTION: from 01 JAN to 31 DEC

Deliverable: Up to 46 sprints of M365 and data compliance management.

Cost Ceiling: Price will be determined by applying the price adjustment formula as outlined in CO‐115786‐ AAS+ Special Provisions article 6.5.

Payment Milestones: Upon completion of each fourth sprint and at the end of the work.

5 COORDINATION AND REPORTING

The contractor shall participate in daily status update meetings, activity planning and other meetings as instructed, physically in the office, or in person via electronic means using Conference Call capabilities, according to the Operation Managers / Team Leaders instructions.

For each sprint to be considered as complete and payable, the contractor must report the outcome of his/her work during the sprint, first verbally during the retrospective meeting and then in written within three (3) days after the sprint’s end date. The format of this report shall be a short email to the NCIA Point of Contact mentioning briefly the work held and the development achievements during the sprint.

6 SCHEDULE

This task order will be active immediately after signing of the contract by both parties and will end no later than 31 December 2025.

If the 2026, 2027 and 2028 options are exercised, the period of performance is 01 JAN to 31 DEC of the respective year.

7 CONSTRAINTS

All the deliverables provided under this statement of work will be based on NCIA templates or agreed with the project point of contact.

All code, scripts, documentation, etc. will be stored under configuration management and/or in the provided NCIA tools.

All the deliverables of this project will be considered NATO UNCLASSIFIED, while access to networks exceeding this classification level is required.

With this role being of technical nature providing administrative support, a security clearance at the NATO SECRET level is required prior to the start of the engagement.

8 PRACTICAL ARRANGEMENTS

The contractor will work 100% on-site, with the possibility to work remotely up to one day per week. Remote services need to be provided from a NATO country. The duty location being Braine- l'Alleud (BELGIUM), the contractor shall provide services during core working hours of the Cloud Operations team (Brussels / BEL).

The contractor may be required to travel, infrequent and not exceeding 2 weeks at a maximum, to other NCIA locations as part of his role. Travel arrangements will be the responsibility of the contractor and the expenses will be reimbursed in accordance with Article 5.5 of the AAS+ Framework Contract and within the limits of the NCIA Travel Directive.

The contractor delivering the services will be part of the NCIA NATO Public Cloud Project Team.

9 QUALIFICATIONS

[See Requirements]

Requirements

9 QUALIFICATIONS

The consultancy support for these services requires an experienced contractor in M365 and Data Compliance Management, with the following qualifications:

1) Microsoft 365 Data Migration Experience (5 years of experience)

• Proven ability to migrate files and archives into SharePoint, Teams, OneDrive, and Exchange.
• Understanding of data fidelity, access rights, and versioning during migrations.
• Familiarity with bulk import strategies, including Microsoft-provided tools and custom scripts.

2) Metadata and Document Labeling Expertise

• Experience configuring and applying metadata tags through Titus or equivalent tools.
• Understanding of attribute-based access control and downstream integration.
• Ability to audit, troubleshoot, and validate metadata assignments.

3) Sensitivity Label Management in Microsoft Purview

• Hands-on experience creating, assigning, and troubleshooting Sensitivity Labels.
• Familiarity with auto-labeling rules, encrypted content controls, and label inheritance.
• Understanding of NATO classification structures mapped into Purview policies.

4) Sanitization Tools and Workflow Proficiency

• Operational experience with OPSWAT MetaDefender or other CDR/Sandbox platforms.
• Knowledge of integration with blob storage, SharePoint, and file inspection pipelines.
• Capability to configure scanning policies, analyze logs, and resolve false positives.

5) Advanced Automation and Scripting Skills

• Proficiency in PowerShell, Graph API, and Azure CLI for automated compliance operations.
• Ability to write scalable and documented scripts with logging and retry mechanisms.
• Experience integrating scripts with Intune and Microsoft 365 Admin Centers.

6) Compliance Policy and Intune Configuration Support

• Understanding of M365 compliance features: DLP, retention, records management, audit.
• Familiarity with Intune device configuration and app protection policies.
• Experience resolving compliance-related incidents in endpoint environments.

7) PST Archive Processing Knowledge

• Capability to prepare, scan, and ingest PST files into M365 with metadata preservation.
• Knowledge of size limits, duplication handling, and archive folder mapping.
• Familiarity with Microsoft Compliance Center, Import Jobs, and audit trails.

8) Endpoint Support for Intune Enrolled Devices

• Practical experience enrolling, remediating, and supporting devices managed via Intune.
• Proficiency in troubleshooting compliance failures and user access issues.
• Understanding of BitLocker policies, Defender integration, and Windows 11 support.

9) Documentation and Communication Skills

• Ability to create technical SOPs and process documentation aligned with NCIA standards.
• Skilled in reporting progress, risks, and blockers during sprints or compliance reviews.
• Clear and professional written and verbal English communication with technical and non-technical stakeholders.

10) Language and Clearance:

• Fluent in English, both spoken and written.
• French language proficiency is an asset.
• NATO Secret Security Clearance or national equivalent required.

11) Security and Compliance Knowledge:

• Understanding of security best practices and compliance requirements related to Intune Device Management and Operations.
• Experience conducting audits and ensuring adherence to regulatory standards.

12) Communication and Collaboration:

• Excellent communication skills to effectively collaborate with IT teams, stakeholders, and end-users.
• Ability to document processes clearly and provide training on IAM tools and practices.

13) Organizational Skills:

• Strong organizational skills to manage multiple tasks and priorities effectively.
• Attention to detail in managing M365 environment and the Microsoft Intune Platform.

14) Team Collaboration:

• Ability to work effectively as part of a team and share knowledge and resources.
• Willingness to collaborate with colleagues to solve complex issues.

15) Others:

• The individual has strong customer relationship skills, including negotiating complex and sensitive situations under pressure.
• The individual must have the nationality of one of the NATO nations