2024-0109 Cloud Engineer (Hybrid) Security Compliance (NS) - FRI 15 Nov RELAUNCH

Deadline Date: Friday 15 November 2024

Requirement: Cloud Engineer (Hybrid) Security and Compliance Specialist

Location: Off-Site

Note: Please refer to your Subcontract Agreement, article 6.4.1.a, which states “Off-Site Discount: 5% (this discount is applicable to all requirements, and applies when the assigned personnel are permitted to work Off-Site, such as at- home)". Please be sure to price this discount in your overall price proposal when submitting bids against off-site RFQs

Period of Performance:  BASE period: 01 st January 2025 – 31st December 2025

• 2026 Option: 1st January 2026 until 31st December 2026

• 2027 Option: 1st January 2027 until 31st December 2027

Start date is as soon as possible but not later than 01st January 2025

Required Security Clearance: NATO SECRET

1 INTRODUCTION

Supporting NATO throughout all its geographical locations, the NCI Agency is looking for a Cloud Engineer (Hybrid), Security and Compliance Specialist, joining the journey of NATO’s modernisation of IT services, through leveraging the public cloud (Microsoft Azure, M365 and Amazon AWS), delivering managed, protected, security‐centric and reliable IT Services.

NCI Agency – Cloud Operations Team

The NATO Communications and Information Agency (NCI Agency) is dedicated to supporting NATO's strategic objectives, including the ambitious NATO 2030 agenda. As part of this commitment, we are spearheading the modernization and digital transformation of NATO’s IT services. Our focus is on leveraging public cloud technologies like Microsoft 365 and Intune, incorporating a security‐by‐design approach, and ensuring a seamless transition to a modern, collaborative workplace environment.

To achieve these goals, we are building a Cloud Operations team under the Cloud Center of Excellence, operating under the NATO Enterprise Cloud Operating Model (NECOM). The NECOM framework provides a standardized approach for cloud service management, ensuring interoperability, scalability, and security across NATO's IT infrastructure. The Cloud Center of Excellence will serve as a hub for best practices, innovation, and expertise, driving the adoption and optimization of cloud technologies within NATO. This team will play a crucial role in our journey towards providing managed, protected, and reliable End User Services.

Embracing the latest technological advancements, this initiative will foster innovation and ensure NATO remains at the cutting edge of IT capabilities. By continuously evolving and integrating new technologies, we aim to enhance operational efficiency and readiness for future challenges. This remote position offers an exciting opportunity to be at the forefront of NATO's technological evolution and contribute to the security and efficiency of our operations.

NCI Agency – Cloud Centre of Excellence (CCoE)

The Cloud Centre of Excellence (CCoE) within the NCI Agency is focused on driving successful cloud adoption and maximizing the potential of cloud technologies across the organization. It serves as a central governing body, promoting best practices, enabling knowledge sharing, and ensuring alignment between business objectives and cloud initiatives. The CCoE supports various cloud‐based solutions, ensuring their effective and efficient implementation and management. By fostering a culture of continuous improvement and innovation, the CCoE helps the NCI Agency leverage cloud technologies to enhance operational efficiency, scalability, and agility.

You will work closely with various IT teams to support and optimize our M365 security framework. Your responsibilities will include configuring and managing security settings, developing and implementing compliance policies, and performing regular security audits and assessments. You will leverage tools such as Microsoft Defender for Office 365, Azure Information Protection (AIP), and data loss prevention (DLP) policies to safeguard our organization’s data. Additionally, you will monitor security threats, respond to incidents, and ensure all security measures are up‐to‐date and effective.

A key aspect of this role will be developing and maintaining PowerShell scripts and automated workflows to streamline security and compliance processes. You will create automated solutions for compliance reporting and monitoring, ensuring operational efficiency and reducing manual intervention.

You will also support training programs to raise security awareness among end‐users and IT staff. This includes developing educational materials, delivering training sessions, and  promoting best practices for secure use of M365 tools.

Staying up‐to‐date with the latest developments in M365 security features and best practices is crucial. You will participate in security forums, attend training sessions, and continually seek ways to improve our security and compliance posture. Your proactive approach will help identify potential vulnerabilities and implement effective solutions.

2 OBJECTIVES

The NCI Agency is embracing cloud services by transitioning to Microsoft 365 with a security‐centric design. This shift aims to enhance operational efficiency, collaboration, and security across the organization. We are looking for individuals with strong knowledge, a willingness to learn, and a desire to grow as part of this new challenge.

The objective of this statement of work is to establish a support and operating model for End User Services operating in the Public Cloud, with a focus on Microsoft 365 services.

3 SCOPE OF WORK

Under the direction / guidance of the local NCIA Point of Contact or the Cloud Ops Operations

Manager, the Cloud Engineer (Hybrid), Security and Compliance Specialist will be supporting the

following activities:

1) Security Policy Development:

a) Develop and implement comprehensive security policies for the M365 environment.

b) Ensure policies align with organizational and regulatory requirements.

c) Regularly review and update security policies to address emerging threats.

d) Communicate and enforce security policies across the organization.

2) Compliance Management:

a) Ensure compliance with regulatory requirements and organizational standards.

b) Implement and manage data loss prevention (DLP) policies.

c) Conduct regular compliance audits and risk assessments.

d) Develop and maintain compliance documentation and records.

3) Advanced Threat Protection:

a) Configure and manage Microsoft Defender for Office 365.

b) Implement Advanced Threat Protection (ATP) policies to detect and mitigate threats.

c) Monitor threat analytics and respond to security incidents.

d) Conduct regular security assessments and vulnerability scans.

4) Conditional Access and Identity Protection:

a) Implement and manage conditional access policies in Azure AD.

b) Configure identity protection policies to safeguard user accounts.

c) Monitor access patterns and detect suspicious activities.

d) Ensure multi‐factor authentication (MFA) is enforced.

5) Data Encryption and Information Protection:

a) Configure and manage data encryption policies.

b) Implement Azure Information Protection (AIP) for data classification and labeling.

c) Ensure data protection policies are applied to sensitive information.

d) Monitor and report on data protection compliance.

6) eDiscovery and Legal Hold Management:

a) Implement and manage eDiscovery and legal hold processes.

b) Ensure that data required for legal proceedings is preserved.

c) Conduct regular audits of eDiscovery and legal hold configurations.

d) Provide training and support for eDiscovery users.

7) Security Monitoring and Reporting:

a) Monitor the security health of the M365 environment using Microsoft 365 Security Center.

b) Generate security reports and provide insights for improvement.

c) Utilize security information and event management (SIEM) tools.

d) Identify and address security incidents promptly.

8) Automation and Scripting:

a) Develop and maintain PowerShell scripts to automate security and compliance tasks.

b) Implement automated workflows using Power Automate.

c) Create automated solutions for compliance reporting and monitoring.

d) Maintain and update existing automation scripts.

9) User Training and Awareness:

a) Develop and deliver security training programs for end‐users.

b) Promote security awareness and best practices across the organization.

c) Provide guidance on secure use of M365 tools.

d) Conduct regular security awareness campaigns.

10) Continuous Improvement:

a) Stay up‐to‐date with the latest M365 security and compliance features.

b) Continuously improve security and compliance processes.

c) Participate in security and compliance forums and training.

d) Propose and implement new security measures and enhancements.

The contractor will be part of a team providing Technical Level 2 and 3 support, ensuring the secure, available, managed and compliant delivery of Public Cloud Services to NATO and its Strategic Commands.

The contractor will work primarily remotely, providing services during Core working hours of the Cloud Operations team (Brussels / BEL).

The measurement of execution for this work is sprints, with each sprint planned for a duration of 1 week

4 DELIVERABLES AND PAYMENT MILESTONES

The payment shall be dependent upon successful acceptance of the Delivery Acceptance Sheet (DAS) – (Annex B) including the EBA Receipt number

Invoices shall be accompanied with a Delivery Acceptance Sheet (Annex B) signed by the Contractor and project authority.

The following deliverables are expected from the work on this statement of work:

4.1 2025 BASE: 01 January 2025 to 31 December 2025

Deliverable 01: 46 sprints

Payment Milestones: Upon completion of each fourth sprint and at the end of the work.

4.2 2026 OPTION: 01 January 2026 to 31 December 2026

Deliverable 01: Up to 46 sprints

Payment Milestones: Upon completion of each fourth sprint and at the end of the work

4.3 2027 OPTION: 01 January 2027 to 31 December 2027

Deliverable 01: Up to 46 sprints

Payment Milestones: Upon completion of each fourth sprint and at the end of the work

4.4 The Purchaser (NCIA) reserves the right to exercise a number of options of one or more sprints based on the same deliverables, at a later time, depending on the project priorities and requirements, at the following cost: for base year (2025) at the same cost, for outer years (2026 and 2027) the Price Adjustment Formula will be applied in accordance with paragraph 6.5 of the Framework Contract Special Provisions

5 COORDINATION AND REPORTING

The contractor shall participate in daily status update meetings, activity planning and other meetings as instructed, via electronic means using Conference Call capabilities, according to the Operation Managers / Team Leaders instructions.

For each sprint to be considered as complete and payable, the contractor must report the outcome of his/her work during the sprint, first verbally during the retrospective meeting and then in written within three (3) days after the sprint’s end date. The format of this report shall be a short email to the NCIA Point of Contact mentioning briefly the work held and the development achievements during the sprint.

6 SCHEDULE

This task order will be active immediately after signing of the contract by both parties

The BASE period of performance is as soon as possible but not later than 01st January 2025 and will end no later than 31st December 2025.

If the 2026 option is exercised, the period of performance is 01 st January 2026 to 31st December 2026.

If the 2027 option is exercised, the period of performance is 01 st January 2027 to 31st December 2027

7 CONSTRAINTS

All the deliverables provided under this statement of work will be based on NCI Agency templates or agreed with the project point of contact.

All code, scripts, documentation, etc. will be stored under configuration management and/or in the provided NCI Agency tools.

8 SECURITY

The duties of the consultants require a valid NATO SECRET security clearance.

All the deliverables of this project will be considered NATO UNCLASSIFIED, while access to networks exceeding this classification level is required.

With this role being of technical nature providing administrative support, a security clearance at

the NATO Secret level is required prior to the start of the engagement.

9 PRACTICAL ARRANGEMENTS

The contractor will be required to work primarily remote as part of this engagement. The Cloud Operations Team is located in BRUSSELS / BEL and THE HAGUE / NLD, with working hours to be adjusted accordingly.

The contractor will be required to work within a NATO country, following the rules and regulations applicable for the operations of NATO CIS.

The contractor may be required to travel, not exceeding 1 week per month, to other NCI Agency locations as part of his role. The locations applicable for this engagement are limited to BRUSSELS / BEL and THE HAGUE / NLD. Travel expenses will be reimbursed to the individual directly (outside this contract) under NATO rules.

This individual hired for this position will be part of the NCIA Cloud Operations Team.

Requirements

• The duties of the consultants require a valid NATO SECRET security clearance.

10 QUALIFICATIONS

The consultancy support for this work requires an experienced Cloud Engineer (Hybrid), Security and Compliance Specialist with the following qualifications:

1) Microsoft 365 Security Features:

• Advanced knowledge of Microsoft 365 security features and configurations.
• Experience with Microsoft Defender for Office 365 and ATP policies.
• Proficiency in configuring and managing conditional access and identity protection.
• Knowledge of data encryption and Azure Information Protection (AIP).

2) Compliance Management:

• Strong understanding of regulatory compliance requirements (e.g., GDPR, HIPAA).
• Experience with data loss prevention (DLP) policies and compliance audits.
• Proficiency in conducting risk assessments and developing compliance documentation.
• Knowledge of eDiscovery and legal hold management.

3) PowerShell Scripting:

• Proficient in writing and executing PowerShell scripts for security and compliance tasks.
• Ability to develop and maintain scripts for automation.
• Experience with automating compliance reporting and monitoring.
• Knowledge of script debugging and error handling.

4) Security Monitoring and Reporting:

• Proficient in using Microsoft 365 Security Center and SIEM tools.
• Ability to generate security reports and provide insights.
• Experience with monitoring and responding to security incidents.
• Knowledge of security information and event management (SIEM) best practices.

5) Advanced Threat Protection:

• Expertise in configuring and managing ATP policies.
• Experience with threat detection and mitigation.
• Proficiency in conducting security assessments and vulnerability scans.
• Ability to respond to and mitigate security incidents.

6) Conditional Access and Identity Protection:

• Advanced knowledge of conditional access policies in Azure AD.
• Experience with configuring and managing identity protection policies.
• Proficiency in enforcing multi‐factor authentication (MFA).
• Knowledge of monitoring access patterns and detecting suspicious activities.

7) Data Encryption and Information Protection:

• Skilled in configuring and managing data encryption policies.
• Experience with Azure Information Protection (AIP).
• Ability to apply data protection policies to sensitive information.
• Knowledge of monitoring and reporting on data protection compliance.

8) eDiscovery and Legal Hold Management:

• Proficient in implementing and managing eDiscovery and legal hold processes.
• Experience with auditing eDiscovery and legal hold configurations.
• Knowledge of data preservation for legal proceedings.
• Ability to provide training and support for eDiscovery users.

9) User Training and Awareness:

• Experience promoting security awareness and best practices.
• Proficiency in providing guidance on secure use of M365 tools.

10) Continuous Improvement:

• Commitment to staying current with M365 security and compliance features.
• Proactive in implementing new security measures and enhancements.
• Participation in security and compliance forums and training.
• Ability to propose and implement continuous improvement initiatives.

11) Organizational Skills:

• Strong organizational skills to manage multiple tasks and priorities effectively.
• Attention to detail in managing M365 environment and the Microsoft Intune Platform.

12) Others:

• The candidate has strong customer relationship skills, including negotiating complex and sensitive situations under pressure.
• Full proficiency in the English language. French language proficiency is of advantage.
• The candidate must have the nationality of one of the NATO nations.
• The candidate must possess a NATO Secret Security Clearance or national equivalent.

This role is critical for maintaining efficient IT support operations and ensuring users receive timely and effective assistance with their devices and Microsoft 365 services. As a Level 2/3 specialist, you will handle complex security and compliance issues, support advanced configurations, and play a key role in strategic planning and implementation of security solutions.  If you are a motivated technician with strong problem‐solving skills, full proficiency in English, and a passion for security and compliance, we invite you to apply and join our dynamic team.