2024-0342 Support to Provide CIS Security Assurance (NS) - MON 13 Jan
Braine-L'Alleud, Wallonia, Belgium
Full Time Contract Senior-level / Expert Clearance required EUR 41K - 95K *
EMW, Inc.
Deadline Date: Monday 13 January 2025
Requirement: Support to Provide CIS Security Assurance
Location: Braine-l’Alleud, BE
Full Time On-Site: Yes
Time On-Site: 100%
Period of Performance: 2025 BASE 17th February 2025 – 31st December 2025, with the possibility to exercise sprints from the following options:
• 2026 Option: 1st January 2026 until 31st December 2026
• 2027 Option: 1st January 2027 until 31st December 2027
Required Security Clearance: NATO SECRET
1 INTRODUCTION
The NCIA is looking for a CIS Security Assurance on-site service, delivered at NCIA headquarters in Braine-l’Alleud, Belgium, to achieve the security accreditation and maintain the CIS security posture of a large NATO CIS.
The NCIA provides advanced technological solutions and support to NATO and its member nations. Its mission is to ensure effective and secure communication and information systems for the alliance, enabling operations and decision-making. The agency plays a critical role in maintaining NATO's technological edge and operational readiness through innovation, collaboration, and the implementation of cutting-edge technologies.
The NATO CIS undergoes a security accreditation and must obtain Approval to Operate (ATO). The NATO CIS security accreditation requires assessing potential cybersecurity risks following a risk management methodology. This includes the identification and assessment of risks for specific NATO CIS in close coordination with NATO accreditation stakeholders (including technical and security authorities), followed by the development and implementation of mitigation and remediation plans, specifically assessing the residual risks after the application of the risk mitigation measures. The security accreditation status is tracked throughout the entire lifecycle of the NATO CIS.
2 OBJECTIVE
The objective of this Statement of Work (SOW) is to provide a CIS Security Assurance service on site for a large NATO CIS, consisting of the development of CIS Security accreditation documentation, conducting risk assessments, recommending mitigation measures, and coordinating the remediation of the findings identified by security assessments.
3 SCOPE OF WORK
Execution of this work is measured in sprints, with each sprint planned for a duration of 1 week.
This SOW covers one large NATO CIS, the security accreditation document set and the associated CIS Security assurance activities as described below and detailed in Annex C.
1) CIS Security Accreditation:
a) Produce the CIS Description (CISD) documentation, addressing all NATO CIS components; coordinate with Service Delivery Managers (SDMs), network and security architects and other relevant Subject Matter Experts (SMEs) to ensure the complete and accurate description of the CIS.
b) Conduct Security Risk Assessment (SRA) for the NATO CIS in scope; this includes the identification and assessment of risks in close coordination with NATO accreditation stakeholders (including technical and security authorities).
c) In close coordination with the security accreditation support and the technical stakeholders, produce the Security Requirements Statements (SRSs). This includes evaluating the implementation of the security requirements as per the NATO security policies and directives, advising on mitigation and remediation recommendations for those security requirements that are partially implemented (or not implemented), and documenting these in the relevant accreditation documents (Security Requirements Statements (SRSs), SecOPs).
d) Produce the Security Operating Procedures (SecOPs) in line with the NATO security policies and directives.
e) Develop Security Tests and Verification Plans (STVP).
f) Conduct security tests in accordance with the defined test plans and provide the associated reporting.
g) Support the development of mitigation and remediation plans, following the identification and assessment of cybersecurity risks for NISC managed CIS, specifically assessing the residual risks after the application of cybersecurity risk mitigation measures.
h) Assist with complex remediation activities for the NATO CIS in scope of this SoW; conduct remediation activities in collaboration with the NCIA Service Delivery Managers.
i) Ensure an adequate level of systems/data protection is implemented for NISC managed CIS in accordance with NATO Security policies and directives.
2) Operations:
a) Perform all operation, support and maintenance activities described in Annex C.
b) Log and track Service and Change requests using the enterprise ticketing system (ITSM).
c) Ensure all tickets are updated with accurate and detailed information and resolved within the agreed service levels.
3) Escalation:
a) Escalate complex issues to appropriate teams when necessary.
b) Follow up on escalated issues to ensure timely resolution and user satisfaction.
4) Knowledge Base Management:
a) Contribute to the creation and maintenance of a knowledge base, documenting common issues and solutions.
b) Share knowledge and best practices with team members to improve overall service quality.
5) Performance Monitoring:
a) Monitor support metrics and KPIs to ensure high-quality service delivery.
b) Participate in regular reviews to identify areas for improvement and implement corrective actions.
6) Automation and Efficiency:
a) Develop and implement automation scripts to streamline routine support tasks such as software installations, updates, system and software checks and notifications.
b) Utilize automation to create workflows for repetitive tasks, improve service efficiency and proactively implement solutions.
7) Communication and Collaboration:
a) Communicate effectively with the internal user community to understand their issues and provide clear instructions.
b) Collaborate with IT teams to resolve issues and improve service delivery.
8) Transition-In
The Contractor shall start the execution of the contract by implementing the transition-in Handover-Takeover (HOTO) plan.
The Transition-in Handover-Takeover (HOTO) plan shall include at the minimum:
- Detailed HOTO schedule with GANTT chart
- Resources and PFE required from the Purchaser for successful execution of HOTO plan
- Risk register
The handover-takeover period will be divided into two parts: Shadowing and Reverse Shadowing. For the Transition-In HOTO, Shadowing will be the monitoring of the Purchaser’s activities by the Contractor for each product listed in Annex C. Reverse Shadowing will be the monitoring of the Contractor’s activities by the Purchaser for each item listed in Annex C.
9) Transition-Out
Whatever the cause or the triggering event of the contract coming to an end, the Contractor shall end the execution of the contract by implementing the transition-out Handover-Takeover (HOTO) plan.
The transition-out Handover-Takeover plan to be executed for contract closure or contract termination shall include at the minimum:
- Detailed HOTO schedule with GANTT chart
- Transition to The Purchaser of any tools, procedures, training and documentation used by The Contractor to execute this SOW.
- Resources and PFE required from the Purchaser for successful execution of HOTO plan
- Risk register
The handover-takeover period will be divided into two parts: Shadowing and Reverse Shadowing. For the Transition-Out HOTO, Shadowing will be the monitoring of the Contractor’s activities by the Purchaser for each item listed in Annex C. Reverse Shadowing will be the monitoring of the Purchaser’s activities by the Contractor for the second instance of each product listed in Annex C.
4 DELIVERABLES AND PAYMENT MILESTONES
4.1 The payment schedule will be at the end of every 4 sprints, following the acceptance of the sprint report.
4.2 The NCIA team reserves the possibility to exercise a number of options, based on the same scrum deliverable timeframe, at a later time, depending on the project priorities and requirements.
4.3 The payment shall be dependent upon successful acceptance of the sprint report and the Delivery Acceptance Sheet (DAS) – (Annex B) including the EBA Receipt number.
Invoices shall be accompanied with a Delivery Acceptance Sheet (Annex B) signed by the Contractor and the NCIA POC.
The following deliverables are expected for the scope of work (Section 3) on this statement of work:
Deliverable 01: Up to 46 sprints
Payment Milestones: Upon completion of 4 sprints and at the end of the work
The payment shall be dependent upon successful acceptance of the Delivery Acceptance Sheet (DAS) – (Annex B) including the EBA Receipt number
Invoices shall be accompanied with a Delivery Acceptance Sheet (Annex B) signed by the Contractor and project authority.
The NCIA team reserves the possibility to exercise a number of options, based on the same deliverable timeframe and cost, at a later time, depending on the project priorities and requirements.
2026 OPTION: 01 January 2026 to 31 December 2026
Deliverable 01: Up to 46 sprints
Payment Milestones: Upon completion of 4 sprints and at the end of the work
The payment shall be dependent upon successful acceptance of the Delivery Acceptance Sheet (DAS) – (Annex B) including the EBA Receipt number
Invoices shall be accompanied with a Delivery Acceptance Sheet (Annex B) signed by the Contractor and project authority.
2027 OPTION: 01 January 2027 to 31 December 2027
Deliverable 01: Up to 46 sprints
Payment Milestones: Upon completion of 4 sprints and at the end of the work
The payment shall be dependent upon successful acceptance of the Delivery Acceptance Sheet (DAS) – (Annex B) including the EBA Receipt number
Invoices shall be accompanied with a Delivery Acceptance Sheet (Annex B) signed by the Contractor and project authority.
5 COORDINATION AND REPORTING
5.1 The contractor shall report to the assigned service delivery manager.
5.2 The contractor shall participate in daily status update meetings, activity planning and other meetings as instructed, either physically in the office or remotely via electronic means using conference call capabilities, according to the service delivery manager’s instructions.
5.3 For each sprint to be considered complete and payable, the contractor must report the outcome of his/her work during the sprint, first verbally during the retrospective meeting and then in writing, within three (3) working days after the sprint’s end date. A report in the format of a short email shall be sent to the NCI Agency POC, briefly describing the work performed and the achievements during the sprint. The same report shall be added to the Delivery Acceptance Sheet (DAS) – (Annex B).
6 SCHEDULE
The period of performance is 3rd February 2025 through 31st December 2025.
If the 2026 option is exercised, the period of performance is 1 January 2026 to 31 December 2026.
If the 2027 option is exercised, the period of performance is 1 January 2027 to 31 December 2027.
7 CONSTRAINTS
All the deliverables provided under this statement of work will be based on NCIA templates or agreed with the project point of contact.
All code, scripts, documentation, etc. will be stored under configuration management and/or in the provided NCIA tools.
8 SECURITY
Performance of the services described in this SOW requires a valid NATO SECRET security clearance prior to the start of the engagement.
9 PRACTICAL ARRANGEMENTS
9.1 This is a deliverables-based contract.
9.2 The contractor shall provide services 100% on-site at NCIA Headquarters in Braine-l’Alleud, Belgium. Exceptional off-site activities to support service delivery can also be arranged with the line manager’s coordination and approval.
9.3 There may be requirements to travel to other sites within NATO for completing these tasks.
9.4 Travel costs are out of scope and will be borne by the NCI Agency separately in accordance with the provisions of the AAS+ Framework Contract.
9.5 The work depicted in this SOW is expected to be carried out by a single contractor.
9.6 The service shall be delivered during core working hours (0830 – 1200 and 1300 – 1730). Incident resolution activities may be requested outside business hours as part of deliverable-based sprints.
9.7 The contractor will be required to obtain working permission for on-site work in Belgium.
10 QUALIFICATIONS
[See Requirements]
Annex C: Description of the NATO CIS environment
1. The NATO CIS operates at multiple classification levels: NATO UNCLASSIFIED (NU), NATO RESTRICTED (NR) and NATO SECRET (NS).
2. The NATO CIS is composed of two main sub-systems and 20 components. The CIS nodes are installed in over 400 locations, supporting the NATO Command Structure, elements of the NATO Force Structure, National Ministries of Defense (MODs) and Ministries of Foreign Affairs (MFAs).
3. The CIS environment contains predominantly network devices such as routers and switches, firewalls and crypto devices, as well as a management component based on Microsoft Windows Server and Linux operating systems, running on physical and virtual servers.
4. The following documents need to be produced as part of the accreditation document set for the NATO CIS:
a. Security Accreditation Plan (not in the scope of this SoW)
b. CIS Description
c. Security Risk Assessment
d. Security Requirements Statement
e. Security Operating Procedures
f. Security Testing and Verification Plan
g. Security Testing and Verification Report
Additionally, a Remediation Actions Status Report following the Security Audits needs to be produced and submitted to the relevant Cyber/CIS Security and security accreditation authorities.
5. The response and resolution times for ITSM tickets are defined, in accordance with assigned priority, in NCIA Incident Management Standard Operating Procedure (SOP) 06.04.01.
6. The Contractor shall take the description above as an indication of the size and composition of the systems in scope. The actual CIS environment composition in the scope of this contract will stay within a margin of +/- 25% of the provided numbers. Any changes to the number of instances while staying within the above margin will not entitle the Contractor to any price adjustments. However, should the numbers move outside this margin, upwards or downwards, this could be grounds for an equitable price adjustment to be applied at the next turn of the year.
Requirements
10 QUALIFICATIONS
The consultancy support for this work requires a systems engineer with the following qualifications:
1) Technical Proficiency:
The support for this work requires the following technical proficiencies:
- NATO CIS Security accreditation process
- CIS Security Risk Assessments (SRA)
- CIS Security Tests and Verifications (STV)
- CIS Security Assessments (SA) remediation
2) Problem-Solving Skills:
- Strong troubleshooting skills to diagnose and resolve hardware, software, and network issues.
- Ability to guide users through problem-solving steps effectively.
3) Automation Skills:
- Proficiency in automation to create workflows and automate repetitive processes.
- Ability to identify and implement automation opportunities to enhance efficiency.
4) Communication and Interpersonal Skills:
- Excellent verbal and written communication skills.
- Full proficiency in English.
- Ability to communicate technical information to non-technical users in a clear and concise manner.
5) Customer Service Orientation:
- Strong customer service focus with a commitment to user satisfaction.
- Patience and empathy when dealing with user issues and concerns.
6) Organizational Skills:
- Ability to manage multiple support tickets and prioritize tasks effectively.
- Attention to detail in documenting support activities and maintaining accurate records.
7) Team Collaboration:
- Ability to work effectively as part of a team and share knowledge and resources.
- Willingness to collaborate with colleagues to solve complex issues.
8) Others:
- The candidate has strong customer relationship skills, including negotiating complex and sensitive situations under pressure.
- The candidate must have the nationality of one of the NATO nations.
* Salary range is an estimate based on our InfoSec / Cybersecurity Salary Index 💰