2024-0335 Cyberspace Operations Threat Hunting Support (NS) - MON 3 Feb

Mons, Wallonia, Belgium


Deadline Date: Monday 3 February 2025

Requirement: Cyberspace Operations Threat Hunting Support

Location: Mons, BE

Full Time On-Site: Yes

Period of Performance: 2025 BASE: 1 APR 2025 to 19 DEC 2025, with possibility to exercise the following options:

• 2026 option: 5 JAN 2026 to 18 DEC 2026

• 2027 option: 4 JAN 2027 to 17 DEC 2027

• 2028 option: 3 JAN 2028 to 15 DEC 2028

Required Security Clearance: NATO SECRET

 

1. BACKGROUND

The NCI Agency has been established with a view to meeting the collective requirements of some or all NATO nations in the fields of capability delivery and service provision related to Consultation, Command & Control as well as Communications, Information and Cyber Defence functions, thereby also facilitating the integration of Intelligence, Surveillance, Reconnaissance, Target Acquisition functions and their associated information exchange.

2. INTRODUCTION

The NATO Cyber Security Centre (NCSC) is a team of over 200 members working to monitor and protect NATO networks. In the NCSC’s role to deliver robust security services to the NATO Enterprise and NATO Allied Operations and Missions (AOM), the centre executes a portfolio of programmes and projects of around 219 MEUR per year in order to uplift and enhance critical cyber security services. The Portfolio ranges from Programme of Work (POW) activities funded via the NATO Military Budget (MB) to Critical / Urgent Requirements (CURs/URs) and NATO Security Investment Programme (NSIP) projects funded via the Investment Budget (IB). In some edge cases, projects are also funded via the Civilian Budget (CB). Projects can span multiple years and are governed by various frameworks, including the Common Funded Capability Development Governance Framework (CFCDGM).

In order to execute this work, the NCI Agency is seeking additional labour through contracted resources (or consulting) to support the work undertaken by the NATO Cyber Security Centre (NCSC) in the area of Communications and Information System (CIS) security, cyber defence and cyberspace operations. This Statement of Work (SoW) specifies the required skillset and experience.

3. PURPOSE

The NCSC is responsible for defending NATO networks on a 24/7 basis and for proactively looking for signs of malicious activity by performing threat hunting. The Threat Hunting activities encompass hypothesis-based searches, driven by threat intelligence, on existing security log sources, anomaly detection and, more generally, compromise assessment.

4. OBJECTIVES

This Statement of Work (SoW) outlines the services to be provided by the Supplier to NCSC for providing support to Cyber Operations Threat Hunting.

5. DELIVERABLES

The contractor shall deliver the following functions:

D1. Based on directions from the Service Delivery Manager (SDM) and deputy SDM:

• organise meetings (both in-person and virtual, using NATO videoconferencing infrastructure),

• open service requests, change requests and work orders within NCIA and NCSC ticketing and tasking systems,

• pro-active follow-up of existing requests in various systems on a periodic basis.

D1 Outcome: The JIRA issue (task) has been handled (if assigned to the person) or created (if it needs to be dispatched within the team).

D1 Acceptance Criteria: The issue has been handled appropriately, using professional judgment and the outcome is clearly indicated in the appropriate field.

The issue has been addressed before or at the target date.

D2. Based on directions from the Service Delivery Manager (SDM) and deputy SDM:

• write emails to stakeholders of the service,

• write and review SoW, contracts and license agreements,

• resource planning,

• writing, editing and creation of SOP/SOI in the NCSC wiki,

• presentation slides preparation.

D2 Outcome: List of documents produced and emails sent to support the threat hunting service.

D2 Acceptance Criteria: The list contains the title of documents or subject of emails, the stakeholders informed and the link to issues in Jira (TASK #).

The format expected is an Excel document with the following columns: Title/Subject, Stakeholders, Link to Issue.

This deliverable is expected at the end of each week.

Rejection criteria

• The client may reject deliverables if they do not meet the specified acceptance criteria or if they contain critical errors.

• A rejected deliverable must be corrected and resubmitted within 1 (one) business day.

Further details:

• Each deliverable will be assessed by a supervisor or team member on a scale of 1 to 5 based on the criteria defined above. This score is used for the monthly KPI; an overall score below 80% introduces a financial penalty.

Further, the contractor must conduct the following reviews:

• A bi-weekly ‘touch point’ between NCSC – Threat Hunting Service Delivery Manager, or any other NCSC personnel designated by NCSC.

Structure and formatting of the deliverables:

In addition to their specific acceptance criteria, each deliverable shall meet the following requirements:

• Language: the product shall be written in English, meeting the NATO STANAG 6001 Level 3 “Professional Proficiency”.

• Intended Audience: the product shall be intended for Cyber Security Professionals, Senior Military personnel and decision makers in the field of Cyber Security and Cyberspace Operations.

• Accuracy: the product shall accurately reflect what was done.

• Clarity and Conciseness: Information shall be presented clearly and concisely, avoiding unnecessary jargon or complex language.

• Objectivity: the content shall be impartial and objective, presenting information without bias or personal interpretation.

• Structure: the product shall follow a logical structure, such as a template when available.

• Timeliness: the product shall be prepared and distributed promptly after the assignment, ensuring that information is fresh and actionable.

• Formatting: Consistent formatting shall be used throughout the document, including font style, size, headings, and spacing further directed by the Information and Knowledge Management Steering Group.

• Confidentiality: Information processed by analysing threat intelligence reports or acquired during threat hunting campaigns shall be handled in accordance with the NATO policy on Information Management.

6. COORDINATION AND REPORTING

R1. A monthly performance report (see Annex A), provided at the end of the month, in NCSC tool and using NCSC provided template, containing the number of each deliverable provided during the month.

The report will be prefilled by the service provider and includes as supporting documentation the list of deliverables produced during that month including references to NCSC tools containing the information.

The report will be completed by NCSC to include the overall score received for the deliverables in that month. It is computed as follows: the sum of the score for each deliverable (from 1 to 5) divided by the number of deliverables and converted to a percentage.

7. DELIVERABLES MILESTONES AND PAYMENT SCHEDULE

Term and Timeline

The period of performance of this SOW will commence on 01 APR 2025 and continue for a maximum of 37 weeks until 19 DEC 2025.

The payments shall be dependent upon successful acceptance of the Monthly Performance Report (R1) (Annex A) – including the EBA Receipt number.

Invoices shall be accompanied with the Monthly Performance Report (R1) (Annex A) signed by the Contractor and project authority.

Related invoice will be accompanied by a Monthly Performance Report (R1) (Annex A) signed by the project authority.

Payment is done at the end of each month following the approval of the R1.

The Purchaser (NCIA) reserves the right to exercise a number of options of one or more sprints based on the same scrum deliverables, at a later time, depending on the project priorities and requirements, at the following cost: for base year (2025) at the same cost, for outer years (2026-2028) the Price Adjustment Formula will be applied in accordance with paragraph 6.5 of the Framework Contract Special Provisions.

7.1 2025 BASE: PERIOD OF PERFORMANCE FROM 01 APR 2025 TO 19 DEC 2025:

~37 WEEKS

Payment will be done as per the milestones below:

R1 Deliverables:  D1 – D2

Deliverable Due Date: Last Day of Each Month

Payment Milestones: At the end of each month linked to the successful delivery of D1-D2 as tracked in R1

PENALTY SCHEME:

Satisfaction on deliverables >= 80 % = 0 % Penalty

Satisfaction on deliverables 60 – 79% = 25 % Penalty

Satisfaction on deliverables 40 – 59% = 50 % Penalty

Satisfaction on deliverables < 40 % = 75 % Penalty

Method of Surveillance: The overall satisfaction for the month is reported on the R1 (Annex A)

7.2 2026, 2027, 2028 OPTIONS: ~50 WEEKS

R1 Deliverables:  D1 – D2

Deliverable Due Date: Last Day of Each Month

Payment Milestones: At the end of each month linked to the successful delivery of D1-D2 as tracked in R1

8. SKILLS

Services under the current SOW are to be delivered by ONE resource that must meet the following experience, qualities and qualifications:

• Experience in engaging with highly technical cyber security professionals.

• Experience in summarizing discussions, identifying relevant points and action items.

• Language proficiency in English meets or exceeds the NATO STANAG 6001 Level 3 “Professional Proficiency”.

• The contractor shall be dressed suitably for meetings with high-ranking officials. No religious sign shall be worn during such meetings.

• The contractor shall actively collaborate during internal meetings and touch-point discussions to improve the quality of services.

• Strong reporting skills to various levels of seniority.

• Accuracy and attention to detail.

• Previous experience in working for or supporting a military or governmental organization is an asset.

Further Details:

• Each provider of this service must pass an assessment to demonstrate proficiency before being approved to provide the service. The assessment will then be followed by a one week on-site familiarisation period with key NCSC personnel and tools to be introduced to the environment.

• The provider shall keep the rotation of resources performing the contract to the absolute minimum to ensure continuity of service and to maintain the onboarding overhead on the NCSC side at a reasonable level.

• The first 5 working days of a new resource (starting at the date the SHAPE ID was obtained) are considered familiarisation and handover/takeover period for which no payment will be made as no deliverable can reasonably be expected during that time.

• After approval of the resource, the provider must communicate the starting date and all onboarding documents to the NCSC point of contact at least 3 weeks prior to the starting date.

• It is the responsibility of the provider to inform each resource and make sure they can comply with the requirements to obtain a SHAPE ID on their starting day. This includes, among others, the clearance (RFV) and the mandatory registration in a Belgian commune. The list of documents required can be consulted here: https://www.shape2day.com/arrivingleaving/inprocessing/are-you-a-national-civilian-component/contractorconsultant

9. WORK EXECUTION

The services will be mainly executed on premise in SHAPE, Mons, Belgium.

NCIA IT equipment will be provided (NCSC NROP laptop and/or NCIA NRAIS laptop), together with access to an NCSC NSOP workstation.

The services may optionally be executed remotely during part of the duration of the contract, given prior written approval from NCSC and only for specific durations.

The services can only be executed from NATO member countries.

Results of the work will be provided as stated in paragraph 6 – Coordination and Reporting.

10. TRAVEL

All travel costs are included in the quoted price. No additional cost for travel (including accommodation, per diem, travel expenses, etc.) will be claimed separately. All travel arrangements are the responsibility of the contractor.

No extra cost can be associated with the presence of any team member on SHAPE, Mons, Belgium.

Daily presence on SHAPE, Mons, Belgium is expected to deliver according to performance goals. A maximum of 2 trips per month to other locations in Belgium (NATO HQ in Brussels, NCIA offices in Braine L’Alleud) for meetings might be requested. No overnight stay required.

11. SECURITY AND NON-DISCLOSURE AGREEMENT

Any contracted individuals of the Service Provider must be in possession of a security clearance by their National Authority of NATO SECRET or above. The signature of a Non-Disclosure Agreement between any Service Provider’s individuals contributing to this task and NCIA will be required prior to execution.
