2025-0037 Cyber Security and Guard Support (NS) - FRI 14 Feb

Deadline Date: Friday 14 February 2025

Requirement: Cyber Security and Guard Support

Location: Mons, BE

Full Time On-Site: Yes

Period of Performance: As soon as possible but not later than 31st March 2025 until 31 December 2025 with possibility to exercise the following options:

2026 Option: 1st January until 31st December 2026

2027 Option: 1st January until 31st December 2027

2028 Option: 1st January until 31st December 2028

Required Security Clearance: NATO SECRET

1. BACKGROUND

The NCIA has been established with a view to meeting the collective requirements of some or all NATO nations in the fields of capability delivery and service provision related to Consultation, Command & Control as well as Communications, Information and Cyber Defence functions, thereby also facilitating the integration of Intelligence, Surveillance, Reconnaissance, Target Acquisition functions and their associated information exchange.

2. INTRODUCTION

The NATO Cyber Security Centre (NCSC) is a team of over 200 members working to monitor and protect NATO networks. In the NCSC’s role to deliver robust security services to the NATO Enterprise and NATO Allied Operations and Missions (AOM), the centre executes a portfolio of programmes and projects around 219 MEUR euros per year, in order to uplift and enhance critical cyber security services.

In order to execute this work, the NCIA is seeking additional manpower through contracted resources to support the work undertaken by the NATO Cyber Security Centre (NCSC) in the area of Communications and Information System (CIS) security, cyber defence and cyberspace operations.

The Gateway Security Services (GSS) Section facilitates and accounts for all lifecycle aspects of Boundary Protection Components deployed within and on the edge of NATO networks in order to protect key NATO information while allowing NATO staff to work securely and process their information.

NCIA is looking for subject matter expertise for the delivery of this complex and critical cybersecurity capability.

This contract is to provide consistent support on a deliverable-based contract to NCSC based on the deliverables that are described in the scope of work below.

3. PURPOSE

The Cyber Security SECURE Branch delivers a wide suite of enabling services in specific areas of Technical Services and CIS protection.

Gateway Security Services operate (amongst others) various technologies such as data diodes, secure mail gateways and guard components support the secure cross-domain data exchange.

This Statement of Work (SOW) outlines the services to be provided by the Supplier to NCIA Cyber Security Centre Secure Branch to fulfil identified CYBER SECURITY AND GUARD Support more effectively.

4. SCOPE OF WORK

The main objective of the statement of work is to underline the Cyber Security needs of the NCSC and to look for support to Gateway Security Services, the ‘Level 3 Cyber Security and Guard that should be manned by the service supplier on a daily basis to ensure service objectives are met continuously.

The aim of this SOW is to support NCSC with technical expertise specifically related to the operation and maintenance of CYBER SECURITY AND GUARD Support with a deliverable based (completion-type) contract to be executed in 2025.

The service provider will be required to deliver a daily activities schedule, orchestrate NCIA processes as well as represent NCSC business unit on an Enterprise Level where required. Tasks performed by a contractor include:

• Build, implement, maintain, and support systems within existing cross-domain gateways (System Administration).
• Configure, maintain, review and update configuration settings and policies on guard components and data diodes (System Configuration)

Under the direction / guidance of the NCSC Point of Contact, a contractor will be the part of the NCSC Team supporting the following activities:

1. Central system administration of Guards and Data Diodes to ensure continuing functionality and availability.

• Hardware and software systems installation and configuration
• User and access management
• Back up and restore systems data
• Monitor system performance and availability
• Log forwarding towards archiving and/or forensic systems
• Analyze, troubleshoot and resolve application issues
• Development of automation scripts to meet day to day system administration tasks

2. Central configuration of Guards and Data Diodes

• Implementation and verification of guards and data diode configuration to meet customer cross-domain data exchange requirements
• Adaptation of release markings
• Adaptation of email attachment types
• Configuration of additional cross-domain flows
• Back up and restore configuration data

3. Updating of Guard and Data Diode software/patches

• Monitor patch releases
• Test new software and patches
• Support A2SL process for approval of software updates
• Installation and configuration of software and patch updates

4. Documentation of Guards and Data Diode systems

• Development of SOPs and other documentation for repetitive activities
• Produce and maintain comprehensive documentation for all implemented systems
• Review and update security documentation
• Education/training/familiarization of other teams

5. Support of Guards and Data Diodes

• Technical support in troubleshooting infrastructure and operational issues
• Collaborate with other teams for a successful resolution;
• Provide technical support and guidance by answering end-user requests to identify issues in secure cross-domain data exchange

The measurement of execution for this work is sprints, with each sprint planned for a duration of 1 week.

Central configuration of Guards and Data Diodes

The purpose of daily Central administration and configuration of Guards and Data Diodes is to ensure continuing functionality and availability of those critical systems in order to support a wide range of end-user facing services.

The Service Provider will:

• Support the team by routinely reviewing the tickets queue to ensure 4 hours response time for normal events and 1 hour response time for high/critical events
• Provide multi-channel support (phone, email, internal chat)
• Develop and maintain a repository of scrips to automate recurring systems administration activities.
• Ensure correct logging and log forwarding configurations to support availability of system events in central log database.
• Provide pro-active system administration and maintenance to prevent system failures
• Escalate critical events to appropriate channels within 4 hours

GSS contractor is expected to be an experienced Linux administrator and should have sufficient knowledge in Hardware, Systems, Networks, and Cyber Security Tools.

Preparation: Review of incoming administration tickets/requests, initial assessment, categorization and preparation for implementation. Monitor system counters, log files and other usage information to pro-actively identify bottlenecks, upcoming problems. Identify routing tasks that can be automated.

Implementation: Following established processes, perform admin actions to mitigate identified system issues.

Results: Output: Updated administration information and system backup; no more pending tickets in ITSM toolset

Recurrence: Daily (Monday – Friday)

Activity and availability KPIs shall be recorded and visible for review by SEC011 SDM and/or Operations Manager.

Central configuration of Guards and Data Diodes

The Service Provider will:

• Support the team by routinely reviewing the tickets queue to ensure 4 hours response time for normal events and 1 hour response time for high/critical events
• Provide multi-channel support (phone, email, internal chat)
• Update the configuration of cross-domain security guards or data-diodes based on changing requirements.
• Ensure a working backup/restoration procedure of configuration settings has been tested, implemented and documented.

The primary purpose of Central configuration of Guards and Data Diodes is to ensure that all configuration requests are properly prepared (investigated, evaluated and risk assessed) for consideration, documented and implemented.

Preparation: Review of incoming tickets/requests, initial assessment, categorization and preparation for implementation. Relevant stakeholder to be identified and included in consideration for Technical Implementation aspects.

Implementation: Following established processes, implementation either within a planned maintenance window or directly on the affected cross-domain system or data diode.

Verification: Successful implementation to be verified by requestor (through NCIA ITSM toolset)

Results: Output: Updated configuration database and backup; no more pending tickets in ITSM toolset

Recurrence: Daily (Monday – Friday)

Summary report of performed configuration changes to be briefed once per week to SEC011 SDM or Operations Manager

Updating of Guard and Data Diode software/patches

The Service Provider will:

• Raise required documentation to initiate the software approval process
• Update production systems to the latest approved software version

The primary purpose of updating of Guard and Data Diode software/patches is to ensure that the systems operate with the latest approved and most secure software/application version. It includes the scheduling for deployment, cutover and testing of the updates.

Preparation: Review of installed software/patch/application versions. Monitor provider portals for availability of updates.

Execution: Output: SEC011 SDM/Operations Manager should be informed of all actions under preparation; timelines for patching briefed in weekly team meeting; CRQ communicated to NCSC Change Management stuff

Results: CRQ submitted, Update/patch windows planned and approved, systems patched

Recurrence: Preparation: Daily (Monday – Friday); Execution and Results: Upon availability of patches/updates / once a week (Friday)

Documentation of Guards and Data Diode systems

The Service Provider will:

• Document setup, configuration, installation specifics into the GSS documentation repository
• Attend internal meetings within GSS team to provide hands-on demonstration and familiarization of cross-domain gateway systems

Preparation: Draft/review new/updated documentation

Execution: Presentation of updated documentation to GSS Team Lead

Results: Output: Documentation uploaded to SEC011 repositories

Recurrence: Once a week (Thursday)

Notes/documentation to be signed off by NCSC SEC011 SDM.

Support of Guards and Data Diodes

The Service Provider will:

• Provide support to NATO staff users and collaborate with other admin staff to resolve tickets related to cross-domain data transfer
• Create entries on issues activities

The support activities are typically documented within the NCIA ITSM tool suite.

Preparation: Review of all the tickets (INC, WO/SR. CRQ)

Execution: Meetings (in person, online) with GSS team and other peers; communication with end-users (if needed)

Results: Output: Update on related issues during the previous reporting period

Recurrence: Once a week (Friday)

Service Level Agreements (SLAs)

The following SLAs will apply:

Average speed of answer: 30 minutes-4hours

Service provider is expected to provide service every day during normal business hours 08:30-17:30.

Client Responsibilities

The Client will:

Provide necessary access to systems and information required for all services

Tools and equipment (laptop) will be provided for remote service provisioning. Access to the following tools that are used to execute daily tasks will be provided: BMC remedy (NCIA Enterprise); Visio; MS Office Suite; SharePoint;

Designate primary points of contact for escalations and decision-making

Early Definition: Establish criteria at the beginning of the project or sprint; Refine criteria as needed throughout the development process

Prioritization: Identify must-have criteria vs. nice-to-have features; Align prioritization with project / service goals and constraints

Consider Edge Cases: Include criteria for handling unexpected inputs or scenarios; Address potential failure modes and error handling

5. DELIVERABLES AND PAYMENT MILESTONES

The following are expected from this statement of work:

1) Complete the activities/tasks agreed in each spring meeting as per sections 2 and 3 above.

2) Produce sprint completion reports (format: e-mail update), which include details of activities performed and the list of the deliverables of the week.

3) The contractor will participate in the daily reporting and planning activities (daily stand-ups) as well as the required participation in workshops, events and conferences related to the supported services, as requested by the service delivery manager.

4) Payment schedule will be according to payment milestones upon completion of 4 consecutive sprints. Upon completion and validation of each sprint and at the end of the monthly milestone, following the acceptance of the sprint report.

5) The NCIA team reserves the possibility to exercise a number of options, based on the same scrum deliverable timeframe, at a later time, depending on the project priorities and requirements.

6) The payment shall be dependent upon successful acceptance of the sprint report and the delivery acceptance sheet (das) – (annex a) including the EBA receipt number.

7) Invoices shall be accompanied with a delivery acceptance sheet (annex a) signed by the contractor and the NCIA POC

2025 BASE: PERIOD OF PERFORMANCE 31ST MARCH 2025 TO 31 DECEMBER 2025

Deliverable:  up to 34 Sprints containing all deliverables in section 5

Payment Milestones: Upon completion of max 4 sprint accepted within the respective month (at the end of the month) and at the end of the work.

2026 OPTION: PERIOD OF PERFORMANCE 01 JANUARY 2026 TO 31 DECEMBER 2026

Deliverable: Up to 44 Sprints

Payment Milestones: Payment Milestones will be end of the month for each 4 Sprints completed and accepted within the respective month and at the end of the work.

2027 OPTION: PERIOD OF PERFORMANCE 01 JANUARY 2027 TO 31 DECEMBER 2027

Deliverable: Up to 44 Sprints

Payment Milestones: Payment Milestones will be end of the month for each 4 Sprints completed and accepted within the respective month and at the end of the work.

2028 OPTION: PERIOD OF PERFORMANCE 01 JANUARY 2028 TO 31 DECEMBER 2028

Deliverable: Up to 44 Sprints

Payment Milestones: Payment Milestones will be end of the month for each 4 Sprints completed and accepted within the respective month and at the end of the work.

7. COORDINATION AND REPORTING

The contractor shall participate in daily status update meetings, activity planning and other meetings as instructed, via electronic means using Conference Call capabilities, according to the Operation Managers / Team Leaders instructions.

Due to the AGILE approach of this project, there is a need to define a set of specific arrangements between the NCIA and the contractor that specifically defines the deliverables to be provided for each sprint as well as their associated acceptance criteria. This includes sprint planning, execution and review processes, which are detailed below:

1. Sprint Planning:

Objective: Plan the objectives for the upcoming sprint

Kick-off meeting: Conduct a monthly meeting with the contractor to plan the objectives of upcoming sprints and review contractor`s manpower to meet the agreed deliverables.

Set sprint goals: Define clear, achievable goals for the sprint and associated acceptance criteria, including specific delivery targets, Quality standards as well as Key Performance Indicators (KPIs) for each task to be recorded in the sprint meeting minutes.

Agree on the required level of effort for the various sprint tasks.

Backlog Review: Review and prioritise the backlog of tasks, issues, and improvements from previous sprints.

Assess each payment milestone cycle duration of one calendar month. State of completion and validation of each sprint status and sign off sprints to be submitted for payment as covered in Section 4.

2. Sprint Execution

Objective: Contractor to execute the agreed “sprint plans” with continuous monitoring and adjustments.

Regular meetings between NCIA and the contractor to review sprint progress, address issues, and make necessary adjustments to the processes or production methodology. The Meetings will be physically in the office.

Continuous improvement: Contractor to establish a continuous feedback loop to gather input from all stakeholders for ongoing improvements and their subsequent implementation depending on NCIA approval.

Progress Tracking: Contractor to use a shared dashboard or tool to track the status of the sprint deliveries and any issues.

Quality Assurance/Quality Check: Contractor shall ensure that the quality standards agreed for the sprint deliverables are maintained throughout the sprint.

Quality Control: NCIA to perform the Final Quality Control of the agreed deliverables and provide feedback on any issues.

3. Sprint Review

Objective: Review the sprint performance and identify areas for improvement.

At the end of each sprint, there will be a meeting between the NCIA and the Contractor to review the outcomes against the acceptance criteria comprising sprint goals, agreed quality criteria and Key Performance Indicators (KPIs).

Define specific actions to address issues and enhance the next sprint.

4. Sprint Payment

For each 4 (four) sprints to be considered as complete and payable, the contractor must report the outcome of their work during the sprint, first verbally during the retrospective sprint review meeting and then in writing within five days after the 4th sprint’s end date. A report must be sent by email to the NCIA service manager, listing all the work achieved against the agreed tasking list set for the sprint.

The contractor's payment for each set of 4 sprints will be depending upon the achievement of agreed Acceptance Criteria for each task, defined at the sprint planning stage. This will include specific delivery targets, quality standards as well as Key Performance Indicators (KPIs) for each task.

The payment shall be dependent upon successful acceptance as set in the above planning/review meetings. This will follow the payment milestones that shall include a completed Delivery Acceptance Sheet (DAS) – (Annex A) including the EBA Receipt number

Invoices shall be accompanied with a Delivery Acceptance Sheet (DAS) – (Annex A) signed by the Contractor and project authority.

If the contractor fails to meet the agreed Acceptance criteria for any task, the NCIA reserves the right to withhold payment for that task/sprint.

Further, the supplier must conduct the following reviews:

A daily ‘touch point’ between NCIA POC and the supplier’s POC to ensure work is on track

Draft versions of the reports where the supplier’s POC presents the draft report to the customer, with the opportunity for the customer to provide feedback and implement uplifts.

Final versions of the reports where the incumbent presents and delivers the final report to the customer.

For each sprint to be considered as complete and payable, the contractor must report the outcome of his/her work during the sprint, first verbally during the retrospective meeting and then in written within three (3) days after the sprint’s end date. The format of this report shall be a short email to the NCIA Project Manager mentioning briefly the work held and the development achievements during the sprint.

At the end of the project, the Contractor shall provide a Project Closure Report that is summarizing the activities during the period of performance at high level.

ACCEPTANCE AND REJECTION CRITERIA

a) Acceptance Criteria

a.1. Quality of work reached NATO standards

a.2. Tasks are completed within the assigned time

a.3. Performances are as defined by the line manager

For each sprint to be considered as complete and payable, the contractor must report the outcome of his/her work during the sprint, first verbally during the retrospective meeting and then in written within three (3) days after the sprint’s end date. The format of this report shall be a short email to the NCIA Point of Contact mentioning briefly the work held and the development achievements during the sprint.

The services will be deemed accepted when:

• All specified SLAs are met
• All deliverables have been provided as outlined in Section 5
• Tickets/requests are continuously monitored
• Issues are continuously monitored
• Recurring meetings and cross-teams collaboration are manned at all times
• All of the meetings information and actions are captured within NCSC SEC011 repositories
• The Written Reports contain no spelling or grammatical errors, all data sources are properly cited, the document follows the provided template, including font styles and sizes, all charts and graphs are clearly labelled and include a brief explanatory caption

Version Control: maintain a clear record of criteria changes and ensure all stakeholders are working with the most up-to-date version

b) Rejection Criteria

b.1. Quality of work is low

b.2. Tasks are not completed within the assigned time

b.3. Performances are not as defined by the line manager

The client may reject deliverables if they do not meet the specified acceptance criteria or if they contain critical errors.

A rejected deliverable must be corrected and resubmitted within 1 (one) business day.

c) A replacement will be requested if the contractor cannot fulfil the tasks as explained in rejection criteria.

d) Payment will not be done if the sprint is not completed.

8. SCHEDULE

It is expected the service starts as soon as possible but no later than 31 march 2025 and ending no later than 31st December 2025.

if the 2026 option is exercised, the period of performance is 01st January 2026 to 31st December 2026

if the 2027 option is exercised, the period of performance is 01st January 2027 to 31st December 2027

The work will be conducted during normal office hours following the NCIA Brussels calendar, as well as outside office hours and on weekends, if necessary.

9. CONSTRAINTS

All the documentation provided under this statement of work will be based on NCIA templates or agreed with project point of contact.

All support, maintenance, documentation and required code will be stored under configuration management and/or in the provided NCIA tools.

All developed solutions, tools and code under this project will be property of the NCIA.

10. SECURITY AND NON-DISCLOSURE AGREEMENT

Any proposed resource providing services under this SOW must be in possession of a security clearance NATO SECRET or above to facilitate follow-on engagements and coordination at NATO venues.

The signature of a Non-Disclosure Agreement between any Service Provider’s individuals contributing to this task and NCIA will be required prior to execution.

11. PRACTICAL ARRANGEMENTS

This is a deliverables-based contract.

The contractor will be required to provide the service 100% on-site at NCIA Mons, Belgium. Exceptional off-site activities to support service delivery can also be arranged with the line manager’s coordination and approval.

NCI Agency will provide access to relevant networks and resources as required by the project. The work depicted in this sow is expected to be carried by a single contractor.

Contractor will be part of the NCIA NCSC GSS team.

There might be requirements to perform out-of-hours work to support planned maintenance activities or delivery of critical services as well as to provide on-call support outside regular business hours.

NCIA IT equipment will be provided (one REACH laptop will be provided). This equipment can be used by one person only and associated to that individual.

12. TRAVEL

There may be limited travel required (max.3 times/per year, each travel up to 3 working days), specifically to Brussels, Belgium, The Hague, Netherlands or Brunsum, Netherlands.

No additional cost for travel (including accommodation, per diem, travel expenses, etc.,) will be claimed separately. All travel arrangements are the responsibility of the contractor.

13. REQUIRED PROFILE

[See Requirements]

Requirements

10. SECURITY AND NON-DISCLOSURE AGREEMENT

• Any proposed resource providing services under this SOW must be in possession of a security clearance NATO SECRET or above to facilitate follow-on engagements and coordination at NATO venues.

13. REQUIRED PROFILE

The contractor that is going to perform the identified tasks as an operation and maintenance expert of CYBER SECURITY AND GUARD must have demonstrated skills, knowledge and experience as listed below.

Activities performed by the contractor include facilitation of all lifecycle aspects of Boundary Protection Components deployed within and on the edge of NATO networks

• Bachelor's degree in Computer Science, Information Technology, or related field Or equivalent experience.
• 5+ years of experience in IT security, with a focus on Security Tools Management in large organisations.
• Strong understanding of security best practices
• Good engineering skills including programming
• Demonstrable experience of analysing and interpreting system, security and application logs in order to diagnose faults and spot abnormal behaviours.
• Experience with system instrumentation solutions such as below:
• Linux System Administration (preferred RedHat Enterprise Linux)
• Scripting/Automation (Bash, Python, Ansible)
• Other Boundaries Protections Devices such as firewalls
• System security, including hardening and SELinux
• System monitoring and troubleshooting
• Experience with network protocols and traffic analysis
• Ability to troubleshoot complex network security issues
• LAN/WAN networking including protocol network architecture
• TCP/IP protocols and services
• Excellent communication abilities, both written and verbal, with the ability to clearly and successfully articulate complex issues to a variety of audiences and teams
• Official Linux certification (such as RHCSA, GCUX,)
• Official Network Management certification (such as Network+)
• Official Service Management certification (such as ITIL Foundation )

In addition to the above, it is desirable for the contracted individual to have working experience and knowledge in the following areas:

• Understanding of Information Security Practices; relating to the Confidentiality, Integrity and Availability of information (CIA triad.)
• Possession of Industry leading certification in the area of Cybersecurity such as CISSP, CISM, CISA, GSNA, SANS GIAC
• Experience in working with NATO.
• Experience of working with NATO Communications and Information Agency.
• Experience of working with national Defence or Government entities.
• Strong stakeholder management skills – can demonstrate evidence of developing and maintaining strong and effective relationships with internal stakeholders at all levels in an organization.
• Flexible and adaptable; experience of working in ambiguous situations.
• Excellent mentoring skills.