2024-0177 Provision of Cyber Technician Services (NS) - FRI 28 Feb

Deadline Date: Friday 28 February 2025

Requirement: Provision of Cyber Technician Services

Location: Brunssum, NL

Full Time On-Site: Yes

Time On-Site: 100%

Period of Performance: 2025 BASE: not later than 01-04-2025 until 31-12-2025 with the possibility to exercise following options:

• 2026 option: 01-01-2026 until 31-12-2026

• 2027 option: 01-01-2027 until 31-12-2027

• 2028 option: 01-01-2028 until 31-12-2028

Required Security Clearance: NATO Secret

1. INTRODUCTION

The purpose of this Statement of Work (SoW) is to describe the Cyber Technician Services to the NCIA Agency, NATO Commands and National Accredited entities.

Due to heavy workload related to Cyber Security Activities, Cyber Technician Services are required for the period of 01 April 2025 until 31 Dec 2025 (with the possibility to exercise option years as outlined above) in order to be in compliance with the agreed timelines described in the 2025 SLA.

NCI Agency CIS Support Unit (CSU) Brunssum, located in Brunssum (NLD) enables end-to-end CIS services as it installs, operates, maintains and supports the full range of CIS capabilities during peacetime, crisis and war throughout its allocated Area of Responsibility (AOR) and as otherwise directed.

Due to increasing NATO exercise activity, CSU Brunssum is seeking for Local and AOR Cyber Security Services support.

2. HIGH LEVEL DESCRIPTION OF DELIVERABLES

The Contractor’s personnel will provide the services as part of an existing team of people supporting the NCIA CSU Brunssum Cyber Security Section Services and locations and will not be working independently. It is to augment current capability within the Cyber Security Section.

The contractor will support the CSU Brunssum Cyber Security Section Activities and duties providing CIS/IT Security monitoring and assistance services through the systems and equipment provided by NCIA.

The Contractor’s personnel will operate under the guidance of the Cyber Security Section Head and fulfil Tasks and Work Orders related to Cyber Security. The Contractor’s personnel will operate on CIS systems installed or assigned to the CSU Brunssum Cyber Security Section and AM/TM Security Section.

The Contractor’s personnel will deliver services in cooperation with AM/TM Security Section and NCSC.

The Contractor’s personnel will also support the CIS/IT and Physical security of the CIS/IT Infrastructure installed and operated at the CSU Brunssum and document the processes by following the processes in accordance with NATO Security Policies, Regulations and Directives.

The Contractor’s personnel will activate, revoke, upgrade and downgrade at the user level the access rights on Base Access Control Systems and Electronic Key Systems installed at NCIA Brunssum.

The Contractor’s personnel can be part of the Chain of Custody for Cyber Security Incidents registered inside the Camp Hendrik compound and SWHQ Castlegate.

3. DELIVERABLES AND RELATED MILESTONES

The Service Provider will deliver the following core activities as per the schedule below:

D.01 Cyber Security Monitoring Support

Review the events reported by the monitoring software and appliances

Frequency:  Daily, at least every two hours

Outcome: Production of Electronic Logs/digital evidences /digital events

Collection of relevant evidence in case of incident

Frequency: Per-event, once / twice a week

Outcome: Production of Electronic Log/Chain of Custody and digital evidences

Monitoring of outbound email traffic

Frequency: Daily, at least every two hours

Outcome: Production of Electronic Logs/digital evidences /digital events

Monitoring of inbound email traffic

Frequency: Daily, at least every two hours

Outcome: Production of Electronic Logs/digital evidences /digital events

Monitoring of unauthorised device connected to the networks

Frequency: Daily, at least every two hours

Outcome: Production of Electronic Logs/digital evidences /digital events

Monitoring of potential CIS/IT security violation

Frequency: Daily, at least every two hours

Outcome: Production of Electronic Logs/digital evidences /digital events

Monitoring of ICS/SCADA/EKS/Access Control Systems

Frequency: Daily, at least every two hours

Outcome: Production of Electronic reports and Paper Log

Monitoring of email security portal

Frequency: 3 times per day

Outcome: Production of Electronic Logs/digital evidences /digital events

Monitoring of Traka Key System

Frequency: On-Demand / at least twice a day

Outcome: Production of Paper and Electronic Logs

Monitoring of BRI Access Control System

Frequency: On-Demand / at least twice a day

Outcome: Production of Paper and Electronic Logs/Reports

Integrity Check for Security Seals

Frequency: Daily / at least once a day

Outcome: Signed Paper Logbook

Intrusion Detection Systems

Frequency: Daily / at least three times per day.

Outcome: Production of electronic logs

D.02 Data Analysis Support

Review of network event logs

Frequency: Daily, at least every two hours

Outcome: Collection of Electronic Logs/digital evidences /digital events

Review of computer event logs

Frequency: Daily, at least every two hours

Outcome: Collection of Electronic Logs/digital evidences /digital events

Review of infrastructure logs

Frequency: Daily, at least every two hours

Outcome: Collection of Electronic Logs/digital evidences /digital events

D.03 Customer/Service Line(s) Support

Assistance in Data Transfer (not classified inbound/outbound)

Frequency: On-Demand, at least twice a week

Outcome: ITSM Ticket status report

Assistance in Malware Data Analysis (first line response)

Frequency: On-Demand, at least twice a week

Outcome: ITSM Ticket status report

Assistance to NCSC requests for investigation (first line response)

Frequency: On-Demand, at least twice a week

Outcome: ITSM Ticket status report

Further details:

• Apply procedures in accordance with NATO Rules, Policies and Regulations to ensure strict control of classified items whenever operational requirements necessitate that material being destructed or disposed, on daily basis.

• Contractor provided support individual can be part of the Chain of Custody for equipment provided for Forensic Investigation on event basis.

4. PAYMENT SCHEDULE

The payments shall be dependent upon successful acceptance of the Delivery Acceptance Sheet (DAS) – (Annex A) including the EBA Receipt number.

Invoices shall be accompanied with a Delivery Acceptance Sheet (Annex A) signed by the Contractor and project authority.

2025 Base performance – 01 April 2025 – 31 December 2025

Deliverable: As applicable from Section 3 for the period (D01 – D03 per event activity during that calendar month)

Due Date: Last day of each month

Payment Milestones: The payment shall be dependent upon successful acceptance of the Delivery Acceptance Sheet (DAS) – Annex A including the EBA Receipt number. 100% completion is required for payment.

Contractor’s performance will be monitored against above mentioned deliverable schedule.

In case of completion less than 100% due to non-performance, there will be no payment for the period. Non-performance reasons will be documented in writing.

Payment will be made after the Purchaser has signed the Delivery Acceptance Sheet (DAS) (Annex A) for the respective deliverables. The Contractor shall submit an Invoice, with approved DAS attached, to the Purchaser for payment.

2026, 2027, 2028 Optional performance:

• 01 January 2026 – 31 December 2026

• 01 January 2027 – 31 December 2027

• 01 January 2028 – 31 December 2028

Deliverable: As applicable from Section 3 for the period (D01 – D03 per event activity during that calendar month)

Due Date: Last day of each month

Payment Milestones: The payment shall be dependent upon successful acceptance of the Delivery Acceptance Sheet (DAS) – Annex A including the EBA Receipt number. 100% completion is required for payment.

5. PRACTICAL ARRANGEMENTS

5.1. This is a completion-type contract which requires one Contractor with complementary skills to complete the work.

5.2. NCIA will provide necessary site access and permission.

5.3. NCIA will perform a full Health & Safety induction and Security Briefing (conducted by local NCIA CSU element) at the first possible opportunity for the Contractor to attend. The Contractor shall give their full attention and confirm the have understood the brief.

5.4. The Contractor shall perform the work as described in this statement of work.

5.5. The Contractor shall handle the equipment with due care to prevent damage and also in line with NATO Security Directives

5.6. The Contractor shall install the equipment following provided guidance to meet the requirements.

5.7. The Contractor shall minimize the impact to the end users during the execution of the work.

5.8. The Contractor shall bring, without delay, to the attention of the Point of Contact onsite any issues preventing the execution of the work.

5.9. The Contractor shall be courteous and professional in dealing with NATO staff.

5.10. The Contractor will report to and receive guidance from the Point of Contact on-site.

5.11. The Contractor shall follow the working procedures, business hours and observe the official holidays only.

5.12. The Contractor will provide services in line with the CSU working schedule (classified) which will be provided at a later stage after on-boarding of the personnel.

5.13. The Contractor shall provide a progress report on request of POC onsite.

5.14. The CSU POC (or authorised person) will provide on-the-job training to the Contractor.

5.15. The Contractor shall undertake the work at Joint Force Command Brunssum site, Brunssum, The Netherlands, working at NCI Agency CSU Brunssum. This requires access to the Base, subject to additional rules and procedures.

5.16. The security details of the Contractor are to be provided to the site at least 2 weeks prior to work commencing.

5.17. The Contractor shall ensure confidentiality, integrity and availability of the artefacts entrusted to them at all times including but not limited to documentation, manuals, guides, procedures, software components, installation media, binaries, scripts, etc.

5.18. In any suspected or confirmed security (including cybersecurity) incident regardless of the scope and impact, the Contractor shall notify the POC and stop any activities under this SOW until further guidance from the NCI Agency (e.g. in case of physical/cyber breach)

6. REQUIRED QUALIFICATIONS

[See Requirements]

7. TIME AND PLACE OF PERFORMANCE

The work shall be carried out at Purchaser’s premises located at Joint Force Command Brunssum, The Netherlands. In emergency cases it shall be performed in other NATO locations for up to 30 days.

Purchaser’s standard working hours at JFC Brunssum, The Netherlands are from 08h00 until 17h00 Monday through Thursday and 08h00 until 13h00 on Friday.

8. REQUIREMENTS

The Contractor shall provide all personnel, transportation, tools, supervision, and other items and non-personal services necessary to perform the scope of the work as described herein, except for those items specified as Purchaser furnished property and services. The contractor shall perform to the standards in this contract.

The Contractor shall support the accreditation of the CIS/IT equipment following the NATO Regulations.

The Contractor shall bring, without delay, to the attention of the Cyber Security Section Head any issues preventing the execution of the work.

The Contractor personnel shall possess valid Personal Security Clearance at NATO SECRET level for the duration of the Contract performance to allow autonomy in movement within the site.

The Contractor shall execute asset accounting transactions in the Purchaser asset system (EBA).

Prior to arriving on site, the Contractor shall have carried out and shall have in place for their staff the appropriate risk assessments.

9. CONTRIBUTION OF THE PURCHASER

The Purchaser will contribute with the following:

A) Provide an onsite Health & Safety induction brief and site familiarization brief;

B) Day to day direction and instruction to The Contractor staff while on site;

C) Requirements and forms for access to Joint Force Command Brunssum.

During the performance of the work, the Purchaser will provide a work position equipped with REACH laptop necessary to execute the asset accounting transactions. The Contractor staff will be required to complete the necessary forms in advance to have valid user accounts

Requirements

6. REQUIRED QUALIFICATIONS

Services under the current SOW are to be delivered by ONE resource that must meet the following experience, qualities and qualifications:

• Vocational training in relevant discipline of NATO Physical Security, Information Assurance Security with 2 years of post-related experience or a secondary educational qualification with 4 years post-related experience.
• At least 2 years of experience in a NATO or National HQ as Cyber Security Analyst and experience in Cyber/IT/CIS Security department/area.
• Experience in cyber monitoring systems, MAILGUARD and EPO reports.
• Strong knowledge in Access Control systems such as BRI and/or TRAKA systems
• Strong teamwork skills and proficiency in English (STANAG 3-3-3)

8. REQUIREMENTS

• The Contractor personnel shall possess valid Personal Security Clearance at NATO SECRET level for the duration of the Contract performance to allow autonomy in movement within the site.