2025-0070 ACPV Programme Management Support (NS) - THU 13 Mar

Deadline Date: Thursday 13 March 2025

Requirement: ACPV Programme Management Support

Location: Brussels, BE

Full Time On-Site: Yes

Time On-Site: 100%

Period of Performance: 2025 BASE: As soon as possible but not later than 14 th April 2025 until 31 December 2025.

2026 OPTION: 01 st January 2026 until 31 st December 2026.

Required Security Clearance: NATO SECRET

1. PURPOSE

The objective of this statement of work (SoW) is to outline the scope of work and deliverables for the Asset, Configuration, Patching and Vulnerability (ACPV) Programme Management Support to be conducted by the selected company.

This work package will provide programme management support to the ACPV Programme Manager function to develop identified deliverables. It will also provide advice on best practice and methodology to support effective enterprise programme management.

The products from this work will be used within NATO structure to execute ACPV Management function.

2. BACKGROUND

ACPV supports the NATO strategic objective to enhance cyber defence and resilience. It directly contributes to NATO’s cybersecurity posture, proactively challenging adversarial freedom of manoeuvre in cyberspace, countering malicious cyber activities on the Alliance and contributing to Enterprise cyberspace situational awareness in a dynamic environment.

NATO needs to continuously improve its Enterprise vulnerability management process as part of its aim to operate at the high security levels, which ensure its effectiveness and reliability. The ACPV Core System is expected to provide the NATO Cybersecurity ecosystem with adequate ACP management for vulnerability assessment information within the NATO Enterprise, ensuring that NATO CIS are understood, monitored, patched and actioned properly, in order to improve their protection against the full spectrum of current and future cyber threats.

In support of this, the NCI Agency is tasked under a Programme of Work (POW) to support the ACPV programme management function.

To support this work, the NCI Agency is looking for subject matter expertise in the delivery of complex, foundational and novel capability.

This contract is to provide consistent support, on a completion-type (deliverable-based) contract, to the NATO HQ Office of Chief Information Office (OCIO), thereby contributing to its POW based on the deliverables that are described in the scope of work below.

3. SCOPE OF WORK

The aim of this contract is to support the OCIO with programme management expertise specifically related to ACPV.

The requestor expects the work to be executed with effective planning, research, writing, holding external and internal discussions, modifying documents (including after each meeting), reporting progress, including meetings.

Under the direction / guidance of the NCIA Project Manager and OCIO Point of Contact, the Contractor will be the part of the OCIO Team and will provide services using an Agile and iterative approach using multiple sprints.

Each sprint is planned for a duration of one (1) week. The content and scope of each sprint will be agreed with the NCIA Project Manager during the sprint-planning meeting, in writing.

Services provided will be supporting the following activities:

1) ACPV Strategic Communications Plan:

a) Contribute to the production of the sections of the plan,

b) Provide expertise to mature the plan,

c) Identify ACPV management strategic goals,

d) Implement and manage the ACPV Community of Interest (COI) portal (utilising an existing NATO COI System1)

e) Keep maintenance of up-to-date stakeholder lists including contact details.

2) Lessons Identified Register:

a) Collect feedbacks from various internal NATO Entities and external Industry Partners,

b) Provide a concise and quality-driven list of Lessons Identified from the ACPV management process,

c) Maintain identified lessons in a Lessons Register.

3) Risk Log:

a) Contribute to the identification, the estimation of the probability and the impact of the ACPV program risks,

b) Contribute to the development of a Risk Response Plan,

c) Maintain the Risk Log linking mitigation actions to the D2 Activity / Plan of action.

4) Roll-out and Implementation Roadmap:

a) Contribute to the development of the roll-out and implementation Roadmap of ACPV Programme,

b) Provide own expertise for the development of the Roadmap,

c) Link the actions to the D2 Plan of actions.

5) Bi-weekly Progress Report:

a) Produce bi-weekly progress reports for distribution to OCIO stakeholders and store correctly highlighting the following:

• Executive summary,

• Top 3 Risks and Issues,

• RAG status,

• Progress made,

• Progress planned.

b) Maintain the activity tracker,

c) Summarize change programme schedule, key risks and work in progress/plan of action.

6) ACPV COI Conference:

a) Contribute to the administrative arrangements and the execution of Quarterly Face-2-Face ACPV COI Conference,

b) Prepare calling notice,

c) Develop and coordinate the conference agenda,

d) Coordinate the representatives from stakeholders,

e) Arrange the access of the participants to the NHQ.

7) ACPV RACI Matrix:

a) Define and manage the ACPV RACI (responsible, accountable, consulted, and informed) matrix which feeds into the change management plan,

b) Include following in RACI matrix:

• Names and contact details,

• Roles,

• Manager,

• Area of Responsibility,

• For each task whether they are Responsible, Accountable, Consulted or Informed.

The work shall be conducted in close collaboration between the Contractors and NCI Agency project manager as described below:

Stakeholder Main Role (s)

NCIA PM: Project lead and main stakeholder

OCIO PM: Monitoring, controlling and acceptance of service delivery

Contractor: Providing services and deliverables as identified above

4. DELIVERABLES AND PAYMENT MILESTONES

The Purchaser (NCIA) reserves the right to exercise a number of options of one or more sprints based on the same deliverables, at a later time, depending on the project priorities and requirements, at the same cost.

The payment shall be dependent upon successful acceptance of the Delivery Acceptance Sheet (DAS) – (Annex B).

Invoices shall be accompanied with a Delivery Acceptance Sheet (Annex B) signed by the Contractor and the project authority.

The following deliverables are expected from the work on this SoW in 2025:

Deliverable: 36 sprints for ACPV Programme Management Support as per described in Para 3 (Number of sprints is estimated, this will be adjusted based on actual starting date.)

Payment Milestones: Upon completion of each fourth sprint and at the end of the service.  Completion of each milestone shall be accompanied documented in Delivery Acceptance Sheet (DAS) – (Annex B), signed for acceptance by the Purchaser’s authorized point of contact and the Contractor

2026 Option: 01 st January 2026 to 31 st December 2026:

Deliverable: 46 sprints for ACPV Programme Management Support as per described in Para 3 (Number of sprints is estimated, this will be adjusted based on actual starting date.)

Cost Ceiling: Price will be determined by applying the price adjustment formula as outlined in CO‐115786‐ AAS+ Special Provisions article 6.5.

Payment Milestones: Upon completion of each fourth sprint and at the end of the service.  Completion of each milestone shall be accompanied documented in Delivery Acceptance Sheet (DAS) – (Annex B), signed for acceptance by the Purchaser’s authorized point of contact and the Contractor

5. COORDINATION AND REPORTING

The contractor shall participate in daily status update meetings, activity planning and other meetings as instructed, physically in the office, or in person via digital means using conference call capabilities, according to the manager’s / team leader’s instructions.

For each sprint to be considered as complete and payable, the contractor must report the outcome of his/her work during the sprint, first verbally during the retrospective meeting and then in written within three (3) days after the sprint’s end date. The format of this report shall be a short email to the NCI Agency Project Manager mentioning briefly the work held and the development achievements during the sprint.

At the end of the project, the Contractor shall provide a Project Closure Report that is summarizing the activities during the period of performance at high level.

6. SCHEDULE

This task order will be active immediately after signing of the contract by both parties.

The period of performance is as soon as possible but not later than 14 th April 2025 and will end no later than 31st December 2025.

If the 2026 option is exercised, the period of performance is 01 st January 2026 to 31 st December 2026.

7. CONSTRAINTS

All the deliverables provided under this statement of work will be based on NCI Agency templates or agreed with the project point of contact.

All documentation etc. will be stored under configuration management and/or in the provided NCI Agency tools.

8. SECURITY AND NON-DISCLOSURE AGREEMENT

It is mandatory to have the candidate be in possession of a NATO SECRET security clearance to facilitate follow-on engagements and coordination at NATO venues.

The signature of a Non-Disclosure Agreement between the contractor contributing to this task and NCIA will be required prior to execution.

9. PRACTICAL ARRANGEMENTS

The contractor will be required to provide services approximately 100% onsite in Brussels, BEL as part of this engagement, during standard working hours of the ACPV Programme Management Function Team which is also located in BRUSSELS / BEL.

The contractor may be required to travel to other NATO locations as part of his role. Travel expenses for missions to other NATO/NCIA locations rather than NATO HQ in Brussels are out of scope and will be borne by the NCI Agency separately in accordance to the provisions of the AAS+ Framework Contract.

The Purchaser will provide the Contractor with the following Purchaser-Furnished Equipment (PFE):

• Access to NATO sites, as required, for the purpose of executing this SOW.

• Workspace (needed business IT for both on- and off-site work, hot-desk at NATO HQ facility).

10. REQUIRED PROFILE

[See Requirements]

11. DESIRABLE PROFILE

[See Requirements]

Requirements

8. SECURITY AND NON-DISCLOSURE AGREEMENT

• It is mandatory to have the candidate be in possession of a NATO SECRET security clearance to facilitate follow-on engagements and coordination at NATO venues.

10. REQUIRED PROFILE

The services under this SOW must be accomplished by one resource. The resource will be part of the ACPV Programme Management Functions Team.

The following demonstrated skills, knowledge and experience are required:

• Experience (proven record) in collaborating with industry and international organizations on IT-Service based projects and programmes management activities in general and, desirably experience in at least one ‘ACPV like ’ functional/technical area,
• Experience (proven record) in enterprise risk management plan and risk log,
• Understanding of recent emerging technological trends and challenges in ACPV area,
• Expert technical knowledge of strategic organizational change management,
• Experience (proven record) with strategic planning, change roadmaps and change implementation including progress measurement and reporting,
• Strong analytical and research skills with the ability to collect, analyse and interpret large quantity of data from different sources,
• Strong analytical skills to assess and describe complex problems with multiple variables and develop adequate concepts and solutions,
• Expert communication and writing skills in English with the ability to develop and present complex concepts in a clear and succinct way,
• Strong skills in the creation of information sharing mechanisms including SharePoint and portals,
• Excellent writing skills to produce high-quality reports and deliverables, including presentation of results at meetings,
• Ability to build relationships and communicate with a variety of stakeholders including C-Suite, Technical and Non-Technical.

11. DESIRABLE PROFILE

The candidate should also ideally have knowledge and experience in the following areas:

• Experience in working with NATO.
• Experience of working with NATO Communications and Information Agency.
• Experience of working with national Defence or Government entities.