2024-0258 Support for VeVA and ESOC WatchKeepers (NS) - FRI 21 Mar
Mons, Wallonia, Belgium
Full Time Contract Senior-level / Expert Clearance required EUR 41K - 95K * est.
EMW, Inc.
Deadline Date: Friday 21 March 2025
Requirement: Support for Vigilance and Enhanced Vigilance Activities (VeVA) Project and ESOC WatchKeepers (24/7 Helpdesk Team of NATO Cybersecurity)
Location: Mons, BE
Full Time On-Site: Yes
Time On-Site: 100%
Period of Performance: 2025 BASE: 28th Apr 2025 (tentative) to 31st Dec 2025, with possibility to exercise the following options:
2026 Option: 1st January until 31st December 2026
2027 Option: 1st January until 31st December 2027
2028 Option: 1st January until 31st December 2028
Required Security Clearance: NATO SECRET
1. BACKGROUND
The NCI Agency has been established with a view to meeting the collective requirements of some or all NATO nations in the fields of capability delivery and service provision related to Consultation, Command & Control as well as Communications, Information and Cyber Defence functions, thereby also facilitating the integration of Intelligence, Surveillance, Reconnaissance, Target Acquisition functions and their associated information exchange.
2. INTRODUCTION
The NATO Cyber Security Centre (NCSC) is a team of over 200 members working to monitor and protect NATO networks. In the NCSC’s role to deliver robust security services to the NATO Enterprise and NATO Allied Operations and Missions (AOM), the centre executes a portfolio of programmes and projects of around 219 MEUR per year, in order to uplift and enhance critical cyber security services.
The Cyber Security Operationalize Branch’s mission is to monitor, detect, analyse and respond to cyber incidents and cyber threat activity. It acts as the NATO Computer Emergency Response Team (CERT) for NATO with a NATO-wide mandate. It is responsible for sharing information related to cyber security incidents with NATO Nations and NCIA industry partners.
In order to execute this work, the NCI Agency requires support with the work undertaken by the NATO Cyber Security Centre (NCSC) in the area of Communications and Information System (CIS) security and cyber defence. This Statement of Work (SoW) specifies the required skillset and experience.
2.1 ARCHITECTURE FOR PROTECTING SECRET/TOP SECRET NETWORKS AND VEVA PROJECT
The primary (and currently only) NCSC Cyber Security Operations Centre (CSOC) is located in S.H.A.P.E. (Mons, Belgium). This CSOC is responsible for the monitoring of all NCI Agency deployed networks (about 50 sites across multiple NATO Nations), at the UNCLASSIFIED, RESTRICTED and SECRET Level.
There are multiple cyber security solutions which include (but are not limited to) Network Intrusion Detection/Prevention Systems (NIPS), Full Packet Capture (FPC), Firewalls, Network Vulnerability Scanners, Online/Offline Computer Forensics, Network Discovery tools etc.
The central management of those solutions (called Tier 2) is in S.H.A.P.E., while the sensors are spread all across the protected sites (Tier 3 sites), and report back to Tier 2.
In the following years, the coverage of the CSOC will be expanded to include one (1) additional SECRET Network, and two (2) TOP SECRET networks, for all of which architecture work will be required. Due to the strict security and “need-to-know” requirements of those networks, not all existing security services are fit for use. It is the contractor’s responsibility to review the relevant NATO Policy Directives and discuss with the relevant stakeholders, to identify and recommend the optimal security services (and their mechanism for delivery) for the protection of those networks.
3. PURPOSE
The Cyber Security Operationalize Branch performs comprehensive Support to Cyber Security, continually accessible advice and action to support the customer in the maintenance of efficient and compliant cyber security and cryptography that underpins the security of our communication and information.
This Statement of Work (SOW) outlines the services to be provided by the Supplier to NCI Agency Cyber Security Operationalize Branch for the implementation and management of a 24/7 cybersecurity helpdesk service related to VeVA Project.
4. OBJECTIVES
The main objective of the statement of work is to underline the Cyber Security needs of the NCSC and to look for a Service Provider that will provide effective, agile and resilient cyber defences in order to deliver the 24/7 monitoring of crypto devices, networks, websites and email traffic to detect and identify incidents and threats.
The services will be delivered in Sprints, and each sprint will have the duration of 1 (one) week.
During one sprint, the assigned resources will act as one of the key operational and technical experts while developing and demonstrating Monitoring and Detection reports and acting as Point of Contact with NATO Nations for any cyber security incident related issues, performing the following activities:
• Information Assurance incident management;
• 24/7 helpdesk service management;
• Management of Secure Management Centres (SMC) including: key management, access control management, security monitoring, IP crypto configuration management, error location and recovery, database backup, alarm handling;
• Management of NATO Wide PKI user profiles, CA certificates, End-User certificates, other root CA domains certificates, CRLs and ARLs;
• Provide technical support and assistance to ACO wide and NATO Agencies and National MODs
• Cyber Security 24/7 watch-keeping duties such as: receiving advisories from national and non-government CERTs, disseminating general incident related information to CIS operating authorities, providing technical support and assistance to NATO CIS operating authorities in respect to malicious code prevention, providing liaison with other CERTs, providing limited technical support and assistance to NATO CIS operating authorities in respect to intrusion detection, performing initial incident response, recovery, and reporting activities in support of operational NATO CIS, reporting incidents and vulnerabilities to the Cyber Security sections, coordinating the collection and processing of all cyber related information for NU, NR, MS and NS systems, providing centralized on line Vulnerability Assessment of remote networks and interfaces;
• Support to incident response as the entry point for the reporting of cyber security incidents, direct support to detection activities, as well as ad-hoc requests;
• Cyber Security Information Sharing Services - This Service provides the dissemination and/or production of different type of documents/updates such as: Cyber Security Daily news, Trend Micro Patterns, replication of Trend Micro Active Repository, McAfee updates, Juniper Signatures, ExtraDat, Cyber Defence SitRep Bulletins, NATO Identified Malware Black List (NIMBL);
• Internet e-mail and Internet-Facing Web Sites monitoring Service – Internet Facing Email Content Monitoring: Checking of all Inbound/Outbound Internet e-mail to ensure compliance with NATO and applicable local Security Policies; such checks include malicious code, executable content, encrypted content, SPAM, and Classified Data content;
• Internet Web Site monitoring - The ability to centrally monitor customer's Internet-facing Web Sites for unauthorised changes and to take appropriate reporting/remedial actions
The content and scope of each sprint will be agreed during the sprint-planning meeting, in writing, based on the activities mentioned above.
Services will be provided by ONE resource.
All of the defined deliverables are deliverable artefacts such as briefings, reports, designs or specifications with a well-defined NCI Agency-specified format.
All deliverables are to be peer reviewed within the deliverable cycle. Input and guidance will be provided by NCI Agency in written form and/or during the targeted review meetings.
5. DELIVERABLES
The measurement of execution for the work is sprints, with each sprint planned for a duration of 1 week.
The content and scope of each sprint will be agreed during the sprint-planning meeting, in writing, based on the activities mentioned above in para.4 and as per below.
The Service Provider will deliver the following as per the schedule below:
- Weekly performance reports detailing call volumes, response times, and incident statistics
- Weekly security trend analysis and recommendations
- Weekly review of helpdesk processes and procedures
- Information Assurance incident reports within 24 hours of incident closure
- Daily incident summary and trend analysis
- Weekly SMC performance reports
- Monthly SMC security posture assessment
- 24/7 helpdesk service management: weekly
- Incident management: weekly
- Management of Secure Management Centres (SMC): weekly
- Management of NATO Wide PKI user profiles, CA certificates, End-User certificates: weekly
- Technical support and assistance to the NATO Structure, Agencies and Bodies: weekly
- Cyber Security 24/7 watch-keeping: weekly
- Incident response support: weekly
- Cyber Security Information Sharing Services: daily
- Real-time monitoring of the following Internet e-mail and Internet-Facing Web Sites monitoring Service - Internet Facing Email Content: daily
- Monitoring of Internet Web Site: daily
6. SERVICE DETAILS
Helpdesk Operations
The Service Provider will:
• Support the dedicated 24/7 helpdesk team of cybersecurity
• Implement multi-channel support (phone, email, internal chat) for incident reporting and user assistance
• Develop and maintain a knowledge base for common security issues and their resolutions
• Provide regular reporting on helpdesk performance and security incidents
Incident Response and Incident Management
The Service Provider will:
• Respond to all security alerts within 5 minutes of receipt
• Perform initial triage of cyber security incidents
• Escalate critical incidents to appropriate personnel within 30 minutes
• Provide regular status updates to Project Manager / Service Manager during ongoing incidents
• Implement a robust incident detection and classification system
User Support
The Service Provider will assist users with:
• Password resets and account lockouts
• VPN and remote access issues
• Suspicious email and phishing attempts
• Security software queries and troubleshooting
Management of Secure Management Centre (SMC)
The Service Provider will:
• Provide real-time monitoring and analysis of security events across the Client's networks
• Manage and update security policies and rules across network devices
• Provide secure remote access solutions for authorized personnel
• Ensure compliance with relevant security standards and regulations
• Conduct regular security audits and assessments of the SMC
Service Level Agreements (SLAs)
The following SLAs will apply:
• 99.9% helpdesk availability
• Average speed of answer: 30 seconds
• First call resolution rate: 80%
• Critical incident response time: 10 minutes
• Information Assurance incident initial response time: 30 minutes
• Information Assurance incident containment time: 4 hours for critical incidents
• SMC uptime: 99.99%
• Security event analysis and triage: within 15 minutes of detection
• Critical security patch deployment: within 24 hours of release
Client Responsibilities
The Client will:
• Provide necessary access to systems and information required for all services
• Designate primary points of contact for escalations and decision-making
• Ensure end-users are informed about the helpdesk service and how to access it
• Promptly report any suspected security incidents
• Cooperate in incident investigations and provide necessary resources
• Provide timely approval for security policy changes and updates
• Ensure compliance with security policies and procedures
Acceptance Criteria
The services will be deemed accepted when:
• All deliverables have been provided as outlined in Section 5
• The incident management process has been successfully tested and validated
Rejection Criteria:
• The client may reject deliverables if they do not meet the specified acceptance criteria or if they contain critical errors.
• A rejected deliverable must be corrected and resubmitted within 1 (one) business day.
Further, the supplier must conduct the following reviews:
• A weekly ‘touch point’ between NCIA POC and the supplier’s POC to ensure work is on track
• Draft versions of the reports where the supplier’s POC presents the draft report to the customer, with the opportunity for the customer to provide feedback and implement uplifts.
• Final versions of the reports where the incumbent presents and delivers the final report to the customer.
7. COORDINATION AND REPORTING
Due to the AGILE approach of this project, there is a need to define a set of specific arrangements between the NCI Agency and the contractor that specifically defines the deliverables to be provided for each sprint as well as their associated acceptance criteria. This includes sprint planning, execution and review processes, which are detailed below:
1. Sprint Planning:
Objective: Plan the objectives for the upcoming sprint
Kick-off meeting: Conduct a monthly meeting with the contractor to plan the objectives of upcoming sprints and review contractor's manpower to meet the agreed deliverables.
Set sprint goals: Define clear, achievable goals for the sprint and associated acceptance criteria, including specific delivery targets, Quality standards as well as Key Performance Indicators (KPIs) for each task to be recorded in the sprint meeting minutes.
Agree on the required level of effort for the various sprint tasks.
Backlog Review: Review and prioritise the backlog of tasks, issues, and improvements from previous sprints.
Assess each payment milestone cycle duration of one calendar month. State of completion and validation of each sprint status and sign off sprints to be submitted for payment as covered in Section 4.
2. Sprint Execution
Objective: Contractor to execute the agreed “sprint plans” with continuous monitoring and adjustments.
Regular meetings between NCI Agency and the contractor to review sprint progress, address issues, and make necessary adjustments to the processes or production methodology. The meetings will be held physically in the office.
Continuous improvement: Contractor to establish a continuous feedback loop to gather input from all stakeholders for ongoing improvements and their subsequent implementation depending on NCIA approval.
Progress Tracking: Contractor to use a shared dashboard or tool to track the status of the sprint deliveries and any issues.
Quality Assurance/Quality Check: Contractor shall ensure that the quality standards agreed for the sprint deliverables are maintained throughout the sprint.
Quality Control: NCIA to perform the Final Quality Control of the agreed deliverables and provide feedback on any issues.
3. Sprint Review
Objective: Review the sprint performance and identify areas for improvement.
At the end of each sprint, there will be a meeting between the NCI Agency and the Contractor to review the outcomes against the acceptance criteria comprising sprint goals, agreed quality criteria and Key Performance Indicators (KPIs).
Define specific actions to address issues and enhance the next sprint.
4. Sprint Payment
For each 4 (four) sprints to be considered as complete and payable, the contractor must report the outcome of their work during the sprint, first verbally during the retrospective sprint review meeting and then in writing within five days after the 4th sprint’s end date. A report must be sent by email to the NCI Agency service manager, listing all the work achieved against the agreed tasking list set for the sprint.
The contractor's payment for each set of 4 sprints will depend upon the achievement of agreed Acceptance Criteria for each task, defined at the sprint planning stage. This will include specific delivery targets, quality standards as well as Key Performance Indicators (KPIs) for each task.
The payment shall be dependent upon successful acceptance as set in the above planning/review meetings. This will follow the payment milestones that shall include a completed Delivery Acceptance Sheet (DAS) – (Annex A) including the EBA Receipt number.
Invoices shall be accompanied with a Delivery Acceptance Sheet (DAS) – (Annex A) signed by the Contractor and project authority.
If the contractor fails to meet the agreed Acceptance criteria for any task, the NCI Agency reserves the right to withhold payment for that task/sprint.
8. PAYMENT MILESTONES
Term and Timeline
Period of performance for SOW will commence on 28th April 2025 (tentative) and continue until the 31st of December 2025.
After the contract is in place, the NCIA representative will have a Kick Off meeting with the Service Provider to perform introductions and review the project plan (sprints activities). The NCIA team reserves the possibility to exercise a number of options, based on the same sprint deliverable timeframe and cost, at a later time, depending on the project priorities and requirements.
The payments shall be dependent upon successful acceptance of the Delivery Acceptance Sheet (DAS) – (Annex B).
Invoices shall be accompanied with a Delivery Acceptance Sheet (Annex B) signed by the Contractor and project authority.
8.1 BASE 2025: PERIOD OF PERFORMANCE 28TH APRIL (TENTATIVE) TO 31 DECEMBER 2025
The following deliverables are expected from the work on this SoW in 2025
Deliverable: 36 Sprints containing all deliverables in section 5 (Number of sprints is estimated – this will be adjusted depending on actual starting date)
Payment Milestones: At the end of the month upon completion of each set of 4 sprints accepted within the respective month and at the end of the work.
8.2 2026 OPTION: PERIOD OF PERFORMANCE 01 JANUARY 2026 TO 31 DECEMBER 2026
Deliverable: Up to 44 Sprints (Number of sprints is estimated considering a start date of 01 January)
Cost Ceiling: Price will be determined by applying the price adjustment formula as outlined in CO‐115786‐AAS+ Special Provisions article 6.5.
Payment Milestones: At the end of the month upon completion of each set of 4 sprints accepted within the respective month and at the end of the work.
8.3 2027 OPTION: PERIOD OF PERFORMANCE 01 JANUARY 2027 TO 31 DECEMBER 2027
Deliverable: Up to 44 Sprints (Number of sprints is estimated considering a start date of 01 January)
Cost Ceiling: Price will be determined by applying the price adjustment formula as outlined in CO‐115786‐AAS+ Special Provisions article 6.5.
Payment Milestones: At the end of the month upon completion of each set of 4 sprints accepted within the respective month and at the end of the work.
8.4 2028 OPTION: PERIOD OF PERFORMANCE 01 JANUARY 2028 TO 31 DECEMBER 2028
Deliverable: Up to 44 Sprints (Number of sprints is estimated considering a start date of 01 January)
Cost Ceiling: Price will be determined by applying the price adjustment formula as outlined in CO‐115786‐AAS+ Special Provisions article 6.5.
Payment Milestones: At the end of the month upon completion of each set of 4 sprints accepted within the respective month and at the end of the work.
9. SKILLS
[See Requirements]
10. WORK EXECUTION
The services will be 100% executed onsite (NCIA S.H.A.P.E. premises in Mons, Belgium). NCIA IT equipment will be provided (one REACH laptop will be provided).
Results of the work to be stored on NCI Agency NATO RESTRICTED SharePoint portal and checked on a weekly basis to the assigned Point of Contact (Annex A – Weekly progress report).
All the documentation provided under this statement of work will be based on NCI Agency templates and/or agreed with the NCIA service manager.
All support, maintenance, documentation will be stored under configuration management and/or in the provided NCI Agency tools.
All developed solutions will be property of the NCI Agency.
11. TRAVEL
Travel costs are not included in the quoted price, as there is no expected travel foreseen.
However, in the eventuality where travel is required, the cost for travel (including accommodation, per diem, travel expenses, etc.,) will be claimed separately.
In such an eventuality, an additional PO line will be created with a not to exceed (NTE) value to cover and reimburse actual expenses upon submission of all receipts and invoices in line with NCIA processes for the right duration and scope of the travel.
12. SECURITY AND NON-DISCLOSURE AGREEMENT
Any proposed resource providing services under this SOW must be in possession of a security clearance NATO SECRET or above. The signature of a Non-Disclosure Agreement between any Service Provider’s individuals contributing to this task and NCIA will be required prior to execution.
Requirements
9. SKILLS
- Required skillset of the proposed resource is extensive knowledge and experience (more than 5 years). Moreover, demonstrated experience in IP Crypto devices is a must.
Services under current SOW are to be delivered by ONE resource that must meet the following requirements:
- Experience with Information Systems Engineering and Maintenance – Information Security Implementation Computer Security;
- A good knowledge of Computer Security principles and procedures. Proficiency with Cryptography Technology. Knowledge of Internet Protocol based networks and components (routers and switches);
- Working knowledge of Router configuration;
- A good knowledge of public key infrastructure technology;
- Working knowledge of Crypto systems and techniques;
- A high level of knowledge of network, system and application level troubleshooting techniques;
- Extensive experience in the analysis of risk and in the implementation and integration of Information Security protective measures;
- Red Hat certified and/or Linux professional certified;
- Specific experience: Must be familiar with the detailed and complex NATO standards for the operation of CRYPTO and the associated equipment that process and secure NATO classified information;
- Experience in development and implementation of computer security policies;
- Experience in evaluation and accreditation of telecommunications and information systems;
- Experience in security requirements analysis.
- Hold one or more of the following IT security qualifications/certifications: CCNA; ITIL foundation in IT Service Management; TCE 621 Operator Course THALES Norway; TCE 671 Operator Course THALES Norway
- Prior experience of working in an international mission environment comprising both military and civilian elements;
- Knowledge of NATO responsibilities and organization, including ACO and ACT.
Further Details:
Each provider of this service must pass an assessment to demonstrate proficiency before being approved to provide the service. The assessment will follow a brief (see point below) familiarisation period after the initial kick off meeting.
* Salary range is an estimate based on our InfoSec / Cybersecurity Salary Index 💰