2024-0253 Cyberspace Operations Incident Analysis (NS) - MON 31 Mar

Mons, Wallonia, Belgium


Deadline Date: Monday 31 March 2025

Requirement: Cyberspace Operations Incident Analysis

Location: Mons, BE

Full Time On-Site: Yes

Time On-Site: 100%

Period of Performance: As soon as possible but not later than 05 May 2025 until 31 December 2025 with possibility to exercise following options:

• 2026 Option: 01/01/2026 to 31/12/2026

• 2027 Option: 01/01/2027 to 31/12/2027

• 2028 Option: 01/01/2028 to 31/12/2028

Required Security Clearance: NATO SECRET


1. PURPOSE

The objective of this statement of work (SoW) is to outline the scope of work and deliverables for the CYBERSPACE OPERATIONS INCIDENT ANALYSIS.

The purpose of the work package is to provide support to NATO Cyber Security Centre (NCSC) to fulfil identified Active Directory Security Assessment Tool operation and maintenance activities more effectively.

2. BACKGROUND

The NATO Cyber Security Centre (NCSC) is a team of over 200 members working to monitor and protect NATO networks. In the NCSC’s role to deliver robust security services to the NATO Enterprise and NATO Allied Operations and Missions (AOM), the centre executes a portfolio of programmes and projects of around 219 MEUR per year, in order to uplift and enhance critical cyber security services. The Portfolio ranges from Programme of Work (POW) activities funded via the NATO Military Budget (MB) to Critical / Urgent Requirements (CURs/URs) and NATO Security Investment Programme (NSIP) projects funded via the Investment Budget (IB). In some edge cases, projects are also funded via the Civilian Budget (CB). Projects can span multiple years and are governed by various frameworks, including the Common Funded Capability Development Governance Framework (CFCDGM).

In order to execute this work, the NCI Agency is seeking to support the work undertaken by the NATO Cyber Security Centre (NCSC) in the area of Communications and Information System (CIS) security, cyber defence and cyberspace operations. To support NCSC for the execution of tasks identified in the subject work package of the project, the NCI Agency is looking for subject matter expertise in the delivery of complex, foundational and novel Cybersecurity capability.

This contract is to provide consistent support on a deliverable-based (completion-type) contract, as described in the scope of work below.

3. SCOPE OF WORK

The aim of this SOW is to support NCSC with technical expertise specifically related to Cyber Security Incident Detection.

The following activities are expected to be performed under this SOW:

1) Conduct detailed investigation and research of security events within NATO Cyber Security Centre (NCSC) team:

a) Analyse firewall, IDS, anti-virus and other sensor-produced system security events and present findings.

b) Leverage the comprehensive extended toolset (e.g. Log Collection, Intrusion Detection, Packet Capture, VA, Network Devices etc.) to identify malicious activity.

Outcome 1: Triage, analysis and response to alerts. Deliver analysis and reports in response to tasks associated with ongoing investigations and incidents.

2) Develop new Splunk alerts, searches and reports for security monitoring and detection.

a) Identify security gaps in NATO infrastructure, develop, update and review custom content utilising available toolset.

Outcome 2: 5 new use cases per month. Propose possible optimisations and enhancements, which help to maintain and improve NATO’s Cyber Security posture.

3) Collaborate with threat intelligence teams to incorporate threat indicators into detection systems.

a) Work closely with the threat intelligence team to integrate the latest Indicators of Compromise (IOCs) and attack techniques into the detection environment.

Outcome 3: Implementation of at least 3 new threat intelligence-driven detections per quarter to stay ahead of emerging threats.

4) Develop and maintain standard operating procedures (SOPs) and playbooks for incident detection and response.

a) Ensure documentation is up-to-date and provides clear guidance for responding to common attack scenarios.

Outcome 4: Delivery of updated SOPs and playbooks quarterly, ensuring they reflect the latest threat landscape and detection capabilities.

5) Produce briefings in Microsoft PowerPoint or Word format to provide detailed technical reports in support of incidents and capability improvements.

Outcome 5: Report and/or briefing for the management team containing details on the detection capabilities, scope, and details. This may be requested in either Word, PowerPoint, or both depending on the briefing.

6) Review reports and observables from threat hunting, red teaming, and purple teaming activities.

Outcome 6: Detection gap analysis and recommendations for solutions, subsequently leading on the development, testing and implementation.

7) Brainstorm during weekly meetings with the rest of the Monitoring and Detection Team on how to improve detection capability and increase detection coverage.

Outcome 7: Participation in meetings, as reported and tracked in the meeting minutes (Confluence), which need to be prepared before the meeting and updated during it.

The measurement of execution for this work is sprints, with each sprint planned for a duration of 1 week.

The deliverables and objectives for the following sprint will be reviewed and agreed in writing during the sprint retrospective meetings, to be held weekly, based on the activities mentioned above.

The deliverables shall meet the following requirements:

• Language: the product shall be written in English, meeting the NATO STANAG 6001 Level 3 “Professional Proficiency”.

• Intended Audience: the product shall be intended for Cyber Security Professionals, Senior Military personnel and decision makers in the field of Cyber Security and Cyberspace Operations.

• Accuracy: the product shall accurately reflect what was done.

• Clarity and Conciseness: Information shall be presented clearly and concisely, avoiding unnecessary jargon or complex language.

• Objectivity: the content shall be impartial and objective, presenting information without bias or personal interpretation.

• Structure: the product shall follow a logical structure, such as a template when one is available.

• Timeliness: the product deadline shall be agreed with the management team.

• Formatting: Consistent formatting shall be used throughout the document, including font style, size, headings, and spacing, as further directed by the Information and Knowledge Management Steering Group.

• Confidentiality: Information processed shall be handled in accordance with the NATO policy on Information Management.

Further Details:

• Each provider of this service must pass an assessment to demonstrate proficiency before being approved to provide the service. The assessment will then be followed by a one week on-site familiarisation period with key NCSC personnel and tools to be introduced to the environment.

• NCSC reserves the right to perform a technical evaluation of the candidate(s) designated by the supplier in the form of technical challenges that test the skills required of the candidate(s). Should the candidate(s) fail the test, the supplier will need to propose other candidate(s).

• Each deliverable will be assessed by a supervisor or team member on a scale of 1 to 5 based on the criteria defined above. This score is used for the monthly KPI; an overall score below 80% introduces a financial penalty.

4. DELIVERABLES AND PAYMENT MILESTONES

The payment shall be dependent upon successful acceptance of the Delivery Acceptance Sheet (DAS) – (Annex A) including the EBA Receipt number.

Invoices shall be accompanied with a Delivery Acceptance Sheet (Annex A) signed by the Contractor and the project authority.

The Purchaser (NCIA) reserves the right to exercise a number of options of one or more sprints based on the same deliverables, at a later time, depending on the project priorities and requirements, at the following cost: for the base year (2025) at the same cost; for the following years (2026-2028) the Price Adjustment Formula will be applied in accordance with paragraph 6.5 of the Framework Contract Special Provisions.

2025 BASE: 05 May 2025 – 31 December 2025:

Deliverable: 36 sprints to support Cyberspace Operations Incident Analysis (The number of sprints is calculated considering a starting date 05 May 2025. This will be adjusted based on actual starting date.)

Payment Milestones: Upon completion of each fourth sprint or at the end of the month for the accepted number of sprints (whichever condition is met first) and at the end of the service. Completion of each milestone shall be documented in a Delivery Acceptance Sheet (DAS) – (Annex A), signed for acceptance by the Purchaser’s authorized point of contact and the Contractor.

2026 Option: 1 January 2026 to 31 December 2026:

Deliverable: 46 sprints to support Cyberspace Operations Incident Analysis

Cost Ceiling: Price will be determined by applying the price adjustment formula as outlined in CO-115786-AAS+ Special Provisions article 6.5.

Payment Milestones: Upon completion of each fourth sprint or at the end of the month for the accepted number of sprints (whichever condition is met first) and at the end of the service. Completion of each milestone shall be documented in a Delivery Acceptance Sheet (DAS) – (Annex A), signed for acceptance by the Purchaser’s authorized point of contact and the Contractor.

2027 Option: 1 January 2027 to 31 December 2027:

Deliverable: 46 sprints to support Cyberspace Operations Incident Analysis

Cost Ceiling: Price will be determined by applying the price adjustment formula as outlined in CO-115786-AAS+ Special Provisions article 6.5.

Payment Milestones: Upon completion of each fourth sprint or at the end of the month for the accepted number of sprints (whichever condition is met first) and at the end of the service. Completion of each milestone shall be documented in a Delivery Acceptance Sheet (DAS) – (Annex A), signed for acceptance by the Purchaser’s authorized point of contact and the Contractor.

2028 Option: 1 January 2028 to 31 December 2028:

Deliverable: 46 sprints to support Cyberspace Operations Incident Analysis

Cost Ceiling: Price will be determined by applying the price adjustment formula as outlined in CO-115786-AAS+ Special Provisions article 6.5.

Payment Milestones: Upon completion of each fourth sprint or at the end of the month for the accepted number of sprints (whichever condition is met first) and at the end of the service. Completion of each milestone shall be documented in a Delivery Acceptance Sheet (DAS) – (Annex A), signed for acceptance by the Purchaser’s authorized point of contact and the Contractor.

5. COORDINATION AND REPORTING

The contractor shall participate in daily status update meetings, activity planning and other meetings as instructed, physically in the office, or via digital means using conference call capabilities, according to the manager’s / team leader’s instructions.

For each sprint to be considered complete and payable, the contractor must report the outcome of his/her work during the sprint, first verbally during the retrospective meeting and then in writing within three (3) days after the sprint’s end date. The format of this report shall be a short email to the NCIA Service Delivery Manager or to the Team Lead briefly describing the work performed and the development achievements during the sprint.

At the end of the project, the Contractor shall provide a Project Closure Report summarizing, at a high level, the activities carried out during the period of performance.

6. SCHEDULE

This task order will be active immediately after signing of the contract by both parties.

The period of performance is as soon as possible but not later than 05 May 2025 and will end no later than 31 December 2025.

If the 2026 option is exercised, the period of performance is 01 January 2026 to 31 December 2026.

If the 2027 option is exercised, the period of performance is 01 January 2027 to 31 December 2027.

If the 2028 option is exercised, the period of performance is 01 January 2028 to 31 December 2028.

7. CONSTRAINTS

All the deliverables provided under this statement of work will be based on NCIA templates or agreed with the project point of contact.

All documentation etc. will be stored under configuration management and/or in the provided NCIA tools.

8. SECURITY AND NON-DISCLOSURE AGREEMENT

It is mandatory that the candidate be in possession of a NATO SECRET security clearance to facilitate follow-on engagements and coordination at NATO venues.

The signature of a Non-Disclosure Agreement between the contractor contributing to this task and NCIA will be required prior to execution.

9. PRACTICAL ARRANGEMENTS

The contractor will be required to work 100% onsite at SHAPE, Mons. The NCSC Team is located at SHAPE, Mons, BEL, with working hours to be adjusted accordingly.

The contractor might be required to perform services during the sprint period including weekends, with a maximum of 15 on-call weeks for the service period.

The contractor will NOT be required to travel to other NATO locations (out of Belgium) as part of his role.

These services must be delivered by one contractor during the entire service delivery period.

The Purchaser will provide the contractor with the following Purchaser-Furnished Equipment (PFE):

• Access to NATO sites, as required, for the purpose of delivering the services included under this SOW.

• Workspace (needed business IT for both on- and off-site work, hot-desk at NCSC facility).

• NCIA “REACH” laptop to be used by the contractor for the implementation of the contract.

10. QUALIFICATIONS

[See Requirements]

11. DESIRABLE QUALIFICATIONS

[See Requirements]

Requirements

10. QUALIFICATIONS

Delivery of the services within this SOW requires a contractor with the following qualifications and experience:

  • Bachelor's degree in Computer Science, Information Technology, or a related field, or equivalent experience.
  • 3+ years of experience in IT security, with a focus on System Administration and Security Tools Management in large organisations.
  • Strong understanding of security best practices.
  • Expert level in at least three of the following areas and a high level of experience in several of the other areas:
    • Security Incidents Event Management products (SIEM) – e.g. Splunk.
    • Network Based Intrusion Detection Systems (NIDS) – e.g. SourceFire, Palo Alto Network Threat Prevention.
    • Host Based Intrusion Detection Systems (HIDS).
    • Full Packet Capture systems – e.g. Niksun, RSA/NetWitness.
    • A variety of Security Event generating sources (e.g. Firewalls, IDS, Routers, Security Appliances).
    • Cloud-specific security tools.
    • Splunk ES suite and Phantom SOAR.
  • Proficiency in Intrusion/Incident Detection and Handling.
  • Expert knowledge of malware families, network attack vectors and threat actor tools, techniques and procedures.
  • Experience in endpoint detection and analysis techniques.
  • Expert knowledge of the principles of computer and communications security, networking, and the vulnerabilities of modern operating systems and applications.
  • Comprehensive knowledge of the principles of computer and communications security, networking, and the vulnerabilities of modern operating systems and applications.
  • Very good communications skills and reporting experience with capacity to communicate to different types of audience (senior executive, middle management, technical and non-technical).
  • Very good understanding of the principles of Computer and Communication Security, networking, and the vulnerabilities of modern operating systems and applications, acquired through a blend of academic or professional training coupled with practical professional experience.

11. DESIRABLE QUALIFICATIONS

The contractor should also ideally have knowledge and experience in the following areas:

  • Experience in working with NATO.
  • Experience of working with NATO Communications and Information Agency.
  • Experience of working with national Defence or Government entities.