2025-0035 AD Security Assessment Data Analysis and Reporting (NS) - THU 3 Apr
Mons, Wallonia, Belgium
EMW, Inc.
Deadline Date: Thursday 3 April 2025
Requirement: Active Directory Security Assessment Data Analysis and Reporting
Location: Mons, BE
Full Time On-Site: Yes
Time On-Site: 100%
Period of Performance: 2025 BASE: As soon as possible but not later than 12 May 2025 until 31 December 2025.
2026 OPTION: 1 January 2026 until 31 December 2026
Required Security Clearance: NATO SECRET
1. PURPOSE
The objective of this statement of work (SoW) is to outline the scope of work and deliverables for the analysis and reporting of data produced by the Active Directory Security Assessment Tool, to be conducted by the selected company.
The purpose of the work package is to provide support to the NATO Cyber Security Centre (NCSC) to fulfil identified Active Directory Security Assessment Tool data analysis and reporting activities more effectively.
2. BACKGROUND
The Office of the CIO (OCIO) Enterprise Cyber Security Posture Improvement project focuses on the acquisition and implementation of state-of-the-art tools to enhance Enterprise-wide cybersecurity capabilities considering the key cybersecurity functions.
NCIA initiated a project and procured an Active Directory Security Assessment Tool (Tenable Identity Exposure) that provides identity unification and risk scoring and real-time attack detection, continually assesses directory services security in real time, eliminates attack paths that lead to domain domination, and helps investigate and inform.
To support NCSC for the execution of tasks identified in the subject work package of the project, the NCIA is looking for subject matter expertise in the delivery of complex, foundational and novel Cybersecurity capability.
This contract is to provide consistent support on a deliverable-based (completion-type) contract, to NCSC contributing to its POW based on the deliverables that are described in the scope of work below.
3. SCOPE OF WORK
The aim of this SOW is to support NCSC with technical expertise specifically related to the operation and maintenance of Active Directory Security Assessment Tool with a deliverable-based contract to be executed in 2025.
This task includes data analysis and reporting of data reported by the Active Directory Security Assessment Tool. For the provision of consistent support and the execution of the task, NCIA will get subject matter expertise from the industry with a service (deliverable based/completion type) based AAS framework contract in the delivery of requested capability.
Active Directory data analysis and reporting give visibility and insight into the Active Directory environment on the networks, which in turn is critical to effective Active Directory management, strong security and compliance, and efficient migrations and consolidations. Effective Active Directory data analysis and reporting will also ensure that NATO can monitor Active Directory users and groups, including permission levels, inactive users/accounts and group policy settings, user entitlements, user activities, event trends, suspicious patterns, etc.
More broadly, NATO needs to be able to monitor the configuration of its domain controllers in order to prevent exploitation by malicious threat actors.
Under the direction / guidance of the NCSC Point of Contact, a contractor will be part of the NCSC Team supporting the following activities:
1) Ensuring data accuracy and up-to-date data for Active Directory (AD) Security issues:
a) Ensure accurate and up-to-date AD data is collected from the different Domains in scope,
b) Security baselines are configured based on industry best practice and NATO policies,
c) Review existing policies, fine tune and improve them at the same time,
d) Report to the Tool Managers any technical issues, such as connectivity problems between Tenable Identity Exposure and other integrated systems or errors in scans or reports,
e) Follow up on new releases of the security solutions to consider the implementation of new features or capabilities
2) Monitoring, analysing the collected data, prioritizing based on risk assessment for Active Directory (AD) Security issues:
a) Monitor the solution daily
b) Identify the potential security issues
c) Ensure that the collected data is analysed
d) Prioritize the remediation actions based on the previous point
3) Reporting Active Directory (AD) Security issues:
a) Critical vulnerabilities will be reported within 4 hours of being identified
b) High vulnerabilities will be reported within 8 hours of being identified
c) Deliver a comprehensive vulnerability report to each stakeholder under your area of responsibility, taking into account all vulnerabilities posing a security risk, the remediation actions recommended to the system/application owners and the status of the recommended actions. The weekly report is expected to be delivered each Wednesday/Thursday before Close of Business.
d) Ensure that the reported information is also available via PowerBI dashboard (or similar)
e) Report to the corresponding AD management teams the prioritized remediation actions based on the analysis done on point 2.c/2.d)
f) Record the defined KPIs to follow up the trend of AD Security issues
4) Remediation actions for Active Directory (AD) Security issues:
a) Follow up and verify that the reported security issues have been remediated.
b) Follow the escalation process in case the reported security issues have not been fixed.
5) Documentation:
a) Document configuration and changes: Keep up-to-date documentation of all configurations, baselines, troubleshooting procedures,
b) Keep a lessons learnt document
6) User access Management:
a) Review the list of users with access to the security solution,
b) Verify that only the required users have access to the solution,
c) Coordinate with the Tool Managers any issue with the User access management
7) Automation and Scripting
a) Improve process efficiency: Identify areas where automation could reduce manual intervention and improve operational efficiency.
The measurement of execution for this work is sprints, with each sprint planned for a duration of 1 week.
4. DELIVERABLES AND PAYMENT MILESTONES
The following deliverables are expected from the work on this SoW in 2025:
Deliverable: 30 sprints to support Active Directory Security Assessment Data Analysis and Reporting as per described in Para 3
Payment Milestones: Upon completion of each fourth sprint and at the end of the service. Completion of each milestone shall be documented in the Delivery Acceptance Sheet (DAS) – (Annex B), signed for acceptance by the Purchaser’s authorized point of contact and the Contractor.
Number of sprints is calculated considering a starting date 12 May 2025. This will be adjusted based on actual starting date.
The Purchaser (NCIA) reserves the right to exercise a number of options of one or more sprints based on the same deliverables, at a later time, depending on the project priorities and requirements, at the same cost.
The payment shall be dependent upon successful acceptance of the Delivery Acceptance Sheet (DAS) – (Annex B).
Invoices shall be accompanied with a Delivery Acceptance Sheet (Annex B) signed by the Contractor and the project authority.
2026 Option: 1 January 2026 to 31 December 2026:
Deliverable: 46 sprints to support Active Directory Security Assessment Data Analysis and Reporting as per described in Para 3
Cost Ceiling: Price will be determined by applying the price adjustment formula as outlined in CO‐115786‐AAS+ Special Provisions article 6.5.
Payment Milestones: Upon completion of each fourth sprint and at the end of the service. Completion of each milestone shall be documented in the Delivery Acceptance Sheet (DAS) – (Annex B), signed for acceptance by the Purchaser’s authorized point of contact and the Contractor.
The Purchaser (NCIA) reserves the right to exercise a number of options of one or more sprints based on the same deliverables, at a later time, depending on the project priorities and requirements, at the same cost.
The payment shall be dependent upon successful acceptance of the Delivery Acceptance Sheet (DAS) – (Annex B).
Invoices shall be accompanied with a Delivery Acceptance Sheet (Annex B) signed by the Contractor and the project authority.
5. COORDINATION AND REPORTING
The contractor shall participate in daily status update meetings, activity planning and other meetings as instructed, physically in the office, or in person via digital means using conference call capabilities, according to the manager’s / team leader’s instructions.
For each sprint to be considered as complete and payable, the contractor must report the outcome of his/her work during the sprint, first verbally during the retrospective meeting and then in writing within three (3) days after the sprint’s end date. The format of this report shall be a short email to the NCIA Project Manager briefly mentioning the work held and the development achievements during the sprint.
At the end of the project, the Contractor shall provide a Project Closure Report that summarizes the activities during the period of performance at a high level.
6. ACCEPTANCE AND REJECTION CRITERIA
a) Acceptance Criteria
1) Quality of work reached NATO standards,
2) Tasks are completed within the assigned time,
3) Performances are as defined by the line manager.
b) Rejection Criteria
1) Quality of work is low,
2) Tasks are not completed within the assigned time,
3) Performances are not as defined by the line manager.
c) A replacement will be requested if the contractor cannot fulfil the tasks as explained in rejection criteria.
d) Payment will not be done if the sprint is not completed.
7. PENALTY AND REJECTION PROCESS
If the contractor does not meet the work expectation based on the CV presented, the assigned tasks are not performed as expected based on NATO standards, or the assigned tasks are not finalized within the given time, the sprint will not be accepted and the service will not be paid.
If any of the above mentioned issues persist, the outsourcing partner will be asked to provide a replacement.
8. SCHEDULE
This task order will be active immediately after signing of the contract by both parties.
The period of performance is as soon as possible but not later than 12 May 2025 and will end no later than 31 December 2025.
If the 2026 option is exercised, the period of performance is 01 January 2026 to 31 December 2026.
9. CONSTRAINTS
All the deliverables provided under this statement of work will be based on NCIA templates or agreed with the project point of contact.
All documentation etc. will be stored under configuration management and/or in the provided NCIA tools.
10. SECURITY AND NON-DISCLOSURE AGREEMENT
It is mandatory to have the candidate be in possession of a NATO SECRET security clearance to facilitate follow-on engagements and coordination at NATO venues.
The signature of a Non-Disclosure Agreement between the contractor contributing to this task and NCIA will be required prior to execution.
11. PRACTICAL ARRANGEMENTS
The contractor will be required to work approximately 100% onsite in SHAPE - Mons / BEL as part of this engagement. The NCSC Team is located in SHAPE - Mons / BEL, with working hours to be adjusted accordingly.
The contractor will be required to work following the rules and regulations applicable for the operations of NATO CIS.
The contractor will not be required to travel to other NATO locations as part of his role.
This work must be accomplished by one contractor.
The Purchaser will provide the contractor with the following Purchaser-Furnished Equipment (PFE):
• Access to NATO sites, as required, for the purpose of executing this SOW.
• Workspace (needed business IT for both on- and off-site work, hot-desk at NCSC facility).
• NCIA “REACH” laptop to be used by the contractor for the execution of the contract.
12. REQUIRED PROFILE
The contractor(s) who will perform the identified tasks as an Operation and Maintenance Expert of the Active Directory Security Assessment Tool must have demonstrated skills, knowledge and experience as listed below.
- Activities performed by a contractor include the lifecycle management of the Tenable Identity Exposure software (including all tasks related to A2SL inclusion), its configuration to ensure coverage of all in-scope Active Directory servers, and the regular monitoring of the availability of the capability.
- Bachelor's degree in Computer Science, Information Technology, or related field, or equivalent experience.
- 3+ years of experience in IT security, with a focus on Active Directory security, System Administration, and hands-on experience with Security Assessment Tools in large organisations.
- Experience with Active Directory Management.
- Strong understanding of security best practices and experience with Tenable products, especially with Tenable Identity Exposure.
- Comprehensive hands-on experience administering Microsoft Windows Domain-based networks.
- Systems administration, ideally both with Windows and Linux.
- Good engineering skills including programming and/or scripting knowledge (Python, shell scripting, PowerShell).
- Demonstrable experience of analysing, prioritizing and reporting in the field of vulnerabilities assessment.
- Strong analytical and problem-solving skills.
- Excellent communication abilities, both written and verbal, with the ability to clearly and successfully articulate complex issues to a variety of audiences and teams.
- Database management skills, preferably MS SQL.
13. DESIRABLE PROFILE
The candidate should also ideally have knowledge and experience in the following areas:
- Experience in working with NATO.
- Experience of working with NATO Communications and Information Agency.
- Experience of working with national Defence or Government entities.