2024-0272 Support for SIEM (Splunk) (NS) - MON 28 Apr

Deadline Date: Monday 28 April 2025

Requirement: Support in SIEM (Splunk) Infrastructure Management and Log Collection

Location: Mons, BE

Full Time On-Site: Yes

Time On-Site: 100%

Period of Performance: Base period: As soon as possible but not later than 09 June 2025 (tentative) to 31st Dec 2025, with possibility to exercise the following options:

• 2026 Option: 1st January until 31st December 2026

• 2027 Option: 1st January until 31st December 2027

• 2028 Option: 1st January until 31st December 2028

Required Security Clearance: NATO Secret

1. BACKGROUND

The NATO Communications and Information Agency (NCI Agency) is dedicated to acquiring, deploying, and defending communication systems for NATO’s political decision-makers and Commands. It operates on the frontlines against cyber-attacks, collaborating closely with governments and industry to prevent future debilitating attacks. The NCI Agency plays a crucial role in maintaining NATO’s technological edge and ensuring the collective defence and crisis management capabilities of the Alliance. In pursuit of our mission, we require specialized advisory services to enhance our interim workforce capacity.

The NCI Agency has been established with a view to meeting the collective requirements of some or all NATO nations in the fields of capability delivery and service provision related to Consultation, Command & Control as well as Communications, Information and Cyber Defence functions, thereby also facilitating the integration of Intelligence, Surveillance, Reconnaissance, Target Acquisition functions and their associated information exchange.

2. INTRODUCTION

As part of NCI Agency, the NATO Cyber Security Centre (NCSC) represents one of the largest fully integrated global Cyber Defence capabilities in the world. This capability requires a combined international team of 250+ NATO and Industry analysts as well as engineers, to operate and maintain the wide range of Cyber Security services and the complex infrastructure on which they run, installed at over 100 sites in all 30 NATO member countries.

3. OBJECTIVE

The main objective of this Statement of Work (SOW) is to secure advisory services that provide expert guidance and support in SIEM (Splunk) infrastructure management and log collection.

4. PROBLEM STATEMENT

The Cyber Security Data Engineering Cell, in charge of managing a large scale SIEM deployment composed of hundreds of servers running Splunk components, collecting a wide variety of data sources from more than 20,000 devices and supporting SEC007 service in its daily operations, is facing a heavy workload and a lack of manpower.

This situation is impacting the Cyber Security Monitoring and Detection service (SEC007) supported by CSDE and the numerous projects which are required by internal policies to be monitored via SEC007

5. SCOPE OF WORK

The aim of this SOW is to support NCSC with technical expertise specifically related to the operation and maintenance of CYBER SECURITY Support in SIEM (Splunk) infrastructure management and log collection with a deliverable based (completion-type) contract to be executed in 2025.

VISION and EXPECTED OUTCOMES (Deliverables)

Under the direction of the CSDE Cell Head, SEC007 SDM or delegated authority, a contractor will be the part of the NCSC Team supporting the following activities:

5.1 Log collection

• Manage log collection of new data log sources in SIEM which includes, but is not limited to, log ingestion process from various data sources located on premise or in the cloud, data mapping to Splunk Common Information Model, integration with existing Splunk data models, testing log ingestion, validating log ingestion quality with stakeholders.

• Document all relevant information in Confluence in accordance with CSDE standards

• Coordinate such activity with CSDE team and T3 customers

Outcome:

• Assigned tasks shall be completed within the time allocated for this task by the requestor in the NCSC ticketing system(s). In case of an external request, the time to consider will be the time allocated by the CSDE cell  head, the SDM or one of their delegated authorities.

• Quality of log collection shall be reviewed by Security Analysts and confirmed as in line with expectations in the ticket

5.2 Service availability and monitoring

• Act as one of the engineers and Subject Matter Expert (SME) for SIEM and Log Collection services within the Cyber Security Data team

• Monitoring the availability and performance of the SIEM environment including log collection

• Detecting and reporting to SDM any service degradation

• Taking appropriate actions to restore the environment to a fully operational state when a problem is detected.

• Following best practices for maintaining the Splunk environment in a stable and reliable state with the objective of preventing any service degradation

• Ensure that data security systems are installed, configured, and operating correctly and in line with dependencies with others systems or applications required

• Ensure that data security systems operate within any KPI’s, as defined in Service Level Agreements with NCSC customers

Outcome:

• Service degradation must be detected in less than 2 hours during standard working hours. This measure will be based on the ticket creation time compared to the issue occurrence time.

• Availability of the splunk environment must stay above 99.8% uptime in a fully operational state

• SDM shall be informed by email less than 2 hours after problem occurrence. This shall be measured based on the information provided in the related ticket and time email has been sent.

5.3 Change management

• Implement changes to the SIEM environment including but not limited to: software upgrades, new applications deployment, deploying new servers, modifying existing configuration of the SIEM environment, collecting new data sources, deploying new software.

• Follow NCSC Change management process to get approval before implementing changes. This includes, but is not limited to, creating the change request, ensure all necessary information is provided in due diligence, following up the change request to ensure quick approval, attending to CAB meeting when necessary, providing impact assessment when required.

• Coordinate all these changes with CSDE and external teams.

• Develop and maintain documentation guidelines, standard operating procedures, system and service design documents and other relevant documentation that support management of the data security systems.

Outcome

• Assigned tasks shall be completed within the time allocated for this task by the requestor in the NCSC ticketing system(s). In case of an external request, the time to consider will be the time allocated by the CSDE cell head, the SDM or one of their delegated authorities.

5.4 Reporting and advisory role

• Attending meeting when there is a need for representing the cell, for providing technical advice or for reporting relevant information to the team or other stakeholders.

• Reporting any relevant information to the cell head, the SDM or other team members.

Outcome:

• Less than 1 working day after the meeting, an email containing the meeting minutes, all the relevant information and the required actions shall be sent to the relevant people including SDM and CSDE Cell Head.

• Quality of the reporting to be assessed by the Cell Head or the SDM.

5.5 Providing support to customers

• Provide support to customers (mainly security analysts but not limited to them) facing issues or needing technical assistance

Outcome:

• Tickets should be closed within the time allocated by the Cell Head, the SDM or their delegated authorities

• Problem resolution shall be confirmed by the requestor in the ticket

6. DELIVERABLES AND PAYMENT MILESTONES

The services will be delivered in Sprints, and each sprint will have the duration of 1 (one) week.

The content, scope and acceptance criteria of each sprint will be agreed during the sprint-planning meeting, in writing, based on the activities mentioned above in para. 5 and summarized as follows:

Log collection tasks: Completion in due time; Quality assessment

Service availability and monitoring tasks: Service availability uptime; Issues detection and reporting in due time; Remediation and administration tasks completed in due time

Change management tasks: Completion in due time

Reporting and advisory role: Reporting completed in due time; Satisfactory quality, as agreed with the Technical Lead

Providing support to customers: Tasks completed in due time; Satisfactory quality

Completion Deadline: Each sprint / week, according to the deliverables required at the beginning of the sprint

The NCIA reserves the possibility to exercise a number of options, based on the same

deliverable timeframe and cost, at a later time, depending on the project priorities and

requirements.

The payment shall be dependent upon successful acceptance of the Delivery Acceptance Sheet (DAS) – (Annex B), as set in the planning/review meetings.

Invoices shall be accompanied with a Delivery Acceptance Sheet (Annex B) signed by the Contractor and the project authority.

For each deliverable to be considered as complete and payable, the contractor must report the outcome of their work during the retrospective review meeting and then in writing within three days after the end of the month. A report must be sent by email to the NCI Agency service delivery manager, listing all the work achieved against the agreed tasking list.

The contractor's payment will be depending upon the achievement of agreed Acceptance Criteria for each task, defined at the planning stage, at the beginning of each week. This will include specific delivery targets, quality standards as well as Key Performance Indicators (KPIs) for each task.

If the contractor fails to meet the agreed Acceptance criteria for any task, the NCI Agency reserves the right to withhold payment for that task/sprint.

ACCEPTANCE AND REJECTION CRITERIA

a) Acceptance Criteria

a.1. Quality of work reached NATO standards

a.2. Tasks are completed within the assigned time

a.3. Performances are as defined by the line manager in line with the expected outcome from para. 5.

b) Rejection Criteria

b.1. Quality of work is below NATO standards

b.2. Tasks are not completed within the assigned time

b.3. Performances are not as defined by the line manager

c) Payment will be processed only for completed and accepted sprints.

The following deliverables are expected from the work on this SoW:

6.1. BASE PERIOD: 09 June 2025 (tentative) – 31 DEC 2025

Deliverable: 36 sprints of Support in SIEM (Splunk) infrastructure management and log collection (Estimated number of sprints – these will be adjusted depending on actual start date)

Payment Milestones: Upon completion of 4 sprints. Completion of each sprint will be documented in the Delivery Acceptance Sheet Template (DAS) which will be signed for acceptance by the authorized point of contact and the Contractor. This document will accompany the invoice.

6.2. 2026 OPTION: 01 JAN 2026 TO 31 DEC 2026

Deliverable: 46 sprints of Support in SIEM (Splunk) infrastructure management and log collection (Estimated considering a starting date as of 01 January)

Cost Ceiling: Price will be determined by applying the price adjustment formula as outlined in CO‐115786‐ AAS+ Special Provisions article 6.5.

Payment Milestones: Upon completion of 4 sprints. Completion of each sprint will be documented in the Delivery Acceptance Sheet Template (DAS) which will be signed for acceptance by the authorized point of contact and the Contractor. This document will accompany the invoice.

6.3. 2027 OPTION: 01 JAN 2027 TO 31 DEC 2027

Deliverable: 46 sprints of Support in SIEM (Splunk) infrastructure management and log collection (Estimated considering a starting date as of 01 January)

Cost Ceiling: Price will be determined by applying the price adjustment formula as outlined in CO‐115786‐ AAS+ Special Provisions article 6.5.

Payment Milestones: Upon completion of 4 sprints. Completion of each sprint will be documented in the Delivery Acceptance Sheet Template (DAS) which will be signed for acceptance by the authorized point of contact and the Contractor. This document will accompany the invoice.

6.4. 2028 OPTION: 01 JAN 2028 TO 31 DEC 2028

Deliverable: 46 sprints of Support in SIEM (Splunk) infrastructure management and log collection (Estimated considering a starting date as of 01 January)

Cost Ceiling: Price will be determined by applying the price adjustment formula as outlined in CO‐115786‐ AAS+ Special Provisions article 6.5.

Payment Milestones: Upon completion of 4 sprints. Completion of each sprint will be documented in the Delivery Acceptance Sheet Template (DAS) which will be signed for acceptance by the authorized point of contact and the Contractor. This document will accompany the invoice.

7. COORDINATION AND REPORTING

The contractor shall participate in daily status update meetings, activity planning and other meetings as instructed, physically in the office, according to the manager’s / team leader’s instructions.

For each sprint to be considered as complete and payable, the contractor must report the outcome of his/her work during the sprint, first verbally during the retrospective meeting and then in written within three (3) days after the sprint’s end date. The format of this report shall be a short email to the NCI Agency Project Manager mentioning briefly the work held and the development achievements during the sprint.

At the end of the project, the Contractor shall provide a Project Closure Report that is summarizing the activities during the period of performance at high level.

8. SCHEDULE

The period of performance is as soon as possible but not later than 09 June 2025 (tentative) and will end no later than 31 December 2025.

If the 2026, 2027 and 2028 options are exercised, the period of performance is 01 JAN to 31 DEC of the respective year.

9. CONSTRAINTS

All the deliverables provided under this statement of work will be based on NCI Agency templates or agreed with the project point of contact.

All documentation etc. will be stored under configuration management and/or in the provided NCI Agency tools.

10. TRAVEL

There is no travel expected. However, if required during the execution of this contract, travel costs are out of scope and will be borne by the NCI Agency separately in accordance to the provisions of the AAS+ Framework Contract.

11. SECURITY AND NON-DISCLOSURE AGREEMENT

Any proposed resource providing services under this SOW must be in possession of a security clearance NATO SECRET or above. The signature of a Non-Disclosure Agreement between any Service Provider’s individuals contributing to this task and NCIA will be required prior to execution.

12. PRACTICAL ARRANGEMENTS

• The services will be performed by a contractor on site at SHAPE Mons Belgium. The contractor will be required to work 100% onsite in Mons / BEL as part of this engagement. The NCSC Team is located in Mons / BEL

• Services will be provided on site during standard working days/hours.

• Exceptionally, the contractor will be on call (max limit : 1 week per month) for this position (e.g. NATO summit)

On-Call Rotation Schedule

• The schedule will be defined during sprint planning and will outline who is responsible for on-call activities duties each week

• On-call duty will cover critical issues outside working hours, including weekend and national holidays.

• The Contractor would cover maximum 1 week per month

• Security Classification: NATO Secret

• Regular travel costs to and from main location of the work (SHAPE) are out of scope and will be borne by the contractor.

• This work must be accomplished by one contractor.

• The Purchaser will provide the contractor with the following Purchaser-Furnished Equipment (PFE): Access to NATO sites, as required, for the purpose of executing this SOW;  Workspace (needed business IT at NCSC facility); NCIA “REACH” laptop to be used by the contractor for the execution of the contract.

13. REQUIRED PROFILE

[See Requirements]

Requirements

11. SECURITY AND NON-DISCLOSURE AGREEMENT

• Any proposed resource providing services under this SOW must be in possession of a security clearance NATO SECRET or above. The signature of a Non-Disclosure Agreement between any Service Provider’s individuals contributing to this task and NCIA will be required prior to execution.

13. REQUIRED PROFILE

The contractor that is going to perform the identified tasks as an Operation and Maintenance Expert in SIEM (Splunk) infrastructure management and log collection must have demonstrated skills, knowledge and experience as listed below:

• A good understanding of IT Security
• At least 2 years of relevant experience and strong technical skills in administering, deploying, installing, configuring and maintaining large distributed Splunk Enterprise environment
• Good programming skills in at least one of these languages: Ansible.python or bash
• A good understanding of networking and various protocols such as TCP/IP, HTTP(S), DNS.
• Very good knowledge and proven experience of Linux system and application administration and troubleshooting
• Ability to work autonomously
• Accuracy and attention to detail
• Each team member shall be dressed suitably for meetings with high ranked officials
• Strong reporting skills to various levels of seniority
• Language Proficiency: A thorough knowledge of English language, both written and spoken, is essential.
• Responsible for complying with all applicable local employment laws, in addition to following all SHAPE & NCIA on boarding procedures. Delivery of the service cannot begin until these requirements are fulfilled.
• The service provider shall be required to provide services on NCIA working days