2025-0138 Cyberspace Operations Admin and Coord Support (NS) - THU 8 May

Deadline Date: Thursday 8 May 2025

Requirement: Cyberspace Operations Administrative and Coordination Support to Threat Hunting

Location: Mons, BE

Full Time On-Site: Yes

Time On-Site: 100%

Period of Performance: 2025 BASE: 30 JUN 2025 to 31 DEC 2025, with possibility to exercise following options:

2026 option: 01 JAN 2026 to 31 DEC 2026

2027 option: 01 JAN 2027 to 31 DEC 2027

2028 option: 01 JAN 2028 to 31 DEC 2028

Required Security Clearance: NATO Secret

1. BACKGROUND

The NCI Agency has been established with a view to meeting the collective requirements of some or all NATO nations in the fields of capability delivery and service provision related to Consultation, Command & Control as well as Communications, Information and Cyber Defence functions, thereby also facilitating the integration of Intelligence, Surveillance, Reconnaissance, Target Acquisition functions and their associated information exchange.

2. INTRODUCTION

The NATO Cyber Security Centre (NCSC) is a team of over 200 members working to monitor and protect NATO networks. In the NCSC’s role to deliver robust security services to the NATO Enterprise and NATO Allied Operations and Missions (AOM), the centre executes a portfolio of programmes and projects around 219 MEUR euros per year, in order to uplift and enhance critical cyber security services. The Portfolio ranges from Programme of Work (POW) activities funded via the NATO Military Budget (MB) to Critical / Urgent Requirements (CURs/URs) and NATO Security Investment Programme (NSIP) projects funded via the Investment Budget (IB). In some edge cases, projects are also funded via the Civilian Budget (CB). Projects can span multiple years and are governed by various frameworks, including the Common Funded Capability Development Governance Framework (CFCDGM).

In order to execute this work, the NCI Agency is seeking additional labour through contracted resources (or consulting) to support the work undertaken by the NATO Cyber Security Centre (NCSC) in the area of Communications and Information System (CIS) security, cyber defence and cyberspace operations. This Statement of Work (SoW) specifies the required skillset and experience.

3. PURPOSE

The NCSC is responsible to defend NATO networks on a 24/7 basis and to proactively look for signs of malicious activities by performing threat hunting. The Threat Hunting activities encompass threat intelligence hypotheses based searches on existing security logs sources, anomaly detection and more generally compromise assessment.

4. OBJECTIVES

This Statement of Work (SoW) outlines the services to be provided by the Supplier to NCSC for providing support to Cyber Operations Threat Hunting.

5. DELIVERABLES

The service is executed in sprints; each sprint is planned for a duration of 1 week.

The Contractor’s personnel shall deliver the following functions:

D1. Based on directions from the Service Delivery Manager (SDM) and deputy SDM:

organise meetings (both in-person but virtual using NATO videoconferencing infrastructure), open service requests, change requests and work orders within NCIA and NCSC ticketing and tasking systems, pro-active follow-up of existing requests in various systems on a periodic basis.

D1 Outcome: The JIRA issue (task) has been handled (if assigned to the person) or created (if it needs to be dispatched within the team).

D1 Acceptance Criteria: The issue has been handled appropriately, using professional judgment and the outcome is clearly indicated in the appropriate field.

The issue has been addressed before or at the target date

D2. Based on directions from the Service Delivery Manager (SDM) and deputy SDM:

write emails to stakeholders of the service, write and review SoW, contracts and license agreements, resource planning, writing, editing and creation of SOP/SOI in the NCSC wiki, presentation slides preparation.

D2 Outcome: List of documents produced and emails sent to support the threat hunting service.

D2 Acceptance Criteria: The list contains the title of documents or subject of emails, the stakeholders informed and the link to issues in Jira (TASK #)

The format expected is an Excel document with the following columns: Title/Subject, Stakeholders, Link to Issue.

This deliverable is expected at the end of each week.

Rejection criteria:

The client may reject deliverables if they do not meet the specified acceptance criteria or if they contain critical errors.

A rejected deliverable must be corrected and resubmitted within 1 (one) business day.

Further, the Contractor’s personnel must conduct the following reviews:

A bi-weekly ‘touch point’ between NCSC – Threat Hunting Service Delivery Manager, or any other NCSC personnel designated by NCSC.

Structure and formatting of the deliverables:

In addition to their specific acceptance criteria, each deliverable shall meet the following requirements:

Language: the product shall be written in English, meeting the NATO STANAG 6001 Level 3 “Professional Proficiency”.

Intended Audience: the product shall be intended for Cyber Security Professional, Senior Military personnel and decision makers in the field of Cyber Security and Cyberspace Operations.

Accuracy: the product shall accurately reflect what was done.

Clarity and Conciseness: Information shall be presented clearly and concisely, avoiding unnecessary jargon or complex language.

Objectivity: the content shall be impartial and objective, presenting information without bias or personal interpretation.

Structure: the product shall follow a logical structure such as template when available.

Timeliness: the product shall be prepared and distributed promptly after the assignment, ensuring that information is fresh and actionable.

Formatting: Consistent formatting shall be used throughout the document, including font style, size, headings, and spacing further directed by the Information and Knowledge Management Steering Group.

Confidentiality: Information processed by analysing threat intelligence reports or acquired during threat hunting campaigns shall be handled in accordance with the NATO policy on Information Management.

6. PENALTIES

The penalties defined below will apply to the payment amount based on the performance results measured through R1 - Monthly Service Performance (Annex A)

Each deliverable will be assessed by a supervisor or team member on a scale of 1 to 5 based on the criteria defined above. If the score is below 4/5, a justification is provided by the assessor. This score is used for the monthly KPI reported in R1 (Annex A) which is the sum of all the deliverables scores divided by the number of deliverables and transformed into percentage, an overall score below 80% introduce financial penalty.

This score is computed in the “sprint review” phase detailed in Section 7.

The grade are to be understood as follows:

1 (20%) Unsatisfactory: The deliverable is completely off-target

2 (40%) Lacking: The deliverable doesn’t meet 1 or more acceptance criteria

3 (60%) Substandard: The deliverable didn’t meet an acceptance criteria or the deadline communicated

4 (80%) Acceptable: The deliverable meets all acceptance criteria however some structure and formatting could be improved

5 (100%) Satisfactory: The deliverable perfectly meets the expectations

Overall Satisfaction on deliverables: >= 80% = 0% Penalty

Overall Satisfaction on deliverables: 60% - 79% = 25% Penalty

Overall Satisfaction on deliverables: 40% - 59% = 50% Penalty

Overall Satisfaction on deliverables: < 40% = 75% Penalty

Method of Surveillance: The overall satisfaction for the month is reported on the R1 - Monthly Service Performance (Annex A)

7. COORDINATION AND REPORTING

Due to the AGILE approach of this project, there is a need to define a set of specific arrangements between the NCI Agency and the contractor that specifically defines the deliverables to be provided for each sprint as well as their associated acceptance criteria. This includes sprint planning, execution and review processes, which are detailed below:

1. Sprint Planning:

Objective: Plan the objectives for the upcoming sprint

Kick-off meeting: Conduct a monthly meeting with the contractor to plan the objectives of upcoming sprints and review contractor`s manpower to meet the agreed deliverables.

The associated criteria for the sprint, unless stated otherwise at the beginning of the sprint period, are the acceptance criteria defined for each deliverable defined in Section 5.

The contractor needs to be assigned at the beginning of the each sprint to be able to fulfil the agreed activities

Agree on the required deliverables for each sprint (D01 to D02).

Backlog Review: Review and prioritise the backlog of tasks, issues, and improvements from previous sprints.

Assess each payment milestone cycle duration of one calendar month. State of completion and validation of each sprint status and sign off sprints to be submitted for payment as covered in Section 7.

2. Sprint Execution:

Objective: Contractor to execute the agreed “sprint plans” with continuous monitoring and adjustments.

Regular meetings between NCI Agency and the contractor to review sprint progress, address issues, and make necessary adjustments to the processes or production methodology. The Meetings will be physically in the office.

Continuous improvement: Contractor to establish a continuous feedback loop to gather input from all stakeholders for ongoing improvements and their subsequent implementation depending on NCIA approval.

Progress Tracking: Contractor to use a shared dashboard or tool to track the status of the sprint deliveries and any issues.

Quality Assurance/Quality Check: Contractor shall ensure that the quality standards agreed for the sprint deliverables are maintained throughout the sprint.

Quality Control: NCIA to perform the Final Quality Control of the agreed deliverables and provide feedback on any issues.

3. Sprint Review:

Objective: Review the sprint performance and identify areas for improvement.

R1-monthly performance report (see Annex A), provided at the end of the month, in NCSC tool and using NCSC provided template, containing the number of each deliverable provided during the month.

The report will be prefilled by the Contractor’s personnel and includes as supporting documentation the list of deliverables produced during that month including references to NCSC tools containing the information.

The report will be completed by NCSC to include the overall score received for the deliverables in that month. It is computed as follows: the sum of the score for each deliverable (from 1 to 5) divided by the number of deliverables and converted in percentage.

At the end of each sprint, there will be a meeting between the NCI Agency and the Contractor’s Personnel to review the outcomes against the acceptance criteria comprising sprint goals, agreed quality criteria and Key Performance Indicators (KPIs).

Define specific actions to address issues and enhance the next sprint.

4. Sprint Payment:

For each 4 (four) consecutive sprints to be considered as complete and payable, the contractor must report the outcome of their work during the sprint, first verbally during the retrospective sprint review meeting and then in writing within five days after the 4th sprint’s end date. A report must be sent by email to the NCI Agency service manager, listing all the work achieved against the agreed tasking list set for the sprint.

The contractor's payment for each set of 4 sprints will be depending upon the achievement of agreed Acceptance Criteria for each task, defined at the sprint planning stage. This will include specific delivery targets, quality standards as well as Key Performance Indicators (KPIs) for each task.

The payment shall be dependent upon successful acceptance as set in the above planning/review meetings. This will follow the payment milestones that shall include a completed Delivery Acceptance Sheet (DAS) – (Annex A) including the EBA Receipt number

Invoices shall be accompanied with a Delivery Acceptance Sheet (DAS) – (Annex A) signed by the Contractor and project authority.

If the contractor fails to meet the agreed Acceptance criteria for any task, the NCI Agency reserves the right to withhold payment for that task/sprint.

8. DELIVERABLES MILESTONES AND PAYMENT SCHEDULE

Payment will be done after completion of four (4) consecutive sprints, following the acceptance of the sprint report.

The payments shall be dependent upon successful acceptance of the R1 - Monthly Performance Report (Annex A).

Invoices shall be accompanied with the R1 - Monthly Performance Report (Annex A) signed by the Contractor’s personnel and project authority.

Related invoice will be accompanied by a R1 - Monthly Performance Report (Annex A) signed by the project authority.

The NCIA team reserves the possibility to exercise a number of options, based on the same deliverable timeframe and cost, at a later time, depending on the project priorities and requirements.

2025 BASE: PERIOD OF PERFORMANCE FROM 30th June 2025 to 31st December 2025

Deliverable: Up to 23 Sprints as Deliverable D01 and D02 – Para 5 (Number of sprints is estimated.  This will be adjusted based on actual starting date.)

Payment Milestones: Completion of four (4) consecutive sprints will be documented in the R1 – Monthly Performance Report (Annex A) which will be signed for acceptance by the authorized point of contact and the Contractor’s personnel.

2026 OPTION: PERIOD OF PERFORMANCE 01 JANUARY 2026 TO 31 DECEMBER 2026

Deliverable: Up to 46 Sprints as Deliverable D01 and D02 – Para 5

Cost Ceiling: Price will be determined by applying the price adjustment formula as outlined in CO‐115786‐ AAS+ Special Provisions article 6.5.

Payment Milestones: Completion of four (4) consecutive sprints will be documented in the R1 – Monthly Performance Report (Annex A) which will be signed for acceptance by the authorized point of contact and the Contractor’s personnel.

9. SCHEDULE

The BASE period of performance starts no earlier than 30 th June 2025 (tentative) and will end no later than 31st December 2025

If the 2026 option is exercised, the period of performance is 1st January 2026 to 31st December 2026.

If the 2027 option is exercised, the period of performance is 1st January 2027 to 31st December 2027.

If the 2028 option is exercised, the period of performance is 1st January 2028 to 31st December 2028.

10. SECURITY AND NON-DISCLOSURE AGREEMENT

Any contracted individuals of the Contractor’s personnel must be in possession of a security clearance by their National Authority of NATO SECRET or above. The signature of a Non- Disclosure Agreement between any Contractor’s personnel contributing to this task and NCIA will be required prior to execution.

11. PRACTICAL ARRANGEMENT

Services under the current SOW are to be delivered by ONE resource

The services will be mainly executed on premise in SHAPE, Mons Belgium.

The services may optionally be executed remotely during part of duration of the contract, given prior written pre-approval from NCSC and only for specific durations. The services can only be executed from NATO member countries.

NCIA IT equipment will be provided (NCSC NROP laptop and/or NCIA NRAIS laptop will be provided) + access to NCSC NSOP workstation.

Daily presence on SHAPE, Mons Belgium is expected to deliver according to performance goals. Maximum 2 travels per month to other locations in Belgium (NATO HQ in Brussels, NCIA offices in Braine L’Alleud) for meetings might be requested. No overnight stay required.

All travel costs are included in the quoted price. No additional cost for travel (including accommodation, per diem, travel expenses, etc.,) will be claimed separately. All travel arrangements are the responsibility of the Contractor’s personnel.

No extra cost can be associated to the presence of any team member on SHAPE, Mons, Belgium.

For the extraordinary travel to other NATO locations, the expenses will be reimbursed in accordance with Article 5.5 of AAS Framework Contract and within the limits of the NCIA Travel Directive. They will be invoiced separately to the purchaser by the service provider, in accordance with the terms and conditions of the framework agreement. These additional travel costs are considered an extra charge to the overall bid price.

The first 5 working days of a new resource (starting at the date the SHAPE ID was obtained) are considered familiarisation and handover/takeover period for which no payment will be made as no deliverable can reasonably be expected during that time.

The provider must communicate the starting date and all on boarding documents, at least 3 weeks prior to the starting date to the NCSC point of contact.

It is the responsibility of the provider to inform and make sure each resource can comply with the requirements to obtain a SHAPE ID on their starting day. This includes among others the clearance (RFV) and the mandatory registration in a Belgium commune. The list of documents required can be consulted here:

https://www.shape2day.com/arrivingleaving/inprocessing/are-you-a-national-civilian-component/contractorconsultant

12. QUALIFICATIONS SKILLS

[See Requirements]

Requirements

10. SECURITY AND NON-DISCLOSURE AGREEMENT

• Any contracted individuals of the Contractor’s personnel must be in possession of a security clearance by their National Authority of NATO SECRET or above.

12. QUALIFICATIONS SKILLS

The Contractor’s Personnel must meet the following experience, qualities and qualifications:

• Experience of at least 2 years in engaging with highly technical cyber security professionals.
• Experience of at least 2 years in summarizing discussions, identifying relevant points and action items.
• Experience of at least 2 years in coordinating stakeholders at multiple levels (strategic, operational and tactical/technical).
• Experience of at least 2 years in creating work orders, tickets in multiple ticketing systems and following them up.
• Experience of at least 2 years in writing presentation slides for different audiences.
• Experience of at least 2 years in  resources planning based on current and projected workload.
• Ability to explain complex technical topics in simpler terms to a non-technical audience.
• Maintain situational awareness of multiple ongoing activities across disparate ticketing systems and coordinating the activities across those.
• Demonstrable existing experience with documenting existing processes using Atlassian Confluence software.
• Experience with Knowledge Management activities; storing and categorizing documents from multiple sources.
• Editing work on SOP (Standard Operating Procedures) and SOI (Standard Operating Instructions).
• Language proficiency in English meets or exceeds the NATO STANAG 6001 Level 3 “Professional Proficiency”.
• The Contractor’s personnel shall be dressed suitably for meetings with high ranked officials. No religious sign shall be worn during such meeting.
• The Contractor’s personnel shall actively collaborate during internal meeting and touch-points discussions to improve the quality of services.
• Strong reporting skills to various levels of seniority.
• Accuracy and attention to detail.
• A previous experience in working for or supporting a military or governmental organization is asset.