2025-0283 Support to Provide CIS Security Assurance (NS) - MON 15 Sep

Deadline Date: Monday 15 September 2025

Requirement: Support to Provide CIS Security Assurance

Location: Braine-l’Alleud, BE

Full Time On-Site: Yes

Time On-Site: 100%

Period of Performance: BASE 2025: As soon as possible, but not later than 13 October 2025 – 31st December 2025

2026 Option: 1st January 2026 until 31st December 2026

2027 Option: 1st January 2027 until 31st December 2027

2028 Option: 1st January 2028 until 31st December 2028

Required Security Clearance: NATO SECRET

1 INTRODUCTION

The NCIA is looking for CIS Security Assurance – On Site service, delivered at NCIA headquarters in Braine L’Alleud, Belgium, for achieving the security accreditation and maintaining the CIS security posture of a medium to large complexity NATO CIS.

The NCIA provides advanced technological solutions and support to NATO and its member nations. Its mission is to ensure effective and secure communication and information systems for the alliance, enabling operations and decision-making. The agency plays a critical role in maintaining NATO's technological edge and operational readiness through innovation, collaboration, and the implementation of cutting-edge technologies.

The NATO CIS undergo a security accreditation process, and must obtain Security Accreditation and Approval to Operate (ATO). The NATO CIS security accreditation requires assessing potential cybersecurity risks following a risk management methodology. This includes the identification and assessment of risks for specific NATO CIS in close coordination with NATO accreditation stakeholders (including technical and security authorities), followed by the development and implementation of mitigation and remediation plans, specifically assessing the residual risks after the application of the risk mitigation measures. The security accreditation status is tracked throughout the entire lifecycle of NATO CIS.

2 OBJECTIVE

The objective of this Statement of Work (SOW) is to provide CIS Security Assurance service on Site, for a medium to large NATO CIS, consisting in development of CIS Security accreditation documentation, conducting risk assessments, recommending mitigation measures, and coordinating the remediation of the findings identified by security assessments.

3 SCOPE OF WORK

This SOW covers one medium to large NATO CIS, the security accreditation document set and the associated CIS Security assurance activities as described below and detailed in Annex C.

1) CIS Security Accreditation:

a) Produce the CIS Description (CISD) documentation, addressing all NATO CIS components; coordinate with Service Delivery Managers (SDMs), network and security architects and other relevant Subject Matter Experts (SMEs) to ensure the complete and accurate description of the CIS.

b) Conduct Security Risk Assessment (SRA) for the NATO CIS in scope; this includes the identification and assessment of risks in close coordination with NATO accreditation stakeholders (including technical and security authorities).

c) In close coordination with the security accreditation support and the technical stakeholders, produce the Security Requirements Statements (SRSs) (System Specific and for the System Interconnections), which include evaluating the implementation of the security requirements as per the NATO security policies and directives, advise on mitigation and remediation recommendations for those security requirements partially implemented (or not implemented), and document these in the relevant accreditation documents (Security Requirements Statements (SRSs), SecOPs).

d) Produce the Security Operating Procedures (SecOPs) in line with the NATO security policies and directives.

e) Develop Security Tests and Verification Plans (STVP).

f) Conduct Security tests in accordance with defined test plans and provide associate reporting.

g) Support the development of mitigation and remediation plans, following the identification and assessment of cybersecurity risks for NISC managed CIS, specifically assessing the residual risks after the application of cybersecurity risk mitigation measures.

h) Assist with complex remediation activities for the NATO CIS in scope of this SoW; conduct remediation activities in collaboration with the NCIA Service Delivery Managers.

i) Ensure adequate level of systems/data protection is implemented for NISC managed CIS in accordance with NATO Security policies and directives.

2) Operations:

a) Perform all operation, support and maintenance activities described in Annex C.

b) Log and track Service and Change requests using the enterprise ticketing system (ITSM).

c) Ensure all tickets are updated with accurate and detailed information and resolved within the agreed service levels.

3) Escalation:

a) Escalate complex issues to appropriate teams when necessary.

b) Follow up on escalated issues to ensure timely resolution and user satisfaction.

4) Knowledge Base Management:

a) Contribute to the creation and maintenance of a knowledge base, documenting common issues and solutions.

b) Share knowledge and best practices with team members to improve overall service quality.

5) Performance Monitoring:

a) Monitor support metrics and KPIs to ensure high-quality service delivery.

b) Participate in regular reviews to identify areas for improvement and implement corrective actions.

6) Automation and Efficiency:

a) Develop and implement automation scripts or advise on automated tools to streamline routine support tasks such as system and software checks and notifications, and the development/continuous update of the accreditation deliverables.

b) Utilize automation to create workflows for repetitive tasks, improve service efficiency and proactively implement solutions.

7) Communication and Collaboration:

a) Communicate effectively with internal user community to understand their issues and provide clear instructions.

b) Collaborate with IT teams to resolve security issues and improve service delivery.

8) Transition-In

The Contractor shall start the execution of the contract by implementing the transition-in Handover-Takeover (HOTO) plan.

The Transition-in Handover-Takeover (HOTO) plan shall include at the minimum:

• Detailed HOTO schedule with GANTT chart

• Resources and PFE required from the Purchaser for successful execution of HOTO plan

• Risk register

Handover-takeover period will be divided in two parts: Shadowing and Reverse Shadowing.

For the Transition-In HOTO, Shadowing will be the monitoring of Purchaser’s activities by the Contractor for each product listed in Annex C. Reverse shadowing will the monitoring of the Contractor activities by the Purchaser for item listed in Annex C.

9) Transition-Out

Whatever the cause or the triggering event of the contract coming to an end, the Contractor shall end the execution of the contract by implementing the transition-out Handover-Takeover (HOTO) plan.

The transition-out Handover-Takeover plan to be executed for contract closure or contract termination shall include at the minimum:

• Detailed HOTO schedule with GANTT chart

• Transition to The Purchaser of any tools, procedures, training and documentation used by The Contractor to execute this SOW.

• Resources and PFE required from the Purchaser for successful execution of HOTO plan

• Risk register

Handover-takeover period will be divided two parts; Shadowing and Reverse Shadowing.

For the Transition-Out HOTO, Shadowing will be the monitoring of the Contractor activities by The Purchaser for each item listed in Annex C. Reverse shadowing will be the monitoring of the Purchaser activities by The Contractor for the second instance for each product listed in Annex C.

4 DELIVERABLES AND PAYMENT MILESTONES

4.1 Payment Schedule will be at the end of each 4 sprints, following the acceptance of the sprint report.

4.2 The NCIA team reserves the possibility to exercise a number of options, based on the same deliverable timeframe and cost, at a later time, depending on the project priorities and requirements.

4.3 The payment shall be dependent upon successful acceptance of the sprint report and the Delivery Acceptance Sheet (DAS) – (Annex B)

Invoices shall be accompanied with a Delivery Acceptance Sheet (Annex B) signed by the Contractor and the NCIA POC.

The following deliverables are expected for the scope of work (Section 3) on this statement of work:

Deliverable: Up to 10 sprints (Number of sprints is estimated and will be adjusted based on actual starting date.)

Payment Milestones: Upon completion of 4 sprints and at the end of the work

2026, 2027, 2028 OPTIONS: 01 January 2026, 2027, 2028 to 31 December 2026, 2027, 2028

Deliverable: Up to 46 sprints (Number of sprints is estimated and will be adjusted based on actual starting date.)

Cost Ceiling: Price will be determined by applying the price adjustment formula as outlined in CO‐115786‐ AAS+ Special Provisions article 6.5.

Payment Milestones: Upon completion of 4 sprints and at the end of the work

5 COORDINATION AND REPORTING

5.1 The contractor shall report to the assigned service delivery manager.

5.2 The contractor shall participate in daily status update meetings, activity planning and other meetings as instructed, physically in the office or in person via electronic means using Conference Call capabilities, according to service delivery manager’s instructions.

5.3 For each sprint to be considered as complete and payable, the contractor must report the outcome of his/her work during the sprint, first verbally during the retrospective meeting and then in writing, within three (3) working days after the sprint’s end date. A report in the format of a short email shall be sent to NCI Agency POC briefly mentioning the work held and the achievements during the sprint. The format of this report shall be added into Delivery Acceptance Sheet (DAS) – (Annex B) mentioning briefly the work held and the development achievements during the sprint.

6 SCHEDULE

The period of performance is 13 October (tentative) 2025 through 31st December 2025.

If options are executed, period of performance is the calendar year for the respective option.

7 CONSTRAINTS

All the deliverables provided under this statement of work will be based on NCIA templates or agreed with the project point of contact.

All code, scripts, documentation, etc. will be stored under configuration management and/or in the provided NCIA tools.

8 SECURITY

Performance of the services described in this SOW require a valid NATO SECRET security clearance prior to the start of the engagement.

9 PRACTICAL ARRANGEMENTS

9.1 This is a deliverables-based contract.

9.2 The contractor shall provide services 100% On-site NCIA Headquarters in Braine L’ Alleud, Belgium. Exceptional off-site activities to support service delivery can also be arranged with the line manager’s coordination and approval.

9.3 There may be requirements to travel to other sites within NATO for completing these tasks.

9.4 Travel costs are out of scope and will be borne by the NCI Agency separately in accordance to the provisions of the AAS+ Framework Contract.

9.5 The work depicted in this SOW is expected to be carried by a single contractor.

9.6 The service shall be delivered during core working hours (0830 – 1200 and 1300 - 1730).

9.7 The contractor will be required to obtain working permission for on-site work in Belgium.

10 QUALIFICATIONS

[See Requirements]

Annex C: Description of the NATO CIS Environment

1. The NATO CIS operates at the NATO UNCLASSIFIED (NU) and NATO RESTRICTED (NR) classification levels.

2. The NATO CIS is composed mainly of Infrastructure Edge Devices and services, supporting NATO Command Structure, and elements of the NATO Force Structure. It is installed in two locations.

3. The CIS environment contains predominantly proxy and gateway tools, as well as a management component based on Microsoft Windows Server and Linux Operating systems, running on physical and virtual servers.

4. The following documents need to be produced part of the accreditation documents set for the NATO CIS (~8, depending on the approach on the system interconnections):

a. Security Accreditation Plan

b. CIS Description

c. Security Risk Assessment

d. Security Requirements Statements (System-Specific, respectively for System Interconnections)

e. Security Operating Procedures

f. Security Testing and Verification Plan

g. Security Testing and Verification Report

Additionally, on demand, Remediation Actions status Report following the Security Audits might need to be produced and submitted to the relevant Cyber/CIS Security and security accreditation authorities.

5. The response and resolution times for ITSM tickets are defined, in accordance with assigned priority, in NCIA Incident Management Standard Operating Procedure (SOP) 06.04.01.

6. The Contractor shall take the description above as an indication on the composition and complexity of the system in scope, as well as of the required accreditation deliverables in scope of this contract. The actual number of deliverables in scope of this contract will stay within a margin of +/- 25% of the provided numbers. Any changes to the number of deliverables will not entitle the Contractor to any price adjustments. However should the numbers move outside this margin, upwards or downwards, this could be ground for an equitable price adjustment to be applied at the next turn of the year.

8 SECURITY

Performance of the services described in this SOW require a valid NATO SECRET security clearance prior to the start of the engagement.

10 QUALIFICATIONS

The consultancy support for this work requires a systems engineer with the following qualifications:

1) Technical Proficiency:

• The support for this work requires technical proficiencies as the development and execution of the following accreditation deliverables: NATO CIS Security accreditation process; CIS Security Risk Assessments (SRA); CIS Security Tests and Verifications (STV); CIS Security Assessments (SA) remediation
• A minimum of 2 years of experience with the security accreditation process are required, including development of security accreditation documents as listed above.

2) Problem-Solving Skills:

• Strong troubleshooting skills to diagnose and resolve hardware, software, and network security issues.
• Ability to guide users through problem-solving steps effectively.

3) Automation Skills:

• Proficiency in automation to create workflows and automate repetitive processes.
• Ability to identify and implement automation opportunities to enhance efficiency.

4) Communication and Interpersonal Skills:

• Excellent verbal and written communication skills.
• Full proficiency in English.
• Ability to communicate technical information to non-technical users in a clear and concise manner.
• A minimum of 2 years of work experience in an international environment are required.

5) Customer Service Orientation:

• Strong customer service focus with a commitment to user satisfaction.
• Patience and empathy when dealing with user issues and concerns.

6) Organizational Skills:

• Ability to manage multiple support tickets and prioritize tasks effectively.
• Attention to detail in documenting support activities and maintaining accurate records.

7) Team Collaboration:

• Ability to work effectively as part of a team and share knowledge and resources.
• Willingness to collaborate with colleagues to solve complex issues.

8) Others:

• The candidate has strong customer relationship skills, including negotiating complex and sensitive situations under pressure.
• The candidate must have the nationality of one of the NATO nations.