2025-0178 ACPV Service Catalogue Design Development Support (NS) - THU 19 Jun

Deadline Date: Thursday 19 June 2025

Requirement: ACPV Service Catalogue Design and Development Support

Location: Mons BE

Full Time On-Site: Yes

Time On-Site: 100%

Period of Performance: 2025 BASE: As soon as possible but not later than 01 Aug 2025 until 31 December 2025.

2026 OPTION: 1 January 2026 until 31 December 2026.

Required Security Clearance: NATO SECRET

1. PURPOSE

The objective of Statement of Work (SoW) is to support the design and development ofthe Asset Configuration Patching and Vulnerability (ACPV) Service in the Service Catalogue and to prepare its integration in an SLA Framework. It aims at;

Designing and developing the Service Design Package needed for the ACPV Service in order to be integrated in the service catalogue of the Agency within the requisite lead-time

Allowing the aforementioned to be incorporated into an SLA framework from which all NATO entities can consume ACPV data.

The support will be given to NATO Cyber Security Centre (NCSC) to fulfil identified ACPV Service Catalogue design and development activities more effectively.

2. BACKGROUND

ACPV supports the NATO strategic objective to enhance cyber defence and resilience.

It directly contributes to NATOs cybersecurity posture proactively challenging adversarial freedom of manoeuvre in cyberspace countering malicious cyber activities on the Alliance and contributing to Enterprise cyberspace situational awareness in a dynamic environment.

NATO needs to continuously improve its enterprise vulnerability management process as part of its aim to operate at the high security levels which ensure its effectiveness and reliability. The ACPV Core System is expected to provide the NATO Cybersecurity Ecosystem with adequate ACP management for vulnerability assessment information within the NATO Enterprise ensuring that NATO CIS are understood monitored patched and actioned properly in order to improve their protection against the full spectrum of current and future cyber threats.

In support of this the NCI Agency is tasked under a Programme of Work (POW) to support the ACPV program.

To support NCSC for the execution of tasks identified in the subject work package of the project the NCI Agency is looking for subject matter expertise in the delivery of complex foundational and novel ACPV support capability.

This contract is to provide consistent support on a deliverable-based (completion-type) contract to NCSC contributing to its POW based on the deliverables that are described in the scope of work below.

3. SCOPE OF WORK

The objective of this Statement of Work (SOW) is to provide support to the activities executed by NCSC with a qualified contractor on a deliverable-based (completion-type) contract. The work will consist in preparing the following deliverables:

Service Description (SD) following NCIA template describing the service service value proposition each service feature or flavour support hours standard service support level unit of consumption and unitary price.

Service Delivery Plan (SDP) following NCIA template describing all Service Technology Components the Service Tree Service Support Model Roles and Responsibilities Service Level Targets and Key Performance Indicators.

A bottom-up quantified Service Cost Model following NCIA template.

The breakdown of these activities is the following:

3.1 Service Description

The Contractor following a NCIA Template will develop a Service Description Document with the detailed technical description that needs to include Service Identification Service Type Description of Service Value Proposition Service Features/Flavors Environments Prerequisites Standard Service Support Levels and Service Cost.

3.2 Service Delivery Plan (SDP)

In this activity the Contractor needs to draft the Service Delivery Plan and will need to gather from all stakeholders in the following activities all the necessary elements and include the information gathered/developed in the SDP.

Service overview:

The contractor will develop a brief description of the Service from a technical point of view providing the link to the document containing the detailed technical description of the Service (developed in the previous activity).

The contractor will identify and document all prerequisite Customer Facing Services Underlying Services Service Assets (Software/Hardware) Licenses and Underpinning Contracts.

Service Technology Components and Model:

The Contractor will develop a visual representation of the relationship of service technology Components using a provided template.

Service Support Model:

In this activity the Contractor needs to describe what levels of support are applicable to the Service keeping in scope how the NCI Agency has defined standardized levels of support. If the Service requires deviation/different definition of support levels they need to be described identifying their source (e.g. SLA POW etc.)

Service Delivery Support Process:

The Contractor needs to develop a scheme that best depicts how the support process for the Service is defined and operated. An illustration of such a scheme will be provided to harmonize this work with other existing SDPs.

Description of future end-state implementation overview of the Service Delivery Support Process.

The Contractor needs to develop a RACI table to describe the Roles and responsibilities within the Service Delivery Process.

Service Delivery Point is defined as the latest physical location where physical work needs to take place to have a service delivered. The Contractor needs to identify all Service Delivery points for the Service and document them in a matrix indicating all the instances for each.

Service Delivery Management:

The Contractor needs to identify all the major coordination events and their time-frames reporting activities or other relevant events planned during Service Delivery (e.g. Full Service Delivery Review Collection of Customer Inputs etc.).

Annexes:

The Contractor may need to Include any other annexes in accordance with the requirements of the specific SDP to address (Service Level Targets ITSM Configuration Parameters CMDB Data Configuration Acquisition Procedures Material Requisition Procedures Capacity Management etc.) determined during the work on previous activities.

Definitions and Acronyms

Develop the list of definitions and acronyms used in the Service Delivery plan

3.3 Bottom-up Cost Model

In this activity the Contractor shall develop a bottom-up cost model for the Service identifying all service Costs that will be supporting the proposed Service Rate.

The contractor will be part of the NCSC Team and will provide services using an Agile and iterative approach during multiple sprints. Each sprint is planned for a duration of 1 week. The content and scope of each sprint will be agreed during the sprint-planning meeting in writing.

Due to the agile approach of this project there is a need to define a set of specific arrangements between the NCIA and the contractor that specifically defines the deliverables to be provided for each sprint as well as their associated acceptance criteria.

This includes sprint planning execution and review processes which are detailed below:

Sprint Planning:

Objective: Plan the objectives and deliverables for the upcoming sprint;

At the start of each sprint a sprint planning meeting will be conducted with the contractor to discuss and plan the objectives and deliverables of the upcoming sprint;

Define clear achievable objectives for the sprint and associated acceptance criteria including specific delivery targets and quality standards for each task to be recorded in the sprint planning meeting minutes.

Agree on the required level of effort for the various sprint tasks.

Backlog Review: Review and prioritize the backlog of tasks issues and improvements from previous sprints.

Assess and validate the status of completion of the previous sprint and sign off sprints to be submitted for payment as covered below.

Sprint Execution:

Objective: Contractor to execute the agreed sprint plans with continuous monitoring and adjustments.

Regular meetings: The contractor shall participate in status update meetings to review sprint progress to address issues and to make necessary adjustments to the processes or objectives. Those sprint meetings will be via electronic means using Conference Call capabilities. On rare occasions there may be a requirement to attend a physical meeting in the office or in person as requested by the project manager.

Continuous improvement: The contractor will establish a continuous feedback loop to gather input from all stakeholders for ongoing improvements and their subsequent implementation depending on NCIA approval.

Progress Tracking: Contractor to track and share the status of the sprint deliveries and any risks/issues.

Quality Assurance/Quality Check: The contractor shall ensure that the quality standards agreed for the sprint deliverables are maintained throughout the sprint.

Quality Control: NCIA will perform the quality control of the agreed deliverables and provide feedback on any issues.

Sprint Review:

Objective: Review the sprint performance and identify areas for improvement.

At the end of each sprint there will be a meeting to review the deliverables and outcomes against the acceptance criteria.

Define specific actions to address issues and enhance the next sprint.

Sprint Payment:

Progress on the above deliverables will be checked and approved on a per sprint basis.

For each sprint to be considered as complete and payable the contractor must report the outcome of their work during the sprint first verbally during the sprint review meeting and then in writing within three days after the sprints end date. The format of this report shall be an email to the NCIA Point of Contact mentioning briefly the work performed and the development achievements during the sprint against the agreed tasking list set for the sprint.

The payment of each sprint will be depending upon the achievement of agreed acceptance criteria for each task defined at the sprint planning stage. This will include specific delivery targets quality standards as well as Key Performance Indicators (KPIs) for each task.

The payment shall be dependent upon successful acceptance as set in the above planning/review meetings. This will follow the payment milestones that shall include a completed Delivery Acceptance Sheet (DAS).

Invoices shall be accompanied by a Delivery Acceptance Sheet (DAS) signed by the contractor and the project manager and shall follow the payment milestones.

If the contractor fails to meet the agreed acceptance criteria for any task the NCIA reserves the right to withhold (partial) payment for that sprint.

Further the supplier must conduct the following reviews:

A daily touch point between NCIA POC and the Contractors POC to ensure work is on track

Draft versions of the reports where the Contractors POC presents the draft report to the customer with the opportunity for the customer to provide feedback and implement uplifts.

Final versions of the reports where the incumbent presents and delivers the final report to the customer.

4. DELIVERABLES AND PAYMENT MILESTONES

The following deliverables are expected from this statement of work:

1) Complete the activities/tasks agreed in each sprint meeting as per section 3 above.

2) Produce sprint completion reports (format: e-mail update) which include details of activities performed and the list of deliverables of the week.

3) The Contractor will participate in the daily reporting and planning activities (daily stand-ups) as well as the required participation in workshops events and conferences related to the supported services as requested by the Service Delivery Manager.

Payment Schedule will be according to payment milestones upon completion of 4 consecutive sprints. Upon completion and validation of each sprint and at the end of the monthly milestone following the acceptance of the sprint report.

The Purchaser (NCIA) reserves the right to exercise a number of options of one or more sprints based on the same deliverables at a later time depending on the project priorities and requirements at the following cost: for base year (2025) at the same cost for following years (2026-2028) the Price Adjustment Formula will be applied in accordance with paragraph 6.5 of the Framework Contract Special Provisions.

The payment shall be dependent upon successful acceptance of the sprint report and the Delivery Acceptance Sheet (DAS) (Annex B).

Invoices shall be accompanied with a Delivery Acceptance Sheet (Annex A) signed by the Contractor and the NCIA POC.

2025 BASE period: 01 August 2025 31 December 2025:

Deliverable: 22 sprints to support ACPV Service Catalogue Design and Development Support as per described in Para 3 (Number of sprints is calculated considering a starting date 01 Aug 2025. This will be adjusted based on actual starting date.)

Payment Milestones: Upon completion of each fourth sprint and at the end of the service. Completion of each milestone shall be accompanied documented in Delivery Acceptance Sheet (DAS) (Annex B) signed for acceptance by the Purchasers authorized point of contact and the Contractor

2026 Option: 1 January 2026 to 31 December 2026

Deliverable: 46 sprints to support ACPV Service Catalogue Design and Development Support as per described in Para 3

Cost Ceiling: Price will be determined by applying the price adjustment formula as outlined in CO115786 AAS Special Provisions article 6.5.

Payment Milestones: Upon completion of each fourth sprint and at the end of the service. Completion of each milestone shall be accompanied documented in Delivery Acceptance Sheet (DAS) (Annex B) signed for acceptance by the Purchasers authorized point of contact and the Contractor

5. COORDINATION AND REPORTING

The contractor shall report to the assigned service delivery manager.

The contractor shall participate in daily status update meetings activity planning and other meetings as instructed physically in the office or in person via digital means using conference call capabilities according to the managers / team leaders instructions.

For each sprint to be considered as complete and payable the contractor must report the outcome of his/her work during the sprint first verbally during the retrospective meeting and then in written within three (3) days after the sprints end date. The format of this report shall be a short email to the NCI Agency Project Manager mentioning briefly the work held and the development achievements during the sprint.

At the end of the project the Contractor shall provide a Project Closure Report that is summarizing the activities during the period of performance at high level.

6. PENALTY AND REJECTION PROCESS

If the contractor does not meet the work expectation based on the CV presented the assigned tasks are not performed as expected based on NATO standards or the finalization of the assigned tasks are not done within the given time the sprint will not be accepted and the service will not be paid.

If any of the above mentioned issues persist the outsourcing partner will be asked to provide a replacement.

7. SCHEDULE

This task order will be active immediately after signing of the contract by both parties.

The period of performance is as soon as possible but not later than 01 Aug 2025 and will end no later than 31 December 2025.

If the 2026 option is exercised the period of performance is 01 January 2026 to 31 December 2026.

8. CONSTRAINTS

All the deliverables provided under this statement of work will be based on NCI Agency templates or agreed with the project point of contact.

All documentation etc. will be stored under configuration management and/or in the provided NCI Agency tools.

9. SECURITY AND NON-DISCLOSURE AGREEMENT

It is mandatory to have the candidate be in possession of a NATO SECRET security clearance to facilitate follow-on engagements and coordination at NATO venues.

The signature of a Non-Disclosure Agreement between the contractor contributing to this task and NCIA will be required prior to execution.

10. PRACTICAL ARRANGEMENTS

The contractor will be required to work approximately 100% onsite at NCIA Headquarters in Mons / BEL as part of this engagement. The NCSC Team is located in Mons/BEL with working hours to be adjusted accordingly. Incident resolution activities may be requested during the out of business hours as part of deliverable-based sprints.

The contractor will be required to work within a NATO country following the rules and regulations applicable for the operations of NATO CIS.

The contractor may be required to travel to other NATO locations as part of his role. Travel expenses for missions to other NATO/NCIA locations than Mons/BEL will be reimbursed to the individual directly (outside this contract) under NATO rules.

Travel arrangements will be the responsibility of the contractor and the expenses will be reimbursed in accordance with Article 5.5 of AAS Framework Contract and within the limits of the NCIA Travel Directive.

The services must be provided by ONE contractor for the entire performance period.

The Purchaser will provide the contractor with the following Purchaser-Furnished Equipment (PFE):

Access to NATO sites as required for the purpose of executing this SOW.

Workspace (needed business IT for both on- and off-site work hot-desk at NISC facility).

NCIA REACH laptop to be used by the contractor for the execution of the contract.

11. REQUIRED QUALIFICATIONS

12. DESIRABLE QUALIFICATIONS

See Requirements

9. SECURITY AND NON-DISCLOSURE AGREEMENT

• It is mandatory to have the candidate be in possession of a NATO SECRET security clearance to facilitate follow-on engagements and coordination at NATO venues.

11. REQUIRED QUALIFICATIONS

The contractor who is going to deliver the identified services must have demonstrated skills knowledge and experience as listed below:

11.1 Technical Proficiency:

• The support for this work requires the following technical proficiencies:
• Good Knowledge and experience with the ITIL Framework (Service Strategy/Service Design)
• Solid understanding of financial management of IT Services and experience with Service Costs and Service Rates calculation.

11.2 Problem-Solving Skills:

• Strong troubleshooting skills to diagnose and resolve hardware software and network issues
• Ability to guide users through problem-solving steps effectively.

11.3 Communication and Interpersonal Skills:

• Excellent verbal and written communication skills
• Full proficiency in English
• Ability to communicate technical information to non-technical users in a clear and concise manner.

11.4 Organizational Skills:

• Ability to manage multiple tasks and prioritize tasks effectively
• Attention to detail in documenting support activities and maintaining accurate records.

11.5 Team Collaboration:

• Ability to work effectively as part of a team and share knowledge and resources
• Willingness to collaborate with colleagues to solve complex issues.

11.6 Others:

• The candidate has strong customer relationship skills including negotiating complex and sensitive situations under pressure
• The candidate must have the nationality of one of the NATO nations.

12. DESIRABLE QUALIFICATIONS

The contractor should also ideally have knowledge and experience in the following areas:

• Experience in working with NATO
• Experience of working with NATO Communications and Information Agency
• Experience of working with national Defence or Government entities.