2025-0210 Cyberspace Operations Malware and Digital Forensics (CTS) - MON 7 Jul

Job Location: Mons - Belgium

Monthly Salary: Not Disclosed

Vacancy: 1 Vacancy

Job Description

Deadline Date: Monday 7 July 2025

Requirement: Support to Cyberspace Operations Malware and Digital Forensics

Location: Mons BE

Full Time On-Site: Yes

Time On-Site: 100%

Period of Performance: 2025 BASE: 1 SEP 2025 to 31 DEC 2025 with the possibility to exercise the following options:

2026 option: 1 JAN 2026 to 31 DEC 2026

2027 option: 1 JAN 2027 to 31 DEC 2027

2028 option: 1 JAN 2028 to 31 DEC 2028

Required Security Clearance: NATO COSMIC TOP SECRET

1. BACKGROUND

The NCI Agency has been established with a view to meeting the collective requirements of some or all NATO nations in the fields of capability delivery and service provision related to Consultation, Command & Control as well as Communications, Information and Cyber Defence functions, thereby also facilitating the integration of Intelligence, Surveillance, Reconnaissance, Target Acquisition functions and their associated information exchange.

2. INTRODUCTION

The NATO Cyber Security Centre (NCSC) is a team of over 200 members working to monitor and protect NATO networks. In the NCSC's role to deliver robust security services to the NATO Enterprise and NATO Allied Operations and Missions (AOM), the centre executes a portfolio of programmes and projects of around 219 MEUR per year in order to uplift and enhance critical cyber security services.

The Portfolio ranges from Programme of Work (POW) activities funded via the NATO Military Budget (MB) to Critical / Urgent Requirements (CURs/URs) and NATO Security Investment Programme (NSIP) projects funded via the Investment Budget (IB). In some edge cases, projects are also funded via the Civilian Budget (CB). Projects can span multiple years and are governed by various frameworks, including the Common Funded Capability Development Governance Framework (CFCDGM).

In order to execute this work, the NCI Agency requires support with the work undertaken by the NATO Cyber Security Centre (NCSC) in the area of Communications and Information System (CIS) security, cyber defence and cyberspace operations. This Statement of Work (SoW) specifies the required skillset and experience.

3. PURPOSE

The NCSC, and more specifically the DEFEND branch, is responsible for defending NATO networks on a 24/7 basis and for supporting incident response by performing malware analysis and digital forensics. This involves, among other things: the analysis of malicious emails and payloads, the retrieval of forensic artefacts in a sound manner, the reverse engineering of binaries, and continuous improvement of scripting, automation and the environment.

4. OBJECTIVES

This Statement of Work (SoW) outlines the services to be provided by the Contractor to NCSC for providing support to Cyber Operations malware and digital forensics.

5. DELIVERABLES

The service is executed in sprints; each sprint is planned for a duration of 5 working days.

The Contractor's personnel shall deliver the following functions:

D1. Based on a specific malware analysis task (TASK) received via the NCSC COMS system, analyse what is required (malicious email, URL, binary) and perform a comprehensive analysis using automated and manual approaches.

D1 Outcome: The analysis is presented in the updated TASK following the template.

D1 Acceptance Criteria:

  1. Regular updates are provided via comments on the task once assigned, at least daily
  2. The format of the analysis follows the agreed template
  3. The relevant Standard Operating Procedures (SOP) and Standard Operating Instructions (SOI) are followed
  4. Work on the task should start within 2 hours of being assigned
  5. A maximum of 1 day for email/URL analysis is foreseen, up to 5 days for a complex binary. If a longer time is required, a detailed justification is to be provided and accepted by management.

D2. Malware analysis research on samples of particular interest. When such research is required, the provider will perform additional tasks to analyse the sample in depth and produce rules to better detect it.

D2 Outcome: A page in the NCSC wiki containing detailed research about the samples, including links to the YARA rules and IOCs created

D2 Acceptance Criteria:

  1. The page documenting the research follows the template
  2. If applicable, the YARA rules were created in the repository
  3. If applicable, extracted IOCs (indicators of compromise) were recorded in a MISP event

D3. Create, update and modify existing SOI/SOPs to reflect the current best practices.

D3 Outcome: The SOI/SOP has been updated, created or modified to reflect the current practices.

D3 Acceptance Criteria:

  1. The template has been followed
  2. Links with other relevant SOI/SOPs have been made

D4. Acquire and analyse digital forensics evidence following the forensics task (TASK) raised in NCSC COMS

D4 Outcome: The evidence has been acquired and analysed, and the analysis outcome has been documented in COMS

D4 Acceptance Criteria:

  1. The acquisition has been performed using the fastest methods available
  2. The acquisition is forensically sound and follows existing SOP/SOIs
  3. Regular updates on the task are provided via comments, at least daily
  4. The evidence has been stored in the centralized evidence storage

D5. Use and configure security tools such as Microsoft Defender for Endpoint, Fidelis Endpoint Security, F-Response as well as supporting scripting and tools.

D5 Outcome: Documentation about the configuration change.

D5 Acceptance Criteria:

  1. The change of configuration has been documented in the knowledge base (Confluence). When the tool is using configuration as code, the appropriate documented pull request in the Git repository must also be raised.
  2. The format should follow the template already in use by NCSC.
  3. The change should be documented at least 24 hours before the change is expected to take place.
  4. For bigger changes, the NCSC change management process must be followed, including the submission of a change request as well as supporting documents

D6. Brainstorm during weekly meetings with the rest of the Cyber Threat Investigation Team how to improve the services delivered by the team.

D6 Outcome: Participation in the meetings

D6 Acceptance Criteria: Participation is reported and tracked in the meeting minutes which need to be prepared before the meeting and updated during the meeting (Confluence). Weekly participation is expected.

D7. Perform supporting activities around malware and digital forensics such as informing relevant stakeholders, liaising with other teams in the NATO enterprise, preparing administrative documents and technical implementation to assist with continuous service improvements.

D7 Outcome: Updated Routine Task (ORT) containing regular updates and the final outcome of the task given.

D7 Acceptance Criteria:

  1. The task tracker is updated regularly, at least once every week, with the latest status
  2. The blocking points are clearly identified
  3. Subtasks are created proactively if required

Rejection Criteria:

The client may reject deliverables if they do not meet the specified acceptance criteria or if they contain critical errors.

A rejected deliverable must be corrected and resubmitted within 1 (one) business day.

Further details:

Each deliverable will be assessed by a supervisor or team member on a scale from 1 to 5 based on the criteria defined above. This score is used for the monthly KPI; an overall score below 80% introduces a financial penalty. Further, the contractor must conduct the following reviews:

A bi-weekly touch point between NCSC Technical Analysis Service Delivery Manager or any other NCSC personnel designated by NCSC.

Structure and formatting of the deliverables:

In addition to their specific acceptance criteria, each deliverable shall meet the following requirements:

Language: the product shall be written in English meeting the NATO STANAG 6001 Level 3 Professional Proficiency.

Intended Audience: the product shall be intended for Cyber Security Professionals, Senior Military personnel and decision makers in the field of Cyber Security and Cyberspace Operations.

Accuracy: the product shall accurately reflect what was done.

Clarity and Conciseness: Information shall be presented clearly and concisely, avoiding unnecessary jargon or complex language.

Objectivity: the content shall be impartial and objective, presenting information without bias or personal interpretation.

Structure: the product shall follow a logical structure, such as a template when available.

Timeliness: the product shall be prepared and distributed promptly after the assignment, ensuring that information is fresh and actionable.

Formatting: Consistent formatting shall be used throughout the document, including font style, size, headings and spacing, as further directed by the Information and Knowledge Management Steering Group.

Confidentiality: Information processed by analysing threat intelligence reports or acquired during threat hunting campaigns shall be handled in accordance with the NATO policy on Information Management.

6. PENALTIES

The penalties defined below will apply to the payment amount based on the performance results measured through R1 - Monthly Service Performance (Annex A).

Each deliverable will be assessed by a supervisor or team member on a scale of 1 to 5 based on the criteria defined above. If the score is below 4/5, a justification is provided by the assessor. This score is used for the monthly KPI reported in R1 (Annex A), which is the sum of all the deliverables' scores divided by the number of deliverables and transformed into a percentage; an overall score below 80% introduces a financial penalty. This score is computed in the sprint review phase detailed in Section 7.

The grades are to be understood as follows:

1 (20%): Unsatisfactory: The deliverable is completely off-target

2 (40%): Lacking: The deliverable doesn't meet 1 or more acceptance criteria

3 (60%): Substandard: The deliverable didn't meet an acceptance criterion or the deadline communicated

4 (80%): Acceptable: The deliverable meets all acceptance criteria; however, some structure and formatting could be improved

5 (100%): Satisfactory: The deliverable perfectly meets the expectations

Overall Satisfaction on Deliverables D01 to D07 as per paragraph 5:

  >80%: 0% Penalty
  60 - 79%: 25% Penalty
  40 - 59%: 50% Penalty
  < 40%: 75% Penalty

Method of Surveillance: The overall satisfaction for the month is reported on the R1 - Monthly Service Performance (Annex A).

7. COORDINATION AND REPORTING

Due to the AGILE approach of this project, there is a need to define a set of specific arrangements between the NCIA and the contractor that specifically defines the deliverables to be provided for each sprint as well as their associated acceptance criteria. This includes sprint planning, execution and review processes, which are detailed below:

Sprint Planning:

Objective: Plan the objectives for the upcoming sprint.

Kick-off meeting: Conduct a bi-weekly (every two weeks) meeting with the contractor to plan the objectives of the upcoming sprint and review the contractor's manpower to meet the agreed deliverables.

Set sprint goals: Define clear, achievable goals for the sprint and associated acceptance criteria, including specific delivery targets, Quality standards as well as Key Performance Indicators (KPIs) for each task, to be recorded in the sprint meeting minutes.

Agree on the required level of effort for the various sprint tasks.

Backlog Review: Review and prioritise the backlog of tasks, issues and improvements from previous sprints.

Assess each payment milestone cycle duration of two sprints. State of completion and validation of each sprint status and sign off sprints to be submitted for payment as covered in Section 4.

Sprint Execution

Objective: Contractor to execute the agreed sprint plans with continuous monitoring and adjustments.

Regular meetings between NCIA and the contractor to review sprint progress, address issues and make necessary adjustments to the processes or production methodology. The meetings will be held physically in the office.

Continuous improvement: Contractor to establish a continuous feedback loop to gather input from all stakeholders for ongoing improvements and their subsequent implementation depending on NCIA approval.

Progress Tracking: Contractor to use a shared dashboard or tool to track the status of the sprint deliveries and any issues.

Quality Assurance/Quality Check: Contractor shall ensure that the quality standards agreed for the sprint deliverables are maintained throughout the sprint.

Quality Control: NCIA to perform the Final Quality Control of the agreed deliverables and provide feedback on any issues.

Sprint Review

Objective: Review the sprint performance and identify areas for improvement.

R1 - Monthly Performance Report (see Annex A) provided at the end of the month in the NCSC tool and using the NCSC-provided template, containing the number of each deliverable provided during the month.

The report will be prefilled by the Contractor's personnel and includes, as supporting documentation, the list of deliverables produced during that month, including references to NCSC tools containing the information.

The report will be completed by NCSC to include the overall score received for the deliverables in that month. It is computed as follows: the sum of the score for each deliverable (from 1 to 5) divided by the number of deliverables and converted into a percentage.

At the end of each sprint, there will be a meeting between the NCI Agency and the Contractor's Personnel to review the outcomes against the acceptance criteria, comprising sprint goals, agreed quality criteria and Key Performance Indicators (KPIs).

Define specific actions to address issues and enhance the next sprint.

Sprint Payment

For each 4 (four) consecutive sprints to be considered as complete and payable, the contractor must report the outcome of their work during the sprint, first verbally during the retrospective sprint review meeting and then in writing within five days after the 4th sprint's end date. A report must be sent by email to the NCI Agency service manager listing all the work achieved against the agreed tasking list set for the sprint.

The contractor's payment for each set of 4 sprints will depend upon the achievement of the agreed Acceptance Criteria for each task defined at the sprint planning stage. This will include specific delivery targets, quality standards as well as Key Performance Indicators (KPIs) for each task.

The payment shall be dependent upon successful acceptance as set in the above planning/review meetings. This will follow the payment milestones that shall include a completed R1 - Monthly Performance Report (Annex A).

Invoices shall be accompanied with a R1 - Monthly Performance Report (Annex A) signed by the Contractor and project authority.

If the contractor fails to meet the agreed Acceptance Criteria for any task, the NCI Agency reserves the right to withhold payment for that task/sprint.

If, due to unavailability of the contractor, a sprint is not delivered or is delivered incomplete by the end of the sprint period, it will be considered as void and no payment will occur.

8. DELIVERABLES MILESTONES AND PAYMENT SCHEDULE

Payment will be done after completion of four (4) consecutive sprints following the acceptance of the sprint report.

The payments shall be dependent upon successful acceptance of the R1 Monthly Performance Report (Annex A).

Invoices shall be accompanied with the R1 - Monthly Performance Report (Annex A) signed by the Contractor's personnel and project authority.

The Purchaser (NCIA) reserves the right to exercise a number of options of one or more sprints based on the same scrum deliverables at a later time, depending on the project priorities and requirements, at the following cost: for base year (2025) at the same cost; for outer years (and 2028) the Price Adjustment Formula will be applied in accordance with paragraph 6.5 of the Framework Contract Special Provisions.

2025 BASE: 1 September 2025 to 31 December 2025

Deliverable: Up to 14 sprints (Number of sprints is calculated considering a starting date 1 September 2025. This will be adjusted based on actual starting date.)

Payment Milestones: Completion of four (4) consecutive sprints will be documented in the R1 - Monthly Performance Report (Annex A), which will be signed for acceptance by the authorized point of contact and the Contractor's personnel.

2026 OPTION: 01 JANUARY 2026 TO 31 DECEMBER 2026

Deliverable: Up to 46 sprints

Cost Ceiling: Price will be determined by applying the price adjustment formula as outlined in CO115786 AAS Special Provisions article 6.5.

Payment Milestones: Completion of four (4) consecutive sprints will be documented in the R1 - Monthly Performance Report (Annex A), which will be signed for acceptance by the authorized point of contact and the Contractor's personnel.

2027 OPTION: 01 JANUARY 2027 TO 31 DECEMBER 2027

Deliverable: Up to 46 sprints

Cost Ceiling: Price will be determined by applying the price adjustment formula as outlined in CO115786 AAS Special Provisions article 6.5.

Payment Milestones: Completion of four (4) consecutive sprints will be documented in the R1 - Monthly Performance Report (Annex A), which will be signed for acceptance by the authorized point of contact and the Contractor's personnel.

2028 OPTION: 01 JANUARY 2028 TO 31 DECEMBER 2028

Deliverable: Up to 46 sprints

Cost Ceiling: Price will be determined by applying the price adjustment formula as outlined in CO115786 AAS Special Provisions article 6.5.

Payment Milestones: Completion of four (4) consecutive sprints will be documented in the R1 - Monthly Performance Report (Annex A), which will be signed for acceptance by the authorized point of contact and the Contractor's personnel.

9. SCHEDULE

The 2025 BASE period of performance starts as soon as possible and no later than 1 September 2025 and will end no later than 31 December 2025.

If the 2026 option is exercised, the period of performance is 1 January 2026 to 31 December 2026.

If the 2027 option is exercised, the period of performance is 1 January 2027 to 31 December 2027.

If the 2028 option is exercised, the period of performance is 1 January 2028 to 31 December 2028.

10. SECURITY AND NON-DISCLOSURE AGREEMENT

Any contracted individuals of the Contractor's personnel must be in possession of a security clearance by their National Authority of NATO COSMIC TOP SECRET or above. The signature of a Non-Disclosure Agreement between any Contractor's personnel contributing to this task and NCIA will be required prior to execution.

11. PRACTICAL ARRANGEMENTS

Services under the current SOW are to be delivered by ONE resource.

The services will be mainly executed on premise in SHAPE, Mons, Belgium.

The services may optionally be executed remotely during part of the duration of the contract given prior written pre-approval from NCSC and only for specific durations.

The services can only be executed from NATO member countries.

NCIA IT equipment will be provided (NCSC NROP laptop and/or NCIA NRAIS laptop will be provided) access to NCSC NSOP workstation.

Daily presence at SHAPE, Mons, Belgium is expected to deliver according to performance goals. Maximum 2 travels per month to other locations in Belgium (NATO HQ in Brussels, NCIA offices in Braine-l'Alleud) for meetings might be requested. No overnight stay required.

All travel costs are included in the quoted price. No additional cost for travel (including accommodation, per diem, travel expenses, etc.) will be claimed separately. All travel arrangements are the responsibility of the Contractor's personnel.

No extra cost can be associated to the presence of any team member at SHAPE, Mons, Belgium.

For the extraordinary travel to other NATO locations, the expenses will be reimbursed in accordance with Article 5.5 of AAS Framework Contract and within the limits of the NCIA Travel Directive. They will be invoiced separately to the purchaser by the service provider in accordance with the terms and conditions of the framework agreement.

These additional travel costs are considered an extra charge to the overall bid price.

The first 5 working days of a new resource (starting at the date the SHAPE ID was obtained) are considered familiarisation and handover/takeover period for which no payment will be made as no deliverable can reasonably be expected during that time.

The provider must communicate the starting date and all onboarding documents at least 3 weeks prior to the starting date to the NCSC point of contact.

It is the responsibility of the provider to inform and make sure each resource can comply with the requirements to obtain a SHAPE ID on their starting day. This includes, among others, the clearance (RFV) and the mandatory registration in a Belgian commune. The list of documents required can be consulted here:

QUALIFICATIONS SKILLS

See Requirements



Requirements

10. SECURITY AND NON-DISCLOSURE AGREEMENT

  • Any contracted individuals of the Contractor's personnel must be in possession of a security clearance by their National Authority of NATO COSMIC TOP SECRET or above.

12. QUALIFICATIONS SKILLS

The Contractor's Personnel must meet the following experience, qualities and qualifications:

  • Experience of at least 2 years in malware analysis techniques and technologies;
  • Experience of at least 2 years in analysis of digital forensic artefacts in the context of cyber security
  • Experience of at least 2 years in cyber security in cloud-based environments
  • Experience of at least 2 years in analysing Windows forensics artefacts such as Windows Event logs, UAL, MFT
  • Experience of at least 2 years in writing scripts (Python, PowerShell) and building automation workflows
  • Experience of at least 2 years in report writing about a technical task and communication with stakeholders
  • Excellent ability to recognise when an IT network/system has been attacked, be able to take immediate action to limit damage and to escalate the event to higher authority;
  • Good knowledge of the principles of computer and communications security, networking and vulnerabilities of modern operating systems and applications;
  • Good understanding of the MITRE ATT&CK framework and its applicability in Cyber;
  • Good knowledge of cyber security incident handling;
  • Knowledge of Azure Sentinel, Microsoft Defender for Endpoint
  • Good knowledge of networking protocols
  • Knowledge of Fidelis EDR is an asset
  • Language proficiency in English meeting or exceeding the NATO STANAG 6001 Level 3 Professional Proficiency.
  • The contractor shall be dressed suitably for meetings with high ranked officials. No religious sign shall be worn during such meetings.
  • The contractor shall actively collaborate during internal meetings and touch-point discussions to improve the quality of services.
  • Strong reporting skills to various levels of seniority
  • Accuracy and attention to detail.
  • Previous experience in working for or supporting a military or governmental organization is an asset.

Employment Type

Contract
