Deadline Date: Friday 1 August 2025
Requirement: Cybersecurity Endpoint Engineering Support
Location: Mons BE
Full Time On-Site: Yes
Time On-Site: 100%
Period of Performance: 2025 Base period: As soon as possible but not later than 8 September 2025 to 31 Dec 2025 with possibility to exercise the following options:
2026 Option: 1 January until 31 Dec 2026
2027 Option: 1 January until 31 Dec 2027
2028 Option: 1 January until 31 Dec 2028
Required Security Clearance: NATO SECRET (NATO COSMIC TOP SECRET will be required as of 2026)
1. BACKGROUND
The NATO Communications and Information Agency (NCIA) is dedicated to acquiring, deploying and defending communication systems for NATO's political decision-makers and Commands. It operates on the frontlines against cyber-attacks, collaborating closely with governments and industry to prevent future debilitating attacks. The NCIA plays a crucial role in maintaining NATO's technological edge and ensuring the collective defence and crisis management capabilities of the Alliance. In pursuit of our mission, we require specialized advisory services to enhance our interim workforce capacity.
2. INTRODUCTION
NATO Cyber Security Centre (NCSC) is looking for a contractor to support the work of Enable Branch: to ensure the availability, performance and security of NATO's data centre across multiple sites. Focus will be on setting up software or hardware to make it operational and providing technical expertise in compliance with NATO's operational requirements and security standards.
Currently, endpoint devices are managed through fragmented systems with manual processes, leading to inconsistent updates, inefficiencies and security vulnerabilities across the organization.
3. OBJECTIVE
The aim of this SOW is to support NCSC with technical expertise specifically related to the operation and maintenance of NATO's CYBERSECURITY ENDPOINT ENGINEERING with a deliverable-based (completion-type) contract to be executed in 2025.
The main objective is to secure advisory services that provide expert guidance and support to achieve:
Operational Efficiency: Achieve faster deployment, reduced manual intervention and minimized human error through automation.
Enhanced Security: Strengthened endpoint protection and real-time monitoring to mitigate security risks and ensure compliance with industry standards.
Scalability: A future-ready infrastructure capable of supporting the organization's growth without compromising performance or security.
The desired outcome is that a centralized, automated endpoint management system is in place, offering real-time monitoring, enhanced security and scalability, and ensuring consistency and compliance across all devices.
4. SCOPE OF WORK
Under the direction/guidance of NCIA or delegated staff, the Contractor's Personnel will be responsible for deployment, configuration, management and optimization of endpoint security solutions, with a focus on products such as Trellix Endpoint Security (formerly McAfee).
The contractor will ensure that NATO's endpoints, ranging from workstations and mobile devices to servers, are secure and compliant with cybersecurity policies. The contractor will focus on maintaining a robust defense against threats, monitoring for vulnerabilities and ensuring that endpoint security is effectively integrated into NATO's larger security infrastructure.
The service-based contractor will focus on delivering key technical solutions and providing expertise in the current endpoint security infrastructure.
The contractor's personnel will ensure that robust threat defence measures, encompassing continuous monitoring, vulnerability management and proactive threat remediation to safeguard NATO's endpoints against potential security breaches, are provided to meet NATO's operational requirements and security standards.
Additionally, the service provider will ensure seamless integration of endpoint security into NATO's larger cybersecurity infrastructure, adhering to Service Level Agreements (SLAs) and meeting all contractual obligations.
This work will include the following activities:
Expert guidance on the Deployment and Configuration of Endpoint Security Solutions: ensuring successful deployment, setup and configuration of Trellix Endpoint Security (formerly McAfee) solutions across all NATO workstations, mobile devices and servers. This includes ensuring that all endpoints are integrated with NATO's larger security infrastructure.
Endpoint Management and Optimization: managing and optimizing endpoint security solutions to maintain compliance with NATO's cybersecurity policies. This includes regularly reviewing and improving configurations to meet security and performance standards.
Monitoring and Defence against Cyber Threats: Providing ongoing monitoring of all endpoints to detect vulnerabilities and potential security breaches. Implement real-time defence mechanisms to safeguard against emerging threats and maintain robust security measures.
Vulnerability Management and Threat Remediation: Identifying, monitoring and remediating vulnerabilities across the endpoint landscape. Ensuring that detected vulnerabilities are addressed in a timely manner and documented according to NATO's security protocols.
Service Level Agreement (SLA) Compliance: Ensuring all activities related to endpoint security, including deployments, monitoring and incident response, are performed within the defined Service Level Agreements (SLAs) and contractual obligations.
Compliance with Cybersecurity Policies: Maintaining and enforcing adherence to NATO's cybersecurity policies, ensuring that all endpoints are secure and compliant with organizational security protocols.
Expert technical assessments and audits of the endpoint security infrastructure: identifying areas for improvement and overall operational efficiency, with a focus on aligning with industry best practices and NATO's security and operational requirements.
Inclusion of Multi-Factor Authentication (MFA) and Yubikeys user integration for endpoint access and identity management.
Microsoft Endpoint Configuration Manager (MECM/SCCM) proficiency for patching, deployment and security configuration enforcement.
Reinforcement of automation capabilities in patch management, compliance reporting and scalability planning.
SERVICE DETAILS
High-Level Description of Deliverables
1. Comprehensive System Audit Report
Description: The contractor will provide a detailed assessment report of the current endpoint security infrastructure that will identify key strengths, weaknesses and areas that require improvement or optimization to meet the organization's operational and future scalability requirements.
The report must include:
Analysis of existing inefficiencies.
Specific performance benchmarks.
Actionable recommendations for remediation.
Responsibility: The contractor will be responsible for conducting a thorough evaluation of the existing endpoint security infrastructure, identifying inefficiencies and providing recommendations to improve overall performance, reduce downtime and enhance future scalability.
2. Fully Automated Endpoint Management
Description: Desired outcome - a fully operational automated patch management.
Automation must include:
Patch deployment.
Software updates.
Security configurations across 100% of registered devices.
3. Scalability Enhancement Plan and Implementation
Description: The contractor will support implementing a scalability enhancement plan capable of supporting growth in endpoint devices.
The system must be tested under simulated growth conditions.
4. Optimized Real-Time Monitoring and Incident Response
Description: The contractor will support a fully operational automated patch management system.
Automation must include:
Patch deployment.
Software updates.
Security configurations across 100% of registered devices.
5. Scalability Enhancement Plan and Implementation
Description: The contractor will support providing and implementing a scalability enhancement plan capable of supporting growth in endpoint devices. The system must be tested under simulated growth conditions.
6. Optimized Real-Time Monitoring and Incident Response
Description: The contractor will support delivery of an optimized real-time monitoring dashboard and incident response plan. The system must:
Integrate with existing SIEM.
Provide real-time alerts and enable incident response within 10 minutes.
7. Automated Compliance Reporting System
Description: It is expected to support a fully automated compliance reporting tool throughout the duration of the contract:
Generate weekly and monthly compliance reports aligned with GDPR, ISO 27001.
Flag non-compliant devices within 24 hours.
8. Post-Implementation Support and Continuous Improvement
Description: The contractor must provide support with response times for critical issues within 30 minutes, as per the agreed Service Level Agreement (SLA). Additionally, the contractor must submit monthly performance reports and quarterly system optimization proposals.
The Contractor's Personnel will be reinforcing the existing team and will work using an Agile and iterative software development approach during multiple sprints.
The Contractor's Personnel shall participate in periodic status update meetings, sprint planning, sprint review and other meetings via electronic means using collaborative platforms.
On rare occasions there may be a requirement to attend in-person meetings at NATO offices in Mons, Belgium, as requested by the Project Manager.
Each sprint is planned for a duration of 5 working days. The content and scope of each sprint, i.e. the deliverables, will be agreed in writing during the sprint-planning meeting in coordination with the NCIA and the contractor. Upon completion and validation of each sprint, the completed sprint can be submitted for payment.
Due to the agile approach of this project, there is a need to define a set of specific arrangements between the NCIA and the contractor that specifically defines the deliverables to be provided for each sprint as well as their associated acceptance criteria. This includes sprint planning, execution and review processes, which are detailed below:
Sprint Planning:
Objective: Plan the objectives and deliverables for the upcoming sprint;
At the start of each sprint, a sprint planning meeting will be conducted with the contractor to discuss and plan the objectives and deliverables of the upcoming sprint;
Define clear, achievable objectives for the sprint and associated acceptance criteria, including specific delivery targets and quality standards for each task, to be recorded in the sprint planning meeting minutes.
Agree on the required level of effort for the various sprint tasks.
Backlog Review: Review and prioritize the backlog of tasks, issues and improvements from previous sprints.
Assess and validate the status of completion of the previous sprint and sign off sprints to be submitted for payment.
Sprint Execution:
Objective: Contractor to execute the agreed sprint plans with continuous monitoring and adjustments.
Regular meetings: The contractor shall participate in status update meetings to review sprint progress, to address issues and to make necessary adjustments to the processes or objectives. Those sprint meetings will be via electronic means using Conference Call capabilities. On rare occasions there may be a requirement to attend a physical meeting in the office or in person, as requested by the project manager.
Continuous improvement: The contractor will establish a continuous feedback loop to gather input from all stakeholders for ongoing improvements and their subsequent implementation, depending on NCIA approval.
Progress Tracking: Contractor to track and share the status of the sprint deliveries and any risks / issues.
Quality Assurance / Quality Check: The contractor shall ensure that the quality standards agreed for the sprint deliverables are maintained throughout the sprint.
Quality Control: NCIA will perform the quality control of the agreed deliverables and provide feedback on any issues.
Sprint Review:
Objective: Review the sprint performance and identify areas for improvement.
At the end of each sprint there will be a meeting to review the deliverables and outcomes against the acceptance criteria.
Define specific actions to address issues and enhance the next sprint.
Sprint Payment:
Progress on the above deliverables will be checked and approved on a per sprint basis.
For each sprint to be considered as complete and payable, the contractor must report the outcome of their work during the sprint, first verbally during the sprint review meeting and then in writing within three days after the sprint's end date. The format of this report shall be an email to the NCIA Point of Contact, mentioning briefly the work performed and the development achievements during the sprint against the agreed tasking list set for the sprint.
The payment of each sprint will depend upon the achievement of agreed acceptance criteria for each task defined at the sprint planning stage.
If the contractor fails to meet the agreed acceptance criteria for any task, the NCIA reserves the right to withhold (partial) payment for that sprint.
Invoices shall be accompanied by a Delivery Acceptance Sheet (DAS) signed by the contractor and the project manager and shall follow the payment milestones.
5. DELIVERABLES AND PAYMENT SCHEDULE
The following deliverables are expected from the work on this Statement of Work:
1) Complete the activities/tasks agreed in each sprint meeting as per section 4 above.
2) Produce sprint completion reports (format: e-mail update) which include details of activities performed and the list of the deliverables of the week.
3) The contractor will participate in the daily reporting and planning activities (daily stand-ups) as well as the required participation in workshops, events and conferences related to the supported services, as requested by the service delivery manager.
4) Payment schedule will be according to the payment milestones upon completion of the respective sprint. Upon completion and validation of each sprint and at the end of the monthly milestone following the acceptance of the sprint report.
5) The Purchaser (NCIA) reserves the right to exercise a number of options of one or more sprints based on the same deliverables at a later time, depending on the project priorities and requirements, at the following cost: for base year (2025) at the same cost; for following years (2026-2028) the Price Adjustment Formula will be applied in accordance with paragraph 6.5 of the Framework Contract Special Provisions.
6) The payment shall be dependent upon successful acceptance of the sprint report and the Delivery Acceptance Sheet (DAS) (annex B).
7) Invoices shall be accompanied with a Delivery Acceptance Sheet (annex B) signed by the contractor and the NCIA POC.
2025 BASE: 8 September 2025 to 31 December 2025:
Deliverable: 18 Sprints (Number of sprints is estimated considering a starting date 8 September 2025. This will be adjusted depending on the actual start date.)
Payment Milestones: Payment Schedule will be monthly for the completed and accepted sprints within the month and at the end of the work. Completion of each payment milestone shall be accompanied by a DAS signed for acceptance by the Purchaser's authorized point of contact.
AND 2028 OPTION: 01 JANUARY TO 31 DECEMBER
Deliverable: Up to 46 sprints
Cost Ceiling: Price will be determined by applying the price adjustment formula as outlined in CO115786 AAS Special Provisions article 6.5.
Payment Milestones: Payment Schedule will be monthly for the completed and accepted sprints within the month and at the end of the work. Completion of each payment milestone shall be accompanied by a DAS signed for acceptance by the Purchaser's authorized point of contact.
6. CLIENT RESPONSIBILITIES
The Client will:
Provide necessary access to systems and information required for all services
Tools and equipment (laptop) will be provided for remote service provisioning. Access to the Agency's tools that are used to execute daily tasks will be provided.
Designate primary points of contact for escalations and decision-making
Early Definition: Establish criteria at the beginning of the project or sprint; Refine criteria as needed throughout the development process
Prioritization: Identify must-have criteria vs. nice-to-have features; Align prioritization with project / service goals and constraints
Consider Edge Cases: Include criteria for handling unexpected inputs or scenarios; Address potential failure modes and error handling
7. COORDINATION AND REPORTING
Due to the nature and classification of the working environment, all services and deliverables outlined in this Statement of Work (SOW) will be performed onsite on the client's premises at the NCIA location in S.H.A.P.E., Mons, Belgium. The contractor will be physically present on location to conduct assessments, implement network solutions and provide ongoing support as required throughout the project.
NCIA IT equipment will be provided (one REACH laptop will be provided). This equipment can be used by one person only and is associated to that individual.
The highest level of classification that the contractor may need to access is NATO SECRET (NS).
As a result of this, the contractor must hold a valid NATO SECRET Security Clearance.
The contractor shall report to the NCIA Project Manager or designated Point of Contact (POC) assigned by the NCIA Cyber Security Service Line.
The Contractor shall participate in monthly status update meetings and other meetings physically in the office or in person via electronic means using Conference Call capabilities, according to the service delivery manager's instructions.
For each sprint to be considered as complete and payable, the contractor must report the outcome of his/her work during the sprint, first verbally during the retrospective meeting and then in writing within five (5) working days after the sprint's end date. A report in the format of a short email shall be sent to the NCIA POC, briefly mentioning the work held and the achievements during the sprint.
8. SCHEDULE
This task order will be active immediately after signing of the contract by both parties.
The 2025 BASE period of performance is as soon as possible but not later than 8 September 2025 and will end no later than 31 December 2025.
If the and 2028 options are exercised the period of performance is 01 January until 31 December of that respective year.
9. CONSTRAINTS
Results of the work to be stored on NCIA NATO RESTRICTED SharePoint portal.
All the documentation provided under this statement of work will be based on NCIA templates and/or agreed with the NCIA service manager.
All support maintenance documentation will be stored under configuration management and/or in the provided NCIA tools.
All developed solutions will be property of the NCIA.
10. SECURITY AND NON-DISCLOSURE AGREEMENT
It is mandatory for the Contractor to be in possession of a NATO SECRET security clearance to facilitate follow-on engagements and coordination at NATO venues.
The signature of a Non-Disclosure Agreement between the contractor contributing to this task order and NCIA will be required prior to execution.
11. PRACTICAL ARRANGEMENTS
The contractor will be required to provide services 100% onsite in Mons / BEL as part of this engagement, and standard business hours are to be followed. The NCSC Team is located in Mons / BEL, with working hours from 08:30 to 17:30 with 1 hour for lunch from Monday to Thursday. On Friday, working hours will be from 08:30 to 15:30 with 1 hour for lunch.
The contractor will be required to provide services following the rules and regulations applicable for the operations of NATO CIS.
The Purchaser will provide the Contractor with the following Purchaser-Furnished Equipment (PFE):
Access to NATO sites as required for the purpose of executing this SOW.
Workspace (needed business IT for both on- and off-site work, hot-desk at NCSC facility).
NCIA REACH laptop to be used by the contractor for the execution of the contract.
12. TRAVEL
Regular travel costs to and from the service delivery location (SHAPE) are out of scope and will be borne by the contractor.
Travel costs to other NATO locations are not included in the quoted price as there is no expected travel foreseen.
However, should official travel be required, travel arrangements will be the responsibility of the contractor and the expenses will be reimbursed in accordance with Article 5.5 of the AAS Framework Contract and within the limits of the NCIA Travel Directive.
13. QUALIFICATIONS
Services under the current SOW are to be delivered by ONE resource that must have demonstrated skills, knowledge and experience as listed below:
Past Performance and Qualifications:
To provide a high level of service quality, the contractor supporting the Endpoint Engineering Team has a proven track record of successfully deploying, configuring, managing and optimizing endpoint security solutions, with a focus on products such as Trellix Endpoint Security (formerly McAfee) and endpoint infrastructures, for a variety of organizations across multiple industries. The contractor should provide and prove the following mandatory performance, education and qualifications:
The following performance and qualifications are not mandatory but will be a benefit: