2025-0237 Multi-Factor Authentication Internet Facing Portals (NS) - WED 6 Aug

Deadline Date: Wednesday 6 August 2025

Requirement: Multi-Factor Authentication on Internet Facing Portals

Location: Mons Belgium or Braine LAlleud. Belgium

Full Time On-Site: Yes

Time On-Site: 100%

Period of Performance: 8th September 2025 through 31st December 2025

Required Security Clearance: NATO SECRET

1 INTRODUCTION

1 Business Tasks

Due to the findings in the Type 4 Security Audit NATO technical teams has been tasked with planning and implementing a security standardisation for 2 factor to Multifactor authentication for internet facing web-portals through-out NATO enterprise.

1.1 SCOPE

1) Complement the inventory of external facing web portals based on NATO Web Asset Registry (NWAR) looking at user base (approximate number of users) and type (i.e. NATO entity user NATO nation user 7NNN user non-NATO nation user).

2) Support the identification of the most fit for purpose technology for a strong authentication mechanism to access internet facing NATO Enterprise web portals which can be federated across all NATO Enterprise websites and ideally it will support single sign on and single account access;

3) Provide an implementation plan for Multi-factor Authentication (MFA) roll out across the NATO Enterprise and support the implementation of the technology;

4) Implement the MFA pilot on high value and most targeted portals. This is limited to 5 portals only.

1.1.1 Constraints:

6) The Identification of the most fit for purpose solution is to be validated confirmed and accredited prior to submission.

7) The solution is to align with other ongoing NCIA efforts including but not limited to:

a) IT Modernization

b) NATO Cloud Programs

c) Protected Business Network

d) NATO and NCIA Directives

8) The solution is developed in close coordination with NCSC NCIA and its technical staff. Coordination meetings shall take place in intervals sufficient to ensure information sharing and technical exchange.

9) Due to the criticality and dependencies of follow on project elements the Solution is to be completed and accepted NLT end of November 2025.

1.2 MFA INTERNET FACING PORTALS

1 Complement the inventory of external facing web portals based on NATO Web Asset Registry (NWAR) approx. 139 portals. List has been created and owners already identified.

1) Engage with each portal owner/technical team

2) Assess the current technology of each portal

3) Assess if the portal has implemented any second factor authentication and is compatible with future MFA solution including AWS backwards compatibility.

4) Gather and collate the number of users per web portal.

5) The solution should offer a variety of options to cover multiple user groups such as NATO entity user NATO nation user 7NNN user non-NATO nation user.

6) Report the current usage of MFA.

7) Show the delta of any portals identified in the NWAR that require MFA for future implementation

2 Support the identification of the most fit for purpose technology for a strong authentication mechanism to access internet facing NATO Enterprise web portals which can be federated across all NATO Enterprise portals and ideally it will support single sign on and single account access;

1) Complete a solution document with the Identification and recommendations for MFA across the estate

2) Identify a number of solutions compatible with the current NATO Identity and access management (IAM)

3) Identify details regarding current use of MFA on the 5 Identified portals

4) Identify types of identification methods suitable for the portals

3 Provide an implementation plan for MFA roll out across the NATO Enterprise and support the implementation of the technology;

1) Support in the planning for MFA rollout across the estate

2) Identify the requirements to implement MFA on Amazon Web Services (AWS)

3) Identify if the solution is scalable for the entire NATO enterprise

4) Identify costs to implement the solution for the NATO enterprise including licensing model of proposed solutions

5) Identify risks and mitigation plan for identified risks

4 Implement the MFA pilot on high value and most targeted portals. This is limited to 5 websites only. This is a proof of concept

1) Support the implementation of MFA on the 5 Identified portals.

2) Liaise with site owners to support implementation of MFA on the 5 Identified portal

3) Confirm if the implementation will work with AWS

4) Identify the most fit for purpose solution to the 5 websites and how to implement that solution

5) Support the web developers on the proposed solution.

1.3 SCHEDULE

(1) The base period of performance is 8th September 2025 through 31st December 2025.

(2) All deliverables need to complete by the 31st December 2025

1.4 SECURITY

(1) The duties of the contractor require a valid NATO SECRET (NS) security clearance for the entire duration of the contract.

1.5 PRACTICAL ARRANGEMENTS

(1) This is a deliverables-based contract.

(2) The contractor shall provide services 100% On-site NCIA Headquarters in SHAPE Mons Belgium or Braine LAlleud.

Exceptional off-site activities (in a NATO country) to support service delivery can also be arranged with the line managers coordination and approval.

(3) There may be requirements to travel to other sites within NATO for completing these tasks eg NATO HQ Brussels

(4) The expenses will be reimbursed in accordance with Article 5.5 of AAS Framework Contract and within the limits of the NCIA Travel Directive.

(5) The services under this SOW are expected to be carried by a ONE contractor for the entire performance period.

(6) The service shall be delivered during core working hours (0and 1300 - 1730). Incident resolution activities may be requested during the out of business hours as part of deliverable-based sprints.

(7) The contractor will be required to obtain working permission for provide on-site service in Belgium.

1.6 QUALIFICATIONS

See Requirements

1.7 CONTRACT DELIVERABLES

Deliverable 01: Complete the NWAR

Acceptance Criteria: The contractor shall complete the inventory of internet facing portals list with the following information:

1 Record each portal that has implemented any second factor authentication and is compatible with future MFA solution including AWS backwards compatibility.

2 Record the number of users per web portal.

3 Record multiple user groups types per portal e.g. such as NATO entity user NATO nation user 7NNN user non-NATO nation user.

Deliverable 02: Solutions Document

Acceptance Criteria: The contractor shall write a solutions document based on 1.2 2

4 Draft and Complete a solution document with the Identification and recommendations for MFA across the estate

5 Identify a number of solutions compatible with the current NATO Identity and access management (IAM) and security policies

6 Identify recommendations to deploy MFA

7 Identify tools to use simplify MFA deployment on AWS

8 Identify constraints

Deliverable 03: Implementation Plan

Acceptance Criteria: The contractor shall write a solution document based on 1.2 3

9 Identify the requirements to implement MFA on Amazon Web Services (AWS)

10 Identify is the solution is scalable for the entire NATO enterprise

11 Identify costs to implement the solution for the NATO enterprise

12 Estimate timelines for delivery

13 Identify Risks Mitigations Plans and opportunities to future deployment

Deliverable 04: Implementation

Acceptance Criteria: The Contractor shall support the implementation of MFA on the 5 identified web portals within the approved price proposal. 1.2 4

14 Liaise with site owners to support implementation of MFA on the 5 Identified websites

15 Confirm any current implementation will work with AWS

16 Identify the most fit for purpose solution to the 5 website and how to implement that solution

17 Support the web developers responsible for each portal on the proposed solution

1.8 CONTRACT MILESTONES

Solution Acceptance: The purchasers acceptance of the solution principles

Implementation: The purchasers acceptance of the implementation

1.4 SECURITY

• The duties of the contractor require a valid NATO SECRET (NS) security clearance for the entire duration of the contract.

1.6 QUALIFICATIONS

The following qualifications and expertise are required:

Technical Proficiency Tasks:

1) Identity and Access Management:

• Minimum 5 years of experience with Identity and Access Management;
• Strong knowledge of authentication protocols (SAML OIDC...);
• Sound knowledge of federated identity management and Single Sign On (SSO) solution (Okta Entra ID ...).

2) MFA:

• Proven experience designing and rolling out MFA at scale in an enterprise environment (5K users);
• Experience with certificate-based MFA smart cards Yubikeys passkeys/webauthn TOTP and push-based MFA apps (Microsoft Authenticator Duo ...);
• Understanding of risk-based or adaptive authentication strategies.

3) Web security and secure access architecture:

• Experience in securing web applications and APIs;
• Strong understanding of TLS client certificates reverse proxies and Zero trust principles.
• Experience with SSO integration of web applications.

4) Communication and Interpersonal Skills:

• Excellent verbal and written communication skills.
• Full proficiency in English.
• Ability to communicate technical information to non-technical users in a clear and concise manner.

5) Customer Service Orientation:

• Strong customer service focus with a commitment to user satisfaction.
• Patience and empathy when dealing with user issues and concerns.

6) Organizational Skills:

• Attention to detail in documenting support activities and maintaining accurate records.

7) Team Collaboration:

• Ability to work effectively as part of a team and share knowledge and resources.
• Willingness to collaborate with colleagues to solve complex issues.

8) Others:

• The candidate has strong customer relationship skills including negotiating complex and sensitive situations under pressure.
• The candidate must have the nationality of one of the NATO nations.

Required Experience:

Intern