2024-0313 Security System Accreditation Support (NS) - FRI 22 Aug

Job Location: The Hague - Netherlands

Monthly Salary: Not Disclosed

Vacancy: 1 Vacancy

Job Description

Deadline Date: Friday 22 August 2025

Requirement: Security System Accreditation Support

Location: The Hague NL

Full Time On-Site: Partially remotely acceptable (average 50% on-site and 50% remotely)

Period of Performance: 2025 Base period: As soon as possible but not later than 29th September 2025 (tentative) to 31 Dec 2025 with possibility to exercise the following options:

2026 Option: 1 Jan until 31 Dec 2026

2027 Option: 1 Jan until 31 Dec 2027

2028 Option: 1 Jan until 31 Dec 2028

Required Security Clearance: NATO SECRET

1. BACKGROUND

The NCI Agency has been established with a view to meeting the collective requirements of some or all NATO nations in the fields of capability delivery and service provision related to Consultation, Command & Control as well as Communications, Information and Cyber Defence functions, thereby also facilitating the integration of Intelligence, Surveillance, Reconnaissance, Target Acquisition functions and their associated information exchange.

The NATO Cyber Security Centre (NCSC) is a team of over 200 members working to monitor and protect NATO. In the NCSC's role to deliver robust security services to the NATO Enterprise and NATO Allied Operations and Missions (AOM), the centre executes a portfolio of programmes and projects of around 219 MEUR per year in order to uplift and enhance critical cyber security services.

2. PROBLEM STATEMENT

The Cyber Security TRANSFORM Branch, in charge of managing a large scale of projects in its daily operations, is facing a heavy workload and a lack of personnel. This situation is impacting all the Cyber Security services and numerous other projects.

3. OBJECTIVES

The main objective of the statement of work is to support the NATO Cyber Security Centre (NCSC) with technical expertise specifically related to security accreditation and risk mitigation of a few large NATO Communication and Information Systems (CIS), in order to successfully execute the work undertaken by the NCSC in the area of CIS security, cyber defence and security accreditation within NATO or equivalent, with a deliverable-based (completion-type) contract to be executed in 2025.

4. SCOPE OF WORK

This document outlines the services to be provided by the Contractor's Personnel to NCIA Cyber Security Transform Branch and specifies the required skillset and experience in order to achieve the above objective.

Under the direction/guidance of NCIA or delegated staff, and in cooperation with NATO Infrastructure Services Centre (NISC) and the Accreditation Support Office (ASO), the contractor is tasked to develop a set of documentation for security accreditation of:

- NATO General Communication System (NGCS) and its subsystems

- NATO-Wide Studio Video Teleconferencing (NWSVTC) and

- NATO Secure Voice Services (NSVoS).

The main purpose of the requested accreditation document set (ADS) will be documentation of compliance with relevant NATO security directives.

The service-based contractor will focus on providing the standard ADS consisting of:

- CIS description;

- Security Accreditation Plan (SAP);

- Security Risk Assessment (SRA);

- System-specific Security Requirement Statement (SSRS);

- Security Operating Procedures (SecOPs);

- Security Test and Verification Plan (STVP).

The ADS will be subject to approval by NATO Security Accreditation Authorities (SAAs) (this approval is not in scope of the incumbent's activities).

This work will include the following activities:

Input to all the documents: the contractor will perform the following functions in order to prepare and produce the required deliverables:

1. Gain familiarity with the relevant NATO security directives as indicated by the NCSC PoC. There will be two directives, specifically 170 pages in total.

2. Gain familiarity with previous versions of the description of NATO General Communication System (NGCS), NATO Wide Studio VideoTeleConferencing (NWSVTC) and NATO Secure Voice Services (NSVoS) (7 documents, ca. 250 pages in total);

3. Gain familiarity with provided examples of Security Requirement Statements and Security Test and Verification Plans; see example of sample template (unpopulated) in Enclosure 2; and

4. Engage with NCSC ASO NISC and NDWC SMEs (through a variety of workshops or meetings) to ensure that implementation of requirements from relevant NATO security directives by NGCS, NWSVTC and NSVoS are adequately addressed in the requested ADS (SRA, SSRSs, SecOPs and STVPs).

SERVICE DETAILS

It shall be noted that ADS development is a team-work activity. The contractor must work in close cooperation with other departments within NCIA: NISC, NDWC and ASO.

The Contractor is expected to deliver the core activities presented in the table below under the direction of the Head Accreditation Support Office:

Activity A1: Kick Off Meeting followed by weekly touch point.

A Kick Off meeting between NCIA and the Service Provider / incumbent to perform introductions and review the project plan (Work Breakdown Structure).

A weekly touch point between NCIA POCs and incumbent to ensure work is on track (15 min Skype call via REACH).

Activity A2: Contribution to Security Requirement Statements (SRS) for NGCS and its subsystems: 3 documents

Activity A3: Contribution to Security Risk Assessment for NGCS and its subsystems: 2 documents & input of data (status of implementation of security measures) to NATO PILAR tool.

Activity A4: Contribution to System-specific Security Requirement Statements (SSRS) for NWSVTC and NSVoS: 2 documents

Activity A5: Contribution to Security Risk Assessments: 2 documents & input of data (status of implementation of security measures) to NATO PILAR tool.

Activity A6: Contribution to SecOPs for NWSVTC and NSVoS: 2 documents

Activity A7: Contribution to Security Test and Verification Plan (STVP) for NWSVTC and NSVoS: 2 documents

Activity A8: Development of Security Test and Verification Report templates for NWSVTC and NSVoS: 2 documents (in MS Excel)

All documents mentioned in D2 D8 have to be developed in 2 stages:

Stage 1: Mature draft document suitable for review by NATO CIS Security Accreditation Board (NSAB). Acceptance by ASO SME;

Stage 2: Final version document after NSAB review comments addressed by the contractor and accepted by the NSAB.

Note: Standard NSAB workflow for document review takes 3 months.

Mature draft documents for NGCS shall be delivered first before starting work on documentation for NWSVTC and NSVoS.

Desired outcome is summarized in the table below.

A2, A4 (SRSs): Input to the Security Requirements Statements (SRSs) which include:

- evaluating the implementation of the security requirements as per the relevant NATO security directives;

- identification of gaps between the relevant NATO security and reality and documenting them;

The SSRS shall be developed in close coordination with the security accreditation support and the technical stakeholders.

Acceptance criteria:

For the Mature Draft: documents follow template provided by ASO; maturity of all relevant security measures assessed and described in SSRS.

For the Final version: formal approval by the NSAB.

A3, A5 (SRAs): Input to NATO PILAR tool and SRA reports which include:

- evaluating the implementation of the security requirements as per the NATO security policies and directives;

- advise on mitigation and remediation recommendations for those security requirements partially implemented (or not implemented) and document these in the SRA Report.

The above mentioned deliverables shall be developed in close coordination with the security accreditation support and the technical stakeholders.

Acceptance criteria:

For the Mature Draft: documents follow template provided by ASO; maturity of all relevant security measures assessed and added to NATO PILAR tool; Mitigation proposed to reduce security risks to medium level (in PILAR) or lower.

For the Final version: formal approval by the NSAB.

A6 (SecOPs): Input to Security Operating Procedures (SecOPs)

SecOPs shall address procedural security requirements from the relevant SSRS and SRA recommendations. SecOPs to be divided in SecOPs for end-users of CIS and SecOPs for administrators.

SecOPs shall be developed in close coordination with the ASO SMEs, CIS Security Officers and the technical stakeholders.

Acceptance criteria:

For the Mature Draft: documents follow example provided by ASO; All relevant procedural security measures from SSRS addressed.

For the Final version: formal approval by the NSAB.

A7 (STVPs): Input to STVP

Each test procedure included in the STVP shall verify implementation of at least one applicable security requirement from the CIS-specific SSRS.

The STVP shall cover all applicable security requirements from the CIS-specific SSRS.

The STVP shall be developed in close coordination with the ASO SMEs, CIS Security Officers and the technical stakeholders.

Acceptance criteria:

For the Mature Draft: documents follow template provided by ASO; Test procedure prepared for all relevant security measures from SSRS; Acceptance by relevant CISSO;

For the Final version: formal approval by the NSAB.

A8 (STVR templates):

The CIS-specific STVR template shall:

- list all tests included in STVPs applicable to the particular type of CIS node;

- provide a summary page;

- follow the example provided by ASO SME.

Acceptance criteria:

For the Mature Draft: documents follow template provided by ASO; Test procedure prepared for all relevant security measures from SSRS; Acceptance by ASO;

For the Final version: STVR template is aligned with final version of STVP; Acceptance by ASO.

Further, the contractor must conduct the following reviews:

A bi-weekly touch point between NCIA POC and the contractor's PM to ensure work is on track and any ongoing Customer Furnished Information (CFI) is provided to the contractor.

Draft versions of SSRSs/SecOPs/STVPs/STVR templates review, where the contractor presents the draft documents to the customer with the opportunity for the customer to provide feedback and implement uplifts.

A final documents review (after NSAB review) where the contractor presents and delivers the final report to the customer.

The Contractor's Personnel will be reinforcing the existing team and will work using an Agile and iterative approach during multiple sprints.

The Contractor's Personnel shall participate in periodic status update meetings, sprint planning, sprint review and other meetings via electronic means using collaborative platforms. On rare occasions there may be a requirement to attend in-person meetings at NATO offices in Mons, Belgium, as requested by the Project Manager.

Each sprint is planned for a duration of 5 days. The content and scope of each sprint, i.e. the deliverables, will be agreed during the sprint-planning meeting in coordination with the NCIA and the contractor. Upon completion and validation of each sprint, the completed sprint can be submitted for payment.

Due to the agile approach of this project, there is a need to define a set of specific arrangements between the NCIA and the contractor that specifically defines the deliverables to be provided for each sprint as well as their associated acceptance criteria. This includes sprint planning, execution and review processes, which are detailed below:

Sprint Planning:

Objective: Plan the objectives and deliverables for the upcoming sprint;

At the start of each sprint a sprint planning meeting will be conducted with the contractor to discuss and plan the objectives and deliverables of the upcoming sprint;

Define clear achievable objectives for the sprint and associated acceptance criteria including specific delivery targets and quality standards for each task to be recorded in the sprint planning meeting minutes.

Agree on the required level of effort for the various sprint tasks.

Backlog Review: Review and prioritize the backlog of tasks, issues and improvements from previous sprints.

Assess and validate the status of completion of the previous sprint and sign off sprints to be submitted for payment.

Sprint Execution:

Objective: Contractor to execute the agreed sprint plans with continuous monitoring and adjustments.

Regular meetings: The contractor shall participate in status update meetings to review sprint progress to address issues and to make necessary adjustments to the processes or objectives. Those sprint meetings will be via electronic means using Conference Call capabilities. On rare occasions there may be a requirement to attend a physical meeting in the office or in person as requested by the project manager.

Continuous improvement: The contractor will establish a continuous feedback loop to gather input from all stakeholders for ongoing improvements and their subsequent implementation depending on NCIA approval.

Progress Tracking: Contractor to track and share the status of the sprint deliveries and any risks / issues.

Quality Assurance / Quality Check: The contractor shall ensure that the quality standards agreed for the sprint deliverables are maintained throughout the sprint.

Quality Control: NCIA will perform the quality control of the agreed deliverables and provide feedback on any issues.

Sprint Review:

Objective: Review the sprint performance and identify areas for improvement.

At the end of each sprint there will be a meeting to review the deliverables and outcomes against the acceptance criteria.

Define specific actions to address issues and enhance the next sprint.

Sprint Payment:

Progress on the above deliverables will be checked and approved on a per sprint basis.

For each sprint to be considered as complete and payable, the contractor must report the outcome of their work during the sprint, first verbally during the sprint review meeting and then in writing within three days after the sprint's end date. The format of this report shall be an email to the NCIA Point of Contact mentioning briefly the work performed and the development achievements during the sprint against the agreed tasking list set for the sprint.

The payment of each sprint will depend upon the achievement of agreed acceptance criteria for each task defined at the sprint planning stage.

If the contractor fails to meet the agreed acceptance criteria for any task the NCIA reserves the right to withhold (partial) payment for that sprint.

Invoices shall be accompanied by a Delivery Acceptance Sheet (DAS) signed by the contractor and the project manager and shall follow the payment milestones.

5. DELIVERABLES AND PAYMENT SCHEDULE

The following deliverables are expected from the work on this Statement of Work:

1) Complete the activities/tasks agreed in each sprint meeting as per section 4 above.

2) Produce sprint completion reports (format: e-mail update) which include details of activities performed and the list of the deliverables of the week.

3) The contractor will participate in the daily reporting and planning activities (daily stand-ups) as well as the required participation in workshops, events and conferences related to the supported services as requested by the service delivery manager.

4) Payment schedule will be according to the payment milestones upon completion of the respective sprint. Upon completion and validation of each sprint and at the end of the monthly milestone following the acceptance of the sprint report.

5) The Purchaser (NCIA) reserves the right to exercise a number of options of one or more sprints based on the same deliverables at a later time, depending on the project priorities and requirements, at the following cost: for base year (2025) at the same cost; for following years (2026-2028) the Price Adjustment Formula will be applied in accordance with paragraph 6.5 of the Framework Contract Special Provisions.

6) The payment shall be dependent upon successful acceptance of the sprint report and the Delivery Acceptance Sheet (DAS) (annex B).

7) Invoices shall be accompanied with a Delivery Acceptance Sheet (annex B) signed by the contractor and the NCIA POC.

2025 BASE: 29 September 2025 (tentative) to 31 December 2025:

Deliverable: 18 sprints (Number of sprints is estimated and will be adjusted based on actual starting date.)

Payment Milestones: Payment Schedule will be monthly for the completed and accepted sprints within the month and at the end of the work. Completion of each payment milestone shall be accompanied by a DAS signed for acceptance by the Purchaser's authorized point of contact.

2026, 2027 and 2028 OPTIONS: 01 JANUARY TO 31 DECEMBER of the calendar year

Deliverable: Up to 46 sprints

Cost Ceiling: Price will be determined by applying the price adjustment formula as outlined in CO115786 AAS Special Provisions article 6.5.

Payment Milestones: Payment Schedule will be monthly for the completed and accepted sprints within the month and at the end of the work. Completion of each payment milestone shall be accompanied by a DAS signed for acceptance by the Purchaser's authorized point of contact.

6. WORK EXECUTION

Due to the nature and classification of the working environment, all services and deliverables outlined in this Statement of Work (SOW) will be performed both on site at the NCI Agency location in The Hague (NL) and partially remotely (average 50% on-site and 50% remotely).

When requested, the contractor will be physically present on location to conduct assessments, implement solutions and provide ongoing support as required throughout the project.

NCIA IT equipment will be provided (one REACH laptop will be provided). This equipment can be used by one person only and associated to that individual.

7. CLIENT RESPONSIBILITIES

The Client will:

Provide necessary access to systems and information required for all services

Tools and equipment (laptop) will be provided for remote service provisioning. Access to the Agency's tools that are used to execute daily tasks will be provided.

Designate primary points of contact for escalations and decision-making

Early Definition: Establish criteria at the beginning of the project or sprint; Refine criteria as needed throughout the development process

Prioritization: Identify must-have criteria vs. nice-to-have features; Align prioritization with project / service goals and constraints

Consider Edge Cases: Include criteria for handling unexpected inputs or scenarios; Address potential failure modes and error handling

8. COORDINATION AND REPORTING

The Contractor shall deliver services in The Hague / The Netherlands.

The highest level of classification that the contractor may need to access is NATO SECRET (NS). As a result, the contractor must hold a valid NATO SECRET Security Clearance.

The contractor shall report to the NCIA Project Manager or designated Point of Contact (POC) assigned by the NCIA Cyber Security Service Line.

The Contractor shall participate in monthly status update meetings and other meetings physically in the office or in person via electronic means using Conference Call capabilities according to the service delivery manager's instructions.

For each sprint to be considered as complete and payable, the contractor must report the outcome of his/her work during the sprint, first verbally during the retrospective meeting and then in writing within five (5) working days after the sprint's end date.

A report in the format of a short email shall be sent to NCIA POC briefly mentioning the work held and the achievements during the sprint.

9. SCHEDULE

This task order will be active immediately after signing of the contract by both parties.

The 2025 BASE period of performance is as soon as possible but not later than 29th September 2025 and will end no later than 31 December 2025.

If the 2026, 2027 or 2028 options are exercised, the period of performance is 01 January until 31 December of that respective year.

10. CONSTRAINTS

Results of the work to be stored on NCIA NATO RESTRICTED SharePoint portal.

All the documentation provided under this statement of work will be based on NCIA templates and/or agreed with the NCIA service manager.

All support maintenance documentation will be stored under configuration management and/or in the provided NCIA tools.

All developed solutions will be property of the NCIA.

11. SECURITY AND NON-DISCLOSURE AGREEMENT

It is mandatory for the Contractor to be in possession of a NATO SECRET security clearance to facilitate follow-on engagements and coordination at NATO venues.

The signature of a Non-Disclosure Agreement between the contractor contributing to this task order and NCIA will be required prior to execution.

12. PRACTICAL ARRANGEMENTS

The contractor will be required to provide services in a hybrid way, both on-site at NCIA The Hague and remotely (estimated average 50%-50%), as part of this engagement.

The NCSC Team is located in The Hague / The Netherlands, with working hours from 08:30 to 17:30 with 1 hour for lunch from Monday to Thursday. On Friday working hours will be from 08:30 to 15:30 with 1 hour for lunch.

The contractor will be required to provide services following the rules and regulations applicable for the operations of NATO CIS.

The Purchaser will provide the Contractor with the following Purchaser-Furnished Equipment (PFE):

Access to NATO sites as required for the purpose of executing this SOW.

Workspace (needed business IT for both on- and off-site work, hot-desk at NCSC facility).

NCIA REACH laptop to be used by the contractor for the execution of the contract.

13. TRAVEL

Regular travel costs to and from the service delivery location (NCIA The Hague) are out of scope and will be borne by the contractor.

Travel costs to other NATO locations are not included in the quoted price as there is no expected travel foreseen.

However, should travel be required, travel arrangements will be the responsibility of the contractor and the expenses will be reimbursed in accordance with Article 5.5 of the AAS Framework Contract and within the limits of the NCIA Travel Directive.

14. QUALIFICATIONS


Services under the current SOW are to be delivered by ONE resource that must have demonstrated skills, knowledge and experience as listed below:

  • It is mandatory for the Contractor to be in possession of a NATO SECRET security clearance to facilitate follow-on engagements and coordination at NATO venues.
  • Language Proficiency: English

Past Performance and Qualifications:

Required skillset of the proposed contractor is extensive knowledge and experience (more than 5 years) in the following areas:

  • General wide breadth knowledge of cyber security principles, best practices, concepts and technology;
  • Solid knowledge of cyber security including boundary protection, encryption, identity and access management, monitoring and detection, incident response, vulnerability assessments and risk management;
  • Familiarity with system accreditation and deployment of CIS;
  • Knowledge and experience in testing and validating that contracted deliveries meet the security requirements and fulfil the intended use-cases;
  • Familiarity with NATO security policy and supporting directives is desirable;
  • Familiarity with PILAR (tool for security risk assessment) is desirable;
  • Familiarity with NGCS and its subsystems is desirable;
  • Familiarity with NWSVTC and NSVoS is desirable;
  • Ability to work independently and in teams to achieve the desired goals.
  • The ability to take ownership of tasks and strong motivation to accomplish them to the end.
  • Excellent communications and writing skills in English.
  • Responsible for complying with all applicable local employment laws in addition to following all NCIA onboarding procedures. Delivery of the service cannot begin until these requirements are fulfilled.

Employment Type

Contract
