2024-0311 FMN DSC SME and Architecture Support (NS) - MON 1 Sep

Deadline Date: Monday 1 September 2025

Requirement: Federated Mission Networking (FMN) and Data Centric Security (DSC) Subject Matter Expert (SME) and Architecture Support

Location: The Hague NL

Full Time On-Site: Hybrid. On site at the NCI Agency location in The Hague (NL) specifically for in-person deliverable-based meetings. Remote work is acceptable.

Period of Performance: As soon as possible but no later than 01 October 2025 to 31 December 2025 with the possibility to exercise following options:

2026 option: from 01 JAN 2026 to 31 DEC 2026

2027 option: from 01 JAN 2027 to 31 DEC 2027

2028 option: from 01 JAN 2028 to 31 DEC 2028

Required Security Clearance: NATO SECRET

1. BACKGROUND

The NATO Communications and Information Agency (NCI Agency) is dedicated to acquiring deploying and defending communication systems for NATOs political decision-makers and Commands. It operates on the frontlines against cyber-attacks collaborating closely with governments and industry to prevent future debilitating attacks. The NCI Agency plays a crucial role in maintaining NATOs technological edge and ensuring the collective defence and crisis management capabilities of the Alliance.

In pursuit of our mission we require specialized advisory services to enhance our interim workforce capacity.

The NATO Cyber Security Centre (NCSC) is NATOs first line of cyber defence. NCSC is the centre of technical expertise for cybersecurity within the Alliance by leading the technical collaboration within NATO and with Allied cyber defenders.

2. INTRODUCTION

The NATO Cyber Security Centre (NCSC) is a team of over 200 members working to monitor and protect NATO the NCSCs role to deliver robust security services to the NATO Enterprise and NATO Allied Operations and Missions (AOM) the centre executes a portfolio of programmes and projects around 219 MEUR euros per year in order to uplift and enhance critical cyber security services. The TRANSFORM Branch supports the missions of the NCSC by ensuring the delivery of coherent holistic effective and efficient Cyber Security services across the NATO Enterprise.

3. OBJECTIVES

The main objective of this Statement of Work (SOW) is to secure advisory services that provide expert guidance and support the Multinational CIS Security Management Authority (MCSMA) WG syndicates and chairman.

However in order to achieve the objectives limited support and coordination may also be required with sister FMN working groups including: the Operational Coordination Working Group (OCWG); the Capability Planning Working Group (CPWG) and its syndicates plus the Inter-Working Group (IWG) syndicates; the Coalition Interoperability Assurance and Validation (CIAV) Working Group; the Change and Implementation Coordination Working Group (CICWG) as well as the FMN Secretariat. Additionally assistance in the planning and scoping of upcoming CWIX execution is also required to ensure that experimentation supports developing implementation plans.

This document outlines the services to be provided by the Supplier to NCI Agency Cyber Security Transform Branch for the implementation and management of the ACPV Project.

Moreover it specifies the required skillset and experience.

4. DELIVERABLES

High-Level Description of Deliverables

Support the following working group activities:

Federated Mission Networking (FMN) Capability Planning Working Group (CPWG) Sprints

FMN Multinational CIS Security Management Authority (MCSMA) Security Risk Assessment (SRA) Tiger Team

FMN MCSMA Working Group preparation meeting (with MCSMA WG team leads and secretariat)

FMN CIAV WG to ensure any Data Centric Security (DCS) test requirements are covered in line with developing Implementation Plan

CWIX scoping and planning to ensuring any DCS experimentation that is scoped for CWIX is covered in line with developing Implementation Plan

Participate in and provide input to the DCS Workshops

FMN Support meetings

The Service Provider will deliver the following core activities as per the schedule in the table below under the direction of the Project Managers Head:

5. SERVICE DETAILS

Primarily the tasks shall be conducted via provision of support to the FMN MCSMA WG syndicates and chairman.

However in order to achieve the objectives limited support and coordination may also be required with sister FMN working groups including: the Operational Coordination Working Group (OCWG); the Capability Planning Working Group (CPWG) and its syndicates plus the Inter-Working Group (IWG) syndicates; the Coalition Interoperability Assurance and Validation (CIAV) Working Group; the Change and Implementation Coordination Working Group (CICWG) as well as the FMN Secretariat. Additionally attendance at the ESC and IPC of CWIX is also required.

Client Responsibilities

The Client will:

Provide necessary access to systems and information required for all services

Tools and equipment (laptop) will be provided for remote service provisioning

Designate primary points of contact for escalations and decision-making

Early Definition: Establish criteria at the beginning of work; Refine criteria as needed throughout the development process

Prioritization: Identify must-have criteria vs. nice-to-have features; Align prioritization with project / service goals and constraints

Acceptance Criteria

The services will be deemed accepted when:

All deliverables have been provided as outlined in Section 5

Rejection Criteria:

The client may reject deliverables if they do not meet the specified acceptance criteria or if they contain critical errors.

A rejected deliverable must be corrected and resubmitted within 1 (one) business day.

Further a bi-weekly touch point between NCIA POC and the contractor must be conducted to ensure work is on track

The payment shall be dependent upon successful acceptance as set in the above planning/review meetings. This will follow the payment milestones that shall include a completed Delivery Acceptance Sheet (DAS) (Annex A)

Invoices shall be accompanied with a Delivery Acceptance Sheet (DAS) (Annex A) signed by the Contractor and project authority.

If the contractor fails to meet the agreed Acceptance criteria for any task the NCI Agency reserves the right to withhold payment for that task/sprint.

6. PAYMENT MILESTONES

Term and Timeline

Period of performance for SOW will commence on 01 October 2025 and continue until the 31st of December 2025.

On the first working day in 2025 The NCIA representative will have a Kick Off meeting with the Contractor to perform introductions and review the project plan.

The NCIA team reserves the possibility to exercise the 2026 option based on the same deliverable timeframe and cost at a later time depending on the project priorities requirements and budget approval.

The payments shall be dependent upon successful acceptance of the Delivery Acceptance Sheet (DAS) (Annex A).

Invoices shall be accompanied with a Delivery Acceptance Sheet (Annex B) signed by the Contractor and project authority.

2025: PERIOD OF PERFORMANCE 01 OCTOBER TO 19 DECEMBER 2025

Project Milestones and Deliverables

Deliverable 1: Attend MCSMA WG meeting Prepare agenda draft and approve briefing (min 3) prepare and distribute trip report contribute to defining the programme of work executed between WGs Q3/Q4

Completion Deadline: Q4

Payment: 20%

Invoice Submission: After all deliverables are approved

Deliverable 2: Attend CWIX ESC Q3 and IPC Q4 with view to ensuring any Data Centric Security (DCS) experimentation that is scoped for CWIX26 is covered in line with developing Implementation Plan prepare and distribute trip report feed back to MCSMA and CPWG

Completion Deadline: Q4

Payment: 20%

Invoice Submission: After all deliverables are approved

Deliverable 3: Attend CIAV WG meeting Q4 with view to ensuring any Data Centric Security (DCS) test requirements are covered in line with developing Implementation Plan prepare and distribute trip report feed back to MCSMA and CPWG

Completion Deadline: Q4

Payment: 10%

Invoice Submission: After all deliverables are approved

Deliverable 4: Attend CPWG meeting Q4 contribute to DCS roadmap development and develop syndicate specific CIS security requirements per service

Completion Deadline: Q4

Payment: 10%

Invoice Submission: After all deliverables are approved

Deliverable 5: Support FMN activities: Define procedures and service instructions for CIS security for spiral 6 Q3 Q4 Contribute to any assessments and lessons for DCS resulting from implementation (via FMN Sec and SHAPE J6). To include FMN Syndicate Sprint in early Sept

Completion Deadline: Q4

Payment: 20%

Invoice Submission: Staged quarterly approval of deliverable

Deliverable 6: Provide support and technical expertise for Data Centric Security (DCS) Implementation Plan Q3 Q4

Completion Deadline: Q4

Payment: 20%

Invoice Submission: Staged quarterly approval of deliverable

OPTION 2026/2027/2028: PERIOD OF PERFORMANCE (JANUARY DECEMBER)

Project Milestones and Deliverables

Deliverable 1: Attend MCSMA WG meeting Prepare agenda draft and approve briefing (min 3) prepare and distribute trip report contribute to defining the programme of work executed between WGs

Completion Deadline: Q2 / Q4

Payment: 20%

Invoice Submission: After all deliverables are approved

Deliverable 2: Attend CWIX ESC and IPC with view to ensuring any Data Centric Security (DCS) experimentation that is scoped for CWIX26 is covered in line with developing Implementation Plan prepare and distribute trip report feed back to MCSMA and CPWG

Completion Deadline: Q2 / Q4

Payment: 20%

Invoice Submission: After all deliverables are approved

Deliverable 3: Attend CIAV WG meeting with view to ensuring any Data Centric Security (DCS) test requirements are covered in line with developing Implementation Plan prepare and distribute trip report feed back to MCSMA and CPWG

Completion Deadline: Q2 / Q4

Payment: 10%

Invoice Submission: After all deliverables are approved

Deliverable 4: Attend CPWG meeting contribute to DCS roadmap development and develop syndicate specific CIS security requirements per service

Completion Deadline: Q2 / Q4

Payment: 10%

Invoice Submission: After all deliverables are approved

Deliverable 5: Support FMN activities: Define procedures and service instructions for CIS security for spiral 6 Contribute to any assessments and lessons for DCS resulting from implementation (via FMN Sec and SHAPE J6). To include FMN Syndicate Sprint in early Sept

Completion Deadline: Q2 / Q4

Payment: 20%

Invoice Submission: Staged quarterly approval of deliverable

Deliverable 6: Provide support and technical expertise for Data Centric Security (DCS) Implementation Plan

Completion Deadline: Q2 / Q4

Payment: 20%

Invoice Submission: Staged quarterly approval of deliverable

PAYMENT TERMS

Payments will be made according to the following schedule:

Item 1: MCSMA WG meeting

Value (% of total contract): 20% (x1)

Payment Schedule: After each of the meeting deliverables are approved

Item 2: Attend CWIX meetings

Value (% of total contract): 10% (x2)

Payment Schedule: After each of the meeting deliverables are approved.

Item 3: Attend CIAV meeting

Value (% of total contract): 10% (x1)

Payment Schedule: After each of the meeting deliverables are approved

Item 4: Attend CPWG meeting

Value (% of total contract): 10% (x1)

Payment Schedule: After each of the meeting deliverables are approved

Item 5: Procedures and service instructions for CIS security for spiral 6

Value (% of total contract): 10% (x2)

Payment Schedule: After staged quarterly approval of deliverable is approved

Item 6: Data Centric Security (DCS) Implementation Plan updates

Value (% of total contract): 10% (x2)

Payment Schedule: After staged quarterly approval of deliverable is approved

7. WORK EXECUTION

Due to the nature and classification of the working environment all services and deliverables outlined in this Statement of Work (SOW) will be performed both on site at the NCI Agency location in The Hague (NL) and partially remotely acceptable (average 50% on-site and 50% remotely)

When requested the contractor will be physically present on location to conduct assessments implement solutions and provide ongoing support as required throughout the project.

NCIA IT equipment will be provided (one REACH laptop will be provided). This equipment can be used by one person only and associated to that individual.

8. CLIENT RESPONSIBILITIES

The Client will:

Provide necessary access to systems and information required for all services

Tools and equipment (laptop) will be provided for remote service provisioning. Access to the Agencys tools that are used to execute daily tasks will be provided.

Designate primary points of contact for escalations and decision-making

Early Definition: Establish criteria at the beginning of the project or sprint; Refine criteria as needed throughout the development process

Prioritization: Identify must-have criteria vs. nice-to-have features; Align prioritization with project / service goals and constraints

Consider Edge Cases: Include criteria for handling unexpected inputs or scenarios; Address potential failure modes and error handling

9. COORDINATION AND REPORTING

The Contractor shall deliver services in The Hague / The Netherlands.

The highest level of classification that contractor may need to access is NATO SECRET (NS). As a result of this contractor must hold a valid NATO SECRET Security Clearance.

The contractor shall report to the NCIA Project Manager or designated Point of Contact (POC) assigned by the NCIA Cyber Security Service Line

The Contractor shall participate in monthly status update meetings and other meetings physically in the office or in person via electronic means using Conference Call capabilities according to service delivery managers instructions.

For each sprint to be considered as complete and payable the contractor must report the outcome of his/her work during the sprint first verbally during the retrospective meeting and then in writing within five (5) working days after the sprints end date.

A report in the format of a short email shall be sent to NCIA POC briefly mentioning the work held and the achievements during the sprint.

10. SCHEDULE

This task order will be active immediately after signing of the contract by both parties.

The 2025 BASE period of performance is as soon as possible but not later than 8 September 2025 and will end no later than 31 December 2025.

If theand 2028 options are exercised the period of performance is 01 January until 31 December of that respective year.

11. CONSTRAINTS

Results of the work to be stored on NCIA NATO RESTRICTED SharePoint portal. All the documentation provided under this statement of work will be based on NCIA templates and/or agreed with the NCIA service manager. All support maintenance documentation will be stored under configuration management and/or in the provided NCIA tools. All developed solutions will be property of the NCIA.

12. SECURITY AND NON-DISCLOSURE AGREEMENT

It is mandatory for the Contractor to be in possession of a NATO SECRET security clearance to facilitate follow-on engagements and coordination at NATO venues.

The signature of a Non-Disclosure Agreement between the contractor contributing to this task order and NCIA will be required prior to execution.

13. PRACTICAL ARRANGEMENTS

The contractor will be required to work in a hybrid way both on-site at NCIA The Hague and remotely averagely estimated 50%-50% as part of this engagement.

The NCSC Team is located in The Hague / The Netherlands with working hours will from 08:30 to 17:30 with 1 hour for lunch from Monday to Thursday. On Friday working hours will be from 08:30 to 15:30 with 1 hour for lunch.

The contractor will be required to work following the rules and regulations applicable for the operations of NATO CIS.

The Purchaser will provide the Contractor with the following Purchaser-Furnished Equipment (PFE):

Access to NATO sites as required for the purpose of executing this SOW.

Workspace (needed business IT for both on- and off-site work hot-desk at NCSC facility).

NCIA REACH laptop to be used by the contractor for the execution of the contract.

14. TRAVEL

Travel is required for this contract.

Travel arrangements (including accommodation per diem travel expenses etc.) will be the responsibility of the contractor and the expenses will be reimbursed in accordance with Article 5.5 of AAS Framework Contract and within the limits of the NCIA Travel Directive

An additional PO line will be created with a not to exceed (NTE) value to cover and reimburse of actual expenses upon submission of all receipts and invoices in line with NCIA processes for the right duration and scope of the travel.

15. QUALIFICATIONS

See Requirements

15. QUALIFICATIONS

Services under current SOW are to be delivered by ONE resource that must meet the following experience qualities and qualifications:

• SECURITY CLASSIFICATION: It is mandatory for the Contractor to be in possession of a NATO SECRET security clearance to facilitate follow-on engagements and coordination at NATO venues.
• Language Proficiency: English: Advanced

PAST PERFORMANCE AND QUALIFICATIONS:

• The contracted individual will hold a University degree at a nationally recognized/certified University in a technical subject with substantial Information Technology (IT) content and 5 years post-related experience. The lack of a university/college degree may be compensated by the demonstration of at least 10 years extensive and progressive expertise in the duties related to the function of the SoW.

Required skillset of the proposed contractor is extensive knowledge and experience (more than 5 years) in the following areas:

• Knowledge of military mission command and control (C2) Communications and Information Systems (CIS) mission operating environments and constraints;
• Knowledge of Federated Mission Networking and the Spiral Development process;
• Knowledge in NATO military and civilian structure organizations and agencies;
• Knowledge of ISO/IEC27002 Security Controls risk assessment methodologies and risk management;
• General familiarity with Security Accreditation processes and specifically the NATO Security Accreditation approach;
• Knowledge of Data Centric Security Zero Trust architecture concepts and implications to interoperability requirements;
• Strong diplomacy coordination and persuasion skills; Strong leadership skills; Strong planning skills;
• Strong analytical thinking; Strong reporting and writings skills; Strong presenting skills;
• Accuracy and attention to details;
• The need to take ownership of tasks and wish to accomplish them to the end;
• Self-discipline and ability to work and deliver results with minimal supervision.
• Responsible for complying will all applicable local employment laws in addition to following all NCIA on boarding procedures. Delivery of the service cannot begin until these requirements are fulfilled

The desired skillset:

• Knowledge of NATO networks and specifically deployable aspects;
• Knowledge of enterprise modelling (specifically ArchiMate Enterprise Architecture Modelling Language) and familiarity with the open source Archi tool