2025-0189 CVA DCIS Tool Management Support (CTS) - TUE 2 Sep

Employer Active

1 Vacancy
Job Location: Mons - Belgium

Monthly Salary: Not Disclosed

Job Description

Description

Deadline Date: Tuesday 2 September 2025

Requirement: Continuous Vulnerability Assessment (CVA) Deployable Communication System (DCIS) Tool Management Support

Location: Mons BE

Full Time On-Site: Yes

Time On-Site: 100%

Period of Performance: 2025 Base period: As soon as possible but not later than 13 October 2025 to 31 Dec 2025 with possibility to exercise the following options:

2026 Option: 1 January until 31 December 2026

2027 Option: 1 January until 31 December 2027

2028 Option: 1 January until 31 December 2028

Required Security Clearance: NATO COSMIC TOP SECRET

1. BACKGROUND

The NATO Communications and Information Agency (NCIA) is dedicated to acquiring, deploying and defending communication systems for NATO's political decision-makers and Commands. It operates on the frontlines against cyber-attacks, collaborating closely with governments and industry to prevent future debilitating attacks. The NCIA plays a crucial role in maintaining NATO's technological edge and ensuring the collective defence and crisis management capabilities of the pursuit of our mission we require specialized advisory services to enhance our interim workforce capacity.

2. INTRODUCTION

The NCIA has been established with a view to meeting the collective requirements of some or all NATO nations in the fields of capability delivery and service provision related to Consultation, Command & Control as well as Communications, Information and Cyber Defence functions, thereby also facilitating the integration of Intelligence, Surveillance, Reconnaissance, Target Acquisition functions and their associated information exchange.

The NATO Cyber Security Centre (NCSC) is a team of over 200 members working to monitor and protect NATO networks. NCSC's role is to deliver robust security services to the NATO Enterprise and NATO Allied Operations and Missions (AOM).

In order to execute this Service, NCIA is seeking additional support through contracted resources (or consulting) to support the service undertaken by the NATO Cyber Security Centre (NCSC) in the area of Communications and Information System (CIS) security, cyber defence and cyberspace operations. To support NCSC for the execution of tasks identified in the subject work package of the project, the NCIA is looking for subject matter expertise in the delivery of complex foundational and novel Cybersecurity capability.

This contract is to provide consistent support on a deliverable-based (completion-type) contract to NCSC contributing to its mission based on the deliverables that are described in the scope of work below.

3. OBJECTIVE

The objective of this statement of work (SoW) is to outsource the relevant Continuous Vulnerability Assessment (CVA) Deployable Communication System (DCIS) Tool Management function to support the NCSC which is responsible to defend NATO networks on a 24/7 basis and to share relevant cyber information with all its stakeholders.

To achieve these objectives it requires a significant amount of coordination and decision making within and outside the boundaries of NCSC.

This Statement of Work (SoW) defines the expectations for this support to materialize.

4. SCOPE OF WORK

The aim of this SOW is to support NCSC with technical expertise specifically related to the operation and maintenance of Cyber Security Continuous Vulnerability Assessment (CVA) Deployable Communication System (DCIS) Tool Management Operation and maintenance activities with a deliverable-based contract to be executed in 2025.

This task includes data analysis and reporting of data reported by the Cyber Security Continuous Vulnerability Assessment (CVA) Deployable Communication System (DCIS) Tool Management. For the provision of consistent support and the execution of the task, NCIA will get subject matter expertise from the industry with a service (deliverable based/completion type) based AAS framework contract in the delivery of requested capability.

The Cyber Security Continuous Vulnerability Assessment (CVA) Deployable Communication System (DCIS) Tool Management gives visibility and insight on the networks in NATO environment, which in turn is critical to effective management, strong security and compliance, and efficient migrations and consolidations.

More broadly NATO needs to be able to monitor the configuration of its domain controllers in order to prevent exploitation by malicious threat actors.

Under the direction / guidance of the NCSC Point of Contact a contractor will be the part of the NCSC Team supporting the following activities. This service will include the following activities:

Activity A1: Under the direction of the NCSC Operational Tooling Management Section Head, the contractor shall deliver the following:

Daily: Verify that the Continuous Vulnerability scans are configured correctly and that information collected is accurate & complete.

Daily: Identify possible scan gaps and authentication failures, and engage with the relevant service provider to remove those gaps and eliminate reasons for authentication failure.

Daily: Review existing scan policies, fine-tune and improve them at the same time.

Activity A2:

Weekly: Upon completion of scheduled scans, deliver a comprehensive vulnerability report to each stakeholder under your area of responsibility, taking into account all vulnerabilities posing a security risk, remediation actions recommended to the system/application owners, and the status of the recommended actions. The weekly report is expected to be delivered each Wednesday/Thursday before Close of Business.

No weekly report is due if that week does not include any working day (for instance: long official holidays such as Christmas break).

Activity A3:

Monthly: deliver vulnerability report to stakeholders with an overview of the critical/high vulnerabilities identified and the status of the recommended actions, to show in a graphic way the trend of the security posture of CIS assets. The monthly report is expected to be delivered in the week of Microsoft Patch Tuesday (second Tuesday of the month).

Each deliverable shall meet the following requirements in order to be accepted:

Language: the product shall be written in English meeting or exceeding the NATO STANAG 6001 Level 3 Professional Proficiency.

Intended Audience: the product shall be intended for Cyber Security Professionals, Senior Military personnel and decision makers in the field of Cyber Security and Cyberspace Operations.

Accuracy: the product shall accurately reflect what was discussed, decided and action items assigned during the meeting.

Clarity and Conciseness: Information shall be presented clearly and concisely avoiding unnecessary jargon or complex language.

Objectivity: the content shall be impartial and objective presenting information without bias or personal interpretation.

Structure: the product shall follow a logical structure, typically including sections such as agenda, attendees, discussions, decisions, action items and any other relevant information further directed by the IKM SG.

Timeliness: the product shall be prepared and distributed promptly after the meeting ensuring that information is fresh and actionable. It is expected a maximum of two times the length of the meeting for the time required to prepare and share the product to the meeting audience for initial review.

Formatting: Consistent formatting shall be used throughout the document, including font style, size, headings and spacing, further directed by the IKM SG.

Confidentiality: Sensitive information discussed prior, during and after meetings shall be handled in accordance with the NATO policy on Information Management.

The Contractor's Personnel will be reinforcing the existing team and will provide the service using an Agile and iterative software development approach during multiple sprints.

The Contractor's Personnel shall participate in periodic status update meetings, sprint planning, sprint review and other meetings via electronic means using collaborative platforms. On rare occasions there may be a requirement to attend in-person meetings at NATO offices in Mons, Belgium as requested by the Project Manager.

Each sprint is planned for a duration of 1 week. The content and scope of each sprint, i.e. the deliverables, will be agreed during the sprint-planning meeting in coordination with the NCIA and the contractor. Upon completion and validation of each sprint, the completed sprint can be submitted for payment.

Due to the agile approach of this project, there is a need to define a set of specific arrangements between the NCIA and the contractor that specifically defines the deliverables to be provided for each sprint as well as their associated acceptance criteria. This includes sprint planning, execution and review processes, which are detailed below:

Sprint Planning:

Objective: Plan the objectives and deliverables for the upcoming sprint;

At the start of each sprint a sprint planning meeting will be conducted with the contractor to discuss and plan the objectives and deliverables of the upcoming sprint;

Define clear achievable objectives for the sprint and associated acceptance criteria including specific delivery targets and quality standards for each task to be recorded in the sprint planning meeting minutes.

Agree on the required level of effort for the various sprint tasks.

Backlog Review: Review and prioritize the backlog of tasks, issues and improvements from previous sprints.

Assess and validate the status of completion of the previous sprint and sign off sprints to be submitted for payment.

Sprint Execution:

Objective: Contractor to execute the agreed sprint plans with continuous monitoring and adjustments.

Regular meetings: The contractor shall participate in status update meetings to review sprint progress to address issues and to make necessary adjustments to the processes or objectives. Those sprint meetings will be via electronic means using Conference Call capabilities. On rare occasions there may be a requirement to attend a physical meeting in the office or in person as requested by the project manager.

Continuous improvement: The contractor will establish a continuous feedback loop to gather input from all stakeholders for ongoing improvements and their subsequent implementation depending on NCIA approval.

Progress Tracking: Contractor to track and share the status of the sprint deliveries and any risks / issues.

Quality Assurance / Quality Check: The contractor shall ensure that the quality standards agreed for the sprint deliverables are maintained throughout the sprint.

Quality Control: NCIA will perform the quality control of the agreed deliverables and provide feedback on any issues.

Sprint Review:

Objective: Review the sprint performance and identify areas for improvement.

At the end of each sprint there will be a meeting to review the deliverables and outcomes against the acceptance criteria.

Define specific actions to address issues and enhance the next sprint.

Sprint Payment:

Progress on the above deliverables will be checked and approved on a per sprint basis.

For each sprint to be considered as complete and payable, the contractor must report the outcome of their service during the sprint, first verbally during the sprint review meeting and then in writing within three days after the sprint's end date. The format of this report shall be an email to the NCIA Point of Contact mentioning briefly the service performed and the development achievements during the sprint against the agreed tasking list set for the sprint.

The payment of each sprint will be depending upon the achievement of agreed acceptance criteria for each task defined at the sprint planning stage.

If the contractor fails to meet the agreed acceptance criteria for any task the NCIA reserves the right to withhold (partial) payment for that sprint.

Invoices shall be accompanied by a Delivery Acceptance Sheet (DAS) signed by the contractor and the project manager and shall follow the payment milestones.

5. DELIVERABLES AND PAYMENT SCHEDULE

The following deliverables are expected from the service on this Statement of Work:

1) Complete the activities/tasks agreed in each sprint meeting as per section 4 above.

2) Produce sprint completion reports (format: e-mail update) which include details of activities performed and the list of the deliverables of the week.

3) The contractor will participate in the daily reporting and planning activities (daily stand-ups) as well as the required participation in workshops, events and conferences related to the supported services as requested by the service delivery manager.

4) Payment schedule will be according to the payment milestones upon completion of the respective sprint. Upon completion and validation of each sprint and at the end of the monthly milestone following the acceptance of the sprint report.

5) The Purchaser (NCIA) reserves the right to exercise a number of options of one or more sprints based on the same deliverables at a later time, depending on the project priorities and requirements, at the following cost: for base year (2025) at the same cost; for following years (2026-2028) the Price Adjustment Formula will be applied in accordance with paragraph 6.5 of the Framework Contract Special Provisions.

6) The payment shall be dependent upon successful acceptance of the sprint report and the Delivery Acceptance Sheet (DAS) (annex B).

7) Invoices shall be accompanied with a Delivery Acceptance Sheet (DAS) (annex B) signed by the contractor and the NCIA POC.

2025 BASE: 13 October 2025 to 31 December 2025:

Deliverable: 11 sprints (Number of sprints is estimated and will be adjusted based on actual starting date.)

Payment Milestones: Payment Schedule will be monthly for the completed and accepted sprints within the month and at the end of the service. Completion of each payment milestone shall be accompanied by a DAS signed for acceptance by the Purchaser's authorized point of contact.

AND 2028 OPTIONS: 01 JANUARY TO 31 DECEMBER

Deliverable: Up to 46 sprints

Cost Ceiling: Price will be determined by applying the price adjustment formula as outlined in CO115786 AAS Special Provisions article 6.5.

Payment Milestones: Payment Schedule will be monthly for the completed and accepted sprints within the month and at the end of the service. Completion of each payment milestone shall be accompanied by a DAS signed for acceptance by the Purchaser's authorized point of contact.

6. CLIENT RESPONSIBILITIES

The Client will:

6.1. Provide necessary access to systems and information required for all services

6.2. Tools and equipment (laptop) will be provided for remote service provisioning. Access to the Agency's tools that are used to execute daily tasks will be provided.

6.3. Designate primary points of contact for escalations and decision-making

6.4. Early Definition: Establish criteria at the beginning of the project or sprint; Refine criteria as needed throughout the development process

6.5. Prioritization: Identify must-have criteria vs. nice-to-have features; Align prioritization with project / service goals and constraints

6.6. Consider Edge Cases: Include criteria for handling unexpected inputs or scenarios; Address potential failure modes and error handling

7. COORDINATION AND REPORTING

The Contractor shall deliver services onsite in SHAPE, Mons, Belgium.

The highest level of classification that the contractor may need to access is NATO COSMIC TOP SECRET (CTS). As a result of this, the contractor must hold a valid NATO CTS Security Clearance.

The contractor shall report to the NCIA Project Manager or designated Point of Contact (POC) assigned by the NCIA Cyber Security Service Line.

The Contractor shall participate in monthly status update meetings and other meetings physically in the office or in person via electronic means using Conference Call capabilities according to the service delivery manager's instructions.

For each sprint to be considered as complete and payable, the contractor must report the outcome of his/her service during the sprint, first verbally during the retrospective meeting and then in writing within five (5) working days after the sprint's end date. A report in the format of a short email shall be sent to NCIA POC briefly mentioning the service held and the achievements during the sprint.

8. SCHEDULE

This task order will be active immediately after signing of the contract by both parties.

The 2025 BASE period of performance is as soon as possible but not later than 13 October and will end no later than 31 December 2025.

If the and 2028 options are exercised the period of performance is 01 January until 31 December of that respective year.

9. CONSTRAINTS

Results of the service to be stored on NCIA NATO RESTRICTED SharePoint portal.

All the documentation provided under this statement of work will be based on NCIA templates and/or agreed with the NCIA service manager.

All support maintenance documentation will be stored under configuration management and/or in the provided NCIA tools.

All developed solutions will be property of the NCIA.

10. SECURITY AND NON-DISCLOSURE AGREEMENT

It is mandatory for the Contractor to be in possession of a NATO COSMIC TOP SECRET security clearance to facilitate follow-on engagements and coordination at NATO venues.

The signature of a Non-Disclosure Agreement between the contractor contributing to this task order and NCIA will be required prior to execution.

11. PRACTICAL ARRANGEMENTS

11.1. Place of Performance: The contractor will be required to provide the service 100% onsite in Mons / BEL as part of this engagement.

11.2. Hours of Operation Service: The NCSC Team is located in Mons / BEL with working hours from 08:30 to 17:30 with 1 hour for lunch from Monday to Thursday. On Friday working hours will be from 08:30 to 15:30 with 1 hour for lunch.

11.3. Service Execution: Due to the nature and classification of the working environment, all services and deliverables outlined in this Statement of Work (SOW) will be performed onsite on the client's premises at NCIA location in S.H.A.P.E., Mons, Belgium. The contractor will be physically present on location to conduct assessments, implement network solutions and provide ongoing support as required throughout the project. The contractor will be required to provide the service following the rules and regulations applicable for the operations of NATO CIS.

11.4. NCIA Furnished Property and Services: The Purchaser will provide the Contractor with the following Purchaser-Furnished Equipment (PFE): Access to NATO sites as required for the purpose of executing this SOW. Workspace (needed business IT for both on- and off-site work, hot-desk at NCSC facility). NCIA REACH laptop, NCSC NROP laptop & NCSC NSOP workstation to be used by the contractor for the execution of the contract. NCIA IT equipment will be provided (one REACH laptop will be provided). This equipment can be used by one person only and associated to that individual.

11.5. Travel: Regular travel costs to and from the service delivery location (SHAPE) are out of scope and will be borne by the contractor. Travel costs to other NATO locations are not included in the quoted price as there is no expected travel foreseen. However, should travel be required, travel arrangements will be the responsibility of the contractor and the expenses will be reimbursed in accordance with Article 5.5 of the AAS Framework Contract and within the limits of the NCIA Travel Directive.

12. QUALIFICATIONS


Services under current SOW are to be delivered by ONE resource that must have demonstrated skills, knowledge and experience as listed below.

  • Security Classification: It is mandatory for the Contractor to be in possession of a NATO COSMIC TOP SECRET security clearance to facilitate follow-on engagements and coordination at NATO venues.
  • Language Proficiency: English

Past Performance and Qualifications:

To provide a high level of service quality (including the lifecycle management of the software - all tasks related to A2SL inclusion, its configuration to ensure coverage and the regular monitoring of the availability of the capability), the contractor supporting the identified tasks shall provide and prove the following mandatory performance, education and qualifications:

  • Bachelor's degree in Computer Science, Information Technology or related field, or equivalent experience
  • 3 years of experience in IT security with a focus on System Administration, Security Tools Management in large organisations.
  • Strong understanding of security best practices and experience with Tenable products especially with Tenable Security Center.
  • IP switching and routing in a wired and wireless environment.
  • Virtual Infrastructure management based on VMWare technologies.
  • Systems administration ideally both with Windows and Linux.
  • Good engineering skills including programming and/or scripting knowledge (Python, shell scripting, PowerShell).
  • Demonstrable experience of analysing and interpreting system, security and application logs in order to diagnose faults and spot abnormal behaviours.
  • Comprehensive understanding of principles of Computer and Communication Security, networking, and vulnerabilities of modern operating systems and applications, acquired through a blend of academic or professional training coupled with practical professional experience.
  • Strong analytical and problem-solving skills.
  • Excellent communication abilities, both written and verbal, with the ability to clearly and successfully articulate complex issues to a variety of audiences and teams.
  • Experience with threat intelligence, incident response and remediation is a plus.
  • Knowledge of python (pyTenable) and PowerShell. Experience working with and Nessus Manager APIs is a plus.
  • Knowledge of NATO organization and its IT infrastructure is a plus.
  • Experience with Service Management, monitoring and reporting tools, ideally Solarwinds, is a plus.
  • ITIL Service Management certification is a plus.
  • Experience with system instrumentation solutions such as Ansible is a plus.
  • Certifications such as CISSP, CISM or CISA are a plus.
  • Previous experience working for Cyber Security related organisations (CERTs, security offices) is a plus.
  • Previous experience working in an international environment comprising both military and civilian elements is a plus.

Employment Type: Contract