Deadline Date: Friday 29 November 2024
Requirement: Provision of CIS Security Officer (Security Compliance and Audits)
Location: Brussels, BE
Full Time On-Site: Yes
Time On-Site: 100%
Period of Performance: 2025 BASE: As soon as possible, not later than 6th January 2025 (tentative) – 31st December 2025, with the possibility of the following options:
• 2026 Option: 1st January 2026 until 31st December 2026
• 2027 Option: 1st January 2027 until 31st December 2027
Required Security Clearance: NATO Secret
1 INTRODUCTION
NCIA – Coherence Branch
Within the Agency, CIS Support Unit (CSU) Brussels provides consistent, reliable and cost-effective ICT service delivery to all NATO customers located in the NATO compound in Brussels, including understanding and managing the interface with the Secretary General and the Deputy Director General International Military Staff (DG IMS), through his/her delegated representatives ICTM/EXCO IMS, who act in the role of Intelligent Customer.
The Coherence (COH) Branch supports the Agency’s Demand Management (DM) organization, is responsible for liaison with all customers in the CSU’s AoR, supports the Commander CSU in his/her role as NCIA representative, and provides a single entry point for customers. The Service Management Branch (SMB) contributes to and/or conducts monitoring and measurement of customer satisfaction. SMB supports the management of all agreements concerning Service Provision, Operations and Exercises within the CSU AoR. SMB supports Service Lines in the implementation and improvement of service management processes.
NCIA – Service Design and CIS Security
Service Design and CIS Security (SDCS) team consists of subject matter experts mainly providing security compliance, risk assessment, risk management and security architecture services.
The service under this SOW has to be delivered by a resource with qualifications and experience as a CIS Security Officer (Security Compliance and Audits). The resource will provide services related to the main activities described in the Scope of Work section below, under the direction of the Head, Service Design and CIS Security (SDCS) team.
2 OBJECTIVES
The main objectives of this statement of work can be summarized as follows:
• Organize, coordinate and perform CIS security compliance and verification activities;
• Support CIS security accreditation activities and remediation tasks;
• Support and participate in high-level, multi-stakeholder CIS security related meetings and forums.
3 SCOPE OF WORK
Under the direction / guidance of the CIS Security Manager, the services provided will support the following activities:
1) CIS Security Services
a) Coordinate system vulnerability assessments to identify weaknesses in security posture.
b) Analyse the Cyber Security Hygiene Indicators report and prioritize remediation activities.
c) Ensure proper security testing protocols are in place before any system upgrades or changes.
d) Maintain documentation and evidence for all security tests performed on NATO HQ CIS.
e) Collaborate with stakeholders to define security accreditation requirements.
f) Review and update accreditation documentation for compliance with NATO policies and directives.
g) Coordinate and plan security audits to ensure systems adhere to NATO security accreditation standards.
h) Prepare audit reports with detailed findings and corrective action recommendations.
i) Oversee follow-up actions post-audit to ensure implementation of security improvements.
j) Track remediation progress for security vulnerabilities discovered during audits.
k) Perform post-accreditation monitoring to ensure continued compliance.
l) Review security incident reports and incorporate findings into future audit cycles.
m) Provide expertise in the design and analysis of CIS architectures, equipment, and system technical specifications, including security-related requirements.
n) Engage with relevant NATO HQ bodies, NCIA bodies, and others on network and application system issues affecting CIS operation and maintenance, including staging, pre-production, and production environments.
o) Coordinate and support the design, planning, and testing of network infrastructures and related applications and data, including security aspects.
p) Coordinate discussions and the elaboration of technical and security details for required solutions, in close coordination with Subject Matter Experts (SMEs).
q) Prepare written technical documentation throughout the planning and implementation of CIS initiatives.
r) Work in close coordination with the NHQ CIS Security Officer(s) in the NATO Office of Security.
s) Represent the Service Design & CIS Security (SDCS) Team in appropriate meetings and working groups.
t) Report to the Service Design & CIS Security (SDCS) Team Head.
u) Perform any other duties as required.
2) Continuous Improvement:
a) Identify areas for improvement in documentation and processes.
b) Proactively identify potential vulnerabilities and coordinate preventive measures.
c) Contribute to the knowledge base for SDCS team.
d) Ensure information is accurate and up-to-date.
3) Collaboration with IT Teams:
a) Work closely with other CSU Brussels IT teams and other NHQ/NCIA/Enterprise stakeholders to ensure CIS security compliance.
b) Collaborate on projects and initiatives.
c) Participate in CIS forums and discussions.
It is expected that ONE resource will provide the above services.
The contractor will provide the service on-site, with the possibility of teleworking from Belgium 1 day per week, delivering services during NATO HQ working hours.
Execution of this service is measured in sprints, with each sprint planned for a duration of 1 week.
The content and scope of each sprint will be agreed in writing, during the sprint-planning meeting, based on the activities mentioned above.
4 DELIVERABLES AND PAYMENT MILESTONES
The following deliverables are expected from the service on this statement of work:
2025 BASE: 01 January 2025 to 31 December 2025
Deliverable: 46 Sprints of Provision of CIS Security Services Contractor
Payment Milestones: Monthly payment, for the number of sprints completed within the calendar month.
The number of sprints is calculated assuming a starting date of 02 JAN 2025. This will be adjusted based on the actual starting date.
Subject to actual requirements, contractor performance and available funding, the Purchaser reserves the right to exercise optional sprints for 2025, at a later time, within the same scope and cost.
The payment shall be dependent upon successful acceptance of the Delivery Acceptance Sheet (DAS) – (Annex B) including the EBA Receipt number.
Invoices shall be accompanied with a DAS, signed by the Contractor and Purchaser’s authority.
2026 OPTION: 01 January 2026 to 31 December 2026:
Deliverable: 46 Sprints of Provision of CIS Security Services Contractor
Payment Milestones: Monthly payment, for the number of sprints completed within the calendar month.
Subject to actual requirements, contractor performance and available funding, the Purchaser reserves the right to exercise optional sprints for 2026, at a later time, within the same scope and cost.
The payment shall be dependent upon successful acceptance of the Delivery Acceptance Sheet (DAS) – (Annex B) including the EBA Receipt number.
Invoices shall be accompanied with a DAS, signed by the Contractor and Purchaser’s authority.
2027 OPTION: 01 January 2027 to 31 December 2027:
Deliverable: 46 Sprints of Provision of CIS Security Services Contractor
Payment Milestones: Monthly payment, for the number of sprints completed within the calendar month.
Subject to actual requirements, contractor performance and available funding, the Purchaser reserves the right to exercise optional sprints for 2026, at a later time, within the same scope and cost.
The payment shall be dependent upon successful acceptance of the Delivery Acceptance Sheet (DAS) – (Annex B) including the EBA Receipt number.
Invoices shall be accompanied with a DAS, signed by the Contractor and Purchaser’s authority.
5 COORDINATION AND REPORTING
The contractor shall participate in weekly status update meetings, activity planning and other meetings as instructed, either physically in the office or remotely via electronic means using conference call capabilities, according to the Team Leader’s instructions.
For each sprint to be considered complete and payable, the contractor must report the outcome of his/her service during the sprint, first verbally during the retrospective meeting and then in writing within three (3) days after the sprint’s end date. The format of this report shall be a short email to the NCIA Point of Contact briefly describing the services performed and the achievements during the sprint.
6 SCHEDULE
This task order will be active immediately after signing of the contract by both parties.
It is expected that the service starts as soon as possible but no later than 06th January 2025, and ends no later than 31st December 2025.
If the 2026 option is exercised, the period of performance is 01st January 2026 to 31st December 2026.
If the 2027 option is exercised, the period of performance is 01st January 2027 to 31st December 2027.
7 CONSTRAINTS
All the deliverables provided under this statement of work will be based on NCIA templates or agreed with the project point of contact.
8 SECURITY
The services provided by the proposed resource require a valid NATO SECRET security clearance.
9 PRACTICAL ARRANGEMENTS
The contractor will be required to provide the service primarily on-site at NATO Headquarters – Brussels – Belgium as part of this engagement. There is a possibility to work 1 day per week teleworking from Belgium.
Services under this SOW must be accomplished by ONE contractor.
The resource providing services under this SOW will be part of the NCIA Service Delivery and CIS Security (SD&CS) team.
No travel is expected. However, if required during the execution of this contract, travel costs are out of scope and will be borne by the NCI Agency separately in accordance with the provisions of the AAS+ Framework Contract.
10 QUALIFICATIONS
The consultancy support for this service requires a CIS Security Officer (Security Compliance and Audits) with the following qualifications:
1) Essential qualifications:
2) Desirable qualifications: