Deadline Date: Wednesday 4 December 2024
Requirement: Support to Change Management for NATO Cyber Security Centre (NCSC) Service Delivery Support Section (SDSS)
Location: Mons, BE
Full Time On-Site: Yes
Time On-Site: 100%
Period of Performance: 2025 BASE: 2nd Jan 2025 to 31st March 2025, with possibility to exercise the following options:
2026 Option: 1st January until 31st December 2026
2027 Option: 1st January until 31st December 2027
2028 Option: 1st January until 31st December 2028
Required Security Clearance: NATO Secret
1. BACKGROUND
The NCI Agency has been established with a view to meeting the collective requirements of some or all NATO nations in the fields of capability delivery and service provision related to Consultation, Command & Control as well as Communications, Information and Cyber Defence functions, thereby also facilitating the integration of Intelligence, Surveillance, Reconnaissance, Target Acquisition functions and their associated information exchange.
2. INTRODUCTION
The NATO Cyber Security Centre (NCSC) is a team of over 200 members working to monitor and protect NATO networks. In its role of delivering robust security services to the NATO Enterprise and NATO Allied Operations and Missions (AOM), the centre executes a portfolio of programmes and projects of around 219 MEUR per year in order to uplift and enhance critical cyber security services.
Mission
The NCSC Service Delivery Support Section (SDSS) is dedicated to centralizing the coordination of cyber security services delivery in a matrix organizational environment.
Our mission is to orchestrate the entire service lifecycle, ensuring that services align to and follow enterprise strategy, policy, and directives established by the NCI Agency management, Chief Operating Officer, Chief Service Operations, Chief Technology Officer, Finance and Acquisition departments. We work closely with Service Area Owners and Service Delivery Managers to enable standardized and effective service delivery. In order to execute this work, the NCI Agency requires support with the work undertaken by the NATO Cyber Security Centre (NCSC) in the area of Communications and Information System (CIS) security and cyber defence. This Statement of Work (SoW) specifies the required skillset and experience.
Vision
Our vision at the NCSC Service Delivery Support Section (SDSS) is to become the central coordination point for cyber security service delivery, enabling seamless and transparent end-to-end delivery of services to our customers. We will achieve this by operating in and leading three core areas that are critical to quality service delivery: Service Design, Service Transition, and Service Operations. These area leads will guide the Service Area Owners and Service Delivery Managers and provide advice and ad-hoc support with their challenges in Service Management. SDSS will also act as a single source of truth for Service Delivery metrics and quality, and will provide centralized and coordinated responses to enterprise-level inquiries and reporting requirements.
3. PURPOSE
The Cyber Security COHERENCE Branch - Service Delivery Support Section (SDSS) provides comprehensive support to Cyber Security, with continually accessible advice and action to support the customer in the maintenance of efficient and compliant cyber security services.
This Statement of Work (SOW) outlines the services to be provided by the Supplier to NCI Agency Cyber Security Coherence Branch for the implementation and management of Change Management processes.
4. OBJECTIVES
The main objective of the statement of work is to underline the Cyber Security needs of the NCSC and to seek support for the Change Management process, which should be manned by the service supplier on a daily basis to ensure service objectives are met continuously.
The service provider will be required to deliver a daily activities schedule, orchestrate the NCIA Enterprise and NCSC Domain level Change Management process, and represent the NCSC business unit at Enterprise level where required.
5. DELIVERABLES
The Service Provider will deliver the following core activities as per the schedule below:
01 Daily Service Requests Review - Daily
02 Technical Review Board - Weekly
03 Release and Governance Board - Weekly
04 Domain Change Advisory Board - Weekly
05 Ad-hoc SME Support Sessions - Weekly
06 Internal Reporting - Weekly
07 Enterprise Change Management Board - Weekly
6. SERVICE DETAILS
Daily Service Requests Review
The purpose of daily service requests review is to monitor all incoming Change Requests as well as Service Requests that do not meet the criteria of the pre-approved “Standard Changes” and re-direct them through the Change Management process.
The Service Provider will:
Support the team by routinely reviewing the ticket queue to ensure a 4-hour response time
Multi-channel support (phone, email, internal chat) for change reporting
Develop and maintain a change and configuration management dashboard to reflect up-to-date change status at all times
Provide regular reporting on change and configuration management performance
Escalate critical requests to appropriate channels within 4 hours
Service/Change Request tickets Review (Domain Level): 4 hours response time to capture / categorize incoming Service/Change Requests through NCSC domain and Enterprise ITSM platform. Activity is carried out twice a day for 30 minutes. Activity KPIs shall be recorded and visible for review by Change Management Process owner in the BMC footprints tool.
Technical Review Board
The Service Provider will:
Provide meeting minutes
The primary purpose of TRBs is to ensure that all Change Requests are properly prepared (investigated, evaluated and risk assessed) for consideration by the D-CAB based on input from all stakeholders who have a vested interest in the Change Requests. The Change Manager is expected to lead the meetings and should have sufficient knowledge of Hardware, Systems, Networks, and Cyber Security Tools.
Preparation: Review of incoming Change Requests, initial assessment, categorization and relevant stakeholder identification to be included in consideration for Technical Implementation aspects.
Execution: Chair the Technical Review Board (virtual – non location specific)
Results Output: Meeting minutes / Action items
Recurrence: Once a week (Monday)
Meeting minutes shall be captured for each TRB held, with actions incorporated into Change Requests, to be signed off by the NCSC Change Manager.
Release and Governance Board
The Service Provider will:
Provide meeting minutes
The primary purpose of RGBs is to control the Release and Deployment of all CRs approved by the D-CAB. The RGB maintains the scheduling for deployment, cutover and testing of the CRs to ensure the correct implementation of the changes, verifies that implementation has not caused any regression of other services, and reports to the D-CAB.
Should an RGB not be required or applicable for the week, a TRB may replace the activity.
Preparation: Review of all approved Change Requests, scheduling and coordinating deployment activities, ensuring all of the Stakeholders are properly informed of any risks or potential outages in their services at all times.
Execution: Chair the Technical Review Board (virtual – non location specific)
Results Output: Meeting minutes / Action items
Recurrence: Once a week (Tuesday)
Meeting minutes shall be captured for each RGB held, with actions incorporated into Change Requests, to be signed off by the NCSC Change Manager.
Domain Change Advisory Board
The Service Provider will:
Provide meeting minutes of analysis of change request monitoring and analysis of events across the Client's networks
The D-CAB is an internal Change Advisory Board, chaired by the Infrastructure Branch Head, that makes an informed decision on the Change Manager outputs (assessment, compliance, risk, recommendation).
Preparation: Review approved Change Requests, submit pending Change Requests, advocate, and provide Change Management related information to the Change Advisory Board Chair.
Execution: Participate in the Technical Review Board (Virtual – non location specific)
Results Output: Meeting minutes / Action items
Recurrence: Once a week (Thursday)
Meeting minutes shall be uploaded for each D-CAB, to be signed off by the NCSC Change Manager.
Ad-hoc SME support sessions
The Service Provider will:
Attend the meeting with various stakeholders and senior decision-making staff
Create reports that will include the elements in the table below:
Direct Support Sessions
2 x Half a day, “open door” session (remotely) where consultancy and advice are provided to interested stakeholders: CR processes and governance in general; CR updates; CR informal planning; Other Business.
Results Output: All interactions under consultations shall be captured in ITSM as service requests and tagged as “Shared Knowledge” where possible.
Recurrence: (Wednesday - Friday)
Internal Reporting
The Service Provider will:
Provide reporting to the NCSC Service Transition Area Lead, who reports to the Service Delivery Support Section Head.
Create regular reports on change management activities, including successes and areas for improvement
Preparation: Review of all the activities/KPIs.
Execution: Service Delivery Management Section meetings.
Results Output: Report on the Change Management service delivery.
Recurrence: Once a week (Friday)
Each of the activities shall be captured as an output to meet Service Level Target:
3 x Meeting Agendas/Minutes/Recommendations on the Chaired Boards;
1 x Report on weekly Change Management response times;
1 x Report on interactions with the interested stakeholders;
Enterprise Change Management Board
The Service Provider will:
Provide meeting minutes and reports
Preparation: Prepare any NCSC raised Change Requests that require Enterprise CAB approval.
Recurrence: Once a week (Wednesday)
Participation: Communicate all of the NCSC Change Requests and capture any Change Request inquiries towards NCSC Services.
Results Output: Action items for NCSC.
Meeting minutes shall be uploaded for each D-CAB, to be signed off by the NCSC Change Manager.
Service Level Agreements (SLAs)
The following SLAs will apply:
Average speed of answer: 30 minutes - 4 hours
The Service Provider is expected to provide service every day during normal business hours, 08:30-17:30.
Client Responsibilities
The Client will:
Provide necessary access to systems and information required for all services
Tools and equipment (laptop) will be provided for remote service provisioning.
Access to the following tools that are used to execute daily tasks will be provided: BMC footprints (NCSC Domain); BMC remedy (NCIA Enterprise); Archimate; Visio; Patch Manager; SharePoint; SolarWinds; PowerBI;
Designate primary points of contact for escalations and decision-making
Early Definition: Establish criteria at the beginning of the project or sprint; Refine criteria as needed throughout the development process
Prioritization: Identify must-have criteria vs. nice-to-have features; Align prioritization with project / service goals and constraints
Consider Edge Cases: Include criteria for handling unexpected inputs or scenarios; Address potential failure modes and error handling
Acceptance Criteria
The services will be deemed accepted when:
All specified SLAs are met
All deliverables have been provided as outlined in Section 5
ITSM service requests are continuously monitored
ITSM change requests are continuously monitored
Recurring meetings (TRB, CAB, RGB) are manned at all times
All of the meetings information and actions are captured within NCSC knowledge management repositories
The written reports contain no spelling or grammatical errors; all data sources are properly cited; the document follows the provided template, including font styles and sizes; all charts and graphs are clearly labelled and include a brief explanatory caption
Version Control: maintain a clear record of criteria changes and ensure all stakeholders are working with the most up-to-date version
Rejection Criteria:
The client may reject deliverables if they do not meet the specified acceptance criteria or if they contain critical errors.
A rejected deliverable must be corrected and resubmitted within 1 (one) business day.
Further, the supplier must conduct the following reviews:
A weekly ‘touch point’ between NCIA POC and the supplier’s POC to ensure work is on track
Draft versions of the reports where the supplier’s POC presents the draft report to the customer, with the opportunity for the customer to provide feedback and implement uplifts.
Final versions of the reports where the incumbent presents and delivers the final report to the customer.
7. COORDINATION AND REPORTING
Due to the AGILE approach of this project, there is a need to define a set of specific arrangements between the NCI Agency and the contractor that specifically defines the deliverables to be provided for each sprint as well as their associated acceptance criteria. This includes sprint planning, execution and review processes, which are detailed below:
1. Sprint Planning:
Objective: Plan the objectives for the upcoming sprint
Kick-off meeting: Conduct a monthly meeting with the contractor to plan the objectives of upcoming sprints and review the contractor's manpower to meet the agreed deliverables.
Set sprint goals: Define clear, achievable goals for the sprint and associated acceptance criteria, including specific delivery targets, Quality standards as well as Key Performance Indicators (KPIs) for each task to be recorded in the sprint meeting minutes.
Agree on the required level of effort for the various sprint tasks.
Backlog Review: Review and prioritise the backlog of tasks, issues, and improvements from previous sprints.
Assess each payment milestone cycle duration of one calendar month. State of completion and validation of each sprint status and sign off sprints to be submitted for payment as covered in Section 4.
2. Sprint Execution
Objective: Contractor to execute the agreed “sprint plans” with continuous monitoring and adjustments.
Regular meetings between the NCI Agency and the contractor to review sprint progress, address issues, and make necessary adjustments to the processes or production methodology. The meetings will be held physically in the office.
Continuous improvement: Contractor to establish a continuous feedback loop to gather input from all stakeholders for ongoing improvements and their subsequent implementation depending on NCIA approval.
Progress Tracking: Contractor to use a shared dashboard or tool to track the status of the sprint deliveries and any issues.
Quality Assurance/Quality Check: Contractor shall ensure that the quality standards agreed for the sprint deliverables are maintained throughout the sprint.
Quality Control: NCIA to perform the Final Quality Control of the agreed deliverables and provide feedback on any issues.
3. Sprint Review
Objective: Review the sprint performance and identify areas for improvement.
At the end of each sprint, there will be a meeting between the NCI Agency and the Contractor to review the outcomes against the acceptance criteria comprising sprint goals, agreed quality criteria and Key Performance Indicators (KPIs).
Define specific actions to address issues and enhance the next sprint.
4. Sprint Payment
For each set of 4 (four) sprints to be considered complete and payable, the contractor must report the outcome of their work during the sprint, first verbally during the retrospective sprint review meeting and then in writing within five days after the 4th sprint’s end date. A report must be sent by email to the NCI Agency service manager, listing all the work achieved against the agreed tasking list set for the sprint.
The contractor's payment for each set of 4 sprints will depend upon the achievement of the agreed Acceptance Criteria for each task, defined at the sprint planning stage. This will include specific delivery targets, quality standards as well as Key Performance Indicators (KPIs) for each task.
The payment shall be dependent upon successful acceptance as set in the above planning/review meetings. This will follow the payment milestones that shall include a completed Delivery Acceptance Sheet (DAS) – (Annex A) including the EBA Receipt number
Invoices shall be accompanied by a Delivery Acceptance Sheet (DAS) – (Annex A) signed by the Contractor and project authority.
If the contractor fails to meet the agreed Acceptance criteria for any task, the NCI Agency reserves the right to withhold payment for that task/sprint.
8. PAYMENT MILESTONES
Term and Timeline
Period of performance for SOW will commence on 1st of January 2025 and continue for max. 52 weeks (sprints) until the 31st of December 2025.
Due to budget pending approval, the initial contract will be for 13 weeks (sprints) with the expectation that it will be renewed each quarter of 2025.
On the first working day of 2025, the NCIA representative will have a Kick Off meeting with the Service Provider to perform introductions and review the project plan (sprints activities).
The NCIA team reserves the possibility to exercise a number of options, based on the same sprint deliverable timeframe and cost, at a later time, depending on the project priorities, requirements and budget approval.
The payments shall be dependent upon successful acceptance of the Delivery Acceptance Sheet (DAS) – (Annex B) including the EBA Receipt number.
Invoices shall be accompanied by a Delivery Acceptance Sheet (Annex B) signed by the Contractor and project authority.
8.1 BASE 2025: PERIOD OF PERFORMANCE 01 JANUARY TO 31 DECEMBER 2025
Invoicing will take place upon completion of each 4 sprints and at the end of the work, with payment due within 30 days of invoice date.
Deliverable: 2025: max 52 Sprints containing all deliverables in section 5 (Number of sprints is estimated considering a start date of 01 January 2025)
Payment Milestones: Upon completion of each 4 sprints accepted within the respective month (at the end of the month) and at the end of the work.
8.2 2026 OPTION: PERIOD OF PERFORMANCE 01 JANUARY 2026 TO 31 DECEMBER 2026
Deliverable: Up to 52 sprints
Payment Milestones: Payment Milestones will be at the end of the month for each 4 Sprints completed and accepted within the respective month and at the end of the work.
8.3 2027 OPTION: PERIOD OF PERFORMANCE 01 JANUARY 2027 TO 31 DECEMBER 2027
Deliverable: Up to 52 sprints
Payment Milestones: Payment Milestones will be at the end of the month for each 4 Sprints completed and accepted within the respective month and at the end of the work.
8.4 2028 OPTION: PERIOD OF PERFORMANCE 01 JANUARY 2028 TO 31 DECEMBER 2028
Deliverable: Up to 52 sprints
Payment Milestones: Payment Milestones will be at the end of the month for each 4 Sprints completed and accepted within the respective month and at the end of the work.
9. PRACTICAL ARRANGEMENTS
[See Requirements]
10. WORK EXECUTION
The services will be executed in a hybrid way: onsite (NCIA S.H.A.P.E. Mons, Belgium) and on contractor premises. NCIA IT equipment will be provided (one REACH laptop will be provided). This equipment can be used by one person only and associated to that individual.
Results of the work are to be stored on the NCI Agency NATO RESTRICTED SharePoint portal and checked on a weekly basis with the assigned Point of Contact (Annex A – Weekly progress report).
All the documentation provided under this statement of work will be based on NCI Agency templates and/or agreed with the NCIA service manager.
All support, maintenance, documentation will be stored under configuration management and/or in the provided NCI Agency tools.
All developed solutions will be property of the NCI Agency.
11. TRAVEL
Travel is not required and not expected. No additional cost for travel (including accommodation, per diem, travel expenses, etc.) will be claimed separately. All travel arrangements are the responsibility of the contractor.
SECURITY AND NON-DISCLOSURE AGREEMENT
Any proposed resource providing services under this SOW must be in possession of a security clearance NATO SECRET or above. The signature of a Non-Disclosure Agreement between any Service Provider’s individuals contributing to this task and NCIA will be required prior to execution.
Requirements
9. PRACTICAL ARRANGEMENTS
Services under current SOW are to be delivered by ONE resource that must meet the following experience, qualities and qualifications:
a) Experience:
b) Personal qualities required
c) Minimum qualifications required