2026-0019 Security Accreditation Activities (NS) - WED 25 Feb

Deadline Date: Wednesday 25 February 2026

Requirement: Security Accreditation Activities

Location: Mons, BE

Full Time On-Site: Yes

Time On-Site: 100%

Period of Performance: 2026 BASE: 1st April 2026 – 31st December 2026

Start date is as soon as possible but not later than 1st April 2026 with possibility to exercise the following options:

2027 Option: 1st January 2027 until 31st December 2027

2028 Option: 1st January 2028 until 31st December 2028

Required Security Clearance: NATO SECRET

1. INTRODUCTION

1.1 The NATO Communications and Information Agency (NCIA) located in Mons, Belgium, is responsible for the security compliance of all its managed CIS capabilities throughout the Alliance. A critical activity in this domain is the continuous update of related documentation to capture the security posture of each site in terms of people, processes and technology.

1.2 The Contractor’s personnel will work on-site and embedded into a CIS Capability Support team of six staff, who provide CIS Engineering support to end-users.

1.3 After the on-boarding, contractor’s personnel will be provided with documentation related to NATO specific security policies and guidelines.

2. OBJECTIVES

The main objectives are:

2.1 To produce, review and maintain a document repository which contains up-to-date security related documentation of each remote site (approximately 54 sites).

2.2 To create security accreditation documentation for four (4) CIS systems.

3. SCOPE OF WORK

In close coordination with the Site Security Officer (SSO) at each remote site, the CIS capability Service Delivery manager and the NCIA Security Accreditation Office, the Contractor’s personnel shall perform the following activities:

3.1 Review existing security documentation and update it as required, to ensure compliance with security guidelines

3.2 Maintain a document library that contains the most updated site and system security documentation

3.3 Establish periodic communication with Site Security Officers to trigger and monitor their actions in updating site specific documentation within the agreed timelines

3.4 Create, and present to the customer, a periodic report that shows the security compliancy and pending actions of each site in terms of security related documentation

3.5 Keep existing user and administrator CIS Security Operating Procedures up-to-date

3.6 Create a basic training package, in PowerPoint format, that describes the actions each Site Security Officer shall perform to maintain local security documentation in compliance with security directives and guidelines

3.7 Review and provide constructive feedback on:

3.7.1 Security Test and Verification Plans and Reports (STVP / STVR)

3.7.2 CIS Security description documents related to managed CIS systems

4. PAYMENT MILESTONES AND DELIVERABLES

4.1 The prioritized list of sites and systems will be determined and agreed in writing at the kick-off meetings in the format of a Work Package (from 1 to 10). These meetings are held at the location of performance at the start of each work package.

4.2 Payments shall be made upon completion and acceptance of the following deliverable groupings:

4.2.1 Each group of nine (9) Remote Site Security Accreditation Packages (including deliverables D001 and D002, as defined in para 4.6 below); OR

4.2.2 Each individual CIS Systems Security Accreditation Package (comprising deliverables D003 to D007, as defined in para 4.6 below)

4.3 Each payment shall be equal to 1/10th of the overall amount of the BASE contract.

4.4 The deliverables, acceptance criteria and payment milestones and payment modalities included in this SOW shall be applicable for the 2026 BASE contract, as well as for the 2027 and 2028 OPTIONS (if exercised).

4.5 Each payment shall be dependent upon successful acceptance of the Delivery Acceptance Sheet (DAS) – (Annex B) signed by both the Contractor and the NCIA POC. No partial payments shall be made for partially completed Work Packages.

4.6 The DAS shall be sent via email to the NCIA POC.

4.7 The DAS report shall include the deliverables related to the agreed scope of the work package (see para 4.1). All deliverables shall comply with the content and acceptance criteria below:

4.7.1 D001: Node Security Compliant Statement (NSCS) template (site-specific)

4.7.1.1 Acceptance Criteria for D001:

The following sections of the NSCS template shall be filled-in with site relevant information:

• General information (Location/Address, Node name and Type)
• Point of Contacts
• Physical Environment Information (detailed info about location of CIS equipment)
• List of security related documents already available at each site
• COMSEC/COMPUSEC Compliance (Facility zoning info, Tempest certificates numbers)
• CIS Information Exchange Requirements
• Network Diagram/Physical Layout

4.7.2 D002: Site Installation Report (site-specific)

4.7.2.1 Acceptance Criteria for D002:

The following sections of the Site Installation Report shall be filled in with site relevant information:

• List of CIS equipment installed
• Physical layout, including CIS device’s location
• Network diagram
• List of site Point of Contacts
• Security Test and Validation Report

4.7.3 D003: Security Test and Verification Plan and Report (system-specific)

4.7.3.1 Acceptance Criteria for D003:

The following sections of the Site Installation Report shall be filled in with system relevant information:

• Test procedures for each Section listed in Technical and Implementation Directive on CIS Security, that will be provided to the contractor’s personnel during onboarding
• Applicability of the test to specific system tier/component
• Verification methods
• Clarifications/Comments

4.7.4 D004: CIS Description template (system-specific)

4.7.4.1 Acceptance Criteria for D004:

The following sections of the CIS Description template shall be filled-in with system relevant information:

• General information about the system (including user facing components, functionality perspective)
• Technical description: System architecture; Multi-tier model; Security components
• Network configuration: Network diagrams; Information Exchange Requirements; External Connections
• Physical locations of CIS equipment
• Hardware and Software (baseline)

4.7.5 D005: Site Security Officer Training Package (system-specific)

4.7.5.1 Acceptance Criteria for D005:

A minimum of 25 and a maximum of 35 PowerPoint slides with detailed Notes section

Content:

• NCIA General information (1 slide)
• Supporting Team introduction (2 slides)
• Security principles (3-5 slides)
• Accreditation principles (3-5 slides)
• Accreditation process for CIS systems – process and responsibilities (5-8 slides)
• Accreditation and re-accreditation of the Single System Node – process and responsibilities (5-8 slides)
• Node Security Compliance Statement document structure and description (5-8 slides)

4.7.6 D006: User and Admin Security Operations Procedures (SecOPs) (system-specific)

4.7.6.1 Acceptance Criteria for D006:

User SecOPs Content

• Introduction, general description of the SecOPs
• Administration and Organization of Security
• Physical Security
• Personnel Security
• Security of Information
• CIS Security
• Security Incidents Handling
• Emission Security

Admin SecOPs Content

• Introduction, general description of the SecOPs
• Administration and Organization of Security
• Physical Security
• Personnel Security
• Security of Information
• CIS Security
• Software Security
• Security Management and Audit
• Cryptographic Security
• Emission Security
• Emergency and Business Continuity
• Configuration Management
• Security Incidents Handling

4.7.7 D007: System-specific Security Requirement Statement (SSRS) (system-specific)

4.7.7.1 Acceptance Criteria for D007:

The following sections of the SSRS document shall be filled-in with system relevant information:

• Introduction
• Brief system description
• Security authorities for the system
• Security management staff
• Security requirement
• List of all security measures included in Technical and Implementation Directive on CIS Security that will be provided to the contractor’s personnel during onboarding
• Applicability to the system
• Implementation Details

5. COORDINATION AND REPORTING

5.1 The Contractor’s personnel shall participate in weekly status update meetings, physically in the office, as scheduled by the Service Delivery Manager instructions.

5.2 The Contractor’s personnel shall provide a progress update in Excel format of the deliverables to the NCIA POC, during scheduled service review meetings (see para 3.4).

6. SCHEDULE

6.1 The BASE period of performance is: as soon as possible but not later than 1st April 2026 and will end no later than 31st December 2026.

If the 2027 option is exercised, the period of performance is 1st January 2027 to 31st December 2027.

If the 2028 option is exercised, the period of performance is 1st January 2028 to 31st December 2028.

6.2 The Contractor’s personnel shall deliver services on-site: Monday – Thursday between 08:30 and 17:30, and Friday between 08:30 and 15:30 hrs.

7. CONSTRAINTS

7.1 All the deliverables provided under this statement of work will be based on NCIA templates or agreed with the NCIA Service Delivery Manager.

7.2 All the documentation delivered by the Contractor will be stored in the provided NCIA repositories.

8. SECURITY

8.1 All the deliverables of this project will be considered up-to NATO SECRET.

8.2 A valid security clearance at the level of NATO SECRET or above is expected for the Contractor’s personnel undertaking this project.

9. PRACTICAL ARRANGEMENTS

9.1 The work described in this SoW shall be accomplished by a single member (one) of the Contractor’s personnel.

10. TRAVEL

10.1 This Task Order may require travel to up-to five remote sites in Europe, for maximum two full days per each trip (travel time excluded). The travel, lodging and associated expenses for travel are included in the price of the bid (NTE), such that the purchaser shall not be invoiced.

11. MEETINGS

11.1 The Contractor’s personnel shall participate as a minimum to the following meetings:

11.1.1 Weekly team meetings: focused on team / individual progress and tasks assignment;

11.1.2 Quarterly review meeting:

11.1.2.1 Highlight major achievements and issues encountered during the reporting period, including remediation actions taken.

11.1.2.2 Compliance with the performance requirements of this SoW.

11.1.2.3 Provide trends data for the past and previous quarters (number of NCSC templates prepared, number of sites accredited, etc.)

12. EXPERIENCE AND QUALIFICATIONS

[See Requirements]

13. KEY PERFORMANCE INDICATORS

13.1 Unless stipulated differently, the Contractor’s personnel’s performance shall be assessed quarterly, with each quarter assessed independently.

13.2 Contractor’s personnel are expected to successfully complete a minimum of three work packages per quarter.

13.3 Failure to achieve the threshold mentioned in para 13.2 by the Contractor’s personnel in any given quarter, may be grounds for a partial Termination For The Convenience Of The Purchaser, with the requirement subsequently released for competition. This determination is a unilateral right of the Purchaser, is a function of the Terms and Conditions of this contract, and is not subject to dispute or to any claim for monetary compensation.

Requirements

8. SECURITY

• A valid security clearance at the level of NATO SECRET or above is expected for the Contractor’s personnel undertaking this project.

12. EXPERIENCE AND QUALIFICATIONS

• Comprehensive knowledge of the principles of computers and communication security, networking, and the vulnerabilities of modern operating systems and applications.
• At least five years of experience developing, maintaining, and updating CIS Security policies, standards, procedures and guidelines.
• Proven track record of mapping organizational security documentation to the CIS Security Controls and supporting compliance and audit readiness efforts.
• Hands-on experience conducting periodic reviews, gap analyses, and continuous improvement of security documentation to reflect evolving regulatory requirements.
• At least five years of experience collaborating with technical, operational and compliance stakeholders to ensure security procedures are accurate and aligned with the business risk management objectives
• Demonstrable previous experience in maintaining version-controlled security documentation repositories and ensuring proper change management, approval workflow and traceability
• At least three years of experience planning, conducting and documenting security testing and verification activities, such as control validation, CIS system configuration reviews and procedural walk-throughs, to confirm the effectiveness and operational readiness of CIS-security aligned security controls
• Very good knowledge of spoken and written English as work is conducted in English
• The possession of one or more of the following industry certifications will be considered as an asset: Certified Information Systems Security Professional (CISSP); Certified Information Security Manager (CISM); Certified in Risk and Information Systems Control