Deadline Date: Tuesday 28 April 2026 Requirement: Cyberspace Operations Specialized Computer Forensics Support Location: Mons, BE Full Time On-Site: Yes Time On-Site: 100% Period of Performance: 2026 BASE: 02 JUN 2026 to 31 DEC 2026 2027 OPTION: 1 JAN 2027 to 30 MAY 2027 Required Security Clearance: NATO COSMIC TOP SECRET 1. BACKGROUND The NCI Agency has been established with a view to meeting the collective requirements of some or all NATO nations in the fields of capability delivery and service provision related to Consultation, Command & Control as well as Communications, Information and Cyber Defence functions, thereby also facilitating the integration of Intelligence, Surveillance, Reconnaissance, Target Acquisition functions and their associated information exchange. 2. INTRODUCTION The NATO Cyber Security Centre (NCSC) is a team of over 200 members working to monitor and protect NATO networks. In the NCSC's role to deliver robust security services to the NATO Enterprise and NATO Allied Operations and Missions (AOM), the centre executes a portfolio of programmes and projects around 219 MEUR euros per year, in order to uplift and enhance critical cyber security services. The Portfolio ranges from Programme of Work (POW) activities funded via the NATO Military Budget (MB) to Critical / Urgent Requirements (CURs/URs) and NATO Security Investment Programme (NSIP) projects funded via the Investment Budget (IB). In some edge cases, projects are also funded via the Civilian Budget (CB). Projects can span multiple years and are governed by various frameworks, including the Common Funded Capability Development Governance Framework (CFCDGM). In order to execute this work, the NCI Agency requires support with the work undertaken by the NATO Cyber Security Centre (NCSC) in the area of Communications and Information System (CIS) security, cyber defence and cyberspace operations. This Statement of Work (SoW) specifies the required skillset and experience. 3. PURPOSE The NCSC is responsible to defend NATO networks on a 24/7 basis and as part of its cyber defence activities performs digital forensics analysis in case of suspicion or confirmed malicious activities. The Cyber Defence Analysis activities encompass digital forensics activities allowing to get understanding what has really happened during a cyber incident, or in case of suspicion of an incident, to confirm if the incident really happened. The Specialized Computer Forensics (SCF) environment is a dedicated environment for forensics activities. Due to lack of clear ownership, it has fell in a state of inadequacy for the delivery of the service. The NCSC Cyber Security Analysis Service (SEC004) service is looking for help from the industry to bring it back in a good state. The hardware is a mix of physical acquisition devices such as Atola, PC3000, Network Attached Storage (NAS) devices, powerful workstations and servers, but also various disks, cables, converters, write blockers, patch panels, switches and other accessories. The environment is replicated, although not in exactly the same way, on 2 different levels of classification. The work encompasses both environments. In total there are not more than 30 workstations and not more than 20 servers (both physical and virtual). The user base consists of less than 30 users (analysts and administrators). 4. OBJECTIVES This Statement of Work (SoW) outlines the services to be provided by the Supplier to NCSC for providing support to Cyber Security Analysis Service (SEC004). 5. DELIVERABLES The contractor shall deliver the following functions: D1. Complete inventory of equipment, hardware, software and identities. Create a complete inventory from scratch recording each and every element present in the SCF Lab, including but not limited to things like screwdrivers kits, specific hardware, disks, cables and adapters. Besides hardware, it will also contain the software and diagrams about the physical layout and interconnection. Identities will also be listed with the current access to each system for each identity. D1 Scope of Work: Inventory of equipment in the SCF Lab located in SHAPE. D1 Deliverables: The inventory is split between hardware and software and needs to be recorded in the dedicated space within Confluence with all details including, when available: serial number, brand, model (hardware) or software vendor, version (software), classification level, picture of the item (when applicable), the start (and end) timestamp of production use, a changelog, and purchase order number. When some details are not available, a free text description is expected which shall include all necessary details (e.g. non labelled 1.5m long cable USB A male to USB A female). Links are made between software and hardware components using the templates provided to the provider. Identities are linked to the assets they are assigned to. A physical layout representation needs to be produced in the form of a draw.io diagram which maps the different elements physically in the lab. An OSI layer 1, 2 and 3 diagram of the equipment linked to the network needs to be produced in the form of a draw.io diagram in the Confluence space. D1 Acceptance Criteria: All of the data is added in the designated place within Confluence, using the templates provided and in an editable way to make it maintainable over time. The completeness of the inventory will be assessed by the NCSC team taking 10 items randomly and checking if they are indeed present in the inventory and in the diagrams. D1 Schedules and Milestones: The earliest starting date is 2 June 2026, with a latest starting date of 1 July 2026. The first draft of the inventory should be completed by 30 June 2026 at the earliest, and 30 July 2026 at the latest. The final inventory taking comments into account should be delivered by 15 July 2026 at the earliest, and 15 August 2026 at the latest. D2. New placement of network equipment. At the moment the network equipment in the lab is placed on top of the shelves; it is not fixed or placed in any dedicated rack or shelf. With the information collected in D1, organize a few (up to 3) workshops with the NCSC team to brainstorm how to place the switches and patch panels in the forensics lab room. Taking into account their ideas, the reality of the lab (its size and layout), propose your own recommendation about how to place the network equipment in a professional, functional, economical and aesthetical way. If new equipment needs to be purchased (e.g. wall-mountable racks), propose the elements to be purchased. D2 Scope of Work: Based on the inventory made in D1, propose the placement of the network equipment. Document the proposal in a report in Microsoft Word format. The proposal must take into account the following requirements from NATO regulations: minimal distance between NS and NR elements, and the new required elements must be purchased from companies from NATO member states. D2 Deliverables: A report with the new setup of the network equipment in the form of an MS Word document. The report should contain: all items which need to be purchased, including URL links to the proposed products and their quantities and prices; a diagram showing the layout of the room indicating where the network equipment is going to be placed; and all changes in the lab room which would need to be done to implement the proposal. D2 Acceptance Criteria: The final deliverable must follow the provided "deployment plan" template highlighting the final state as well as all the intermediate steps to reach that state. The proposed plan needs to take into account existing conditions of the lab: lab size and layout, the sizes of the existing network equipment, and the minimal distance between NS and NR elements. D2 Schedules and Milestones: The earliest starting date is 1 July 2026, with a latest starting date of 1 September 2026. Workshops should be done and the solution presented to the team for approval by 15 July 2026 at the earliest, and 15 September 2026 at the latest. The final deployment plan taking into account the comments received should be delivered by 1 August 2026 at the earliest, and 1 October 2026 at the latest. D3. Organize the lab's cables, adapters and accessories. At the moment all the small size equipment in the lab (such as cables, converters, disks) is stored in the lab in an unorganized way. With the information collected in D1, organize a workshop with the NCSC team to brainstorm how to place the small size elements in the forensics lab room in a more organized way. Taking into account their ideas, the reality of the lab (its size and layout), propose your own recommendation about how to place it in a professional, functional, economical and aesthetical way. If new equipment needs to be purchased (e.g. drawers, cabinets, cases, labels), propose the elements to be purchased. D3 Scope of Work: Based on the inventory made in D1, propose the placement of the digital forensic accessories equipment. Document the proposal in a dedicated Confluence page. If new required elements need to be purchased, provide the list of such items together with their quantity, price and links to the products on vendors' websites; the new required elements must be purchased from companies from NATO member states. As an option, if feasible, propose a more efficient storage location outside of the lab. D3 Deliverables: A report with the new setup of the accessories in the form of Confluence pages. The report should contain: all items which need to be purchased, including URL links to the proposed products and their quantities and prices; a diagram in draw.io format showing the layout of the room indicating where the organised accessories are going to be placed; and all changes in the lab room which would need to be done to implement the proposal. D3 Acceptance Criteria: The final deliverable must follow the provided "deployment plan" template highlighting the final state as well as all the intermediate steps to reach that state. The proposed plan needs to take into account existing conditions of the lab: lab size and layout. D3 Schedules and Milestones: The earliest starting date is 1 July 2026, with a latest starting date of 1 September 2026. Workshops should be done and the solution presented to the team for approval by 15 July 2026 at the earliest, and 15 September 2026 at the latest. The final deployment plan taking into account the comments received should be delivered by 1 August 2026 at the earliest, and 1 October 2026 at the latest. D4. Propose new organisation for the SCF environment. With the information collected in D1, organize a few workshops with the NCSC team to collect the existing documentation of NS and NR SCF domains and primary use cases for the SCF environment. If there are any gaps in the existing documentation identified during the D1 phase, they need to be documented. Then, based on the information sources mentioned earlier, prepare a plan for how the existing SCF networks could be organized better to be used in a more optimal, functional and secure way. D4 Scope of Work: All devices connected to the existing NR SCF and NSF networks. These devices are located in the forensic lab in SHAPE. In total there are no more than 50 devices (servers, workstations, switches and appliances). D4 Deliverables: All points below relate to both NS SCF and NR SCF networks. Update the existing documentation regarding actual layouts of both networks depicting: physical layout (location in rooms and racks, connection to electrical sockets, connection to Universal Power Supplies, connection to network drops); network layer 2; network layer 3; physical vs virtual systems; domain information for each network; and identities, containing user accounts, administrator accounts and service accounts. Prepare and propose a plan for how the existing SCF networks could be organized better to be used in a more optimal, functional and secure way. This should include: a new proposed layout containing all information as above; a report on Confluence pages with embedded draw.io diagrams presenting the plan and the documented layouts; and, if new required elements need to be purchased, a list of such items together with their quantity, price and links to the products on vendors' websites (the new required elements must be purchased from companies from NATO member states). D4 Acceptance Criteria: The final deliverable must follow the provided "deployment plan" template highlighting the final state as well as all the intermediate steps to reach that state. D4 Schedules and Milestones: The earliest starting date is 1 July 2026, with a latest starting date of 1 September 2026. Workshops should be done and the solution presented to the team for approval by 15 July 2026 at the earliest, and 15 September 2026 at the latest. The final deployment plan taking into account the comments received should be delivered by 1 August 2026 at the earliest, and 1 October 2026 at the latest. D5. Implement the changes required and update the documentation. Once the changes are approved and the required new equipment proposed in D2, D3 and D4 is available, perform the changes during the approved window while minimizing the impact for end users. Some approved service interruptions (ASI) at specific times can be approved. Further adapt the documentation provided in earlier phases to the new organisation during and after implementation. D5 Scope of Work: This part of the work is dependent on the change proposals resulting from the previous tasks (D2, D3 and D4) of this work. D5 Deliverables: The enhancements to the SCF environment which were proposed in the previous stages of this work need to be installed and implemented after being approved and after the new proposed elements were purchased by the requestor (NCIA). D5 Acceptance Criteria: The enhancements proposed and approved in previous stages (D2, D3 and D4) are installed and implemented. D5 Schedules and Milestones: The earliest starting date is 1 September 2026, with a latest starting date of 1 October 2026. Implementation should be finalized and ready for User Acceptance Test (UAT) by 1 October 2026 at the earliest, and 1 November 2026 at the latest. UAT should be completed with findings addressed and final documentation updated by 1 November 2026 at the earliest, and 15 December 2026 at the latest. D6. (OPTION for 2027) Follow-up activities for implementation, maintenance and documentation. Following the execution of D5, any additional enhancement activity will be documented and the ones agreed by the service delivery manager will be collected and executed under this deliverable. D6 Scope of Work: This part of the work is dependent on work already done under D5 and identified as agreed follow-up activities in the realm of implementation, maintenance and documentation. D6 Deliverables: The enhancements to the SCF environment which were identified as additional in the previous stages of this work need to be installed and implemented after being approved and after the new proposed elements were purchased by the requestor (NCIA). D6 Acceptance Criteria: The enhancements proposed and approved after the previous stages (D5) are installed and implemented. D6 Schedules and Milestones: The earliest starting date is 1 January 2027, with a latest starting date of 1 February 2027. Implementation should be finalized and ready for UAT by 1 April 2027 at the earliest, and 1 May 2027 at the latest. UAT should be completed with findings addressed and final documentation updated by 1 May 2027 at the earliest, and 30 May 2027 at the latest. Rejection criteria: The client may reject deliverables if they do not meet the specified acceptance criteria or if they contain critical errors. A rejected deliverable must be corrected and resubmitted within 5 (five) business days. Further, the contractor must conduct the following reviews: a weekly touch point between NCSC – SEC004 Service Delivery Manager, or any other NCSC personnel designated by NCSC to follow the progress and correct the course of actions if needed. Structure and formatting of the deliverables: In addition to their specific acceptance criteria, each deliverable shall meet the following requirements: Language: the product shall be written in English, meeting the NATO STANAG 6001 Level 3 "Professional Proficiency". Intended Audience: the product shall be intended for Cyber Security Professionals, System/Network Administrators and their managers. Accuracy: the product shall accurately reflect what was done. Clarity and Conciseness: information shall be presented clearly and concisely, avoiding unnecessary jargon or complex language. Objectivity: the content shall be impartial and objective, presenting information without bias or personal interpretation. Structure: the product shall follow a logical structure such as a template when available. Timeliness: the product shall be prepared and distributed promptly after the assignment, ensuring that information is fresh and actionable. Formatting: consistent formatting shall be used throughout the document, including font style, size, headings, and spacing further directed by the Information and Knowledge Management Steering Group. Confidentiality: information processed by performing activities as part of this contract shall be handled in accordance with the NATO policy on Information Management. 6. COORDINATION AND REPORTING At the end of each deliverable, the R1 deliverable report (see Annex A) will be provided for validation by the SEC004 Service Delivery Manager. The report shall contain the dates of delivery according to the schedule defined for each deliverable (see Section 5 – Deliverables). The report will be prefilled by the service provider and includes as supporting documentation the list of deliverables produced including, where applicable, the links to the documentation portal and/or change management tool. 7. DELIVERABLES MILESTONES AND PAYMENT SCHEDULE Period of performance of this SOW will commence on 02 June 2026 and continue until 31 December 2026. An option can be exercised for follow-up activities in 2027; the decision about whether or not to exercise the option will be taken by end of November 2026. The payments shall be dependent upon successful acceptance of the Deliverable Report (R1) (Annex A). Invoices shall be accompanied with the Deliverable Report (R1) signed by the Contractor and service delivery manager. Payment is done at the end of each confirmed deliverable following the acceptance of R1. 7.1 2026 BASE: Period of performance from 02 June 2026 to 31 December 2026. Payment will be done as per the milestones below: D1 Due: 15 August 2026 D2 Due: 1 October 2026 D3 Due: 1 October 2026 D4 Due: 1 October 2026 D5 Due: 15 December 2026 The combined cost of deliverables cannot exceed the overall ceiling for this statement of work in the period of performance. 7.2 (OPTION) 2027 BASE: Period of performance from 01 January 2027 to 30 May 2027. Payment will be done as per the milestones below: D6 Option Due: 30 May 2027 Payment Schedule: once the deliverable is accepted, the provider sends the fully signed R1 (Annex A) together with its invoice through the Neo portal in order to receive payment. Penalty scheme: Delays of up to 5 business days incur no penalty. Delays of more than 5 and up to 10 business days incur a 5% penalty. Delays of more than 10 and up to 20 business days incur a 15% penalty. Delays of more than 20 business days incur a 25% penalty. Penalties are assessed based on the date at which the R1 is signed by the SDM compared to the planned scheduled and maximum delivery date. Note: a penalty can be reduced or cancelled if the delays are the consequence of NCIA personnel; this must be proven by the provider. 8. SKILLS [See Requirements] 9. WORK EXECUTION The services will be mainly executed on premise in SHAPE, Mons, Belgium. Occasionally, remote working may be allowed at the discretion of NCSC when it does not negatively impact the delivery. NCIA IT equipment will be provided (NCSC NROP laptop and/or NCIA NR laptop) plus access to NCSC SCF workstations. Results of the work will be provided as stated in paragraph 6 – Coordination and Reporting. 10. TRAVEL Daily presence on SHAPE, Mons, Belgium is expected to deliver according to performance goals. All travel costs associated with the delivery of the service should be included in the quoted price. No additional cost for travel (including accommodation, per diem, travel expenses, etc.) will be claimed separately. All travel arrangements are the responsibility of the contractor. 11. SECURITY AND NON-DISCLOSURE AGREEMENT Any resource providing services under this SOW must be in possession of a security clearance NATO COSMIC TOP SECRET. The signature of a Non-Disclosure Agreement between any Service Provider's individuals contributing to this task and NCIA will be required prior to execution. Requirements 8. SKILLS Services under the current SOW are to be delivered by one or multiple resources that must meet the following experience, qualities and qualifications: Demonstrable minimum 3 years of experience as system administrator Good knowledge of the OSI layers and protocols such as TCP/IP, 802.1x, VLANs Knowledge of digital forensics principles such as chain of custody and forensically sound acquisition processes Knowledge of tools such as Microsoft Office (Word, Excel, Power Point and Visio) Knowledge of ITILv4 processes and change management principles Demonstrable 2 years of experience with Atlassian Confluence Demonstrable 2 years of experience with draw.io or similar network diagram tools Demonstrable 3 years of experience of advising companies with digital forensics processes At least 1 relevant certification pertaining to digital forensics: CISSP, MCFE, SANS GIAC, or equivalent Good English writing and speaking skills (NATO STANAG 3333) Soft skills: Accuracy and Attention to Details (Precision), Patience and Persistence, Methodical Organization, Time Management and Prioritization, Effective Communication. Further Details: Each provider of this service must pass an assessment to demonstrate proficiency before being approved to provide the service. This will take the form of a short remote interview with key NCSC staff. NCSC reserves the right to perform an evaluation of the candidate(s) designated by the supplier in the form of conversations and challenges that will test the required skills. Should the candidate(s) fail the test, the supplier would need to propose other candidate(s). The provider shall minimize the rotation of resources performing the contract to the absolute minimum to ensure continuity of service and to maintain the onboarding overhead on the NCSC side at a reasonable level. After approval of the resource, the provider must communicate the starting date and all onboarding documents at least 3 weeks prior to the starting date to the NCSC point of contact. It is the responsibility of the provider to inform and ensure each resource can comply with the requirements to obtain a SHAPE ID on their starting day. This includes among others the clearance (RFV) and the mandatory registration in a Belgian commune. 11. SECURITY AND NON-DISCLOSURE AGREEMENT Any resource providing services under this SOW must be in possession of a security clearance NATO COSMIC TOP SECRET. The signature of a Non-Disclosure Agreement between any Service Provider's individuals contributing to this task and NCIA will be required prior to execution.