1. Bidding Instructions
1.1 Technical Proposal
Bidders shall submit a proposal clearly providing the following information:
a: The proposed approach to address the required scope of work and the required delivery and milestones plan.
b: CVs of the assigned resource(s) for the project. It is up to the bidder to propose the size of the team that executes the work and produces the deliverables in the time line allocated.
c: A compliancy matrix clearly stating how your proposal meets the deliverables/performance goals outlined in Part 2, Section 5.
Deadline Date: Friday 12 June 2026
Requirement: NIAPC Content Management
Location: Braine l’Alleud, BE (2026); Brussels (Evere), BE from Q3 2027 (2027 Option); Brussels (Evere), BE (2028 Option)
Period of Performance: 2026 BASE: As soon as possible but not later than 3 August 2026 – 23 December 2026, with possibility to exercise the following options:
2027 Option: 2 January 2027 – 23 December 2027;
2028 Option: 2 January 2028 – 23 December 2028
Required Security Clearance: NATO SECRET
1. Introduction
NCIA has been established with a view to meeting the collective requirements of some or all NATO nations in the fields of capability delivery and service provision related to Consultation, Command & Control as well as Communications, Information and Cyber Defense functions, thereby also facilitating the integration of Intelligence, Surveillance, Reconnaissance, Target Acquisition functions and their associated information exchange.
The NATO Cyber Security Centre (NCSC) is a team of over 200 members working to monitor and protect NATO networks. In the NCSC’s role to deliver robust security services to the NATO Enterprise and NATO Allied Operations and Missions (AOM), the center executes a portfolio of programs and projects around 219 MEUR per year, in order to uplift and enhance critical cyber security services. The Portfolio ranges from Program of Work (POW) activities funded via the NATO Military Budget (MB) to Critical/Urgent Requirements (CURs/URs) and NATO Security Investment Program (NSIP) projects funded via the Investment Budget (IB). In some edge cases, projects are also funded via the Civilian Budget (CB). Projects can span multiple years and are governed by various frameworks, including the Common Funded Capability Development Governance Framework (CFCDGM).
The NATO Information Assurance Product Catalogue (NIAPC) is an authoritative catalogue mandated under AC/322 directives and delivered as a funded service under NCSC INFORM SEC036. The NIAPC was developed initially under directive AC/322-D(2010)0042 (22 Sep 2010) later on superseded by AC/322-D(2019)0041 REV1 – Technical and Implementation Directive on Introducing Secure Systems and Solutions (Appendix B / NIAPC).
The catalogue provides a single point of reference for the initial selection of security enforcing products. Its effectiveness is further extended by the inclusion of lists of common specifications, in the form of protection profiles, as used in Common Criteria certification (both Protection Profiles (PPs) and collaborative protection profiles (cPPs)) together with their associated supporting documents as described in Appendix A of this Directive.
The catalogue may also contain national requirements (such as national specifications, national Requirement Profiles for Product Types, etc.) by an NCSA, provided these are relevant for the evaluation and approval of a product, hereinafter referred to as “Requirement Profiles”. These Requirement Profiles do not necessarily need to be CC compliant, but according to an assessment of the responsible NCSA, they should be essential and eligible for a listing in the NIAPC together with an approved product.
Since emission security and cryptographic security can form all or parts of the security features of a product, certified TEMPEST vendors, and approved Cryptographic Products and Mechanisms, are also listed in the catalogue.
The system is Internet facing, accessible publicly and can be found at
This Statement of Work defines outcome-based services to ensure controlled intake, catalogue accuracy, transparency of processing, and sustained service performance in compliance with Service-Based Contract NCIA/FC/2025/03519 directive.
2. Scope of Work
The Contractor shall deliver NIAPC service flavor outcomes, including controlled request intake, execution of approved workflows, maintenance of catalogue accuracy, and delivery of service reporting. The Contractor retains full responsibility for how capacity is organized to achieve these outcomes. This contract does not constitute staff augmentation.
3. Deliverables
The following outcomes are to be delivered:
Deliverable D1 – Controlled NIAPC Intake and Processing
Deliverable D1: All NIAPC-related requests are registered, processed, and closed using approved workflows with full traceability.
Acceptance Criteria A1: 0 orphaned or unmanaged requests at the time of reporting; ≥ 90% of requests follow the defined workflow (excluding justified exceptions); measurements executed on the NCIA COMS capability (Atlassian JIRA) where all workflows are executed; backlog levels are monitored and maintained in line with SLA2 (Section 4), as evidenced through reporting (D5).
D1 KPIs
KPI D1.KPI.Orphaned/Unmanaged Requests: Request Ownership Compliance. Definition: Percentage of requests with an assigned owner and active status. Formula: Ownership Compliance (%) = (Total Requests − Orphaned Requests) / Total Requests × 100. Target: 100% (0 orphaned/unmanaged requests). Data Source: JIRA fields (Assignee, Status). Reporting Frequency: Daily/Weekly. Alert Threshold:
Requirements
REQUIREMENTS
* 5 years’ experience of execution and governance of workflow-based service requests.
* 3 years’ experience in catalogue and content lifecycle management in regulated or public-sector environments.
* 3 years’ experience in management of multi-stakeholder approval workflows (NATO entities, Nations, vendors).
* 3 years’ experience in maintenance of traceability, accuracy, and auditability of service outputs.
* Demonstrated experience in production of service performance reports, including KPI and trend analysis.
* Demonstrated experience in the use of service management and collaboration tools (e.g., Jira, Confluence) to evidence delivery.
* Strong written professional communication skills suitable for policy-driven and politically sensitive contexts.
* Required Security Clearance: NATO SECRET clearance must be held at the start of the contract.