Deadline Date: Wednesday 25 February 2026
Requirement: Security Accreditation Activities
Location: Mons, BE
Full Time On-Site: Yes
Time On-Site: 100%
Period of Performance: 2026 BASE: 1st April 2026 – 31st December 2026
Start date is as soon as possible but not later than 1st April 2026 with possibility to exercise the following options:
2027 Option: 1st January 2027 until 31st December 2027
2028 Option: 1st January 2028 until 31st December 2028
Required Security Clearance: NATO SECRET
1. INTRODUCTION
The NATO Communications and Information Agency (NCIA) located in Mons, Belgium, is responsible for the security compliance of all its managed CIS capabilities throughout the Alliance. A critical activity in this domain is the continuous update of related documentation to capture the security posture of each site in terms of people, processes and technology.
The Contractor’s personnel will work on-site and embedded into a CIS Capability Support team of six staff, who provide CIS Engineering support to end-users.
After the on-boarding, contractor’s personnel will be provided with documentation related to NATO specific security policies and guidelines.
2. OBJECTIVES
The main objectives are:
To produce, review and maintain a document repository which contains up-to-date security related documentation of each remote site (approximately 54 sites).
To create security accreditation documentation for four (4) CIS systems.
3. SCOPE OF WORK
In close coordination with the Site Security Officer (SSO) at each remote site, the CIS capability Service Delivery manager and the NCIA Security Accreditation Office, the Contractor’s personnel shall perform the following activities:
Review existing security documentation and update it as required, to ensure compliance with security guidelines
Maintain a document library that contains the most updated site and system security documentation
Establish periodic communication with Site Security Officers to trigger and monitor their actions in updating site specific documentation within the agreed timelines
Create, and present to the customer, a periodic report that shows the security compliancy and pending actions of each site in terms of security related documentation
Keep existing user and administrator CIS Security Operating Procedures up-to-date
Create a basic training package, in PowerPoint format, that describes the actions each Site Security Officer shall perform to maintain local security documentation in compliance with security directives and guidelines
Review and provide constructive feedback on:
Security Test and Verification Plans and Reports (STVP / STVR)
CIS Security description documents related to managed CIS systems
4. PAYMENT MILESTONES AND DELIVERABLES
The prioritized list of sites and systems will be determined and agreed in writing at the kick-off meetings in the format of a Work Package (from 1 to 10). These meetings are held at the location of performance at the start of each work package.
Payments shall be made upon completion and acceptance of the following deliverable groupings:
Each group of nine (9) Remote Site Security Accreditation Packages (including deliverables D001 and D002, as defined in para below); OR
Each individual CIS Systems Security Accreditation Package (comprising deliverables D003 to D007, as defined in para below)
Each payment shall be equal to 1/10th of the overall amount of the BASE contract.
The deliverables, acceptance criteria and payment milestones and payment modalities included in this SOW shall be applicable for the 2026 BASE contract, as well as for the 2027 and 2028 OPTIONS (if exercised).
Each payment shall be dependent upon successful acceptance of the Delivery Acceptance Sheet (DAS) – (Annex B) signed by both the Contractor and the NCIA POC. No partial payments shall be made for partially completed Work Packages.
The DAS shall be sent via email to the NCIA POC.
The DAS report shall include the deliverables related to the agreed scope of the work package (see para All deliverables shall comply with the content and acceptance criteria below:
D001: Node Security Compliant Statement (NSCS) template (site-specific)
Acceptance Criteria for D001:
The following sections of the NSCS template shall be filled-in with site relevant information:
1. General information (Location/Address, Node name and Type)
2. Point of Contacts
3. Physical Environment Information (detailed info about location of CIS equipment)
4. List of security related documents already available at each site
5. COMSEC/COMPUSEC Compliance (Facility zoning info, Tempest certificates numbers)
6. CIS Information Exchange Requirements
7. Network Diagram/Physical Layout
D002: Site Installation Report (site-specific)
Acceptance Criteria for D002:
The following sections of the Site Installation Report shall be filled in with site relevant information:
8. List of CIS equipment installed
9. Physical layout, including CIS device’s location
10. Network diagram
11. List of site Point of Contacts
12. Security Test and Validation Report
D003: Security Test and Verification Plan and Report (system-specific)
Acceptance Criteria for D003:
The following sections of the Site Installation Report shall be filled in with system relevant information:
13. Test procedures for each Section listed in Technical and Implementation Directive on CIS Security, that will be provided to the contractor’s personnel during onboarding
14. Applicability of the test to specific system tier/component
15. Verification methods
16. Clarifications/Comments
D004: CIS Description template (system-specific)
Acceptance Criteria for D004:
The following sections of the CIS Description template shall be filled-in with system relevant information:
17. General information about the system (including user facing components, functionality perspective)
18. Technical description: System architecture; Multi-tier model; Security components
19. Network configuration: Network diagrams; Information Exchange Requirements; External Connections
20. Physical locations of CIS equipment
21. Hardware and Software (baseline)
D005: Site Security Officer Training Package (system-specific)
Acceptance Criteria for D005:
A minimum of 25 and a maximum of 35 PowerPoint slides with detailed Notes section
Content:
22. NCIA General information (1 slide)
23. Supporting Team introduction (2 slides)
24. Security principles (3-5 slides)
25. Accreditation principles (3-5 slides)
26. Accreditation process for CIS systems – process and responsibilities (5-8 slides)
27. Accreditation and re-accreditation of the Single System Node – process and responsibilities (5-8 slides)
28. Node Security Compliance Statement document structure and description (5-8 slides)
D006: User and Admin Security Operations Procedures (SecOPs) (system-specific)
Acceptance Criteria for D006:
User SecOPs Content
29. Introduction, general description of the SecOPs
30. Administration and Organization of Security
31. Physical Security
32. Personnel Security
33. Security of Information
34. CIS Security
35. Security Incidents Handling
36. Emission Security
Admin SecOPs Content
37. Introduction, general description of the SecOPs
38. Administration and Organization of Security
39. Physical Security
40. Personnel Security
41. Security of Information
42. CIS Security
43. Software Security
44. Security Management and Audit
45. Cryptographic Security
46. Emission Security
47. Emergency and Business Continuity
48. Configuration Management
49. Security Incidents Handling
D007: System-specific Security Requirement Statement (SSRS) (system-specific)
Acceptance Criteria for D007:
The following sections of the SSRS document shall be filled-in with system relevant information:
50. Introduction
51. Brief system description
52. Security authorities for the system
53. Security management staff
54. Security requirement
55. List of all security measures included in Technical and Implementation Directive on CIS Security that will be provided to the contractor’s personnel during onboarding
56. Applicability to the system
57. Implementation Details
5. COORDINATION AND REPORTING
The Contractor’s personnel shall participate in weekly status update meetings, physically in the office, as scheduled by the Service Delivery Manager instructions.
The Contractor’s personnel shall provide a progress update in Excel format of the deliverables to the NCIA POC, during scheduled service review meetings (see para
6. SCHEDULE
The BASE period of performance is: as soon as possible but not later than 1st April 2026 and will end no later than 31st December 2026.
If the 2027 option is exercised, the period of performance is 1st January 2027 to 31st December 2027.
If the 2028 option is exercised, the period of performance is 1st January 2028 to 31st December 2028.
The Contractor’s personnel shall deliver services on-site: Monday – Thursday between 08:30 and 17:30, and Friday between 08:30 and 15:30 hrs.
7. CONSTRAINTS
All the deliverables provided under this statement of work will be based on NCIA templates or agreed with the NCIA Service Delivery Manager.
All the documentation delivered by the Contractor will be stored in the provided NCIA repositories.
8. SECURITY
All the deliverables of this project will be considered up-to NATO SECRET.
A valid security clearance at the level of NATO SECRET or above is expected for the Contractor’s personnel undertaking this project.
9. PRACTICAL ARRANGEMENTS
The work described in this SoW shall be accomplished by a single member (one) of the Contractor’s personnel.
10. TRAVEL
This Task Order may require travel to up-to five remote sites in Europe, for maximum two full days per each trip (travel time excluded). The travel, lodging and associated expenses for travel are included in the price of the bid (NTE), such that the purchaser shall not be invoiced.
11. MEETINGS
The Contractor’s personnel shall participate as a minimum to the following meetings:
Weekly team meetings: focused on team / individual progress and tasks assignment;
Quarterly review meeting:
Highlight major achievements and issues encountered during the reporting period, including remediation actions taken.
Compliance with the performance requirements of this SoW.
Provide trends data for the past and previous quarters (number of NCSC templates prepared, number of sites accredited, etc.)
12. EXPERIENCE AND QUALIFICATIONS
[See Requirements]
13. KEY PERFORMANCE INDICATORS
Unless stipulated differently, the Contractor’s personnel’s performance shall be assessed quarterly, with each quarter assessed independently.
Contractor’s personnel are expected to successfully complete a minimum of three work packages per quarter.
Failure to achieve the threshold mentioned in para by the Contractor’s personnel in any given quarter, may be grounds for a partial Termination For The Convenience Of The Purchaser, with the requirement subsequently released for competition. This determination is a unilateral right of the Purchaser, is a function of the Terms and Conditions of this contract, and is not subject to dispute or to any claim for monetary compensation.
Requirements
8. SECURITY
58. A valid security clearance at the level of NATO SECRET or above is expected for the Contractor’s personnel undertaking this project.
12. EXPERIENCE AND QUALIFICATIONS
59. Comprehensive knowledge of the principles of computers and communication security, networking, and the vulnerabilities of modern operating systems and applications.
60. At least five years of experience developing, maintaining, and updating CIS Security policies, standards, procedures and guidelines.
61. Proven track record of mapping organizational security documentation to the CIS Security Controls and supporting compliance and audit readiness efforts.
62. Hands-on experience conducting periodic reviews, gap analyses, and continuous improvement of security documentation to reflect evolving regulatory requirements.
63. At least five years of experience collaborating with technical, operational and compliance stakeholders to ensure security procedures are accurate and aligned with the business risk management objectives
64. Demonstrable previous experience in maintaining version-controlled security documentation repositories and ensuring proper change management, approval workflow and traceability
65. At least three years of experience planning, conducting and documenting security testing and verification activities, such as control validation, CIS system configuration reviews and procedural walk-throughs, to confirm the effectiveness and operational readiness of CIS-security aligned security controls
66. Very good knowledge of spoken and written English as work is conducted in English
67. The possession of one or more of the following industry certifications will be considered as an asset: Certified Information Systems Security Professional (CISSP); Certified Information Security Manager (CISM); Certified in Risk and Information Systems Control