Deadline Date: Friday 5 September 2025
Requirement: Adversary Emulation Tool Management Support for NATO Cyber Security Centre’s Assess Branch
Location: Mons, BE
Full Time On-Site: Yes
Time On-Site: 100%
Period of Performance: As soon as possible but not later than 13 October 2025 until 31 December 2025, with possibility to exercise the following options:
• 2026 Option: 1st January until 31st December 2026
• 2027 Option: 1st January until 31st December 2027
• 2028 Option: 1st January until 31st December 2028
Required Security Clearance: NATO COSMIC TOP SECRET
1. INTRODUCTION
The NCI Agency has been established with a view to meeting the collective requirements of some or all NATO nations in the fields of capability delivery and service provision related to Consultation, Command & Control as well as Communications, Information and Cyber Defence functions, thereby also facilitating the integration of Intelligence, Surveillance, Reconnaissance, Target Acquisition functions and their associated information exchange.
2. BACKGROUND
The NCI Agency has been established with a view to meeting the collective requirements of some or all NATO nations in the fields of capability delivery and service provision related to Consultation, Command & Control as well as Communications, Information and Cyber Defence functions, thereby also facilitating the integration of Intelligence, Surveillance, Reconnaissance, Target Acquisition functions and their associated information exchange.
The NATO Cyber Security Centre (NCSC) is a team of over 200 members working to monitor and protect NATO networks. NCSC’s role is to deliver robust security services to the NATO Enterprise and NATO Allied Operations and Missions (AOM).
In order to execute this service, the NCI Agency is seeking additional support through contracted resources (or consulting) to support the service undertaken by the NATO Cyber Security Centre (NCSC) in the area of Communications and Information System (CIS) security, cyber defence and cyberspace operations. To support NCSC for the execution of tasks identified in the subject work package of the project, the NCIA is looking for subject matter expertise in the delivery of complex, foundational and novel Cybersecurity capability.
This contract is to provide consistent support on a deliverable-based (completion-type) contract, to NCSC contributing to its mission based on the deliverables that are described in the scope of work below.
3. OBJECTIVE
The objective of this statement of work (SoW) is to outline the scope of service and deliverables for the Adversary Emulation Tool Management to be conducted by the selected company in order to provide support to NATO Cyber Security Centre (NCSC) to fulfil identified Tool Management operation and maintenance activities more effectively.
The NCSC is responsible to defend NATO networks on a 24/7 basis and to share relevant cyber information with all its stakeholders. To achieve these objectives, it requires a significant amount of coordination and decision making within and outside the boundaries of NCSC. In an effort to better capture the meeting minutes, share them efficiently with the stakeholders and track decision that are made in such meetings, the NCSC is seeking support from industry. This Statement of Work (SoW) defines the expectations for this support to materialize.
The current expectation is that there will be one to several meetings to support on a daily basis, during weekdays.
4. SCOPE OF WORK
The aim of this SOW is to support NCSC with technical expertise specifically related to the system administration of the Adversary Emulation breach and attack simulation platform with a deliverable-based contract to be executed in 2025.
This task includes system administration, documentation, data analysis, reporting and troubleshoot of the Adversary Emulation breach and attack simulation platform. For the provision of consistent support and the execution of the task, NCIA will get subject matter expertise from the industry with a service (deliverable based/completion type) based AAS framework contract in the delivery of requested capability.
Under the direction / guidance of the NCSC Point of Contact, a contractor’s personnel will be the part of the NCSC Team supporting the following activities:
1) System administration, monitoring and reporting :
a) Install, configure, update Linux operating systems,
b) Manage user accounts, permissions and security,
c) Configure network service (DNS, DHCP, NFS, SSH),
d) Proactively review logs and alerts to identify any technical issues, errors, or failures in the monitoring process,
e) Produce and distribute reports related to system health, monitoring activities, and compliance status (, audit logs, system performance metrics).
f) Daily: Verify the system is healthy (Check CPU, memory, disk usage, etc.), if not resolve the issues to make system up and running.
g) Daily: Review logs for errors or anomalies.
h) Daily: Respond quickly to outages or system alerts.
i) Daily: Check ITSM and take an action for requests, changes and incidents
2) System Documentation:
a) Document configuration and changes: Keep up-to-date documentation of all configurations, integration steps, troubleshooting procedures, and system maintenance tasks,
b) Maintain an inventory: Keep track of all integrated identity sources, IAM systems, and external tools.
c) Weekly: Do the maintenance (Schedule and apply updates, check system resources, etc.)
d) Weekly: Periodically test backup restores to ensure data integrity.
e) Weekly: Identify and resolve performance bottlenecks or capacity issues.
3) Automation and Scripting
a) Improve system efficiency: Identify areas where automation could reduce manual intervention and improve operational efficiency.
b) Monthly: Analyse trends in resource usage and plan for upgrades.
c) Monthly: Ensure service levels are met; report to stakeholders.
d) Monthly: Verify and update hardware/software inventory.
The services related to the activities above will be delivered in Sprints, and each sprint will have the duration 5 working days.
The content and scope of each sprint will be agreed during the sprint-planning meetings as covered in this section 5.
5. SPRINTS PLANNING, EXECUTION, REVIEW AND PAYMENT
Due to the AGILE approach of this project, the deliverables will be provided for each sprint as well as their associated acceptance criteria at the beginning of the sprint.
This includes sprint planning, execution and review processes, which are detailed below:
Sprint Planning:
• Objective: Plan the objectives for the upcoming sprint
• Kick-off meeting: Conduct a monthly meeting with the contractor’s personnel to plan the objectives of upcoming sprints and review contractor`s manpower to meet the agreed deliverables.
• Set sprint goals: Define clear, achievable goals for the sprint and associated acceptance criteria, including specific delivery targets, Quality standards as well as Key Performance Indicators (KPIs) for each task to be recorded in the sprint meeting minutes.
• Agree on the required deliverables for each sprint.
• Backlog Review: Review and priorities the backlog of tasks, issues, and improvements from previous sprints.
• Assess each payment milestone cycle duration of one calendar month. State of completion and validation of each sprint status and sign off sprints to be submitted for payment as covered in Section 5.
Sprint Execution
• Objective: Contractor’s personnel to execute the agreed “sprint plans” with continuous monitoring and adjustments.
• Regular meetings between NCIA and the Contractor’s personnel to review sprint progress, address issues, and make necessary adjustments to the processes or production methodology. The Meetings will be physically in the office.
• Continuous improvement: Contractor’s personnel to establish a continuous feedback loop to gather input from all stakeholders for ongoing improvements and their subsequent implementation depending on NCIA approval.
• Progress Tracking: Contractor’s personnel to use a shared dashboard or tool to track the status of the sprint deliveries and any issues.
• Quality Assurance/Quality Check: Contractor’s personnel shall ensure that the quality standards agreed for the sprint deliverables are maintained throughout the sprint.
• Quality Control: NCIA to perform the Final Quality Control of the agreed deliverables and provide feedback on any issues.
Sprint Review
• Objective: Review the sprint performance and identify areas for improvement.
• At the end of each sprint, there will be a meeting between the NCIA and the Contractor personnel to review the outcomes against the acceptance criteria comprising sprint goals, agreed quality criteria and Key Performance Indicators (KPIs).
• Define specific actions to address issues and enhance the next sprint.
Sprint Payment
• Payment Schedule will be monthly for the completed and accepted sprints within the month.
• For each 4 (four) sprints to be considered as complete and payable, the contractor must report the outcome of the service during the sprint, first verbally during the retrospective sprint review meeting and then in writing within five days after the 4th sprint’s end date. A report must be sent by email to the NCI Agency service manager, listing all the work achieved against the agreed tasking list set for the sprint.
• The contractor's payment for each set of 4 (four) sprints will be depending upon the achievement of agreed Acceptance Criteria for each task, defined at the sprint planning stage. This will include specific delivery targets, quality standards as well as Key Performance Indicators (KPIs) for each task.
• The payment shall be dependent upon successful acceptance of the Delivery Acceptance Sheet (DAS) – (Annex B) Payment will be provided based on these deliveries as indicated in the table. Invoices shall be accompanied with a Delivery Acceptance Sheet (Annex B) signed by the Contractor and project authority.
• If the contractor fails to meet the agreed Acceptance criteria for any task, the NCI Agency reserves the right to withhold payment for that task/sprint.
6. DELIVERABLES AND PAYMENT MILESTONES
The following deliverables are expected from the service on this SoW in 2025:
1) Complete the activities/tasks agreed in each sprint meeting as per sections 4 above.
2) Produce sprint completion reports (format: e-mail update), which include details of activities performed and the list of the deliverables of the week.
3) The contractor’s personnel will participate in the daily reporting and planning activities (daily stand-ups) as well as the required participation in workshops, events and conferences related to the supported services, as requested by the service delivery manager.
4) Payment schedule will be according to the payment milestones upon completion of the respective sprint. Upon completion and validation of each sprint and at the end of the monthly milestone, following the acceptance of the sprint report.
5) The Purchaser (NCIA) reserves the right to exercise a number of options of one or more sprints based on the same deliverables, at a later time, depending on the project priorities and requirements, at the following cost: for base year (2025) at the same cost, for following years (2026-2028) the Price Adjustment Formula will be applied in accordance with paragraph of the Framework Contract Special Provisions.
6) The payment shall be dependent upon successful acceptance of the sprint report and the Delivery Acceptance Sheet (DAS) – (annex B).
7) Invoices shall be accompanied with a Delivery Acceptance Sheet (annex B) signed by the contractor and the NCIA POC
2025 BASE: Period of Performance 13th October 2025 to 31st December 2025
Deliverable: 11 sprints to support NCSC Assess Branch with CVA DCIS as described in Para 4 (Number of sprints is estimated and will be adjusted based on actual starting date.)
Payment Milestones: Monthly payment for the completed and accepted sprints within the month. Completion of each sprint shall be accompanied documented in Delivery Acceptance Sheet (DAS) – (Annex B), signed for acceptance by the Purchaser’s authorized point of contact and the Contractor
2026, 2027, 2028 Option: 1 January to 31 December:
Deliverable: 46 sprints to support NCSC Assess Branch with CVA DCIS as described in Para 4
Cost Ceiling: Price will be determined by applying the price adjustment formula as outlined in CO‐115786‐ AAS+ Special Provisions article
Payment Milestones: Monthly payment for the completed and accepted sprints within the month. Completion of each sprint shall be accompanied documented in Delivery Acceptance Sheet (DAS) – (Annex B), signed for acceptance by the Purchaser’s authorized point of contact and the Contractor
7. ACCEPTANCE AND REJECTION CRITERIA
a) Acceptance Criteria
Quality of service reached NATO standards
Tasks are completed within the assigned time
Performances are as defined by the line manager
Accuracy: the product shall accurately reflect what was discussed, decided, and action items assigned during the meeting.
Clarity and Conciseness: Information shall be presented clearly and concisely, avoiding unnecessary jargon or complex language.
Objectivity: the content shall be impartial and objective, presenting information without bias or personal interpretation.
Structure: the product shall follow a logical structure, typically including sections such as agenda, attendees, discussions, decisions, action items, and any other relevant information.
Timeliness: the product shall be prepared and distributed promptly after the meeting, ensuring that information is fresh and actionable. It is expected a maximum of two times the length of the meeting for the time required to prepare and share the product to the meeting audience for initial review.
Formatting: Consistent formatting shall be used throughout the document, including font style, size, headings, and spacing.
Confidentiality: Sensitive information discussed prior, during and after meetings shall be handled in accordance with the NATO policy on Information Management.
b) Rejection Criteria
Quality of service is low
Tasks are not completed within the assigned time
Performances are not as defined by the line manager
c) A replacement will be requested if the contractor cannot fulfil the tasks as explained in rejection criteria.
d) Payment will not be done if the sprint is not completed.
8. PENALTY AND REJECTION PROCESS
If the contractor’s personnel does not meet the service expectation based on the CV presented, the assigned tasks are not performed as expected based on NATO standards or the finalization of the assigned tasks are not done within the given time, the sprint will not be accepted and the service will not be paid.
If any of the above mentioned issues persist, the outsourcing partner will be asked to provide a replacement.
9. COORDINATION AND REPORTING
The contractor’s personnel shall participate in daily status update meetings, activity planning and other meetings as instructed, physically in the office, or in person via digital means using conference call capabilities, according to the manager’s / team leader’s instructions.
At the end of the project, the contractor’s personnel shall provide a Project Closure Report that is summarizing the activities during the period of performance at high level.
10. SCHEDULE
This task order will be active immediately after signing of the contract by both parties.
It is expected the service starts as soon as possible but no later than 13th October 2025 and
ending no later than 31st December 2025.
If the 2026 option is exercised, the period of performance is 01st January 2026 to 31st December 2026.
If the 2027 option is exercised, the period of performance is 01st January 2027 to 31st December 2027.
If the 2028 option is exercised, the period of performance is 01st January 2028 to 31st December 2028
11. CONSTRAINTS
All the deliverables provided under this statement of work will be based on NCIA templates or agreed with the project point of contact.
All documentation etc. will be stored under configuration management and/or in the provided NCIA tools.
12. SECURITY AND NON-DISCLOSURE AGREEMENT
It is mandatory to have the candidate be in possession of a COSMIC TOP SECRET security clearance to facilitate follow-on engagements and coordination at NATO venues.
The signature of a Non-Disclosure Agreement between the contractor contributing to this task and NCIA will be required prior to execution.
13. PRACTICAL ARRANGEMENTS
This service must be accomplished by a SINGLE RESOURCE for the entire duration of the contract.
Place of Performance: The contractor’s personnel will be required to provide the service onsite in SHAPE, Mons / BEL. The services will be mainly executed on premise in SHAPE, Mons Belgium. Daily presence on SHAPE, Mons Belgium is expected to deliver according to performance goals.
Hours of Operation Service: The service will be conducted during normal office hours (Monday to Thursday from 08h30 until 17h30 and Friday from 08h30 until 15h30) following the Mons/BEL calendar.
Travel: No travel expected. The contractor’s personnel will not be required to travel to other NATO locations as part of his/her role. Regular travel costs to and from main location of the service (SHAPE) are out of scope and will be borne by the contractor’s personnel.
For exceptional travel, then it will be the responsibility of the contractor and the expenses will be reimbursed in accordance with Article of AAS Framework Contract and within the limits of the NCIA Travel Directive. They will be invoiced separately to the purchaser by the service provider, in accordance with the terms and conditions of the framework agreement. These additional travel costs are considered an extra charge to the overall bid price.
NCIA Furnished Property and Services: NCIA IT equipment will be provided (Reach laptop, NCSC NROP laptop & NCSC NSOP workstation).
The Purchaser will provide the contractor’s personnel with the following Purchaser-Furnished Equipment (PFE):
Access to NATO sites, as required, for the purpose of executing this SOW.
Workspace (needed business IT for on-site service, hot-desk at NCSC facility).
NCIA “REACH” laptop to be used by the contractor’s personnel for the execution of the contract.
14. REQUIRED PROFILE
[See Requirements]
Requirements
12. SECURITY AND NON-DISCLOSURE AGREEMENT
1. It is mandatory to have the candidate be in possession of a COSMIC TOP SECRET security clearance to facilitate follow-on engagements and coordination at NATO venues.
14. REQUIRED PROFILE
The contractor’s personnel that is going to perform the identified tasks to support the Adversary Emulation Tool Management must have demonstrated skills, knowledge and experience as listed below.
Service Activities performed by a contractor’s personnel include the lifecycle management of the Adversary Emulation software (including all tasks related to A2SL inclusion), its configuration to ensure coverage of all Adversary Emulation targets, and the regular monitoring of the availability of the capability.
They will act as tool management SME and must have strong proficiency in spoken and written English and must comply with these following requirements:
2. Bachelor's degree in Computer Science, Information Technology, or related field or at least 6 years of experience,
3. 3+ years of relevant experience in IT security, with a focus on System Administration, Security Tools Management in large organisations.
Relevant and proven experience acquired during the 3+ years time:
4. Linux Systems administration(Install/configure/maintain Linux based servers, apply system updates/patches, monitor system performance/logs, manage users/permissions/settings of the platform),
5. Docker management (maintain Docker containers, troubleshoot Docker based applications and volumes),
6. Strong understanding of security best practices,
7. IP switching and routing, experience in network troubleshooting
8. Virtual Infrastructure understanding based on VMWare technologies,
9. Good engineering skills including programming and/or scripting knowledge (python, shell scripting, PowerShell),
10. Demonstrable experience of analysing and interpreting logs in order to diagnose faults and spot abnormal behaviours,
11. Experience in Proxy management (Configure/maintain proxy, implement routing rules/access control),
In addition, the tool manager should have a good understanding of:
12. NATO organization and its IT infrastructure,
13. Service Management, monitoring and reporting tools, such as Solarwinds,
14. ITIL Service Management,
15. System instrumentation solutions such as Ansible,
16. Certifications such as CISSP, CISM, or CISA, or equivalent,
17. An international environment comprising both military and civilian elements.