2025-0210 Cyberspace Ops Malware and Digital Forensics (CTS) BELGIUM - 7 Jul

Contract Type:  Contractor

Location:  Mons - Mons, Belgium

Industry:  NATO

Contact Name:  Tim Lane

Contact Email:  tim@plr.ltd

Contact Phone:  Tim Lane

Date Published:  25-Jun-2025

Deadline Date:  Monday 7 July 2025
 
Requirement:   Support to Cyberspace Operations Malware and Digital Forensics
 
Location:  Mons, BELGIUM
 
Time On-Site:  100%
 
Not to Exceed:  2025 BASE: 14 sprints * NTE 3,892 EUR (total NTE 54,495 EUR); 2026, 2027, 2028 options
 
Period of Performance:  2025 BASE: 1 Sep 2025 
 
Required Security Clearance:  NATO COSMIC TOP SECRET
 
Background:
The NCI Agency has been established with a view to meeting the collective requirements of some or all NATO nations in the fields of capability delivery and service provision related to Consultation, Command & Control as well as Communications, Information and Cyber Defence functions, thereby also facilitating the integration of Intelligence, Surveillance, Reconnaissance, Target Acquisition functions and their associated information exchange.
 
Introduction:

  • The NATO Cyber Security Centre (NCSC) is a team of over 200 members working to monitor and protect NATO networks. In the NCSC’s role to deliver robust security services to the NATO Enterprise and NATO Allied Operations and Missions (AOM), the centre executes a portfolio of programmes and projects of around 219 MEUR per year, in order to uplift and enhance critical cyber security services.
  • The Portfolio ranges from Programme of Work (POW) activities funded via the NATO Military Budget (MB) to Critical / Urgent Requirements (CURs/URs) and NATO Security Investment Programme (NSIP) projects funded via the Investment Budget (IB). In some edge cases, projects are also funded via the Civilian Budget (CB). Projects can span multiple years and are governed by various frameworks, including the Common Funded Capability Development Governance Framework (CFCDGM).
  • In order to execute this work, the NCI Agency requires support with the work undertaken by the NATO Cyber Security Centre (NCSC) in the area of Communications and Information System (CIS) security, cyber defence and cyberspace operations. This Statement of Work (SoW) specifies the required skillset and experience.
Purpose:
  • The NCSC, and more specifically the DEFEND branch, is responsible for defending NATO networks on a 24/7 basis and for supporting incident response by performing malware analysis and digital forensics. This involves, among other things: the analysis of malicious emails and payloads, the retrieval of forensic artefacts in a sound manner, the reverse engineering of binaries, and continuous improvement of scripting, automation and the environment.
Objectives:
  • This Statement of Work (SoW) outlines the services to be provided by the Contractor to NCSC for providing support to Cyber Operations malware and digital forensics.
Security and Non-Disclosure Agreement:
  • Any contracted individuals of the Contractor’s personnel must be in possession of a security clearance by their National Authority of NATO COSMIC TOP SECRET or above. The signature of a Non-Disclosure Agreement between any Contractor’s personnel contributing to this task and NCIA will be required prior to execution.
Practical Arrangements:
  • Services under the current SOW are to be delivered by ONE resource.
  • The services will be mainly executed on premises at SHAPE, Mons, Belgium.
  • The services may optionally be executed remotely during part of the duration of the contract, given prior written pre-approval from NCSC and only for specific durations.
  • The services can only be executed from NATO member countries.
  • NCIA IT equipment will be provided (NCSC NROP laptop and/or NCIA NRAIS laptop), plus access to an NCSC NSOP workstation.
  • Daily presence at SHAPE, Mons, Belgium is expected in order to deliver according to performance goals. A maximum of 2 trips per month to other locations in Belgium (NATO HQ in Brussels, NCIA offices in Braine L’Alleud) for meetings might be requested. No overnight stay required.
  • All travel costs are included in the quoted price. No additional cost for travel (including accommodation, per diem, travel expenses, etc.) will be claimed separately. All travel arrangements are the responsibility of the Contractor’s personnel.
  • No extra cost can be associated with the presence of any team member at SHAPE, Mons, Belgium.
  • For the extraordinary travel to other NATO locations, the expenses will be reimbursed in accordance with Article 5.5 of AAS Framework Contract and within the limits of the NCIA Travel Directive. They will be invoiced separately to the purchaser by the service provider, in accordance with the terms and conditions of the framework agreement.
  • These additional travel costs are considered an extra charge to the overall bid price.
  • The first 5 working days of a new resource (starting at the date the SHAPE ID was obtained) are considered familiarisation and handover/takeover period for which no payment will be made as no deliverable can reasonably be expected during that time.
  • The provider must communicate the starting date and all onboarding documents to the NCSC point of contact at least 3 weeks prior to the starting date.
Qualifications and Skills:
The Contractor’s Personnel must meet the following experience, qualities and qualifications:
  • Experience of at least 2 years in malware analysis techniques and technologies;
  • Experience of at least 2 years in analysis of digital forensic artefacts in the context of cyber security;
  • Experience of at least 2 years in cyber security in cloud-based environments;
  • Experience of at least 2 years in analysing Windows forensic artefacts such as Windows Event logs, UAL, MFT…
  • Experience of at least 2 years in writing scripts (Python, PowerShell) and building automation workflows;
  • Experience of at least 2 years in report writing about a technical task and communication with stakeholders;
  • Excellent ability to recognise when an IT network/system has been attacked, be able to take immediate action to limit damage and to escalate the event to higher authority;
  • Good knowledge of the principles of computer and communications security, networking, and vulnerabilities of modern operating systems and applications;
  • Good understanding of the MITRE ATT&CK framework and its applicability in Cyber;
  • Good knowledge of cyber security incident handling;
  • Knowledge of Azure Sentinel and Microsoft Defender for Endpoint;
  • Good knowledge of networking protocols;
  • Knowledge of Fidelis EDR is an asset;
  • Language proficiency in English must meet or exceed the NATO STANAG 6001 Level 3 “Professional Proficiency”.
  • The contractor shall be dressed suitably for meetings with high-ranking officials. No religious sign shall be worn during such meetings.
  • The contractor shall actively collaborate during internal meetings and touch-point discussions to improve the quality of services.
  • Strong reporting skills to various levels of seniority.
  • Accuracy and attention to detail.
  • Previous experience in working for or supporting a military or governmental organization is an asset.
