Deadline Date:
Tuesday 16 September 2025
Requirement:
Continuous Vulnerability Assessment (CVA) Analyst Support for NCSC Assess Branch
Location:
Mons, BELGIUM
Full Time On-Site:
Yes
Time On-Site:
100%
Not to Exceed:
2025 BASE: NTE € 3,195 / week (max 10 weeks, total NTE € 31,950).
2026 - 2027 and 2028 Options:
Period of Performance:
20 October 2025
Required Security Clearance:
NATO COSMIC TOP SECRET
- Current National or NATO SECRET clearance
- Nationality of one of the NATO member countries
- Current work visa for the specific location if applying for an in-country position
- The objective of this statement of work (SoW) is to outline the scope of work and deliverables for the Continuous Vulnerability Assessment (CVA) Analysis for Assess Branch.
- The purpose of the work package is to provide support to NATO Cyber Security Centre (NCSC) to fulfil identified Cyber Security Continuous Vulnerability Assessment (CVA) Analyst Support activities more effectively.
- NCIA has been established with a view to meeting the collective requirements of some or all NATO nations in the fields of capability delivery and service provision related to Consultation, Command & Control as well as Communications, Information and Cyber Defence functions, thereby also facilitating the integration of Intelligence, Surveillance, Reconnaissance, Target Acquisition functions and their associated information exchange.
- The NATO Cyber Security Centre (NCSC) is a team of over 200 members working to monitor and protect NATO networks. In the NCSC's role to deliver robust security services to the NATO Enterprise and NATO Allied Operations and Missions (AOM), the centre executes a portfolio of programmes and projects of around 219 MEUR per year, in order to uplift and enhance critical cyber security services. The portfolio ranges from Programme of Work (POW) activities funded via the NATO Military Budget (MB) to Critical / Urgent Requirements (CURs/URs) and NATO Security Investment Programme (NSIP) projects funded via the Investment Budget (IB). In some edge cases, projects are also funded via the Civilian Budget (CB). Projects can span multiple years and are governed by various frameworks, including the Common Funded Capability Development Governance Framework (CFCDGM).
- In order to execute this work, NCIA is seeking additional support through contracted resources (or consulting) to support the work undertaken by the NATO Cyber Security Centre (NCSC) in the area of Communications and Information System (CIS) security, cyber defence and cyberspace operations. This Statement of Work (SoW) specifies the required skillset and experience. To support NCSC for the execution of tasks identified in the subject work package of the project, NCIA is looking for subject matter expertise in the delivery of complex, foundational and novel Cybersecurity capability.
- This contract is to provide consistent support on a deliverable-based (completion-type) contract, to NCSC contributing to its mission based on the deliverables that are described in the scope of work below.
- The NCSC is responsible for defending NATO networks on a 24/7 basis and for sharing relevant cyber information with all its stakeholders. Achieving these objectives requires a significant amount of coordination and decision making within and outside the boundaries of NCSC. In an effort to better capture meeting minutes, share them efficiently with stakeholders and track the decisions made in such meetings, the NCSC is seeking support from industry. This Statement of Work (SoW) defines the expectations for this support to materialize.
- The current expectation is that there will be one or more meetings to support each day, during weekdays.
The aim of this SOW is to support NCSC with technical expertise specifically related to the operation and maintenance of Continuous Vulnerability Assessment (CVA) Analyst Support with a deliverable-based contract to be executed in 2025.
This task includes the analysis and reporting of data reported by the Continuous Vulnerability Assessment (CVA) Analyst Support. To provide consistent support and execute the task, NCIA will obtain subject matter expertise from industry through a service-based (deliverable-based / completion-type) AAS framework contract for the delivery of the requested capability.
The Cyber Continuous Vulnerability Assessment (CVA) support gives visibility and insight into the networks in the NATO environment, which in turn is critical to effective management, strong security and compliance, and efficient migrations and consolidations.
More broadly, NATO needs to be able to monitor the configuration of its domain controllers in order to prevent exploitation by malicious threat actors.
Under the direction / guidance of the NCSC Point of Contact, the contractor will be part of the NCSC Team supporting the following activities:
Monitoring and Reporting:
- Proactively review logs and alerts to identify any technical issues, errors, or failures in the monitoring process.
- Produce and distribute reports related to system health, monitoring activities, and compliance status (e.g., audit logs, system performance metrics).
- Document configuration and changes: keep up-to-date documentation of all configurations, integration steps, troubleshooting procedures, and system maintenance tasks.
- Maintain an inventory: keep track of all integrated identity sources, IAM systems, and external tools.
- Improve system efficiency: identify areas where automation could reduce manual intervention and improve operational efficiency.
- Daily: Verify that the Continuous Vulnerability scans are configured correctly and that information collected is accurate & complete.
- Daily: Identify possible scan gaps, authentication failures and engage with relevant service provider to remove those gaps and eliminate reasons for authentication failure.
- Daily: Review existing scan policies, fine tune and improve them at the same time.
- Weekly: Upon completion of scheduled scans, deliver a comprehensive vulnerability report to each stakeholder under your area of responsibility, taking into account all vulnerabilities posing a security risk, the remediation actions recommended to the system/application owners and the status of the recommended actions.
- No weekly report is due if that week does not include any working day (for instance, long official holidays such as the Christmas break).
- Monthly: Deliver a vulnerability report to stakeholders with an overview of the critical/high vulnerabilities identified and the status of the recommended actions, presented graphically to show the trend of the security posture of CIS assets. The monthly report is expected to be delivered in the week of Microsoft Patch Tuesday (second Tuesday of the month).
The contractor will be required to work onsite in Mons / BEL as part of this engagement. The NCSC Team is located in Mons / BEL, with working hours to be adjusted accordingly.
The services will be mainly executed on premise in SHAPE, Mons, Belgium. NCIA IT equipment will be provided (NCSC NROP laptop & NCSC NSOP workstation).
Results of the work will be provided on a weekly basis to the assigned Point of Contact (Annex A - weekly action tracking report).
The contractor will be required to work within a NATO country, following the rules and regulations applicable for the operations of NATO CIS.
The contractor will not be required to travel to other NATO locations as part of this role.
Travel expenses for missions to other NATO/NCIA locations: No travel expected. Daily presence on SHAPE, Mons Belgium is expected to deliver according to performance goals.
Regular travel costs to and from main location of the work (SHAPE, Mons, Belgium) are out of scope and will be borne by the contractor.
This work must be accomplished by one contractor for the entire duration of the contract.
The Purchaser will provide the contractor with the following Purchaser-Furnished Equipment (PFE):
- Access to NATO sites, as required, for the purpose of executing this SOW.
- Workspace (needed business IT for both on- and off-site work, hot-desk at NCSC facility).
- NCIA "REACH" laptop to be used by the contractor for the execution of the contract.
- It is mandatory to have the candidate be in possession of a COSMIC TOP SECRET security clearance to facilitate follow-on engagements and coordination at NATO venues.
The contractor(s) who will deliver the identified services must have demonstrated skills, knowledge and experience as listed below:
Mandatory:
- Bachelor's degree in Computer Science, Information Technology, or a related field, or equivalent experience
- Minimum of 3 years' experience required for all listed technical qualifications unless otherwise specified.
- 3+ years of professional experience in IT security, specifically in Vulnerability Assessment and / or Security Audit of a large organisation
- Strong understanding of security best practices and hands-on experience with Tenable products, especially Tenable Security Center and Tenable Nessus Agent Manager (minimum 3 years)
- Strong knowledge of and hands-on experience with SQL database scripting and Power BI (3+ years of hands-on experience)
- Strong knowledge of Python (pyTenable) and PowerShell (3+ years' experience required)
- Experience working with the Tenable Security Center and Nessus Agent Manager APIs (3+ years' experience)
- In-depth knowledge of Windows domain environments (Active Directory structure, Tier Model, LAPS, Group Policy Objects, DNS)
- Basic knowledge of Unix / Linux OS
- Strong analytical and problem-solving skills
- Excellent communication and collaboration skills
- Ability to understand and interpret the outcomes of security audit reports
The candidate should also ideally have knowledge and experience in the following areas:
- Experience in working with NATO.
- Experience of working with NATO Communications and Information Agency.
- Experience of working with national Defence or Government entities.
- Experience with threat intelligence, incident response and remediation a plus
- Knowledge of NATO organization and its IT infrastructure is a plus
- Certifications such as CISSP, CISM, or CISA are a plus
- Previous experience working for Cyber Security related organisations (CERTs, security offices) is a plus
- Previous experience working in an international environment comprising both military and civilian elements is a plus (minimum 1 year, out of 3+ years of working in IT Security with a focus on Vulnerability Assessment and / or Security Audit in an international environment)