Requirement: Online Cyber Threat Intelligence Tools and Feeds Management
Location: Three times per week: Braine L'Alleud, Belgium
Note: the first 3 weeks will be fully performed at Braine L'Alleud, Belgium.
Not to Exceed: 2026: 141,210 EUR (~44 weeks)
Option 2027: 171,270 EUR (52 weeks)
Option 2028: 175,050 EUR (52 weeks)
Travel included in the price of the quote
Period of Performance: 2026: 01 March 2026
Required Security Clearance: NATO SECRET
Please do NOT apply for any NATO contract positions unless you meet ALL the following criteria:
- Current National or NATO SECRET clearance
- Nationality of one of the NATO member countries
- Current work visa for the specific location if applying for an in-country position
Introduction:
- The NCI Agency has been established with a view to meeting the collective requirements of some or all NATO nations in the fields of capability delivery and service provision related to Consultation, Command & Control as well as Communications, Information and Cyber Defence functions, thereby also facilitating the integration of Intelligence, Surveillance, Reconnaissance, Target Acquisition functions and their associated information exchange.
- The NATO Cyber Security Centre (NCSC) is a team of over 200 members working to monitor and protect NATO networks. In the NCSC's role to deliver robust security services to the NATO Enterprise and NATO Allied Operations and Missions (AOM), the centre executes a portfolio of programmes and projects around 219 MEUR euros per year, in order to uplift and enhance critical cyber security services. The Portfolio ranges from Programme of Work (POW) activities funded via the NATO Military Budget (MB) to Critical / Urgent Requirements (CURs/URs) and NATO Security Investment Programme (NSIP) projects funded via the Investment Budget (IB). In some edge cases, projects are also funded via the Civilian Budget (CB). Projects can span multiple years and are governed by various frameworks, including the Common Funded Capability Development Governance Framework (CFCDGM).
- In order to execute this work, the NCI Agency is seeking additional labour through contracted resources (or consulting) to support the work undertaken by the NATO Cyber Security Centre (NCSC) in the area of Communications and Information System (CIS) security, cyber defence and cyberspace operations. This Statement of Work (SoW) specifies the required skillset and experience.
- The NCSC is responsible to defend NATO networks on a 24/7 basis and to share relevant cyber information with all its stakeholders. As such, NCSC is the global purchaser and maintainer of a wide-range of cyber security and cyber threat intelligence (CTI) tools and feeds - hereby referred as "feed" or "feeds" in the subsequent portion of this Statement of Work (SoW). The contractor shall be the interface between these feeds and the user community (NATO-wide), managing the "Terms of Use" for each of the associated feed, capturing the usage statistics and other Key Performance Indicators (KPIs) for each of the feed, managing user lifecycle directly in the feed's interface or liaising with the feed vendor if such interface does not exist.
- The contractor shall also communicate to each user community about the relevant documentation and/or training which exist whenever required, and will capture feedback from the user community about the "value-for-money" of each of the feed, the use cases the user community leverages with the feed, and the possible gap in the feed we are currently purchasing.
The following functions are to be delivered:
D1 The contractor shall create and maintain a list of users and stakeholders with their respective point of contact, in the NCSC tools. The NCSC Tools are composed of
- Atlassian Confluence, including any plugins installed on the instance
- Atlassian JIRA, including any plugins installed on the instance
- Microsoft Powerpoint
- Microsoft Word
- Microsoft OneNote
- Microsoft Outlook
- Microsoft Sharepoint
- NCIA ITSM tool
Expert advice on how to use the non-Microsoft tools will be provided by NCSC.
Outcome: The list of users and stakeholders, completed and accurate, using the template delivered by NCSC and in the NCSC tool.
D2 For each of the feed, the contractor shall identify the relevant Key Performance Indicator(s), based on user inputs, feasibility of measurement delivered by the feed, and ultimately approval by NCSC. The contractor shall be responsible to measure the KPIs.
There will be a maximum of 20 feeds to manage/measure.
There will be a maximum of 4 KPIs per feed to manage/measure and report on.
For each of the feed, the contractor shall capture usage statistics, per user, in NCSC tools.
D2 Outcome: For each of the feed, the identified KPIs and the method for measurement have been identified and approved.
D3 For each of the feed, the contractor shall redact and maintain, based on user inputs, an associated Terms of Use (ToU), using NCSC-provided template, which aims at clarifying the "do and don't" when using a feed. The ToU will ultimately be approved by NCSC and be part of the user management process.
D3 Outcome: For each of the feed, the Terms of Use has been approved by NCSC
D4 For each of the feed, the contractor shall put in place a user management process, which will meet the following criteria:
The process shall respect the confidentiality of Personally Identifiable Information (PII). Ideally, the information will be hosted on NCIA or NCSC-managed network(s).
The process shall include the approval by the end-user of the ToU conditions.
The process shall manage the creation, revision, password/credentials reset, disabling, and deletion of a user.
Each request will be acknowledged by a message which will reach the end user and NCSC within 30 minutes (during working hours) of the request being submitted by the end user. Working hours are 08:30-17:30 on weekdays, Brussels time.
Each request shall be processed, if all conditions are met, within 4 working hours.
When a user request implies going above a set maximum number of users, the contractor shall proactively provide a recommendation for user replacement based on usage statistics. The process shall be executed under approval of NCSC.
The implemented process shall be fully auditable by the NATO Security Authorities or any delegated authorities as approved by the Chief NCSC.
D4 Outcome: The User Management Process has been approved by NCSC and implemented.
D5 The contractor shall manage and make available to each user the documentation and training available for the feed. The training/documentation is provided either by the vendor or NCSC, on a case by case basis.
D6 On a monthly basis, the contractor shall organize a meeting with the users of the feeds or their representative - hereby called "stakeholders" in any subsequent portion if this statement of work, as directed by NCSC, to:
- define the actions to contribute to Continuous Service Improvement (CSI) from an ITIL version 4 terminology;
- capture the Use Cases of the feed for each respective community in a NCSC approved format; and
- present the usage statistics and KPIs, per feed, to the audience.
Meeting minutes, using NCSC-provided templates and captured in NCSC Tool will be delivered by the contractor, first as draft for the stakeholders for review, then for final approval by NCSC. The meeting minutes shall:
Identify the participants, based on Para 2 point 1,
Deliver the key points of discussion, identified actions, conditions, expected outcomes and timelines to achieve these actions to all participants - referred to in any subsequent text as the "draft meeting minutes", using NCSC tool.
The NCSC shall be the final approver of the draft meeting minutes.
Each deliverable of D2, D3, D4, D5, D6 shall meet the following requirements:
- Language: the product shall be written in English, meeting the NATO STANAG 6001 Level 3 "Professional Proficiency".
- Intended Audience: the product shall be intended for Cyber Security Professionals.
- Accuracy: the product shall accurately reflect what was discussed, decided, and action items assigned during the meeting.
- Clarity and Conciseness: Information shall be presented clearly and concisely, avoiding unnecessary jargon or complex language.
- Objectivity: the content shall be impartial and objective, presenting information without bias or personal interpretation.
- Timeliness: the product shall be prepared and distributed promptly after the meeting, ensuring that information is fresh and actionable.
- Formatting: Consistent formatting shall be used throughout the document, including font style, size, headings, and spacing further directed by the NCSC.
- Confidentiality: Sensitive information discussed prior, during and after meetings shall be handled in accordance with the NATO policy on Information Management.
A bi-weekly 'touch point' between NCSC - Head of Inform Branch, or any other NCSC personnel designated by NCSC.
Further Details: Each provider of this service must pass an assessment to demonstrate proficiency before being approved to provide the service. The assessment will then be followed by a three week on-site familiarisation period with key NCSC personnel and tool to be introduced to the environment
Requirements
Skills
It is up to the bidding company to propose and size the team that will be working to fulfilling these deliverables.
Required skillset of the contracted team:
- Experience in user management support IT Service Delivery (ITIL).
- Experience in engaging with highly technical cyber security professionals.
- Experience in summarizing discussions, identifying relevant points and action items.
- Language proficiency for all interaction with users and stakeholders shall happen in English and meet or exceed the NATO STANAG 6001 Level 3 "Professional Proficiency".
- Accuracy and attention to detail.
- A previous experience in using Cyber Threat Intelligence tools and feeds is an asset.
- Any contracted individuals of the Service Provider must be in possession of a security clearance by their National Authority of NATO SECRET or above. The signature of a Non-Disclosure Agreement between any Service Provider's individuals contributing to this task and NCIA will be required prior to execution.