Deadline Date:
Friday 4 July 2025
Requirement:
NATO Enterprise Security Architecture Support
Location:
Brussels, BELGIUM
Full Time On-Site:
Yes
Time On-Site:
100%
Not to Exceed:
Cost Not to Exceed: 2025 BASE: NTE 117,000€
2026 – 2027 – 2028 - 2029 Options
Period of Performance:
2025 BASE: As soon as possible until 31 December 2025 with possibility to exercise sprints from the following options:
- 2026 Options: 1st January 2026 until 31st December 2026
- 2027 Options: 1st January 2027 until 31st December 2027
- 2028 Options: 1st January 2028 until 31st December 2028
Special Terms and Conditions: The contractor will be responsible for complying with the respective national requirements for working permits, visas, taxes, social security etc. whilst working on site at NATO HQ Brussels, Belgium. No special status is either conferred or implied by the host organisation, NATO HQ Brussels, Belgium to the contractor whilst working on site. The contractor will be responsible for complying with all the respective National Health COVID-19 regulations in Belgium before taking up the position
INTRODUCTION:
The NATO Chief Information Officer (CIO) ensures ICT coherence across NATO’s 50+ civil and military bodies, serving over 25,000 users. Reporting to the Secretary General, the CIO oversees Enterprise directives and advises on IT acquisition and services.
In 2025, the OCIO is prioritizing de-risking activities to enable NR and NS accreditation of cloud-based CIS across the NATO Enterprise. This is a critical step in ensuring that NATO can securely adopt cloud technologies while maintaining the confidentiality, integrity, and availability of classified information.
To achieve this, the OCIO is seeking expert support to assess the feasibility of accrediting NR and NS cloud-based CIS. This includes identifying policy gaps, technical challenges, and the necessary mitigation measures to align cloud architectures with NATO’s stringent accreditation requirements.
In addition, the OCIO is seeking expert support to develop a future-proof IAM strategy that will serve the NATO Enterprise mission, operational and security requirements.
These efforts will inform policy evolution and drive coherence across the NATO Enterprise both in accreditation and Enterprise IAM strategy. They also support key initiatives such as Digital Transformation and Cloud Adoption, ensuring that NATO can leverage secure and scalable cloud capabilities for operational and strategic advantage.
SCOPE OF WORK:
The expert contractor (single resource) shall carry out the specific tasks, as described in the Work Packages below:
- Work Package WP1:
NR Accreditation Support
- Support the execution and delivery of the NR Accreditation Task Force
- Support the documentation and clarification of policy gaps and issues with regards to the accreditation of cloud-based CIS up to NR.
- Gather, assess and provide technical documentation that can be used to support the accreditation of public cloud-based CIS up to NR, including technical documentation, reference architectures, list of security enforcing services in public cloud infrastructure.
- Work Package WP2:
NS Accreditation Support
- Support the documentation and clarification of policy gaps and issues with regards to the accreditation of cloud-based CIS up to NS.
- Gather, assess and provide technical documentation that can be used to support the accreditation of air-gapped private cloud-based CIS up to NS, including technical documentation, reference architectures, list of security enforcing services mapped onto policy requirements.
- Provide expert input and strategic outlook on the feasibility of executing highly classified workloads up to NS in the public cloud. Identify challenges, policy gaps and mitigations.
- Work Package WP3:
Enterprise IAM Strategy
- Support drafting a high-level IAM strategy that aligns with NATO Enterprise’s mission, security posture, and operational needs.
- Ensure the IAM strategy fully aligns with NATO’s Zero Trust policy and requirements, addressing identity-centric security controls.
- Conduct an assessment of existing IAM technologies within NATO to identify gaps, redundancies, and integration challenges.
- Support development of a high-level roadmap towards a future state IAM system with phased recommendations, ensuring a structured approach to adoption.
PRACTICAL ARRANGEMENTS
This work will be carried out 100% on site at NATO HQ, Brussels, Belgium. Meetings will be physically in the office, or in person via electronic means using Conference Call capabilities, according to the OCIO staff instructions.
NATO HQ, OCIO Recognized Business hours/Holidays: NATO HQ, OCICO official holiday schedule applies and will be provided to the contractor.
NATO HQ, Brussels, Belgium of Operations: Monday to Thursday 0830 – 1730 and Friday 0830 – 1600 (CET)
Contractor Furnished Services: Contractor shall furnish everything required to perform the contract except for the items specified and covered under OCIC Furnished Property and Services below.
OCIO Furnished Property and Services: Laptop for business administration including relevant software will be provided by OCIO Laptop for technical work including relevant software will be provided by OCIO. Access to relevant networks and environments will be provided by OCIO
Work is to be performed on the OCIO NATO HQ network(s) and appropriate hardware and connectivity will be provided by the OCIO NATO HQ, for the duration of this contract, and is to be returned upon completion of the contract. The work depicted in this SOW is expected to be carried by a single resource
COORDINATION & REPORTING
- Weekly Status Reporting
- The contractor is required to provide weekly status reports detailing project progress, challenges encountered, and solutions implemented. These reports should highlight any deviations from the schedule or budget and propose corrective actions if necessary.
- Status reporting can be conducted either on-site at NATO HQ Brussels or through a scheduled conference call, based on what is most effective and feasible. The preference and availability of the OCIO assigned Project Manager should be considered in determining the mode of communication.
- Each status report should follow a standardized format agreed upon at the project's outset, which includes sections for accomplishments, work in progress, upcoming tasks, issues, and risks.
- Adherence to NATO and OCIO Protocols
- The contractor shall comply with all general rules, terms, and conditions applicable to working within the OCIO at NATO HQ Brussels. This includes security protocols, data protection guidelines, and any specific operational procedures.
- The contractor must participate in an orientation session (if provided) to familiarize themselves with NATO HQ's environment, culture, and specific requirements of the facility.
- Regular coordination meetings with the OCIO assigned Project Manager or designated point of contact will be scheduled to ensure alignment with NATO's objectives and to facilitate any necessary adjustments to the project plan.
All the documentation provided under this statement of work will be based on OCIO templates and/or agreed with the OCIO project manager.
All support, maintenance, documentation and required code will be stored under configuration management and/or in the provided OCIO tools.
All developed solutions, tools and code under this project will be property of the OCIO.
SCHEDULE:
This task order will be active immediately after signing of the contract by both parties. The BASE period of performance is as soon as possible and will end no later than 31 Decembers 2025.
If the 2026 option is exercised, the period of performance is 01st January 2026 to 31st December 2026.
If the 2027 option is exercised, the period of performance is 01st January 2027 to 31st December 2027.
If the 2028 option is exercised, the period of performance is 01st January 2028 to 31st December 2028.
If the 2029 option is exercised, the period of performance is 01st January 2029 to 31st December 2029.
TRAVEL:
There shall be no separate re-imbursement for travel and accommodation. Travel cost included in the project amount.
SECURITY AND NON-DISCLOSURE AGREEMENT:
The security classification of the service will be up to NATO SECRET.
Performance of the services described in this SOW require a valid NATO SECRET security clearance at the time of proposal submission
Contractor/ shall be aware of all security rules pertaining to the handling of NATO classified information.
Personnel Security Clearance (PSC). Individuals who require access or may have access to information classified NC or above during the course of their duties shall have a PSC at the appropriate level, which is valid for the duration of the authorized access. In addition, such individuals are required to: Have a need-to-know; Have been briefed on their security obligations in respect to the protection of NATO Classified Information; and Have acknowledged their responsibilities either in writing or an equivalent method which ensures non-repudiation.
Requirements:
PROFILE
- Demonstrated relevant experience (5+ years) in the area of cyber security and defense, more specifically on identity and access management, accreditation processes and security audit/compliance.
- Demonstrated relevant experience in NATO, defense, or government projects in the area of cloud computing and cyber.
- Proven experience in designing, assessing, and implementing cloud security architectures in large international organisations.
- Experience with commercial cloud provider platforms.
- Knowledge of relevant NATO security requirements and policies.
- Prior experience of working in an environment comprising both military and civilian elements.
- A thorough knowledge of one of the two NATO languages, both written and spoken, is essential and some knowledge of the other is desirable. (Note: Most of the work of the OCIO-NATO HQ is conducted in the English language)
- Performance of the services described in this SOW require a valid NATO SECRET security clearance at the time of proposal submission