2022-0121 DevSecOps Engineer (NS) - THU 6 Jan OFF-SITE

The Hague, South Holland, Netherlands - Remote

Applications have closed

Deadline Date: Friday 6 January 2023

Requirement: DevSecOps Engineer

Location: Off-Site

Full time on-site: No

NATO Grade: A/96,580 EUR (Each sprint 4,390 EUR)

Required Start Date: 30 January 2023

End Contract Date: 30 December 2023

Required Security Clearance: NATO SECRET

Duties & Role:

1 INTRODUCTION

The NATO Communications and Information Agency (NCI Agency) has moved towards short-cyclic capability development via NATO Software Factory (NSF) services. NSF is a development and testing DevSecOps Platform hosted in Microsoft Azure Cloud, designed to enable the use of standardized secure software engineering processes and common tooling shared by Alliance Federation, Industry, Academia and Nations. NCI Agency is looking for a DevSecOps engineer with a strong background in containerization technology (compliancy and security assessment, implementing and maintaining base layers, and assisting with complex containerized deployments) and infrastructure as code (Terraform & Ansible) to support the NSF team.

2 OBJECTIVES

NCI Agency is building a NATO Trusted Container service, enabling future container-based FAS secure lifecycle management. In addition, a new Integration Testing service is being established in the NSF, replacing legacy on-prem labs and test environments. The main objective of this statement of work is to support the NSF team building these two new services within the NSF.

3 SCOPE OF WORK

Under the direction / guidance of the NCIA Point of Contact or delegated staff, the DevSecOps engineer will support building the NATO Trusted Container service and Integration Testing service.

This includes the following activities:

  • Develop / update Jenkins and Azure DevOps pipelines
  • Implement security scanning for containers
  • Implement compliancy scanning for containers
  • Develop and maintain secure common base layers for containers, including applying required hardening settings
  • Develop / maintain infrastructure as code for deployment and configuration of infrastructure (VMs, Disks), core services (AD, CA, Exchange etc.), and applications (NATO and Commercial Application)
  • Define standard for infrastructure as code
  • Create pipelines and self-service solutions for deploying test environments using infrastructure as code

The contractor will be part of a team and will deliver the service using an Agile and iterative approach during multiple sprints. Each sprint is planned for a duration of 1 week. The content and scope of each sprint will be agreed during the sprint-planning meeting.

4 DELIVERABLES AND PAYMENT MILESTONES

The following deliverables are expected from the service on this statement of work:

Deliverable 01: 22 sprints of software development.

NTE Sprint Cost: 4,390 EUR

Number of Sprints: 22

NTE Total Cost: 96,580 EUR

Payment Milestones: Upon completion of each fourth sprint and at the end of the service.

The NCIA team reserves the possibility to exercise a number of options, based on the same scrum deliverable timeframe and cost, at a later time, depending on the project priorities and requirements.

5 COORDINATION AND REPORTING

The contractor shall participate in daily status update meetings, sprint planning, sprint retrospectives and other meetings, physically in the office, or in person via electronic means using Conference Call capabilities, according to the Service Delivery Manager’s instructions.

For each sprint to be considered as complete and payable, the contractor must report the outcome of his/her service during the sprint, first verbally during the retrospective meeting and then in writing within three (3) days after the sprint’s end date. The format of this report shall be a short email to the NCIA Point of Contact mentioning briefly the service held and the development achievements during the sprint.

6 SCHEDULE

This task order will be active immediately after signing of the contract by both parties. It is expected the initial service starts on 30th January 2023 and will end no later than 31 December 2023.

7 CONSTRAINTS

All the deliverables provided under this statement of work will be based on NCI Agency templates or agreed with the point of contact. All work, artefacts, scripts, documentation, etc. will be stored under configuration management and/or in the provided NCI Agency tools.

All the deliverables of this project will be considered NATO UNCLASSIFIED.

Part of the service may involve handling sensitive data, therefore, a security clearance at the right level is expected for the contractor(s) undertaking this service.

8 PRACTICAL ARRANGEMENTS

The contractor will be required to provide the service off site. Access to the NCI Agency NSF platform will be provided in coordination with the NCIA Point of Contact or delegated staff.

The contractor may be required occasionally to travel to NCI Agency sites within NATO for completing these tasks. Travel expenses will be reimbursed to the individual directly (outside this contract) under NATO rules.

This service must be accomplished by ONE contractor.

Requirements

9 QUALIFICATIONS

The consultancy support for this service requires a software developer with the following qualifications:

  • The candidate must have a currently active NATO SECRET security clearance
  • The candidate has relevant and recent experience in building and securing containers.
  • The candidate has relevant and recent experience in developing infrastructure as code
  • The candidate has a strong track record in DevSecOps and has strong problem solving skills.
  • The candidate has extensive and recent experience with and knowledge of Continuous integration and delivery, including the following tools and technologies and concepts:
    • Git (mandatory),
    • Ansible (mandatory),
    • Docker (mandatory),
    • Jenkins (mandatory),
    • Terraform (mandatory),
    • Infrastructure as Code such as ARM,
    • Designing and implementing build/deploy pipelines,
    • Application security/code quality testing tools such as SonarQube, Checkmarx or OWASP Dependency Check,
    • Shift left/right testing using test automation tools such as JUnit/NUnit, Selenium, Protractor, Cucumber
  • The candidate has extensive and recent experience with and knowledge of Continuous Operations, including the following tools and technologies and concepts:
    • Kubernetes (mandatory),
    • Telemetry/Monitoring solutions such as Application Insights, Azure Monitor or Prometheus,
    • Helm,
    • Container Registry,
    • Container vulnerability scanning tools such as Trivy and Anchore
  • The candidate has experience with and knowledge of Java and NodeJS/JavaScript
  • The candidate has relevant and recent experience in using development tools (e.g. Maven, Jira, GitLab, Zephyr) and the Scrum methodology.
  • The candidate has strong customer relationship skills, including negotiating complex and sensitive situations under pressure.
  • The candidate is able to speak and write fluent English since the service is conducted in English.
  • The candidate must have the nationality of one of the NATO nations.

Tags: Agile Ansible Application security Automation Azure Checkmarx Clearance Cloud DevOps DevSecOps Docker Helm Java JavaScript Jira Kubernetes Monitoring NATO Node.js OWASP Prometheus Scrum Security assessment Security Clearance SonarQube Terraform

Perks/benefits: Team events

Regions: Remote/Anywhere Europe North America
Country: Netherlands