OCIO-0015 Enterprise Security Accreditation and ECISOA (NS) - TUE 24 Jan

Deadline Date: Tuesday 24 January 2023

Requirement: Enterprise Security Accreditation and ECISOA

Location: Brussels, BE

Full time on-site: Yes

NATO Grade: A3/G17/88

Total Scope of the request (hours): 1672

Required Start Date: As soon as possible, but no later than 23 February 2023

End Contract Date: 31 December 2023

Required Security Clearance: NATO SECRET

Annex A – Special Terms and Conditions

The contractor will be responsible for complying with the respective national requirements for working permits, visas, taxes, social security etc. whilst working on site at NATO HQ Brussels, Belgium.

No special status is either conferred or implied by the host organisation, NATO HQ Brussels, Belgium to the contractor whilst working on-site.

The contractor will be responsible for complying with all the respective National Health COVID-19 regulations in Belgium before taking up the position.

1. INTRODUCTION

NATO is undergoing a major adaptation of its overall approach to cybersecurity. As part of its mandate, the NATO Chief Information Officer (CIO) is overseeing the coherence of the NATO Enterprise ICT (Information Communication Technology) capabilities and services and is the single point of authority (SPA) for cybersecurity. The NATO CIO is responsible for developing and implementing a cybersecurity strategy through a comprehensive cyber adaptation programme. This includes significant interaction with executive stakeholders, both military and civilian, required to oversee the NATO Enterprise coherence and cybersecurity efforts.

As part of its mandate, the NATO Office of the CIO (OCIO) needs to execute and enforce the role of NATO Enterprise CIS Operational Authority (ECISOA) allowing the NATO CIO to perform its role of Enterprise Risk owner. The main goal is to ensure risks identified as part of supporting existing processes (e.g. security accreditation, incident management, etc.) are properly evaluated, operationally validated and formally accepted, keeping and maintaining an overall view on the global Enterprise security posture.

To support this effort, OCIO requires services that will leverage in-depth knowledge of Risk Management (Risk Assessment methodology, Processes and Best practices), to support the roles of ECISOA and the related risk management-supporting activities, enabling an informed and on-point decision making regarding Enterprise cybersecurity risks.

The project will provide support and expertise to the execution of those activities related to ECISOA and Enterprise Risk Owner roles.

2. TASKS

The contractor will effectively and efficiently provide, with minimal supervision, the following services, with a special focus on cybersecurity risk management:

2.1 Support CIO in his role of Enterprise CISOA in the issuance of different decision making-related documentation such as Authorizations to Operate (ATOs) and interim ATOs (iATO) for systems and Networks, as required. Assess, verify risks and eventually develop suggestions in support of the Enterprise Risk acceptance function of the CIO. Supports the development of Cybersecurity Risk Management Processes and Frameworks;

o Measurement: To the NATO OCIO, ESRM section satisfaction about the quality of the issued documentation and the time taken to produce it, as required, as well as the level of support provided on the development and maintenance of the Risk Management processes and framework and the quality of the provided support to risk management activities;

2.2 Maintain a Board of CISOA as a stable coordination framework between the various local CISOA among various HQs and Subordinate commands, as well as review and implement the Board of CISOAs ToRs, where required by the Board itself. Support the activity of the Cyber Risk Management Group (CRMG), especially in its cybersecurity risk management function;

o Measurement: Confirmation by the NATO CIO concerning the quality of the engagement and support to the Board of CISOAs and CRMG, especially related to the organization and execution of regular meetings (on a weekly and monthly basis) and support to their planned and unplanned activities.

2.3 Supports the Enterprise CISOA in the development and execution of the accreditation process, for NATO CIS at Enterprise level. Receives updates and analyses data related to the list of sites and networks interested by the accreditation process, maintaining a situational awareness regarding said CIS Provides inputs for the planning and monitors the implementation, of the annual program of work for the auditing/inspection within the CIO AoR.

o Measurement: Effectiveness and quality of the engagement with the Security Accreditation Authorities (SAAs) and on-time development of mitigation and remediation measures in support of accreditation-related activities. Development and effective support to the approval of the annual Vulnerability Assessment PoW.

2.4 Supports and contributes to the process of policy changes related to CIS security and its management in coordination with the SAA and CISP

o Measurement: Support as necessary until the end of 4th Quarter 2023 (and subsequently if the contract is extended).

3. PROFILE

[See Requirements]

4. LOCATION OF DUTY

The work will be executed primarily on site at the NATO HQ offices in Brussels, Belgium. Frequent travels or short deployments to NATO Command Structure bodies would be required. Due to the nature of the work, minimal teleworking can be foreseen.

5. TIMELINES

The services of the contractor are required for the period starting 23 February 2023 until 31 December 2023.

6. SPECIFIC WORKING CONDITIONS

Secure environment with standard working hours. Occasional non-standard hours may be required in support of the NATO Chief Information Officer urgent tasks.

7. TRAVEL

Occasional business travel may be required. Travel expenses to be reimbursed to the individual directly (in addition to the hourly rate) under NATO rules.

8. SECURITY AND NON-DISCLOSURE AGREEMENT

The contractor must be in possession or capable of possessing a security clearance of NATO SECRET.

A signed Non-Disclosure Agreement will be required.

Requirements

3. PROFILE

• The candidate must have a currently active NATO SECRET security clearance
• The candidate must have knowledge and multiyear experience in organization, management and support of various (international) operations, activities, units and projects related to defence, security, electronics and communications, in the NATO environments.
• The candidate must have previous experience within NATO CIS Operational Authority dealing with accreditation procedures, Risk Assessment and Crypto implementation and standards.
• The candidate must have previous experience in developing contingency plans, mitigation measures and Authorization To Operate (ATO) and interim Authorizations to Operate (iATO,) risk acceptance in support of the enforcement of CIS Security Frameworks;
• The job requires knowledge of the NATO Security Accreditation Processes, CIS Security and operational evaluation of CIS;
• The job requires experience with Risks assessment and Risk Management as applied to CIS Security and Cyber Security;
• Experience in supporting or driving Policy changes related to CIS security and its management;
• Knowledge in the development of Cybersecurity Risk Management Processes and Frameworks;
• The candidate must have experience in leading staff work on large and complex projects and to coordinate multiple stakeholders in different and separate locations.
• The candidate must have excellent English writing skills and the ability to brief their work in English.