2024-0086 Specialised Consultants for Security Development (NS) - THU 11 Apr

Netherlands - Remote

Deadline Date: Thursday 11 April 2024

Requirement: Specialised Consultants for Security Profile and Interface development

Location: OFF-SITE

Note: Please refer to your Subcontract Agreement, article 6.4.1.a, which states “Off-Site Discount: 5% (this discount is applicable to all requirements, and applies when the assigned personnel are permitted to work Off-Site, such as at home)”. Please be sure to price this discount in your overall price proposal when submitting bids against off-site RFQs.

Period of Performance: Base period: 6th May 2024 – 31st December 2024, with the possibility to exercise 1 (one) one‐year option: 1st January 2025 until 31st December 2025. The start date is as soon as possible but not later than 6th May 2024.

Required Security Clearance: NATO SECRET

1 INTRODUCTION

The NATO Communications and Information Agency (NCI Agency), located in The Hague, The Netherlands, is involved in the development of new capabilities for NATO as well as in the support of existing capabilities. In light of this, the Command and Control (C2) Service Line has a requirement for subject matter experts to be embedded with a team of NCI Agency staff in support of the Scientific Programme of Work for 2021.

2 OBJECTIVES

The main objectives of this statement of work are:

Support the development and validation of C2 Services Enabling requirements, architectural products and technical specifications;

Support the Alliance Federation information sharing concepts, services and specifications, supporting TIDE and CWIX activities; and

Provide technical support for C3S activities in the areas of identity and access management, API security, data management, and message and information transformation and standardisation.

3 SCOPE OF WORK

The consultant is requested to participate and provide expert support to NCI Agency in the execution of scientific activities advancing the following objectives:

ACT Interoperability Standardization (IOS) ‐ Joint C2 Cross‐COI Concepts: Maintenance of standards to support seamless information sharing techniques.

ACT Interoperability Standardization (IOS) ‐ Joint C2 Cross‐COI Concepts (NATO Core Data Framework (NCDF) implementation development and support): Assist ACT with the maturing of the NATO Core Data Framework (NCDF), AFSC and Data Centric Security (DCS).

This work will further develop and contribute to the definition of Information Sharing Scenarios for Core and C2 Services. This includes knowledge and expertise in Metadata Labelling, Binding, Binding Profiles, Label to Marking mapping, label interoperability and cross domain information exchanges, including the NATO Common Cross-Community Semantic Reference Model (CXCSRM), the MIP Information Model (MIM), Cross‐Domain Information Sharing (CDIS) solutions and the validation of information sharing Core and C2 Services at various exercise venues such as TIDE Sprint and CWIX; further support may be required for Steadfast Cobalt as added scope to this task.

The consultants will work off‐site and regularly coordinate their efforts with the team using the Agile/Sprint procedures already established. This requires both face‐to‐face meetings and remote tele‐ or video‐conferences.

The expertise is focused on:

‐ Requirement elicitation, formalization and validation;

‐ API design with specific attention to the security aspects;

‐ System and services architecture design;

‐ Design, validation, implementation and testing of identity and data management infrastructures and API security;

‐ Design, validation, implementation and testing of message and information transformation and standardization.

Other related areas will be technical input to and validation of the NATO Core Metadata Specification (NCMS) and the NATO Core Data Framework (NCDF), and technical input for the NCDF adoption of the NATO Core Metadata Specification (NCMS), data centric security and metadata labelling.

This expertise is required to supplement the current level of expertise within the C2 SL, so the consultants must be ready to quickly integrate with the current team and take up duties. The work required will be based on submitted Delivery Acceptance Sheets indicating the effort completed for each of the deliverables as defined below.

A request for available staff has not been successful, hence this request for consultancy support.

4 DELIVERABLES

The consultant, directed by the NCIA team and following an agile methodology, shall deliver:

Deliverable 1 ‐ D001:

The architecture for the protection of the NATO Core Data Framework API. The architecture shall adhere to API security best practices and shall be based on the adoption and profiling of NATO standards and of the Federated Mission Network (FMN) adopted protocols and methodologies. The API architecture shall cover at least the aspects of user authentication/authorization and the propagation of the user identity to the backend services via the impersonation and/or the delegation approaches.

An initial “NCDF API security implementation guide” document to guide the API implementation. It shall contain enough information to guide the implementation of the security services and the configuration of the security infrastructure.

This deliverable will be provided in the form of a single document, the “NCDF API security architecture and implementation guide”, containing both the architecture definition and the implementation guide.

Deliverable 2 ‐ D002:

Shall participate in the design, implementation and test of the secure NCDF Data Lake API for the NCDF Data Lake services.

Those activities will be executed using agile methodologies; the expected deliverables and timeline will be decided as work proceeds, as part of the sprint planning activities.

Deliverable 3 (Optional) ‐ D003:

May participate in further improvements of the NCDF Data Lake API and of the related NCDF Data Lake services.

Those activities will be executed in 2024 using agile methodologies. The expected deliverables and timeline will be decided as work proceeds, as part of the sprint planning activities.

Deliverable 4 (Optional) ‐ D004:

May participate in further improvements of the NCDF Data Lake API and of the related NCDF Data Lake services.

Those activities will be executed in 2025 using agile methodologies. The expected deliverables and timeline will be decided as work proceeds, as part of the sprint planning activities.

Optional deliverables D003 and D004 may be exercised at the discretion of NCIA.

For the mentioned deliverables, the consultant is expected:

To co‐author with the NCI Agency publications in international conferences and journals, contributing to discoveries and advances made during the period of performance.

To prepare documentation and make presentations to sponsors and stakeholders throughout the contract period. This may require the consultants to independently represent specific technical areas on behalf of NCI Agency without direct support of Agency staff, e.g. at TIDE Sprint or CWIX execution.

5 PAYMENT MILESTONES

All of the defined deliverables are briefings, reports, designs or specifications with a well‐defined NCI Agency‐specified format.

All deliverables are to be peer reviewed within the deliverable cycle. Input and guidance will be provided by NCI Agency in written form and/or during the targeted review meetings.

D001: “NCDF API security architecture and implementation guide”

Delivery Date: 20 May 2024

Payment Milestones: 100% upon completion and acceptance of deliverables.

D002: Participation in the design, implementation and test of the secure NCDF Data Lake API

Delivery Date: 30 June 2025

Payment Milestones: 100% upon completion and acceptance of deliverables.

D003 (Optional): Up to 10 (ten) one‐week sprints for additional NCDF Data Lake related development work. Note that these sprints may be activated in increments (due as agreed, no later than December 2024).

Delivery Date: 31 Dec 2024

Payment Milestones: Upon completion of each second sprint.

D004 (Optional): Up to 16 (sixteen) one‐week sprints for additional NCDF Data Lake related development work. Note that these sprints may be activated in increments (due as agreed, no later than December 2025).

Delivery Date: 31 Dec 2025

Payment Milestones: Upon completion of each second sprint.

The NCIA team reserves the possibility to exercise a number of optional sprints, based on the same deliverable timeframe and cost, at a later time, depending on the project priorities and requirements.

Payment shall be dependent upon successful acceptance of the Delivery Acceptance Sheet (DAS) (Annex B), including the EBA Receipt number.

Payment will be provided based on these deliveries as indicated in the table. Invoices shall be accompanied by a Delivery Acceptance Sheet (Annex B) signed by the Contractor and the project authority.

6 SCHEDULE

This task order will be active immediately after signing of the contract by both parties.

The BASE period of performance starts as soon as possible but not later than 6th May 2024 and will end no later than 31st December 2024.

If the option is exercised, the period of performance is 1st January 2025 to 31st December 2025.

7 CONSTRAINTS

All the deliverables provided under this statement of work will be based on NCI Agency templates or agreed with the project point of contact.

All code, scripts, documentation, etc. will be stored under configuration management and/or in the provided NCI Agency tools.

NATO will retain the intellectual property rights for all products developed in relation to this project.

8 SECURITY

The duties of the consultants require a valid NATO SECRET security clearance.

The expected classification level of the deliverables is NATO UNCLASSIFIED. However, in some particular circumstances it might be decided that a part of the deliverables will be classified as NATO RESTRICTED.

The execution of duties may require the consultants to access information, as well as CIS systems, classified up to NATO SECRET.

9 PRACTICAL ARRANGEMENTS

Service on the contract will be performed off‐site at the consultant’s own office. Office space and computer equipment will be provided at NCI Agency‐NL for access during scheduled visits for the duration of this contract; the contractor is responsible for office space and computer equipment at their own facilities.

Extraordinary travel (Purchaser Directed Travel) may be required to other NATO or non‐NATO locations as necessary, so agility must be maintained.

Travel expenses will be reimbursed in accordance with Article 5.5 of AAS+ Framework Contract.

Requirements

10 QUALIFICATIONS

10.1 THE FOLLOWING EXPERTISE AND KNOWLEDGE IS ESSENTIAL FOR THIS REQUIREMENT:

  • The duties of the consultants require a valid NATO SECRET security clearance;
  • Knowledge of Information Management principles;
  • Knowledge of modern data architecture (Data Lakes, Hubs and Warehouses) concepts and experience in designing related system and services architecture;
  • Knowledge of design and implementation of architectures and protocols for distributed and federated systems;
  • Detailed knowledge and experience with Web Service‐specific security standards and products including Security Policy Information File (SPIF), SAML 1.x and 2.0, XACML, WS‐Security, WS‐Trust, OpenID Connect, OAuth 2.0, Microsoft Active Directory Federation Services (ADFS) v3.0, and competing products in this space;
  • Detailed knowledge and experience with Service Oriented Architecture (SOA) implementation concepts including Web Services, SOAP, REST, Publish‐Subscribe, XML and WSDL, as well as Web Services specifications;
  • Knowledge and experience with NATO Core Data Framework (NCDF) concepts, technologies and business cases, standard specifications and related implementations;
  • Ability to independently produce and edit technical documentation and scientific reports in English;
  • Excellent communication skills;
  • Good understanding of project management methodologies, including PRINCE 2 and Agile/Scrum.

10.2 DESIRABLE EXPERTISE:

The following expertise and knowledge is desirable for this requirement:

  • Knowledge of NATO Confidentiality Label Syntax specifications (specifically ADatP‐4774 & 4778), profiles and emerging standards;
  • Knowledge of NATO Metadata Binding Mechanism specifications, profiles and emerging standards, including the Metadata Labelling Strategy and the Data Centric Security Strategy;
  • Knowledge of NATO Core Metadata Specification (NCMS), profiles and emerging standards;
  • Knowledge of the NATO C3 Policies, including the Data Management Policy;
  • Knowledge of methods and mechanisms to resolve security label translation/mapping between NATO and NATO national systems;
  • Knowledge and experience with Standards Transformation Framework (STF) concepts, technologies and business cases;
  • Expertise in security labelling and object level protection solutions;
  • Expertise in secure communication and API security;
  • Familiarity with NATO organisational and political structures (especially NHQC3S, ACT HQ and NCI Agency) and relationships with NATO and Partner nations.