Deadline Date: Tuesday 24 January 2023
Requirement: Enterprise Security Accreditation and ECISOA
Location: Brussels, BE
Full time on-site: Yes
NATO Grade: A3/G17/88
Total Scope of the request (hours): 1672
Required Start Date: As soon as possible, but no later than 23 February 2023
End Contract Date: 31 December 2023
Required Security Clearance: NATO SECRET
Annex A – Special Terms and Conditions
The contractor will be responsible for complying with the respective national requirements for working permits, visas, taxes, social security etc. whilst working on site at NATO HQ Brussels, Belgium.
No special status is either conferred or implied by the host organisation, NATO HQ Brussels, Belgium to the contractor whilst working on-site.
The contractor will be responsible for complying with all the respective National Health COVID-19 regulations in Belgium before taking up the position.
NATO is undergoing a major adaptation of its overall approach to cybersecurity. As part of its mandate, the NATO Chief Information Officer (CIO) is overseeing the coherence of the NATO Enterprise ICT (Information Communication Technology) capabilities and services and is the single point of authority (SPA) for cybersecurity. The NATO CIO is responsible for developing and implementing a cybersecurity strategy through a comprehensive cyber adaptation programme. This includes significant interaction with executive stakeholders, both military and civilian, required to oversee the NATO Enterprise coherence and cybersecurity efforts.
As part of its mandate, the NATO Office of the CIO (OCIO) needs to execute and enforce the role of NATO Enterprise CIS Operational Authority (ECISOA) allowing the NATO CIO to perform its role of Enterprise Risk owner. The main goal is to ensure risks identified as part of supporting existing processes (e.g. security accreditation, incident management, etc.) are properly evaluated, operationally validated and formally accepted, keeping and maintaining an overall view on the global Enterprise security posture.
To support this effort, OCIO requires services that will leverage in-depth knowledge of Risk Management (Risk Assessment methodology, Processes and Best practices), to support the roles of ECISOA and the related risk management-supporting activities, enabling an informed and on-point decision making regarding Enterprise cybersecurity risks.
The project will provide support and expertise to the execution of those activities related to ECISOA and Enterprise Risk Owner roles.
The contractor will effectively and efficiently provide, with minimal supervision, the following services, with a special focus on cybersecurity risk management:
2.1 Support CIO in his role of Enterprise CISOA in the issuance of different decision making-related documentation such as Authorizations to Operate (ATOs) and interim ATOs (iATO) for systems and Networks, as required. Assess, verify risks and eventually develop suggestions in support of the Enterprise Risk acceptance function of the CIO. Supports the development of Cybersecurity Risk Management Processes and Frameworks;
o Measurement: To the NATO OCIO, ESRM section satisfaction about the quality of the issued documentation and the time taken to produce it, as required, as well as the level of support provided on the development and maintenance of the Risk Management processes and framework and the quality of the provided support to risk management activities;
2.2 Maintain a Board of CISOA as a stable coordination framework between the various local CISOA among various HQs and Subordinate commands, as well as review and implement the Board of CISOAs ToRs, where required by the Board itself. Support the activity of the Cyber Risk Management Group (CRMG), especially in its cybersecurity risk management function;
o Measurement: Confirmation by the NATO CIO concerning the quality of the engagement and support to the Board of CISOAs and CRMG, especially related to the organization and execution of regular meetings (on a weekly and monthly basis) and support to their planned and unplanned activities.
2.3 Supports the Enterprise CISOA in the development and execution of the accreditation process, for NATO CIS at Enterprise level. Receives updates and analyses data related to the list of sites and networks interested by the accreditation process, maintaining a situational awareness regarding said CIS Provides inputs for the planning and monitors the implementation, of the annual program of work for the auditing/inspection within the CIO AoR.
o Measurement: Effectiveness and quality of the engagement with the Security Accreditation Authorities (SAAs) and on-time development of mitigation and remediation measures in support of accreditation-related activities. Development and effective support to the approval of the annual Vulnerability Assessment PoW.
2.4 Supports and contributes to the process of policy changes related to CIS security and its management in coordination with the SAA and CISP
o Measurement: Support as necessary until the end of 4th Quarter 2023 (and subsequently if the contract is extended).
4. LOCATION OF DUTY
The work will be executed primarily on site at the NATO HQ offices in Brussels, Belgium. Frequent travels or short deployments to NATO Command Structure bodies would be required. Due to the nature of the work, minimal teleworking can be foreseen.
The services of the contractor are required for the period starting 23 February 2023 until 31 December 2023.
6. SPECIFIC WORKING CONDITIONS
Secure environment with standard working hours. Occasional non-standard hours may be required in support of the NATO Chief Information Officer urgent tasks.
Occasional business travel may be required. Travel expenses to be reimbursed to the individual directly (in addition to the hourly rate) under NATO rules.
8. SECURITY AND NON-DISCLOSURE AGREEMENT
The contractor must be in possession or capable of possessing a security clearance of NATO SECRET.
A signed Non-Disclosure Agreement will be required.