2022-0096 Cybersecurity cultural assessment and Outreach model dev - THU 29 Sep

Required Start Date: 18 October 2022 (or earlier, if possible)

End Contract Date: 20 December 2022

Duties & Role:

Annex A – Statement of Work

STATEMENT OF WORK (SoW)

Contractor Support for development of a Cybersecurity cultural assessment and Outreach model

Table of Contents

1. INTRODUCTION

2. SCOPE OF WORK

3. ROLES AND RESPONSIBILITIES

4. SCHEDULE AND PRACTICAL ARRANGEMENTS

5. REQUIRED PERSONNEL QUALIFICATIONS

References

A. BiSC Directive 75-7, “Education and Individual Training (E&IT)”. September 2015 (NU)

1. INTRODUCTION

1.1 The NATO Communications and Information Academy (NCI Academy) consolidates all Education and Training services provided by the NCI Agency. The NCI Academy provides NATO with a world-class training capability to maintain its technological advantage. The NCI Academy provides training on both static and deployed NATO communication and information systems (CIS), Air Command and Control (AirC2), cyber security and cyber defense. In addition, it plays a pivotal role in designing and developing new learning solutions for our customers, by conducting a thorough analysis of training needs and leveraging the latest learning technology.

1.2 For a new project, the NCI Academy will develop an outreach model and orchestrate a series of engagements with multiple NATO entities to raise Cybersecurity awareness across NATO and build a NATO Enterprise Cybersecurity culture.

1.3 Background: Cybersecurity is not just about technology, it is ultimately about people. How we think about cybersecurity, what we prioritize and how we act, from the top political level to every individual in the organization. The 2021 Verizon Data Breach Investigations Report, one of the most reputable sources of analysis regarding security incidents, identified the human factor playing a significant role in over 85% of all breaches investigated during that year, whether that entailed falling for a phishing attack, making bad decisions that lead to malware infections, or using easily decipherable passwords. The human element is a risk every organization needs to be actively managing, and a strong security culture creates a safe environment for that to happen. Cybersecurity culture drives the behaviours, perceptions and beliefs of all staff towards cybersecurity, and the stronger the cybersecurity culture in our organization is, the more likely our workforce will exhibit secure behaviours, resulting in a far more secure NATO Enterprise.

1.4 Therefore, the central objective of this project is to enhance cybersecurity culture, improving awareness, enhancing the communication between the cybersecurity community and NATO leaders, and creating a space for sharing views with other national and international organizations, Academia and Industry. Activities will pertain to creating a steady stream of communication around CS, bringing it from a specialist only forum to a wider audience, including executive leadership, in order to enhance the cybersecurity culture throughout the NATO Enterprise.

Chapter 2 will further elaborate on the content and expected outcomes of the work.

2. SCOPE OF WORK

The expert contractor team shall carry out the specific tasks, as described in paragraph 2.1 below:

2022 ACTIVITIES AND DELIVERABLES (IN SCOPE OF THIS CONTRACT)

TASK 1 - Conduct analysis of Cybersecurity culture in the NATO Enterprise

The expected output is a report that describes:

• a recognized model for defining and measuring cybersecurity culture in large organizations (including success criteria) applicable to the NATO Enterprise
• a description of the NATO target audiences that should be in scope of cybersecurity culture building activities
• Definition of a CS culture measurement methodology for the NATO Enterprise;
• collection and calculation of the current situation measurement for the NATO Enterprise cybersecurity culture
• a gap analysis towards the programme’s goals / cybersecurity culture success criteria

Envisioned 2023 activities and deliverables (Out of scope of this contract. This work will be covered by a new competition and contract in 2023)

Task 2 - Develop and execute a NATO wide CS outreach model

Based on the outcome of the NATO Cybersecurity culture measurement: define and execute the outreach activities, to include:

• Develop 12-month rolling plan (to be reviewed quarterly) with event calendar promoting cybersecurity, to include live online panels, recorded webinars, face-to-face conferences etc.;
• Promotion / marketing plan for the various events;
• Deliver a sustained Enterprise CS awareness campaign continuously delivered to NATO audiences;
• Identify lessons and ideas generated in these events and disseminate them across the relevant NATO stakeholders.

Task 3 - Periodically measure the cybersecurity culture levels and analyse the results, to

conclude on the success of each set of activities

Due date final deliverable of the 2022 activities: 20 Dec 2022

Cost not to exceed: EUR 30k

3. ROLES AND RESPONSIBILITIES

The work shall be conducted in close collaboration between the Contractor and the NCI Academy, as described in table 2-2, and will be based on the NATO standards (Ref A):

NCIA – NCI Academy:

• Managing Authority
• NCIA Project Management
• Learning Design and Development (LDD) Lead
• Cyber Training Branch Head
• Provider of direction and guidance for training needs analysis

Contractor:

• Conduct CS culture assessment

4. SCHEDULE AND PRACTICAL ARRANGEMENTS

4.1 This is a deliverable based contract.

4.2 Services shall be delivered 100% offsite, but where needed with occasional travel to NATO

offices in Oeiras (Portugal) Brussels and/or Mons (up to 2 trips). Travel requires the prior

coordination with and approval of the NCIA Project Manager.

4.3 All travel and per diem costs shall be included in the Firm Fixed Price of this Contract,

together with cost of lodging and subsistence costs for all individuals. There shall be no

separate re-imbursement for travel and accommodation.

4.4 Services shall be conducted from 18 October 2022 at the latest to 20 December 2022.

4.5 The final deliverables will need to be agreed with the Branch Head Cyber Training and the

Branch Head Learning Design and Development in the NCI Academy.

4.6 Schedule of payments.

A single invoice shall be submitted and payment will be made after Purchaser’s written

acceptance (Delivery Acceptance Sheet (DAS) (Annex B)) for the following deliverables:

Deliverable: Conduct analysis of Cybersecurity culture in the NATO Enterprise as defined in table 2-1

Delivery Date: 20 Dec 2022

Payment Amount: 100% of the total contract value

Invoice to include the dully signed DAS and the EBA Receipt number shall be submitted to

Purchaser for payment in accordance with the Contractual Terms and Conditions.

Requirements

5. REQUIRED PERSONNEL QUALIFICATIONS

5.1 Contractor – MANDATORY Requirements

• Experience with Cybersecurity
• Experience with cultural assessments and organising Outreach activities
• Experience with working in an international environment comprising both military and civilian elements.
• Strong project management skills
• Experience with NCI Agency and NATO
• Knowledge of / practical user experience in the field of Cybersecurity

5.2 Contractor – DESIRED Requirements

• Experience with development of engaging online and blended learning methodologies

Language Proficiency:

• Level 3 English language skills according to NATO STANAG 6001: Listening (3); Speaking (2); Reading (3); and Writing (2) or according to Common European Framework of Reference for Language level B2-C1/Upper Intermediate-Advanced level).