2022-0109 Contractor Support for Mapping NATO Cyber Security roles (NS) - WED 5

Deadline Date: Wednesday 5 Oct 2022

Requirement: Contractor Support for Mapping NATO Cyber Security roles to the NICE and SFIA framework

Full time on-site: No

NATO Grade: A/42,600 EUR

Required Start Date: 1 November 2022

End Contract Date: 31 December 2022

Required Security Clearance: NATO SECRET

1. INTRODUCTION

1.1 At present, there is no standardized way in NATO to describe Cybersecurity (CS) related roles, nor the Knowledge, Skills and Abilities that are required to perform each of these roles successfully.

The ambiguity in role descriptions makes it difficult to identify and communicate NATO’s workforce requirements for personnel filling and developing cybersecurity-related positions. In addition, the lack of a standardized terminology to describe NATO CS roles makes identifying and curating existing commercial training solutions for these roles a labor intensive as well as subjective task. Lastly, there is no agreed baseline to establish a minimum level of competency for each role, that could be fed in to specific Training Needs Analysis, which makes the development of new learning solutions and career paths for NATO Cyber CS roles challenging.

1.2 The NCI Academy aims to mitigate above challenges by mapping each CS related position in the NATO Command Structure to industry standards and frameworks, and by describing the Tasks, Knowledge, Skills and Abilities (KSA’s) that are associated with each role in a standardized terminology. Subsequently, this work includes referencing the standardized description of NATO CS roles to relevant NATO and commercial training courses, which may be added as an annex to NATO CS job descriptions (JDs).

1.3 The frameworks that will provide the foundation for this mapping exercise are:

• The Skills Framework for the Information Age (SFIA), and;

• The National Initiative for Cybersecurity Education framework (NICE).

As the SFIA framework describes ‘ICT roles’ in a more generic sense, and the NICE framework describes roles with a focus on Cyber Security, the two models can be regarded as complementary. In this work, each NATO CS role shall be analysed and the associated duties shall be mapped to the corresponding task descriptions of the SFIA and/or NICE framework. The role specific matches shall subsequently be fed into and tracked by a central database.

2. SCOPE OF WORK

2.1 Activities overview

The expert contractor team shall carry out the specific tasks and provide the deliverables per table 2-1 below:

2022 Activities and deliverables (in scope of the 2022 contract)

1 - Build inventory of the NATO CS job roles and associated job descriptions (to be stored in a central repository)

2 - Propose technical platform for the recording and analysis of all mapping results, for purchaser approval

3 - Implement purchaser approved technical platform for the recording of all mapping results. Deliverables included in this task:

• Database in place in which all mapping results can be stored

• Analysis and reporting capability enabled in order to provide numerical and visual dashboards and reports

Envisioned 2023 activities and deliverables (Out of scope of the 2022 contract. This work will be covered by a new competition and contract in 2023)

4 - Map JD duties to the SFIA framework. Deliverables included in this task:

• For each NATO CS JD in scope:

- Complete mapping of the respective duties to the SFIA framework

- Concrete recommendations articulated to existing NATO and commercial training programs

5 - Map JD duties to the NICE framework. Deliverables to be included in this task:

• For each NATO CS JD in scope:

- Complete mapping of the respective duties to the NICE framework

- Concrete recommendations articulated to existing NATO and commercial training programs

6 - Develop annex and visual overviews. Deliverables to be included in this task:

• For each NATO CS JD in scope: Annex and visual overviews developed to describe the SFIA/NICE mappings and training recommendations to NATO CS staff and their leaders

8 - Generate NATO-wide picture of CS role training requirements. Deliverables to be included in this task:

• Across all JDs: NATO-wide picture generated of CS role training requirements

• Due date final deliverables for 2022: 20 Dec 2022
• Cost 2022 not to exceed: EUR 42,600 EUR

2.2 Roles and responsibilities

This work will be conducted in close collaboration between the contractor and the NCI Academy, as described in table 2-2, and will be based on the NATO standards (Ref A):

NCIA – NCI Academy

• Managing Authority

• NCIA Project Management

• Cyber Training Lead

• Learning Design and Development (LDD) Lead

• Coordinator for NATO Cyber SMEs

Contractor

• Conduct analysis and mapping of all NATO CS roles to SFIA and NICE framework

3. SCHEDULE AND PRACTICAL ARRANGEMENTS

3.1. This is a deliverable based contract

3.2. The work shall be conducted 100% offsite but with occasional travel to NATO offices in Brussels, Mons and/or The Hague (up to 1 trip, with an expected duration of 2 days).

3.3. All travel and per diem costs shall be included in the Firm Fixed Price of this Contract, together with cost of lodging and subsistence costs for all individuals. There shall be no separate re-imbursement for travel and accommodation.

3.4. The work will be conducted from 01 November 2022 to 20 December 2022. Specific deliverables for 2022 are defined in Table 2-1.

3.5. All deliverables are subject to acceptance by NCIA Project Management in accordance with the requirements and terms laid out in this Contract.

3.6. Coordination and progress checks shall be conducted at least once per month during the period of performance with metrics reporting the work completed and work remaining, and during final report phase. These periodic checks can be accomplished remotely as required.

3.7. Schedule of payments. A single invoice shall be submitted and payment will be made after Purchaser’s written acceptance of the totality of the 2022 deliverables as defined in table 2-1.

Annex B – Special Terms and Conditions

Quoting Article 5.3 of AAS Framework Contract

“Travel costs associated with awarded Purchase/Task Orders will be processed by the Purchaser and reimbursed directly to AAS Framework Contractor personnel, for the majority of personnel assigned to the primary Purchaser locations (Mons, Belgium; Brussels, Belgium; and The Hague, Netherlands) in accordance with Purchaser Internal Policy. For personnel that cannot be directly reimbursed, the Purchaser will allocate Travel costs to each Purchase Order and all processing shall be accomplished through the AAS Framework Contractor. Travel requirements vary by requirement and shall be communicated to personnel in accordance with Article 7.1.2. Note that each AAS Framework Contractor is responsible for all liabilities during performance of Travel, and the AAS Framework Contractor indemnifies the Purchaser regarding these liabilities.”

Requirements

4. REQUIRED PERSONNEL QUALIFICATIONS

4.1 Contractor Mapping activities – MANDATORY Requirements

The Contractor personnel shall have the following experience:

• The personnel must have a currently active NATO SECRET security clearance
• Knowledge of / practical user experience with Cybersecurity
• Experience with the NICE and SFIA framework
• Experience with mapping job roles to frameworks and/or cyber related training offerings
• Experience with working in an international environment comprising both military and civilian elements
• Experience with NCI Agency and NATO
• Experience with technical platforms to support competency based talent management / job role mapping (e.g. Lexonis)
• Strong project management skills.

4.2 Language Proficiency – MANDATORY Requirements:

• Level 3 English language skills according to NATO STANAG 6001: Listening (3); Speaking (2); Reading (3); and Writing (2) or according to Common European Framework of Reference for Language level B2-C1/Upper Intermediate-Advanced level).