EMW, Inc. logo

NATOIS-0014 Security Accreditation Support (NS) - THU 28 Nov

EMW, Inc.
Contract
Remote
Belgium, Belgium

Deadline Date:               Thursday 28 November 2024

Requirement Title:      SECURITY ACCREDITATION SUPPORT

Location:                         Brussels, Belgium                       

Full time on-site:           No (Hybrid)

Total Scope of the request (hours):     1672

Required Start Date:    02 January 2025

End Contract Date:       31 December 2025

Required Security Clearance:  NATO Secret

Duties and Role

The Cyber Threat Analysis Branch is responsible for providing evidence-based assessments of the cyber threat landscape to empower NATO stakeholders to make risk-informed decisions. The multidisciplinary team combines all-source data with cutting edge technologies to support and enhance the Alliance leaderships’ understanding on the nature of cyber competition and conflict. CTAB systematically identifies strategic patterns and trends in cyber space and generates tailored insights to support network defence and mission assurance with predictive analysis, cyber threat intelligence, and threat hunting.

The contractor will support the work of the OCIO and Cyber Threat Analysis Branch by supporting the security accreditation process for a cloud based environment, specifically focused on AWS (Amazon Web Services).

TASKS

To provide security accreditation support services, the contractor will work closely with the NATO Office of Security (NOS) and DevSecOps engineers to ensure that current and future improvements to the cloud environment are aligned with the security accreditation policies. The contractor will be responsible for drafting the necessary paperwork regarding processes, procedures, policies and governance. Specific tasks include:

2.1 Make sure the necessary security controls are put in place in the following security control domains:

• Audit and Assurance

• Application and Interface Security,

• Business Continuity Management and Operations Resilience

• Business Continuity Management and Operations Resilience

• Change Control and Configuration Management

• Cryptography, Encryption and Key Management

• Data Centre Security, Data Security and Privacy Lifecycle Management

• Governance, Risk and Compliance

• Human Resources, Identity and Access Management

• Interoperability and Portability, Infrastructure and Virtualisation

• Logging and Monitoring, Security Incident Management, e-Discovery and Cloud Forensics

• Supply Chain Management, Transparency and Accountability

• Threat and Vulnerability Management, Universal Endpoint Management

Document how the security controls are put in place by drafting processes, procedures and policies. Work together with the engineers and developers to shape a clear picture of the cloud environment and how the team and tools interact with it. Cooperate with NOS to find the balance between security and usability.

o Measurement: Documentation in the form of procedures, policies and processes. Documentation should be of a standard that the work is easily understood and replicable.

2.2 Stakeholder Engagement:

• Collaborate with cross-functional teams, including IT, security, compliance, and management, to gather information, address concerns, and ensure alignment throughout the accreditation process.

• Serve as a subject matter expert on cloud accreditation, providing guidance and support to stakeholders.

• Participate in meetings, workshops, and presentations to communicate accreditation requirements, progress, and recommendations to stakeholders at various levels.

o Measurement: Excellent cooperation and visibility between involved teams at any point during the project. Constant engagement and interaction without being prompted.

2.3 Accreditation Process Management:

• Develop and implement an accreditation calendar with specific steps that need to be followed in accordance with NATO’s cloud directives. Plan, support, monitor and track the progress of accreditation activities, ensuring adherence to timelines and milestones. Periodically report the progress to stakeholders

o Measurement: Planning documents with clear milestones and timelines. Adherence to reasonable milestones and time tables.

LOCATION

The work is to be executed mostly remotely, but it is required to be at least one day per week on-site at the NATO HQ offices in Brussels, Belgium.

TIMELINES

The services are to be provided starting 02 January 2025 to 31 December 2025

SPECIFIC WORKING CONDITIONS

Secure environment with standard working hours, with the exception of working in non-standard working hours up to 360 hours annually.

In addition, it may exceptionally be required to work non-standard hours in support of a major Cyber Incident, or on a shift system for a limited period of time due to urgent operational needs.

TRAVEL

No travel is required.

SECURITY AND NON-DISCLOSURE AGREEMENT

The contracted individual must be in possession or capable of possessing a security clearance of NATO Secret.

A signed Non-Disclosure Agreement will be required.

  • A university degree from a nationally recognised/certified University in a technical subject with substantial Information Technology (IT) content and 3 years of specific experience. Exceptionally, the lack of a university degree may be compensated by the demonstration of a contractor’s particular abilities or experience that is/are of interest to the OCIO; that is, at least 5 years extensive and progressive expertise in the tasks related to the function of the security accreditation support.
  • NATO Secret security clearance

Mandatory

Expert level in at least three of the following areas and a high level of experience in the other areas:

  • Experience in setting up AWS cloud environments.
  • Experience in Linux system engineering and network engineering.
  • Experience in security architecture.
  • Demonstrate expertise in AWS-specific accreditation requirements, such as AWS Well-Architected Framework, AWS Security Best Practices, and AWS Compliance Programs.
  • Strong knowledge of cloud security best practices, industry standards, and regulatory compliance frameworks (e.g., PIC-DSS, ISO 27001, SOC 1, SOC 2).

Desirable

  • Experience with Docker and Serverless in a secure environment.
  • Experience with security accreditation processes.
  • Experience in the Cyber Threat Intelligence and Research domain.
  • Knowledge of NATO Security Policy and supporting directives.
  • Prior experience of working in an international environment comprising both military and civilian elements.
  • Knowledge of NATO responsibilities and organization.