2025-0093 Cybersecurity Scorecard Development and Assessment (NS) - FRI 2 May

Remote: Full Remote

Offer summary

Qualifications:

  • Extensive experience in cybersecurity with a focus on analytical assessment and scorecard development.
  • Proficiency in developing and refining methodologies for assessing cybersecurity maturity and performance.
  • Strong skills in data analysis and visualization, with familiarity in modern data visualization tools.
  • Excellent written and verbal communication skills for engaging with stakeholders.

Key responsibilities:

  • Organize and perform on-site cybersecurity scorecard assessments across various locations.
  • Guide and support non-NCIA managed Enterprise entities in conducting their self-assessments.
  • Analyze collected cybersecurity data and generate insightful reports and visualizations.
  • Continuously update and refine the assessment methodology to ensure its effectiveness.

EMW SME http://www.emw.com
51 - 200 Employees

Job description

Deadline Date: Friday 2 May 2025

Requirement: Cybersecurity Scorecard Development and Assessment

Location: Off-Site (+ 3 Site Visits Required)

Note: Please refer to your Subcontract Agreement, article 6.4.1.a, which states “Off-Site Discount: 5% (this discount is applicable to all requirements, and applies when the assigned personnel are permitted to work Off-Site, such as at-home)”. Please be sure to price this discount in your overall price proposal when submitting bids against off-site RFQs.

Period of Performance: 2025 BASE: 9 June (tentative) to 31 December 2025

Required Security Clearance: NATO Secret

 

1. Introduction

Background:

Cyber threats continue to evolve, requiring proactive and enterprise-wide strategies to protect sensitive data and operations. The NATO Enterprise recognized a need for a unified framework that measures and tracks cybersecurity readiness across diverse NATO Entities, some of which possess well-established security practices while others depend on external assistance. In response, the NATO Enterprise Scorecard was established to provide a high-level view of cybersecurity performance, enable data-driven decision-making, and identify performance gaps and areas for improvement across the NATO Enterprise.

In order to support this work, the NCIA is seeking additional assistance for the work undertaken by the NATO Cyber Security Centre (NCSC). This Statement of Work (SoW) specifies the required skillset and experience and expected deliverables.

2. Scope of work

The overall objective of this assignment is to support the development, execution and continuous improvement of the NATO Enterprise Cybersecurity Scorecard by contributing assessment activities, tools, methodology and reporting. The contractors will provide technical expertise and coordination support to enable effective performance assessment, self-evaluation, stakeholder engagement and results communication across NATO Enterprise.

To achieve these objectives, the contractors are expected to perform the following types of activities.

• Organize and perform on-site cybersecurity scorecard assessments across various locations as required.

• Guide and support various non-NCIA managed Enterprise entities in conducting their self-assessments.

• Analyse collected cybersecurity data and generate insightful reports and visualizations.

• Continuously update and refine the assessment methodology to ensure it remains effective and relevant to NATO’s needs.

• Effectively communicate with stakeholders at all levels.

The above activities will directly contribute to the production of the deliverables listed in the Deliverables section of this Statement of Work.

3. Deliverables

This work will be executed and funded as a service-based contract with a set of deliverables, and therefore delivery will be based on instructions provided by the project team.

It is envisioned that the services are to be provided by a team of two (2) persons having the qualifications mentioned in para.7.

For information, the primary deliverables for this work are anticipated to be:

D1 - Conducting On-Site Assessment:

• Deliverable: Completion of cybersecurity maturity and performance assessments at predefined locations (3 sites per contract period per contractor; will send both contractors on first site visit.)

• Output: A structured assessment report per site, including findings and highlights.

D2 - Supporting Self Assessments:

• Deliverable: Assistance provided to various non-NCIA managed Enterprise entities in conducting their self-assessments (15 sites per contract period per contractor)

• Output: A completed self-assessment report per site, including findings and highlights.

D3 - Compiling Results and Report Generation:

• Deliverable: Consolidated assessment report covering all on-site and self-assessment results, including dashboard and visualizations.

• Output: A fully compiled report with trend analysis (if applicable), visualizations, insights, and conclusions. The outline for the report will be provided.

D4 - Refining Assessment Methodology:

• Deliverable: Refined and updated scorecard methodology, incorporating feedback from entities and other stakeholders.

• Output: Documented refinements along with justifications and improvements.

D5 - Maintaining Self-Assessment Tools:

• Deliverable: Up-to-date self-assessment tools, questionnaires and KPIs.

• Output: Updated toolset with version control and change log.

Acceptance Criteria:

Each deliverable will be reviewed and considered acceptable when it meets all of the following criteria:

• Completeness: The deliverable includes all agreed components, sections or outputs in the task definition and scope.

• Quality: The content is logically structured and does not include major errors or inconsistencies.

• Relevance and Accuracy: The deliverable aligns with objectives of the assignment and reflects accurate and up-to-date information.

• Usability: The deliverable provides practical value to the project and is ready to use.

• Timeliness: The deliverable is submitted within the agreed timeframe or approved extension period.

• Timely participation: The contractor attends scheduled meetings, workshops and assessment activities (if the deliverable requires) on time and as agreed, contributing actively when required.

• Responsiveness: The revisions (if any) are delivered promptly and in alignment with the feedback received.

4. Payment Schedule

4.1. The payment shall be dependent upon successful acceptance of the Deliverable Acceptance Sheets (Annex A), signed by authorized point of contact and the Contractor.

4.2. Invoices shall be accompanied by the Deliverable Acceptance Sheets (Annex B) signed by the project authority and the Contractor.

4.3. Schedule of payments is based on the acceptance of the deliverables as described below:

| Deliverable | Qty (Qty will be split equally among the 2 resources) | Deliverables completion deadline Date |
|---|---|---|
| Deliverable 01: D1 (see para.3) | 6 | Q2-Q3 2025 |
| Deliverable 01: D2 (see para.3) | 30 | Q2-Q3 2025 |
| Deliverable 01: D3 (see para.3) | 2 | Q4 2025 |
| Deliverable 01: D4 (see para.3) | 2 | Q4 2025 |
| Deliverable 01: D5 (see para.3) | 2 | Q2-Q4 2025 (continuous) |

Payment Schedule: The payment is monthly, for the deliverables completed within the month, upon successful acceptance, based on the Delivery Acceptance Sheet and Weekly reports for the period.

4.4. The exact start date and due date for each deliverable will be jointly agreed upon by the Purchaser and the Contractor at the start of each period (month, quarter, etc.).

These due dates will be formally documented in an agreed tracking format, such as official email correspondence, or a shared deliverable tracking document. Only documented and mutually acknowledged due dates will be recognized for performance assessment and payment release.

4.5. If more than 2 (two) consecutive deliverables fail to meet quality standards or delivery times, the Purchaser reserves the right to escalate performance concerns in accordance with the CO-115786-AAS+ General and Special Provisions.

4.6. For any deliverable delay, the Purchaser reserves the right to withhold payment until satisfactory completion.

4.7. Failure to meet delivery times beyond 10 days can result in payment reduction up to 20% for the affected deliverable.

5. Work Execution

The work will mostly be executed remotely, but there will also be a requirement to visit sites for assessments as directed by the project team. Travel costs are out of scope and will be borne by the NCI Agency separately in accordance with the provisions of the AAS+ Framework Contract.

Due to the nature of the working environment, all services and deliverables outlined in this Statement of Work (SOW) will be performed by at least TWO (2) resources.

6. Reporting

At the end of each milestone, the Contractor shall report the completion and achievements to the Purchaser POC via email for each resource providing services under this SoW.

At the end of each milestone, the Contractor shall deliver the Delivery Acceptance Sheet (Annex A) for Purchaser approval and signature for each resource providing services under this SoW.

The deliverables shall be produced within the timeframes as requested and be of satisfactory quality to avoid re-work and ensure the achievement of the objectives and specific tasks. Any risks or potential delays shall be flagged immediately.

7. Period of Performance

The service is expected to start on 9th of June 2025 (tentative) and end no later than 31st December 2025.

8. Security and Non-disclosure Agreement

The resource providing services under this SOW must be in possession of a security clearance of NATO SECRET or above. The signature of a Non-Disclosure Agreement between the contractors contributing to this task and NCIA will be required prior to execution.

9. Qualifications

[See Requirements]

Requirements

8. Security and Non-disclosure Agreement

  • The resource providing services under this SOW must be in possession of a security clearance of NATO SECRET or above.

9. Qualifications

Delivery of services under this SOW requires proposed resources with the following qualifications:

  • Expertise in Cyber Security: Contractor’s personnel must have extensive experience in cyber security with a focus on analytical assessment, scorecard development and performance metrics. Contractor’s personnel must have a deep understanding of the cybersecurity processes such as Cyber Incident Management, Defensive Cyberspace Operations, Enterprise Risk Management and Cyber Threat Intelligence Analysis and Sharing.
  • Experience in Metrics and Measures Development: Contractor’s personnel must have experience in creating meaningful and actionable cybersecurity metrics and measures.
  • Methodology Development Skills: Contractor’s personnel must have proficiency in developing, refining and updating methodologies for assessing cybersecurity maturity and performance.
  • Data Analysis and Visualization Proficiency: Contractor’s personnel must have strong skills in data analysis and the ability to create insightful visualizations for complex data sets. Familiarity with modern data visualization tools is essential.
  • Communication Skills: Contractor’s personnel must have excellent written and verbal communication skills for engaging with various stakeholders and facilitating Enterprise-wide assessments.
  • The contracted individuals must be able to perform effectively and efficiently with minimal supervision.

Required profile

Spoken language(s):
English

Other Skills

  • Communication
