2024-0247 Penetration Testing Service (NS) - THU 4 Dec

EMW, Inc. is a global systems integration company providing lifecycle Systems Engineering and Technical Assistance (SETA), Engineering and Installation (E&I), Operations and Maintenance (O&M), and Force Protection technologies in Health IT, Cyber Security, Perimeter Security, and Telecommunications Infrastructure.

EMW, Inc.

Employee count: 51-200

Belgium only

Deadline Date: Thursday 4 December 2025

Requirement: Penetration Testing Service

Location: Off-Site

Note: Please refer to your Subcontract Agreement, article 6.4.1.a, which states “Off-Site Discount: 5% (this discount is applicable to all requirements, and applies when the assigned personnel are permitted to work Off-Site, such as at-home)”. Please be sure to price this discount in your overall price proposal when submitting bids against off-site RFQs.

Period of Performance: 2026 BASE: 1 Jan 2026 to 31 Dec 2026, with possibility to exercise the following options:

• 2027 Option: 1 January until 31 December 2027

• 2028 Option: 1 January until 31 December 2028

Required Security Clearance: NATO SECRET

1. PURPOSE

The objective of this statement of work (SoW) is to outline the scope of work and deliverables for the penetration testing service to be conducted by the selected company.

The purpose of the work package is to provide support to NATO Cyber Security Centre (NCSC) to fulfil identified penetration testing activities more effectively.

2. BACKGROUND

NCIA has been established with a view to meeting to the best advantage the collective requirements of some or all NATO nations in the fields of capability delivery and service provision related to Consultation, Command & Control as well as Communications, Information and Cyber Defence functions, thereby also facilitating the integration of Intelligence, Surveillance, Reconnaissance, Target Acquisition functions and their associated information exchange.

The NCIA NATO Cyber Security Centre (NCSC) is responsible for planning and executing all lifecycle management activities for cyber security. In executing this responsibility, NCSC provides specialist cyber security-related services covering the spectrum of scientific, technical, acquisition, operations, maintenance, and sustainment support, throughout the lifecycle of NATO Information Communications and Technology (ICT).

Within the NCSC, the Assess Branch performs comprehensive vulnerability assessments, penetration testing, security compliance audits and red teaming activities against NATO CIS components throughout their lifecycle and across the NATO CIS footprint, improving its cyber hygiene while contributing to the CIS accreditation, IT change management and cyber incident response and recovery processes. It reports on security shortfalls and provides expertise in support of the mitigation and remediation assistance process. The Section also supports exercises, software development assurance and purple teaming activities.

The Penetration Testing Section manages and conducts tailored penetration testing activities against NATO networks and systems, with the objective of assessing the impact of current cyber threats, as well as their likelihood and difficulty of exploitation, on NATO CIS, a NATO Mission or NATO’s cyber defences by emulating an intermediate or advanced cyber adversary. These unique activities are performed in support of accreditation, IT change management and software development assurance throughout the lifecycle of NATO CIS, during NATO exercises and in support of incident handling and recovery.

3. SCOPE OF WORK

To support the NCSC with the execution of tasks identified in the subject work package of the service, NCIA is looking for support in order to respond to the increasing demand for high quality security assessments and expertise.

This contract is to provide consistent support on a deliverable-based (completion-type) contract, for NCSC to contribute to its POW, based on the deliverables that are described below.

Being part of the Penetration Testing Section and under the direction of the Team Lead, the Contractor personnel will deliver the following services:

  • Providing Web, infrastructure and application level penetration testing, including but not limited to COTS software and NOTS/GOTS software (NATO/Government off the Shelf), following clearly defined methodologies.
  • Participating in kick-off meetings with stakeholders and technical points of contact in order to identify requirements for testing.
  • Following the documented procedures and workflows outlined by the technical leads.
  • Attending team meetings if required.
  • Writing technical reports in fluent English, following defined templates and Reporting Tools.
  • Briefing, at both executive and technical levels, on security reports and testing outcome, including at flag officer level.
  • In case of new vulnerabilities detected for COTS software, following the Responsible Disclosure Process and following-up with vendors and stakeholders.
  • Providing security design reviews to ensure compliance with NATO policies and directives.
  • In co-ordination with the Technical Lead of the Penetration testing team, ensuring proactive collaboration and coordination with internal and external stakeholders.
  • Staying abreast of technological developments relevant to the area of work.
  • Performing any other duties as may be required.

The measurement of execution for this work is sprints, with each sprint planned for a duration of 5 days.

4. SPRINT PLANNING, EXECUTION, REVIEW AND PAYMENT

Due to the AGILE approach of this project, the deliverables will be provided for each sprint as well as their associated acceptance criteria at the beginning of the sprint. This includes sprint planning, execution and review processes, which are detailed below:

4.1 Sprint Planning:

Objective: Plan the objectives for the upcoming sprint

Kick‐off meeting: Conduct a monthly meeting with the contractor’s personnel to plan the objectives of upcoming sprints and review the contractor’s manpower to meet the agreed deliverables.

Set sprint goals: Define clear, achievable goals for the sprint and associated acceptance criteria, including specific delivery targets, Quality standards as well as Key Performance Indicators (KPIs) for each task to be recorded in the sprint meeting minutes.

Agree on the required deliverables for each sprint

Backlog Review: Review and prioritise the backlog of tasks, issues, and improvements from previous sprints.

Assess each payment milestone cycle duration of one calendar month for the completed and accepted sprints within the month. State of completion and validation of each sprint status and sign off sprints to be submitted for payment as covered in Section 6.

4.2 Sprint Execution:

Objective: Contractor’s personnel to execute the agreed “sprint plans” with continuous monitoring and adjustments.

Regular meetings between NCIA and the Contractor’s personnel to review sprint progress, address issues, and make necessary adjustments to the processes or production methodology. The meetings will be held physically in the office.

Continuous improvement: Contractor’s personnel to establish a continuous feedback loop to gather input from all stakeholders for ongoing improvements and their subsequent implementation depending on NCIA approval.

Progress Tracking: Contractor’s personnel to use a shared dashboard or tool to track the status of the sprint deliveries and any issues.

Quality Assurance/Quality Check: Contractor’s personnel shall ensure that the quality standards agreed for the sprint deliverables are maintained throughout the sprint.

Quality Control: NCIA to perform the Final Quality Control of the agreed deliverables and provide feedback on any issues.

The deliverables shall be produced within the sprint as requested and be of satisfactory quality to avoid re‐work and to ensure the achievement of the objectives and sprint‐specific tasks.

4.3 Sprint Review:

Objective: Review the sprint performance and identify areas for improvement.

At the end of each 4 (four) sprints, there will be a meeting between the NCIA and the Contractor’s personnel to review the outcomes against the acceptance criteria comprising sprint goals, agreed quality criteria and Key Performance Indicators (KPIs).

Define specific actions to address issues and enhance the next sprint.

4.4 Sprint Payment:

The Payment Schedule will be monthly for the completed and accepted sprints within the month.

For each sprint to be considered as complete and payable, the Contractor’s personnel must report the outcome of their services during the sprint, first verbally during the retrospective sprint review meeting and then in writing within five days after the month’s end date. A report must be sent by email to the NCIA service manager, listing all the services achieved against the agreed tasking list set for the sprint.

The contractor's payment will depend upon the achievement of the agreed Acceptance Criteria for each task, defined at the sprint planning stage. This will include specific delivery targets, quality standards as well as Key Performance Indicators (KPIs) for each task.

The payment shall be dependent upon successful acceptance as set in the above planning/review meetings. This will follow the payment milestones that shall include a completed Delivery Acceptance Sheet (DAS) – (Annex B).

Invoices shall be accompanied with a Delivery Acceptance Sheet (DAS) – (Annex B) signed by the Contractor’s personnel and project authority.

If the Contractor’s personnel fails to meet the agreed Acceptance criteria for any task, the NCIA reserves the right to withhold payment for that task/sprint.

5. DELIVERABLES AND PAYMENT MILESTONES

The following deliverables are expected from the service on this Statement of Work:

1) Complete the activities/tasks agreed in each sprint meeting as per section 3 above.

2) Produce sprint completion reports (format: e-mail update), which include details of activities performed and the list of the deliverables of the week.

3) The contractor will participate in the daily reporting and planning activities (daily stand-ups) as well as the required participation in workshops, events and conferences related to the supported services, as requested by the service delivery manager.

4) Payment schedule will be according to the payment milestones upon completion of the respective sprint, that is, upon completion and validation of each sprint and at the end of the monthly milestone, following the acceptance of the sprint report.

5) The Purchaser (NCIA) reserves the right to exercise a number of options of one or more sprints based on the same deliverables, at a later time, depending on the project priorities and requirements, at the following cost: for base year (2026) at the same cost, for following years (2027-2028) the Price Adjustment Formula will be applied in accordance with paragraph 6.5 of the Framework Contract Special Provisions.

6) The payment shall be dependent upon successful acceptance of the sprint report and the Delivery Acceptance Sheet (DAS) – (annex B).

7) Invoices shall be accompanied by a Delivery Acceptance Sheet (annex B) signed by the contractor and the NCIA POC.

5.1 2026 BASE: period of performance 1 JAN 2026 to 31 DEC 2026

Deliverable: 30 sprints

Payment Milestones: Payment Schedule will be monthly for the completed and accepted sprints within the month and at the end of the service.

5.2 2027 and 2028 OPTIONS: period of performance 1 JAN to 31 DEC

Deliverable: 30 sprints

Cost Ceiling: Price per sprint will be determined by applying the price adjustment formula as outlined in CO-115786-AAS+ Special Provisions article 6.5.

Payment Milestones: Payment Schedule will be monthly for the completed and accepted sprints within the month and at the end of the service.

6. COORDINATION AND REPORTING

The contractor shall participate in weekly status update meetings, activity planning and other meetings as instructed, physically in the office, or in person via digital means using conference call capabilities, according to the manager’s / team leader’s instructions.

For each sprint to be considered as complete and payable, the contractor must report the outcome of his/her work during the sprint, verbally during the retrospective meeting.

Upon completion of each penetration test, whether executed in one or multiple sprints as determined by the NCSC Penetration Testing Technical Lead, the Contractor shall, within five (5) calendar days, prepare and deliver a penetration test report in accordance with NCSC-prescribed templates and tools.

At the end of the project, the Contractor shall provide a Project Closure Report that summarizes the activities during the period of performance at a high level.

7. SCHEDULE

This task order will be active immediately after signing of the contract by both parties.

The period of performance is as soon as possible but not later than 1 January 2026 and will end no later than 31 December 2026.

The Purchaser reserves the right to exercise the following options:

  • 2027 Option: 1 January until 31 December 2027
  • 2028 Option: 1 January until 31 December 2028

8. CONSTRAINTS

All the deliverables provided under this statement of work will be based on NCI Agency templates or agreed with the project point of contact.

All documentation will be stored under configuration management and/or in the provided NCI Agency tools.

9. SECURITY AND NON-DISCLOSURE AGREEMENT

It is mandatory to have the candidate be in possession of a NATO SECRET security clearance to facilitate follow-on engagements and coordination at NATO venues.

The signature of a Non-Disclosure Agreement between the contractor contributing to this task and NCIA will be required prior to execution.

10. PRACTICAL ARRANGEMENTS

The contractor will be required to work 100% offsite as part of this engagement with working hours to be adjusted with NCSC.

The contractor will be required to work within a NATO country, following the rules and regulations applicable for the operations of NATO CIS.

The contractor may be required to travel to other NATO locations as part of his role. Travel expenses for missions to NATO/NCIA locations other than Mons / BEL will be reimbursed to the individual directly (outside this contract) under NATO rules.

Regular travel costs to and from main location of the work (NATO HQ) are out of scope and will be borne by the contractor.

This work must be accomplished by one contractor.

The Purchaser will provide the contractor with the following Purchaser-Furnished Equipment (PFE):

• Access to NATO sites, as required, for the purpose of executing this SOW.

• Workspace (needed business IT for both on- and off-site work, hot-desk at NCSC facility).

• NCIA “REACH” laptop to be used by the contractor for the execution of the contract.

11. REQUIREMENTS

Mandatory Experience and Education:

  • The contractor personnel will be required to have a Bachelor of Science (BSc) degree at a nationally recognised/certified university in a technical subject with substantial Information Technology (IT) content and 3 years post-related experience. As an exception, the lack of a university degree may be compensated by the demonstration of a candidate’s particular abilities or experience that are of interest to the NCI Agency; namely, at least 10 years of extensive and progressive experience in the duties related to the functions of this post.
  • Extensive knowledge and experience (at least 3 years) in web application penetration testing
  • Extensive knowledge and experience (at least 3 years) in IT infrastructure penetration testing
  • Extensive knowledge and experience (at least 3 years) in network security architecture design
  • Extensive knowledge and experience (at least 3 years) in assessing security vulnerabilities within OS, software, protocols & networks
  • Extensive knowledge and experience (at least 3 years) in researching and evaluating security products & technologies
  • Knowledge in system and network administration of UNIX and Windows systems
  • Extensive knowledge and experience (at least 3 years) in use of penetration testing tools, techniques, and recognized testing methodologies
  • Scripting skills in at least one of the following: Python, Go, PowerShell, shell (bash, ksh, csh)
  • Technical knowledge in system and network security, authentication and security protocols, cryptography, application security, as well as malware infection techniques and protection technologies.
  • Ability to evaluate risks and formulate mitigation plans.
  • Proven ability to brief at executive level on security findings, reports and testing outcome.
  • Proven ability to write clear and structured technical reports including executive summary, technical findings and remediation plan for several different audiences.
  • Language Proficiency: A thorough knowledge of one of the two NATO languages, both written and spoken, is essential and some knowledge of the other is desirable. NOTE: Most of the work of the NCI Agency is conducted in the English language.

Desirable Experience and Education:

  • Professional qualifications: OSCP, OSCE, OSWE, GPEN, CREST Certified Web Application Tester, GXPN, GWAPT or equivalent
  • Familiarity with risk analysis methodologies.
  • Prior experience of working in an international environment comprising both military and civilian elements.
  • Knowledge of NATO organization, internal structure and resultant relationships.

About the job

Job type: Contractor

Experience level: Senior

Hiring timezones: Belgium +/- 0 hours

About EMW, Inc.

EMW, Inc. stands at the forefront of systems integration, pioneering advanced solutions across critical sectors since its establishment in 1995. Through groundbreaking approaches, EMW is revolutionizing Health Information Technology (HIT), Cyber Security and Information Assurance, Perimeter Security, and Telecommunications Infrastructure. The company's innovative spirit is evident in its history of achievements, such as being the first to deploy a converged multi-service enterprise for 40,000 ports of data, voice over ATM, and video to support the Defense Information Systems Agency (DISA) in Eastern Europe. Furthermore, EMW led the way in deploying click-to-meet collaboration software for coalition forces, enhancing operational capabilities worldwide. This commitment to innovation ensures that EMW provides secure, cutting-edge connectivity solutions to both private and public sector organizations globally, adapting to complex and challenging environments with agility and expertise. EMW's dedication to quality is underscored by its certifications in ISO 9001:2015, ISO 20001-1:2011, and ISO 27001:2013, ensuring a full range of processes and procedures are in place to deliver superior products and services.

At EMW, the drive for technological advancement is embedded in its core. The company leverages its deep understanding of lifecycle Systems Engineering and Technical Assistance (SETA), Engineering and Installation (E&I), and Operations and Maintenance (O&M) to deliver robust and future-proof solutions. EMW's team, comprising seasoned professionals from leading systems integration, telecommunications, and R&D entities like Northrop Grumman, Lucent, Sprint, AT&T, and Bell Labs, consistently pushes the boundaries of what's possible. Their expertise spans the design, integration, deployment, and management of a full spectrum of sensors, access control systems, and countermeasure systems. By staying abreast of emerging technologies and maintaining a vigilant eye on future trends, EMW ensures its solutions not only meet current demands but are also prepared for the challenges of tomorrow. This proactive stance solidifies its reputation as a 'go-to' organization for rapid response requirements in support of expeditionary needs for US Department of Defense (DoD), NATO, and US Federal Civilian organizations across multiple continents. EMW's sound organizational infrastructure, encompassing human resources, contract management, finance, and project control, further enables its global responsiveness and adaptability.
