13046
29-11-2024
SECURITY ACCREDITATION SUPPORT
NATO HQ - Brussels, Belgium

NATOIS-0014, SECURITY ACCREDITATION SUPPORT

Duties

To provide security accreditation support services, the contractor will work closely with the NATO Office of Security (NOS) and DevSecOps engineers to ensure that current and future improvements to the cloud environment are aligned with the security accreditation policies. The contractor will be responsible for drafting the necessary paperwork regarding processes, procedures, policies and governance. Specific tasks include:

Make sure the necessary security controls are put in place in the following security control domains:

  • Audit and Assurance
  • Application and Interface Security
  • Business Continuity Management and Operations Resilience
  • Change Control and Configuration Management
  • Cryptography, Encryption and Key Management
  • Data Centre Security, Data Security and Privacy Lifecycle Management
  • Governance, Risk and Compliance
  • Human Resources, Identity and Access Management
  • Interoperability and Portability, Infrastructure and Virtualisation
  • Logging and Monitoring, Security Incident Management, e-Discovery and Cloud Forensics
  • Supply Chain Management, Transparency and Accountability
  • Threat and Vulnerability Management, Universal Endpoint Management

  • Document how the security controls are put in place by drafting processes, procedures and policies.
  • Work together with the engineers and developers to shape a clear picture of the cloud environment and how the team and tools interact with it.
  • Cooperate with NOS to find the balance between security and usability.
  • Measurement: Documentation in the form of procedures, policies and processes. Documentation should be of a standard that the work is easily understood and replicable.

Stakeholder Engagement:

  • Collaborate with cross-functional teams, including IT, security, compliance, and management, to gather information, address concerns, and ensure alignment throughout the accreditation process.
  • Serve as a subject matter expert on cloud accreditation, providing guidance and support to stakeholders.
  • Participate in meetings, workshops, and presentations to communicate accreditation requirements, progress, and recommendations to stakeholders at various levels.
  • Measurement: Excellent cooperation and visibility between involved teams at any point during the project. Constant engagement and interaction without being prompted.

Accreditation Process Management:

  • Develop and implement an accreditation calendar with specific steps that need to be followed in accordance with NATO’s cloud directives.
  • Plan, support, monitor and track the progress of accreditation activities, ensuring adherence to timelines and milestones.
  • Periodically report the progress to stakeholders.
  • Measurement: Planning documents with clear milestones and timelines. Adherence to reasonable milestones and timetables.

Requirements

  • A university degree from a nationally recognised/certified University in a technical subject with substantial Information Technology (IT) content and 3 years of specific experience.
  • Exceptionally, the lack of a university degree may be compensated by the demonstration of a contractor’s particular abilities or experience that is/are of interest to the OCIO; that is, at least 5 years of extensive and progressive expertise in the tasks related to the function of the security accreditation support.

Mandatory

  • Expert level in at least three of the following areas and a high level of experience in the other areas:
  • Experience in setting up AWS cloud environments.
  • Experience in Linux system engineering and network engineering.
  • Experience in security architecture.
  • Demonstrate expertise in AWS-specific accreditation requirements, such as AWS Well-Architected Framework, AWS Security Best Practices, and AWS Compliance Programs.
  • Strong knowledge of cloud security best practices, industry standards, and regulatory compliance frameworks (e.g., PCI DSS, ISO 27001, SOC 1, SOC 2).

Desirable

  • Experience with Docker and Serverless in a secure environment.
  • Experience with security accreditation processes.
  • Experience in the Cyber Threat Intelligence and Research domain.
  • Knowledge of NATO Security Policy and supporting directives.
  • Prior experience of working in an international environment comprising both military and civilian elements.
  • Knowledge of NATO responsibilities and organization.

Location

The work is to be executed mostly remotely, but the contractor is required to be on-site at the NATO HQ offices in Brussels, Belgium at least one day per week.
