# 2026-0030 NIAPC Content Management (NS) - FRI 12 Jun

> EMW, Inc. · Braine-l'Alleud, Belgium · Contract · Posted 2026-06-01

**Workplace:** on_site

**Department:** AAS

## Description

**1\. Bidding Instructions**

**1.1 Technical Proposal**

Bidders shall submit a proposal clearly providing the following information:

**a:** The proposed approach to address the required scope of work and the required delivery and milestones plan.

**b:** CVs of the assigned resource(s) for the project. It is up to the bidder to propose the size of the team that executes the work and produces the deliverables in the time line allocated.

**c:** A compliancy matrix clearly stating how your proposal meets the deliverables/performance goals outlined in Part 2, Section 5.

**Deadline Date:** Friday 12 June 2026

**Requirement:** NIAPC Content Management

**Location:** Braine l’Alleud, BE (2026); Brussels (Evere), BE from Q3 2027 (2027 Option); Brussels (Evere), BE (2028 Option)

**Period of Performance:** 2026 BASE: As soon as possible but not later than 3 August 2026 – 23 December 2026, with possibility to exercise the following options:

2027 Option: 2 January 2027 – 23 December 2027;

2028 Option: 2 January 2028 – 23 December 2028

**Required Security Clearance:** NATO SECRET

**1\. Introduction**

NCIA has been established with a view to meeting the collective requirements of some or all NATO nations in the fields of capability delivery and service provision related to Consultation, Command & Control as well as Communications, Information and Cyber Defense functions, thereby also facilitating the integration of Intelligence, Surveillance, Reconnaissance, Target Acquisition functions and their associated information exchange.

The NATO Cyber Security Centre (NCSC) is a team of over 200 members working to monitor and protect NATO networks. In the NCSC’s role to deliver robust security services to the NATO Enterprise and NATO Allied Operations and Missions (AOM), the center executes a portfolio of programs and projects around 219 MEUR per year, in order to uplift and enhance critical cyber security services. The Portfolio ranges from Program of Work (POW) activities funded via the NATO Military Budget (MB) to Critical/Urgent Requirements (CURs/URs) and NATO Security Investment Program (NSIP) projects funded via the Investment Budget (IB). In some edge cases, projects are also funded via the Civilian Budget (CB). Projects can span multiple years and are governed by various frameworks, including the Common Funded Capability Development Governance Framework (CFCDGM).

The NATO Information Assurance Product Catalogue (NIAPC) is an authoritative catalogue mandated under AC/322 directives and delivered as a funded service under NCSC INFORM SEC036. The NIAPC was developed initially under directive AC/322-D(2010)0042 (22 Sep 2010) later on superseded by AC/322-D(2019)0041 REV1 – Technical and Implementation Directive on Introducing Secure Systems and Solutions (Appendix B / NIAPC).

The catalogue provides a single point of reference for the initial selection of security enforcing products. Its effectiveness is further extended by the inclusion of lists of common specifications, in the form of protection profiles, as used in Common Criteria certification (both Protection Profiles (PPs) and collaborative protection profiles (cPPs)) together with their associated supporting documents as described in Appendix A of this Directive.

The catalogue may also contain national requirements (such as national specifications, national Requirement Profiles for Product Types, etc.) by an NCSA, provided these are relevant for the evaluation and approval of a product, hereinafter referred to as “Requirement Profiles”. These Requirement Profiles do not necessarily need to be CC compliant, but according to an assessment of the responsible NCSA, they should be essential and eligible for a listing in the NIAPC together with an approved product.

Since emission security and cryptographic security can form all or parts of the security features of a product, certified TEMPEST vendors, and approved Cryptographic Products and Mechanisms, are also listed in the catalogue.

The system is Internet facing, accessible publicly and can be found at [https://www.ia.nato.int/niapc](https://www.ia.nato.int/niapc)

This Statement of Work defines outcome-based services to ensure controlled intake, catalogue accuracy, transparency of processing, and sustained service performance in compliance with Service-Based Contract NCIA/FC/2025/03519 directive.

**2\. Scope of Work**

The Contractor shall deliver NIAPC service flavor outcomes, including controlled request intake, execution of approved workflows, maintenance of catalogue accuracy, and delivery of service reporting. The Contractor retains full responsibility for how capacity is organized to achieve these outcomes. This contract does not constitute staff augmentation.

**3\. Deliverables**

The following outcomes are to be delivered:

**Deliverable D1 – Controlled NIAPC Intake and Processing**

**Deliverable D1:** All NIAPC-related requests are registered, processed, and closed using approved workflows with full traceability.

**Acceptance Criteria A1:** 0 orphaned or unmanaged requests at the time of reporting; ≥ 90% of requests follow the defined workflow (excluding justified exceptions); measurements executed on the NCIA COMS capability (Atlassian JIRA) where all workflows are executed; backlog levels are monitored and maintained in line with SLA2 (Section 4), as evidenced through reporting (D5).

**D1 KPIs**

**KPI D1.KPI.Orphaned/Unmanaged Requests:** Request Ownership Compliance. Definition: Percentage of requests with an assigned owner and active status. Formula: Ownership Compliance (%) = (Total Requests − Orphaned Requests) / Total Requests × 100. Target: 100% (0 orphaned/unmanaged requests). Data Source: JIRA fields (Assignee, Status). Reporting Frequency: Daily/Weekly. Alert Threshold: < 100%.

**KPI D1.KPI.Workflow Execution Coverage:** Request Workflow Utilization. Definition: Degree to which all requests are processed within the official NCIA COMS (JIRA) workflows. Formula: Workflow Utilization (%) = Requests Processed in JIRA / Total Requests × 100. Target: 100%. Data Source: JIRA system records vs. external intake sources. Reporting Frequency: Monthly.

**KPI D1.KPI.Backlog SLA Compliance:** Backlog SLA Compliance. Definition: Percentage of backlog items within SLA2 thresholds (as defined in Section 4). Formula: Backlog SLA Compliance (%) = Backlog Items Within SLA / Total Backlog Items × 100. Target: Defined by SLA2 (e.g., ≥ 95%). Data Source: JIRA backlog age, priority, SLA timers. Reporting Frequency: Weekly. Supporting Metrics: Average age of backlog items; Number of SLA breaches.

**Deliverable D2 – Authoritative NIAPC Catalogue**

**Deliverable D2:** The NIAPC catalogue accurately reflects all approved products and vendors.

**Acceptance Criteria A2:** 100% of approved products and vendors are reflected in the NIAPC catalogue within the expected delay after the workflow is fully executed; catalogue accuracy is evidenced through reporting and/or sample validation; any product no longer approved shall have its status changed not later than 8 hours after the end of the approval period; the vendor address and means of contact are updated not later than 1 working day after the vendor’s request is validated; publication timelines aligned with SLA1 are demonstrated in reporting.

**D2 KPIs**

**KPI D2.KPI.Catalogue Update Timeliness:** Catalogue Publication Timeliness. Definition: Measures how quickly approved products/vendors are reflected in the NIAPC catalogue after workflow completion. Formula: On-Time Publication (%) = Items Published Within Expected Delay (SLA.1) / Total Approved Items × 100. Target: 100%. Data Source: Workflow completion timestamps vs. catalogue publication timestamps. Reporting Frequency: Monthly. Alert Threshold: < 100%.

**Deliverable D3 – Process Transparency**

**Deliverable D3:** NIAPC workflows, decisions, and lessons learned are documented and maintained for audit and CSI purposes.

**Acceptance Criteria A3:** Workflows are documented and accessible in the COMS platform; key decisions and process changes are recorded and traceable; documentation supports traceability of service execution (sample-based verification acceptable); documentation is maintained and available for review during the reporting period.

**D3 KPIs**

**KPI D3.KPI.Workflow Documentation Availability:** Workflow Documentation Coverage. Definition: Measures whether all workflows are documented and accessible in the COMS platform. Formula: Coverage (%) = Documented & Accessible Workflows / Total Identified Workflows × 100. Target: 100%. Data Source: COMS repository (e.g., JIRA/Confluence workflow documentation inventory). Reporting Frequency: Quarterly. Validation Method: Inventory check + accessibility verification (permissions, links working).

**Deliverable D4 – Stakeholder Engagement & Communication**

**Deliverable D4:** Vendors and NATO catalogue users are informed about any relevant platform availability change impacting the catalogue usage.

**Acceptance Criteria A4:** Major incidents or service-impacting changes are communicated to stakeholders; communication is documented and traceable; evidence of communication is available and consistent with reporting (R2).

**D4 KPIs**

**KPI D4.KPI.Major Incident Stakeholder Communication Compliance:** Definition: Measures whether major incidents and service-impacting changes are communicated to relevant stakeholders. Formula: Communication Compliance (%) = Incidents/Changes Communicated / Total Major Incidents/Service-Impacting Changes × 100. Target: 100%. Data Source: Incident records, change records, communication logs. Reporting Frequency: Monthly. Notes: Scope should clearly define “major incident” and “service-impacting change”; communication channels may include email, portal notifications, Teams, or ticket updates.

**KPI D4.KPI.Communication Timeliness:** Timely Stakeholder Notification Rate. Definition: Measures whether communications are sent within the agreed notification timeframe. Formula: Timely Notifications (%) = Notifications Sent Within SLA (SLA.3) / Total Required Notifications × 100. Target: ≥ 95–100%. Data Source: Incident timestamps vs. communication timestamps. Reporting Frequency: Monthly.

**KPI D4.KPI.Communication Traceability:** Communication Traceability Rate. Definition: Measures whether communications are properly documented and traceable to incidents or changes. Formula: Traceability (%) = Communications Linked to Records / Total Communications Reviewed × 100. Target: 100%. Data Source: COMS tickets, email archives, communication repositories. Reporting Frequency: Monthly/Quarterly. Validation Criteria: Communication contains timestamp; linked ticket/change ID exists; stakeholder recipient list recorded.

**Deliverable D5 – Service Performance Reporting on D1–D4**

**Deliverable D5:** Monthly accepted reports (R1–R3) provide visibility on volumes, throughput, SLA adherence, and risks in accordance with Section 4 (Reporting & SLAs).

**Acceptance Criteria A5:** Delivered no later than the 5th working day of each month and accepted by NATO SDM; 100% of required reports (R1–R3) are delivered; backlog levels (SLA2) are clearly reported and traceable to source data; language: written in English meeting NATO STANAG 6001 Level 3 Professional Proficiency; intended audience: Cyber Security Professionals; accuracy: accurately reflects what was discussed, decided, and action items assigned; clarity and conciseness: information presented clearly and concisely, avoiding unnecessary jargon or complex language; formatting: consistent formatting throughout, including font style, size, headings, and spacing as directed by the NCSC; accepted by the NCSC Service Delivery Manager without material rework.

**D5 KPIs**

**KPI D5.KPI.Report Delivery Timeliness:** On-Time Report Delivery Rate. Definition: Measures whether required reports (R1–R3) are delivered no later than the 5th working day of each month. Formula: On-Time Delivery (%) = Reports Delivered On Time / Total Reports Due × 100. Target: 100%. Data Source: Submission timestamps, delivery logs. Reporting Frequency: Monthly.

**4\. Reporting & SLAs**

**4.1 Reporting Requirements**

The Contractor shall deliver three reports on a monthly basis:

**R1:** On a monthly basis (see Annex A), and in accordance with D5, a report on: received, active, and resolved vendor requests; associated Management Tool(s) tickets, counters and their workflow status.

**R2:** Monthly stakeholder coordination summary (Annex B) that outlines: status of approvals/rejections; listed products into NIAPC; notable blockers, risks, and escalations.

**R3:** Monthly NIAPC Platform Availability & Number of Unique Visitors.

**4.2 Service Flavor SLAs**

**SLA1:** NIAPC Product Approval Time to Published State – the maximum Approval Time to Published State should be 4 hours from the received approval state.

**SLA2:** Backlog load level – at all times there should be a maximum of 20% backlog for any given content item (such as cryptographic product / security enforcement product / TEMPEST vendor etc.). This shall be measured continuously and reported monthly.

**SLA3:** Notification time for major incidents and service impacting changes – all major incidents/service impacting changes should be communicated to the main service stakeholders & users within maximum 15 minutes.

Important note: Failure to meet SLAs may trigger corrective actions and impact acceptance.

**5\. Skills**

It is up to the bidding company to propose and size the team that will be working to fulfilling these deliverables. Nevertheless, NCIA NCSC considers the skills below are essential to deliver the service.

\[See Requirements\]

**6\. Work Execution**

In the year 2026, the resource will be primarily located at Braine l’Alleud, Belgium.

In the course of the option year 2027, the services will be delivered from Brussels (Evere), Belgium. This transition will happen during the month of September (estimated). This timing might change by up to 3 months (before or after) depending on the availability of the facilities. The contractor shall be made aware 3 months before the actual move date.

For option year 2028, the work will be executed from Evere, Belgium.

In 2026 and option year 2027, up to 8 travels to Brussels (Evere) shall be included in the bid price.

For option year 2028, up to 12 travels to Mons, Belgium shall be included in the bid price.

**7\. Deliverables and Payment Milestones**

Payments shall be linked to acceptance of defined service deliverables. Payments shall be made only upon formal acceptance of service outcomes by the NIAPC Service Delivery Manager.

**8\. Period of Performance**

The base period of performance is scheduled to begin on 3 August 2026, and will conclude no later than 23 December 2026. If the options are exercised, the period of performance shall be from 2 January to 23 December of each year.

**9\. Payment Milestones**

**2026 BASE: 3 August 2026 – 23 December 2026**

**Milestone 01:** Intake milestone – Service Mobilization & Workflow Operationalization. Includes: NIAPC intake and processing workflows operational in agreed tooling; initial reporting baseline established and validated; first full reporting cycle delivered (R1–R3).

Acceptance: formal acceptance confirmed in writing.

Payment Milestone: EDC +3 months, upon formal acceptance.

 **Milestone 02:** Recurring monthly milestones. For each calendar month: delivery of D1–D5 outcomes; submission of R1–R3 reports; demonstrated SLA compliance; updated documentation and audit records.

Acceptance criteria as per Sections 3 and 4.

Payment Milestone: Upon monthly acceptance.

**2027 Option: 2 January 2027 – 23 December 2027 (if 2027 option is exercised)**

**Milestone 01:** Progress on deliverables stated above (D1–D5).

Payment Milestone: Upon monthly acceptance.

**2028 Option: 2 January 2028 – 23 December 2028 (if 2028 option is exercised)**

**Milestone 01:** Progress on deliverables stated above (D1–D5).

Payment Milestone: Upon monthly acceptance.

**9.1 Payment Conditions**

Payments are triggered only after acceptance of the deliverables. Failure to meet acceptance criteria may result in: deferred payment; mandatory corrective action; non-exercise of option periods.

**10\. Security and Non-Disclosure Agreement**

Any contracted individuals of the Contractor must be in possession of a NATO SECRET security clearance at the start of the contract. The signature of a Non-Disclosure Agreement between any Contractor’s individuals delivering services under this SoW and NCIA will be required prior to the start of the service delivery.

**Annex A – NIAPC Reference Documents**

[https://www.ia.nato.int/NIAPC/Documents/AC322-D(2010)0042.pdf](https://www.ia.nato.int/NIAPC/Documents/AC322-D\(2010\)0042.pdf)

[https://www.ia.nato.int/NIAPC/Documents/AC322-D(2019)0041-REV1.pdf](https://www.ia.nato.int/NIAPC/Documents/AC322-D\(2019\)0041-REV1.pdf)

![](https://workablehr.s3.amazonaws.com/uploads/photos/92373/96b92fa6a1d890a8c5c8ec455cfb0707.png)

## Requirements

**REQUIREMENTS**

-   5 years’ experience of execution and governance of workflow-based service requests.
-   3 years’ experience in catalogue and content lifecycle management in regulated or public-sector environments.
-   3 years’ experience in management of multi-stakeholder approval workflows (NATO entities, Nations, vendors).
-   3 years’ experience in maintenance of traceability, accuracy, and auditability of service outputs.
-   Demonstrated experience in production of service performance reports, including KPI and trend analysis.
-   Demonstrated experience in the use of service management and collaboration tools (e.g., Jira, Confluence) to evidence delivery.
-   Strong written professional communication skills suitable for policy-driven and politically sensitive contexts.
-   Required Security Clearance: NATO SECRET clearance must be held at the start of the contract.

## Apply

[Apply at EMW, Inc.](https://apply.workable.com/emw/j/27BE4A3842/apply)

---
Powered by [Workable](https://www.workable.com)