Enterprise Security Accreditation and ECISOA

Spektrum supports apex purchasers (NATO, UN, EU, and National Government and Defence) and their Tier 1 supplier ecosystem with a wide range of specialist services. We provide our clients with professional services, specialised aerospace and defence sales, delivery, and operational subject matter expertise. We are looking for personnel to join our team and support key client projects.

Who we are supporting 

The NATO Communication and Information Agency (NCIA) is responsible for providing secure and effective communications and information technology (IT) services to NATO's member countries and its partners. The agency was established in 2012 and is headquartered in Brussels, Belgium.

The NCIA provides a wide range of services, including:

• Cyber Security: The NCIA provides advanced cybersecurity solutions to protect NATO's communication networks and information systems against cyber threats.
• Command and Control Systems: The NCIA develops and maintains the systems used by NATO's military commanders to plan and execute operations.
• Satellite Communications: The NCIA provides satellite communications services to enable secure and reliable communications between NATO forces.
• Electronic Warfare: The NCIA provides electronic warfare services to support NATO's mission to detect, deny, and defeat threats to its communication networks.
• Information Management: The NCIA manages NATO's information technology infrastructure, including its databases, applications, and servers.

Overall, the NCIA plays a critical role in ensuring the security and effectiveness of NATO's communication and information technology capabilities.

The program

Assistance and Advisory Service (AAS)

The NATO Communications and Information Agency (NCI Agency) is NATO’s principal C3 capability deliverer and CIS service provider. It provides, maintains and defends the NATO enterprise-wide information technology infrastructure to enable Allies to consult together under Article IV, and, when required, stand together in the face of attack under Article V.

To provide these critical services, in the modern evolving dynamic environment the NCI Agency needs to build and maintain high performance-engaged workforce. The NCI Agency workforce strategically consists of three major categorise's: NATO International Civilians (NIC)'s, Military (Mil), and Interim Workforce Consultants (IWC)'s. The IWCs are a critical part of the overall NCI Agency workforce and make up approximately 15 percent of the total workforce.

Role Background

NATO is undergoing a major adaptation of its overall approach to cybersecurity. As part of its mandate, the NATO Chief Information Officer (CIO) is overseeing the coherence of the NATO Enterprise ICT 1 capabilities and services and is the single point of authority for cybersecurity. The NATO CIO is responsible for developing and implementing a cybersecurity strategy through a comprehensive cyber adaptation effort. This includes significant interaction with executive stakeholders, both military and civilian, required to oversee the NATO Enterprise coherence and cybersecurity efforts. As part of its mandate, the NATO Office of the CIO (OCIO) needs to execute and enforce the role of NATO Enterprise CIS Operational Authority (ECISOA) allowing the NATO CIO to perform its role of Enterprise Risk owner. The main goal is to ensure risks identified as part of supporting existing processes (e.g. security accreditation, incident management, etc.) are properly evaluated, operationally validated and formally accepted, keeping and maintaining an overall view on the global Enterprise security posture. To support this effort, OCIO requires services that will leverage in-depth knowledge of Risk Management (Risk Assessment methodology, Processes and Best practices), to support the roles of ECISOA and the related risk management-supporting activities, enabling an informed and on-point decision making regarding Enterprise cybersecurity risks. The project will provide support and expertise to the execution of those activities related to ECISOA and Enterprise Risk Owner roles.

Role Duties and Responsibilities

• Support CIO in his role of Enterprise CISOA in the issuance of different decision making-related documentation such as Authorizations to Operate (ATOs) and interim ATOs (iATO) for systems and Networks, as required. Assess, verify risks and eventually develop suggestions in support of the Enterprise Risk acceptance function of the CIO. Supports the development of Cybersecurity Risk Management Processes and Frameworks;
  • Measurement: To the NATO OCIO, ESRM section satisfaction about the quality of the issued documentation and the time taken to produce it, as required, as well as the level of support provided on the development and maintenance of the Risk Management processes and framework and the quality of the provided support to risk management activities;
• Maintain a Board of CISOA as a stable coordination framework between the various local CISOA among various HQs and Subordinate commands, as well as review and implement the Board of CISOAs ToRs, where required by the Board itself. Support the activity of the Cyber Risk Management Group (CRMG), especially in its cybersecurity risk management function;
  • Measurement: Confirmation by the NATO CIO concerning the quality of the engagement and support to the Board of CISOAs and CRMG, especially related to the organization and execution of regular meetings (on a weekly and monthly basis) and support to their planned and unplanned activities.
• Supports the Enterprise CISOA in the development and execution of the accreditation process, for NATO CIS at Enterprise level. Receives updates and analyses data related to the list of sites and networks interested by the accreditation process, maintaining a situational awareness regarding said CIS Provides inputs for the planning and monitors the implementation, of the annual program of work for the auditing/inspection within the CIO AoR.
  • Measurement: Effectiveness and quality of the engagement with the Security Accreditation Authorities (SAAs) and on-time development of mitigation and remediation measures in support of accreditation-related activities. Development and effective support to the approval of the annual Vulnerability Assessment PoW.
• Supports and contributes to the process of policy changes related to CIS security and its management in coordination with the SAA and CISP
  • Measurement: Support as necessary until the end of 4th Quarter 2023 (and subsequently if the contract is extended).

Essential Skills and Experience

• They must have knowledge and multiyear experience in organization, management and support of various (international) operations, activities, units and projects related to defence, security, electronics and communications, in the NATO environments.
• They must have previous experience within NATO CIS Operational Authority dealing with accreditation procedures, Risk Assessment and Crypto implementation and standards.
• They must have previous experience in developing contingency plans, mitigation measures and Authorization To Operate (ATO) and interim Authorizations to Operate (iATO,) risk acceptance in support of the enforcement of CIS Security Frameworks;
• The job requires knowledge of the NATO Security Accreditation Processes, CIS Security and operational evaluation of CIS;
• The job requires experience with Risks assessment and Risk Management as applied to CIS Security and Cyber Security;
• Experience in supporting or driving Policy changes related to CIS security and its management;
• Knowledge in the development of Cybersecurity Risk Management Processes and Frameworks;
• They must have experience in leading staff work on large and complex projects and to coordinate multiple stakeholders in different and separate locations.

Language Proficiency

• Business English

Working Location

• Brussels, Belgium

Working Policy

• On-Site

Travel

• Some travel to other NATO sites may be required

Security Clearance

• Valid National or NATO Secret personal security clearance