2024-0110 Cloud Identity and Access Management (NS) - FRI 10 Jan RELAUNCH

Deadline Date: Friday 10 January 2025

Requirement: Cloud Identity and Access Management

Location: Off-Site

Note: Please refer to your Subcontract Agreement, article 6.4.1.a, which states “Off-Site Discount: 5% (this discount is applicable to all requirements, and applies when the assigned personnel are permitted to work Off-Site, such as at- home)". Please be sure to price this discount in your overall price proposal when submitting bids against off-site RFQs

Period of Performance: BASE period: 17 February 2025 – 31st December 2025

Start date is as soon as possible but not later than 17 February 2025 with possibility to exercise sprints from the following options:

2026 Options: 1st January 2026 until 31st December 2026

2027 Options: 1st January 2027 until 31st December 2027

Required Security Clearance: NATO SECRET

1 INTRODUCTION

Supporting NATO throughout all its geographical locations, the NCI Agency is looking for Support for Cloud Identity and Access Management, joining the journey of NATO’s modernisation of IT services, through leveraging the public cloud (Microsoft Azure, M365 and Amazon AWS), delivering managed, protected, security-centric and reliable IT Services.

NCI Agency – Cloud Operations Team

The NATO Communications and Information Agency (NCI Agency) is dedicated to supporting NATO's strategic objectives, including the ambitious NATO 2030 agenda. As part of this commitment, we are spearheading the modernization and digital transformation of NATO’s IT services. Our focus is on leveraging public cloud technologies like Microsoft 365 and Intune, incorporating a security-by-design approach, and ensuring a seamless transition to a modern, collaborative workplace environment.

To achieve these goals, we are building a Cloud Operations team under the Cloud Portfolio, operating under the NATO Enterprise Cloud Operating Model (NECOM) and under the guidance of the Cloud Center of Excellence (CCoE). The NECOM framework provides a standardized approach for cloud service management, ensuring interoperability, scalability, and security across NATO's IT infrastructure. The Cloud Center of Excellence will serve as a hub for best practices, innovation, and expertise, driving the adoption and optimization of cloud technologies within NATO. This team will play a crucial role in our journey towards providing managed, protected, and reliable End User Services.

Embracing the latest technological advancements, this initiative will foster innovation and ensure NATO remains at the cutting edge of IT capabilities. By continuously evolving and integrating new technologies, we aim to enhance operational efficiency and readiness for future challenges. This remote position offers an exciting opportunity to be at the forefront of NATO's technological evolution and contribute to the security and efficiency of our operations.

NCI Agency – Cloud Centre of Excellence (CCoE)

The Cloud Centre of Excellence (CCoE) within the NCI Agency is focused on driving successful cloud adoption and maximizing the potential of cloud technologies across the organization. It serves as a central governing body, promoting best practices, enabling knowledge sharing, and ensuring alignment between business objectives and cloud initiatives. The CCoE supports various cloud-based solutions, ensuring their effective and efficient implementation and management. By fostering a culture of continuous improvement and innovation, the CCoE helps the NCI Agency leverage cloud technologies to enhance operational efficiency, scalability, and agility.

The ideal candidate will have expertise in Entra ID, AWS IAM, PowerShell scripting, RBAC, MFA, and conditional access policies. Strong analytical, problem-solving, and organizational skills are required, along with the ability to document processes and provide training on IAM tools and practices.

This role is critical for maintaining a secure and efficient IAM environment, supporting internal users and external collaborators. If you are a motivated IAM specialist passionate about security, automation, and multi-cloud environments, we invite you to apply and join our dynamic team.

2 OBJECTIVES

The NCI Agency is embracing cloud services by transitioning to Microsoft 365 with a security-centric design. This shift aims to enhance operational efficiency, collaboration, and security across the organization. We are looking for service provider with strong knowledge, a willingness to learn, and a desire to grow as part of this new challenge.

The objective of this statement of work is to establish a support and operating model for End User Services operating in the Public Cloud, with a focus on Microsoft 365 services.

3 SCOPE OF WORK

Under the direction / guidance of the local NCIA Point of Contact or the Cloud Operations Center Manager, the Support for Cloud Identity and Access Management will perform the following activities:

1) Design and Implement IAM Solutions:

a) Design, implement, and manage identity and access management solutions using Microsoft Entra ID (Azure AD) and Amazon AWS.

b) Ensure seamless integration with internal and external applications and systems.

2) Automate Account and Group Management:

a) Develop and deploy PowerShell scripts and Azure Automation workflows to automate user account and group management tasks.

b) Implement self-service capabilities for account and group management to improve efficiency.

3) Manage Account Lifecycle:

a) Oversee the entire account lifecycle management process, from user onboarding to offboarding.

b) Provision new accounts and assign appropriate access rights based on role requirements.

c) Regularly review and update user roles and permissions to reflect changes in job functions and organizational structure.

d) Deprovision accounts promptly when users leave the organization or change roles, ensuring removal of access rights.

e) Implement role-based access control (RBAC) to manage permissions based on job roles.

f) Conduct periodic access reviews and certifications to ensure compliance with organizational policies.

4) Privileged Identity Management:

a) Implement and manage Azure AD Privileged Identity Management (PIM) to control, monitor, and audit privileged access to resources.

b) Configure PIM to enforce just-in-time (JIT) access, approval workflows, and access reviews for privileged roles.

5) Security and Compliance:

a) Implement security best practices and ensure compliance with relevant standards and regulations.

b) Conduct regular audits and reviews of access controls and permissions.

6) User Support and Troubleshooting:

a) Provide support for IAM-related issues, including troubleshooting user access problems and resolving authentication issues.

b) Act as an escalation point for complex IAM issues.

c) Maintain comprehensive documentation for IAM processes, configurations, and workflows.

d) Provide training and support to IT staff and end-users on IAM best practices and tools.

7) Monitor and Optimize IAM Systems:

a) Monitor the performance and effectiveness of IAM systems and processes.

b) Identify opportunities for improvement and implement optimizations to enhance security and efficiency.

8) Collaboration and Communication:

a) Collaborate with IT security, compliance, and other relevant teams to ensure cohesive IAM strategies.

b) Communicate effectively with stakeholders to understand IAM requirements and address concerns.

9) External Collaboration and Sharing:

a) Manage external collaboration and sharing settings in Azure AD to facilitate secure access for partners and external users.

b) Implement and manage B2B (Business to Business) collaboration settings and policies through Entra ID.

c) Integrate and manage identity and access management for B2B scenarios, ensuring seamless and secure interactions with external partners.

10) AWS Integration:

a) Integrate and manage IAM processes with Amazon AWS, ensuring secure access and interoperability between Azure AD and AWS.

b) Implement and manage federated identities and single sign-on (SSO) between Azure AD and AWS environments.

c) Monitor and optimize IAM configurations to ensure compliance and security across multi-cloud environments.

11) Automation and Efficiency:

a) Develop and implement automation scripts using PowerShell to streamline routine support tasks such as software installations, updates, and system checks.

b) Utilize Power Automate to create workflows that automate repetitive tasks and improve service efficiency.

c) Identify opportunities to enhance efficiency through automation and proactively implement solutions.

12) Communication and Collaboration:

a) Communicate effectively with users to understand their issues and provide clear instructions.

b) Collaborate with IT teams to resolve issues and improve service delivery.

The contractor will be part of a team providing Technical Level 2 and 3 support , ensuring the secure, available, managed and compliant delivery of Public Cloud Services to NATO and its Strategic Commands.

The contractor will work remotely, providing services during Core working hours of the Cloud Operations team (Brussels / BEL).

The measurement of execution for this work is sprints, with each sprint planned for a duration of 1 week.

4 DELIVERABLES AND PAYMENT MILESTONES

The following deliverables are expected from the work on this statement of work:

4.1 2025 BASE: 17 February 2025 to 31 December 2025

Deliverable: 42 sprints

Payment Milestones: Upon completion of each fourth sprint and at the end of the work.

4.2 2026 OPTION: 01 January 2026 to 31 December 2026

Deliverable: Up to 46 Sprints

Payment Milestones: Upon completion of four consecutive sprints.

4.3 2027 OPTION: 01 January 2027 to 31 December 2027

Deliverable: Up to 46 Sprints

Payment Milestones: Upon completion of four consecutive sprints.

The NCIA team reserves the possibility to exercise a number of options, based on the same scrum deliverable timeframe and cost, at a later time, depending on the project priorities and requirements.

The payment shall be dependent upon successful acceptance of the Delivery Acceptance Sheet (DAS) – (Annex B) including the EBA Receipt number

Invoices shall be accompanied with a Delivery Acceptance Sheet (Annex B) signed by the Contractor and project authority.

5 COORDINATION AND REPORTING

The contractor shall participate in daily status update meetings, activity planning and other meetings as instructed, via electronic means using Conference Call capabilities, according to the Operation Managers / Team Leaders instructions.

For each sprint to be considered as complete and payable, the contractor must report the outcome of his/her work during the sprint, first verbally during the retrospective meeting and then in written within three (3) days after the sprint’s end date. The format of this report shall be a short email to the NCIA Point of Contact mentioning briefly the work held and the development achievements during the sprint.

6 SCHEDULE

This task order will be active immediately after signing of the contract by both parties

The BASE period of performance is as soon as possible but not later than 17th February 2025 and will end no later than 31st December 2025.

7 CONSTRAINTS

All the deliverables provided under this statement of work will be based on NCI Agency templates or agreed with the project point of contact.

All code, scripts, documentation, etc. will be stored under configuration management and/or in the provided NCI Agency tools.

8 SECURITY

To deliver services under this SoW require a valid NATO SECRET security clearance.

All the deliverables of this project will be considered NATO UNCLASSIFIED, while access to networks exceeding this classification level is required.

With this role being of technical nature providing administrative support, a security clearance at the NATO Secret level is required prior to the start of the engagement.

9 PRACTICAL ARRANGEMENTS

The contractor will be required to work remote as part of this engagement. The Cloud Operations Team is located in BRUSSELS / BEL and THE HAGUE / NLD , with working hours to be adjusted accordingly.

The contractor will be required to work within a NATO country, following the rules and regulations applicable for the operations of NATO CIS.

The contractor is required to travel for on-boarding and off-boarding to an NCI Agency location as part of this role, for periods not exceeding 1 week.

This contractor hired for this position will be part of the NCIA Cloud Operations Team.

10 QUALIFICATIONS

[See Requirements]

10 QUALIFICATIONS

The consultancy support for this work requires an experienced Cloud Engineer (Remote), Identity and Access Management with the following qualifications:

1) Technical Expertise:

• In‐depth knowledge of Microsoft Entra ID (Azure Active Directory) and Amazon AWS identity and access management services.
• Proficiency in PowerShell scripting and automation tools (e.g., Azure Automation, Microsoft Graph API).
• Experience with IAM solutions and tools, including role‐based access control (RBAC), multi‐factor authentication (MFA), and conditional access policies.
• Expertise in Azure AD Privileged Identity Management (PIM) and privileged access control.

2) Analytical and Problem‐Solving Skills:

• Strong analytical skills to assess and improve IAM processes and workflows.
• Ability to troubleshoot complex IAM issues and implement effective solutions.

3) Security and Compliance Knowledge:

• Understanding of security best practices and compliance requirements related to identity and access management.
• Experience conducting audits and ensuring adherence to regulatory standards.

4) Communication and Collaboration:

• Excellent communication skills to effectively collaborate with IT teams, stakeholders, and end‐users.
• Ability to document processes clearly and provide training on IAM tools and practices.

5) Organizational Skills:

• Strong organizational skills to manage multiple tasks and priorities effectively.
• Attention to detail in managing user accounts, groups, and access controls.

6) Team Collaboration:

• Ability to work effectively as part of a team and share knowledge and resources.
• Willingness to collaborate with colleagues to solve complex issues.

7) Others:

• The candidate has strong customer relationship skills, including negotiating complex and sensitive situations under pressure.
• Full proficiency in the English language. French language proficiency is of advantage.
• The candidate must have the nationality of one of the NATO nations.
• The candidate must possess a NATO SECRET Security Clearance or national equivalent.

This position is crucial for maintaining a secure and efficient IAM environment within our organization, supporting both internal users and external collaborators. If you are a highly motivated IAM specialist with a passion for security, automation, and multi‐cloud environments, we invite you to apply and join our dynamic team.