Cybersecurity Scorecard Development and Assessment

EMW
Summary
Join the NATO Cyber Security Centre (NCSC) to support the development, execution, and continuous improvement of the NATO Enterprise Cybersecurity Scorecard. The work involves on-site cybersecurity scorecard assessments, guiding self-assessments, analyzing data, generating reports, updating assessment methodologies, and communicating with stakeholders. This is a service-based contract requiring a team of two with expertise in cybersecurity, metrics development, methodology development, data analysis, and communication. The contract period is from June 9, 2025, to December 31, 2025, with deliverables including assessment reports, self-assessment support, consolidated reports, methodology refinements, and updated self-assessment tools. A NATO Secret security clearance is required. Travel costs for on-site visits are covered separately.
Requirements
- The deliverable includes all agreed components, sections or outputs in the task definition and scope
- The content is logically structured and does not include major errors or inconsistencies
- The deliverable aligns with objectives of the assignment and reflects accurate and up-to-date information
- The deliverable provides practical value to the project and is ready to use
- The deliverable is submitted within the agreed timeframe or approved extension period
- Timely participation: The contractor attends scheduled meetings, workshops and assessment activities (if the deliverable requires) on time and as agreed, contributing actively when required
- Responsiveness: The revisions (if any) are delivered promptly and in alignment with the feedback received
- Contractor’s personnel must have extensive experience in cyber security with a focus on analytical assessment, scorecard development and performance metrics
- Contractor’s personnel must have a deep understanding of the cybersecurity processes such as Cyber Incident Management, Defensive Cyberspace Operations, Enterprise Risk Management and Cyber Threat Intelligence Analysis and Sharing
- Contractor’s personnel must have experience in creating meaningful and actionable cybersecurity metrics and measures
- Contractor’s personnel must have proficiency in developing, refining and updating methodologies for assessing cybersecurity maturity and performance
- Contractor’s personnel must have strong skills in data analysis and the ability to create insightful visualizations for complex data sets
- Familiarity with modern data visualization tools is essential
- Contractor’s personnel must have excellent written and verbal communication skills for engaging with various stakeholders and facilitating Enterprise-wide assessments
- The contracted individuals must be able to perform effectively and efficiently with minimal supervision
- The resource providing services under this SOW must be in possession of a security clearance of NATO SECRET or above
Responsibilities
- Organize and perform on-site cybersecurity scorecard assessments across various locations as required
- Guide and support various non-NCIA managed Enterprise entities in conducting their self-assessments
- Analyse collected cybersecurity data and generate insightful reports and visualizations
- Continuously update and refine the assessment methodology to ensure it remains effective and relevant to NATO’s needs
- Effectively communicate with stakeholders at all levels
- Deliverable: Completion of cybersecurity maturity and performance assessments at predefined locations (3 sites per contract period per contractor; both contractors will be sent on the first site visit)
- Output: A structured assessment report per site, including findings and highlights
- Deliverable: Assistance provided to various non-NCIA managed Enterprise entities in conducting their self-assessments (15 sites per contract period per contractor)
- Output: A completed self-assessment report per site, including findings and highlights
- Deliverable: Consolidated assessment report covering all on-site and self-assessment results, including dashboard and visualizations
- Output: A fully compiled report with trend analysis (if applicable), visualizations, insights, and conclusions. The outline for the report will be provided
- Deliverable: Refined and updated scorecard methodology, incorporating feedback from entities and other stakeholders
- Output: Documented refinements along with justifications and improvements
- Deliverable: Up-to-date self-assessment tools, questionnaires and KPIs
- Output: Updated toolset with version control and change log