Monday, October 27, 2025
Contact One Communications, Inc.

3299 Cyber Security Engineer

Posted: 1 day ago

Job Description

Required Security Clearance: NATO Secret

SCOPE OF WORK

Provide expert cyber security engineering support to prepare, maintain, and evidence all documentation required to achieve and sustain accreditation/Authorization to Operate for all ALE systems in operation. This includes supporting secure design, risk assessments, control implementation traceability, security testing and evaluation evidence, and risk treatment records, in compliance with NATO/NCI Agency security policies and standards.

In addition, the Contractor shall support the Academy Technical Capability (TeC) Team by delivering the following outcomes:

  • Solution Architecture (Secure by Design): Design secure architectures for ALE systems (on-premises and cloud), evaluating alternatives and trade-offs (cost, performance, scalability), documenting architectural decisions, and preparing security design inputs and technical plans aligned with enterprise/solution architecture standards. Ensure alignment with enterprise security standards and support change initiatives with technical plans.
  • Information Security (Controls & Risk): Apply physical, procedural, and technical controls. Conduct risk and business impact analysis, identify vulnerabilities, and design countermeasures. Support security incident investigations and lessons learnt, support response coordination and track remediation to closure.
  • Information Assurance & Accreditation: Lead technical assessments of ALE systems. Define accreditation requirements, gather evidence, and coordinate with stakeholders throughout the accreditation lifecycle. Ensure traceability of controls and contribute to assurance processes.
  • System Hardening & Compliance Support: Collaborate with system and network administrators, as well as developers, to implement hardening measures across systems and applications, ensuring compliance with security best practices and organizational standards.
  • Security Documentation: Develop and maintain SOPs/SECOPs, Security Test & Evaluation plans and reports, and user guides. Contribute to the ALE knowledge base with security-focused content.

The Contractor shall deliver services in an agile and iterative manner, organized into the following main activities:

The Contractor shall develop and maintain the system descriptions for ALE systems, capturing the technical description, connections (physical and logical), physical locations, and hardware/software inventories. This shall be formalized in a document titled “CIS Description” and maintained under version control.

The Contractor shall define the accreditation strategy and plan for ALE systems, describing the steps required to achieve security accreditation for operation at the NCI Academy. This shall be formalized in a document titled “Security Accreditation Plan (SAP)” and maintained under version control.

The Contractor shall perform a high-level security risk assessment to inform early design, including identifying assets, threats, vulnerabilities, likelihood/impact, and initial risk ratings. This shall be formalized in a document titled “High-Level Security Risk Assessment (SRA)” and maintained under version control.

The Contractor shall define system-specific security requirements and control coverage by tailoring the security control baseline, mapping requirements to applicable standards and policies, and identifying coverage gaps with corresponding actions. This shall be formalized in a document titled “System-specific Security Requirement Statement (SSRS)” and maintained under version control.

The Contractor shall develop and maintain Security Operating Procedures (SecOPs) to enable secure day-to-day operations. This includes:

  • For Administrators: account/privilege management, backups, patching, baseline configurations, logging/monitoring, incident and change handling, and continuity steps.
  • For End Users: acceptable use, data handling, access/MFA, reporting suspicious activity, and secure usage guidance.

These shall be formalized in a document titled “Security Operating Procedures (SecOPs)” and maintained under version control.

The Contractor shall define security test and verification activities to evidence control effectiveness. This shall be formalized in a document titled “Security Test and Verification Plan (STVP)” and maintained under version control.

SKILL, KNOWLEDGE & EXPERIENCE

The Contractor staff proposed for this service must meet the following minimum qualifications:

  • NATO Security Clearance valid for the duration of the contract, issued by the respective National Security Authority.

Cyber Security Engineer Experience

  • Minimum 5 years of experience in designing secure, scalable solution architectures aligned with enterprise standards, or complex environments.
  • Minimum 5 years of experience in applying and overseeing physical, procedural, and technical security controls, conducting risk assessments, and leading incident response efforts.
  • Minimum 5 years of experience in system and application hardening, collaborating across technical teams to enforce best practices and compliance.

General

  • Accreditation Process: Demonstrated success in managing accreditation processes, defining assurance requirements, and coordinating with stakeholders is essential.
  • Communication Skills: Excellent written and verbal communication in English, with the ability to explain technical information clearly and in a user-friendly manner.
  • Collaboration: Demonstrated ability to work effectively in a team environment and coordinate with multiple stakeholders.
  • Documentation: Strong documentation capabilities including SOPs, technical manuals, and security guidelines are required to support operational readiness and knowledge sharing.
  • Analytical Skills: Strong problem-solving and troubleshooting ability, with the capacity to quickly identify issues and determine the most efficient resolution.

Desirable Qualifications And Experience

  • Knowledge and experience of working with the NCI Agency and/or NATO organizations.
  • Knowledge of ISO27001 or equivalent standards.
  • Familiarity with Agency tools for configuration, risk, and documentation management.
  • Experience supporting audits.
  • Understanding of Agile delivery practices.

Language Proficiency

Level 3 English language skills according to NATO STANAG 6001: Listening (3); Speaking (2); Reading (3); and Writing (2) (or according to Common European Framework of Reference for Language level B2-C1/Upper Intermediate-Advanced level).

This is a deliverable-based contract.

This is a condensed version of the job description. A full, detailed job description will be provided during the application process.
