Description
Deadline Date:
Monday 2 June 2025
Requirement:
NISP Linux Engineering Services
Location:
The Hague, NL
Full Time On-Site:
Yes
Time On-Site: 100%Period of Performance: 2025 BASE: starting not later than 1 September 2025 to 31 December 2025 with the possibility to exercise following options:• 2026 OPTION: 01 January 2026 to 31 December 2026• 2027 OPTION: 01 January 2027 to 31 December 2027• 2028 OPTION: 01 January 2028 to 31 December 2028
Required Security Clearance:
NATO SECRET
1. INTRODUCTION
1.1 To strengthen the Alliance through connecting its forces, the NCIA delivers secure, coherent, cost effective and interoperable communications and information systems in support of consultation, command & control and enabling intelligence, surveillance and reconnaissance capabilities, for NATO, where and when required. It includes IT support to the Alliances’ business processes (to include provision of IT shared services) to the NATO HQ, the Command Structure and NATO Agencies.1.2 The Air Command and Control Centre (AirC2 Centre), as part of the NCI Agency, ensures the harmonised planning, implementation, deployment, evolution and support of the Air Command and Control (AirC2) programmes as well as other assigned programmes, in a way that satisfies the operational requirements and minimizes the military risk, taking into account the NATO political, economic and schedule requirements and using the most suitable industrial and technological solutions.
The Centre is the procurement and implementation body of the NCI Agency, charged with the effective planning, execution, delivery into service, evolution and through-life logistic support of NATO’s and assigned national AirC2 systems.1.3 In the light of these activities, AirC2 Centre is looking for Oracle Linux or Red Hat Linux software engineers with in-depth knowledge of the topics related to the NISP (NATO integrated Secured Platform) work packages described below.
2. SCOPE OF WORK
2.1 The expert contractor’s personnel(s) shall carry out the specific tasks and provide the specific deliverables, as described in the Work Package table(s) below:
Work Package WP1: Port latest released NISP (Oracle Linux) to latest released Oracle Linux 9 NISP_OL is comprised of software and documentation, which allow the end user to install a secured Oracle Linux 8 onto bare metal, or update an existing installation. Several machine profiles are supported, such as AD member server, standalone server
Deliverable D1: Bootable ISO image (compatible with boot from USB keys and BluRay) which allows to install NISP_OL with Oracle Linux 9 following the same or very similar procedures as NISP_OL with Oracle Linux 8.Deliverable D2: Automatic build procedure to build the bootable ISO image from D1.Deliverable D3: Standalone server fresh installation and configuration as Active Directory Member Server.Deliverable D4: Updated documentation and procedures for NISP_OL with Oracle Linux 9 in the following documents: Software Installation Plan, System Administration ManualDeliverable D5: Updated information on supported hardware and virtualization environments in the Hardware GuideConstraint C1: Secure Boot shall be supported for installation from media and network.Constraint C2: Provided procedures must provide the service in an offline environment (no Internet connectivity).Constraint C3: Documentation source is in DocBook, however oXygen is available for near WYSIWYG editing.Constraint C4: Revision control used in NISP project is git with gitlab.
All source is to be revision controlled.Acceptance Criteria A1: Deliverables shall pass the full NISP Regression Test Suite, any test case redlines must be approved by test director and leading engineer.Acceptance Criteria A2: Any provided code or code changes must pass SonarQube quality evaluation (same settings as rest of NISP project).Additional Notes:Note 1: The automatic build of the NISP_OL installation ISO and all associated procedures are available and tested for Oracle Linux 8. The contractor’ personnels may build upon those procedures and code.Note 2: We expect familiarity with revision control in general and git in particular.Note 3: We expect the contractor’s personnels to be specialists with in-depth expertise in the area related to this work-package; we further expect the contractor’s personnel to be able to provide the service unsupervised.Note 4: NISP Team will provide support and information related to local specificities, such as the NISP build environment, access to required files and folders, access to test machines, access to offices and work-environment; NISP Team can further provide details on “what” to implement related to this service package; however, NISP Team cannot provide technical expertise related to the “how” of implementing this work package.Note 5: Deliverables can be grouped and each group accepted separately
Work Package WP2: Application of OpenScap Security Rules on NISP Oracle and Redhat Linux 9 NISP_OL is comprised of software and documentation, which allow the end user to install a secured Oracle Linux 8 onto bare metal, or update an existing installation. Several machine profiles are supported, such as AD member server, standalone server.
Deliverable D1: Successful application (remediation) of selected security rules NISP Oracle/RedHat Linux 9.Deliverable D2: Successful auditing of selected of security rules to NISP Oracle/RedHat Linux 9. Deliverable D3: Documentation of changes to security rules required for successful remediation and rationale for change.Deliverable D4: Documentation of changes to security rules required for successful auditing and rationale for change.Deliverable D5: Adaptation of security rules to different machine profiles (standalone server, member server).Constraint C1: Security Rules from Oracle Linux 8 DISA STIG or Oracle/RedHat Linux 9 SCAP Security Guide.Constraint C2: Provided procedures must provide the service in an offline environment (no Internet connectivity).Constraint C3: Application and auditing of security rules using oscap commands.Constraint C4: Revision control used in NISP project is git with gitlab.Constraint C5: Changes to security rules shall be traced in revision control tool.Acceptance Criteria A1: Machine shall pass the full NISP Regression Test Suite after application of security settings, any test case redlines must be approved by test director and leading engineer.Acceptance Criteria A2: Security settings shall be applied successfully according to documented procedureAcceptance Criteria A3: Any provided code or code changes must pass SonarQube quality evaluation (same settings as rest of NISP project).Additional Notes:Note 1: The automatic build of the NISP_OL installation ISO and all associated procedures are available and tested for Oracle Linux 8.
The contractor’s personnel may build upon those procedures and code.Note 2: We expect familiarity with revision control in general and git in particular.Note 3: We expect the contractor’s personnel to be specialists with in-depth expertise in the area related to this work-package; we further expect the contractor’s personnel to be able to provide the service unsupervised.Note 4: NISP Team will provide support and information related to local specificities, such as the NISP build environment, access to required files and folders, access to test machines, access to offices and work-environment; NISP Team can further provide details on “what” to implement related to this service package; however, NISP Team cannot provide technical expertise related to the “how” of implementing this work package.Note 5: Deliverables can be grouped
3. ROLES AND RESPONSIBILITIES
3.1 The service shall be conducted in close collaboration between the Contractor’s personnel and NCI Agency AirC2 Centre, as described below:NCIA Agency AirC2 Centre: Service Area Lead Interface Products, Project Manager, Test Director, Lead EngineerContractor’s personnel: To provide deliverables identified above.
4. DELIVERABLES AND PAYMENT MILESTONES
This is a deliverable-based contract.4.1 Schedule of payments. Payment will be made after Purchaser’s written acceptance Delivery Acceptance Sheet (DAS) (Annex B) of the respective deliverables.4.2 Invoice and DAS shall be provided to Purchaser for the payment.4.3 Payment will be made only after a deliverable or several deliverables are accepted, but not more often than once per month without surpassing the latest delivery date.4.4 Payment shall have equal percentages for each deliverable within the same work package.4.5 The following deliverables are expected from the service on this SoW:
2025 BASE: 01 September 2025 TO 31 December 2025
Work Package WP1 Deliverables D1, D2, D3, D4, and D5: Latest Delivery Date: 31 December 2025Payment Amount: 50 % of the total costPayment Milestones: Completion of each milestone shall be documented in Delivery Acceptance Sheet (DAS) – (Annex B), signed for acceptance by the Purchaser’s authorized point of contact and the Contractor’s personnelWork Package WP2 Deliverables D1, D2, D3, D4, and D5: Latest Delivery Date: 31 December 2025Payment Amount: 50 % of the total costPayment Milestones: Completion of each milestone shall be documented in Delivery Acceptance Sheet (DAS) – (Annex B), signed for acceptance by the Purchaser’s authorized point of contact and the Contractor’s personnel
2026, 2027 AND 2028 OPTION: PERIOD OF PERFORMANCE 01 JANUARY TO 31 DECEMBER
The option will be the same WPs but would be for the required adaptation for the latest version of Redhat/Oracle Linux (i.e. a new version of Redhat/Oracle, new drivers, new kernel,…). These will be established during a kick-off meeting upon exercising the option.
5. COORDINATION & REPORTING
5.1 The contractor’s personnel shall follow all general rules, terms and conditions as applicable for providing the service in the NCIA, The Hague Offices.5.2 The contractor’s personnel shall report to the Project Manager and provide update on the progress of work on weekly basis5.3 The contractor’s personnel shall provide the service mostly unsupervised.5.4 The contractor’s personnel shall consult the NISP Lead Engineer on any technical matters needing more details or clarification.5.5 The contractor’s personnel shall hand-over a deliverable in a scheduled meeting with at least the NISP leading engineer, one additional NISP engineer, and at least one representative from NISP test team.5.6 The NISP Lead Engineer shall decide on the complete or partial acceptance of a delivery and/or rework/refinement as may be necessary before recommending for payment.5.7 The contractor’s personnel shall hand-over a deliverable in a scheduled meeting with at least the NISP leading engineer, one additional NISP engineer, and at least one representative from NISP test team.
6. GENERAL NOTES
6.1 Service is to be performed on the NCI Agency network(s) and appropriate hardware and connectivity will be provided by the NCI Agency, for the duration of this contract, and is to be returned upon completion of the contract.
7. SCHEDULE
7.1 It is expected the service starts as soon as possible but no later than 1 st September 2025 and ending no later than 31st December 2025.7.2 If the 2026 option is exercised, the period of performance is 01st January 2026 to 31st December 20267.3 If the 2027 option is exercised, the period of performance is 01st January 2027 to 31st December 20277.4 If the 2028 option is exercised, the period of performance is 01st January 2028 to 31st December 2028
8. PRACTICAL ARRANGEMENTS
8.1 Location:8.1.1 The Contractor’s personnel will be required to provide the service 100% on site at NCIAgency The Hague.8.1.2 Normal working hours and procedures of NCIA, The Hague are applicable8.2 Expected Travel:8.2.1 No travel expected8.2.2 For extraordinary travel, the expenses will be reimbursed in accordance with Article 5.5 of AAS Framework Contract and within the limits of the NCIA Travel Directive. They will be invoiced separately to the purchaser by the service provider, in accordance with the terms and conditions of the framework agreement.
These additional travel costs are considered an extra charge to the overall bid price8.3 Whilst it is up to the bidder to propose the size of the team that executes the work and produces the deliverables in the time line allocated, it is estimated and preferred that the deliverables are completed by one individual full time.
9. SECURITY AND NON-DISCLOSURE AGREEMENT
Any proposed resource providing services under this SOW must be in possession of a valid security clearance NATO SECRET.The signature of a Non-Disclosure Agreement between any Service Provider’s individuals contributing to this task and NCIA will be required prior to execution.
10. REQUIRED QUALIFICATIONS
[See Requirements]
Requirements
10. REQUIRED QUALIFICATIONS
10.1 Contractor’s personnel – MANDATORY Requirements
- Hold a valid NATO SECRET Security Clearance.
- Have 3 years expertise relevant to the implementation of that work-package
- Have thorough knowledge of English, both written and spoken
- Have 3 years experience with distributed revision control tools (i.e Git and GitLab)
- Must have passed RHCSA examination or possess equivalent knowledge
10.2 Contractor’s personnel – DESIRED Requirements
- Prior experience of working in an international environment comprising both military and civilian elements.
- Practical experience in defining and applying security profiles (auditing and remediation) with OpenSCAP on RHEL/OL 9
- Practical experience in creating RPM packages on RHEL/OL 9
- Practical experience creating SELinux policies to confine system services RHEL/OL 9
- Practical experience configuring the bootloader on RHEL/OL9 9
