2026-0098 MFA Internet Portals POC (NS) - THU 9 Jul
BIDDING INSTRUCTIONS
The Bidder shall submit the Proposed Person Curriculum Vitae (CV). This CV shall have enough details and evidence of the individual's previous work to show suitability and compliance for the job based on the work description included in the Statement of Work.
Deadline Date: Thursday 09 July 2026
Requirement: Multi-Factor Authentication on Internet Facing Portals - Proof of Concept
Location: Off-Site
Note: Please refer to your Subcontract Agreement, article 6.4.1.a, which states "Off-Site Discount: 5% (this discount is applicable to all requirements, and applies when the assigned personnel are permitted to work Off-Site, such as at-home)". Please be sure to price this discount in your overall price proposal when submitting bids against off-site RFQs.
Period of Performance: 13 August 2026 through 30 December 2026
Required Security Clearance: NATO SECRET
1. INTRODUCTION
Due to the findings of the NATO Type 4 Security Audit, technical teams have been tasked with planning and implementing a security standardisation of Multi-Factor Authentication for internet-facing web portals throughout the NATO enterprise.
1.1 Scope
1) Build a Proof of Concept (POC) environment based on a single Entra ID Identity Provider serving a number of MFA technologies that act as MFA brokers.
2) Test and document POC applications against a set test criterion.
3) Build and test security logging with the security department.
4) Document Service delivery requirements and support documentation.
5) Work with Quality teams to align test strategy and test acceptance.
6) This SOW will not exceed EUR 73,750 (Deliverables and Travel).
1.1.1 Constraints
7) The identification of the most fit-for-purpose solution is to be validated, confirmed and accredited.
8) The solution is to align with other ongoing NCIA efforts, including but not limited to: IT Modernization; NATO Cloud Programs; Protected Business Network; and NATO and NCIA Directives.
9) The solution is developed in close coordination with NCSC, NCIA and its technical staff. Coordination meetings shall take place at intervals sufficient to ensure information sharing and technical exchange.
10) Due to the criticality and dependencies of follow-on project elements, the solution is to be completed and accepted no later than end of December 2026.
1.2 MFA Internet Facing Portals – Extract Scope
1.2.1 Preparation Phase and Configuration
Business Analysis; Document current production configurations; Full production configuration export; Document current production MFA configuration (if it exists); Document current self-registration, onboarding and user lifecycle process; Screenshot and document current login and logout UI/UX; Inventory all application interfaces; User account audit and mapping; CIS Description; Test strategy; Test scripts created by principal users; Security Pen Testing; Dependency Map; Target Architecture; Training Materials; Runbooks.
1.2.2 Execution Phase: POC Build and Technology Pillar Integration
Create non-production Entra ID app registration; Configure Entra ID branding; Customize Entra ID sign-in and sign-out page text; Configure and map Entra ID MFA registration policy; Design Entra ID self-service signup, browser authentication, and first login flows; Configure Entra ID custom attributes; Customize Entra ID email templates; Configure Entra ID Terms of Use; Configure identity provider attribute mappers; Enable Account Linking strategy; Setup monitoring and alerting; Document rollback procedure.
Technology Pillars: Moodle; SharePoint; Keycloak; Cognito.
1.2.3 Security
NCSC ASO CIS Security and Accreditation Coordination; NISC CISS CIS Security and Accreditation Support; NCSC Support – Logging analysis; Sysadmins Logs mapping; Log forwarding monitoring; Storing the Logs.
1.2.4 Testing Non-Production
V&V and QA Support; Test scripts; Security Pen Testing; Test Entra ID branding matches application; Test MFA enrolment flow (Entra ID); Test self-registration flow (Entra ID); Test MFA authentication flow; Test account linking for existing users; Validate custom attributes flow correctly; Logging testing – Cyber Security; Agree on success criteria and KPIs.
1.2.5 Out of Scope
Application Migrations: Application owners can raise Change Request Forms (CRF) when the new service line is available.
User Migrations: Application owners can raise Change Request Forms (CRF) when the new service line is available.
Production environment setup for the technical pillars: this will be covered in the next increment.
1.3 Schedule
The base period of performance is 13 August 2026 through 30 December 2026. All deliverables must be complete by 30 December 2026.
1.4 Security
The duties of the contractor require a valid NATO SECRET (NS) security clearance for the entire duration of the contract.
1.5 Practical Arrangements
This is a deliverables-based contract.
The contractor shall provide remote services to NCIA.
There may be requirements to travel to the following sites within NATO for completing these tasks: NATO HQ Brussels; NATO The Hague, NL; Braine L'Alleud; and/or SHAPE Mons, BE. (Maximum 4 times until 30 December 2026, with a duration of up to 3 days per visit.)
The services under this SOW are expected to be carried out by ONE contractor for the entire performance period.
Services shall be delivered during core working hours (08:30–12:00 and 13:00–17:30). Incident resolution activities may be requested during out-of-business hours as part of deliverable-based sprints.
The contractor will be required to obtain working permission to provide on-site service in Belgium.
1.6 Qualifications
[See Requirements]
1.7 Contract Deliverables
Preparation Phase and Configuration
Document current production configurations; Document current self-registration, onboarding and user lifecycle process; Screenshot and document current login and logout UI/UX; Inventory all application interfaces; User account audit and mapping; Support with test strategy and planning; Produce Service Delivery Training Materials; Runbooks; Create a migration plan for each Technology Provider.
Execution Phase: POC Build and Integration
Create POC Entra ID app registration; Configure Entra ID branding; Customize Entra ID sign-in and sign-out page text; Configure and map Entra ID MFA registration policy; Design Entra ID self-service signup, browser authentication, and first login flows; Configure Entra ID custom attributes; Customize Entra ID email templates; Configure Entra ID Terms of Use; Configure identity provider attribute mappers; Enable Account Linking strategy; Setup monitoring and alerting; Document rollback procedure; Technology Pillars migration documentation and integration limited to Moodle, Cognito and Keycloak.
Security Planning
NCSC Security and Accreditation Coordination and document requirement for each technology pillar; Sysadmins Logs mapping; Log forwarding monitoring; Storing the Logs.
Testing POC
Supporting production of test scripts; Gathering Security Pen Testing requirements; Testing and documenting all tests; Validate custom attributes flow correctly; Logging testing – engaging with Cyber Security and confirming the logging is fit for purpose.
1.8 Contract Milestones
Solution Acceptance: The purchaser's acceptance of the solution principles.
Implementation: The purchaser's acceptance of the implementation.
Requirements
1.4 SECURITY
- The duties of the contractor require a valid NATO SECRET (NS) security clearance for the entire duration of the contract.
1.6 QUALIFICATIONS
Identity and Access Management
- Minimum 5 years of experience in Identity and Access Management.
- Strong knowledge of authentication protocols (SAML, OIDC).
- Sound knowledge of federated identity management and Single Sign-On (SSO) solutions (Okta, Entra ID, and similar).
Multi-Factor Authentication
- Proven experience designing and rolling out MFA at scale in an enterprise environment (5,000+ users).
- Experience with certificate-based MFA smart cards, YubiKeys, passkeys/WebAuthn, TOTP, and push-based MFA applications (Microsoft Authenticator, Duo, and similar).
- Understanding of risk-based or adaptive authentication strategies.
Web Security and Secure Access Architecture
- Experience in securing web applications and APIs.
- Strong understanding of TLS, client certificates, reverse proxies, and Zero Trust principles.
- Experience with SSO integration of web applications.
- Recent experience configuring MFA technologies on the following platforms (Technology Pillars) as brokers: Moodle; SharePoint; Keycloak; Cognito.
- Demonstrated recent experience configuring Entra ID as an MFA Provider to the above MFA brokers.
- Ability to produce high-standard documentation for testing and service delivery.
Communication and Interpersonal Skills
- Excellent verbal and written communication skills.
- Full proficiency in English.
- Ability to communicate technical information to non-technical users in a clear and concise manner.
Customer Service Orientation
- Strong customer service focus with a commitment to user satisfaction.
- Patience and empathy when dealing with user issues and concerns.
Organisational Skills
- Attention to detail in documenting support activities and maintaining accurate records.
Team Collaboration
- Ability to work effectively as part of a team and share knowledge and resources.
- Willingness to collaborate with colleagues to solve complex issues.
Other Requirements
- Strong customer relationship skills, including negotiating complex and sensitive situations under pressure.
- Must hold the nationality of one of the NATO member nations.
EMW was founded in 1995 by engineers and managers who formerly held senior positions in well-known telecommunications and information technology companies to pursue their vision for this new company. Our core business is providing information and communication technology services in the areas of planning, engineering and implementation; project and program management; systems integration; operations and maintenance; and training. Our competencies range over all aspects of inside and outside plant; feeder, access and inter-office networks; switching, transmission, multiplexing and data communications equipment; network management, operations support, and asset management systems; information assurance; web enabling; applications software; and beyond. While staying abreast of today’s technologies, we keep a watchful eye on technology trends, and are very serious about future-proofing our solutions. We play in the global marketplace, and are proud to serve a wide spectrum of distinguished clients from defense and government agencies, as well as commercial enterprise. Our watchwords are competency, innovation, integrity, and—above all—respect and care for the customer.