ANWI Architecture Initial System and Technical View
ANWI Architecture Initial System and Technical View
ANWI Architecture Initial System and Technical View
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
SECTION 12. ANNEX D: <strong>ANWI</strong> <strong>Architecture</strong> <strong>Initial</strong> <strong>System</strong><br />
<strong>and</strong> <strong>Technical</strong> <strong>View</strong><br />
12.1 Introduction<br />
12.1.1 Purpose<br />
12.1.1-p1 The purpose of this technical annex is to provide architecture initial<br />
system <strong>and</strong> technical view information <strong>and</strong> requirements that will drive the production<br />
of the <strong>ANWI</strong> design as required by section 5 of this SoW.<br />
12.1.1-p2 A key purpose of this annex is to describe all interfaces within the <strong>ANWI</strong><br />
project, <strong>and</strong> all interfaces between the <strong>ANWI</strong> <strong>and</strong> the external services.<br />
12.1.2 Annex Structure<br />
12.1.2-p1 This Annex contains the following chapters:<br />
A. Section 12.2 provides the design drivers.<br />
B. Section 12.3 provides the initial architecture system view <strong>and</strong> identifies at<br />
the high level the external interfaces to the <strong>ANWI</strong> capability.<br />
C. Section 12.4 provides an overview of the <strong>ANWI</strong> modules <strong>and</strong> identifies<br />
internal interfaces<br />
D. Section 12.5 specifies the external interfaces.<br />
E. Section 12.6 provides the end-to-end information flows showing the<br />
service traversal through internal modules <strong>and</strong> interfaces to external<br />
interfaces.<br />
12.2 Design Drivers<br />
12.2.1 General<br />
12.2.1-p1 The scope of this section is to drill down on the key architecture<br />
principles as introduced in annex C <strong>and</strong> provide design guidance that the <strong>ANWI</strong><br />
contractor shall address in <strong>ANWI</strong> design:<br />
12.2.2 Mobility<br />
12.2.2-p1 The <strong>ANWI</strong> design shall address the implementation of the New NATO<br />
HQ operational mobility concept that consists of two key pillars:<br />
12.2.2-p2 Mobile devices that embrace Unified Communication <strong>and</strong> Collaboration<br />
(UCC) capabilities:<br />
A. Support Data, Voice <strong>and</strong> Video<br />
B. To experience a similar „look <strong>and</strong> feel‟ on various mobile <strong>and</strong> fixed<br />
devices.<br />
C. Services that are capable of switching automatically <strong>and</strong> transparently (to<br />
the User) from one device to another (dependent upon user/device<br />
location).<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-166 of 532
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-167 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
D. Extensive Unified Communications & Collaboration (UCC) tools, which will<br />
be seamlessly integrated between the various devices (e.g. continuously<br />
synchronized email <strong>and</strong> Calendar/Agenda).<br />
E. Presence/Availability services (e.g. if a user makes a telephone call he<br />
should be identified „busy‟ for other UCC services).<br />
12.2.2-p3 Adopt the increasing use of the Business Infrastructure for processing<br />
NATO information<br />
12.2.3 Identity Management<br />
12.2.3-p1 The <strong>ANWI</strong> design shall address the implementation of Identity <strong>and</strong><br />
Access Management to achieve the following effects:<br />
12.2.3-p2 Identity Management shall include the provision of a single sign on user<br />
experience for <strong>ANWI</strong> user for <strong>ANWI</strong> end-2-end services. This include the integration<br />
of logical (<strong>ANWI</strong> access) <strong>and</strong> physical (building access) Identify <strong>and</strong> Access<br />
management for the Business Infrastructure utilising the building access smartcard<br />
capability as provided by HN Belgium as part of the ESS capability.<br />
12.2.3-p3 Identity Management shall include the provision of a single identity <strong>and</strong><br />
identity authoritative data sources across the <strong>ANWI</strong> security domains.<br />
12.2.3-p4 Identity Management shall support federated identity <strong>and</strong> access<br />
management for access to/from security domains external to the <strong>ANWI</strong> domains.<br />
12.2.3-p5 Identity Management shall support integration of business applications<br />
Identity <strong>and</strong> Access Management mechanisms with the <strong>ANWI</strong> provided Identity <strong>and</strong><br />
Access management services.<br />
12.2.4 Infrastructure as a Service (IaaS)<br />
12.2.4-p1 The <strong>ANWI</strong> design for the <strong>ANWI</strong> infrastructure services (see Annex F)<br />
shall adopt an IaaS cloud-ready approach.<br />
12.2.4-p2<br />
It shall include all functionality for on-dem<strong>and</strong> self service.<br />
12.2.4-p3 It shall ensure broad network access for the <strong>ANWI</strong> (local) network<br />
environment <strong>and</strong> shall include provisions to extend this to the WAN environment.<br />
12.2.4-p4 It shall support resource pooling: dynamical assignment <strong>and</strong> deassignment<br />
of infrastructure resources.<br />
12.2.4-p5 It shall support rapid elasticity within the boundaries as defined for<br />
scalability as the local <strong>ANWI</strong> level (see section 11) <strong>and</strong> it shall include provisions to<br />
extend elasticity support at the WAN level shared IT.<br />
12.2.4-p6 It shall allow for full measuring <strong>and</strong> metering <strong>and</strong> reporting of all<br />
infrastructure services on all its indicated performance, capacity, elasticity, resource<br />
assignment features (see annex F).<br />
12.2.5 Green IT<br />
12.2.5-p1 The NNHQ project has a focus on sustainability, which must be<br />
inherited by the ICT projects. The <strong>ANWI</strong> Contractor shall incorporate <strong>and</strong> cover in the<br />
PMP <strong>and</strong> design the following three Strategic areas that are part of the NNHQ Green
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
IT strategy (see reference 1.1.1.7.7) <strong>and</strong> proof compliance to these strategies<br />
through processes, procedureal or technical/services measures:<br />
A. Energy Optimisation Management.<br />
B. IT Governance.<br />
C. Communication.<br />
12.2.5-p2 Any green optimizations that negatively impact NATO´s primary<br />
objectives or increase the life cycle cost shall not be proposed.<br />
12.2.5-p3 The following targets shall be completed by the end of the build phase<br />
<strong>and</strong> of the migration to the new NATO headquarters.<br />
12.2.5-p4 Energy reduction - The success of this target shall be measured as the<br />
reduction of the overall energy consumption per employee. The target will be set<br />
after the initial measurement. The <strong>ANWI</strong> Contractor shall provide support to this effort<br />
by performing <strong>and</strong> reporting the baseline <strong>ANWI</strong> energy concsumtion measurements<br />
by FOC. The <strong>ANWI</strong> Contractor shall formally manage <strong>and</strong> report <strong>ANWI</strong> energy<br />
consumption after baselining the <strong>ANWI</strong> energy consumption as part of the overall<br />
<strong>ANWI</strong> services change management procedures.<br />
12.2.5-p5 Green Procurement - The <strong>ANWI</strong> Contractor shall provide relevant<br />
environmental compliance documents for all its products <strong>and</strong> suppliers (Electronic<br />
Product Environmental Assessment, Energy Star) <strong>and</strong> their own environmental<br />
policy.<br />
12.2.5-p6<br />
The following are specific Green IT targets for the <strong>ANWI</strong> project:<br />
12.2.5-p7 Paper reduction - The printing services shall by default provide options<br />
to reduce printed paper, for example double sided printing.<br />
12.2.5-p8 The <strong>ANWI</strong> Contractor shall take into account the environmental<br />
specifications for each service specified in Annexes F – I.<br />
12.2.5-p9 All devices used in the <strong>ANWI</strong> environment shall be optimized for energy<br />
efficiency <strong>and</strong> “Green” settings should be used <strong>and</strong> enforced as much as possible.<br />
12.2.5-p10 The <strong>ANWI</strong> user facing devices shall have limited heat production<br />
<strong>and</strong> shall ensure the user working environment environmental conditions for the<br />
users remain at all times within the limits of workable conditions given the building<br />
environmental slab cooling capacity.<br />
12.2.6 Virtualization<br />
12.2.6-p1 Virtualization is a key requirementfor NATO so the <strong>ANWI</strong> Contractor<br />
shall provide the service through a vitualised infrastructure.<br />
12.2.6-p2 Any deviation of the proposed solution from deploying the virtualized<br />
environment (due to very specific hardware component or peripheral dependencies,<br />
<strong>and</strong> so on) shall be documented in detail with its justification <strong>and</strong> be subject to the<br />
approval of the Purchaser.<br />
12.2.6-p3 In case of a non-virtualized solution being proposed, the physical<br />
infrastructure shall be integrated into the <strong>ANWI</strong>SMC environment minimizing direct<br />
physical interaction with the servers needed.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-168 of 532
12.2.7 User Experience<br />
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
12.2.7-p1 With remote workers, branch offices, security dem<strong>and</strong>s <strong>and</strong> other<br />
reasons, most modern ICT solutions combine different workplace solutions for their<br />
users (desktops, laptops, Virtual Desktop Infrastructure (VDI), Server Based<br />
Computing (SBC)). For users working with these solutions, this can be quite<br />
confusing. Desktops change, icons are different, <strong>and</strong> versions of software can be<br />
different.<br />
12.2.7-p2 The Man-Machine Interface (MMI) shall be similar enough between all<br />
workplace solutions in order for a normal user to be able to use them conveniently.<br />
12.2.7-p3 Whether a user works on a laptop or on a SBC solution, the look <strong>and</strong><br />
feel of his desktop shall be the same <strong>and</strong> a user shall have minimal confusion when<br />
switching between workplaces.<br />
12.2.7-p4 The user interfaces shall make it instantly clear (visible) on which<br />
security network the user is currently working, to prevent accidents resulting in<br />
security violations.<br />
12.2.7-p5<br />
centrally.<br />
12.2.8 St<strong>and</strong>ardization<br />
The management of these different user environments shall be done<br />
12.2.8-p1 The <strong>ANWI</strong> Contractor shall design <strong>and</strong> implement the <strong>ANWI</strong> services<br />
using a well-defined set of products that are to be st<strong>and</strong>ardized to the extent possible<br />
thus ensuring a minimized variation of components <strong>and</strong> products across the ICT’s<br />
infrastructure.<br />
12.2.8-p2 Components that perform the same function across different locations,<br />
networks within <strong>ANWI</strong> shall be of same br<strong>and</strong>, model, capacity <strong>and</strong> feature.<br />
12.2.8-p3 The <strong>ANWI</strong> Contractor shall clearly document the justification <strong>and</strong> the<br />
results of exceptional cases where use of same equipment is not possible.<br />
12.2.8-p4<br />
All physical interfaces shall be based on industry st<strong>and</strong>ards.<br />
12.2.8-p5 All logical interfaces shall be based on industry st<strong>and</strong>ards <strong>and</strong><br />
protocols. The minimum is to ensure the <strong>ANWI</strong> interfaces comply with st<strong>and</strong>ards as<br />
promoted in the NISP. As <strong>and</strong> when there is no match with the NISP promoted<br />
st<strong>and</strong>ards then either a reference to open st<strong>and</strong>ards (OSI, ITU, ..) need to be<br />
provided or in case it is about a proprietary or industry st<strong>and</strong>ards a justification of its<br />
use <strong>and</strong> interoperability (limitations) should be provided.<br />
12.2.8-p6 All hardware shall comply with the Bi-SC Minimum Hardware<br />
Procurement Specifications (see 1.1.1.5.1). Compliance with this document shall be<br />
limited at the level of specific hardware components (e.g. server, processing unit…)<br />
as part of the design <strong>and</strong> considered as minimum component requirements. The<br />
contractor’s design shall address the additional HW component features needed to<br />
achieve an integrate <strong>ANWI</strong> service.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-169 of 532
N A T O U N C L A S S I F I E D<br />
12.2.9 High Available NNHQ ICT Environment<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
12.2.9-p1 The <strong>ANWI</strong> contractor shall provide the necessary means to minimize<br />
service disruption <strong>and</strong> data loss, to meet or exceed the requirements stated in this<br />
section <strong>and</strong> in specific Annexes.<br />
12.2.9-p2<br />
Availability is defined as: Availability = uptime / total time.<br />
12.2.9-p3 The <strong>ANWI</strong> contract has introduced an additional metric to entertain<br />
efficient management (limit size <strong>and</strong> frequency in a certain period) of scheduled<br />
downtime: Reliability. Reliability is defined as: Reliability = uptime / (total time –<br />
scheduled downtime)<br />
12.2.9-p4 <strong>ANWI</strong> services shall be designed <strong>and</strong> implemented to meet the specific<br />
availability criteria provided in Annex E – I.<br />
12.2.9-p5 Disruptions, ranging from user error to the complete failure of a server<br />
room, shall result in minimal data loss <strong>and</strong> minimal disruption of ICT services, using a<br />
combination of failover mechanisms.<br />
12.2.9-p6 <strong>ANWI</strong> shall have its core components <strong>and</strong> capabilities installed into two<br />
server rooms within NNHQ building.<br />
12.2.9-p7 Based on the required availability thresholds, the <strong>ANWI</strong> Contractor shall<br />
design <strong>and</strong> implement required configurations across two server rooms for each<br />
component (such as an active-active setup).<br />
12.2.9-p8 In case of failure in one server room, from a single server or a storage<br />
unit, to the entire server room, the other server room shall automatically take over the<br />
functionality, with minimal disruption of user services.<br />
12.2.9-p9 Apart from the dual server rooms, there shall also be dual<br />
Communication rooms (TCF) built in the NNHQ.<br />
12.2.9-p10 Where needed, <strong>ANWI</strong> components shall be installed or integrated<br />
with equipment across these two Communication Rooms following the same high<br />
availability principles as the Server Rooms.<br />
12.2.10 Additional Availability Requirements<br />
12.2.10-p1 <strong>ANWI</strong> design <strong>and</strong> implementation shall take into account the<br />
requirement to be able to use a third storage node for disaster recovery purposes.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-170 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
12.2.10-p2 Data synchronization between the server rooms shall be<br />
considered, on multiple levels, for example:<br />
A. Application replication, e.g. Active Directory (AD) synchronization or<br />
Exchange Database Availability Group (DAG).<br />
B. Storage replication.<br />
12.2.10-p3 The following requirements on availability of data <strong>and</strong> services shall<br />
be taken into consideration in addition to the individual specific figures in Annex E –I<br />
A. Basic Office automation services (for example: authentication, user<br />
settings, file & print services, email) shall be high available. Even if a<br />
complete collapse of one server room occurs, there shall be limited<br />
noticeable disturbance for users. More service specific availability figures<br />
can be found in Annex E-I.<br />
B. NATO client-server or web based applications shall be redundantly setup<br />
over both server rooms, making them highly available.<br />
C. Client-server applications, which cannot have an active-active setup, shall<br />
lose only a limited amount of data. The amount of lost data is dependent<br />
upon 1) the amount of changes per time period in the databases <strong>and</strong> 2)<br />
the transfer speed of the changes. E.g. a critical Database (DB), with few<br />
<strong>and</strong> small changes, could synchronize its changes (log shipping) every 10<br />
minutes.<br />
D. All servers/applications that cannot be configured as an active-active<br />
configuration, shall, in case of failure of that server, or of the entire server<br />
room, be available to restart in the second server room.<br />
E. All data shall be available in either server room, to be accessible in case<br />
there is a problem in the other room.<br />
12.2.11 Modularity Principle<br />
12.2.11-p1 The <strong>ANWI</strong> design <strong>and</strong> physical implementation shall support a<br />
modular approach where system functions are logically <strong>and</strong> physically bundled in<br />
modules that can easily be exp<strong>and</strong>ed vertically (scale out, adding<br />
functions/performance) or horizontally (scale up, adding capacity). More information<br />
about the <strong>ANWI</strong> modularity requirements is provided in paragraph 12.5.<br />
12.2.12 Reduced ICT Capacity<br />
12.2.12-p1 In case of unavailability of a complete server room the <strong>ANWI</strong> services<br />
shall have a maximum allowed performance degradation per service as indicated in<br />
the table below.<br />
No. Reduced ICT Capacity Max Degradation -<br />
Performance<br />
Services<br />
1 Specific Communities Of Interest (SCOI)<br />
1.1 Service Management Capabilities (SMC) 25%<br />
1.2 Information Assurance Policies & Management 25%<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-171 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
No. Reduced ICT Capacity Max Degradation -<br />
Performance<br />
Services<br />
(IAM)<br />
2 Infrastructure Services<br />
2.1 Processing n.a.<br />
2.2 Storage n.a.<br />
2.3 Printing & Scanning 25%<br />
2.4 Network Infrastructure 25%<br />
2.5<br />
a<br />
2.5<br />
b<br />
LAN (Wired)<br />
LAN (Wireless)<br />
n.a.<br />
n.a.<br />
2.6 Cross Domain 25%<br />
3 UCC (Unified Communications & Collaboration Services<br />
3.1 Voice 10%<br />
3.2 Voicemail 25%<br />
3.3 Video-Teleconferencing (VTC) 10%<br />
3.4 E-mail 25%<br />
3.5 Unified Messaging 25%<br />
3.6 FAX 25%<br />
3.7 Instant Messaging (IM)/chat 25%<br />
3.8 Presence 25%<br />
3.9 Directory Service 25%<br />
3.1<br />
0<br />
3.1<br />
1<br />
Collaboration 25%<br />
Mobility 25%<br />
4 Client Provisioning Services<br />
4.1 Software provisioning 25%<br />
4.2 Client devices n.a.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-172 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
No. Reduced ICT Capacity Max Degradation -<br />
Performance<br />
Services<br />
5 Supplementary Services<br />
5.1 GSM n.a.<br />
5.2 GSM Blocking n.a.<br />
5.3 Wireless Blocking n.a.<br />
5.4 Site Security Communications (Radio) n.a.<br />
5.5 IPTV 25%<br />
12.2.12-p2 For the <strong>ANWI</strong> Services (except Voice/VTC) – a single server room shall<br />
be able to support 75% of the total users/load without Performance degradation.<br />
12.3 <strong>Initial</strong> <strong>System</strong> <strong>View</strong><br />
12.3.1 <strong>ANWI</strong> <strong>System</strong> <strong>View</strong><br />
12.3.1-p1 Figure 12.1 shows the high-level <strong>ANWI</strong> system view that identifies the<br />
following main elements:<br />
A. External Entities, entities PFE (Annex B) shall be fully integrated into the<br />
<strong>ANWI</strong> capability by the <strong>ANWI</strong> Contractor.<br />
B. The two major infrastructures that comprise the <strong>ANWI</strong> capability. These<br />
major infrastructures will be further defined in section 12.3.2 <strong>and</strong> 12.3.3<br />
respectively:<br />
1. NS Infrastructure.<br />
2. Business Infrastructure.<br />
C. Cross Domain Services, described in 12.3.4, that secure <strong>and</strong> regulate the<br />
interfaces <strong>and</strong> information flows:<br />
1. To the external entities.<br />
2. Between the Business <strong>and</strong> NS infrastructures.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-173 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Figure 12.1: <strong>ANWI</strong> <strong>System</strong> <strong>View</strong><br />
12.3.2 External Entities<br />
12.3.2-p1 The <strong>ANWI</strong> shall interface with <strong>and</strong> integrate to the external entities as<br />
identifiedin figure 12.1 in the following groupings:<br />
A. NATO Services; The NGCS is responsible for providing connectivity <strong>and</strong><br />
services across NATO <strong>and</strong> between NATO <strong>and</strong> NATO Nations.<br />
Interconnection between NATO <strong>and</strong> other International Organisations (EU,<br />
Partners for Peace, Mediterranean Dialogue), will be via the PIA gateway.<br />
Annex B provides a detailed NGCS Operational Connectivity description.<br />
The NATO Network Services, connected through NGCS will present<br />
network interfaces into other NATO Services.<br />
B. Commercial Network Services. These are services available through<br />
(public) service providers.<br />
C. Passive Building Facility Related Services; Representing the physical<br />
(passive) building related services (e.g. cabling, desk space, rack/floor<br />
space, power/cooling) see Annex B.<br />
D. Active Building Facility Related Services; Representing the (active)<br />
information services related to building security management <strong>and</strong><br />
conference facilities (e.g. Enterprise Security <strong>System</strong> (ESS, see Annex B),<br />
the building management services (BMS, see Annex B) <strong>and</strong> the Audio<br />
Video Infrastructure (AVI, see Annex B) related services).<br />
E. Business Applications; Represents end-user or application services that<br />
are provided to HQ users <strong>and</strong>/or users accessing the applications via<br />
extranet portals (see Annex B).<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-174 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
12.3.2-p2 The <strong>ANWI</strong> shall integrate <strong>and</strong> interface, via NGCS, with the following<br />
NATO Services:<br />
A. VTC: see Annex B.<br />
B. PIA: see Annex B.<br />
C. Reserved<br />
D. Voice: see Annex B.<br />
E. NEDS: see Annex B.<br />
F. IA Services:<br />
1. NCIRC: see Annex B.<br />
2. NPKI: see Annex B.<br />
3. Firewall Management: see Annex B.<br />
G. Domain Services:<br />
1. Active Directory<br />
2. AIS AD domain services: See Annex B.<br />
3. Future Single Forest Single Domain, or federated NU <strong>and</strong> NR domains.<br />
H. Messaging Services, consisting of:<br />
1. AIS email Active Directory based Services: See Annex B.<br />
2. NATO Messaging Services: See Annex B<br />
I. SMC/CIS management consisting of:<br />
1. NCGS management: See Annex B<br />
2. AIS Enterprise Management Services (EMS): See Annex B<br />
12.3.2-p3 The <strong>ANWI</strong> system shall interface <strong>and</strong> integrate with the following<br />
external Commercial Services:<br />
A. The IPTV service shall manage <strong>and</strong> administer IP rendered Television<br />
content <strong>and</strong> stream it to end-user devices using various delivery protocols,<br />
the required video/audio quality <strong>and</strong> the required video formats.<br />
B. Coverage/access to all authorised GSM service suppliers at authorised<br />
locations within the NNHQ building.<br />
C. Voice: Additional VoIP/PSTN/ISDN services that augment the NGCS<br />
Voice services.<br />
12.3.2-p4 The <strong>ANWI</strong> shall interface with the following external Active <strong>and</strong> Passive<br />
Building Facility Related Services (defined in Annex B):<br />
A. Cabling infrastructure will be provided by the PNWI, HN Belgium. It<br />
comprises of fibre <strong>and</strong> copper backbone. For more detail on the PNWI<br />
project cabling infrastructure, see Annex B.<br />
B. Racking <strong>and</strong> floor space will be provided by the PNWI. For more detail on<br />
the PNWI project racking infrastructure, see Annex B.<br />
C. Power/ cooling will be provided by the PNWI. For more detail on the PNWI<br />
project power/cooling facilities, see Annex B.<br />
D. The Audio Visual Infrastructure (AVI) that will be implemented by Host<br />
Nation Belgium, covers a broad range of technologies such as:<br />
presentation, conference <strong>and</strong> interpretation, broadcast <strong>and</strong> multi-media.<br />
Further details are in see Annex B.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-175 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
E. The other interface with the <strong>ANWI</strong> infrastructure is the video<br />
teleconferencing provisioning from the conference rooms to the desktops<br />
on dem<strong>and</strong>. The AVI shall use the Storage Area Network (SAN) storage<br />
of the NS <strong>and</strong> Business networks for storing <strong>and</strong> archiving all video<br />
conferences.<br />
F. The ElectronicSecurity <strong>System</strong> (ESS) provides a campus-wide coverage<br />
throughsecurity cameras <strong>and</strong> other devices that keep track of events<br />
happening in <strong>and</strong> outside the building. An ESS viewer allows security<br />
personnel to watch any event from a workstation on the Business Network<br />
<strong>and</strong> take appropriate action if required. The ESS servers shall be installed<br />
on the Business Network <strong>and</strong> shall use its SAN storage for archiving <strong>and</strong><br />
recovery. Further details are in Annex B.<br />
G. The Building Management <strong>System</strong> (BMS) keeps track of all technical<br />
related events in the building. It is connected to the building<br />
heating/cooling system <strong>and</strong> regulates the building power consumption.<br />
The BMS is connected to the <strong>ANWI</strong> <strong>and</strong> provides technical staff access to<br />
the BMS on workstations from anywhere in the building. The BMS servers<br />
shall be installed on the Business network <strong>and</strong> make use of the SAN<br />
storage. Further details are in Annex B.<br />
12.3.2-p5 The <strong>ANWI</strong> system shall interface with the following Business<br />
Application Services supported by the NNHQ O&M Authority:<br />
A. The Business Application are outside the scope of the <strong>ANWI</strong> project,<br />
however, they will make use of the <strong>ANWI</strong> services.<br />
B. Extranet Applications through extranet portals: There are a number of<br />
extranet portals that require <strong>ANWI</strong> connectivity in integration with <strong>ANWI</strong><br />
services.An overview of the ICTM business application, including extranet<br />
portal is provided in Annex B.<br />
12.3.3 Cross Domain Gateways (CDGW)<br />
12.3.3-p1 To achieve the required cross domain services six Cross Domain<br />
Gateway (CDGW) capabilities have been identified that are visualised in figure 12.2<br />
<strong>and</strong> specified in table 12.1.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-176 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Figure 12.2 Cross Domain Gateways<br />
CDGW # Interoperability Interface Operational Concept<br />
1 External:<br />
NS NS WAN<br />
Collaboration <strong>and</strong> information sharingat the NATO<br />
enterprise level in a federated way with NATO entities<br />
connected to the NS WAN.<br />
2 External:<br />
NR NR WAN<br />
NR NU WAN<br />
Internal via CDGW3:<br />
NR Public/INTERNET<br />
3 External:<br />
Public/CDGW2Public<br />
Networks/Internet<br />
Internal via CDGW3<br />
Business Public<br />
Networks/Internet<br />
4 Internal:<br />
NS EAPC<br />
This includes information sharing with NATO Nation<br />
SECRET (IEG B concept) <strong>and</strong> NATO Mission Secret (IEG<br />
C concept) where the NS WAN interconnection allows to<br />
interconnect with these gateways (i.e. IEG B <strong>and</strong> C).<br />
Collaboration <strong>and</strong> information sharing at the NATO<br />
enterprise level in a federated way.<br />
Interconnection with NATO wide NU <strong>and</strong> NR WAN.<br />
Interconnection via CDGW3 to exchange information with<br />
public (to include INTERNET <strong>and</strong> PUBLIC).<br />
Public Information Access for NATO HQ users as well as<br />
access from users on public networks to information <strong>and</strong><br />
collaboration services made available to those CoIs by the<br />
use of Publishing or Extranet Web Site/Portal concepts.<br />
The service provided “over the Internet” is via a VPN for<br />
roaming users, remote users or offices (fixed device of<br />
LAN).<br />
Secure <strong>and</strong> controlled capability to automate release of<br />
information from the NS domain to the EAPC network<br />
users <strong>and</strong> enable EAPC SECRET message exchange<br />
through the registry.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-177 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
CDGW # Interoperability Interface Operational Concept<br />
5 Internal:<br />
NS Business<br />
Release <strong>and</strong> information sharing between the Business LAN<br />
which is planned to be the primary environment for day-today<br />
business <strong>and</strong> the NATO SECRET, the primary<br />
infrastructure for official document repositories, for various<br />
purposes.<br />
6 Internal: Public > NS Provision of information about CIS assets <strong>and</strong> services to<br />
the central integrated CIS management capability residing<br />
on the NS network.<br />
Table 12.1: <strong>ANWI</strong> Cross Domain Gateways (CDGW)<br />
12.3.4 <strong>ANWI</strong> NS Infrastructure <strong>System</strong> <strong>View</strong><br />
12.3.4-p1 The first major infrastructure capability, the NS infrastructure <strong>and</strong> its<br />
substructures, is depicted in figure 12.3. The system architecture as shown in 12.3<br />
comprises the system view architecture for backend infrastructure. Extension of the<br />
infrastructure to the end points is covered by the LAN services as specified in chapter<br />
14 annex F. The infrastructure is redundantly spread over two in-building locations<br />
(server rooms <strong>and</strong> interfaces to the TCFs).<br />
12.3.4-p2 The system architecture view shows the following main elements:<br />
A. External Connectivity to the NGCS NS network.<br />
B. The following zones:<br />
1. EAPC LAN security domain used to host EAPC backend <strong>and</strong> user<br />
services.<br />
2. NS LAN security domain use to host NS backend <strong>and</strong> user services.<br />
C. The following Cross Domain Gateways:<br />
1. CDGW 1: Interconnection to the NS WAN. This Gateway support the<br />
following DMZ segments/zones:<br />
a. NS level front end (FE) DMZ for information sharing <strong>and</strong> federation (NS<br />
extranet) with other CoI’s through the NS WAN (interfaced via GW1).<br />
b. NS level backend (BE) DMZ services in support of the front end (user<br />
facing) NS extranet services (interfaced via GW1).<br />
c. NS authentication DMZ to support direct or federated authentication for<br />
external users to NS (DMZ) provided services.<br />
2. CDGW4: Interconnection of the NS LAN to/from the EAPC LAN,<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-178 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Figure 12.3: <strong>ANWI</strong> NS Level infrastructure system architecture view<br />
12.3.5 <strong>ANWI</strong> NU/NR/Public Level Infrastructure <strong>System</strong> <strong>View</strong><br />
12.3.5-p1 The second major infrastructure capability, in support of the Business<br />
<strong>and</strong> Public LAN (at NR level <strong>and</strong> NU/Public level respectively) <strong>and</strong> its substructures,<br />
is depicted in figure 12.4. The system architecture as shown in 12.4 comprises the<br />
backend infrastructure. Extension of the infrastructure to the end points is covered by<br />
the LAN services as specified in chapter 14 annex F. The infrastructure is<br />
redundantly spread over two in-building locations (server rooms <strong>and</strong> interfaces to the<br />
TCFs).<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-179 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
12.3.5-p2 The system architecture view shows the following main elements:<br />
A. External Connectivity to:<br />
1. The Internet via the PIA Gateway.<br />
2. The NGCS for:<br />
a. Interconnection to the NR WAN.<br />
b. Interconnection to the NU WAN.<br />
B. The following zones:<br />
1. NR LAN (business) security domain used to host Business backend<br />
<strong>and</strong> user services.<br />
2. Public (W)LAN security domain used to:<br />
a. Host Public backend <strong>and</strong> user services.<br />
b. Public WLAN extension to support WLAN access for mobile business<br />
users inside the building.<br />
C. The following Cross Domain Gateways:<br />
1. CDGW 2: Interconnection to the NR WAN (NR enterprise), NU (NU<br />
WAN) <strong>and</strong> PIA (via CDGW3). This gateway supports the following DMZ<br />
segments/zones:<br />
a. NU/NR level front end DMZ for information sharing <strong>and</strong> federation (NU<br />
extranet) with other CoI’s through the external networks (Internet,<br />
NGCS NU <strong>and</strong> NR WAN), interfaced via CDGW2). There will be<br />
multiple instances of this type of DMZ to support multiple CoI’s.<br />
b. NU/NR level backend DMZ services in support of the front end (user<br />
facing) NU/NR extranet services (interfaced via CDGW 2).<br />
c. Remote access DMZ to support VPN level interconnection for remote<br />
users/offices/sites.<br />
2. CDGW3: Interconnection to Internet/Public Networks utilising the PIA<br />
GW services in support of Internet access, Public Network Access <strong>and</strong><br />
remote/mobile user/site VPN services. This gateway supports the<br />
following DMZ segments/zones:<br />
a. Public (non-classified) level Internet Publishing DMZ used to share<br />
information with the public communities.<br />
b. Public level Backend DMZ in support of the internet publishing DMZ<br />
services.<br />
c. Remote access DMZ supporting reachback.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-180 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Figure 12.4: <strong>ANWI</strong> NR/NU/Public Infrastructure system architecture view<br />
12.3.6 NATO HQ NS to NU/NR/Public Cross Domain Infrastructure<br />
12.3.6-p1 Figure 12.5 shows the “shared” cross domain infrastructure that support<br />
information sharing across the two major infrastructures.<br />
12.3.6-p2 This system subview adds two more gateways use for internal NATO<br />
HQ interconnection purposes ONLY:<br />
A. Gateway 5, the NS NR gateway. This gateway support DMZ<br />
segment/zones both ways for providing access to NR <strong>and</strong>/or NS.<br />
B. Gateway 6, the Public to NS gateway for collecting management<br />
information from the Public LAN <strong>and</strong> consolidating that on the NS SMC<br />
capability.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-181 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Figure 12.5: Cross domain infrastructure across the NS <strong>and</strong> NU/NR/Public<br />
infrastructures<br />
12.3.7 Cross Domain Gateway Coherency <strong>View</strong><br />
12.3.7-p1 Annex E section 13.2.1 will take the architecture systems views as<br />
presented in 12.3.3, 12.3.4 <strong>and</strong> 12.3.5 forward <strong>and</strong> provide:<br />
A. more details on each of the individual cross domain gateway services, <strong>and</strong><br />
B. provide the perspective of a consistent Cross Domain Module (CDM), see<br />
also section 12.4) that includes a uniform, flexible, scalable way of<br />
managing <strong>and</strong> exp<strong>and</strong>ing cross domain gateway services in two ways:<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-182 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
1. providing additional gateways,<br />
2. Adding services to existing gateways. This view provides the holistic<br />
perspective on how all the GW are consistently managed <strong>and</strong><br />
interconnected to the infrastructures, domains <strong>and</strong> zones.<br />
12.4 <strong>ANWI</strong> Modules <strong>and</strong> Internal Interfaces Identification<br />
12.4.1 <strong>ANWI</strong> Modules<br />
12.4.1-p1 To enable proper analysis <strong>and</strong> description of various services for the<br />
multiple networks within NNHQ <strong>and</strong> clearly identifying their interfaces with other<br />
entities, a module based definition of the required infrastructure <strong>and</strong> services is<br />
introduced in this section. The module concept introduces a container perspective<br />
that is valid for all infrastructures, security domains <strong>and</strong> zones.<br />
12.4.1-p2 The architecture is sub-divided into four major modules, used as logical<br />
groupings to achieve a structured approach.<br />
1) The Core AIS Module (CAM) providing core <strong>and</strong> infrastructure services.<br />
2) The Core AIS Client Module (CACM) end-user (client) core <strong>and</strong><br />
infrastructure services.<br />
3) The Cross Domain <strong>and</strong> external network interfaces Module (CDM) providing<br />
the cross security domain services <strong>and</strong> interconnection to external<br />
networks.<br />
4) The Core Communications LAN Module (CCLM), providing the LAN<br />
services.<br />
5) In addition three more st<strong>and</strong>-alone type services are identified that are not<br />
logically bundled in a module but are connected to the <strong>ANWI</strong> modules as<br />
one-off services:<br />
6) GSM blocking<br />
7) WIFI blocking<br />
8) Site Security Communications<br />
12.4.1-p3 The <strong>ANWI</strong> Contractor shall follow the same modular approach while<br />
describing details of the design <strong>and</strong> implementation of <strong>ANWI</strong>. Modules <strong>and</strong> interfaces<br />
as identified in Annex D shall be referred to <strong>and</strong> worked out in more detail as part of<br />
the <strong>ANWI</strong> design creating a more detailed technical view of the system architecture<br />
views as presented in this Annex. As <strong>and</strong> when the contractor in his/her design<br />
decides to change or enhance the system view architecture a clearly written<br />
justification with attained design rationale shall be provided.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-183 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Figure 12.6: <strong>ANWI</strong> Modules <strong>and</strong> information flows<br />
12.4.1-p4 Figure 12.6 provides an overview of the <strong>ANWI</strong> modules in action. It<br />
shows the <strong>ANWI</strong> modules <strong>and</strong> depicts the internal <strong>and</strong> external interfaces involved in<br />
information flows that traverse the <strong>ANWI</strong> infrastructure. The remainder of this section<br />
will identify <strong>and</strong> describe at a high level:<br />
A. Module scope <strong>and</strong> functionality.<br />
B. Inter module interfaces.<br />
12.4.1-p5 Section 12.5 will focus on specifying the external interfaces <strong>and</strong> section<br />
will 12.6 will complete the end-2-end flow description by listing the <strong>ANWI</strong> governed<br />
end-2-end (user level) services.The <strong>ANWI</strong> contractor shall be responsible for both<br />
the end-2-end design, testing <strong>and</strong> delivery of the <strong>ANWI</strong> governed end-2-end (user<br />
level) services in full cooperation of providers of services needed to achieve the end-<br />
2-end service.<br />
12.4.1.1 Core AIS Module (CAM)<br />
12.4.1.1-p1 The Core AIS Module (CAM) provides the architecture of the server<br />
<strong>and</strong> storage infrastructure for each of the four networks (NATO SECRET, EAPC<br />
SECRET, Business <strong>and</strong> Public). The module provides various interfaces to other<br />
modules <strong>and</strong> external interfaces that enable the use of infrastructure or core<br />
services.<br />
12.4.1.1-p2<br />
Figure 12.7 is an example for the NS CAM for the NNHQ.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-184 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Figure 12.7: NS Network CAM<br />
12.4.1.1-p3 A combination of physical servers <strong>and</strong> virtualised servers, in a<br />
resilient configuration, spread over two server rooms shall be supported by a SAN<br />
structure, providing a high available, high capacity, flexible storage environment.<br />
12.4.1.1-p4 The servers shall be connected to the Network via the switches in<br />
the server room. More details are described in the Core Communications LAN<br />
Module (CCLM) paragraph.<br />
12.4.1.1-p5 Each of the other domains mayfollow the same layout as the NS<br />
domain <strong>and</strong>/or may be consolidated into NS/EAPC <strong>and</strong> NU/NR/Public infrastructure<br />
while complying with the NATO security regulation <strong>and</strong> proof TCO reductions.<br />
12.4.1.2 Core AIS Client Module<br />
12.4.1.2-p1 The role of the Core AIS Client Module (CACM) is to describe the<br />
approach to provide the client devices including voice clients.<br />
12.4.1.2-p2 The CACM shall provide end-users with sufficient client processing<br />
power to satisfy their business requirements.<br />
12.4.1.2.1 Client-Provisioning<br />
12.4.1.2.1-p1 The following <strong>ANWI</strong> client devices are identified:<br />
A. Fixed Desktop.<br />
B. Fixed Desktop Network Agnostic.<br />
C. Fixed Desktop High Performance.<br />
D. Thin Client<br />
E. Mobile (laptop/Tablet).<br />
F. VOIP phone. (Basic/Secretarial)<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-185 of 532
G. Secure IP-phone.<br />
H. Smart phone/PDA.<br />
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
12.4.1.2.1-p 2 Any <strong>ANWI</strong> Client device proposed by the <strong>ANWI</strong> Contractor that<br />
matches with a client device, as listed below, shall comply with the requirements<br />
specified in the MHWPS (see 1.1.1.5.1) :<br />
A. Office Desktop PC, st<strong>and</strong>ard desktop for normal office workers.<br />
B. High Performance workstations used for applications that are processor<br />
intensive, e.g. CIS management workstations <strong>and</strong> INFOSEC management<br />
workstations.<br />
C. Laptop for mobile users.<br />
12.4.1.2.2 Client locations<br />
12.4.1.2.2-p1 NS users work on NS devices located in the HQ, or in remote<br />
offices (see Annex M). NR users work on NR devices in the HQ, or remotely on NR<br />
devices over the Internet. NATO Restricted over the Internet (NRoI) is an in-service<br />
solution for mobile users, using a NATO owned device <strong>and</strong> NR approved VPN to get<br />
(remote) access to NR network services.<br />
12.4.1.2.2-p2<br />
Other users to access NS devices on the HQ network are:<br />
A. NATO NS cleared personnel of other agencies/organizations where HQ<br />
NS devices are located <strong>and</strong><br />
B. Non NATO, but NS cleared, personnel (nations or international<br />
organizations like the EU) working on HQ NS devices located at their<br />
offices.<br />
12.4.1.2.2-p3 The NRoI, or a comparable concept, shall be reused <strong>and</strong> where<br />
necessary be extended to provide reach-back capability to the users, within the<br />
limitations of client form factor, classification of the service, location of the user, <strong>and</strong><br />
applicable IA restrictions.<br />
12.4.1.2.2-p4 The NRoI device shall be connected to the Public network when<br />
in the HQ Building, <strong>and</strong> use the NRoI Virtual Private Network (VPN) solution to<br />
access NR services.<br />
12.4.1.2.3 Computer Client <strong>Architecture</strong><br />
12.4.1.2.3-p1 The CACM shall run on a passive network cabling infrastructure<br />
provided by the PNWI for the following three networks: NATO SECRET, EAPC<br />
SECRET <strong>and</strong> Business.<br />
12.4.1.2.3-p2 The Mobile (laptop) capability for the Business Network shall use<br />
wired or wireless network services <strong>and</strong> connect to the Business Domain via the<br />
public LAN security domain using a Secure VPN solution (NRoI).<br />
12.4.1.2.3-p3 Where possible, a desktop Keyboard, Video <strong>and</strong> Mouse (KVM)<br />
switch shall be used to reduce the number of screens <strong>and</strong> monitors on the desktop<br />
(the number of thin clients or PCs shall remain the same).<br />
12.4.1.2.3-p4 The <strong>ANWI</strong> Contractor shall follow SDIP-29/1 (see 1.1.1.3.3)<br />
installation guidelines regarding the physical separation of classified equipment.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-186 of 532
N A T O U N C L A S S I F I E D<br />
12.4.1.2.4 Conference Room Client Access Infrastructure<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-187 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
12.4.1.2.4-p1 In the official conference <strong>and</strong> meeting rooms the <strong>ANWI</strong><br />
Contractor shall implement network agnostic clients that can be connected to any<br />
network domain dependent on the classification of the conference or meeting. This<br />
holds for the presentation <strong>and</strong> conference support (interpreter) clients.<br />
12.4.1.2.4-p2 WLAN connectivity for mobile clients is available as <strong>and</strong> when<br />
the conference Authority is allowing wireless access, given the classification <strong>and</strong><br />
sensitivity of the conference.<br />
12.4.1.3 Core Communication LAN Module<br />
12.4.1.3-p1 The Core Communication LAN Module (CCLM) shall provide<br />
connectivity between the devices located throughout the building as well as providing<br />
connectivity to outside networks, via the interface to Cross Domain Module (CDM).<br />
12.4.1.3-p2 CCLM also shall provide the network transport services for<br />
telephony <strong>and</strong> IPTV services throughout the buildings.<br />
12.4.1.3-p3 CCLM shall provide active infrastructure for the combination of<br />
multiple wired infrastructures based on Ethernet running over fibre or copper cables<br />
utilising <strong>and</strong> extending, where necessary, the cable infrastructure as provided as PFE<br />
(see Annex B) <strong>and</strong> wireless connectivity will be provided using 802.11 based<br />
networks that shall be connected to the wired network.<br />
12.4.1.3-p4 CCLM shall provide access to appropriate services for a given<br />
network classification.<br />
12.4.1.3-p5 CCLM implementation shall follow the NCIRC security guidance that<br />
allows, under certain conditions, for logical separation of networks (1.1.1.6.9) which<br />
allows for a certain level of <strong>ANWI</strong> infrastructure consolidation (see Annex F Appendic<br />
6).<br />
12.4.1.3-p6 AllLAN components provided by the <strong>ANWI</strong> Contractor shall adhere<br />
to the Bi-SC AIS Minimum Hardware Procurement Specifications (see 1.1.1.5.1).<br />
12.4.1.4 Cross Domain Module<br />
12.4.1.4-p1<br />
The cross domain module shall achieve three major functions:<br />
12.4.1.4-p2 Secure network connectivity <strong>and</strong> interconnections to networks or<br />
value added network services that are available via NATO wide network capabilities<br />
(NGCS) or via public networks.<br />
12.4.1.4-p3 Cross domain solutions to support secure information access <strong>and</strong><br />
information sharing across the <strong>ANWI</strong> identified major infrastructure, security domains<br />
<strong>and</strong> zones.<br />
12.4.1.4-p4 An integrated, consistent, coherent, flexible <strong>and</strong> scalable<br />
management capability of the Cross Domain Gateways (CDGW) as identified in<br />
section 12.3 <strong>and</strong> all other cross domain solutions related to zoning. This will allow for<br />
a unified way of either locally or centrally manage cross domain functionality <strong>and</strong><br />
consistent managed interfaces with NATO centralised Information Assurance<br />
services such as NCIRC, central Firewall Management <strong>and</strong> NPKI. Annex E, appendix
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
2, provides the specification of the CDM architecture <strong>and</strong> of the individual CDGW’s it<br />
is managing.<br />
12.4.2 <strong>ANWI</strong> Module Internal Interface Identification<br />
12.4.2-p1 Figure 12.8 shows the <strong>ANWI</strong> inter-module interfaces. The interface<br />
details are specified later on in this Annex.<br />
Figure 12.8: <strong>ANWI</strong> Inter-module Interfaces<br />
12.4.2-p2 Figure 12.8 shows the relationship within the various internal <strong>ANWI</strong><br />
modules. The relationships are described in terms of the OSI model, where the<br />
green arrows represent the physical, the yellow the transport, <strong>and</strong> purple the service<br />
layer (representing the OSI session, presentation <strong>and</strong> application layers),<br />
respectively.<br />
12.4.2-p3 Table 12.2 describes the module high level interfaces at any of the<br />
three identified levels. In the remainder of this appendix as well as in the specification<br />
of each of the individual services more interface details are provided at either the<br />
information flow level (this appendix) or at the individual service interface level<br />
(Annexes E-I).<br />
# <strong>and</strong> description Physical Layer Transport Protocol Service Protocol<br />
1 CCLM-CACM Either copper RJ45 Layer 2-3 (Ethernet, -<br />
or Fiber connector IPv4, IPv6)<br />
2 CCLM-CAM Either copper RJ45 Layer 2-3 (Ethernet, CCLM management<br />
or Fiber connector IPv4, IPv6)<br />
information services<br />
3 CCLM-CDM Either copper RJ45 All allowed IP -<br />
or Fiber connector TCP/UDP ports<br />
IPv4/IPv6<br />
4. CAM – CDM - All allowed IP All <strong>ANWI</strong> services<br />
TCP/UDP ports that related to cross<br />
IPv4/IPv6<br />
domain end-to end<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-188 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
# <strong>and</strong> description Physical Layer Transport Protocol Service Protocol<br />
information flows<br />
5 CAM- CACM - All allowed IP<br />
TCP/UDP ports<br />
IPv4/IPv6<br />
All <strong>ANWI</strong><br />
infrastructure, UCC<br />
services<br />
Table 12.2: <strong>ANWI</strong> inter module interfaces<br />
12.5 External Interfaces<br />
12.5-p1 For each of the external entities as identified in section 12.2, the interfaces<br />
<strong>and</strong> interface st<strong>and</strong>ards are specified.<br />
12.5.1 Facility-Physical Interfaces<br />
12.5.1-p1<br />
The following figure identifies all <strong>ANWI</strong> physical external interfaces.<br />
Figure 12.9: <strong>ANWI</strong> Physical Interfaces<br />
12.5.1-p2<br />
The following table describes in more detail the physical interfaces:<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-189 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Interface Protocol Description Remarks<br />
PNWI-<strong>ANWI</strong> IPv4/MAC/SNMP Cabling <strong>and</strong> Intelligent Patching See description below<br />
DESK-<strong>ANWI</strong> - User desks See description below<br />
POW-<strong>ANWI</strong> - Power for all <strong>ANWI</strong> See description below<br />
COOL-<strong>ANWI</strong> - Cooling for <strong>ANWI</strong> components See description below<br />
RACK-<strong>ANWI</strong> - 19’ racks in server room, TERs, TCF See description below<br />
ESS-<strong>ANWI</strong> IPv4 Security camera connectivity, Building<br />
Access Card<br />
See description below<br />
BMS-<strong>ANWI</strong> IPv4 Building management connectivity See description below<br />
AV-<strong>ANWI</strong> IPv4 Audio Visual Infrastructure connectivity See description below<br />
Table 12.3: <strong>ANWI</strong> physical interfaces<br />
A. PNWI-<strong>ANWI</strong>: All passive cabling, both fibre <strong>and</strong> copper, will be provided<br />
by PNWI <strong>and</strong> are described in Annex B. All cabling in racks shall be<br />
provided by <strong>ANWI</strong>. All rack cabling on NS <strong>and</strong> EAPC classification<br />
networks shall be fibre (see 1.1.1.3.2), except for those cables located in<br />
class I security areas (copper). PNWI is managed through an Intelligent<br />
Patching capability that is integrated to <strong>ANWI</strong> at the LAN SMC level (See<br />
Annex B).<br />
B. DESK-<strong>ANWI</strong>: A desk outlet module will be included with every desk, with<br />
power, a copper RJ45 connector (for public/phone connectivity) <strong>and</strong> four<br />
(4) fibre connectors (See Annex B). <strong>ANWI</strong> shall provide the patch cords<br />
from the desk outlet to the device (connector types defined in Annex B.)<br />
C. POW-<strong>ANWI</strong>: All power in the server room (220v single phase or three<br />
phase high-voltage), TERs <strong>and</strong> in all other locations, including UPS <strong>and</strong><br />
generator facilities, will be provided by the GCCproject <strong>and</strong> have Type E "<br />
French style CEE 7/5 Schuko plugs. The <strong>ANWI</strong> Contractor shall provide<br />
the server room power distribution scheme within the limitations of the<br />
server room’s maximum power capacity (see Annex B).<br />
D. COOL-<strong>ANWI</strong>: All cooling for the server rooms <strong>and</strong> TER’s equipment is<br />
provided by GCC, (see Annex B).<br />
E. RACK-<strong>ANWI</strong>: All racks will be 19” wide <strong>and</strong> 45U high, provided by the<br />
PNWI project. Racks will have an electronic access control system. Details<br />
of the system are provided in Annex B.<br />
F. ESS-<strong>ANWI</strong>: All security cameras are connected via ESS cabling to the<br />
Business network. All video data is stored on the Business network.<br />
Workstations to view ESS data are located on the Business network. Also<br />
the building access card, NPKI enabled, will be used by <strong>ANWI</strong> for user<br />
token based access to the different Networks. Details of the system are<br />
provided in Annex B.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-190 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
G. BMS-<strong>ANWI</strong>: All building management systems are connected to the<br />
Business network. All data is stored on the Business (NR) network.<br />
Workstations to view BMS data are located on the Business network.<br />
Details of the system are provided in Annex B.<br />
H. AVI-<strong>ANWI</strong>: All AVI conference facilities shall make use of <strong>ANWI</strong> services<br />
(such as processing, storage, network infrastructure) <strong>and</strong> also<br />
interconnect to NATO Wide VTC via NGCS. Details of the system are<br />
provided in Annex B.<br />
12.5.2 NS Infrastructure External/Internal Interfaces<br />
12.5.2-p1 In this section the service <strong>and</strong> protocol interfaces are listed for the two<br />
major domains on the NS infrastructure: NS <strong>and</strong> EAPC.<br />
12.5.2.1 NS Domain<br />
12.5.2.1-p1<br />
The following picture describes the interfaces of the NS Network.<br />
Figure 12.10: NS network interfaces<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-191 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
12.5.2.1-p2<br />
NS Network:<br />
The following table describes in more detail the interfaces for the<br />
Flow 1/2 way Service Service name<br />
Supported<br />
Protocols<br />
Remarks<br />
NS-CDGW1 Two way NS-NPKI Authentication TBD NATO PKI<br />
Two way NS-NVTC VTC TBD NATO wide VTC<br />
Two way NS-NCIRC IDS TBD FW, IDS, IPS, DD<br />
Two way<br />
NS-SMC<br />
Two way NS-NSWAN Extranet<br />
Monitoring, Configuration<br />
Management, Software<br />
distribution, Service Desk<br />
SNMP, XML SQL,<br />
HTTP(S)<br />
HTTP(S), DNS<br />
Software distribution<br />
based on SCCM<br />
AIS services<br />
monitoring based on<br />
SCOM agents<br />
Two way NS-NDOM Windows AD LDAP Part of AIS SFSD<br />
Two way NS-NMSG Email, NMS SMTP, MMHS AIS email, NMS<br />
Two way NS-NEDS Directory Synchronisation LDAP Through AIS<br />
Two way NS-NSWAN NSWAN Extranet HTTP(S) Through AIS<br />
Two way NS-Roff Remote offices All <strong>ANWI</strong> services<br />
NS-CDGW4 Two way NS-EAPC Email SMTP Releasable to EAPC<br />
Two way NS-EAPC<br />
File<br />
CIFS, FTP,<br />
WebDAV<br />
Releasable to EAPC<br />
NS-CDGW5 One way NS-BUS Email SMTP Notification only<br />
CDGW4-NS One way EAPC-NS CIS Management XML<br />
CDGW5-NS One way BUS-NS CIS Management XML<br />
One way BUS-NS<br />
File<br />
CIFS, FTP,<br />
WebDAV<br />
One way BUS-BUS Email SMTP<br />
CDGW6-NS One way PUB-NS CIS Management XML<br />
NS-APP<br />
NS-XNET<br />
Two way<br />
Two way<br />
NNHQApplications<br />
NS Extranet<br />
See Annex B<br />
See Annex B<br />
Various protocols as<br />
identified in<br />
applications services<br />
list<br />
Various protocols as<br />
identified in<br />
applications services<br />
list<br />
Table 12.4: NS domain interfaces<br />
12.5.2.2 EAPC Domain<br />
12.5.2.2-p1<br />
The following picture describes the interfaces of the EAPC Network.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-192 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Figure 12.11: EAPC domain interfaces<br />
12.5.2.2-p2<br />
EAPC Network:<br />
The following table describes in more detail the interfaces for the<br />
Flow 1/2 way Service Service name Supported Protocols Remarks<br />
EAPC-<br />
CDGW4 One way EAPC-NS CIS Management<br />
CDGW4-<br />
EAPC<br />
Two way NS-EAPC Email SMTP<br />
File Transfer (XML<br />
formatted), XML web<br />
services (messaging),<br />
SNMP<br />
Releasable to EAPC, labelled<br />
with attachments<br />
Two way NS-EAPC File CIFS, FTP, WebDAV Releasable to EAPC<br />
Table 12.5(a): EAPC network interfaces<br />
12.5.2.2-p3 GSM <strong>and</strong> WIFI blocking is not shown as a service interface since its<br />
intention is to ensure GSM <strong>and</strong> WIFI signals do not interfere with NS domain<br />
services.<br />
12.5.3 Business Infrastructure External Interfaces<br />
12.5.3-p1 This section will specify the services <strong>and</strong> protocol interfaces for the two<br />
key user domains in the business infrastructure: NR domain <strong>and</strong> Public Domain<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-193 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
12.5.3.1 NR Domain<br />
12.5.3.1-p1 The following picture describes the interfaces of the NR domain.<br />
Figure 12.12: Business network interfaces<br />
12.5.3.1-p2<br />
NR domain:<br />
The following table describes in more detail the interfaces for the<br />
Flow 1/2 way Service Service name Supported Protocols Remarks<br />
BUS-CDGW2 Two way BUS-CVO Telephony<br />
POTS, ISDN, VOIP,<br />
PLAR<br />
Commercial voice<br />
Two way BUS-NVO Telephony VOIP, PLAR NATO voice<br />
Two way- BUS-GSM GSM Voice/SMS/MMS Integrate with UCC service<br />
Two way BUS-INT Internet browsing HTTP(S), DNS InternetNRWAN/NUWAN<br />
Two way BUS-INT Extranet HTTP(S), DNS Via CDGW3<br />
Two way BUS-NGCS Extranet HTTP(S), DNS NU WAN <strong>and</strong> NR WAN<br />
Two way BUS-Roff Remote offices VPN User Type U8a<br />
Two way BUS-Eusr External users VPN User Type U7a<br />
Two way BUS-NEDS NR NEDS LDAP<br />
Two way BUS-NMSG NR Email SMTP<br />
Two way<br />
Two way<br />
BUS-DOM Windows AD LDAP<br />
BUS-SMC<br />
Monitoring,<br />
Configuration<br />
Management,<br />
Software distribution,<br />
Service Desk<br />
SNMP, XML SQL,<br />
HTTP(S)<br />
Part of NATO enterprise NR<br />
SFSD<br />
Software distribution based on<br />
SCCM<br />
AIS services monitoring based<br />
on SCOM agents<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-194 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Flow 1/2 way Service Service name Supported Protocols Remarks<br />
Two way BUS-NCIRC Management TBD FW, IDS, DDD<br />
Two way BUS-NPKI Authentication TBD<br />
Two way BUS-NTVC VTC TBD<br />
CDGW2-BUS One way IPTV-BUS IPTV TBD IPTV->CD3->CD2->NR<br />
BUS-CDGW5<br />
One way BUS-NS CIS Management<br />
File Transfer (XML<br />
formatted), XML web<br />
services (messaging),<br />
SNMP<br />
One way BUS-NS File CIFS, FTP, WebDAV<br />
One way BUS-NS Email SMTP<br />
CDGW5-BUS One way NS-BUS Email XML Notification only<br />
BUS-APP Two way - NNHQApplications See Annex B<br />
BUS-XNET Two way -<br />
BUS-WLAN<br />
NR Extranet<br />
NU Extranet<br />
- - WLAN WIFI<br />
See Annex B<br />
Table 12.5(b): Business network interfaces<br />
Various protocols as identified<br />
in applications services list<br />
Various protocols as identified<br />
in applications services list<br />
Combined with Public WLAN<br />
to achieve Business Network<br />
Access based on VPN<br />
12.5.3.2 Public Domain<br />
12.5.3.2-p1<br />
The following picture describes the interfaces of the Public Domain.<br />
Figure 12.13: Public network interfaces<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-195 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
12.5.3.2-p2<br />
Public Network:<br />
The following table describes in more detail the interfaces for the<br />
Flow 1/2 way Service Service name Supported Protocols Remarks<br />
PUB-CDGW6<br />
One way PUB-NS CIS management<br />
File Transfer (XML<br />
formatted), XML web<br />
services (messaging),<br />
SNMP<br />
PUB-CDGW3 Two way PUB-INT Internet HTTP(S), SMTP, DNS<br />
Two-way<br />
Two way<br />
PUB-BUS<br />
PUB-NCIRC<br />
Management<br />
Two way PUB-CVO Comm. voice<br />
CDGW3-PUB One way IPTV-PUB IPTV TBD<br />
CDGW3-PUB One way<br />
Internet<br />
Publishing<br />
SMTP, File, HTTP<br />
POTS, ISDN, VOIP,<br />
PLAR<br />
No user info exchange but in<br />
support of support to the public<br />
domain<br />
Central Mgmt FW, IDC, DD,<br />
works via Business Domain<br />
NATO TV distribution to Public<br />
networks<br />
Web publishing HTTP(S), DNS NATO public websites<br />
Table 12.6: Public network interfaces<br />
12.5.3.2-p3 GSM <strong>and</strong> WIFI blocking is not shown as a service interface since its<br />
intention is to ensure GSM <strong>and</strong> WIFI public signals are blocked in areas where Public<br />
network access is not authorised.<br />
12.6 End to End Services<br />
12.6-p1 The following table describes the services of the <strong>ANWI</strong> project. The table<br />
basically is a list of <strong>ANWI</strong> services <strong>and</strong> their position in the end to end services chain.<br />
12.6-p2 The information provided in the table can be read as follows:<br />
FROM <strong>and</strong> TO fields are the two endpoints of the service flow.<br />
1or2 WAY field identifies if the flow is restricted to one way or not.<br />
GW field identifies the Cross Domain Gateway elements that need to be part<br />
of the flow.<br />
EXTERNAL SERVICE field identifies any external service dependencies for<br />
the flow.<br />
A yellow line means the functionality is still in question, or is available, but in a<br />
different form than the other solutions.<br />
User<br />
Services<br />
From 1/2 way GW To Provider External service Remarks<br />
Processing - - - PUBLIC PNWI<br />
- - - NR PNWI<br />
- - - EAPC PNWI<br />
- - - NS PNWI<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-196 of 532<br />
Processing<br />
backend for<br />
PUBLIC<br />
Processing<br />
backend for NR<br />
Processing<br />
backend for<br />
EAPC<br />
Processing<br />
backend for NS
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
User<br />
Services<br />
From 1/2 way GW To Provider External service Remarks<br />
Storage - - - PUBLIC PNWI<br />
- - - NR PNWI<br />
- - - EAPC PNWI<br />
- - - NS PNWI<br />
Printing - - - PUBLIC<br />
- - - NR<br />
- - - EAPC<br />
- - - NS<br />
NR > CDGW5 NS <strong>ANWI</strong><br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-197 of 532<br />
Central Storage<br />
for PUBLIC<br />
Central Storage<br />
for NR<br />
Central Storage<br />
for EAPC<br />
Central Storage<br />
for NS<br />
Printing service<br />
for PUBLIC<br />
Printing service<br />
for NR<br />
Printing service<br />
for EAPC<br />
Printing service<br />
for NS<br />
AD synch NR WAN CDGW2 NR ? NR Domain<br />
federated or<br />
single domain<br />
structure<br />
NS WAN CDGW1 NS NCIA Bi-SC AIS<br />
federated or<br />
single domain<br />
structure<br />
LAN - - - PUBLIC PNWI<br />
Mainly WLAN<br />
based<br />
- - - NR PNWI (W)LAN<br />
- - - EAPC PNWI LAN<br />
- - - NS PNWI LAN<br />
Email NR - NR <strong>ANWI</strong> -<br />
NRWAN CDGW2 NR ? NATO NR mail<br />
NR CDGW3 Internet NGCS PIA gateway<br />
NR > CDGW5 NS <strong>ANWI</strong> -<br />
NS - NS <strong>ANWI</strong> -<br />
NSWAN CDGW1 NS NCIA Bi-SC AIS<br />
EAPC - EAPC <strong>ANWI</strong> -<br />
NS CDGW4 EAPC <strong>ANWI</strong> -<br />
NS > CDGW5 NR <strong>ANWI</strong> -<br />
IM NS - NS <strong>ANWI</strong> -<br />
Email within<br />
<strong>ANWI</strong> NR<br />
Email between<br />
<strong>ANWI</strong> NR <strong>and</strong><br />
NATO Federated<br />
NR<br />
Email between<br />
<strong>ANWI</strong> NR <strong>and</strong><br />
Internet Via<br />
CDGW2 -<br />
>CDGW3<br />
One way e-mail<br />
from NR to NS<br />
Email within<br />
<strong>ANWI</strong> NS<br />
Email between<br />
<strong>ANWI</strong> NS <strong>and</strong><br />
NATO Federated<br />
NS<br />
Email within<br />
<strong>ANWI</strong> EAPC<br />
Email between<br />
<strong>ANWI</strong> NS <strong>and</strong><br />
<strong>ANWI</strong> EAPC<br />
Email<br />
NOTIFICATIO<br />
N ONLY from<br />
<strong>ANWI</strong> NS to<br />
<strong>ANWI</strong> NR<br />
<strong>ANWI</strong> NS<br />
Internal
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
User<br />
Services<br />
From 1/2 way GW To Provider External service Remarks<br />
NSWAN CDGW1 NS NCIA Bi-SC AIS<br />
NR - NR <strong>ANWI</strong> -<br />
NRWAN CDGW2 NR ? NRNRWAN<br />
NU - NU <strong>ANWI</strong> -<br />
Voice NR - NR <strong>ANWI</strong><br />
PUBLIC CDGW3 NR <strong>ANWI</strong><br />
NATO CDGW3 NR NGCS -<br />
NR > CDGW3 external NGCS -<br />
NATO CDGW3 NU NGCS -<br />
PUBLIC > CDGW3 external NGCS -<br />
NR CDGW3 external Commercial -<br />
PUBLIC CDGW3 external Commercial -<br />
<strong>ANWI</strong> NS to<br />
federated or<br />
Single Domain<br />
NS<br />
<strong>ANWI</strong> NR<br />
Internal<br />
<strong>ANWI</strong> NR to<br />
federated or<br />
Single Domain<br />
NR<br />
NU extranet portalbased<br />
IM<br />
(EIM/ERP)<br />
VOIP on NR<br />
BUS to BUS soft<br />
clients<br />
VoIP session<br />
between <strong>ANWI</strong><br />
PUBLIC to<br />
<strong>ANWI</strong> NR<br />
(From CDGW3<br />
to CDGW2 to<br />
NR)<br />
VoIP session<br />
between NATO<br />
VoIP Networks<br />
to <strong>ANWI</strong> NR<br />
(From CDGW3<br />
to CDGW2 to<br />
NR)<br />
VoIP session<br />
between External<br />
Networks to<br />
<strong>ANWI</strong> NR<br />
(From CDGW3<br />
to CDGW2 to<br />
NR)<br />
VoIP session<br />
between NATO<br />
Networks /<br />
<strong>ANWI</strong> NU<br />
VoIP session<br />
between External<br />
Networks to<br />
<strong>ANWI</strong> PUBLIC<br />
Commercial<br />
Backup Route<br />
for Above NGCS<br />
link<br />
Commercial<br />
Backup Route<br />
for Above NGCS<br />
link<br />
Fax NS CDGW1 NSWAN - UCC integrated.<br />
NR CDGW3 external Commercial -<br />
UCC integrated,<br />
via CDGW2 -<br />
>CDGW3.<br />
NU CDGW3 external Commercial - UCC integrated.<br />
VTC/VMR NSWAN CDGW1 NS NGCS NATO Wide VTC<br />
VTC session btw<br />
<strong>ANWI</strong> <strong>and</strong> NATO<br />
Wide VTC<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-198 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
User<br />
Services<br />
From 1/2 way GW To Provider External service Remarks<br />
Services NRWAN CDGW2 NR NGCS NATO Wide VTC<br />
NUWAN CDGW3 NU NGCS NATO Wide VTC<br />
NSWAN CDGW1 AVI NGCS NATO Wide VTC<br />
NRWAN CDGW2 AVI NGCS NATO Wide VTC<br />
NUWAN CDGW3 AVI NGCS NATO Wide VTC<br />
NS - NS HN BE AVI<br />
NR - NR HN BE AVI<br />
NU - NU HN BE AVI<br />
NR NR<br />
NS - NS <strong>ANWI</strong> -<br />
VTC session btw<br />
<strong>ANWI</strong> <strong>and</strong> NATO<br />
Wide VTC<br />
VTC session btw<br />
<strong>ANWI</strong> <strong>and</strong> NATO<br />
Wide VTC<br />
VTC session btw<br />
AVI <strong>and</strong> NATO<br />
Wide VTC<br />
VTC session btw<br />
AVI <strong>and</strong> NATO<br />
Wide VTC<br />
VTC session btw<br />
AVI <strong>and</strong> NATO<br />
Wide VTC<br />
VTC session btw<br />
<strong>ANWI</strong> <strong>and</strong> AVI<br />
endpoints<br />
VTC session btw<br />
<strong>ANWI</strong> <strong>and</strong> AVI<br />
endpoints<br />
VTC session btw<br />
<strong>ANWI</strong> <strong>and</strong> AVI<br />
endpoints<br />
VTC session<br />
within <strong>ANWI</strong> end<br />
points<br />
VTC session<br />
within <strong>ANWI</strong><br />
endpoints<br />
UM NS - NS <strong>ANWI</strong> - <strong>ANWI</strong> Internal NS<br />
NSWAN CDGW1 NS NCIA Bi-SC AIS<br />
NR - NR <strong>ANWI</strong> -<br />
NRWAN CDGW2 NR ? NRNRWAN<br />
NU - NU <strong>ANWI</strong> -<br />
Presence NS - NS <strong>ANWI</strong> -<br />
NSWAN CDGW1 NS NGCS NSNSWAN<br />
NR - NR <strong>ANWI</strong> -<br />
NRWAN CDGW2 NR NGCS NRNRWAN<br />
Collaboration NS - NS <strong>ANWI</strong> -<br />
NSWAN CDGW1 NS NGCS NSNSWAN<br />
NR - NR <strong>ANWI</strong> -<br />
NRWAN CDGW2 NR NGCS NRNRWAN<br />
From federated /<br />
single domain NS<br />
to <strong>ANWI</strong> NS<br />
<strong>ANWI</strong> Internal<br />
NR<br />
From federated /<br />
single domain NR<br />
to <strong>ANWI</strong> NR<br />
NU extranet portalbased<br />
UM<br />
(EIM/ERP)<br />
<strong>ANWI</strong> NS<br />
Internal<br />
<strong>ANWI</strong> NS to<br />
federated or<br />
single domain<br />
NS<br />
<strong>ANWI</strong> NR<br />
Internal<br />
<strong>ANWI</strong> NR to<br />
federated or<br />
single domain<br />
NR<br />
<strong>ANWI</strong> NS<br />
Internal<br />
<strong>ANWI</strong> NS to<br />
federated or<br />
single domain<br />
NS<br />
<strong>ANWI</strong> NR<br />
Internal<br />
<strong>ANWI</strong> NR to<br />
federated or<br />
single NR<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-199 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
User<br />
Services<br />
UCC<br />
Directory<br />
From 1/2 way GW To Provider External service Remarks<br />
NU - NU <strong>ANWI</strong> -<br />
NR - NR <strong>ANWI</strong> -<br />
NRWAN CDGW2 NR ? NATO NR mail<br />
NR CDGW2 PUBLIC <strong>ANWI</strong> -<br />
NS - NS <strong>ANWI</strong> -<br />
NSWAN CDGW1 NS NCIA Bi-SC AIS<br />
NUWAN CDGW2 PUBLIC NCIA Bi-SC AIS<br />
PUBLIC - PUBLIC <strong>ANWI</strong><br />
NS > - EAPC <strong>ANWI</strong><br />
IPTV - > CDGW3 PUBLIC Commercial -<br />
- > CDGW3 NR Commercial -<br />
File services NR > CDGW5 NS <strong>ANWI</strong> -<br />
File<br />
Transfer<br />
Event<br />
Logging/Mo<br />
nitoring<br />
Remote<br />
users<br />
NS > CDGW4 EAPC <strong>ANWI</strong> -<br />
NU > CDGW6 NS <strong>ANWI</strong><br />
NR > CDGW5 NS <strong>ANWI</strong><br />
EAPC > CDGW4 NS <strong>ANWI</strong><br />
NR external CDGW3 NR NGCS PIA gateway<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-200 of 532<br />
NU extranet portalbased<br />
coll.<br />
(EIM/ERP)<br />
UCC Directory<br />
to support <strong>ANWI</strong><br />
NR<br />
Directory<br />
Exchange<br />
between <strong>ANWI</strong><br />
NR <strong>and</strong> NATO<br />
Federated NR<br />
Directory<br />
Exchange<br />
between <strong>ANWI</strong><br />
NR <strong>and</strong> <strong>ANWI</strong><br />
PUBLIC (via<br />
CDGW3)<br />
UCC Directory<br />
to support <strong>ANWI</strong><br />
NS<br />
Directory<br />
Exchange<br />
between <strong>ANWI</strong><br />
NS <strong>and</strong> NATO<br />
Federated NS<br />
Directory<br />
Exchange<br />
between <strong>ANWI</strong><br />
PUBLIC <strong>and</strong><br />
NATO Federated<br />
NU (via<br />
CDGW3)<br />
UCC Directory<br />
to support <strong>ANWI</strong><br />
PUBLIC<br />
UCC Directory<br />
to support <strong>ANWI</strong><br />
EAPC<br />
One way flow<br />
from provider to<br />
<strong>ANWI</strong> PUBLIC<br />
One way flow<br />
from provider to<br />
<strong>ANWI</strong> NR( via<br />
CDGW2)<br />
File transfer<br />
between NS <strong>and</strong><br />
NR<br />
One way file<br />
transfer from NS<br />
to EAPC<br />
Based on<br />
XMLfile<br />
transfer,<br />
messaging <strong>and</strong><br />
SNMP<br />
From CDGW3 to<br />
CDGW2 to NR
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
User<br />
Services<br />
From 1/2 way GW To Provider External service Remarks<br />
Offices NS external CDGW1 NS NGCS<br />
Browsing PUBLIC CDGW3 Internet NGCS PIA gateway<br />
NR CDGW2<br />
Internet<br />
Publishing<br />
<strong>ANWI</strong><br />
NR CDGW3 NUWAN NGCS<br />
Via PIA<br />
NR CDGW3 Internet NGCS PIA gateway<br />
NR CDGW2 NU Extranet <strong>ANWI</strong><br />
NR CDGW2 NR Extranet <strong>ANWI</strong><br />
NR CDGW2 NRWAN NGCS<br />
NS CDGW1 NSWAN NGCS<br />
NS CDGW1 NS extranet <strong>ANWI</strong><br />
NS > CDGW4 EAPC <strong>ANWI</strong><br />
1 through NATO approved/provided NR access mechanisms<br />
Table 12.7: End to End services<br />
Exceptional<br />
cases.<br />
<strong>ANWI</strong> PUBLIC<br />
browsing to<br />
Internet<br />
<strong>ANWI</strong> NR<br />
browsing <strong>ANWI</strong><br />
Internet Site (via<br />
CDGW3)<br />
<strong>ANWI</strong> NR<br />
browsing to<br />
NUWAN (Via<br />
CDGW2)<br />
<strong>ANWI</strong> NR<br />
browsing to<br />
Internet (Via<br />
CDGW3 to<br />
CDGW2 to NR)<br />
<strong>ANWI</strong> NR<br />
browsing to<br />
<strong>ANWI</strong> NU<br />
Extranet (Via<br />
CDGW3)<br />
<strong>ANWI</strong> NR<br />
browsing to<br />
<strong>ANWI</strong> NR<br />
Extranet<br />
<strong>ANWI</strong> NR<br />
browsing to<br />
NRWAN<br />
<strong>ANWI</strong> NS<br />
browsing to<br />
NSWAN<br />
<strong>ANWI</strong> NS<br />
browsing to NS<br />
Extranet<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-201 of 532
N A T O U N C L A S S I F I E D<br />
SECTION 13. ANNEX E: SMC <strong>and</strong> IA SERVICES<br />
13.1 Appendix 1: Service Management <strong>and</strong> Control<br />
13.1.1 Definition<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
13.1.1-p1 Service Management <strong>and</strong> Control (SMC) is used in this SOW to define<br />
the capability <strong>and</strong> processes needed to manage the life-cycle <strong>and</strong> support the<br />
delivered <strong>ANWI</strong> services.<br />
13.1.2 Scope<br />
13.1.2-p1 The <strong>ANWI</strong> Contractor shall deliver a SMC suite of tools supporting the<br />
following ITIL ® Processes:<br />
A. Service Design processes:<br />
1. Service Level Management<br />
2. Capacity Management<br />
3. Availability Management<br />
4. Service Catalogue Management<br />
5. Continuity Management<br />
6. Information Security Management<br />
B. Service Transition processes:<br />
1. Change Management<br />
2. Service Asset Management<br />
3. Configuration Management<br />
4. Release Management<br />
5. Knowledge Management<br />
C. Service Operations processes:<br />
1. Event Management<br />
2. Incident Management<br />
3. Problem Management<br />
3. Request Fulfilment<br />
4. Access Management<br />
D. Continuous Service Improvement processes:<br />
1. SLA Reporting<br />
2. Service Measurement.<br />
13.1.2-p2 The <strong>ANWI</strong> Contractor shall provide ITIL v3 based tools supporting these<br />
lifecycle management processes.<br />
13.1.2-p3 Figure 13.1 shows the SMC service mapping to the services taxonomy<br />
(as introduced in Annex C) as a vertical capability (supported by tools) that<br />
interfaces, monitors, supports <strong>and</strong> reports on the suite of <strong>ANWI</strong> services.<br />
13.1.2-p4 Each <strong>ANWI</strong> service identifies specific ELement Management (ELM)<br />
services in support of day-to-day operation <strong>and</strong> configuration/deployment.<br />
13.1.2-p5<br />
SMC delivers the capability to manage end to end service provisioning.<br />
13.1.2-p6 SMC includes the portfolio of end-user <strong>and</strong> internal services throughout<br />
their life-cycle.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-202 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
13.1.2-p7 The <strong>ANWI</strong> service portfolio <strong>and</strong> service catalogue are key authoritative<br />
information sources for the definition of these services.<br />
Figure 13.1: SMC services mapped to the Services Taxonomy<br />
13.1.2-p8 The <strong>ANWI</strong> Contractor shall procure the needed tools, document the<br />
processes <strong>and</strong> implement tools for the above ITILv3 processes as part of the SMC.<br />
13.1.2-p9<br />
The Purchaser will review the SMC processes for acceptance.<br />
13.1.2-p10 The <strong>ANWI</strong> Contractor shall provide: consolidated service monitoring<br />
information gathering <strong>and</strong> visualization (i.e. dashboard), detailed monitoring<br />
information gathering <strong>and</strong> visualization <strong>and</strong> periodic or request triggered reporting<br />
capabilities for the NNHQ O&M Authority <strong>and</strong> Purchaser use. The above shall be<br />
provided by the <strong>ANWI</strong> Contractor regardless of the service delivery model.<br />
13.1.3 Governance<br />
13.1.3-p1<br />
The Purchaser will establish a SMC governance board for the NNHQ.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-203 of 532
13.1.3-p2<br />
Authority.<br />
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-204 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
The SMC governance board will be chaired by the NATO O&M<br />
13.1.3-p3 The HQPO, local NNHQ ICT staff, <strong>and</strong> Purchaser will be members of<br />
the SMC governance board.<br />
13.1.3-p4 The <strong>ANWI</strong> Contractor <strong>and</strong> <strong>ANWI</strong> IV&V shall be members of the NNHQ<br />
SMC governance board through FSA.<br />
13.1.4 <strong>Architecture</strong><br />
13.1.4.1 <strong>Architecture</strong> Requirements<br />
13.1.4.1-p1 The SMC covers the full range of automated information systems<br />
(AIS), communication services, networks, building management system (BMS), etc.<br />
Management systems shall be provided for all services, components, <strong>and</strong> elements<br />
that can be managed.<br />
13.1.4.1-p2 AIS, service, network, <strong>and</strong> element management shall be<br />
centralized to the extent possible. A protected management network shall be<br />
provided in each security domain. This management network must allow local<br />
management (within the HQ) <strong>and</strong> remote support management by NCIA for the<br />
components that are centrally managed by NCIA , <strong>and</strong> remote from an external<br />
location to be determined following a disaster recovery.<br />
13.1.4.1-p3 The SMC shall use a centralized Integrated Operation Support<br />
<strong>System</strong> (IOSS), located in a protected (at least by the firewall) management network<br />
in the NS security domain, providing aggregation, correlation, <strong>and</strong> de-duplication of<br />
events. Also providing root cause analysis <strong>and</strong> visualization of the global service<br />
status, root-cause analysis of incidents, <strong>and</strong> centralized control <strong>and</strong> centralized<br />
configuration management.<br />
13.1.4.1-p4 The SMC shall use reporting, monitoring <strong>and</strong> tracking automation to<br />
the maximum extend feasible. Critical configuration changes shall require human<br />
authorizations. Risk assessment may allow a limited set of automatic automated<br />
configuration changes to take place.<br />
13.1.4.1-p5 Each security domain requires dedicated AIS/service management<br />
<strong>and</strong> dedicated N/ELM system(s) for networking, communication, IT service <strong>and</strong> other<br />
services components.<br />
13.1.4.1-p6 The AIS/service manager <strong>and</strong> the N/ELM in the different security<br />
domains shall report to the central IOSS.<br />
13.1.4.1-p7 The SMC shall have complete N/ELM <strong>and</strong> AIS/service management<br />
capability on NS network.<br />
13.1.4.1-p8 The SMC shall have basic N/ELM <strong>and</strong> AIS/service management<br />
capability monitoring <strong>and</strong> reporting on the EAPC network.<br />
13.1.4.1-p9 The SMC shall have complete N/ELM <strong>and</strong> AIS/service management<br />
capability in Business network.<br />
13.1.4.1-p10 The SMC shall have basic N/ELM <strong>and</strong> AIS/service management<br />
monitoring <strong>and</strong> reporting capability on the Public network.
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-205 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
13.1.4.1-p11 All SMC N/ELM components shall provide a ‘north bound’ interface<br />
to the central IOSS (located in NS security domain in Mons).<br />
13.1.4.1-p12 SMC components (N/ELM, AIS/service managers, IOSS) shall be<br />
integrated through the SMC enterprise service bus (ESB) infrastructure. All N/ELM<br />
<strong>and</strong> AIS/service management components shall have a documented <strong>and</strong> open<br />
interface towards the SMC ESB. (E.g. using web-services, JMS, SOAP, etc.).<br />
13.1.4.1-p13 The SMC ESB shall be based on open st<strong>and</strong>ards like Multi-<br />
Technology Operations <strong>System</strong> Interface (MTOSI), Operations Support <strong>System</strong><br />
through Java Initiative (OSS/J), eXtensible Markup Language (XML).<br />
13.1.4.1-p14 Management systems that require a database capability shall use a<br />
SQL database (with an open API) as the database backend, have the database<br />
model described/available, allow exploitation of the data store for future integration<br />
efforts.<br />
13.1.4.1-p15 All management systems shall be accessible through the SMC ESB<br />
allowing future integration with future SMC systems/components if <strong>and</strong> when<br />
required.<br />
13.1.4.2 Protocol Requirements<br />
13.1.4.2-p1 The IOSS shall use open interfaces like web-services, JMS or<br />
SOAP allowing integration, through an enterprise services bus, with 3rd party<br />
systems <strong>and</strong> automation through external 3rd party workflow engines, allowing<br />
control <strong>and</strong> information import <strong>and</strong> export.<br />
13.1.5 Installation<br />
13.1.5-p1 The <strong>ANWI</strong> Contractor shall install the SMC ELM services on the<br />
delivered <strong>ANWI</strong> services to support monitoring the service’s Service Level Targets<br />
(SLTs).<br />
13.1.5-p2 The specific CoI SMC services shall be provided on all 4 networks –<br />
NATO SECRET, EAPC SECRET, BUSINESS <strong>and</strong> PUBLIC.<br />
13.1.5-p3 The <strong>ANWI</strong> Contractor shall install the <strong>ANWI</strong>’s Service Management<br />
console, central information management <strong>and</strong> SMC reporting capabilities on the<br />
<strong>ANWI</strong>’s NS network.<br />
13.1.5-p4 The <strong>ANWI</strong> Contractor shall install service element managers on each of<br />
the other networks (EAPC, Business <strong>and</strong> Public) <strong>and</strong> ensure that their<br />
monitoring/reporting output is routed through the <strong>ANWI</strong> Cross Domain Gateways to<br />
the NS’ Service management console.<br />
13.1.5-p5 The <strong>ANWI</strong> Contractor shall configure the SMC to ensure that the NATO<br />
O&M Authority can provide: remote device management; remote asset/configuration<br />
management querying <strong>and</strong> Service Level Agreement (SLA) monitoring.<br />
13.1.5-p6 The <strong>ANWI</strong> Contractor shall configure the SMC to provide trouble ticket<br />
escalationis reported (up) to the NATO O&M Authority.<br />
13.1.5-p7 The <strong>ANWI</strong> Contractor shall configure the SMC to provide<br />
asset/configuration management information (up) to the NATO O&M Authority.
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-206 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
13.1.5-p8 The <strong>ANWI</strong> Contractor shall ensure that the NATO O&M Authority is able<br />
to remotely monitor <strong>and</strong> manage CDGW <strong>and</strong> other IA devices.<br />
13.1.6 Service Desk<br />
13.1.6-p1 The <strong>ANWI</strong> Service Desk shall provide Service Desk staff access to all<br />
SMC processes <strong>and</strong> tools.<br />
13.1.6-p2 The <strong>ANWI</strong> Contractor provided Service Desk Software shall have an<br />
overview of the user environment <strong>and</strong> can easily prioritize requests based upon<br />
urgency, priority <strong>and</strong> impact on the user.<br />
13.1.6-p3 The Service Desk shall serve as the single point of contact for all<br />
inquiries on ICT for all users for all networks <strong>and</strong> services.<br />
13.1.6-p4 The Service Desk shall use a service desk application to provide<br />
service desk functionality. The selected service desk application must support the<br />
ITIL service management framework at time of deployment.<br />
13.1.6-p5 The Service Desk shall be the user interface for all queries on <strong>and</strong><br />
administering all software licenses <strong>and</strong> service contracts.<br />
13.1.6-p6<br />
13.1.6-p7<br />
The central Service Desk IT infrastructure is located in the NS network.<br />
The Service Desk shall support incident <strong>and</strong> availability management.<br />
13.1.6-p8 The Service Desk shall support a knowledge base populated by the<br />
designers <strong>and</strong> operators.<br />
13.1.6-p9<br />
13.1.6-p10<br />
13.1.6-p11<br />
management.<br />
13.1.6-p12<br />
CMDB.<br />
The Service Desk shall support asset management.<br />
The Service Desk shall support change management.<br />
The Service Desk shall support routine/day-to-day service<br />
The Service Desk application(s) shall interface with the central<br />
13.1.6-p13 The Service Desk infrastructure shall provide an interface for<br />
financial management of CIS services.<br />
13.1.6-p14 The Service Deskshall use automation where feasible. The service<br />
desk application(s) shall be integrated with the rest of the SMC infrastructure through<br />
the management ESB.<br />
13.1.6-p15 The Service Desk shall interoperate with NCIA’s central Service<br />
Desk tool (currently BMC express) for escalation <strong>and</strong>/or receiving trouble tickets..<br />
13.1.7 Trouble Ticketing<br />
13.1.7-p1<br />
the SMC.<br />
The <strong>ANWI</strong> Contractor shall provide a trouble ticketing system as part of<br />
13.1.7-p2 The <strong>ANWI</strong> Contractor’s tool shall log, categorise <strong>and</strong> prioritise work<br />
tickets for action.<br />
13.1.7-p3 The Service Desk staff can, via email notification, assign <strong>and</strong> reassign<br />
work orders to support staff on the NS <strong>and</strong> Business domains.
13.1.7-p4<br />
from users.<br />
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-207 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
The <strong>ANWI</strong> Contractor’s tool shall capture ticket closure after verification<br />
13.1.7-p5 The <strong>ANWI</strong> Contractor’s tool shall launch a feedback (via short survey)<br />
from the user to measure user satisfaction.<br />
13.1.7-p6<br />
portal.<br />
The <strong>ANWI</strong> Contractor’s tool shall be integrated with the self-service<br />
13.1.7-p7 Self-Service Portal shall provide:<br />
A. User trouble ticket creation for either incident or request templates<br />
B. Status tracking capability to view trouble tickets<br />
C. User password changes without a trouble ticket<br />
D. Workflow tracking<br />
E. Self Help Portal for users<br />
F. Knowledgebase access<br />
G. Integration with SMC processes<br />
13.1.7-p8 Email integration (for notifications to the user of trouble ticket resolution,<br />
trouble ticket state change or trouble ticket escalation) shall be supported.<br />
13.1.8 Performance Management<br />
13.1.8-p1 The <strong>ANWI</strong> Contractor shall provide a tool to monitor the performance of<br />
delivered <strong>ANWI</strong> services.<br />
13.1.8-p2 The <strong>ANWI</strong> Contractor shall monitor the performance of each service<br />
<strong>and</strong> virtual server suite provided under the infrastructure service.<br />
13.1.8-p3 The AIS monitoring manager shall use a separate reporting service to<br />
render service performance reports, using a specific reporting tool.<br />
13.1.8-p4<br />
statistics.<br />
The SMC shall collect, display <strong>and</strong> store network <strong>and</strong> service usage<br />
13.1.8-p5 The SMC shall collect, display <strong>and</strong> store KPI/KQI statistics from internal<br />
<strong>and</strong> external services.<br />
13.1.8-p6 Collected usage, KPI, <strong>and</strong> KQI statistics shall be analysed for use in<br />
resource planning <strong>and</strong> SLA management. The infrastructure shall provide automated<br />
reports for this purpose <strong>and</strong> shall allow ad-hoc reports allowing for further analysis.<br />
13.1.9 Service Design Processes<br />
13.1.9.1 Service Level Management (SLM)<br />
13.1.9.1-p1 The <strong>ANWI</strong> Contractor’s SLM delivered process shall define <strong>and</strong><br />
document the SLA framework for monitoring, measuring, reporting <strong>and</strong> reviewing of<br />
provided <strong>ANWI</strong> services to ensure SLTs <strong>and</strong> SLAs are met.<br />
13.1.9.1-p2 The <strong>ANWI</strong> Contractor’s SLM delivered process shall ensure that the<br />
specific <strong>ANWI</strong> service targets are identified <strong>and</strong> monitored <strong>and</strong> measurable for all<br />
services.<br />
13.1.9.1-p3 The <strong>ANWI</strong> Contractor’s SLM delivered process shall be used to<br />
monitor service performance against SLAs.
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-208 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
13.1.9.1-p4 The <strong>ANWI</strong> Contractor’s SLM delivered process shall check that the<br />
service catalogue information presents users with clear information on the level of<br />
service to be delivered with every service catalogue item.<br />
13.1.9.1-p5 The <strong>ANWI</strong> Contractor’s SLM delivered process shall identify cost<br />
effective proactive measures to support improving the implemented <strong>ANWI</strong> delivered<br />
service levels.<br />
13.1.9.1-p6 The <strong>ANWI</strong> Contractor’s SLM process shall capture <strong>and</strong> analyse<br />
service metrics for use in the creation of service level reports.<br />
13.1.9.1-p7 The <strong>ANWI</strong> Contractor’s SLM tool shall be used to create, monitor<br />
<strong>and</strong> track customer satisfaction <strong>and</strong> the quality of the delivered service via user<br />
surveys.<br />
13.1.9.1-p8 The <strong>ANWI</strong> Contractor’s SLM delivered process shall be used as the<br />
framework to conduct service reviews <strong>and</strong> initiate service improvements.<br />
13.1.9.1-p9 The <strong>ANWI</strong> Contractor’s SLM delivered process shall be capable to<br />
diversify SLM for different communities <strong>and</strong> users <strong>and</strong> fully aligned with the billing<br />
functions.<br />
13.1.9.2 Capacity Management<br />
13.1.9.2-p1 The <strong>ANWI</strong> Contractor shall deliver a capacity management process<br />
with supporting tool to manage the capacity of the <strong>ANWI</strong>’s ICT resources.<br />
13.1.9.2-p2 The <strong>ANWI</strong> Contractor shall produce <strong>and</strong> maintain an appropriate<br />
<strong>and</strong> up-to-date capacity plan, which reflects the current <strong>and</strong> future needs of the<br />
NNHQ <strong>ANWI</strong>.<br />
13.1.9.2-p3 <strong>ANWI</strong> routine KPI <strong>and</strong> KQI compliance status shall be reported<br />
every 24 hours to the SMC.<br />
13.1.9.2-p4 The <strong>ANWI</strong> Contractor shall deliver a capacity management process<br />
where the user experience is monitored using network traffic <strong>and</strong> network health<br />
status monitoring (may include passive <strong>and</strong> active measurements) <strong>and</strong> reported to<br />
the SMC .<br />
13.1.9.2-p5 The Service Desk shall provide automated KPI <strong>and</strong> KQI routine <strong>and</strong><br />
on-dem<strong>and</strong> performance reporting.<br />
13.1.9.2-p6 The <strong>ANWI</strong> Contractor’s capacity plan <strong>and</strong> implementation shall<br />
ensure proper provisioning of sufficient IT resource capacity for the immediate need;<br />
provide the ability to exp<strong>and</strong> to proactively address growth while managing dem<strong>and</strong>;<br />
address the strategy for long term capacity through the end of the 5 year life cycle<br />
<strong>and</strong> how capacity will capitalise on the technological evolution during the life cycle<br />
period.<br />
13.1.9.2-p7 The <strong>ANWI</strong> Contractor’s capacity plan <strong>and</strong> implementation shall<br />
support user <strong>and</strong> <strong>ANWI</strong> service capacity <strong>and</strong> performance related issues<br />
13.1.9.2-p8 The <strong>ANWI</strong> Contractor’s capacity management tool shall monitor the<br />
capacity, growth <strong>and</strong> performance ensuring that service performance parameters of<br />
the <strong>ANWI</strong> service SLAs meet or exceed all of their agreed performance targets, by<br />
managing the performance <strong>and</strong> capacity of both services <strong>and</strong> resources
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
13.1.9.2-p9 The <strong>ANWI</strong> Contractor’s capacity management tool shall support the<br />
diagnosis <strong>and</strong> resolution of performance <strong>and</strong> capacity related incidents <strong>and</strong><br />
problems.<br />
13.1.9.2-p10 The <strong>ANWI</strong> Contractor’s capacity management tool shall support the<br />
analysis <strong>and</strong> impact of all changes on the capacity plan, <strong>and</strong> the performance <strong>and</strong><br />
capacity of all services <strong>and</strong> resources<br />
13.1.9.2-p11 The <strong>ANWI</strong> Contractor’s capacity management tool shall provide<br />
monitoring patterns of capacity activity <strong>and</strong> the SLM plan<br />
13.1.9.2-p12 The <strong>ANWI</strong> Contractor’s capacity management process shall, for<br />
each Service/ SLA identify the agreed capacity <strong>and</strong> performance levels <strong>and</strong> for each<br />
identify the current usage or dem<strong>and</strong> (e.g. measured transaction volumes) against<br />
the agreed usage levels; provide a trend analysis; identify the expected dem<strong>and</strong><br />
increase or decrease for the services<br />
13.1.9.2-p13 The <strong>ANWI</strong> Contractor’s capacity plan shall identify the decision<br />
points <strong>and</strong> metrics to decide which components need to be upgraded <strong>and</strong> at what<br />
time<br />
13.1.9.3 Availability Management<br />
13.1.9.3-p1 The <strong>ANWI</strong> Contractor shall provide an availability management<br />
process with supporting tool to monitor, measure, analyse, report <strong>and</strong> manage the<br />
<strong>ANWI</strong> components’ availability<br />
13.1.9.3-p2 The <strong>ANWI</strong> Contractor’s availability management process <strong>and</strong><br />
supporting tool shall provide unavailability analysis<br />
13.1.9.3-p3 The <strong>ANWI</strong> Contractor availability management process shall use<br />
proactive activities to ensure the agreed <strong>ANWI</strong> level of service availability<br />
13.1.9.3-p4 The <strong>ANWI</strong> Contractor’s availability management process shall<br />
support availability input to SLA reporting<br />
13.1.9.3-p5 The <strong>ANWI</strong> Contractor’s availability management process <strong>and</strong><br />
supporting tool shall address monitoring <strong>and</strong> reporting of redundant service solutions<br />
13.1.9.3-p6 The <strong>ANWI</strong> Contractor’s availability management tool shall support<br />
the failure impact analysis of <strong>ANWI</strong> components/services.<br />
13.1.9.3-p7 The IOSS shall receive services status change notifications from<br />
external service providers (service available/unavailable, KPI/KQI threshold<br />
reached).<br />
13.1.9.4 Service Catalogue Management<br />
13.1.9.4-p1<br />
The <strong>ANWI</strong> Contractor shall implement a service catalogue.<br />
13.1.9.4-p2 The <strong>ANWI</strong> Contractor’s service catalogue shall be a local e-<br />
commerce application populated with the <strong>ANWI</strong> services (<strong>and</strong> exp<strong>and</strong>able to support<br />
business applications <strong>and</strong> other future NATO services) so that users are able to raise<br />
new service requests.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-209 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
13.1.9.4-p3 The <strong>ANWI</strong> Contractor’s implemented service catalogue shall be role<br />
based, so that a user logs in <strong>and</strong> based on his/her role has access to their<br />
configuration <strong>and</strong> is able to request an update of their capabilities <strong>and</strong>/or components<br />
13.1.9.4-p4 The <strong>ANWI</strong> Contractor shall implement a workflow in the service<br />
catalogue that flows from requestor, to supervisor, to fund approver/releaser,<br />
ordering, <strong>and</strong> appropriate service managers to accommodate technical scope (sizing,<br />
performance, capacity, LAN, cabling, etc.)<br />
13.1.9.4-p5 The <strong>ANWI</strong> Contractor’s implemented service catalogue shall be web<br />
based Windows oriented GUI that is intuitive to end users <strong>and</strong> shall be menu driven<br />
based on a taxonomy developed by the <strong>ANWI</strong> Contractor which considers users<br />
groups, roles <strong>and</strong> requirements (e.g. a normal user on EAPC will only see EAPC<br />
offered services <strong>and</strong> options).<br />
13.1.9.4-p6 The <strong>ANWI</strong> Contractor’s service catalogue shall provide a user a<br />
transparent view of available services categories <strong>and</strong> options<br />
13.1.9.4-p7 The <strong>ANWI</strong> Contractor’s implemented service catalogue shall<br />
monitor trends in ordering <strong>and</strong> trace delivery time<br />
13.1.9.4-p8 The <strong>ANWI</strong> Contractor’s service catalogue shall permit a user to<br />
track/monitor the state of their request from submission through approval <strong>and</strong><br />
ordering to fulfilled or denied<br />
13.1.9.4-p9 The <strong>ANWI</strong> Contractor’s service catalogue shall clearly identify for<br />
each service item: description, options, costs, conditions, <strong>and</strong> support services<br />
(appropriate SLAs)<br />
13.1.9.5 Continuity Management<br />
13.1.9.5-p1 The <strong>ANWI</strong> Contractor shall implement a continuity process that is<br />
documented in the SMC’s continuity management plan<br />
13.1.9.5-p2 The <strong>ANWI</strong> Contractor’s continuity management plan shall be used<br />
to manage the risk of a disaster event so that the <strong>ANWI</strong> services are offered at an<br />
agreed minimum level <strong>and</strong> support the recovery operation.<br />
13.1.9.5-p3 The <strong>ANWI</strong> Contractor’s continuity management plan shall address<br />
backup <strong>and</strong> recovery strategy, as well as address failover technologies used.<br />
13.1.9.5-p4 The <strong>ANWI</strong> Contractor shall ensure that the SMC information store’s<br />
underlying databases (CMDB, Asset Management) are highly-available across both<br />
server rooms.<br />
13.1.9.5-p5 The <strong>ANWI</strong> Contractor shall ensure that all SMC data is kept in<br />
synch for the SMC in both server rooms so that in the case of a server room failure<br />
the surviving server room SMC information store can continue the service without<br />
data loss.<br />
13.1.9.5-p6 The <strong>ANWI</strong> Contractor shall, as part of the SMC information lifecycle,<br />
ensure that management data <strong>and</strong> supporting storage solutions include data<br />
<strong>and</strong> information backup strategies to safeguard the information <strong>and</strong> data against<br />
catastrophic events.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-210 of 532
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-211 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
13.1.9.5-p7 The <strong>ANWI</strong> Contractor shall, as part of the SMC information lifecycle,<br />
ensure that management data <strong>and</strong> supporting storage solutions include data<br />
<strong>and</strong> information backup strategies to safeguard the information <strong>and</strong> data for long<br />
term data backup <strong>and</strong> archival.<br />
13.1.9.5-p8 The SMC information life-cycle shall support the following metrics,<br />
in-line with the critical function of SMC:<br />
13.1.9.5-p9<br />
13.1.9.5-p10<br />
13.1.9.5-p11<br />
13.1.9.5-p12<br />
process.<br />
RTO: 30 minutes.<br />
RPO: 30 minutes.<br />
Information Security Management<br />
The <strong>ANWI</strong> Contractor shall implement an information security<br />
13.1.9.5-p13 The <strong>ANWI</strong> Contractor’s information security process shall provide<br />
access requesting, detection <strong>and</strong> reporting utilities<br />
13.1.9.5-p14 The <strong>ANWI</strong> Contractor’s information security utility shall log,<br />
categorise <strong>and</strong> prioritise access requests based on user support profile<br />
13.1.9.5-p15 The <strong>ANWI</strong> Contractor’s information security utility shall trigger <strong>and</strong><br />
provide input to other SMC processes<br />
13.1.9.5-p16 The <strong>ANWI</strong> Contractor’s information security access process shall<br />
log requests, track fulfilment <strong>and</strong> closure; this can be supported by another process<br />
or tool<br />
13.1.9.5-p17 The <strong>ANWI</strong> Contractor’s information security process shall evaluate<br />
Access Requests to determine if they are likely to reoccur<br />
13.1.9.5-p18<br />
Security management shall be an integral part of the SMC.<br />
13.1.9.5-p19 SMC shall make use of NATO PKI to support the required Identity<br />
<strong>and</strong> Access management security mechanisms.<br />
13.1.9.5-p20 The SMC shall use centralized authentication, authorization <strong>and</strong><br />
accounting (AAA) to consoles, clients <strong>and</strong> network elements.<br />
13.1.9.5-p21 AAA, in support of SMC, shall be centralized through a directory<br />
service synchronized with the enterprise directory service information.<br />
13.1.9.5-p22 Management systems shall be installed on a separate zone<br />
ensuring protection against unauthorized access from the user domain.<br />
13.1.9.5-p23 BPS systems shall be managed centrally from NCIA but a local fall<br />
back capability (physical access to devices) shall be provided.<br />
13.1.9.5-p24 Management of BPS systems shall be done from the internal or<br />
high side (where possible, via dedicated network interface) <strong>and</strong> shall be restricted to<br />
management systems in the management network only.<br />
13.1.9.5-p25 Intrusion detection/prevention system (ID/PS) management is<br />
provided by NCIRC – see section 13.2.4. ArcSight Connectors collect events from<br />
different products/sensors (e.g. firewalls, network <strong>and</strong> host based-IDS/IDP) <strong>and</strong><br />
provide them to ArcSight Enterprise Management <strong>System</strong>s. SMC is collecting events
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-212 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
<strong>and</strong> performing event correlation <strong>and</strong> analysis. ArcSight database is used for midterm<br />
storage of collected events.<br />
13.1.9.5-p26 IDS management traffic shall be transported to NCIRC using a<br />
commercial IPsec VPN through a dedicated VPN client based on NCIRC<br />
specifications. Once installed, the VPN appliance shall be managed by NCIRC (se<br />
13.2.4.3).<br />
13.1.10 Service Transition Processes<br />
13.1.10.1 Change Management<br />
13.1.10.1-p1 The <strong>ANWI</strong> Contractor shall provide an ITIL compatible change<br />
management process <strong>and</strong> supporting utility for the SMC.<br />
13.1.10.1-p2 The <strong>ANWI</strong> Contractor’s change management utility shall provide an<br />
overview of all ongoing, planned, successful <strong>and</strong> unsuccessful changes.<br />
13.1.10.1-p3 The <strong>ANWI</strong> Contractor’s change management process shall be<br />
integrated with other SMC management processes (e.g. release <strong>and</strong> deployment,<br />
asset <strong>and</strong> configuration management) ensuring that all changes are screened,<br />
approved, managed <strong>and</strong> implemented based on an automated workflow process<br />
(workflows can be serial, parallel or ad hoc based on the defined process).<br />
13.1.10.1-p4 The <strong>ANWI</strong> Contractor’s change management utility’s workflow shall<br />
graphically visualise the change process, the current state <strong>and</strong> status, steps<br />
completed with date <strong>and</strong> steps to be completed.<br />
13.1.10.1-p5 The <strong>ANWI</strong> Contractor’s change management utility shall be<br />
integrated with the SMC’s Incident <strong>and</strong> Problem Management.<br />
13.1.10.1-p6 The <strong>ANWI</strong> Contractor’s change management utility shall provide<br />
web based form(s) integrated into the workflow process that is email enabled for<br />
alerts, notifications <strong>and</strong> approvals.<br />
13.1.10.1-p7 The <strong>ANWI</strong> Contractor’s change management utility shall provide<br />
functionality to identify <strong>and</strong> manage minor, major <strong>and</strong> emergency changes.<br />
13.1.10.1-p8 The <strong>ANWI</strong> Contractor shall provide a SMC calendar service where<br />
all main SMC events <strong>and</strong> tasks as well as SMC key personnel personal calendars<br />
can be displayed.<br />
13.1.10.1-p9 The <strong>ANWI</strong> Contractor’s change management utility shall interface<br />
with the SMC calendar to display all scheduled changes <strong>and</strong> provides drill down<br />
capability to specific changes.<br />
13.1.10.1-p10 The <strong>ANWI</strong> Contractor’s change management utility shall be<br />
integrated with SLM to ensure all OLAs <strong>and</strong> SLAs are tracked <strong>and</strong> managed<br />
13.1.10.1-p11<br />
generate reports.<br />
The <strong>ANWI</strong> Contractor’s change management utility shall<br />
13.1.10.1-p12 The <strong>ANWI</strong> Contractor’s change management utility shall also<br />
easily create customisable (customer-specific) reports.<br />
13.1.10.1-p13 The <strong>ANWI</strong> Contractor’s change management utility shall be<br />
integrated with release <strong>and</strong> deployment management; asset <strong>and</strong> configuration
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
management. Configuration Items (CIs) cannot be changed unless the CI is linked to<br />
a change.<br />
13.1.10.1-p14 The <strong>ANWI</strong> Contractor’s change management utility shall have bidirectional<br />
integration with other SMC processes (e.g. request fulfilment, incident <strong>and</strong><br />
problem management).<br />
13.1.10.2 Service Asset Management<br />
13.1.10.2-p1 The <strong>ANWI</strong> Contractor shall provide an asset management<br />
process <strong>and</strong> supporting ITIL compliant tool that is integrated into the SMC.<br />
13.1.10.2-p2 The <strong>ANWI</strong> Contractor’s asset management utility shall provide an<br />
inventory agent which will inventory all <strong>ANWI</strong> provided assets.<br />
13.1.10.2-p3 The <strong>ANWI</strong> Contractor’s asset management utility shall provide<br />
<strong>and</strong> populate the <strong>ANWI</strong>’s CMDB.<br />
13.1.10.2-p4 The <strong>ANWI</strong> Contractor’s asset management utility shall record<br />
assets based on the <strong>ANWI</strong> CI list <strong>and</strong> attributes.<br />
13.1.10.2-p5 The <strong>ANWI</strong> Contractor’s asset management utility shall permit<br />
defining the relationships between CIs <strong>and</strong> associated service(s).<br />
13.1.10.2-p6 The <strong>ANWI</strong> Contractor’s change management utility shall not<br />
allow a CI record to be changed unless it is linked to a Change Request.<br />
13.1.10.2-p7 The <strong>ANWI</strong> Contractor’s asset management utility shall link the CI<br />
to all SMC requests.<br />
13.1.10.2-p8 The <strong>ANWI</strong> Contractor’s asset management utility shall be<br />
integrated with all other required SMC processes.<br />
13.1.10.2-p9 The <strong>ANWI</strong> Contractor’s asset management utility shall interface <strong>and</strong><br />
exchange data with the HN BE provided active cable management system.<br />
13.1.10.2-p10<br />
The <strong>ANWI</strong> Contractor’s asset management utility shall<br />
interface <strong>and</strong> exchange data with the NCIA ’s CMDB (BMCs’ Atrium).<br />
13.1.10.2-p11 The <strong>ANWI</strong> Contractor’s asset management utility shall be able to<br />
bundle multiple CIs assets to one system configuration to simplify the display.<br />
13.1.10.2-p12 The <strong>ANWI</strong> Contractor’s asset management utility shall provide<br />
asset life cycle tracking <strong>and</strong> monitoring.<br />
13.1.10.2-p13 The <strong>ANWI</strong> Contractor’s asset management utility shall provide an<br />
auditing capability for verification <strong>and</strong> validation of the CMDB.<br />
13.1.10.2-p14 The <strong>ANWI</strong> Contractor’s asset management utility shall<br />
programmatically take regular snapshots of the Configuration Baselines for review<br />
<strong>and</strong> auditing.<br />
13.1.10.3 Configuration Management<br />
13.1.10.3-p1 The <strong>ANWI</strong> Contractor shall provide a configuration management<br />
process <strong>and</strong> utility as part of the <strong>ANWI</strong> SMC.<br />
13.1.10.3-p2 SMC shall use a single centralized configuration management<br />
database (CMDB). Used in, amongst others: Service Desk, Monitoring servers,<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-213 of 532
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-214 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Software <strong>and</strong> configuration distribution/deployment, license management, <strong>and</strong><br />
supporting contract information.<br />
13.1.10.3-p3 The CMDB shall use a SQL backend <strong>and</strong> must provide an open<br />
API that allows further integration if <strong>and</strong> when required at a later stage.<br />
13.1.10.3-p4 The <strong>ANWI</strong> Contractor shall base the <strong>ANWI</strong> CMDB schema on the<br />
TeleManagement Forum (TMF) SID or DTMF Common Information Model (CIM)<br />
supporting a WBEM interface.<br />
13.1.10.3-p5 The <strong>ANWI</strong> Contractor shall align the <strong>ANWI</strong> CMDB with the NATO<br />
enterprise wide CMDB schema.<br />
13.1.10.3-p6<br />
XML schema.<br />
The <strong>ANWI</strong> Contractor shall provide the <strong>ANWI</strong> CMDB schema as an<br />
13.1.10.3-p7 The <strong>ANWI</strong> Contractor shall be put any CMDB schema<br />
enhancements under formal change management justified through the <strong>ANWI</strong> CMDB<br />
design.<br />
13.1.10.3-p8 The CMDB shall be based on the Telemanagement Forum<br />
(TMF) Common Information Model (CIM).<br />
13.1.10.3-p9 The configuration change request <strong>and</strong> approval capability shall<br />
be integrated in the selected service desk solution, configuration management <strong>and</strong><br />
deployment system <strong>and</strong> the N/ELM systems.<br />
13.1.10.3-p10<br />
The CMDB shall hold all relevant information on external<br />
interfaces <strong>and</strong> related SLA information (including KPI <strong>and</strong> KQI).<br />
13.1.10.3-p11<br />
The <strong>ANWI</strong> Contractor’s configuration management utility<br />
shall interface with the tool used by the NCIA enterprise management section (MS<br />
SCCM)<br />
13.1.10.3-p12<br />
The <strong>ANWI</strong> Contractor’s configuration management utility<br />
shall be able to centrally monitor, manage <strong>and</strong> deploy software (OS or application) to<br />
servers <strong>and</strong> clients.<br />
13.1.10.3-p13<br />
The <strong>ANWI</strong> Contractor’s configuration management utility<br />
shall monitor the accepted baseline <strong>and</strong> non-compliant baseline configurations shall<br />
be auto remediated after a period that permitted the user to update the baseline.<br />
13.1.10.3-p14 The <strong>ANWI</strong> Contractor’s configuration management utility shall<br />
support software <strong>and</strong> security patch updating.<br />
13.1.10.3-p15 The <strong>ANWI</strong> Contractor’s configuration management utility shall<br />
manage mobile <strong>ANWI</strong> user devices.<br />
13.1.10.3-p16 The <strong>ANWI</strong> Contractor’s configuration management utility shall be<br />
able to monitor <strong>and</strong> manage energy saving devices <strong>and</strong> with power management<br />
tools – to the rack <strong>and</strong> equipment level.<br />
13.1.10.3-p17 The <strong>ANWI</strong> Contractor’s configuration management utility shall<br />
monitor <strong>and</strong> evaluate client device ‘health’.<br />
13.1.10.3-p18 The <strong>ANWI</strong> Contractor’s configuration management utility shall<br />
monitor <strong>and</strong> report asset (hardware <strong>and</strong> software) use.
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-215 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
13.1.10.3-p19 The <strong>ANWI</strong> Contractor’s configuration management utility shall<br />
support the asset (inventory) process.<br />
13.1.10.4 Release Management<br />
13.1.10.4-p1<br />
process.<br />
The <strong>ANWI</strong> Contractor shall provide a release management<br />
13.1.10.4-p2 The <strong>ANWI</strong> Contractor’s release management process shall be<br />
integrated with the SMC calendar.<br />
13.1.10.4-p3 The <strong>ANWI</strong> Contractor’s release management process shall<br />
address planning, design, coordinating, building <strong>and</strong> configuring of releases, release<br />
distribution <strong>and</strong> installation, <strong>and</strong> acceptance.<br />
13.1.10.5 Knowledge Management<br />
13.1.10.5-p1 The <strong>ANWI</strong> Contractor shall provide a knowledge management<br />
database for use by the support staff to document best practices <strong>and</strong> solutions to<br />
common problems.<br />
13.1.10.5-p2 The <strong>ANWI</strong> Contractor tool shall be able to share practical<br />
solutions with the NNHQ users.<br />
13.1.10.5-p3 The <strong>ANWI</strong> Contractor tool shall provide local search <strong>and</strong> allow<br />
federated searching from NATO search engines (FAST <strong>and</strong> Autonomy) based on<br />
attributes such as author, title, date, free text or keywords.<br />
13.1.10.5-p4 The <strong>ANWI</strong> Contractor tool shall provide a template to capture the<br />
problem description, OS, solution, author <strong>and</strong> date.<br />
13.1.11 Service Operations Processes<br />
13.1.11.1 Event Management<br />
13.1.11.1-p1 The <strong>ANWI</strong> Contractor shall provide an event management<br />
process <strong>and</strong> supporting tool.<br />
13.1.11.1-p2<br />
The <strong>ANWI</strong> Contractor’s tool shall consolidate event reporting.<br />
13.1.11.1-p3 The <strong>ANWI</strong> Contractor’s tool shall provide predictive analytics,<br />
correlation <strong>and</strong> dynamic prioritization of <strong>ANWI</strong> events irrespective of its source.<br />
13.1.11.1-p4 The <strong>ANWI</strong> Contractor’s tool shall provide configurable rules to<br />
process an event received from an <strong>ANWI</strong> monitored system.<br />
13.1.11.1-p5 The <strong>ANWI</strong> Contractor’s tool shall integrate with the SMC’s<br />
monitoring/dashboard system.<br />
13.1.11.1-p6 The <strong>ANWI</strong> Contractor’s tool shall assign the event through the<br />
<strong>ANWI</strong> trouble ticket system.<br />
13.1.11.1-p7<br />
SMC processes.<br />
The <strong>ANWI</strong> Contractor’s tool shall be integrated with all necessary<br />
13.1.11.1-p8 The <strong>ANWI</strong> Contractor’s tool shall be able to interface with the<br />
NCIA Microsoft SCOM/MOM applications for bidirectional communication.
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-216 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
13.1.11.1-p9 The <strong>ANWI</strong> Contractor’s tool shall interface with the NCIA<br />
Openview Network Management <strong>System</strong> for bi-directional communication..<br />
13.1.11.1-p10 The <strong>ANWI</strong> Contractor’s tool shall flexible rules to support<br />
assignment, notification <strong>and</strong> workflow to resolve an event.<br />
13.1.11.1-p11<br />
reports.<br />
The <strong>ANWI</strong> Contractor’s tool shall detect events <strong>and</strong> generate<br />
13.1.11.1-p12 All events shall be automatically logged recoding at a minimum a<br />
timestamp, the reporting source, <strong>and</strong> notification content.<br />
13.1.11.1-p13<br />
SMC shall provide automated event filtering <strong>and</strong> consolidation.<br />
13.1.11.1-p14 The building management system (BMS) shall be integrated<br />
through web services with the SMC ESB in order to import BMS events relevant for<br />
communication <strong>and</strong> information systems services provisioning into the SMC.<br />
13.1.11.1-p15 The <strong>ANWI</strong> Contractor’s event management tool shall support<br />
physical, virtual environments <strong>and</strong> shall be extensible to cloud environments.<br />
13.1.11.2 Incident Management<br />
13.1.11.2-p1 The <strong>ANWI</strong> Contractor shall provide an incident management<br />
process <strong>and</strong> supporting tool.<br />
13.1.11.2-p2 The <strong>ANWI</strong> Contractor’s tool shall integrate with E-mail (also to<br />
support ESS <strong>and</strong> BMS reporting), the self-service portal, <strong>ANWI</strong> device monitoring<br />
tools <strong>and</strong> other ITIL linked SMC processes<br />
13.1.11.2-p3 The <strong>ANWI</strong> Contractor’s tool shall interface with the Service<br />
Catalogue forms to capture user required data for incident submission<br />
13.1.11.2-p4 The <strong>ANWI</strong> Contractor’s tool shall allow the Service Desk easy<br />
access to all trouble ticket updates aiding in resolution <strong>and</strong> reporting<br />
13.1.11.2-p5 The <strong>ANWI</strong> Contractor’s incident process tool shall:<br />
A. Capture <strong>and</strong> report incidents<br />
B. Log, categorise <strong>and</strong> prioritise incidents for resolution<br />
C. Provide initial Incident support<br />
D. Trigger other processes with input<br />
E. Initiate incident investigation <strong>and</strong> diagnosis<br />
F. Capture incident resolution or recovery using workarounds.<br />
G. Capture incident closure after verification from users<br />
H. Incident monitoring <strong>and</strong> interaction to other processes<br />
13.1.11.2-p6 Entering workarounds into Known Error Data Base (KEDB) <strong>and</strong><br />
trigger the Problem Management process<br />
13.1.11.2-p7 The <strong>ANWI</strong> Contractor’s tool shall be able to tag incidents if they are<br />
likely to reoccur or impact other users<br />
13.1.11.2-p8 The <strong>ANWI</strong> Contractor’s tool shall integrate with <strong>and</strong> link incidents to<br />
a Known Error Database or Problem log/registry.<br />
13.1.11.2-p9 The <strong>ANWI</strong> Contractor’s tool shall provide appropriate ITIL based<br />
workflows to support the incident management process.
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
13.1.11.2-p10 The <strong>ANWI</strong> Contractor’s tool shall be integrated with the<br />
contractor provided trouble ticketing system.<br />
13.1.11.2-p11 The <strong>ANWI</strong> Contractor’s tool shall provide configurable<br />
escalations <strong>and</strong> notifications.<br />
13.1.11.2-p12<br />
scheduled reports.<br />
The <strong>ANWI</strong> Contractor’s tool shall provide interactive <strong>and</strong><br />
13.1.11.2-p13 The <strong>ANWI</strong> Contractor’s tool shall be integrated with Incident,<br />
Problem, Knowledge, Change, CMDB <strong>and</strong> Service Level Management.<br />
13.1.11.2-p14 The <strong>ANWI</strong> Contractor’s tool shall be integrated with the SMC<br />
regular customer support survey support capability<br />
13.1.11.2-p15 The <strong>ANWI</strong> Contractor’s SMC shall automatically generate a<br />
trouble ticket in case of, component, service, or link status failure.<br />
13.1.11.2-p16 The <strong>ANWI</strong> Contractor’s SMC shall automatically generate a<br />
trouble ticket when a KPI or KQI is exceeded.<br />
13.1.11.2-p17 <strong>ANWI</strong> incidents shall be automatically analysed against the<br />
overall service impact.<br />
13.1.11.3 Problem Management<br />
13.1.11.3-p1 The <strong>ANWI</strong> Contractor shall provide a problem management process<br />
<strong>and</strong> supporting tool.<br />
13.1.11.3-p2 The <strong>ANWI</strong> Contractor’s tool shall support proactive IT management<br />
via tracking <strong>and</strong> trending incidents <strong>and</strong> events.<br />
13.1.11.3-p3 The <strong>ANWI</strong> Contractor’s tool shall provide the functionality <strong>and</strong><br />
reporting to ensure that the Service Desk can minimize the effect of infrastructure<br />
issues.<br />
13.1.11.3-p4 The <strong>ANWI</strong> Contractor’s tool shall be integrated with the <strong>ANWI</strong><br />
monitoring capability so that when an event or incident occurs, a problem ticket is<br />
automatically created <strong>and</strong> assigned to the appropriate staff to resolve.<br />
13.1.11.3-p5 The <strong>ANWI</strong> Contractor’s tool shall create reports which permit<br />
analysis of problem data to improve the performance of problem management.<br />
13.1.11.3-p6 The <strong>ANWI</strong> Contractor’s tool shall integrate problem management<br />
with all other SMC process (linked to SLM, Incidents, Knowledge, CMDB <strong>and</strong><br />
Changes).<br />
13.1.11.3-p7 The <strong>ANWI</strong> Contractor’s tool shall link Configuration Items (CIs) to a<br />
problem so impact analysis can be performed on the CI as it is related to the linked<br />
problem.<br />
13.1.11.3-p8 The <strong>ANWI</strong> Contractor’s tool shall be able to capture problems using<br />
hardware/software agents or <strong>ANWI</strong> monitoring tools.<br />
13.1.11.3-p9 The <strong>ANWI</strong> Contractor’s tool shall provide configurable escalations<br />
<strong>and</strong> notifications.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-217 of 532
N A T O U N C L A S S I F I E D<br />
13.1.11.4 Known Error Data Base (KEDB)<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-218 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
13.1.11.4-p1 The <strong>ANWI</strong> Contractor’s KEDB shall maintain information about<br />
Known Errors <strong>and</strong> Workarounds.<br />
13.1.11.4-p2 The <strong>ANWI</strong> Contractor’s KEDB shall maintain the root-causes of<br />
Incidents in the KEDB.<br />
13.1.11.4-p3 The <strong>ANWI</strong> Contractor’s KEDB shall make workarounds available to<br />
Incident Management while Problem Management develops final solutions for Known<br />
Errors.<br />
13.1.11.4-p4 The <strong>ANWI</strong> Contractor’s KEDB shall provide a trend-analysis of<br />
problems for important services <strong>and</strong> historical Incidents.<br />
13.1.11.4-p5 The <strong>ANWI</strong> Contractor’s problem process tool shall provide:<br />
A. Integrated customer surveys to collect user feedback.<br />
B. Capture unplanned service interruptions<br />
C. Problem detection <strong>and</strong> reporting<br />
D. Log <strong>and</strong> categorise problems<br />
E. Provide initial problem support<br />
F. Initiate other SMC processes with problem data as input<br />
G. Capture problem diagnosis<br />
H. Close incidents after verification from users<br />
i. Problem monitoring <strong>and</strong> interaction to other processes<br />
j. Enable entering workaround entry into Known Error Data Base (KEDB)<br />
k. Track problem management solutions<br />
l. Track procedures for major Problems<br />
13.1.11.4-p6 The <strong>ANWI</strong> Contractor’s tool shall be able to tag incidents if they are<br />
likely to reoccur or impact other users<br />
13.1.11.5 Request Fulfilment<br />
13.1.11.5-p1 The <strong>ANWI</strong> Contractor shall deliver a process tool supporting ITIL<br />
request fulfilment requirements.<br />
13.1.11.5-p2 The <strong>ANWI</strong> Contractor’s tool shall provide the means to respond to<br />
all ICT Service Requests.<br />
13.1.11.5-p3 The <strong>ANWI</strong> Contractor’s tool shall provide logging, categorization<br />
<strong>and</strong> prioritizing of Service Requests<br />
13.1.11.5-p4 The <strong>ANWI</strong> Contractor’s tool shall trigger other necessary SMC<br />
processes with required input for execution<br />
13.1.11.5-p5 The <strong>ANWI</strong> Contractor’s tool shall request fulfilment closure after<br />
verification from the requesting user<br />
13.1.11.5-p6 The <strong>ANWI</strong> Contractor’s tool shall monitor <strong>and</strong> produce necessary<br />
request fulfilment management information to track adherence to the billing SLA<br />
13.1.11.5-p7 The <strong>ANWI</strong> Contractor’s tool shall provide a capability to identify <strong>and</strong><br />
track if the service request is likely to reoccur<br />
13.1.11.5-p8 The <strong>ANWI</strong> Contractor’s tool shall support a priority based fulfilment<br />
need based on either impact or urgency
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
13.1.11.5-p9 Routine move, add or change (MAC) request of user clients<br />
(workstations, telephones, user accounts, etc.) shall be executed within 4 hours by<br />
the <strong>ANWI</strong> Contractor.<br />
13.1.11.5-p10 The service provisioning shall support 1000 routine<br />
move/add/change requestsfrom user clients per day.<br />
13.1.11.5-p11 The SMC shall provide a centralized interface for user account<br />
management including an interface to network access control (NAC) functions.<br />
13.1.11.6 Access Management<br />
13.1.11.6-p1<br />
for the <strong>ANWI</strong>.<br />
The <strong>ANWI</strong> Contractor shall provide an access management process<br />
13.1.11.6-p2 The <strong>ANWI</strong> Contractor’s access management process shall establish<br />
a catalogue of user roles <strong>and</strong> associated access profiles for the <strong>ANWI</strong> services<br />
13.1.11.6-p3 The <strong>ANWI</strong> Contractor’s access management process shall be<br />
extensible to accommodate extensions of the roles <strong>and</strong> profiles to support the PFE<br />
projects (ESS, BMS, business applications <strong>and</strong> data access).<br />
13.1.11.6-p4 The <strong>ANWI</strong> Contractor’s access management catalogue shall<br />
interface with the <strong>ANWI</strong> directories (Active Directory, UCC<strong>and</strong> any SMC ELM<br />
systems that support an internal directory for Identity <strong>and</strong> Access management) for<br />
role <strong>and</strong> profile management.<br />
13.1.11.6-p5 The <strong>ANWI</strong> Contractor’s access management catalogue shall allow<br />
support staff easy access <strong>and</strong> viewing of a user’s role, access rights <strong>and</strong><br />
permissions.<br />
13.1.11.6-p6 The <strong>ANWI</strong> Contractor’s access management process shall provide<br />
users the ability to change their own network passwords.<br />
13.1.11.6-p7 The <strong>ANWI</strong> Contractor’s access management process shall interface<br />
with the service catalogue to request the granting, changing or removing a user’s<br />
right to use a particular service or asset by the Service Desk from an authorised user.<br />
13.1.12 Continuous Service Improvement Processes<br />
13.1.12.1 Service Level Agreement (SLA) Reporting<br />
13.1.12.1-p1 The <strong>ANWI</strong> Contractor shall create bi-weekly reports on each <strong>ANWI</strong><br />
Service usage, from the start of users arrival on site <strong>and</strong> establish the mechanism to<br />
have the reports generated monthly after FSA.<br />
13.1.12.1-p2 The <strong>ANWI</strong> Contractor shall create an <strong>ANWI</strong> SLA report based on<br />
the information captured from the monitoring <strong>and</strong> SMC tools <strong>and</strong> compare it to the<br />
SLTs <strong>and</strong> SLA<br />
13.1.12.1-p3 The <strong>ANWI</strong> Contractor shall use the data <strong>and</strong> previous reports to<br />
identify service trends.<br />
13.1.12.1-p4<br />
Purchaser<br />
The <strong>ANWI</strong> Contractor shall provide the SLA reports to the<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-219 of 532
N A T O U N C L A S S I F I E D<br />
Number of SLAs<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-220 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
13.1.12.1-p5 The <strong>ANWI</strong> Contractor shall review the provided <strong>ANWI</strong> SLA reports<br />
with the Purchaser<br />
13.1.12.2 Service Measurement<br />
13.1.12.2-p1 The <strong>ANWI</strong> Contractor’s service measurement shall primarily focus<br />
on availability, reliability <strong>and</strong> performance parameters augmented with other<br />
parameters to ensure SLAs <strong>and</strong> SLTs are satisfied.<br />
13.1.12.2-p2 The <strong>ANWI</strong> Contractor shall review the <strong>ANWI</strong>’s availability, reliability<br />
<strong>and</strong> performance data <strong>and</strong> report their status the Purchaser<br />
13.1.12.2-p3 The <strong>ANWI</strong> Contractor shall analyse the <strong>ANWI</strong>’s availability, reliability<br />
<strong>and</strong> performance trend<br />
13.1.12.3 Billing<br />
13.1.12.3-p1 The <strong>ANWI</strong> Contractor shall provide a billing capability to track<br />
services consumed <strong>and</strong> appropriately invoice serviced customers<br />
13.1.12.3-p2 The <strong>ANWI</strong> Contractor shall develop a financial management<br />
process with the Purchaser for billing serviced customers.<br />
13.1.12.3-p3 The <strong>ANWI</strong> Contractor’s tool shall interface with the NNHQ’s<br />
financial management process to support the invoicing <strong>and</strong> collection process.<br />
13.1.12.3-p4 The <strong>ANWI</strong> Contractor’s tool shall monitor <strong>and</strong> produce necessary<br />
financial management information to track adherence to the billing SLA.<br />
13.1.13 Key Performance Indicators (KPIs) <strong>and</strong> Metrics<br />
13.1.13.1 Performance KPI<br />
13.1.13.1-p1<br />
13.1.13.2 SLM KPIs<br />
13.1.13.2-p1<br />
at present<br />
13.1.13.2-p2<br />
13.1.13.2-p3<br />
13.1.13.2-p4<br />
13.1.13.2-p5<br />
13.1.13.2-p6<br />
place<br />
13.1.13.3 SLM Metrics<br />
13.1.13.3-p1<br />
13.1.13.3-p2<br />
13.1.13.3-p3<br />
13.1.13.3-p4<br />
Per infrastructure annex<br />
Number of services that are not meeting agreed service targets<br />
Number of services without updated SLAs at present<br />
Number of SLA targets missed<br />
Number of SLA targets threatened<br />
Percentage of services covered by SLAs<br />
Percentage of the coverage of OLAs <strong>and</strong> third-party contracts in<br />
Number of times the service is bypassed<br />
Number <strong>and</strong> severity of service breaches<br />
Number of services with timely reports <strong>and</strong> active service reviews
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
13.1.13.3-p5 Results from Customer Satisfaction Surveys<br />
13.1.13.3-p6 Evidence that issues raised at service <strong>and</strong> SLA reviews are<br />
being followed up <strong>and</strong> resolved<br />
13.1.13.3-p7 Incidents noted against the service<br />
13.1.13.4 Capacity KPIs<br />
13.1.13.4-p1 Plan over forecasted Capacity requirements<br />
13.1.13.4-p2 Plan over SLA forecasting to Capacity<br />
13.1.13.4-p3 Relevant information from the Event Management<br />
13.1.13.4-p4 Number of present SLA breaches due to subst<strong>and</strong>ard service or<br />
component performance<br />
13.1.13.4-p5 Mean percentage of over-capacity<br />
13.1.13.5 Capacity Metrics<br />
13.1.13.5-p1 Number of service thresholds exceeded<br />
13.1.13.5-p2 Number of Incidents caused by performance overload<br />
13.1.13.5-p3 Number of urgent purchases made to address urgent<br />
performance/capacity issues<br />
13.1.13.5-p4 Accuracy of forecasts of operational trends<br />
13.1.13.6 Billing KPIs<br />
13.1.13.6-p1 Cost of Services today<br />
13.1.13.6-p2 Up to date status of invoices issued<br />
13.1.13.6-p3 Up to date status of invoices paid<br />
13.1.13.6-p4 Up to date service costs based on the Service Catalogue’s<br />
services<br />
13.1.13.7 Availability KPIs<br />
13.1.13.7-p1 Plan over forecasted Availability requirements<br />
13.1.13.7-p2 Plan over SLA forecasting to Availability<br />
13.1.13.7-p3 Relevant information from Event Management<br />
13.1.13.7-p4 Percentage of services <strong>and</strong> componentscurrently unavailable<br />
13.1.13.7-p5 Mean time between failures<br />
13.1.13.7-p6 Mean time between system Incidents<br />
13.1.13.7-p7 Mean time to restore service<br />
13.1.13.7-p8 Mean time to repair component<br />
13.1.13.8 Availability Metrics<br />
13.1.13.8-p1 Number of times the process is bypassed<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-221 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
13.1.13.8-p2<br />
13.1.13.8-p3<br />
Number of Incidents against the service<br />
Percentage of overall availability of services <strong>and</strong> components<br />
13.1.13.9 Service Catalogue KPI<br />
13.1.13.9-p1 Number of users accessing / browsing the site<br />
13.1.13.9-p2 Number of requests submitted<br />
13.1.13.9-p3 Items being ordered<br />
13.1.13.10 Continuity Management KPI<br />
13.1.13.10-p1 Number of disaster exercises held<br />
13.1.13.10-p2 Number of shortcomings identified during a disaster exercise<br />
13.1.13.11 Information Security Management KPIs<br />
13.1.13.11-p1 Number of Access open requests (not h<strong>and</strong>led)<br />
13.1.13.11-p2 Response times - Amount of Access requests h<strong>and</strong>led within the<br />
time scale defined in the SLA<br />
13.1.13.11-p3 Number of currently open unauthorized Access rights<br />
13.1.13.11-p4 Number of preventative security measures implemented<br />
13.1.13.11-p5 Duration from identification of a threat to implementation of<br />
counter measure<br />
13.1.13.11-p6 Number of security incidents by severity<br />
13.1.13.11-p7 Number of incidents causing a service interruption<br />
13.1.13.12 Information Security Metrics:<br />
13.1.13.12-p1 Number of times the Access Management process is bypassed<br />
13.1.13.12-p2 Number of Access requests performed through the Access<br />
Management process<br />
13.1.13.12-p3 Number of Access requests performed with the Directory<br />
Services tool to manage access <strong>and</strong> rights<br />
13.1.13.12-p4 Number of triggers to process<br />
13.1.13.12-p5 Number of Access requests processed per agent<br />
13.1.13.12-p6 Number of users attempting to access services without proper<br />
Authority<br />
13.1.13.12-p7 Number of Access requests from users compared to Access<br />
Management being triggered by Event Management<br />
13.1.13.12-p8 Number of live operational SLAs in use<br />
13.1.13.12-p9 Number of Security Policies in use<br />
13.1.13.12-p10 Number of many to one Access requests through use of group<br />
rights<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-222 of 532
13.1.13.12-p11<br />
13.1.13.12-p12<br />
requests.<br />
N A T O U N C L A S S I F I E D<br />
Number of complaints <strong>and</strong>/or letters of praise<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-223 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Identifying, logging, categorizing <strong>and</strong> prioritizing all Access<br />
13.1.13.12-p13 Access Management cost - Cost based on time used from<br />
Access request logging to closure.<br />
13.1.13.12-p14 Percentage number of Access requests from customer compared<br />
to operational changes<br />
13.1.13.12-p15<br />
13.1.13.12-p16<br />
Results of customer satisfaction surveys<br />
Hours worked against budget<br />
13.1.13.13 Change Management KPIs<br />
13.1.13.13-p1<br />
The Change Schedule not adversely affecting the organization.<br />
13.1.13.13-p2 Number of Changes proceeding to Change Authority that should<br />
have been previously defined as St<strong>and</strong>ard Changes, i.e. definition = low impact + low<br />
cost still going through Change Authority.<br />
13.1.13.13-p3<br />
Number of planned Changes without detailed roll back plan.<br />
13.1.13.14 Change Management Metrics<br />
13.1.13.14-p1<br />
13.1.13.14-p2<br />
changes<br />
Number of times the process is bypassed<br />
Number of emergency changes, normal changes <strong>and</strong> st<strong>and</strong>ard<br />
13.1.13.14-p3 Number of changes defined as st<strong>and</strong>ard changes after one<br />
change management process run through.<br />
13.1.13.14-p4<br />
13.1.13.14-p5<br />
13.1.13.14-p6<br />
13.1.13.14-p7<br />
13.1.13.14-p8<br />
13.1.13.14-p9<br />
more aligned<br />
Number of changes that comply with customer strategy<br />
Reduction of number of unplanned changes<br />
Reduction of unplanned service outages<br />
Reduction of change roll backs<br />
13.1.13.15 Asset Management KPI<br />
13.1.13.15-p1<br />
13.1.13.15-p2<br />
management data<br />
13.1.13.15-p3<br />
Reduction of number of incidents after approved changes<br />
Evaluation process's predicted performance actual performance<br />
Frequency of configuration verifications<br />
Number of incidents resulting from incorrect configuration<br />
Average work (effort) for configuration management verification<br />
13.1.13.15-p4 Number of incorrect changes made using automated<br />
configuration updates<br />
13.1.13.15-p5<br />
audit<br />
Number of configuration management errors identified during an
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
13.1.13.16 Asset Management Metrics<br />
13.1.13.16-p1 Number of times the process is bypassed<br />
13.1.13.16-p2 Number of errors in information through timely audits compared<br />
to real-life<br />
13.1.13.16-p3 Number of times the process has been triggered<br />
13.1.13.16-p4 Population of the CMDB<br />
13.1.13.16-p5 Time of actual triggering of the process compared to actual<br />
Change time.<br />
13.1.13.16-p6 Accurate information of CIs <strong>and</strong> Service Assets in CMDB<br />
13.1.13.16-p7 Few errors on CIs information entered<br />
13.1.13.17 Release Management KPI<br />
13.1.13.17-p1 Number of major <strong>and</strong> minor releases<br />
13.1.13.17-p2 Duration of deployment (approval to work completed)<br />
13.1.13.17-p3 Number of releases which had to be reversed<br />
13.1.13.17-p4 Proportion of automatic releases<br />
13.1.13.18 Event Management KPIs<br />
13.1.13.18-p1 Reasons documented for present Event monitoring<br />
13.1.13.18-p2 Number of Events triggering Incident Management process<br />
13.1.13.18-p3 Number of Events eventually leading to Change<br />
13.1.13.19 Event Management Metrics<br />
13.1.13.19-p1 Number of bypasses of the process made<br />
13.1.13.19-p2 Number of Events per category<br />
13.1.13.19-p3 Number of important Events<br />
13.1.13.19-p4 Number of Events requiring human intervention<br />
13.1.13.19-p5 Number of Events per Service<br />
13.1.13.19-p6 Number of Events per application<br />
13.1.13.19-p7 Number of Events per Operating <strong>System</strong><br />
13.1.13.19-p8 Number of Events wrongly sorted<br />
13.1.13.19-p9 Number of Events that detected in relation to Incidents detected<br />
by IT staff<br />
13.1.13.20 Incident Management KPIs<br />
13.1.13.20-p1 Number of Incidents not presently assigned<br />
13.1.13.20-p2 Number of Incidents resolved through the Incident Management<br />
process<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-224 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
13.1.13.20-p3 Incident Response Time - Amount of Incidents h<strong>and</strong>led within the<br />
time scale defined in the SLA<br />
13.1.13.20-p4 Length of time before the Incident Management phone is<br />
answered<br />
13.1.13.20-p5 Length of time before user gets feedback from input to Service<br />
Desk.<br />
13.1.13.21 Incident Management Metrics<br />
13.1.13.21-p1 Number of Incidents where staff proceeded into Problem<br />
Management<br />
13.1.13.21-p2 Time of day when most Incidents were<br />
opened/assigned/resolved/closed<br />
13.1.13.21-p3 Number of bypasses to the process<br />
13.1.13.21-p4 Number of Incidents closed in service desk, first line support,<br />
using KEDB for workarounds.<br />
13.1.13.21-p5 Number of calls received<br />
13.1.13.21-p6 Number of calls missed<br />
13.1.13.21-p7 Number of calls logged<br />
13.1.13.21-p8 Number of non-logged calls<br />
13.1.13.21-p9 Number of calls escalated<br />
13.1.13.21-p10 Number of Incidents processed per agent<br />
13.1.13.21-p11 Number of complaints <strong>and</strong>/or letters of praise<br />
13.1.13.21-p12 Percentage of repeat calls for the same Incident<br />
13.1.13.21-p13 Percentage of Incidents resolved by help desk - first level<br />
13.1.13.21-p14 Percentage of operations support requests closed<br />
13.1.13.21-p15 Percentage number of Incidents compared to incoming calls<br />
13.1.13.21-p16 Mean Elapsed Time - Time between Incident report <strong>and</strong><br />
resolution<br />
13.1.13.21-p17 Mean time to achieve Incident resolution<br />
13.1.13.21-p18 Incident cost - Cost based on time used from Incident logging to<br />
Incident closure.<br />
13.1.13.21-p19 Length of time before the phone is answered<br />
13.1.13.21-p20 Average duration of phone calls<br />
13.1.13.21-p21 Results of customer satisfaction surveys<br />
13.1.13.21-p22 Hours worked against budget<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-225 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
13.1.13.22 Problem Management KPI<br />
13.1.13.22-p1 Number of Problems not h<strong>and</strong>led at the present i.e. Open<br />
Problems<br />
13.1.13.22-p2 Problem Response Time - Amount of Problems managed within<br />
the time scale defined in the SLA<br />
13.1.13.22-p3 Percentage of Problems presently being escalated<br />
13.1.13.22-p4 Planned initial Problem team groups<br />
13.1.13.23 Problem Management Metrics<br />
13.1.13.23-p1 Percentage reduction in the Incidents <strong>and</strong> Problems affecting<br />
service to Customers<br />
13.1.13.23-p2 Percentage reduction in average time to resolve Problems<br />
13.1.13.23-p3 Percentage reduction of the time to implement fixes to Known<br />
Errors<br />
13.1.13.23-p4 Percentage reduction of the time to diagnose Problems<br />
13.1.13.23-p5 Percentage reduction of the average number of undiagnosed<br />
Problems<br />
13.1.13.23-p6 Percentage reduction of the average backlog of 'open' Problems<br />
<strong>and</strong> errors.<br />
13.1.13.23-p7 Percentage of incidents defined as Problems<br />
13.1.13.23-p8 Percentage of proactive Problem Management triggers<br />
13.1.13.23-p9 Percentage of Problems managed through the Problem<br />
Management process model<br />
13.1.13.23-p10 Number of bypasses on the process<br />
13.1.13.23-p11 Number of Problem resolved through the Problem Management<br />
process<br />
13.1.13.23-p12 Number of complaints <strong>and</strong>/or letters of praise<br />
13.1.13.23-p13 Number of Problems logged<br />
13.1.13.23-p14 Number of Problems fixed<br />
13.1.13.23-p15 Number of Problems outst<strong>and</strong>ing<br />
13.1.13.23-p16 Number of Workarounds added to the KEDB<br />
13.1.13.23-p17 Number of added Workarounds in KEDB used by Incident<br />
Management<br />
13.1.13.23-p18 Number of Problems solved by initial diagnosis<br />
13.1.13.23-p19 Number of RfCs sent to Change Management<br />
13.1.13.23-p20 Number of non-recurring incidents due to fixes<br />
13.1.13.23-p21 Number of many-to-one incident fixes compared to one-to-one<br />
incident fixes<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-226 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
13.1.13.23-p22<br />
13.1.13.23-p23<br />
Problem closure.<br />
13.1.13.23-p24<br />
13.1.13.23-p25<br />
13.1.13.23-p26<br />
13.1.13.23-p27<br />
performance<br />
Time between Problem Logging <strong>and</strong> Problem resolution<br />
Problem cost - Cost based on time used from Problem logging to<br />
Results of customer satisfaction surveys<br />
Hours worked against budget<br />
Resolution times with respect to service level requirements<br />
Hardware, software <strong>and</strong> help desk support, response <strong>and</strong><br />
13.1.13.24 Request fulfilment KPIs<br />
13.1.13.24-p1<br />
13.1.13.24-p2<br />
13.1.13.24-p3<br />
Number of presently unanswered Requests<br />
Number of Requests that have stopped dead in the process<br />
Number of staff presently running the process<br />
13.1.13.25 Request fulfilment Metrics<br />
13.1.13.25-p1<br />
13.1.13.25-p2<br />
Number of bypasses to the process<br />
Time of day Requests have been submitted.<br />
13.1.13.25-p3 Number of Service Requests through the Request Fulfilment<br />
Management process<br />
13.1.13.25-p4<br />
13.1.13.25-p5<br />
13.1.13.25-p6<br />
Number of Service Requests processed<br />
Number of St<strong>and</strong>ard Changes processed<br />
Number of complaints <strong>and</strong>/or letters of praise<br />
13.1.13.25-p7 Request Fulfilment cost - Cost based on time used from Service<br />
Request logging to Service Request closure.<br />
13.1.13.25-p8<br />
13.1.13.25-p9<br />
13.1.13.26 Billing Metrics<br />
13.1.13.26-p1<br />
Results of customer satisfaction surveys<br />
Hours worked against budget<br />
Number of bypasses to the process<br />
13.1.13.26-p2 Number of times Financial Management has been triggered by<br />
other ITSM processes<br />
13.1.13.26-p3 Number of Services with up to date Valuations<strong>and</strong> TCO (Total<br />
Cost of Ownership)<br />
13.1.14 End-to-End Scenario Testing<br />
13.1.14-p1 SMC performance shall be measured during the end-to-end test<br />
scenario which will be a structured walkthrough of all the identified ITIL processes to<br />
be supported where provider, customer, user <strong>and</strong> IV&V are represented.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-227 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
13.1.14-p2 During the scenario testing the following performance shall be<br />
measured:<br />
A. Mean Customer wait time.<br />
B. Mean customer Request duration time.<br />
C. First call resolution percentage.<br />
D. Volume of customer requests.<br />
E. Cost efficiency of customer management.<br />
F. Mean reporting wait time.<br />
G. Mean change management <strong>and</strong> CMDB update wait time.<br />
H. Mean change management <strong>and</strong> asset management update wait time.<br />
i. Reporting to Central NATO SMC (NCIA ).<br />
J. Providing monitoring info to Central NATO SMC (NCIA ).<br />
13.1.14-p3 Consume <strong>and</strong> proliferate Software package from Central NATO<br />
SMC <strong>and</strong> distribute to NNHQ infrastructure.<br />
13.1.15 Training<br />
13.1.15-p1 The <strong>ANWI</strong> Contractor shall provide NATO O&M personnel (for<br />
NONO services only) full training of the SMC tools <strong>and</strong> processes to fit the identified<br />
ITIL processes, if the service is identified as NONO.<br />
13.1.15-p2 Users shall be provided with an informational guide to be able to<br />
effectively communicate with the Service Desk, service catalogue <strong>and</strong> interact with<br />
the Self-Service portal.<br />
13.1.16 Cross Domain Requirements<br />
13.1.16-p1 Cross domain management information XML messages shall use a<br />
highly normalized <strong>and</strong> strictly enforced XML schema.<br />
13.1.16-p2 Cross domain management information XML messages shall be<br />
signed before exchanging the message across the cross domain boundary <strong>and</strong><br />
verified upon receipt on the other side. XML messages with incorrect signatures<br />
<strong>and</strong>/or untrusted signers are rejected. The signing entity must only permit messages<br />
from entities that are trusted <strong>and</strong> permitted to send messages across the security<br />
domain boundary.<br />
13.1.16-p3 Violations of the cross domain XML message schema <strong>and</strong>/or<br />
signature shall be logged <strong>and</strong> a notification shall be send to the IOSS.<br />
13.1.17 Future Technology Requirements<br />
13.1.17-p1 Where the cross domain exchange of management information is<br />
initially constrained to unidirectional low-to-high exchange of management<br />
information, using a data-diode, due to unavailability of a bi-directional gateway that<br />
can be accredited, the SMC infrastructure (including AIS Managers, N/ELM, IOSS,<br />
<strong>and</strong> ESB systems) shall be prepared for augmenting the data-diode with a bidirectional<br />
cross domain management information gateway when <strong>and</strong> where<br />
available.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-228 of 532
N A T O U N C L A S S I F I E D<br />
13.1.18 SMC Service Level Agreement/Target<br />
SLT feature<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Value<br />
Availability (6 months period)<br />
Service Availability 99.5<br />
Response time<br />
Number of Service Interruptions 1<br />
Duration of service interruptions (hours) 1<br />
TBD<br />
Number of Service Availability Measurements (over the period) 43800<br />
Capacity<br />
Number of capacity shortfall incidents 5<br />
Number of capacity modifications 1<br />
Resolution time of capacity adjustments (hours) 1<br />
Capacity reserve 25%<br />
Reliability<br />
MTBF (hours) 4380<br />
MTTR (hours) 4<br />
Number of critical failures 1<br />
Maintainability<br />
Mean Time to Replace (hours) 24<br />
Table 13.1 SMC SLTs<br />
13.1.19 Management <strong>and</strong> Operational Requirements<br />
13.1.19.1 Interfaces<br />
13.1.19.1-p1 The <strong>ANWI</strong> Contractor shall describe the following internal interfaces<br />
<strong>and</strong> dependencies for the Specific COI SMC capability, interfacing with the<br />
respective SMC (element management) services of each of the individual services.<br />
User Services<br />
Processing<br />
Storage<br />
Printing<br />
AD<br />
DNS<br />
DHCP<br />
NTP<br />
NAC<br />
Client<br />
Provisioning<br />
LAN<br />
Cross Domain<br />
Email<br />
IM<br />
Voice<br />
VTC services<br />
Presence<br />
Collaboration<br />
IPTV<br />
File services<br />
Remote users<br />
Browsing<br />
ESS<br />
BMS<br />
ICTM applications<br />
Web Publishing<br />
SMC<br />
SMC X X X X X X X X X X X X X X X X X X X X X<br />
Table 13.2 SMC Interfaces<br />
13.1.19.1-p2 In support of the SMC management concept to consolidate SMC<br />
management information on the NS network the following interfaces are required that<br />
are linked to the functionality of CDGW. These are the internal NNHQ internal Cross<br />
Domain Interfaces as specified in Annex E Appendix 2.<br />
CDM function protocols comment<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-229 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
CDGW4-NS XML, SMTP, SNMP, FTP (XML preferred) EAPC-NS (one way initial)<br />
CDGW5-NS XML, SMTP, SNMP, FTP (XML preferred) Business-NS (one way initial)<br />
CDGW6-NS XML, SMTP, SNMP, FTP (XML preferred). Public-NS (one way initial)<br />
Table 13.3 Cross Domain Gateway Interfaces for the SMC<br />
13.1.19.1-p3 For the sharing of SMC services <strong>and</strong> interfaces with the central<br />
NCIA CIS management services the following Cross Domain Gateways are<br />
instrumental to support that function.<br />
CDM function<br />
CDGW1-NSNS WAN<br />
CDGW2-NR NR WAN<br />
CDGW2NU WAN<br />
CDGW3-Public Public<br />
Public PIA services<br />
functions<br />
Monitoring, software distribution, remote management (which is a function of each<br />
individual service SMC interface)<br />
The <strong>ANWI</strong> specific COI SMC service interfaces with the NCIA central management<br />
monitoring, reporting <strong>and</strong> CMDB capability:<br />
HP Open<strong>View</strong> (Comms Monitoring)<br />
SCOM (AIS monitoring)<br />
SCCM (AIS inventory <strong>and</strong> metering)<br />
Remedy (Service Desk management Comms <strong>and</strong> Central Management of CIS services)<br />
SDE (Service Desk management AIS)<br />
CMDB<br />
Monitoring, software distribution, remote management (which is a function of each<br />
individual service SMC interface).<br />
Monitoring, software distribution, remote management<br />
(which is a function of each individual service SMC interface).<br />
Table 13.4 Cross Domain Gateway functions<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-230 of 532
N A T O U N C L A S S I F I E D<br />
13.2 Appendix 2: Information Assurance<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-231 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
13.2-p1 The <strong>ANWI</strong> Contractor shall implement <strong>and</strong> integrate the <strong>ANWI</strong> IA vertical<br />
services components into the existing NATO SMI environment <strong>and</strong> centralized IA<br />
management system.<br />
13.2-p2 The <strong>ANWI</strong> IA management services shall be an integrated part of the SMC<br />
services.<br />
13.2-p3 The <strong>ANWI</strong> IA management services shall be centralized as specified in<br />
section 13.2.1-13.2.5. Currently, the central IA management systems are installed<br />
outside of the NATO HQ <strong>and</strong> operated by NATO that are assigned the responsibility<br />
for central management of certain IA related capabilities for central management<br />
(e.g. NCIA , NCIRC). In case of an <strong>ANWI</strong> IA service to be centrally managed certain<br />
dedicated management tasks may be delegated to the local admins.<br />
13.2-p4 Required local IA management capabilities shall be provided <strong>and</strong> installed<br />
in Class 1 Security Areas. IA management services shall be reachable only from<br />
certain admin workstations in the NNHQ building, or through a management server.<br />
13.2-p5 The <strong>ANWI</strong> contractor shall implement Specific COI IA services that map to<br />
the Security Mechanisms as outlined in Annex C section 11.8.<br />
13.2-p6 Ultimately, the <strong>ANWI</strong> contractor shall verify <strong>and</strong> validate the <strong>ANWI</strong> IA<br />
management services comply with the security CONOPS 1.1.1.7.4 <strong>and</strong> report the<br />
results to the Purchaser.<br />
13.2-p7 The <strong>ANWI</strong> Information Assurance services are specified in Table 13.1.<br />
13.2-p8 The required <strong>ANWI</strong> IA services <strong>and</strong> <strong>ANWI</strong> IA management services as<br />
identified in Table 13.1 are all part of a bigger picture NATO wide IA services scope.<br />
For the scoping of the <strong>ANWI</strong> contractor responsibilities in this area three areas are<br />
covered:<br />
A. Delivery of <strong>ANWI</strong> provided service components.<br />
B. Delivery of <strong>ANWI</strong> provided IA management service components.<br />
C. Level of integration into a NATO wide capability.<br />
13.2-p9 Each of the <strong>ANWI</strong> IA services as identified in the table is specified in more<br />
detail in the respective paragraphs in sections 13.2.2.2-13.2.2.6.<br />
<strong>ANWI</strong> IA<br />
service<br />
Cross Domain<br />
Module<br />
Anti-Virus<br />
<strong>ANWI</strong> service<br />
Provision of<br />
consistent cross<br />
domain services <strong>and</strong><br />
support to the 6<br />
CDGW’s as identified<br />
in section 12.3.2.6.<br />
Part of the following<br />
<strong>ANWI</strong> service –<br />
Processing Services,<br />
Cross-domain<br />
Services, Client<br />
provisioning service,<br />
UCC service<br />
<strong>ANWI</strong><br />
management<br />
service<br />
Local Firewall,<br />
guards <strong>and</strong> NCIRC<br />
management<br />
services as<br />
defined NATO<br />
wide.<br />
Local Anti-Virus<br />
management<br />
capability fit to<br />
the NATO wide<br />
NIATC anti-virus<br />
capability<br />
Integration<br />
Integration into NATO wide<br />
central management of BPDs.<br />
Integration into NCIRC.<br />
Integration with PIA GW<br />
See appropriate SMs in<br />
section 11.8.2.2for details<br />
Integrates to NIATC Anti-Virus<br />
support on the NS <strong>and</strong> NU/NR<br />
See appropriate SMs in<br />
section 13.4 for details<br />
Relevant<br />
Security<br />
Mechanisms<br />
SM01, SM06-<br />
09, SM 11,<br />
SM14-20, SM22<br />
SM01-05,<br />
SM08-09
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
NPKI<br />
Incident<br />
Management<br />
Security Patch<br />
<strong>and</strong><br />
Configuration<br />
Management<br />
<strong>ANWI</strong> shall integrate<br />
NATO wide PKI<br />
services<br />
<strong>ANWI</strong> shall provide<br />
two factor<br />
authentication using<br />
NPKI (included in<br />
Client Provisioning<br />
Service) <strong>and</strong> RAs<br />
Part of Processing<br />
Services (PR060-061)<br />
– host-based IDS <strong>and</strong><br />
Cross-domain<br />
services<br />
No specific security<br />
patch management –<br />
see SMC<br />
<strong>ANWI</strong> shall<br />
provide<br />
Registration<br />
Authorities(RAs)<br />
for NS <strong>and</strong><br />
Business network<br />
Local<br />
management of<br />
H-ID/PS;<br />
N-ID/PS, FPC<br />
centrally<br />
managed by<br />
NCIRC;<br />
Log collection for<br />
NCIRC (via<br />
ArcSight<br />
Connectors/<br />
Loggers)<br />
NPKI integration – see Annex<br />
B<br />
Security tools (apart from H-<br />
IDS <strong>and</strong> AV) shall be centrally<br />
managed by NCIRC. Note:<br />
NCIRC FOC project may<br />
provide N-ID/PS, OCF <strong>and</strong> FPC<br />
to be integrated into CDMs.<br />
Integration with NCIRC for log<br />
collection<br />
See appropriate SMs in<br />
section 13.4 for details<br />
SM11-13,<br />
SM17, SM30,<br />
SM42, SM49<br />
SM16, SM21,<br />
SM28, SM36<br />
See SMC See SMC SM40, SM43<br />
Table 13.5<strong>ANWI</strong> Specific CoI IA <strong>and</strong> IA management Services<br />
13.2-p10 These specific IA services, addressed in subsequent sections, shall be<br />
provide on all 4 networks within New NATO HQ (NS, EAPC, Business <strong>and</strong> Public),<br />
within <strong>and</strong> between the internal networks <strong>and</strong> between <strong>ANWI</strong> <strong>and</strong> all external<br />
networks.<br />
13.2.1 Cross Domain Module (CDM)<br />
13.2.1-p1 Cross-domain capabilities provide the required connectivity of NNHQ<br />
<strong>ANWI</strong> LAN infrastructures to external networks or to each other.<br />
13.2.1.1 <strong>Architecture</strong><br />
13.2.1.1-p1 The CDM architecture shall be based on a modular approach where<br />
additional modules may be added or old modules replaced with newer modules.<br />
13.2.1.1-p2 As mentioned in Annex D (table 12.1), the CDM shall initially consist<br />
of six major gateways:<br />
A. CDGW1: NSNS WAN,<br />
B. CDGW2: NRNR WAN/NU/Public,<br />
C. CDGW3: Public Access,<br />
D. CDGW4: NSEAPC,<br />
E. CDGW5: NSNR,<br />
F. CDGW6: Public >NS.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-232 of 532
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-233 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
13.2.1.1-p3 CDM components shall be installed in the server rooms (Class 1<br />
secure areas), in a redundant <strong>and</strong> high available configuration.<br />
A. The Cross Domain Module shall implement the <strong>ANWI</strong> CDM architecture in<br />
an integrated, resilient, logical, modular <strong>and</strong> scalable way as shown in<br />
Figure 13.3.<br />
B. The CDM shall be implemented in a redundant load balancing fashion<br />
across the two server rooms as depicted in section 12.3<br />
C. The CDM shall present one integrated <strong>and</strong> consolidate management<br />
interface that allows to manage all cross domain gateways, both locally<br />
<strong>and</strong> centrally (remote).<br />
D. The CDM shall be scalable <strong>and</strong> allow for creation of additional CDGWs or<br />
exp<strong>and</strong>ing on existing CDGW enhancements.<br />
E. The CDM management interface shall be used as the primary tool for level<br />
1 CDM operations <strong>and</strong> maintenance. Through this tool access to other<br />
CDM component management tools shall be organised.<br />
F. The CDM management interface shall be used to create, visualise CDM<br />
component configuration settings (rulesets) <strong>and</strong> present the end-to-end<br />
cross domain information flows based on the following parameters:<br />
1. Cross domain information services active<br />
2. Configuration Settings<br />
3. Performance <strong>and</strong> throughput<br />
4. Incidents detected<br />
G. The CDM management interface shall allow security staffs to inspect <strong>and</strong><br />
audit the overall active Cross Domain architecture <strong>and</strong> cross domain<br />
services in a top-down fashion.<br />
H. All individual CDM, CDGW components shall allow for local <strong>and</strong> central<br />
management <strong>and</strong> reporting interface.<br />
i. Backup <strong>and</strong> recovery devices shall be available to preserve the overall<br />
availability of the CDM <strong>and</strong> its CDGWs.<br />
J. The availability of on-line redundant components for all CDM component<br />
shall be determined by the availability, reliability <strong>and</strong> MTTR requirements<br />
as specified in the services paragraph (13.2.2.2.2).<br />
K. Implementation of the CDM <strong>and</strong> CDM management interfaces shall not<br />
negatively impact the end-to-end services performance (delays).<br />
L. IP stack: Gateway 1 to 6 shall support IPv4 <strong>and</strong> IPv6 in a dual stack<br />
configuration.<br />
M. All exchanged data shall be checked for malicious code.<br />
N. There shall be validation of the format of exchanged data.<br />
O. An intrusion detection / prevention system shall be implemented to include<br />
network or host based detection / prevention, online computer forensics<br />
<strong>and</strong> full packet capturing that complies with the NCIRC FOC<br />
specifications.<br />
P. All gateway components shall be administered by staff possessing NATO<br />
Cosmic Top Secret security clearances <strong>and</strong> shall operate in a NATO class<br />
1 security area.<br />
Q. User authentication information shall be used.<br />
R. User authorization shall be used.
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
S. Network communication information shall be taken into account (IP<br />
address, domain, other network protocols).<br />
T. Application layer information shall be used (screening for "dirty words",<br />
HTTP comm<strong>and</strong>s).<br />
U. "White"- or "black"-listing methods shall be used (e.g. IP-ranges, file types,<br />
user groups).<br />
V. Cross-domain, management of: The management of the cross domain<br />
gateway's Mail guard components shall be centralized from the high side<br />
(typically using a SSH2 terminal connection).<br />
W. Cross-domain, management of: The management of the cross domain<br />
gateway's XML guard components shall be centralized from the high side<br />
(typically using a SSH2 terminal connection).<br />
X. Cross-domain, management of: The management of the cross domain<br />
gateway firewall components shall be centralized from the high side.<br />
Y. Cross-domain, management of: The management of data dioded<br />
components shall be centralized from the high side (typically using a<br />
SSH2 terminal connection).<br />
Z. Cross-domain, management of: The management of Ethernet switching<br />
<strong>and</strong> IP routing component of cross domain gateways shall be done from<br />
the N/ELM located in the security domain that it belongs to.<br />
AA. Where technically possible, appropriate NATO security settings (currently<br />
available for Windows <strong>and</strong> Solaris based servers) shall be implemented<br />
<strong>and</strong> network equipment (e.g. switches) shall be configured in accordance<br />
with NIATC security guidance (Ref. 1.1.1.6.36 <strong>and</strong> 1.1.1.6.37).<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-234 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Figure 13.3 CDM architecture across the dual server rooms<br />
13.2.1.1-p4 The subsections of this chapter list requirements which have an<br />
impact on architecture <strong>and</strong> components of particular cross domain gateways. The<br />
Contractor is responsible for designing Gateways in accordance with these<br />
requirements <strong>and</strong> IA-related NATO directives <strong>and</strong> guidance listed in section 1.1.1.6.<br />
13.2.1.1.1 CDGW1<br />
13.2.1.1.1-p1 The architecture of CDGW1 (depicted in Figure 13.4) shall follow the<br />
NGCS Target <strong>Architecture</strong> document (see reference 1.1.1.8.13.) as the key reference<br />
for SIPs <strong>and</strong> SIOPs. In addition, the following requirements shall be fulfilled:<br />
A. The gateway shall include a Boundary Protection Device (firewall) limiting<br />
network traffic to authorized protocols.<br />
B. The BPD shall be evaluated to at least EAL3 according to Common<br />
Criteria or national equivalent.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-235 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
C. The intermediate servers/concentrators shall be placed in the DMZ<br />
segments <strong>and</strong> diversify between the following three types of DMZ<br />
segments as specified in section 12.3.3 :<br />
1. NS level FE DMZ<br />
2. NS level BE DMZ<br />
3. NS authentication DMZ<br />
D. Due to different user <strong>and</strong> security requirements voice <strong>and</strong> video traffic<br />
should be separated from the other network traffic.<br />
Figure 13.4 CDGW1 architecture<br />
13.2.1.1.2 CDGW2<br />
13.2.1.1.2-p1 This gateway capability (depicted in Figure 13.5) shall facilitate interface<br />
to the future NR enterprise WAN as described in the NGCS TA (1.1.1.8.13). From an<br />
AIS perspective CDGW2 shall facilitate integration <strong>and</strong>/or information sharing with<br />
(federated NATO) entities through the NR WAN, NU WAN <strong>and</strong> the Internet at the<br />
NU/NR level.<br />
13.2.1.1.2-p2 The architecture proposed by the Contractor shall be compliant with the<br />
following requirements:<br />
A. The gateway shall include a Boundary Protection Device (firewall) limiting<br />
network traffic to authorized protocols.<br />
B. The BPD shall be evaluated to at least EAL3 according to Common<br />
Criteria or national equivalent.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-236 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
C. The intermediate servers/concentrators may be placed in the DMZ<br />
segments <strong>and</strong> diversify between the following types of DMZ segments as<br />
specified in section 12.3.4:<br />
1. NU or NR FE DMZ<br />
2. NU or NR BE DMZ<br />
3. NU or NR authentication DMZ<br />
D. Due to different user <strong>and</strong> security requirements voice <strong>and</strong> video traffic<br />
should be separated from the other network traffic.<br />
E. The NR domain IP address scheme shall be concealed from the NU<br />
domain by NAT or similar.<br />
Figure 13.5 CDGW2 architecture<br />
13.2.1.1.3 CDGW3<br />
13.2.1.1.3-p1 The architecture of CDGW3 (depicted in Figure 13.6) shall follow the<br />
NGCS Target <strong>Architecture</strong> document (see reference 1.1.1.8.13.) as the key reference<br />
for SIPs <strong>and</strong> SIOPs.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-237 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Figure 13.6 CDGW3 architecture<br />
13.2.1.1.3-p2 The CDGW3 architecture shall be compliant with the following<br />
requirements:<br />
A. The minimum assurance level for the security enforcing elements of the<br />
CDGW3 is EAL4 or national/international equivalent.<br />
B. The Boundary Protection Devicess (BPDs) shall ensure that only NU<br />
information is provided to public network.<br />
C. A DMZ access for both NR, NU <strong>and</strong> Public Level segments shall be fully<br />
integrated <strong>and</strong> supported in conjunction with CDGW2.<br />
D. The intermediate servers/concentrators may be placed in the DMZ<br />
segments <strong>and</strong> diversify between the following types of DMZ segments as<br />
specified in section 12.3.4:<br />
1. Internet Publishing FE DMZ<br />
2. Internet Publishing BE DMZ<br />
3. Remote Access DMZ<br />
E. The BPC shall validate the format of all exchanged data (e.g. checking<br />
that web traffic is in fact HTTP or HTTPS) to minimize the risk of exploits.<br />
13.2.1.1.4 CDGW4<br />
13.2.1.1.4-p1 The architecture of CDGW4 (depicted in Figure 13.7) shallsupport bidirectional<br />
email exchange <strong>and</strong> use secure release mechanisms from NS to EAPC to<br />
release or publish document. It shall also be used for management information<br />
transfer from the EAPC network to the NS network.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-238 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Figure 13.7 CDGW4 architecture<br />
13.2.1.1.4-p2 The CDGW4 architecture shall be complaint with the following<br />
requirements:<br />
A. Network traffic shall be limited (by BPDs) to set of services authorized by<br />
the Security Accreditation Authority (SAA).<br />
B. The interconnection architecture shall use a DMZfor the exchange of<br />
information unless it is operationally not acceptable.<br />
C. The intermediate servers/concentrators may be placed in the DMZ<br />
segments <strong>and</strong> diversify between the following types of DMZ segments as<br />
specified in section 12.3.3:<br />
1. NS level FE DMZ<br />
2. NS level BE DMZ<br />
3. NS authentication DMZ<br />
D. Authorized data flow need to be controlled (e.g. bye-mail or XML guard) to<br />
make sure that NATO information not releasable to EAPCshall not pass<br />
through the Gateway.<br />
E. The mail guard shall be protected by the Boundary Protection Device (s).<br />
F. The minimum EAL for the security enforcing elements of the BPD is 4.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-239 of 532
13.2.1.1.5 CDGW5<br />
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
13.2.1.1.5-p1 The CDGW5 architecture (depicted in Figure13.8) shall be compliant<br />
with the following requirements:<br />
A. There shall be network services control use (e.g. implemented on firewall<br />
limiting network traffic to set of services authorized by the Security<br />
Accreditation Authority (SAA)) of guard or data diode (e.g. by e-mail or<br />
XML guard) to ensure that data from higher domain (NS) shall not be<br />
released to lower domain (NR).<br />
B. The interconnection architecture shall use a DMZ for the exchange of<br />
information unless it is operationally not acceptable.<br />
C. The intermediate servers/concentrators may be placed in the DMZ<br />
segments <strong>and</strong> diversify between the following types of DMZ segments as<br />
specified in section 12.3.5:<br />
1. NS level FE DMZ<br />
2. NS level BE DMZ<br />
3. NS authentication DMZ<br />
4. NR level FE DMZ<br />
5. NR level BE DMZ<br />
6. NR authentication DMZ<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-240 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Figure 13.8 CDGW5 architecture<br />
13.2.1.1.5-p2 Currently (2Q 2012) evaluated guards supporting all services required<br />
by NNHQ users are not available, so initially CDGW5 architecture shall be based on<br />
a data diode solution with mail guard allowing notification of data transfer.<br />
A. The low side server (LSS) shall be protected by the BPD (e.g. firewall) to<br />
ensure that only authorized systems/hosts can exchange data with the<br />
LSS.<br />
B. All exchanged data shall be checked against malicious software at the low<br />
side (it can be installed on the LSS itself or on each hosts which provides<br />
data for the LSS).<br />
C. There shall be a protocol conformance checker (mechanisms remove<br />
potentially harmful protocol options, using for instance an application layer<br />
(proxying) firewall) to be implemented at the low side.<br />
D. Data scrubbing shall be implemented at the high side – to ensure that<br />
threats such as active content are removed from the information flow.<br />
Additionally, transforming data (e.g. from one file format to another) or<br />
masking data (e.g. removing or zero-izing data field contents) may be<br />
useful to sanitize data without the loss of semantics <strong>and</strong> may help prevent<br />
a successful attack.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-241 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
E. Protection against malicious software shall be implemented at the high<br />
side – all data need to be scanned before transmission to internal NS<br />
LAN. Use of different anti-virus software than on the low side is<br />
recommended.<br />
F. The mail guard shall be protected by the firewall(s)<br />
G. Firewalls, guard(s), high <strong>and</strong> low side servers shall be centrally managed<br />
(2 instances of centralize management capabilities for data diode servers:<br />
on NR <strong>and</strong> NS level, management on NS level for firewalls <strong>and</strong> guards).<br />
As centrally managed data diodes solutions <strong>and</strong> firewalls are/shall be<br />
implemented at various NATO sides, the selected solutions should be<br />
consistent with existing (at the implementation time) products used within<br />
NATO <strong>and</strong> managed by NCIA .<br />
H. Strong (two factor) authentication for administrators of High <strong>and</strong> Low Side<br />
Servers shall be implemented.<br />
13.2.1.1.6 CDGW6<br />
13.2.1.1.6-p1 The architecture of CDGW6 (depicted in Figure 13.9) shall consist of<br />
data diodes as its key components providing transfer of network/component<br />
management-related data to the NS domain from the unclassified network.<br />
Figure 13.9 CDGW6 architecture<br />
A. Strong (two factor) authentication for administrators of High <strong>and</strong> Low Side<br />
Servers shall be implemented.<br />
B. The low side server (LSS) shall be protected by the BPD (e.g. firewall) to<br />
ensure that only authorized systems/hosts can exchange data with the<br />
LSS.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-242 of 532
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-243 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
C. All exchanged data shall be checked against malicious software at the low<br />
side (it can be installed on the LSS itself or on each hosts which provides<br />
data for the LSS).<br />
D. There shall be a protocol conformance checker (mechanisms remove<br />
potentially harmful protocol options, using for instance an application layer<br />
(proxying) firewall) to be implemented at the low side.<br />
E. Data scrubbing shall be implemented at the high side – to ensure that<br />
threats such as active content are removed from the information flow.<br />
Additionally, transforming data (e.g. from one file format to another) or<br />
masking data (e.g. removing or zero-izing data field contents) may be<br />
useful to sanitize data without the loss of semantics <strong>and</strong> may help prevent<br />
a successful attack.<br />
F. Protection against malicious software shall be implemented at the high<br />
side – all data need to be scanned before transmission to internal NS<br />
LAN. Use of different anti-virus software than on the low side is<br />
recommended.<br />
G. Firewalls, guard(s), high <strong>and</strong> low side servers shall be centrally managed<br />
(2 instances of centralize management capabilities for data diode servers:<br />
on NR <strong>and</strong> NS level, management on NS level for firewalls <strong>and</strong> guards).<br />
As centrally managed data diodes solutions <strong>and</strong> firewalls are/shall be<br />
implemented at various NATO sides, the selected solutions should be<br />
consistent with existing (at the implementation time) products used within<br />
NATO <strong>and</strong> managed by NCIA .<br />
13.2.1.2 Service<br />
13.2.1.2-p1 Cross domain module supports information exchange between<br />
different networks/security domains (e.g. LANs with different security classification or<br />
networks managed by different CIS Operating Authorities). Table 13.2 summarises<br />
the nature of each of the individual cross domain gateways information exchange<br />
services. The detailed summary of cross domain information services per CDGW is<br />
provided in the paragraphs 13.2.1.2.1-13.2.1.2.6.<br />
Gateway<br />
CDGW1: NSNS<br />
WAN<br />
CDGW2:<br />
NRNR/NU/Public<br />
CDGW3: Public<br />
Access<br />
Service<br />
information sharing between the NS LAN <strong>and</strong> the NS WAN<br />
network;<br />
the external interfaces to the NS based network services.<br />
information sharing between the NR LAN <strong>and</strong> the NR/NU<br />
WAN NGCS networks, <strong>and</strong><br />
the connectivity between NR <strong>and</strong> NU/Public for voice <strong>and</strong><br />
internet services through CDGW3,<br />
Authenticate remote users or remote offices on NR level);<br />
Access to the Public Information Access Gateway (PIA GW) –<br />
see annex B<br />
the Public Voice Services Access Gateway- this gateway<br />
plays an important role in the establishment of a voice (VOIP)<br />
<strong>and</strong> SMS interface from the public telephony domain to the<br />
NATO HQ UCC services;<br />
Support Remote VPN access (up to NR level)
Gateway<br />
CDGW4:<br />
NSEAPC<br />
CDGW5: NSNR<br />
CDGW6: Public<br />
>NS<br />
N A T O U N C L A S S I F I E D<br />
<br />
<br />
<br />
<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Service<br />
Automated transfer of documents <strong>and</strong> notifications between<br />
NATO registry <strong>and</strong> partners that are connected to the EAPC<br />
network.<br />
Support for information sharing between the Business LAN<br />
<strong>and</strong> the NS network,<br />
Transfer of the management information from the Business<br />
network to the NS network.<br />
the management information transfer from the Public network<br />
to the NS network<br />
Table 13.6Nature of <strong>ANWI</strong> cross domain information exchange per Cross Domain<br />
Gateway<br />
13.2.1.2-p2 Table 13.3 CDM generic SLTs shows the generic Service Level<br />
Target for providing all CDM based services. As <strong>and</strong> when there are different SLTs<br />
for a specific CDGW services this is listed as a specific CDGW service requirement.<br />
Service Level Target Parameters<br />
Capacity<br />
Capacity SLTs (6 months period)<br />
Number of Capacity Shortfall Incidents 2<br />
Number of Capacity Modifications 1<br />
Resolution Time for Capacity Adjustments (hours) 1<br />
Capacity Reserve (%) 25<br />
Availability SLTs (6 months period)<br />
Service Availability (%)(generic, may be overruled by specific SLTs in the<br />
remaining SLT requirements) 99.95<br />
Response Time (s)<br />
Number of Service Interruptions 1<br />
Duration of Service Interruptions (hours) 1<br />
Number of Service Availability Measurements<br />
Reliability SLTs (6 months period)<br />
Table 13.7CDM generic SLTs<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-244 of 532<br />
Shall be specified for each CDGW<br />
specifically<br />
<br />
Mean Time Between Failures (MTBF) (hours) 4380<br />
Mean Time Between Critical Failures (hours) 4380<br />
Number of Critical Failures 1<br />
Maintainability SLTs (6 months period)<br />
Mean Time To Replace / Repair (MTTR) (hours) 24<br />
Number of Corrective Maintenance Actions<br />
Number of Preventive Maintenance Actions<br />
Turnaround Time in Depot (hours)<br />
Transportation Time Between HQ <strong>and</strong> Depot (hours)<br />
Performance Parameters<br />
TBD<br />
Continuous<br />
<br />
<br />
<br />
<br />
TBD
13.2.1.2.1 CDGW1 Services<br />
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
13.2.1.2.1-p1 The CDGW1 shall support the following cross domain information<br />
exchange services as identified in Figure 13.10).<br />
13.2.1.2.1-p2 The CDGW1 shall support the following specific SLTs:<br />
A. Overall capacity of the CDGW1 capability 100 Mbps.<br />
B. Availability of cross domain voice services: 99.995%<br />
Figure 13.10 CDGW1 cross domain services<br />
13.2.1.2.2 CDGW2 Services<br />
13.2.1.2.2-p1 The CDGW2 shall support the following cross domain information<br />
exchange services as identified in Figure 13.11).<br />
13.2.1.2.2-p2 The CDGW1 shall support the following specific SLTs:<br />
A. Overall capacity of the CDGW2 capability 1 Gbps.<br />
B. Availability of cross domain voice services: 99.995%<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-245 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Figure 13.11 CDGW2 cross domain services<br />
13.2.1.2.2-p3 The contractor shall implement the following specific CDGW2 cross<br />
domain service requirements:<br />
13.2.1.2.2.1 Requirements applicable to e-mail:<br />
13.2.1.2.2.1-p1 The gateway shall provide bi-directional email with attachments<br />
between users of the NR business LAN <strong>and</strong> the NU WAN, NR WAN <strong>and</strong> via CDGW3<br />
with the Internet.<br />
13.2.1.2.2.1-p2 The gateway shall allow rewriting of header information such as<br />
‘from’ addresses so that the internal domain structure is concealed from external<br />
recipients.<br />
13.2.1.2.2.1-p3<br />
The gateway shall support aliases <strong>and</strong> distribution lists.<br />
13.2.1.2.2.1-p4 The gateway shall attempt to correct addressing errors in<br />
incoming email by trying to match the address with known NR domain recipients. At<br />
the minimum the following features shall be implemented:<br />
Closest match within sent domain correcting name typos, removing dots,<br />
dashes, <strong>and</strong> other non-alphabetic characters.<br />
matching to an alias list (e.g. for addresses known for miss-spelling).<br />
13.2.1.2.2.1-p5 All email shall be marked with classification <strong>and</strong> releasability<br />
labels by x-header extensions (e.g. by Titus Labs). This information shall be stripped<br />
from email traversing the gateway from NR to Internet <strong>and</strong> added to email travelling<br />
from Internet to NR.<br />
13.2.1.2.2.1-p6 All attempts to send NR e-mail to an external Internet or NU<br />
address shall generate an alert to a system administrator.<br />
13.2.1.2.2.1-p7 All attempts to send NR e-mail to external Internet or NU<br />
addresses shall be blocked <strong>and</strong> quarantined for manual inspection.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-246 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
13.2.1.2.2.1-p8 The gateway shall block unauthorized types of attachments or<br />
unreadable attachments.<br />
13.2.1.2.2.1-p9 In addition to the security label attached by the originator, all mail<br />
(including attachments) shall be automatically scanned to try to identify classified<br />
content. If such content is identified an alert shall be generated. If such content is<br />
suspected, the email shall be quarantined for manual inspection <strong>and</strong> then either<br />
released or logged as a violation.<br />
13.2.1.2.2.1-p10 All email passing through the gateway shall be scanned for<br />
viruses <strong>and</strong> other malicious content <strong>and</strong> appropriate action taken upon detection.<br />
13.2.1.2.2.1-p11<br />
specified domains.<br />
13.2.1.2.2.1-p12<br />
13.2.1.2.2.1-p13<br />
audit purposes.<br />
The gateway shall allow mail to be blocked to <strong>and</strong> from<br />
The gateway shall provide spam protection.<br />
The gateway shall keep a log of all email <strong>and</strong> attachments for<br />
13.2.1.2.2.2 Requirements applicable to Internet web access:<br />
13.2.1.2.2.2-p1<br />
World Wide Web.<br />
The gateway shall allow users of the NR domain to browse the<br />
13.2.1.2.2.2-p2 The gateway shall block all attempts toaccess any <strong>and</strong> all<br />
Business LAN NR services from NU/Internet.<br />
13.2.1.2.2.2-p3<br />
DMZ.<br />
13.2.1.2.2.2-p4<br />
All browsing shall be mediated by a proxy device in the gateway<br />
The gateway shall check all data for malicious content.<br />
13.2.1.2.2.2-p5 The gateway shall allow only a configured set of services <strong>and</strong><br />
content types to be accessed from the NR domain.<br />
13.2.1.2.2.2-p6 The gateway shall open <strong>and</strong> inspect https <strong>and</strong> ssl content, <strong>and</strong><br />
check external server certificates for validity.<br />
13.2.1.2.2.2-p7<br />
13.2.1.2.2.2-p8<br />
13.2.1.2.2.2-p9<br />
purposes.<br />
The gateway shall block all uncheckable encrypted data transfer.<br />
The set of domains accessible from NR shall be configurable.<br />
The gateway shall keep a log of all web access for audit<br />
13.2.1.2.2.3 Requirements applicable to telephony:<br />
13.2.1.2.2.3-p1 A VOIP gateway shall allow unified messaging services to be<br />
provided to users of the NR domain.<br />
13.2.1.2.2.4 Requirements applicable to remote access:<br />
13.2.1.2.2.4-p1 The gateway shall support Remote User (NRoI) capabilities for<br />
establishing NRoI VPN connection to the NR Business LAN by supporting access to<br />
the GDGW3 VPN services.<br />
13.2.1.2.2.4-p2<br />
PIA gateway.<br />
The remote user authentication solution shall integrate with the<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-247 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
13.2.1.2.2.5 Requirements applicable to business to business connections:<br />
13.2.1.2.2.5-p1 The gateway shall support VPN relay capabilities for establishing<br />
NR B2B connections to trusted business partners through the NR extranet DMZ<br />
segments <strong>and</strong> the VPN capability of CDGW3.<br />
13.2.1.2.3 CDGW3 services<br />
13.2.1.2.3-p1 The <strong>ANWI</strong> Contractorshall provide a complete<br />
design/architecture for CDGW3 <strong>and</strong> as an option indicated how the PIA gateway<br />
services (see Annex B) can be integrated.<br />
13.2.1.2.3-p2 The CDGW3 shall support the following cross domain<br />
information exchange services as identified in Figure 13.12).<br />
13.2.1.2.3-p3 The CDGW3 shall support the following specific SLTs:<br />
A. Overall capacity of the CDGW3 capability 2 Gbps.<br />
B. Availability of cross domain voice services: 99.995%<br />
Figure 13.12 CDGW3 cross domain services<br />
13.2.1.2.3-p4 The contractor shall implement the following specific CDGW3<br />
cross domain service requirements:<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-248 of 532
N A T O U N C L A S S I F I E D<br />
13.2.1.2.3.1 Requirements applicable to e-mail:<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
13.2.1.2.3.1-p1 The gateway shall allow rewriting of header information such as<br />
‘from’ addresses so that the internal domain structure is concealed from external<br />
recipients.<br />
13.2.1.2.3.1-p2<br />
The gateway shall support aliases <strong>and</strong> distribution lists.<br />
13.2.1.2.3.1-p3 The gateway shall attempt to correct addressing errors in<br />
incoming email by trying to match the address with known NR domain recipients.<br />
13.2.1.2.3.1-p4 All attempts to send NR e-mail to an Internet address shall<br />
generate an alert to a system administrator.<br />
13.2.1.2.3.1-p5 All attempts to send NR e-mail to Internet addresses shall be<br />
blocked <strong>and</strong> quarantined for manual inspection.<br />
13.2.1.2.3.1-p6 The gateway shall block unauthorized types of attachments or<br />
unreadable attachments.<br />
13.2.1.2.3.1-p7 In addition to the security label attached by the originator, all mail<br />
(including attachments) shall be automatically scanned to try to identify classified<br />
content. If such content is identified an alert shall be generated. If such content is<br />
suspected, the email shall be quarantined for manual inspection <strong>and</strong> then either<br />
released or logged as a violation.<br />
13.2.1.2.3.1-p8 All email passing through the gateway shall be scanned for<br />
viruses <strong>and</strong> other malicious content <strong>and</strong> appropriate action taken upon detection.<br />
13.2.1.2.3.1-p9<br />
domains.<br />
13.2.1.2.3.1-p10<br />
The gateway shall allow mail to be blocked to <strong>and</strong> from specified<br />
The gateway shall provide spam protection.<br />
13.2.1.2.3.1-p11 The gateway shall be configured in accordance with Internet<br />
best practice recommendations.<br />
13.2.1.2.3.1-p12<br />
audit purposes.<br />
The gateway shall keep a log of all email message traffic for<br />
13.2.1.2.3.2 Requirements applicable to Internet web access:<br />
13.2.1.2.3.2-p1<br />
DMZ.<br />
13.2.1.2.3.2-p2<br />
All browsing shall be mediated by a proxy device in the gateway<br />
The gateway shall check all data for malicious content.<br />
13.2.1.2.3.2-p3 The gateway shall allow only a configured set of services <strong>and</strong><br />
content types to be accessed from the NR business LAN through CDGW2.<br />
13.2.1.2.3.2-p4 The gateway shall open <strong>and</strong> inspect https <strong>and</strong> ssl content, <strong>and</strong><br />
check external server certificates for validity.<br />
13.2.1.2.3.2-p5<br />
13.2.1.2.3.2-p6<br />
13.2.1.2.3.2-p7<br />
purposes.<br />
The gateway shall block all uncheckable encrypted data transfer.<br />
The set of domains accessible from NR shall be configurable.<br />
The gateway shall keep a log of all web access for audit<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-249 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
13.2.1.2.3.3 Requirements applicable to telephony:<br />
13.2.1.2.3.3-p1 A public to NR voice gateway via CDGW2 shall support the<br />
secure interconnection of Public to NATO voice services at the NU level.<br />
13.2.1.2.3.3-p2 A VOIP gateway shall allow unifiedmessaging services to be<br />
provided to users of the NR domain via CDGW2.<br />
13.2.1.2.3.4 Requirements applicable to remote access:<br />
13.2.1.2.3.4-p1 The gateway shall include VPN termination capabilities for<br />
establishing NRoI VPN connection to the NR network.<br />
13.2.1.2.3.4-p2 The VPN solution shall be able to integrate with the PIA gateway.<br />
13.2.1.2.3.5 Requirements applicable to business to business connections:<br />
13.2.1.2.3.5-p1 The gateway shall include VPN termination capabilities for<br />
establishing NR B2B connections to trusted business partners.<br />
13.2.1.2.4 CDGW4 services<br />
13.2.1.2.4-p1 The CDGW4 shall support the following cross domain<br />
information exchange services as identified inFigure 13.13).<br />
Figure 13.13 CDGW4 cross domain services<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-250 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
13.2.1.2.4-p2 The CDGW4 shall support the following specific SLT:<br />
A. Overall capacity of the CDGW4 capability 100 Mbps.<br />
13.2.1.2.4-p3 The contractor shall implement the following specific CDGW4<br />
cross domain service requirements:<br />
13.2.1.2.4.1 The requirements for the bi-directional email with attachments:<br />
13.2.1.2.4.1-p1 All email <strong>and</strong> attachments passing from NATO to EAPC shall be<br />
checked for ‘releasable to EAPC’ security markings.<br />
13.2.1.2.4.1-p2 The device must be formally accredited to a level specified by a<br />
security risk assessment.<br />
13.2.1.2.4.1-p3<br />
security alerts.<br />
Attempts to send data not marked as releasable shall generate<br />
13.2.1.2.4.1-p4 The device shall be centrally managed by the NCIA Boundary<br />
Protection team at NCIA .<br />
13.2.1.2.4.1-p5<br />
13.2.1.2.4.1-p6<br />
The NEXOR Sentinel device shall be used.<br />
The email interface shall be SMTP.<br />
13.2.1.2.4.1-p7 Availability requirements shall dictate whether an online<br />
redundant configuration is required.<br />
13.2.1.2.4.2 The requirements applicable to directory services:<br />
13.2.1.2.4.2-p1 NCIA shall provide an LDAP service to populate a directory in the<br />
gateway with email addresses <strong>and</strong> other information of all users reachable in or<br />
through the NATO domain. The LDAP service shall read similar directory information<br />
published in the directory from the EAPC CIS <strong>and</strong> publish it in the NATO domain.<br />
The EAPC must provide a similar service to read NATO data <strong>and</strong> write EAPC data in<br />
the DMZ directory. (Note that security requirements shall determine if this should be<br />
a full or partial list of users).<br />
13.2.1.2.4.2-p2<br />
Device.<br />
The LDAP services shall be mediated by a Boundary Protection<br />
13.2.1.2.4.3 The requirements applicable to web browsing<br />
13.2.1.2.4.3-p1 A proxy service in the DMZ shall allow NATO users to access<br />
any web content published in the EAPC domain.<br />
13.2.1.2.4.3-p2 Web browsing from NS to the EAPC domain shall be mediated<br />
by a Boundary Protection Device.<br />
13.2.1.2.4.3-p3 The Boundary Protection Device shall prevent any access to the<br />
NATO domain from the EAPC domain.<br />
13.2.1.2.4.4 The requirements applicable to file transfer:<br />
13.2.1.2.4.4-p1 The Boundary Protection Device shall allow authorised users in<br />
the NATO domain to read <strong>and</strong> write data directly onto data stores in the EAPC<br />
domain.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-251 of 532
N A T O U N C L A S S I F I E D<br />
13.2.1.2.4.5 The requirements applicable NS extranet services:<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
13.2.1.2.4.5-p1 The Boundary Protection Device shall ensure that any (web/file<br />
services) allow authorised users in the NATO domain to read <strong>and</strong> write data directly<br />
onto data stores in the EAPC domain.<br />
13.2.1.2.4.5-p2 The Boundary Protection Device shall ensure that any<br />
information on the extranet DMZ is labelled releasable EAPC.<br />
13.2.1.2.4.5-p3 For the transfer of CIS management information, CDGW4 shall<br />
comply with all requirements as stated for CDGW6, which is essentially only a CIS<br />
management gateway.<br />
13.2.1.2.5 CDGW5 services<br />
13.2.1.2.5-p1 The CDGW5 shall support the following cross domain<br />
information exchange services as identified in Figure 13.14).<br />
Figure 13.14 CDGW5 cross domain services<br />
13.2.1.2.5-p2 The CDGW5 shall support the following specific SLT:<br />
A. Overall capacity of the CDGW5 capability 100 Mbps.<br />
13.2.1.2.5-p3 Automatic data transfer from NS to NR security domain shall be<br />
limited to data classified up to <strong>and</strong> including NR <strong>and</strong> agreed file format <strong>and</strong> protocols<br />
(the BPCs shall be able to validate the format <strong>and</strong> content).Encrypted on<br />
“unreadable” (via the BPCs) data shall be not permitted.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-252 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
13.2.1.2.5-p4 <strong>Initial</strong>ly automatic data transfer shall be limited to short<br />
notification about new e-mail on NS (st<strong>and</strong>ard text (classified NU), no attachments,<br />
no sensitive data included in message (header <strong>and</strong> message body)).<br />
13.2.1.2.5-p5 At the moment there is no accredited solution in NATO which<br />
supports all these services. Lack of evaluated guards is another issue. From these<br />
reasons the services to be supported by the CDGW5 have been limited to the<br />
following list:<br />
A. Email shall be allowed from the NR to the NS security domain.<br />
B. Notification mail, stripped from all sensitive <strong>and</strong>classified NC or above<br />
content, shall be sent from the NS to the NR securitydomain.<br />
C. File transfer shall be allowed from the NR to the NS security domain.<br />
13.2.1.2.5-p6 In the future, when appropriate guards shall be available, this list<br />
can be extended to support additional services initially requested by the NATO HQ<br />
users.<br />
A. Communication via NR-NS interconnection shall be limited to authorized<br />
file formats <strong>and</strong> network protocols (the BPC shall be able to validate the<br />
format of exchanged data).<br />
B. Information exchanged via the interconnection shall follow NATO labelling<br />
schema (Ref. 1.1.1.6.12 <strong>and</strong> 1.1.1.6.13).<br />
C. The interconnection shall be implemented in accordance with Ref.<br />
1.1.1.6.4.<br />
D. For the protocols being transmitted sufficiently secure <strong>and</strong> evaluated<br />
BPDs (e.g. guards) shall be used.<br />
E. There shall be logging <strong>and</strong> auditing in accordance with Ref. 1.1.1.6.5 <strong>and</strong><br />
1.1.1.6.4.<br />
F. The BPDs (e.g. mail guard) shall be evaluated at least to EAL4.<br />
G. GW5 NS->NR: There shall be non-repudiation of origin (not m<strong>and</strong>ated if<br />
only notifications are sent from NS to NR).<br />
H. GW5 NS->NR: There shall be label checking.<br />
i. GW5 NS->NR: There shall be content checking (including, but not limited<br />
to, “dirty words”, file type).<br />
13.2.1.2.5-p7 For the transfer of CIS management information, CD GW5 shall<br />
comply with all requirements as stated for GW6, which is essentially only a CIS<br />
management gateway.<br />
13.2.1.2.6 CDGW6 services<br />
13.2.1.2.6-p1 The CDGW6 shall support the following cross domain<br />
information exchange services as identified in Figure 13.15).<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-253 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Figure 13.15 CDGW6 cross domain services<br />
13.2.1.2.6-p2 The CDGW6 shall support the following specific SLT:<br />
A. Overall capacity of the CDGW5 capability 100 Mbps.<br />
13.2.1.2.6-p3 Gateway 6 (CDGW6), the Public>NS gateway, currently only<br />
supports the transfer of CIS Management information from the public network to NS.<br />
It shall provide the infrastructure to support centralized management of CIS<br />
components residing in the public network, from the NS management network.<br />
13.2.1.2.6-p4 The CDGW6 shall support the cross-domain transfer of:<br />
A. Event messages.<br />
B. (Externally originating) trouble tickets.<br />
C. Status updates.<br />
D. Statistics from CIS components <strong>and</strong> environmental sensors.<br />
E. Configuration data.<br />
F. IP <strong>and</strong> service routing information.<br />
13.2.1.2.6-p5 The message format exchanged across the gateway is typically<br />
structured XML or XML encapsulated bulk data.<br />
13.2.1.2.6-p6 Due to the one way data transfer via a diode, manual intervention<br />
shall be needed to provide “high to low” feedback if <strong>and</strong> when required.<br />
A. CDGW6 shall provide the cross-domain management information<br />
exchange gateway "Public <strong>and</strong> Extranet - NS Management Network". This<br />
is used for "AIS & N/ELM - IOSS" management information exchange.<br />
B. The initial cross-domain management information exchange, provided by<br />
CDGW6, shall be unidirectional low-to-high only (using a data-diode). It is<br />
anticipated that controlled bidirectional exchange of management traffic<br />
shall be available at a later stage.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-254 of 532
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-255 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
C. The N/ELM, within the Public network shall forward notifications of<br />
element, interface <strong>and</strong> (service) status changes to the IOSS (located in<br />
NS) through CDGW6.<br />
D. The AIS/service manager, within the Public network, shall forward<br />
notifications of service status changes to the IOSS (located in NS) through<br />
CDGW6.<br />
E. When/where the exchange of cross-domain management information is<br />
limited to low-to-high, the AIS/service manager <strong>and</strong> N/ELM shall<br />
independently schedule discoveries of configuration <strong>and</strong> topology<br />
changes. The AIS/services manager <strong>and</strong> N/ELM shall compare to a local<br />
CMDB <strong>and</strong> sent changes to the IOSS through CDGW6.<br />
F. Cross domain management information exchange, through CDGW6, shall<br />
be based on the exchange of XML messages.<br />
G. CDGW6 shall provide inspection (access <strong>and</strong> flow control) verifying all<br />
incoming messages. Only messages corresponding to a known <strong>and</strong><br />
allowed message flow shall be forwarded.<br />
H. CDGW6 shall provide viruses <strong>and</strong> malicious code scanning.<br />
i. CDGW6 shall interface with the AIS manager <strong>and</strong> the N/ELM on one side<br />
<strong>and</strong> the IOSS on the other side through the SMC enterprise service bus<br />
(ESB) infrastructure.<br />
J. CDGW6 shall provide release control. This implies: Ensure that the<br />
message corresponds to the defined cross-domain messaging policy. Not<br />
authorised messages/sources/destinations shall be dropped, archived <strong>and</strong><br />
logged.<br />
K. CDGW6 shall have a message firewall function allowing only permitted<br />
message flows. Other messages <strong>and</strong> flows are blocked <strong>and</strong> logged. A<br />
notification is sent on policy violation to the IOSS.<br />
L. The SMC/CDGW6 shall anticipate the future availability of an accredited<br />
bidirectional cross-domain management information exchange gateway<br />
between the public network <strong>and</strong> the NS IOSS management network. This<br />
capability is not likely to be available before initial deployment.<br />
M. A future bidirectional CDGW6 shall allow low-to-high status updates (from<br />
AIS manager to IOSS <strong>and</strong> from N/ELM to IOSS), on dem<strong>and</strong> (requested<br />
from IOSS) low-to-high topology updates (e.g. routing table, connectivity<br />
discovery), on dem<strong>and</strong> (requested from IOSS) low-to-high statistics<br />
forwarding; <strong>and</strong> high-to-low configuration management (IOSS to N/ELM<br />
<strong>and</strong> IOSS to AIS manager).<br />
N. When at a later stage CDGW6 allows controlled bidirectional transfer of<br />
management information, the IOSS shall be able to deploy configuration<br />
changes directly (through a human approval mechanism), request on<br />
dem<strong>and</strong> polls of status <strong>and</strong> configuration, <strong>and</strong> request on dem<strong>and</strong> polls for<br />
statistics counters from network elements. Requests from the IOSS are<br />
executed through the AIS manager or N/ELM in the destination security<br />
domain.<br />
13.2.1.3 Management<br />
13.2.1.3-p1 It is assumed that all the gateways shall be managed by the same<br />
CIS Operating Authority (CISOA) (e.g. NCIA ). Where technically feasible, the
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Boundary Protection Components shall be centrally managed, if possible, from<br />
existing management environments (e.g. centralized firewall management from NCIA<br />
SMD facilities at SHAPE) – see also 13.2.13.<br />
A. The management of the cross domain gateway's Mail guard components<br />
shall be centralized from the high side (typically using a SSH2 terminal<br />
connection).<br />
B. The management of the cross domain gateway's XML guard components<br />
shall be centralized from the high side (typically using a SSH2 terminal<br />
connection).<br />
C. The management of the cross domain gateway firewall components shall<br />
be centralized from the high side.<br />
D. The management of Ethernet switching <strong>and</strong> IP routing component of cross<br />
domain gateways shall be done from the N/ELM located in the security<br />
domain that it belongs to.<br />
E. The management of Data Diode components of cross domain gateways<br />
shall be done from the N/ELM located in the security domain that it<br />
belongs to.<br />
F. The management of the cross domain components in the CIS<br />
management function of CDGW4, CDGW5 <strong>and</strong> CDGW6 shall be possible<br />
from the local management LAN <strong>and</strong> shall be possible centrally from NCIA<br />
.<br />
13.2.1.3.1 Firewall management<br />
13.2.1.3.1-p1 It is assumed that firewalls shall be centrally managed by NCIA ,<br />
similarly as it is conducted nowadays. Currently (2Q 2012) NCIA manages firewalls<br />
from management servers on NU <strong>and</strong> NS level from facilities at SHAPE (<strong>and</strong> backup<br />
facilities at Brunssum, NL). NCIA supports two firewall products: CheckPoint <strong>and</strong><br />
PaloAlto Networks. Both of them are managed from appropriate management<br />
servers (Provider-1 <strong>and</strong> Panorama respectively) <strong>and</strong> dedicated management<br />
workstations at NCIA SMD. Local staffs (from sites where firewall enforcement<br />
modules are installed) in general have no admin rights <strong>and</strong> can conduct only basic<br />
tasks related with enabling connectivity with management servers. They can have<br />
also access to logs from “their” firewall only.<br />
13.2.1.3.1-p2 Firewall monitoring is integrated with NCIRC. Security events<br />
from firewalls are initially submitted to Firewall Management Server, <strong>and</strong> later to<br />
appropriate ArcSight Connector <strong>and</strong> ESM. Example of Figure 13.16 illustrates how it<br />
works in case of CheckPoint Firewall:<br />
A. The logs from the firewall enforcement module, <strong>and</strong> firewall system health<br />
status information are sent to a central management server Provider-1.<br />
B. From Provider 1 logs are sent via the ArcSight Connector for CheckPoint<br />
firewall to the ArcSight Manager, for analysis <strong>and</strong> correlation with logs<br />
from other devices.<br />
C. Finally the logs are stored in an ArcSight database at NCIRC.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-256 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Figure 13.16 Current Central Firewall Management Solution<br />
13.2.1.3.1-p3 The <strong>ANWI</strong> Contractor shall be responsible for the installation <strong>and</strong><br />
initial configuration (to set up network connectivity) of firewalls according to<br />
instructions <strong>and</strong> procedures provided by NCIA SMD.<br />
13.2.1.3.1.1 Guard management<br />
13.2.1.3.1.1-p1 It is assumed, that guard management also shall be centralized<br />
<strong>and</strong> that guards included in <strong>ANWI</strong> CDMs shall be managed by NCIA SMB in similar<br />
ways as nowadays.<br />
13.2.1.3.1.1-p2 As most of the guards currently (2Q 2012) used within NATO<br />
supports local management system console, NCIA uses console server (e.g. Avocent<br />
Advanced Console Server) connected directly to console port of the guard. The<br />
console server is accessible from designated NCIA SMD servers/workstations via<br />
ssh over NS WAN. Copy of guard configuration is stored on management server at<br />
NCIA SMD. Logs from guards are uploaded to log server at NCIA SMD <strong>and</strong> provided<br />
to NCIRC (via appropriate ArcSight Connector) for analysis<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-257 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Figure 13.17 Current Central Guard solution<br />
13.2.1.3.1.1-p3 If the integration of the solution selected for <strong>ANWI</strong> with the<br />
existing (at <strong>ANWI</strong> implementation time) centralized guard management capabilities<br />
shall be technically feasible, the <strong>ANWI</strong> Contractor shall be responsible for installation<br />
<strong>and</strong> initial configuration (to set up network connectivity) of the guards according to<br />
instructions <strong>and</strong> procedures provided by NCIA SMD.<br />
13.2.1.3.2 Data diode servers management<br />
13.2.1.3.2-p1 At the time of writing (2Q 2012), implementation of centralized<br />
management of data diode servers within NATO is on progress. It is assumed that<br />
data diode servers provided by <strong>ANWI</strong> shall be managed in a similar way as the<br />
current management.<br />
13.2.1.3.2-p2 Currently NCIA SMD has management servers deployed in NU<br />
<strong>and</strong> NS management LANs. Management (including configuration <strong>and</strong> log storage) is<br />
very similar to guard management, but this time NCIA connects directly to the diode<br />
servers (<strong>and</strong> not to console servers) via ssh over PAN or NS WAN. Low servers are<br />
managed from NU centralized management facilities <strong>and</strong> high servers from NS, as<br />
presented on Figure 13.18 below<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-258 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Figure 13.18 Current Central Data Diode solution<br />
13.2.1.3.2-p3 If the integration of the solution selected for <strong>ANWI</strong> with the<br />
existing (at <strong>ANWI</strong> implementation time) centralized diode management capabilities<br />
shall be technically feasible, the <strong>ANWI</strong> Contractor shall be responsible for installation<br />
<strong>and</strong> initial configuration (to set up network connectivity) of the diode servers<br />
according to instructions <strong>and</strong> procedures provided by NCIA SMD.<br />
13.2.1.4 Integration<br />
13.2.1.4-p1 The <strong>ANWI</strong> contractor is responsible for integration (reuse) of the<br />
following CDM components/services into the CDM architecture that shall be available<br />
as PFE:<br />
A. PIA: the PIA GW services as available through the PIA GW contract (see<br />
Annex B) shall be used to compose the <strong>ANWI</strong> CDGW3 capability.<br />
B. Intrusion detection services. CDM network <strong>and</strong> host based IDS services<br />
shall be integrated with NCIRC FOC as specified in section 13.2.2.4.<br />
C. (Optional) Integration of reused components <strong>and</strong> SW licenses of the<br />
Current Gateway Components (to be decided after contract award):<br />
1. CDGW 1 <strong>and</strong> CDGW 2/3 Web <strong>and</strong> Messaging Proxies <strong>and</strong> Content<br />
Filtering including AV for HTTP/FTP (see SM06-SM09)<br />
2. CDGW 1 <strong>and</strong> CDGW 2/3 inner <strong>and</strong> outer perimeter <strong>and</strong> application<br />
firewalls <strong>and</strong> routers-switches (SM14, 15, 18-20 22).<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-259 of 532
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-260 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
D. SMC: Integration with <strong>ANWI</strong> <strong>and</strong> Central Management SMC services.<br />
E. AV: Integration with the <strong>ANWI</strong> <strong>and</strong> central AV management services as<br />
specified in 13.2.2.3<br />
13.2.2 AV management<br />
13.2.2.1 <strong>Architecture</strong><br />
13.2.2.1-p1 IA agents <strong>and</strong> software shall be installed on all servers <strong>and</strong> clients<br />
<strong>and</strong> IA platforms in the NNHQ <strong>and</strong> are integrated with Processing Services, Client<br />
Provisioning Service, CDM <strong>and</strong> UCC Services as service features. (called end-point<br />
AV services).<br />
13.2.2.1-p2 On each of the <strong>ANWI</strong> security domains a redundant AV<br />
management server capability shall be installed that shall manage <strong>and</strong> distribute AV<br />
updates to the end-points.<br />
13.2.2.1-p3 AV updates are obtained through the centrally managed AV<br />
updates test <strong>and</strong> verification facility as managed by NIATC <strong>and</strong> are available for the<br />
McAfee, Kasperski, <strong>and</strong> TrendMicro.<br />
13.2.2.2 Service<br />
13.2.2.2-p1 The AV management service is required for each of the <strong>ANWI</strong><br />
security domains <strong>and</strong> for the CDM elements. AV management services shall comply<br />
with the SLT as specified in Table 13.4 AV management SLT.<br />
13.2.2.2-p2 The AV management service shall retrieve updates from the<br />
centralisedNIATC AV management server/portal.<br />
Service Level Target<br />
Parameters<br />
Capacity<br />
Capacity SLTs (6 months<br />
period)<br />
Number of Capacity Shortfall<br />
Incidents<br />
Number of Capacity<br />
Modifications<br />
Resolution Time for Capacity<br />
Adjustments (hours)<br />
Capacity Reserve (%) 25<br />
Availability SLTs (6 months<br />
period)<br />
Service Availability (%) 99.95<br />
Response Time (s)<br />
Number of Service<br />
Interruptions<br />
Duration of Service<br />
Interruptions (hours)<br />
Number of Service<br />
Availability Measurements<br />
Reliability SLTs (6 months<br />
Sufficient AV management server processing <strong>and</strong> network capacity to manage <strong>and</strong> update<br />
all the NATO HQ IT platforms within 2 hours as <strong>and</strong> when new updates are published by<br />
NIATC.<br />
2<br />
1<br />
1<br />
<br />
1<br />
1<br />
Continuous
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Service Level Target<br />
Parameters<br />
period)<br />
Mean Time Between Failures<br />
(MTBF) (hours)<br />
Mean Time Between Critical<br />
Failures (hours)<br />
Number of Critical Failures 1<br />
Maintainability SLTs (6<br />
months period)<br />
Mean Time To Replace /<br />
Repair (MTTR) (hours)<br />
Number of Corrective<br />
Maintenance Actions<br />
Number of Preventive<br />
Maintenance Actions<br />
Turnaround Time in Depot<br />
(hours)<br />
Transportation Time<br />
Between HQ <strong>and</strong> Depot<br />
(hours)<br />
Performance Parameters<br />
TBD<br />
4380<br />
4380<br />
24<br />
<br />
<br />
<br />
<br />
TBD<br />
Table 13.8AV management SLT<br />
13.2.2.3 Management<br />
13.2.2.3-p1 Updates for NS network can be downloaded directly from NIATC<br />
server <strong>and</strong> not manually transferred from NU via air gap as it is done nowadays.<br />
13.2.2.3-p2 Alerts from AV management server shall be submitted to NCIRC via<br />
appropriate ArcSight Connector.<br />
13.2.2.4 Integration<br />
13.2.2.4-p1 Besides the integration of the <strong>ANWI</strong> AV management servers into<br />
the NIATC AV management structure there is an option requirement to<br />
integrate/reuse Malware solutions as in use today:<br />
A. Optional reuse <strong>and</strong> integration of Current Malware SW licenses:<br />
1. Malware protection for server (see SM01)<br />
2. Malware protection for client (SM02)<br />
3. Malware protection for PDA (SM03)<br />
4. Malware protection for email server (SM04)<br />
5. Malware protection for Web server (SM05)<br />
13.2.3 NPKI<br />
13.2.3.1 <strong>Architecture</strong><br />
13.2.3.1-p1 The NPKI architecture is predominantly hosted on the NATO wide<br />
NS <strong>and</strong> NR infrastructures. The NATO HQ infrastructures are aligned with the NPKI<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-261 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
for all four security domains where for the NS <strong>and</strong> NR the RA function is delegated to<br />
the local HQ security Authority.<br />
13.2.3.1-p2<br />
User level certs <strong>and</strong> CRLs are distributed using NEDS.<br />
13.2.3.1-p3 NPKI support for NU <strong>and</strong> EAPC domains shall be provided through<br />
the NS <strong>and</strong> NR domain implying that the CDGW4 <strong>and</strong> CDGW 2 <strong>and</strong> 3 will need to<br />
support (in addition to NPKI based user services) NPKI management services. The<br />
NPKI architecture is further specified Annex B.<br />
13.2.3.2 Service<br />
13.2.3.2-p1 The NPKI service is required for each of the <strong>ANWI</strong> security domains<br />
<strong>and</strong> for the CDM elements. Related to the NATO HQ <strong>ANWI</strong> supported RA servers<br />
the following SLTs are applicable:<br />
Service Level Target Parameters<br />
Capacity<br />
Capacity SLTs (6 months period)<br />
Number of Capacity Shortfall Incidents 2<br />
Number of Capacity Modifications 1<br />
Resolution Time for Capacity Adjustments 1<br />
(hours)<br />
Capacity Reserve (%) 25<br />
Availability SLTs (6 months period)<br />
Service Availability (%) 99.95<br />
Response Time (s)<br />
Number of Service Interruptions 1<br />
Duration of Service Interruptions (hours) 1<br />
Number of Service Availability<br />
Measurements<br />
Reliability SLTs (6 months period)<br />
Mean Time Between Failures (MTBF)<br />
(hours)<br />
Mean Time Between Critical Failures<br />
(hours)<br />
Number of Critical Failures 1<br />
Maintainability SLTs (6 months period)<br />
Mean Time To Replace / Repair (MTTR)<br />
(hours)<br />
Number of Corrective Maintenance<br />
Actions<br />
Number of Preventive Maintenance<br />
Actions<br />
Turnaround Time in Depot (hours)<br />
Transportation Time Between HQ <strong>and</strong><br />
Depot (hours)<br />
Performance Parameters<br />
TBD<br />
Sufficient capacity to h<strong>and</strong>le Certificate Requests for all NPKI dependent<br />
applications (tokens, user authentication, VPN, Application Services, CDM,<br />
NAC/NAP)<br />
<br />
Continuous<br />
4380<br />
4380<br />
24<br />
<br />
<br />
<br />
<br />
TBD<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-262 of 532
N A T O U N C L A S S I F I E D<br />
Table 13.9NPKI NATO HQ RA SLT<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
13.2.3.3 Management<br />
13.2.3.3-p1 The Local NPKI based management is an integrated (delegated<br />
part of the NPKI management) <strong>and</strong> is described in Annex B.<br />
13.2.3.3-p2 The RA shall be locally operated <strong>and</strong> managed. Main management<br />
efforts are to ensure that the Directory Services based interfaces (NEDS) are<br />
operational in the NCIA centrally managed NPKI infrastructure (e.g. the CA <strong>and</strong> Sub-<br />
CA’s).<br />
13.2.3.3-p3 Alerts from RA servers shall be submitted to NCIRC via appropriate<br />
ArcSight Connector.<br />
13.2.3.3.1 Integration<br />
13.2.3.3.1-p1 The <strong>ANWI</strong> project shall integrate for all its PKI services into the<br />
NPKI infrastructure.<br />
13.2.4 Incident Management<br />
13.2.4.1 <strong>Architecture</strong><br />
13.2.4.1-p1 The NATO HQ incident management services are an integrated part<br />
of the NATO (Alliance) wide Incident management infrastructure that on the NATO<br />
side is realised via the NCIRC FOC project.<br />
13.2.4.1-p2 IA agents <strong>and</strong> software shall be installed on all servers <strong>and</strong> clients<br />
in the NNHQ. Network-based IDS shall be part of CDM. Placement of online<br />
computer forensics<strong>and</strong> Full Packet Capture shall be coordinated with NCIRC FOC.<br />
13.2.4.2 Service<br />
13.2.4.2-p1 The incident management service is required for each of the <strong>ANWI</strong><br />
security domains <strong>and</strong> for the CDM elements. The NATO HQ SLTs are directly<br />
derived from the NCIRC FOC SLTs:<br />
Service Level Target Parameters<br />
Capacity<br />
Capacity SLTs (6 months period)<br />
Number of Capacity Shortfall<br />
Incidents<br />
Number of Capacity<br />
Modifications<br />
Resolution Time for Capacity<br />
Adjustments (hours)<br />
Capacity Reserve (%) 25<br />
Availability SLTs (6 months<br />
period)<br />
Service Availability (%) 99.95<br />
Response Time (s)<br />
Sufficient capacity to locally manage, analyse, collect, store <strong>and</strong> forward all logging<br />
based incidents <strong>and</strong> required reports to NCIRC FOC.<br />
2<br />
1<br />
1<br />
<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-263 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Service Level Target Parameters<br />
Number of Service Interruptions 1<br />
Duration of Service Interruptions<br />
(hours)<br />
Number of Service Availability<br />
Measurements<br />
Reliability SLTs (6 months<br />
period)<br />
Mean Time Between Failures<br />
(MTBF) (hours)<br />
Mean Time Between Critical<br />
Failures (hours)<br />
Number of Critical Failures 1<br />
Maintainability SLTs (6 months<br />
period)<br />
Mean Time To Replace / Repair<br />
(MTTR) (hours)<br />
Number of Corrective<br />
Maintenance Actions<br />
Number of Preventive<br />
Maintenance Actions<br />
Turnaround Time in Depot<br />
(hours)<br />
Transportation Time Between<br />
HQ <strong>and</strong> Depot (hours)<br />
Performance Parameters<br />
TBD<br />
1<br />
Continuous<br />
4380<br />
4380<br />
24<br />
<br />
<br />
<br />
<br />
TBD<br />
Table 13.10NPKI NATO HQ RA SLT<br />
13.2.4.3 Management<br />
A. The <strong>ANWI</strong> Incident Management services shall fully integrate into the<br />
NCIRC FOC IDS <strong>and</strong> FPC management.<br />
B. The <strong>ANWI</strong> Incident Management services network interface shall be<br />
provided via a redundant VPN interface to the NCIRC FOC management<br />
capability.<br />
13.2.4.3.1 NCIRC sensor management: ID/PS, OCF <strong>and</strong> FPC management<br />
13.2.4.3.1-p1 Current management of IDS sensors (network- <strong>and</strong> host-based)<br />
<strong>and</strong> online computer forensic <strong>and</strong> full packet capture is conducted by NCIRC. Note:<br />
According to [Ref 1.1.1.6.49], forensic packet capture should be installed in:<br />
A. NU/NR networks: Gateways, then remote sites.<br />
B. NS: Gateways, then backbone nodes <strong>and</strong> optionally remote sites.<br />
13.2.4.3.1-p2 At the time of writing (2Q 2012), NCIRC has implemented two<br />
management <strong>and</strong> monitoring centres:<br />
A. NU level for monitoring unclassified NATO systems <strong>and</strong> their connection<br />
to the Internet – NCIRC TC NU.<br />
B. NS level for monitoring NS systems <strong>and</strong> their interconnection to NS WAN<br />
<strong>and</strong>/or Mission systems – NCIRC TC NS.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-264 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
13.2.4.3.1-p3 NCIRC FOC project will enhance existing infrastructure,<br />
implement additional sensors at critical sites <strong>and</strong> “upgrade” NCIRC TC NU<br />
management environment to NU/NR level. When NCIRC FOC will be completed,<br />
NCIRC will be able to manage sensors located in NU, NR, NS <strong>and</strong> MS domain <strong>and</strong><br />
collect logs from different BPCs (e.g. firewalls) located within all of these domains as<br />
illustrated on Figure 13.19 below.<br />
NCIRC TC<br />
NCIRC TC NR<br />
NCIRC TC NS<br />
TIER 2 – NCIRC <strong>Technical</strong> Centre<br />
SIEM<br />
Other NCIRC services<br />
Management<br />
Servers/ Log collection - NR<br />
SIEM<br />
Other NCIRC services<br />
Management<br />
Servers/ Log collection - NS<br />
Management<br />
Servers/<br />
Log collection - NU<br />
BPS<br />
Management<br />
Servers/<br />
Log Collection - MS<br />
BPS<br />
TIER 3 – CIS Operating Authorities<br />
Management<br />
servers - NU<br />
Internet<br />
NGCS<br />
Management<br />
servers - NR<br />
Management<br />
servers - MS<br />
NGCS<br />
Management<br />
servers - NS<br />
sensors/agents - NU<br />
sensors/agents – NR<br />
sensors/agents - MS<br />
sensors/agents – NS<br />
Figure 13.19 NCIRC sensors management<br />
13.2.4.3.1-p4 <strong>Architecture</strong> of NCIRC TC NR <strong>and</strong> NCIRC TC NS is similar <strong>and</strong><br />
consists of:<br />
A. Management Servers for each type of sensor/product managed by NCIA<br />
<strong>System</strong> Management Division (SMD).<br />
B. ArcSight Connectors for collecting events from different product/sensors<br />
(e.g. firewalls, network- <strong>and</strong> host based-IDS/IDP).<br />
C. Arcsight Enterprise Management <strong>System</strong>s (EMS) collecting events from<br />
ArcSight Connectors <strong>and</strong> performing event correlation <strong>and</strong> analysis.<br />
D. ArcSight database – for mid-term storage of collected events.<br />
13.2.4.3.1-p5 To manage <strong>and</strong> monitor network-based IDS/IDP sensors NCIRC<br />
currently (2Q 2012) uses small dedicated VPN gateways connected directly to an<br />
interface of network-based IDS. Similar approach will be used for NCIRC FOC.<br />
Events from the sensors are submitted via VPN tunnel over NGCS (for NS <strong>and</strong> NR<br />
(in the future)) or Internet (for NU) to IDS/IDP Management server located at NCIRC.<br />
From this server, events are sent via appropriate ArcSight Connector to Arcsight<br />
Enterprise Management <strong>System</strong> (used for event correlation <strong>and</strong> analysis). Sensor<br />
management is performed from the Management Server at NCIRC - policies <strong>and</strong><br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-265 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
configurations are pushed from this server to sensors via VPN tunnel over NGCS (for<br />
NS <strong>and</strong> NR (in the future)) or Internet (for NU).<br />
13.2.4.3.1-p6 Management/event monitoring for forensic packet capture<br />
devices is performed in similar way. The <strong>ANWI</strong> Contractor shall be responsible for<br />
installation <strong>and</strong> initial configuration (to set up network connectivity) of IDS/IDPs, OCF<br />
<strong>and</strong> FPCs according to instructions <strong>and</strong> procedures provided by NCIRC.<br />
Figure 13.20: Current NCIRC solution<br />
13.2.4.4 Integration<br />
13.2.4.4-p1 All ID/PS based products shall be in line with NCIRC FOC <strong>and</strong><br />
provided as PFE to the <strong>ANWI</strong> contractor.<br />
13.2.4.4-p2 <strong>ANWI</strong> contractor shall integrate the NCIRC FOC agents with all<br />
<strong>ANWI</strong> platforms (all servers all CDM elements).<br />
13.2.5 Security Patches <strong>and</strong> Configuration Management<br />
13.2.5-p1 See 13.1<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-266 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
SECTION 14. ANNEX F: INFRASTRUCTURE SERVICES<br />
14.1 APPENDIX 1: Introduction to Infrastructure Services<br />
14.1.1 Definition<br />
14.1.1-p1 The infrastructure services are fundamental services that are metered<br />
<strong>and</strong> also provide capabilities to support <strong>and</strong> deliver other services (IaaS). These<br />
capabilities will allow the other consuming services to be able to operate <strong>and</strong> offer<br />
user features.<br />
14.1.1-p2 The infrastructure services can be perceived as platform services<br />
closely linked to the Information <strong>and</strong> Communication <strong>System</strong>s equipment, in short:<br />
the <strong>ANWI</strong> platform. This service shall be used to host other Core Enterprise Service’<br />
specific CoI or enabling CoI services in support of user applications <strong>and</strong>/or to be<br />
accessed by user devices.<br />
14.1.2 Service Overview<br />
14.1.2-p1 The Infrastructure service shall provide the service provider<br />
(Contractor/ICTM) with the infrastructure, software <strong>and</strong> management solution to<br />
effectively assign resources for other services, application hosting <strong>and</strong> user<br />
provisioning.<br />
14.1.2-p2 Besides the physical hardware (e.g. servers, storage <strong>and</strong> switches) it<br />
shall also provide the virtualization <strong>and</strong> Operating system layer as well as the<br />
st<strong>and</strong>ard infrastructure service features (e.g. authentication, file sharing, etc.).<br />
14.1.2-p3 Advanced management <strong>and</strong> security products <strong>and</strong> features (e.g. QoS,<br />
I/O optimization <strong>and</strong> data guards) shall provide infrastructure resources to be<br />
assigned to specific services.<br />
14.1.3 Scope<br />
14.1.3-p1 The capabilities that shall make up the infrastructure services platform<br />
are:<br />
A. Physical Data Centre (Mechanical <strong>and</strong> Electrical) – Provided as PFE.<br />
B. Processing service (Physical Servers).<br />
C. Storage service (data storage).<br />
D. Virtualization Capability.<br />
E. Networking service (Wired <strong>and</strong> Wireless LAN).<br />
F. Cross-Domain Modules (Border Protection <strong>and</strong> monitoring):<br />
G. Operating <strong>System</strong>s (Windows, UNIX, Linux).<br />
H. Infrastructure Network Services capabilities:<br />
1. Identification <strong>and</strong> Authentication (based on MS Active Directory/NPKI).<br />
2. Network access control solution to protect the network.<br />
3. Supporting services like DNS, DHCP, time services, etc.<br />
4. File serving.<br />
5. Web Browsing (Proxy).<br />
6. Printing <strong>and</strong> scanning.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-267 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
14.1.3-p2 Figure 14.1 provides an overview of the Infrastructure Services mapped<br />
to the Services Taxonomy as introduced in Annex C as represented by the blue<br />
section.<br />
Figure 14.1: Infrastructure overview<br />
14.1.4 Service Requirements<br />
14.1.4-p1 The Contractor shall design the infrastructure capabilities to deliver the<br />
required <strong>ANWI</strong> Infrastructure Services as specified in Appendices 14.2-14.6.<br />
14.1.4-p2 The Contractor shall clearly describe how the service <strong>and</strong> the individual<br />
components are integrated into the Service Management <strong>and</strong> Control (SMC) <strong>and</strong><br />
Information Assurance Services to support the overall ICT SMC <strong>and</strong> IA management<br />
concept as indicated in figure 14.1 <strong>and</strong> defined in Annex E.<br />
14.1.4-p3 The Infrastructure Services shall be sized to support all the current<br />
applications <strong>and</strong> the expected near future applications (Annex B).<br />
14.1.4-p4 The physical Data Centre capabilities shall be provided as PFE (Annex<br />
B). The Contractor shall use no more than 50% of the total allocation of power,<br />
cooling <strong>and</strong> floor space in his calculations as the data centre is shared with other<br />
PFE services.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-268 of 532
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-269 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
14.1.4-p5 The Contractor shall base his estimates for sizing of the infrastructure<br />
capabilities on the requirement figures provided later in this section.<br />
14.1.4-p6 Infrastructure shall be available on all 4 networks – NATO SECRET,<br />
EAPC SECRET, NR <strong>and</strong> PUBLIC.<br />
14.1.4-p7 Under appropriately protected configurations, different network<br />
classifications may be consolidated on the same infrastructure (Hardware) but<br />
virtually separated. Only NATO accredited or National COMSEC approved solutions<br />
shall be offered. In case of National COMSEC approved solutions the <strong>ANWI</strong><br />
Contractorshall still hold responsibility for the security accreditation effort under the<br />
<strong>ANWI</strong> scope. In case of rejection the <strong>ANWI</strong> contractor shall be responsible for<br />
alternative solutions to satisfy the requirements in the contract without cost impact<br />
(overall TCO impact).<br />
14.1.5 Service Level Agreement/Targets<br />
14.1.5-p1 As indicated in the definition, the Infrastructure Service provides the<br />
base capabilities for all other services <strong>and</strong> as such shall have the highest required<br />
availability.<br />
14.1.5-p2 The Infrastructure Service shall have a service availability of 99.99%<br />
across both server rooms. This availability figure shall be achieved end-to-end over<br />
all underlying infrastructure sub-services unless otherwise specified.<br />
14.1.5-p3 For some of the sub-services described in the appropriate appendix,<br />
some performance degradation is acceptable in case of a catastrophic failure (ex.<br />
Server room failure). More details are found in the corresponding Infrastructure<br />
Services appendices.<br />
14.1.5-p4 The <strong>ANWI</strong> contractor shall provide an additional 25% capacity for all the<br />
required infrastructure services to host additional information <strong>and</strong> application<br />
services. The infrastructure services shall provide a flexible capacity expansion<br />
beyond the required 125%.<br />
14.1.6 Service Testing <strong>and</strong> Reporting<br />
14.1.6-p1 The Infrastructure Services are managed through the SMC <strong>and</strong> shall<br />
provide the Service Level Target (SLT) metrics reporting on each infrastructure subservice<br />
to measure the compliance of the service against the defined Service Level<br />
Agreement (SLA).<br />
14.1.6-p2 Individual sub-services shall be tested for compliance against the<br />
technical requirements of the specific sub-service.<br />
14.1.6-p3 Overall end-to-end infrastructure integration tests shall be conducted to<br />
verify the integration of the individual capability into the Infrastructure Service. These<br />
integration tests shall also include the measurement metrics supporting the SMC <strong>and</strong><br />
IA capabilities <strong>and</strong> requirements.<br />
14.1.7 Dependencies<br />
14.1.7-p1 The Infrastructure Service interfaces with several different entities <strong>and</strong><br />
the Contractor shall identify, assess <strong>and</strong> mitigate these risks in the service’s design<br />
<strong>and</strong> shall log these risks in the Risk Register.
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
14.1.7-p2 The <strong>ANWI</strong> Infrastructure Services shall interface with <strong>and</strong> integrate to<br />
the external context as shown in figure 14.2 consisting of the following major entities<br />
(for more information see Annex D:<br />
A. NGCS<br />
B. NATO services.<br />
C. Commercial Network Services.<br />
D. Active <strong>and</strong> Passive Building Facility related services.<br />
E. Business Application services.<br />
Figure 14.2: External interfaces<br />
14.1.7-p3 The <strong>ANWI</strong> Infrastructure Services shall interface with the external<br />
NATO CIS services (for more information, see Annex B).<br />
14.1.7-p4 The <strong>ANWI</strong> Infrastructure Services shall interface with the external<br />
Commercial Networks Services (for more information, see Annex B).<br />
14.1.7-p5 The <strong>ANWI</strong> Infrastructure Services shall interface with the external<br />
Active <strong>and</strong> Passive Building Facility Related Services (for more information, see<br />
Annex B).<br />
14.1.7-p6 The <strong>ANWI</strong> Infrastructure Services shall interface with the Business<br />
Applications (for more information, see Annex B).<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-270 of 532
N A T O U N C L A S S I F I E D<br />
14.2 APPENDIX 2: Processing Services<br />
14.2.1 Definition<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-271 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
14.2.1-p1 The processing service is an essential back-end of the Infrastructure<br />
Service providing the resources (CPU <strong>and</strong> memory) to host core <strong>and</strong> functional<br />
applications.<br />
14.2.2 Scope/Scenario<br />
14.2.2-p1 The processing service is a critical component of the Infrastructure<br />
Service that shall use the latest NATO approved OS including updates <strong>and</strong> patches.<br />
14.2.2-p2 The processing service shall deliver physical <strong>and</strong> virtual servers in a<br />
resilient configuration, spread over two server rooms to host other services <strong>and</strong><br />
applications.<br />
14.2.2-p3 The processing service shall provide server consolidation through<br />
virtualization to optimize the use of available processing resources supporting the<br />
running of multiple services on the same physical hardware.<br />
14.2.2-p4 The <strong>ANWI</strong> Contractor shall size the processing service to support all<br />
<strong>ANWI</strong> services in this SOW with additional 25% free resources (CPU <strong>and</strong> memory) to<br />
support expected near-future applications. To support the current Business<br />
Applications the contractor shall provide processing resources to provision the<br />
amount of servers as indicated in the table (ICTM apps) in section 14.2.3.4 Table<br />
14.1.<br />
14.2.2-p5 The <strong>ANWI</strong> Contractor’s processing service shall be designed to easily<br />
exp<strong>and</strong> the service for future growth, beyond the provided 25% identified above.<br />
14.2.3 Service Requirements<br />
14.2.3.1 Domains<br />
14.2.3.1-p1 The <strong>ANWI</strong> Contractor shall deliver <strong>and</strong> install processing services<br />
on all 4 networks – NATO SECRET, EAPC SECRET, NR <strong>and</strong> PUBLIC in a high<br />
available configuration across the two NNHQ server rooms to create a NNHQ data<br />
centre.<br />
14.2.3.2 Location<br />
14.2.3.2-p1 The <strong>ANWI</strong> Contractor’s server room design shall be planned around<br />
the building’s physical layout provisions <strong>and</strong> constraints (a representative Server<br />
Room layout is provided in Annex B):<br />
A. The current server room design has enough floor space for 100+ racks per<br />
server room.<br />
B. It has raised floors, with cold air entering from below the floor.<br />
C. Racks are placed in 10 rows, with the backs of a pair of racks covered,<br />
thus creating hot aisles.<br />
14.2.3.2-p2<br />
14.2.3.2-p3<br />
Power distribution is located above the racks.<br />
The average cooling capacity per Server Room rack is 3.2 kW.
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-272 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
14.2.3.2-p4 The total heat that can be dissipated by the cooling system per<br />
Server room is 378kW (7 CRACs of 54kW each).<br />
14.2.3.2-p5<br />
The average power per double row of racks is 72kW.<br />
14.2.3.2-p6 Each server room has up to 360kW of available electrical power,<br />
supported by UPS, in fully redundant mode.<br />
14.2.3.2-p7 The <strong>ANWI</strong> Contractor provided server room concept shall ensure<br />
that:<br />
A. All server power supplies shall be at least 90% efficient.<br />
B. All server processors shall support power management.<br />
C. The processing service design shall specify server consolidation.<br />
D. The processing service design shall specify flexibility <strong>and</strong> scalability to limit<br />
overprovisioning.<br />
14.2.3.2-p8 The processing service design shall specify "virtualization, unless<br />
specifically not recommended by specific software vendor or test results confirm the<br />
need for physical servers, AND approved by Purchaser".<br />
14.2.3.2-p9<br />
components.<br />
14.2.3.2-p10<br />
solution.<br />
The processing service design shall specify st<strong>and</strong>ardization of<br />
The processing service design shall specify a high available<br />
14.2.3.3 Minimum Hardware Procurement Specifications (MHWPS)<br />
14.2.3.3-p1 The <strong>ANWI</strong> shall comply with the following hardware <strong>and</strong> software<br />
requirements, over <strong>and</strong> above those requirements identified in the minimum<br />
hardware procurement specifications (MHWPS see 1.1.1.5.1); the server shall<br />
comply at minimum with the GP server or blade server requirements from the<br />
MHWPS.<br />
14.2.3.3-p2<br />
The server shall support 2 to 4 processors.<br />
14.2.3.3-p3 The server processor shall be x64 AND x86 compatible (or any<br />
future generation processor, if mainstream by 2015).<br />
14.2.3.3-p4 The memory modules shall be current technology, <strong>and</strong> in line with<br />
the server specifications <strong>and</strong> shall be installed according to the br<strong>and</strong>’s specifications<br />
to ensure optimal performance.<br />
14.2.3.3-p5 All servers (physical <strong>and</strong> virtual) shall support IPv4 <strong>and</strong> IPv6 in a<br />
dual stack configuration.<br />
14.2.3.3-p6 All servers shall have redundant connections to the LAN <strong>and</strong> the<br />
storage network.<br />
14.2.3.3-p7 All servers shall have an option for adding extra connectivity<br />
hardware; minimum expansion of 1 LAN <strong>and</strong> 1 SAN<br />
14.2.3.3-p8<br />
specifications.<br />
14.2.3.3-p9<br />
from SAN<br />
The hardware shall be current technology, in line with the server<br />
There shall be a minimum of 60 GB per server <strong>and</strong> support for Boot
N A T O U N C L A S S I F I E D<br />
14.2.3.3-p10 The controller shall support RAID 1.<br />
14.2.3.3-p11<br />
later.<br />
14.2.3.3-p12<br />
14.2.3.3-p13<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
The server shall be certified for Windows Server 2008 R2 SP1 or<br />
The server shall be certified for VMware vSphere 5 or later.<br />
The server shall be 19" rack mountable, directly or in an enclosure.<br />
14.2.3.3-p14 Operating temperature: The servers shall be able to operate at<br />
maximum efficiency in between 10°C - 35°C.<br />
14.2.3.3-p15<br />
The servers shall have an infrastructure management port.<br />
14.2.3.4 Scaling per Network Classification<br />
14.2.3.4-p1 The <strong>ANWI</strong> Contractor shall scale the processing services for each<br />
classification as identified below:<br />
NS EAPC Business Public<br />
<strong>ANWI</strong> Core TBD by Ctr TBD by Ctr TBD by Ctr TBD by Ctr<br />
ICTM Apps 500 10 1000 50<br />
ESS - - Post EDC -<br />
BMS<br />
Post EDC<br />
AVI Post EDC Post EDC Post EDC Post EDC<br />
Table 14.1 Processing service scaling<br />
14.2.3.4-p2 For ICTM Application 15% of the servers cannot be virtualised, the<br />
remaining servers can be virtualised with the same scalability as defined in 14.2.3.4-<br />
p4. The total number of ICTM Application servers is across both server rooms.<br />
14.2.3.4-p3 The <strong>ANWI</strong> Contractor’s design shall provide information on how the<br />
processing capability shall be scaled based on the requirement that virtualization is<br />
the preferred design approach, but recognising that physical servers may still be<br />
required beyond the virtualization host servers.<br />
14.2.3.4-p4<br />
server:<br />
14.2.3.4-p5<br />
14.2.3.4-p6<br />
The <strong>ANWI</strong> shall provide the following minimum resources per virtual<br />
There shall be at least one core per two virtual servers.<br />
Physical <strong>and</strong> Virtual Servers shall have a minimum 4 GB RAM.<br />
14.2.3.4-p7 Connectivity of the physical server shall be at least 0,25 Gbps per<br />
virtual server to LAN <strong>and</strong> storage network.<br />
14.2.3.4-p8 The <strong>ANWI</strong> Contractor design <strong>and</strong> implementation shall build the<br />
<strong>ANWI</strong> with COTS st<strong>and</strong>ard components acknowledging that the final distribution of<br />
processing components across the different classifications shall be optimized at the<br />
latest possible stage (such that the overall processing requirement is unchanged but<br />
noting that a reduction of processing requirement on the NS network are<br />
compensated with a comparable increase in processing on the Business network).<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-273 of 532
14.2.3.5 Virtualization <strong>and</strong> OS Baseline<br />
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-274 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
14.2.3.5-p1 The <strong>ANWI</strong> Contractor’s <strong>ANWI</strong> design <strong>and</strong> implementation shall<br />
provide the following hypervisor features:<br />
14.2.3.5-p2<br />
The hypervisor shall provide administrative tools for management.<br />
14.2.3.5-p3 The server virtualisation design shall not be impacted by the<br />
hypervisor limitations.<br />
14.2.3.5-p4<br />
16.<br />
14.2.3.5-p5<br />
14.2.3.5-p6<br />
14.2.3.5-p7<br />
14.2.3.5-p8<br />
The maximum amount of physical server per cluster shall be at least<br />
The hypervisor shall support High Availability options.<br />
The hypervisor shall support Live Migration of VM's.<br />
Thin provisioning shall be supported by the hypervisor.<br />
Virtual switches shall be supported by the hypervisor.<br />
14.2.3.5-p9 The Hypervisor shall support use of MS Windows Server <strong>and</strong><br />
Desktop OS's, Linux OS's, Unix Os's.<br />
14.2.3.5-p10 Support for the Hypervisor by the technology provider shall last for<br />
at least 5 more years.<br />
14.2.3.5-p11 The <strong>ANWI</strong> Contractor’s design <strong>and</strong> implementation shall provide for<br />
the following server operating system’s requirements of:<br />
14.2.3.5-p12 On the NS Network NNHQ shall join the NATO AIS Active Directory<br />
domain <strong>and</strong> email organization.<br />
14.2.3.5-p13<br />
configuration.<br />
14.2.3.6 Information Assurance<br />
St<strong>and</strong>ard OS environment will be PFE NATO Server Baseline<br />
14.2.3.6-p1 The <strong>ANWI</strong> Contractor’s design <strong>and</strong> installation shall take into<br />
account the following restrictions for the placement of electronic equipment of<br />
different classifications [ref SDIP 29/1] <strong>and</strong> their physical or virtual separation (see<br />
1.1.1.3.3).<br />
14.2.3.6-p2 Server room layout: Components from different classifications shall<br />
be at least one meter apart in all dimensions.<br />
14.2.3.6-p3 The <strong>ANWI</strong> Contractor shall implement a NATO-approved Anti-Virus<br />
solution (listed on current (at implementation time) version of AFPL - 1.1.1.8.4).<br />
14.2.3.6-p4<br />
14.2.3.6-p5<br />
14.2.3.6-p6<br />
14.2.3.6-p7<br />
Every server shall have an antivirus product installed <strong>and</strong> running.<br />
Antivirus software shall be kept up to date.<br />
Antivirus policy in case of an outbreak shall be in place.<br />
Antivirus management server(s) shall be in place per network.<br />
14.2.3.6-p8 An antivirus product from a different vendor (than the servers <strong>and</strong><br />
workstations) shall be deployed on Microsoft Exchange Servers to check user<br />
mailboxes for malicious code.
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
14.2.3.6-p9 The <strong>ANWI</strong> Contractor’s IDS/IPS design <strong>and</strong> implementation shall<br />
meet the following requirements:<br />
14.2.3.6-p10 Host Intrusion Protection Software (HIPS) shall be procured <strong>and</strong><br />
installed on critical servers.<br />
14.2.3.6-p11<br />
14.2.3.6-p12<br />
14.2.3.6-p13<br />
requirements:<br />
The NCIRC supported HIDS product shall be deployed.<br />
The HIPS shall be managed centrally by the NCIRC.<br />
The <strong>ANWI</strong> Contractor shall implement the following security setting<br />
14.2.3.6-p14 The appropriate NCIRC provided (at contract award) role based<br />
security settings shall be applied to the appropriate servers.<br />
14.2.3.6-p15 Settings for Windows Servers shall be managed centrally via the<br />
use of Microsoft Group Policy.<br />
14.2.3.6-p16 NCIRC Security settings for virtualisation software shall be applied<br />
to the virtualised environment.<br />
14.2.3.6-p17<br />
requirements:<br />
The <strong>ANWI</strong> shall meet the following Forensic examination<br />
14.2.3.6-p18 The NCIRC shall have the ability to carry out online forensic<br />
examinations of all servers.<br />
14.2.3.6-p19 The Forensic Agent selected by NCIRC FOC shall be deployed on<br />
all servers. (PFE)<br />
14.2.3.6-p20<br />
14.2.3.7 Service Management<br />
The agents shall be managed centrally by the NCIRC.<br />
14.2.3.7-p1 The <strong>ANWI</strong> Contractor shall implement the following Server<br />
infrastructure management features:<br />
14.2.3.7-p2 The AIS monitoring manager shall monitor the physical <strong>and</strong> virtual<br />
infrastructures for each network classification.<br />
14.2.3.7-p3<br />
status.<br />
The AIS monitoring manager shall monitor the server hardware<br />
14.2.3.7-p4 The SMC shall receive event notifications from relevant<br />
environmental monitoring <strong>and</strong> control systems in key equipment rooms <strong>and</strong> correlate<br />
these to impact on infrastructure <strong>and</strong> service health.<br />
14.2.3.7-p5 Computing hardware shall support an open platform management<br />
interface like Intelligent Platform Management Interface (IPMI). Platform status<br />
information shall be reported to the SMC.<br />
14.2.3.7-p6 The SMC shall monitor <strong>and</strong> manage the Processing capacity. It<br />
shall be able to provide accurate capacity information <strong>and</strong> also support future<br />
capacity assessment.<br />
14.2.3.7-p7 The SMC shall provide management for virtualized <strong>and</strong> nonvirtualized<br />
services including a Lights-out physical equipment h<strong>and</strong>ling.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-275 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
14.2.3.7-p8 The <strong>ANWI</strong> Contractor shall design the processing services based<br />
on all required capabilities (including the high level capabilities requirements of<br />
service management <strong>and</strong> information management) <strong>and</strong> clearly describe how the<br />
processing service <strong>and</strong> its individual capabilities are integrated in the service<br />
management concept (SMC).<br />
14.2.3.7-p9 The <strong>ANWI</strong> Contractor’s provided Processing Service shall conform<br />
to the following Service Level Agreement/Targets:<br />
14.2.3.7.1.1.1.1 Service Level Target Parameters<br />
Capacity SLTs<br />
Availability SLTs<br />
Service Availability (%)<br />
Max number for scheduled downtimes (month)<br />
Manageability SLTs<br />
Frequency of Service Measurements<br />
Frequency of SLA Reports<br />
Max Time to provision new Server (Virtual-Physical)<br />
Reliability SLTs<br />
Service reliability (%)<br />
Maintainability SLTs<br />
Mean Time To Restore (MTTR) (hours)<br />
99,5%<br />
1<br />
Continuous<br />
Daily/Weekly<br />
2-8 hours<br />
>99,99%<br />
Table 14.2 Network Infrastructure processing SLTs<br />
4<br />
14.2.4 Management <strong>and</strong> Operational Requirements<br />
14.2.4.1 Interfaces<br />
14.2.4.1-p1 The <strong>ANWI</strong> processing service design shall describe the following<br />
internal interfaces <strong>and</strong> dependencies:<br />
Processing<br />
Storage<br />
Printing<br />
User Services<br />
Processing X X X X X X X X X X X X X X X X X X X X X X X X X X<br />
AD<br />
DNS<br />
DHCP<br />
NTP<br />
NAC<br />
Client Provisioning<br />
LAN<br />
Cross Domain<br />
Email<br />
Table 14.3 Network Infrastructure processing interfaces<br />
IM<br />
Voice<br />
VTC services<br />
Presence<br />
Collaboration<br />
IPTV<br />
File services<br />
Remote users<br />
Browsing<br />
ESS<br />
AVI<br />
BMS<br />
ICTM applications<br />
Web Publishing<br />
SMC<br />
14.2.4.2 Backup <strong>and</strong> Recovery<br />
14.2.4.2-p1 The <strong>ANWI</strong> Contractor shall design <strong>and</strong> implement a back-up<br />
strategy that supports all servers (physical <strong>and</strong> virtual) <strong>and</strong> additional applications<br />
running on the processing capability by the data storage service.<br />
14.2.4.2-p2 The <strong>ANWI</strong> Contractor shall ensure that in case of failures, the <strong>ANWI</strong><br />
service level target m<strong>and</strong>ates the problem resolution for a RTO of 4 hours.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-276 of 532
14.2.5 Testing<br />
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
14.2.5-p1 The <strong>ANWI</strong> Contractor shall test the processing service using the<br />
following End-to-End Test Scenarios:<br />
A. Processing service stress test with load simulation (CPU <strong>and</strong> memory<br />
stressing).<br />
B. Monitoring period (ex. 15 days) after the initial loading <strong>and</strong> migration of<br />
Core applications (e.g. E-Mail).<br />
C. Monitoring period (ex. 15 days) after loading <strong>and</strong> migration of ICTM<br />
applications (e.g. Document system).<br />
D. Overall processing capacity reporting:<br />
1. Allocated resources.<br />
2, Headroom for Growth – 25%.<br />
3. <strong>System</strong> Overhead (e.g. VM host).<br />
E. High Availability features – Server room fail-over.<br />
F. Provisioning of a new Server (virtual).<br />
1. Resource allocation flexibility/control.<br />
G. Fail-over simulation <strong>and</strong> availability check for different services.<br />
H. Backup <strong>and</strong> Recovery<br />
i. Live migration of running service (e.g. Scheduled HW maintenance).<br />
J. Performance metering:<br />
1. Sustained performance metering for a fixed period to endorse resource<br />
capacity allocation figures.<br />
2. Resource allocation reporting over certain time period (5days – 3<br />
weeks).<br />
3. Server (Physical/Virtual) Backup <strong>and</strong> Recovery.<br />
14.2.6 Training<br />
14.2.6-p1 The <strong>ANWI</strong> Contractor shall train the ICTM on how to install, configure<br />
<strong>and</strong> troubleshoot the following areas to support the processing service:<br />
A. Hardware installation <strong>and</strong> configuration.<br />
B. Hardware troubleshooting <strong>and</strong> fault finding.<br />
C. Hardware maintenance tasks (e.g. Firmware <strong>and</strong> Bios upgrades).<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-277 of 532
N A T O U N C L A S S I F I E D<br />
14.3 APPENDIX 3: Storage services<br />
14.3.1 Definition<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
14.3.1-p1 The storage service is an essential back-end service supporting all<br />
<strong>ANWI</strong> services providing the physical capacity parameters for user <strong>and</strong> application<br />
data storage.<br />
14.3.2 Scope/Scenario<br />
14.3.2-p1 The storage service is part of the Infrastructure Service <strong>and</strong> shall<br />
provide a tiered data storage solution supporting the full data lifecycle management<br />
having at least the following levels:<br />
A. Tier 1: On-line Storage (mission-critical, high-frequency data).<br />
B. Tier 2: Near-line Storage (non-frequent data, online archive).<br />
C. Tier 3: Off-line Storage (Offline archive, Backup, offline records).<br />
14.3.2-p2 The <strong>ANWI</strong> Contractor’s storage service shall be sized to provide data<br />
storage for all the current applications/users; all <strong>ANWI</strong> services; all external NNHQ<br />
services’ needs (e.g. AVI, ESS <strong>and</strong> BMS.<br />
14.3.2-p3 The <strong>ANWI</strong> Contractor shall ensure that the storage solution is designed<br />
to provide the highest availability <strong>and</strong> resilience.<br />
14.3.2-p4 The Storage service in combination with the processing service shall<br />
provide a file sharing solution. This shall enable the users to access a common<br />
network drive to store information<br />
14.3.3 Service Requirements<br />
14.3.3.1 Domains<br />
14.3.3.1-p1 The <strong>ANWI</strong> Contractor shall deliver <strong>and</strong> install storage services on all<br />
4 networks – NATO SECRET, EAPC SECRET, NR <strong>and</strong> PUBLIC.<br />
14.3.3.2 Location<br />
14.3.3.2-p1 The <strong>ANWI</strong> Contractor’s storage design shall be planned around the<br />
building’s physical layout compliance limits defined in the Processing Services<br />
Location (Section 14.2.3.3.2).<br />
14.3.3.2-p2<br />
requirements:<br />
The <strong>ANWI</strong> Contractor’s design shall also include the following <strong>ANWI</strong><br />
A. The Storage power supplies shall be at least 90% efficient.<br />
B. The Storage design shall include tiered storage (for energy <strong>and</strong> speed<br />
optimized storage).<br />
C. The Storage solution shall support de-duplication of data, <strong>and</strong> other<br />
intelligent technologies to reduce the amount of storage needed.<br />
D. The Storage service design shall specify flexibility <strong>and</strong> scalability to limit<br />
overprovisioning.<br />
E. The Storage service design shall specify st<strong>and</strong>ardization of components.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-278 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
F. The Storage solution shall support Hypervisor virtualisation.<br />
G. The Storage service design shall specify an active-active setup in the dual<br />
server rooms.<br />
14.3.3.3 Minimum Hardware Procurement Specifications (MHWPS)<br />
14.3.3.3-p1 The <strong>ANWI</strong> shall comply with the following hardware requirements<br />
over <strong>and</strong> above those requirements identified in the MHWPS (see 1.1.1.5.1):<br />
14.3.3.3-p2<br />
14.3.3.3-p3<br />
14.3.3.3-p4<br />
configuration.<br />
14.3.3.3-p5<br />
The storage power supply shall be redundant.<br />
The storage power supply shall be hot pluggable.<br />
The storage solution shall support IPv4 <strong>and</strong> IPv6 in a dual stack<br />
The storage solution shall be redundantly connected to the network.<br />
14.3.3.3-p6 The storage solution shall provide enough connectivity to all<br />
projected servers.<br />
14.3.3.3-p7<br />
simultaneously.<br />
The storage solution shall provide iSCSI <strong>and</strong> FC connectivity<br />
14.3.3.3-p8 The storage solution shall support other protocols, like FCIP, FCoE,<br />
10+ Gb Storage network protocols.<br />
14.3.3.3-p9<br />
14.3.3.3-p10<br />
storage model.<br />
The storage controllers shall be redundant, active-active controllers.<br />
The storage solution shall support different disks, for a tiered<br />
14.3.3.4 Scaling per Network Classification<br />
14.3.3.4-p1 The <strong>ANWI</strong> Contractor shall scale the storage solution to comply with<br />
the following estimated usable data capacity requirements:<br />
14.3.3.4-p2 The storage space requirements for VM's, snapshots etc. shall be<br />
calculated by <strong>ANWI</strong> Contractor.<br />
14.3.3.4-p3<br />
classification.<br />
There shall be enough offline capacity to backup ALL data, per<br />
14.3.3.4-p4 All data shall also be backed up on disk, for fast restore actions.The<br />
Disk to Disk (D2D) backup shall be stored on different disks than where the actual<br />
data is stored.<br />
14.3.3.4-p5 Backup Capacity: Backup capacity shall be redundantly available in<br />
the two server rooms.<br />
Type<br />
Total<br />
Usable<br />
storage<br />
Tier 1<br />
Online<br />
Tier 2<br />
Online/<br />
Near-line<br />
Tier 3<br />
Offline<br />
(archive)<br />
Backup<br />
D2D2T<br />
NATO SECRET<br />
<strong>ANWI</strong> systems<br />
TBD by CTR<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-279 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Type<br />
Total<br />
Usable<br />
storage<br />
Tier 1<br />
Online<br />
Tier 2<br />
Online/<br />
Near-line<br />
Tier 3<br />
Offline<br />
(archive)<br />
Backup<br />
D2D2T<br />
User-Based Storage<br />
(mail / files)<br />
60 TB 40% 60% YES*<br />
Application Data 118 TB 50% 50% YES*<br />
AVI 40 TB 50% 50% NO<br />
EAPC<br />
<strong>ANWI</strong> systems<br />
User-Based Storage<br />
(mail / files)<br />
TBD by CTR<br />
30 TB 40% 60% YES*<br />
AVI 40 TB 50% 50% NO<br />
NR<br />
<strong>ANWI</strong> systems<br />
User-Based Storage<br />
(mail / files)<br />
TBD by CTR<br />
100 TB 40% 60% YES*<br />
Application Data 86 TB 50% 50% YES*<br />
AVI 40 TB 50% 50% NO<br />
ESS 1050 TB 15% 85% NO<br />
BMS 10 TB 100% NO<br />
NU/PUBLIC<br />
<strong>ANWI</strong> systems<br />
User-Based Storage<br />
(mail / files)<br />
TBD by CTR<br />
16 TB 40% 60% YES*<br />
Application Data 138 TB 50% 50% YES*<br />
AVI 40 TB 50% 50% NO<br />
NATO-TV 80 TB 50% 50% NO<br />
*D2D backup storage is already included in the total usable storage number (30% of the total Storage<br />
capacity). D2T Backup has not been integrated in the above number.<br />
Table 14.4Storage Planning Information<br />
14.3.3.4-p6 The <strong>ANWI</strong> Contractor shall provide a storage solution with an I/O<br />
capacity of at least 100.000 front end IOPS:<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-280 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
14.3.3.4-p7 The <strong>ANWI</strong> Contractor storage design shall have an average SAN<br />
infrastructure latency (for the primary online storage) of not more than 10ms.<br />
14.3.4 Information Assurance<br />
14.3.4-p1 The <strong>ANWI</strong> design <strong>and</strong> installation shall take into account the following<br />
restrictions for the placement of electronic equipment of different classifications [ref<br />
SDIP 29/1] <strong>and</strong> their physical or virtual separation (see 1.1.1.3.1):<br />
14.3.4-p2<br />
apart.<br />
Components from different classifications shall be at least one meter<br />
14.3.4-p3 The <strong>ANWI</strong> Contractor shall define <strong>and</strong> implement a Secure Long Term<br />
Data Backup <strong>and</strong> Archival capability for forensic <strong>and</strong> security analysis purposes <strong>and</strong><br />
provided by an offline backup <strong>and</strong> a secure storage facility.<br />
14.3.4-p4 There shall be secure Long Term Data Backup <strong>and</strong> Archival, for a<br />
period of at least 5 years, for forensic purposes.<br />
14.3.4-p5 Backup shall be protected against unauthorized modification (e.g. use<br />
of digital signatures <strong>and</strong> time stamping compliant with NPKI) <strong>and</strong> deletion.<br />
14.3.4-p6<br />
features:<br />
The <strong>ANWI</strong> Contractor shall provide the following service management<br />
14.3.4-p7 The SMC shall provide an automated display of the aggregated status<br />
of file service per security domain.<br />
14.3.4-p8<br />
The AIS monitoring manager shall monitor the storage.<br />
14.3.4-p9 The <strong>ANWI</strong> Contractor’s provided Storage Service shall conform to the<br />
following Service Level Agreement/Targets:<br />
Service Level Target Parameters<br />
Capacity SLTs<br />
Availability SLTs<br />
Service Availability (%) 99,99%<br />
Max number for scheduled downtimes (month) 1<br />
Manageability SLTs<br />
Frequency of Service Measurements<br />
Continuous<br />
Frequency of SLA Reports<br />
Daily/Weekly<br />
Max Time to provision LUN<br />
4 hours<br />
Reliability SLTs<br />
Service reliability (%) >99,99%<br />
Maintainability SLTs<br />
Mean Time To Restore (MTTR) (hours) 4<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-281 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
14.3.5 Management <strong>and</strong> Operational Requirements<br />
14.3.5.1 Interfaces<br />
14.3.5.1-p1 The <strong>ANWI</strong> storage service design shall describe the following<br />
internal interfaces <strong>and</strong> dependencies:<br />
Processing<br />
Storage<br />
Printing<br />
User Services<br />
Storage X X X X X X X X X X X X X X X X X X X X X X X X X X<br />
AD<br />
DNS<br />
DHCP<br />
NTP<br />
NAC<br />
14.3.5.2 Backup <strong>and</strong> Recovery<br />
Client Provisioning<br />
LAN<br />
Cross Domain<br />
Email<br />
14.3.5.2-p1 The Storage Service shall provide backup capacity to backup all<br />
systems <strong>and</strong> data on both the SAN <strong>and</strong> individual servers. The backup capability<br />
shall be integrated in the Information Lifecycle Management (ILM) solution.<br />
14.3.5.2-p2 The <strong>ANWI</strong> Contractor, as part of the <strong>ANWI</strong>’s data life cycle<br />
management concept, shall provide a storage solution that includes data backup<br />
strategies to safeguard the data against a catastrophic event <strong>and</strong> supports long term<br />
data backup <strong>and</strong> archival (ex. forensic investigation)<br />
14.3.5.2-p3 The backup capability shall provide at minimum the following<br />
restore capabilities<br />
A. Disk: shall contain online-restore capability up to 5 days (daily Increment)<br />
B. Disk/Tape: Shall contain online-restore capability up to 6 months (monthly<br />
Increment)<br />
C. Tape: Shall contain offline restore capability up to 7 years.<br />
14.3.5.2-p4 The backup capability shall implement a tape retention policy that<br />
has the following restore capabilities:<br />
A. Incremental backup – 2 years<br />
B. Monthly Full backup – 5 years<br />
C. Yearly Full backup – 7 years<br />
14.3.5.2-p5 The <strong>ANWI</strong> Contractor’s storage capability shall be high available<br />
across both server rooms guaranteeing that data shall be kept in sync on the storage<br />
systems in both server rooms.<br />
14.3.5.2-p6 The <strong>ANWI</strong> Contractor shall ensure that in case of a server room<br />
failure the surviving server room’s storage system shall continue the service without<br />
any data loss.<br />
14.3.5.2-p7 The <strong>ANWI</strong> contractor shall design <strong>and</strong> implement a storage<br />
capability that meets the following (Disaster) Recovery requirements:<br />
<strong>ANWI</strong> CAMPUS<br />
DR LOCATION (out of scope)<br />
TIER 1 TIER 2 TIER 1 TIER 2<br />
RTO 30 minutes 1 hour 4 hours 8 hours<br />
RPO
14.3.6 Testing<br />
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
14.3.6-p1 The <strong>ANWI</strong> Contractor shall test the storage service using the following<br />
End-to-End Test Scenarios:<br />
A. Hardware Inspection – Physical inspection of the storage components.<br />
B. Capacity Tests (Raw storage size vs. Usable storage size):<br />
1. Usable storage = Raw Storage size (right-sized) – Storage Overhead<br />
(e.g. RAID, HA).<br />
2. All Tier storage capacity.<br />
C. Availability Test:<br />
1. Demonstrates High availability.<br />
2. Simulate SAN/Server room fail-over.<br />
3. Simulate component failure (disk, FC switch, <strong>and</strong> controller).<br />
4. RTO <strong>and</strong> RPO reporting (requirements vs. test results).<br />
D. Performance tests (Test shall be conducted over a predefined period not<br />
point in time test):<br />
1. I/O monitoring (with specific tools):<br />
a. For different storage types <strong>and</strong> data types.<br />
b. Under normal conditions.<br />
c. With reduced capacity (after component or system failure).<br />
E. Overall Storage Reporting using SMC service:<br />
1. Total storage (data size).<br />
2. Used storage (throughout project lifecycle).<br />
3. IOPS usage/headroom.<br />
14.3.7 Training<br />
14.3.7-p1 The <strong>ANWI</strong> Contractor shall train the ICTM on how to install, configure<br />
<strong>and</strong> troubleshoot the following areas to support the storage service:<br />
A. Hardware installation <strong>and</strong> configuration.<br />
B. Hardware troubleshooting <strong>and</strong> fault finding.<br />
C. Hardware maintenance tasks (e.g. Firmware <strong>and</strong> Bios upgrades).<br />
D. Basic storage configuration <strong>and</strong> management:<br />
1. LUN creation.<br />
2. RAID management.<br />
E. Advanced storage configuration <strong>and</strong> management:<br />
1. Mirroring setup <strong>and</strong> maintenance.<br />
2. HA policy <strong>and</strong> failover scripts.<br />
F. Creation <strong>and</strong> management of data life cycle policies.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-283 of 532
N A T O U N C L A S S I F I E D<br />
14.4 APPENDIX 4: Printing <strong>and</strong> Scanning Services<br />
14.4.1 Definition<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
14.4.1-p1 The printing service is an essential client service providing the ability to<br />
print hardcopies of documents or other electronic data via ‘follow-me’ printing based<br />
on a user’s Identity-card.<br />
14.4.1-p2 The scanning capability provides the client the ability to digitize<br />
hardcopies of documents or pictures <strong>and</strong> have the scanned result sent to the user’s<br />
email account.<br />
14.4.2 Scope/Scenario<br />
14.4.2-p1 The <strong>ANWI</strong> Contractor provided printing-scanning capability is designed<br />
<strong>and</strong> implemented as part of the Infrastructure Service <strong>and</strong> shall deliver improved<br />
efficiency by allowing users to more easily print/scan a hardcopy from any<br />
appropriate security domain device on the NNHQ campus so the long term cost<br />
reductions are realised by deploying fewer devices <strong>and</strong> cleansing print requests<br />
when not dem<strong>and</strong>ed via an ID-card request.<br />
14.4.2-p2 The <strong>ANWI</strong> Contractor’s Printer Services implementation for each<br />
classification level shall be subject to information assurance requirements of the<br />
respective classification.<br />
14.4.2-p3 “Cross Domain Printing” solutions between NR <strong>and</strong> NS networks can be<br />
proposed optionally to satisfy the required functionality, however the proposed<br />
system shall not introduce additional limitations in terms of usability, manageability<br />
<strong>and</strong> functionality, shall not increase the TCO for the lifecycle <strong>and</strong> shall be subject to<br />
the accreditation (as any other system <strong>and</strong> solution).<br />
14.4.2-p4 The <strong>ANWI</strong> contractor shall implement <strong>and</strong> MFP solution that allows for<br />
printing/scanning <strong>and</strong> copy from the same device. In case the <strong>ANWI</strong> contractor<br />
proposes a cross-domain printing solution, a NR network scanning solution shall be<br />
included on the Business network.<br />
14.4.3 Service Requirements<br />
14.4.3.1 Domains<br />
14.4.3.1-p1 The <strong>ANWI</strong> Contractor shall provide printing <strong>and</strong> scanning services<br />
that are readily available on <strong>and</strong> to all 4 networks – NATO SECRET, EAPC<br />
SECRET, NR <strong>and</strong> PUBLIC.<br />
14.4.3.2 Location<br />
14.4.3.2.1 The <strong>ANWI</strong> Contractor print/scan design <strong>and</strong> implementation shall comply<br />
with the following:<br />
14.4.3.2.1-p1<br />
All <strong>ANWI</strong> printing shall be network based.<br />
14.4.3.2.1-p2 The <strong>ANWI</strong> Contractor shall install the printers around the lift<br />
shafts in each wing/floor.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-284 of 532
14.4.3.2.1-p3<br />
areas.<br />
14.4.3.2.1-p4<br />
areas.<br />
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Printers for Public classification shall be provided for Public<br />
Printers for EAPC classification shall be provided in the EAPC<br />
14.4.3.2.1-p5 Printers for NR classification shall be provided throughout all<br />
IS/IMS marked wings AND conference areas (Class 2 secure areas).<br />
14.4.3.2.1-p6<br />
areas.<br />
Printers for NS classification shall be provided in Class 1 secure<br />
14.4.3.2.1-p7 The <strong>ANWI</strong> Contractor provided printing services shall comply<br />
with the following Green IT <strong>and</strong> availability requirements:<br />
A. Print jobs shall be printed at any device on the user’s network where the<br />
user authenticates with his ID-card (follow me printing).<br />
B. Default printer settings shall be optimized for Green IT (double sided, N-up<br />
printing, suppress header print).<br />
C. The <strong>ANWI</strong> Contractor shall optimize the number of printers/worker, with<br />
consolidation <strong>and</strong> centralization of printing devices.<br />
D. Printers shall have a low-power state, such as a st<strong>and</strong>by or sleep mode.<br />
E. Print services shall be redundantly available over both server rooms.<br />
F. If a print server fails, users shall be able to print through another instance<br />
without extra configuration on the user side.<br />
14.4.3.2.1-p8 The <strong>ANWI</strong> Contractor provided printers shall comply with the<br />
following hardware requirements:<br />
A. Printers shall be Energy Star Qualified.<br />
B. Printers shall be able to print on A3 <strong>and</strong> A4 paper.<br />
C. Printers shall have a sorter/stacker with a capacity of 1000 pages.<br />
D. Card readers shall be securely attached to the print device requiring<br />
special tools to be removed.<br />
E. Printers driver shall support the latest Windows server products.<br />
F. Printers driver shall support the latest Windows desktop products.<br />
G. Printers shall support IPv4 <strong>and</strong> IPv6 in a dual stack configuration.<br />
14.4.3.2.1-p9 The <strong>ANWI</strong> Contractor printing solution shall satisfy the following<br />
IA requirements for all printers (per 1.1.1.6.39):<br />
A. Print jobs shall be queued <strong>and</strong> shall only print when a user activates a<br />
device using their ID-card.<br />
B. The Contractor shall address in the SRA the IA measures related to local<br />
printer memory devices (harddisk <strong>and</strong> memory)<br />
C. Printers control panel must have the possibility to be locked.<br />
D. Printers options shall be configurable, <strong>and</strong> to be restricted in options.<br />
1. All unnecessary services <strong>and</strong> network protocols shall be disabled.<br />
2. Unneeded management protocols shall be disabled.<br />
3. Static IP addresses shall be assigned to printers/MFP (multi-function<br />
printer).<br />
4. MPFs should be installed in VLANs specific to those devices. Access to<br />
MPFs should be limited to particular ports <strong>and</strong> protocols using a BPD<br />
(e.g. firewall).<br />
E. MFP shall maintain its configuration state after power-down or reboot.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-285 of 532
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-286 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
14.4.3.2.1-p10 The <strong>ANWI</strong> Contractor shall ensure that the printing service is<br />
interfaced, as follows, with the <strong>ANWI</strong> Service Management <strong>and</strong> Control<br />
requirements:<br />
A. Printers shall be able to be remotely managed.<br />
B. Printers shall support SNMPv3.<br />
C. Printers/MFPs should support SSHv2 <strong>and</strong> SCP.<br />
14.4.3.2.1-p11 The <strong>ANWI</strong> Contractor scanners shall comply with the following<br />
requirements:<br />
A. Scanners shall have a low-power state, such as a st<strong>and</strong>by or sleep mode.<br />
B. Scan services shall be redundantly available over both server rooms.<br />
C. General: Scan services shall be available for all users via Network<br />
scanners.<br />
D. Scanners shall be Energy Star Qualified.<br />
E. Card readers shall be securely connected to the scan device.<br />
F. Scanners shall support IPv4 <strong>and</strong> IPv6 in a dual stack configuration.<br />
14.4.3.2.1-p12 The <strong>ANWI</strong> Contractor scanner solution shall comply with the<br />
following Information Assurance requirements:<br />
A. Scanner functionality shall only be activated when the user activates the<br />
scanner using their ID card.<br />
B. Scans shall be sent to the a-mail address associated with the ID card that<br />
activated the scanner; other options shall not be available.<br />
14.4.3.2.1-p13 The <strong>ANWI</strong> Contractor shall ensure that the scanning service is<br />
interfaced, as follows, with the <strong>ANWI</strong> Service Management <strong>and</strong> Control<br />
requirements:<br />
A. Scanners shall be able to be remotely managed.<br />
B. Scanners shall support SNMPv3.<br />
14.4.3.2.1-p14 The <strong>ANWI</strong> Contractor’s provided Print/Scan Service shall<br />
conform to the following Service Level Agreement/Targets:<br />
Service Level Target Parameters<br />
Capacity SLTs<br />
Service Capacity<br />
Supported sizes<br />
Supported colours<br />
Copy – Print – Scan to mail<br />
A3 – A4<br />
Monthly volume (Pages) >100,000<br />
Supported colour<br />
Availability SLTs<br />
Service Availability (%) 99,5%<br />
Max number for scheduled downtimes (month) 1<br />
Manageability SLTs<br />
Frequency of Service Measurements<br />
Frequency of SLAReports<br />
Max duration for Toner replacement<br />
Reliability SLTs<br />
Full colour - Black <strong>and</strong> White<br />
Continuous<br />
Daily/Weekly<br />
1 hour<br />
Service reliability (%) 99,9%<br />
Maintainability SLTs
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Service Level Target Parameters<br />
Mean Time To Restore Service (MTTR) (hours) 4<br />
Max Time to Repair individual Printer (hours) 24<br />
14.4.4 Management <strong>and</strong> Operational Requirements<br />
14.4.4.1 Interfaces<br />
14.4.4.1-p1 The <strong>ANWI</strong> print <strong>and</strong> scan service design shall describe <strong>and</strong><br />
implement the following internal interfaces <strong>and</strong> dependencies:<br />
Processing<br />
Storage<br />
Printing<br />
AD<br />
DNS<br />
DHCP<br />
NTP<br />
NAC<br />
Client Provisioning<br />
LAN<br />
Cross Domain<br />
Email<br />
IM<br />
Voice<br />
VTC services<br />
Presence<br />
Collaboration<br />
IPTV<br />
File services<br />
Remote users<br />
Browsing<br />
ESS<br />
BMS<br />
ICTM applications<br />
Web Publishing<br />
SMC<br />
Printing X X X X X X X X X X X X X<br />
14.4.4.1-p2 The <strong>ANWI</strong> Contractor’s design <strong>and</strong> implementation shall document<br />
<strong>and</strong> support the following cross-domain interfaces:<br />
Flow 1.<br />
1/2 way 2. Service 3. Service name 4. Supported Protocols 5. Remarks<br />
6. BUS-CD5 One way BUS-NS CD Printing UDP<br />
14.4.4.2 Backup <strong>and</strong> Recovery<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-287 of 532<br />
not M<strong>and</strong>atory dependant on<br />
design<br />
14.4.4.2-p1 The <strong>ANWI</strong> Contractor shall include the back-end print infrastructure<br />
into the overall <strong>ANWI</strong> backup policy.<br />
14.4.4.3 Testing<br />
14.4.4.3-p1 The <strong>ANWI</strong> Contractor shall test the print-scan service using the<br />
following End-to-End Test Scenarios:<br />
A. Follow-me printing scenario (ID-Card Authentication).<br />
B. Scan to mail scenario.<br />
C. Print server failure test scenario.<br />
D. Off-site printing test scenario.<br />
E. Print usage reporting test scenario.<br />
F. Cross-domain printing (if applicable),<br />
14.4.5 Training<br />
14.4.5-p1 The <strong>ANWI</strong> Contractor shall train the users in the following areas:<br />
A. Follow-me printing.<br />
B. Print device default (power saving) settings.<br />
C. Cross Domain printing, if applicable.<br />
D. Printer <strong>and</strong> scanner menu settings.<br />
14.4.5-p2 The <strong>ANWI</strong> Contractor shall train the ICTM staff on how to install,<br />
configure <strong>and</strong> troubleshoot the following areas to support the print <strong>and</strong> scan<br />
capability:<br />
A. Print server configuration.<br />
B. Central management of printers (DHCP/DNS integration).
N A T O U N C L A S S I F I E D<br />
C. Configuration of client printing agent.<br />
D. Print queue management.<br />
E. Follow-me printing software.<br />
F. Scanning software.<br />
G. Email - scanner software interface.<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-288 of 532
N A T O U N C L A S S I F I E D<br />
14.5 APPENDIX 5: Infrastructure Network Services<br />
14.5.1 Definition<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
14.5.1-p1 Infrastructure Network services provides authentication <strong>and</strong><br />
authorization, Name Resolution, DHCP, Time services <strong>and</strong> network Access control<br />
(NAC) functionality to the <strong>ANWI</strong>.<br />
14.5.2 Scope/Scenario<br />
14.5.2-p1 The infrastructure network services are part of the Infrastructure<br />
services <strong>and</strong> shall reside on each network <strong>and</strong> interact with all devices <strong>and</strong> users that<br />
connect to that NNHQ network, by either allowing/denying access (AD/NAC) or<br />
facilitating the ICT services (DHCP/DNS).<br />
14.5.3 Service Requirements<br />
14.5.3.1 Domains<br />
14.5.3.1-p1 The <strong>ANWI</strong> Contractor shall deliver <strong>and</strong> install the network<br />
infrastructure services on all 4 networks – NATO SECRET, EAPC SECRET, NR <strong>and</strong><br />
PUBLIC.<br />
14.5.3.2 Location<br />
14.5.3.2-p1 The <strong>ANWI</strong> Contractor’s infrastructure network service’s servers shall<br />
be located in both server rooms in order to keep basic network services running even<br />
in case of a major failure, which also includes losing one of the server rooms.<br />
14.5.3.2-p2 The <strong>ANWI</strong> Infrastructure Services shall interact with all NNHQ users<br />
that connect to the NNHQ network, from remote offices on NS <strong>and</strong> mobile NR<br />
devices via the Internet.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-289 of 532
14.5.3.3 Directory Services<br />
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
14.5.3.3-p1 The <strong>ANWI</strong> Contractor shall install <strong>and</strong> configure Active Directory<br />
(AD) Services on each NNHQ network in accordance with the following diagram <strong>and</strong><br />
requirements:<br />
Figure 14.3: NATO HQ Integrated Bi-SC AIS Domain Services<br />
A. The NNHQ Active Directory (NS level) shall join the AIS single forest.<br />
B. The NNHQ Active Directory (NS level) shall join the AIS single domain.<br />
14.5.3.3-p2 The <strong>ANWI</strong> Contractor provided AD Services for EAPC, NR<br />
classifications shall be installed <strong>and</strong> configured in accordance with the following<br />
requirements:<br />
A. The NNHQ Active Directory (NR level) shall follow the design of the AD at<br />
NS level.<br />
B. The NNHQ Active Directory (Public level) shall follow the design of the AD<br />
at NS level.<br />
C. The NNHQ Active Directory (EAPC level) shall follow the design of the AD<br />
at NS level.<br />
D. NNHQ AD Services for NR classification shall be prepared to federate with<br />
/ integrate to future NATO-wide Business NR AD Service.<br />
14.5.3.3-p3 For the public network the contractor shall provide AAA services.<br />
A. The public network shall support RADIUS or an equivalent technology.<br />
14.5.3.3.1 NATO Enterprise directory service (NEDS)<br />
14.5.3.3.1-p1 NEDS - The current specification for the NATO Enterprise<br />
Directory Service (NEDS) solutions is based on the requirement to support email<br />
Global Address List (GAL) synchronisation <strong>and</strong> Active Directory user synchronisation<br />
for cross authentication of users between forests (see Annex B for more detail); to<br />
that end the <strong>ANWI</strong> Contractor shall connect the NNHQ’s Active Directory (NS <strong>and</strong><br />
NR level) with the NATO Enterprise Directory Service (NEDS).<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-290 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
14.5.3.3.1-p2 The <strong>ANWI</strong> Contractor shall design <strong>and</strong> implement each of the 4<br />
NNHQ networks to comply with the following:<br />
A. The Active Directory service shall be highly available <strong>and</strong> redundant on all<br />
classification networks.<br />
B. At least one AD server per server rooms shall be hosted on a physical<br />
server.<br />
14.5.3.3.1-p3 The <strong>ANWI</strong> Contractor shall design <strong>and</strong> implement the AD<br />
restricting administrative rights to certain individuals who may add, change or delete<br />
items in the Active Directory service.<br />
14.5.3.3.1-p4 The <strong>ANWI</strong> Contractor shall centrally monitor <strong>and</strong> display the<br />
Active Directory service according to the following:<br />
A. The SMC shall provide an automated display of the aggregated status of<br />
directory services per security domain. This is an aggregation of server<br />
<strong>and</strong> service status <strong>and</strong> network status.<br />
B. The AIS monitoring manager shall monitor the active directory (AD).<br />
C. The SMC shall provide an automated display of the aggregated status of<br />
browsing service per security domain (this is an aggregation of relevant<br />
network, DNS <strong>and</strong> gateway status).<br />
D. The SMC shall provide an automated display of the aggregated status of<br />
web publishing service per security domain (this is an aggregation of<br />
relevant network, web-servers (<strong>and</strong> associated storage), DNS <strong>and</strong><br />
gateway status).<br />
E. The SMC shall provide an automated display of the aggregated status of<br />
remote user service per security domain. This is an aggregation of<br />
gateway, VPN service status <strong>and</strong> relevant network status.<br />
F. The AIS monitoring server shall monitor core services like: Windows<br />
Active Directory, DNS, MS SQL.<br />
G. The AIS monitoring manager shall monitor the database(s).<br />
H. The AIS monitoring manager shall monitor the web sites <strong>and</strong> web<br />
services.<br />
14.5.3.4 Domain Name <strong>System</strong> (DNS)<br />
14.5.3.4-p1 The <strong>ANWI</strong> Contractor’s design <strong>and</strong> implementation shall use DNS<br />
to resolve DNS names related to systems <strong>and</strong> services on the 4 NNHQ (NS, EAPC,<br />
NR <strong>and</strong> the Public) networks, <strong>and</strong>/or to point to DNS resolvers on external networks<br />
that can resolve DNS names of systems/services that are external to NATO HQ.<br />
14.5.3.4-p2 The <strong>ANWI</strong> Contractor shall design <strong>and</strong> implement the DNS according to<br />
the following DNS service requirements:<br />
A. The internal DNS infrastructure shall be split from the External DNS <strong>and</strong><br />
will not be accessed from external networks.<br />
B. The network shall use an internal DNS root <strong>and</strong> namespace, where all<br />
Authority is internal.<br />
C. DNS servers shall limit zone transfers to specified IP-addresses, if<br />
needed.<br />
D. DNS servers shall be configured to listen on specified IP-addresses.<br />
E. Cache pollution prevention shall be enabled on all DNS servers.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-291 of 532
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-292 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
F. DNS solution shall provide efficient network discovery <strong>and</strong> automated IP<br />
address management<br />
G. Internal DNS zones shall be stored in Active Directory, with a DACL to<br />
allow specified individuals to add, delete or modify DNS data.<br />
H. The DNS service shall allow to be managed from a single console.<br />
I. Internal DNS servers shall be configured with root hints that point to the<br />
internal DNS servers that host the root zone for the internal namespace.<br />
J. The DNS service shall be high available on all classification networks.<br />
K. The DNS service shall be redundant on all classification networks.<br />
14.5.3.4-p3 The <strong>ANWI</strong> Contractor shall implement the DNS service, like all other<br />
components in the network, to support multiple IP stacks according to the following:<br />
A. The DNS service implementation for the NNHQ shall be IPv4.<br />
B. The DNS service implementation shall be able to support an IPv6<br />
implementation.<br />
14.5.3.4-p4 The <strong>ANWI</strong> Contractor shall implement the DNS service so that the<br />
AIS monitoring manager (in Mons) shall monitor the DNS.<br />
14.5.3.5 Windows Internet Name Service (WINS)<br />
14.5.3.5-p1<br />
applications.<br />
The WINS service shall not be used, unless needed for legacy<br />
14.5.3.6 Dynamic Host Configuration Protocol (DHCP)<br />
14.5.3.6-p1 The <strong>ANWI</strong> Contractor shall implement the DHCP service to assign an<br />
IP-number to a client or connection to the network supporting the following<br />
requirements:<br />
A. All DHCP servers shall be authorized.<br />
B. The DHCP service shall not be installed on Domain Controllers.<br />
C. DHCP relaying on routers shall be used to relay DHCP request to the<br />
central DHCP servers.<br />
D. Each scope of the DHCP service shall be high available on all<br />
classification networks.<br />
E. Each scope of the DHCP service shall be redundant on all classification<br />
networks.<br />
14.5.3.6-p2 The <strong>ANWI</strong> Contractor shall implement the DHCP service, like all other<br />
components in the network, to support multiple IP stacks:<br />
A. The DHCP service implementation for the NNHQ shall be IPv4.<br />
B. The DHCP service implementation shall be able to support an IPv6<br />
implementation.<br />
14.5.3.7 Network Time Protocol (NTP)<br />
14.5.3.7-p1 The ANW Contractor shall implement the following requirements for the<br />
NTP service:<br />
A. All end systems, network <strong>and</strong> security devices shall be synchronised to a<br />
common time source to facilitate computer <strong>and</strong> network forensics<br />
investigations.<br />
B. Windows servers shall use W32time for timekeeping.
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
C. For the NS network the authoritative time shall be provided by the AIS<br />
network (PFE).<br />
D. When using VMware, VMware tools periodic time synchronization shall be<br />
disabled.<br />
E. For Public/NR Networks an authoritative (stratum-1) time server shall be<br />
supplied by <strong>ANWI</strong>.<br />
14.5.3.8 Network Access Control (NAC)<br />
14.5.3.8-p1 Network Access Control (NAC) services review the configuration of<br />
devices connecting to a network based on endpoint security (such as OS patch level,<br />
antivirus updates, host IPS, etc.), user <strong>and</strong> system authentication <strong>and</strong> network<br />
security enforcement. The NAC will protect the network by preventing non-compliant<br />
clients from accessing the network at the IP-level. In case of a device that is not<br />
compliant with a defined security policy it shall be isolated / quarantined <strong>and</strong> has to<br />
undergo a remediation <strong>and</strong> sanitization process. Only when successful, the device<br />
may be granted access to the network <strong>and</strong> in accordance with its identity<br />
characteristics.<br />
14.5.3.8-p2 The NAC solutions shall provide End-point-protection features for all<br />
<strong>ANWI</strong> client types. The End-point protections shall cover from real-time malware<br />
protection to in-depth network <strong>and</strong> device control <strong>and</strong> protection (including peripheral<br />
management <strong>and</strong> control).<br />
14.5.3.8-p3 The NAC Solution shall enable context-aware security in the<br />
network; this shall allow for granular visibility <strong>and</strong> control, down to the user <strong>and</strong><br />
device level.<br />
14.5.3.8-p4 The NAC Solution shall provide flexible authentication options -<br />
802.1x, MAC, client- <strong>and</strong> web-based authentication. The NAC solutions shall be able<br />
to integrate with the NATO PKI <strong>and</strong> NATO Directory Services (ex. MS AD).<br />
14.5.3.8-p5 The <strong>ANWI</strong> Contractor shall support, through design <strong>and</strong><br />
implementation, the following list of NAC requirements for the four different security<br />
networks:<br />
A. There shall be no restrictions on devices connected to the network,<br />
provided they comply with the NAC policy.<br />
B. The system shall recognize <strong>and</strong> be able to report on NATO approved<br />
devices <strong>and</strong> external devices that connect to the network.<br />
C. The system shall be able to access devices to ensure they are compliant<br />
before granting access to network resources.<br />
D. The system shall restrict devices access to network resources, other than<br />
those needed for remediation, until they are compliant or the isolation is<br />
overridden by an admin.<br />
E. If a valid device fails an integrity check, there shall be a mechanism by<br />
which the device can be brought back into compliance.<br />
F. It shall be possible for visitors to gain access to resources, as an internet<br />
connection, provided they accept or comply with NAC policy.<br />
G. The system shall not restrict compliant users on compliant devices to<br />
access resources.<br />
H. A system shall support, <strong>and</strong> not restrict, the current <strong>and</strong> future choice of<br />
network devices.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-293 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
I. The system shall be able to use the existing authentication method to<br />
grant system or user access to network resources.<br />
J. The system shall enable admins to create, deploy, monitor <strong>and</strong> enforce<br />
NAC policies which reflect the NNHQ NAC policy.<br />
K. The <strong>ANWI</strong> shall be able to capture en disseminate info regarding endpoint<br />
<strong>and</strong> the systems own status, in a manner <strong>and</strong> format which can be used to<br />
manage the system <strong>and</strong> the issues <strong>and</strong> to identify trends.<br />
L. The <strong>ANWI</strong> shall be able to raise alert in case of issues.<br />
M. The <strong>ANWI</strong> shall be able to be supported as other management systems.<br />
N. The NAC solution shall support the automated deployment of the user<br />
agent.<br />
O. The <strong>ANWI</strong> Contractor shall provide regular updates, for new devices,<br />
Operating systems <strong>and</strong> software at the time of release by their<br />
manufacturers.<br />
P. The <strong>ANWI</strong> Contractor shall confirm on the policy of to cover 3rd party<br />
events, as virus outbreaks, or Microsoft "Patch Tuesday" results.<br />
Q. The <strong>ANWI</strong> shall not adversely impact functionality or performance of user<br />
<strong>and</strong> systems.<br />
R. The <strong>ANWI</strong> itself shall be secure against attacks or attempts to bypass the<br />
protection it affords NNHQ systems.<br />
S. The <strong>ANWI</strong> shall support license monitoring <strong>and</strong> reporting.<br />
T. The <strong>ANWI</strong> Contractor’s provided Network Infrastructure Service shall<br />
conform to the following Service Level Agreement/Targets:<br />
Service Level Target Parameters<br />
Availability SLTs<br />
Service Availability (%) 99,99%<br />
Max number for scheduled downtimes (month) 1<br />
Manageability SLTs<br />
Frequency of Service Measurements<br />
Continuous<br />
Frequency of SLA Reports<br />
Daily/Weekly<br />
Reliability SLTs<br />
Service reliability (%) >99,99%<br />
Maintainability SLTs<br />
Mean Time To Restore (MTTR) (hours) 4<br />
Performance Parameters<br />
Response Time (DNS) - (ms)<br />
Response Time (DHCP) - (sec)<br />
Response Time (Authentication) – (sec)<br />
Response Time (NTP) – (ms)<br />
Response Time (NAC) – (sec)<br />
< 50ms<br />
< 5 sec<br />
< 10 Sec<br />
< 50ms<br />
< 5 Sec<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-294 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
14.5.4 Management <strong>and</strong> Operational Requirements<br />
14.5.4.1 Interfaces<br />
14.5.4.1-p1 The <strong>ANWI</strong> network infrastructure service design shall describe <strong>and</strong><br />
implement the following internal interfaces <strong>and</strong> dependencies:<br />
Processing<br />
Storage<br />
Printing<br />
User Services<br />
AD X X X X X X X X X X X X X X X X X X X X X X X X<br />
DNS X X X X X X X X X X X X X X X X X X X X X X X X X<br />
DHCP X X X X X X X X X X X X X X X X X X X<br />
NTP X X X X X X X X X X X X X X X X X<br />
NAC X X X X X X X X X X X X X X X X X X<br />
AD<br />
DNS<br />
DHCP<br />
NTP<br />
NAC<br />
Client Provisioning<br />
LAN<br />
Cross Domain<br />
Email<br />
14.5.4.1-p2 The <strong>ANWI</strong> Contractor’s design <strong>and</strong> implementation shall document<br />
<strong>and</strong> support the following cross-domain interfaces:<br />
Flow 1/2 way Service Service name Supported Protocols Remarks<br />
PUB-CD3 Two way PUB-NEDS NU NEDS conn<br />
PUB-CD3 Two way PUB-NMSG NU Messaging SMTP Federated or NU email<br />
PUB-CD3 Two way PUB-NDS NU Domain LDAP Federated or NU domain<br />
PUB-APP - - ICTM Apps<br />
PUB-XNET - - PUB Extranet<br />
IM<br />
Voice<br />
VTC services<br />
Presence<br />
Collaboration<br />
IPTV<br />
File services<br />
Remote users<br />
Browsing<br />
ESS<br />
BMS<br />
ICTM applications<br />
Web Publishing<br />
SMC<br />
Flow 1/2 way Service Service name Supported Protocols Remarks<br />
BUS-CD2 Two way BUS-NEDS NR NEDS<br />
BUS-CD2 Two way BUS-NMSG NR Email<br />
BUS-CD2 Two way BUS-NDS Dir sync LDAP Federated domain<br />
BUS-APP - - ICTM Apps<br />
BUS-XNET - - NR Extranet<br />
Flow 1/2 way Service Service name Supported Protocols Remarks<br />
EAPC-APP - - ICTM Apps<br />
Flow 1/2 way Service Service name Supported Protocols Remarks<br />
NS-GW1 Two way NS-NDS Dir sync Ldap Bi-SC AIS domain<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-295 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Flow 1/2 way Service Service name Supported Protocols Remarks<br />
NS-GW1 Two way NS-NEDS Dir sync Ldap Through Bi-SC AIS<br />
NS-APP Two way ICTM Apps<br />
NS-XNET Two way NS Extranet<br />
14.5.4.2 Backup <strong>and</strong> Recovery<br />
14.5.4.2-p1 The <strong>ANWI</strong> Contractor shall include the configuration files of the<br />
Infrastructure Network Service into the overall <strong>ANWI</strong> backup policy.<br />
14.5.4.3 Testing<br />
14.5.4.3-p1 Testing The <strong>ANWI</strong> Contractor shall test the Network Infrastructure<br />
service using the following End-to-End Test Scenarios:<br />
User Services From 1/2 way GW To Provider External service Remarks<br />
AD synch NR WAN GW2 NR ? NR Domain federated or single domain structure<br />
NS WAN GW1 NS NCIA Bi-SC AIS<br />
14.5.4.3-p2 The <strong>ANWI</strong> Contractor shall ensure that the test scenarios simulate<br />
the use of network services during peak <strong>and</strong> off-hours regarding:<br />
A. Active Directory:<br />
1. simulate AD interactions to reflecting expected user traffic (e.g.<br />
ADTEST.exe).<br />
2. NPKI token login in AD environment.<br />
3. availability <strong>and</strong> resilience test in case of server failure.<br />
B. DNS:<br />
1. resolution for internal <strong>and</strong> external resources.<br />
2. Use test tool to test response times (e.g. DPT).<br />
3. DNS security settings implementation checks.<br />
4. availability <strong>and</strong> resilience test in case of server failure.<br />
C. DHCP:<br />
1. IP acquisition for devices (internal LAN <strong>and</strong> DHCP relays).<br />
2. DHCP response times for varying user load.<br />
3. availability <strong>and</strong> resilience test in case of server failure.<br />
D. NTP:<br />
1. Performance: NTP Response time.<br />
E. NAC:<br />
1. connect out-of-date end-user device <strong>and</strong> perform remedial actions.<br />
2. Test rejection policy.<br />
3. NAC response times with varying load (requests).<br />
4. availability <strong>and</strong> resilience test in case of server failure.<br />
14.5.5 Training<br />
14.5.5-p1 The <strong>ANWI</strong> Contractor shall train the ICTM staff on know how to install,<br />
configure, operate <strong>and</strong> troubleshoot the following areas to support the network<br />
infrastructure capability:<br />
A. Active Directory management in the NATO delegation model.<br />
B. Network Access control:<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-296 of 532
1. Configuration.<br />
2. Operation.<br />
3. Maintenance.<br />
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-297 of 532
14.6 APPENDIX 6: LAN services<br />
14.6.1 Definition<br />
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
14.6.1-p1 In general the LAN module provides three types of services:<br />
A. Packet Switching Services, related to the required switched transport<br />
services. This translates very much to one of the applicable Ethernet<br />
st<strong>and</strong>ards. It also includes support for multicast.<br />
B. QoS <strong>and</strong> Security services such as VLAN, NAC, QoS, which relate to<br />
network services.<br />
C. Management services, needed to manage <strong>and</strong> measure network <strong>and</strong><br />
transport service performance.<br />
14.6.2 Scope/Scenario<br />
14.6.2-p1 The LAN capability shall provide infrastructure for both wired <strong>and</strong><br />
wireless Local Area Networks.<br />
14.6.2-p2 Unclassified voice <strong>and</strong> Public networks may be provided by single<br />
switched infrastructure, with appropriate security measures including VLAN<br />
separation where the specific implementation shall undergo security accreditation.<br />
14.6.2-p3 NR, NS <strong>and</strong> EAPC shall be implemented on physically separated<br />
switched infrastructures; unless a nationally accredited solution which is allowed to<br />
be exported <strong>and</strong> used by NATO is provided.<br />
14.6.2-p4 The wired LAN services shall distinguish between:<br />
A. Core Switching; these are switching <strong>and</strong> routing capabilities that are<br />
oriented in the core of the network <strong>and</strong> shall provide for Access switch,<br />
Server <strong>and</strong> SAN connectivity as well as added services like load-balancing<br />
<strong>and</strong> content switching functionalities.<br />
B. Server/SAN switching shall provide connectivity for servers <strong>and</strong> SAN<br />
components (Dedicated or converged)<br />
C. Access Switching shall provide connectivity to end-user devices.<br />
14.6.2-p5 IDS <strong>and</strong> monitoring switch modules may be required at specific<br />
locations on site, based on the outcome of the Contractor’s detailed site <strong>and</strong> design’s<br />
risk assessment.<br />
14.6.2-p6 As part of the switching infrastructure – a load balancing solution shall<br />
be provided. This solution shall provide redundant <strong>and</strong> high available load balanced<br />
services. These shall include but not limited to HTTP(S), FTP <strong>and</strong> DNS. The load<br />
balancing solution shall also provide advanced features like SSL Offload, TCP<br />
buffering, client authentication, content aware switching <strong>and</strong> HTTP compression.<br />
14.6.2-p7 The <strong>ANWI</strong> Contractor shall size the LAN service to support all <strong>ANWI</strong><br />
equipment <strong>and</strong> services in this SOW, with additional 25% free resources to support<br />
expected near-future applications.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-298 of 532
14.6.3 Service Requirements<br />
14.6.3.1 Domains<br />
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
14.6.3.1-p1 The LAN capability shall be available on all 4 networks – NATO<br />
SECRET, EAPC SECRET, NR <strong>and</strong> PUBLIC.<br />
14.6.3.1-p2 The Wireless LAN (WLAN) capability shall be available on the<br />
PUBLIC network. NR clients shall connect through PUBLIC to NR, via a secure VPN<br />
connection.<br />
14.6.3.2 LAN Service Types<br />
14.6.3.2-p1 The following table provides information on the type of LAN services<br />
required per classification:<br />
Classification LAN Type Cable type<br />
NS Wired Fibre Optic<br />
EAPC Wired Fibre Optic<br />
NR Wired Fibre Optic<br />
Wireless<br />
Public Wired Copper<br />
Wireless<br />
N/A<br />
N/A<br />
Table 14.1: LAN services per classification<br />
14.6.3.3 Service Capacity<br />
14.6.3.3-p1 The Access Switch port requirements will be determined by the<br />
actual allocation of users to the building. As this is still an on-going task it is<br />
impossible to provide exact access switch port allocation per classification <strong>and</strong> TER.<br />
However the number of devices that need to be supported for a specific classification<br />
is known. As the <strong>ANWI</strong> design requires flexibility in the allocation of resources <strong>and</strong><br />
capabilities the <strong>ANWI</strong> Contractorshall provide an access switch solution based on the<br />
following numbers:<br />
Classification NS NR EAPC Public<br />
Total FO Ports 2200 3400 220<br />
Total CU Ports 3000<br />
Supported devices<br />
NS Client<br />
NS peripheral<br />
-NR Client (cabled)<br />
-NR Peripheral<br />
-ESS devices<br />
-BMS devices<br />
-AV devices<br />
(These port quantities do not included the 25% spare capacity)<br />
EAPC Client<br />
EAPC Peripheral<br />
WLAN AP<br />
Telephone<br />
IPTV devices<br />
Public Client<br />
14.6.3.4 Location<br />
14.6.3.4-p1 Core, Server (rack) <strong>and</strong> Storage switches shall be located in the<br />
dual server rooms.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-299 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
14.6.3.4-p2 Access switches shall be located in the TER’s, which are in the<br />
basement of the NNHQ.<br />
14.6.3.4-p3 There are 45 TER rooms across the <strong>ANWI</strong> Campus of which 41 are<br />
in the main building.<br />
14.6.3.4-p4 Wireless access points shall be located throughout the main<br />
building <strong>and</strong> staff centre.<br />
14.6.3.4-p5 For Access switches, located in the TERs, there is the following limit:<br />
A. The maximum cooling per TER is 3.2 kW or 6.4 kW (where 2 CRACs are<br />
available) - Annex B<br />
B. Security cameras shall be connected by fibre.<br />
C. BMS access controllers shall be connected by fibre.<br />
D. Wireless access points connect via copper PoE connections.<br />
E. VOIP phones connect via copper PoE connections.<br />
F. Trunk connections between switches shall be at least 10Gbit Ethernet.<br />
G. All network devices shall support IPv4 <strong>and</strong> IPv6 in a dual stack<br />
configuration.<br />
H. The following list describes the End point capacity <strong>and</strong> quality:<br />
1. User capacity oversubscription shall not exceed 5:1.<br />
2. End-user sustained capacity shall be at least 40Mbps.<br />
3. Voice units sustained capacity shall be at least 0.080Mbps, expedite<br />
service.<br />
4. BMS Video units sustained capacity shall be at least 4Mbps, expedite<br />
service.<br />
5. Wireless access point sustained capacity shall be at least 80% of<br />
maximum device capacity.<br />
6. Server capacity oversubscription shall not exceed 1:1.<br />
I. The LAN capability shall comply with the below public wireless network<br />
service requirements:<br />
1. Wireless capability shall cover the entire NNHQ main building <strong>and</strong> staff<br />
centre.<br />
2. There shall be sufficient redundancy in coverage that 10% failed<br />
Access Points will not impact the WLAN’s availability.<br />
3. The Wireless capability shall support internal roaming (between Access<br />
Points).<br />
4. The Wireless capability shall be sized to support over 5,000 concurrent<br />
users, this are both internal staff as well as public guest access.<br />
5. The Wireless capability shall support as a minimum the WLAN<br />
st<strong>and</strong>ards at the time of bidding.<br />
6. The Wireless capability shall support various end-user devices e.g.<br />
laptops, tablets, PDA’s, mobile phones.<br />
7. The Wireless Capability shall provide segmentation between the Guest<br />
<strong>and</strong> NATO user WLAN networks.<br />
* Note: PNWI passive Fibre <strong>and</strong> Copper specifications are found in Annex B.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-300 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
14.6.3.4-p6 The wired LAN Services shall comply with the below generic wired<br />
network service requirements:<br />
A. Maximum of 2 different vendors/br<strong>and</strong>s to provide the complete LAN <strong>and</strong><br />
WIFI solution. Number of modular chassis types <strong>and</strong>/or "boxed" switches<br />
is limited to 2 of each.<br />
B. The network shall be End-to-End Ethernet based.<br />
C. All access switches shall be installed in the TER, WLAN access points<br />
shall be installed throughout the building out of user reach.<br />
D. Port based network access control shall use 802.1x EAP.<br />
E. Network devices shall have a redundant power supply N+1.<br />
F. Power supply <strong>and</strong> cords shall be delivered according to local<br />
requirements.<br />
G. Devices shall use a Server Room High availability features processor,<br />
switching module.<br />
H. All devices shall use hot swappable components.<br />
I. Software: Software & Documentation shall be included, the latest release<br />
on CD or printed media.<br />
J. Rack mounted equipment must be capable of being mounted in st<strong>and</strong>ard<br />
19” racks.<br />
K. Equipment shall provide port mirror functionality (bi-directional).<br />
L. Equipment shall provide broadcast control blocking / limiting mechanism.<br />
M. Consolidation of LAN <strong>and</strong> SAN traffic in the server rooms shall be in line<br />
with industry st<strong>and</strong>ards like FCoE <strong>and</strong> ISCSI.<br />
14.6.3.4-p7 The wired network service provided through a Switched<br />
environment shall support the following protocols:<br />
A. Protocols: Layer2:<br />
1. Provide support for at least 1000 VLANs.<br />
2. VLAN St<strong>and</strong>ards 802.1q (VLAN).<br />
3. Spanning Tree 802.1d (Spanning Tree Protocol).<br />
4. 802.1s (Multiple Spanning Tree Protocol).<br />
5. 802.1w (Rapid Spanning Tree Protocol).<br />
6. QOS/COS 802.1p (QOS on MAC level) (by 802.1Q tags, DSCP,<br />
minimum 5 queues).<br />
7. Port based network access control 802.1x EAP.<br />
8. Flow control 802.3x.<br />
9. Link aggregation 802.3ad.<br />
B. support for TRILL or equivalent<br />
C. DHCP snooping<br />
D. Dynamic ARP inspection<br />
E. private VLANs<br />
F. Protocols: Layer 3:<br />
1. RIP v1 <strong>and</strong> v2.<br />
2. OSPF v2 <strong>and</strong> v3.<br />
3. VRRP.<br />
4. PIM.<br />
5. BGPv4<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-301 of 532
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-302 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
14.6.3.4-p8 For the Public/NR LAN services, the following requirements apply:<br />
A. Connections, if wired, must be wired with Copper for NU <strong>and</strong> Public.<br />
B. Connections, if wired, must be wired with Fibre for NR.<br />
C. Devices shall be modular based or single fixed configured stackable.<br />
D. The device must be able to support at least 40,000 MAC addresses.<br />
E. Wireless access points shall support PoE.<br />
F. The device uplink must be dual homed <strong>and</strong> connected to each server<br />
room for redundancy.<br />
G. The device shall be upgradable to at least the next capacity level (e.g.<br />
implement 10 Gbps, service must be upgradable to at least the next<br />
capacity level at 40 Gbps).<br />
* Note: Stackable switches are not the same as cascadable switches, a stack of stackable switches<br />
act as one switch.<br />
14.6.3.5 SECRET Network Design<br />
14.6.3.5-p1 For the EAPC SECRET LAN services, the following requirements<br />
apply:<br />
A. Connections must be wired, with Fibre for EAPC.<br />
B. Devices shall be modular based or single fixed configured stackable.<br />
C. The device must be able to support at least 16,000 MAC addresses.<br />
D. The device uplink must be dual homed <strong>and</strong> connected to each server<br />
room for redundancy.<br />
E. The device shall be upgradable to at least the next capacity level (e.g.<br />
implement 10 Gbps, service must be upgradable to at least the next<br />
capacity level at 40 Gbps).<br />
14.6.3.5-p2 For the NATO SECRET LAN services, the following requirements<br />
apply:<br />
A. Connections must be wired, with Fibre for NS.<br />
B. Devices shall be modular based or single fixed configured stackable.<br />
C. The device must be able to support at least 16,000 MAC addresses.<br />
D. The device uplink must be dual homed <strong>and</strong> connected to each server<br />
room for redundancy.<br />
E. The device shall be upgradable to at least the next capacity level (e.g.<br />
implement 10 Gbps, service must be upgradable to at least the next<br />
capacity level at 40 Gbps).<br />
14.6.4 Conference Room Infrastructure<br />
14.6.4-p1 In the conference room area requires network access to all 4 networks.<br />
The <strong>ANWI</strong> contractor shall provide switching capability for 400 user devices in this<br />
area. The Conference area LAN capability shall be able to be switched flexible<br />
between network classifications depending on the classification of the conference.<br />
14.6.4-p2 Information <strong>and</strong> requirements for the Network agnostic clients can be<br />
found in Annex H, Appendix 3.<br />
14.6.5 Information Assurance<br />
14.6.5-p1 NITC guidance on the hardening of switches <strong>and</strong> routers shall be used<br />
as a guideline for securing the NNHQ networks.
14.6.5-p2<br />
N A T O U N C L A S S I F I E D<br />
Port Security shall be implemented<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-303 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
14.6.5-p3 Logical segmentation along functional boundaries using VLANs shall be<br />
implemented, at a minimum voice, management <strong>and</strong> user data shall be separated.<br />
14.6.5-p4 Authentication of access to switches <strong>and</strong> routers shall be via a<br />
mechanism based on the use of a security server such as TACACS+ or RADIUS .<br />
14.6.5-p5<br />
guidance .<br />
Switches <strong>and</strong> routers shall be hardened in accordance with NITC<br />
14.6.5-p6 Wireless LAN shall be used only for UNCLASSIFIED information <strong>and</strong><br />
shall be implemented in accordance with the guidance.<br />
14.6.5-p7 Wireless user-based authentication shall be based on an Extensible<br />
Authentication protocol st<strong>and</strong>ard.<br />
14.6.5-p8 Wireless LAN (WLAN) Access Points (AP) shall be placed in secured<br />
areas to prevent unauthorized access.<br />
14.6.5-p9 WLAN AP shall be separated from wired LAN by Boundary Protection<br />
Devices (e.g. firewall <strong>and</strong> IDS).<br />
14.6.5-p10 Wireless VLANs – shall use separated VLANs for NATO internal<br />
users <strong>and</strong> guests.<br />
14.6.6 Service Management<br />
14.6.6-p1 The generic management requirements:<br />
A. There shall be out of b<strong>and</strong> management (Ethernet based, at minimum<br />
fibre based for classified equipment). – All LAN devices shall have a<br />
dedicated management port.<br />
B. LAN devices shall be programmable via a secure interface offering<br />
SSHv2, HTTP with SSL <strong>and</strong> SNMPv3.<br />
C. LAN devices shall support at least IGMP v2 <strong>and</strong> 3, Telnet, TFTP, (S)NTP.<br />
D. LAN device management via RMON <strong>and</strong> web based management<br />
functionality (at a minimum – Traffic Statistics, history, events <strong>and</strong> alarms)<br />
shall be provided internally to the switch. This capability, when turned on,<br />
shall not severely diminish the processing capability, degrade performance<br />
<strong>and</strong> speed of the switch.<br />
E. LAN devices shall be manageable (remotely monitor, control <strong>and</strong><br />
diagnose) via SNMP <strong>and</strong> RMON capabilities (module). They shall have<br />
support for network management packages (e.g. HP Openview, IBM<br />
Tivoli/Netview, SPECTRUM, MS SCCM/SCOM).<br />
F. The wired network service component shall support: SNMP v3, NetFlow<br />
(or comparable) MIBII, RMON MIB I&II <strong>and</strong> RMON-II MIB, Ethernet MIB,<br />
802.1x MIB,(VRRP MIB,OSPF MIB, BGP MIB, IGMP MIB, PIM MIB,<br />
Router MIB) <strong>and</strong> SSH where applicable.<br />
G. Configurations of network elements <strong>and</strong> networking services are controlled<br />
through a configuration management <strong>and</strong> deployment system using the<br />
CMDB. Network elements may not be configured (less emergency<br />
interventions) by administrators in isolation directly on the hardware (either<br />
through direct or remote terminal connections).
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
H. Scheduled <strong>and</strong> on dem<strong>and</strong> automated infrastructure discovery shall be<br />
used to validate against approved configuration in CMDB. Discrepancies<br />
shall result in a trouble ticket to be automatically generated. Critical<br />
unauthorized configuration changes may result in roll-back action<br />
depending on the policy. Authorized deltas between deployed <strong>and</strong> stored<br />
configurations shall lead to update of CMDB.<br />
I. Automatic infrastructure discovery shall find <strong>and</strong> store the configuration of<br />
infrastructure elements <strong>and</strong> the relationships/mapping between them.<br />
J. Configuration changes on infrastructure elements shall trigger an event to<br />
the N/ELM, which is logged <strong>and</strong> must trigger a re-discovery <strong>and</strong> potential<br />
follow-up action if the re-discovery determines that the configuration<br />
change unauthorized.<br />
K. Configurations of network elements <strong>and</strong> changes thereof shall be centrally<br />
controlled <strong>and</strong> approved recording an audit trail recording requester,<br />
approver, <strong>and</strong> implementer.<br />
L. Network elements shall use SNMP Trap <strong>and</strong>/or Syslog for event reporting.<br />
M. Network elements shall generate as a minimum an event upon element<br />
status change, interface status change, exceeding environmental<br />
thresholds (typically internal temperature sensors) <strong>and</strong> terminal access.<br />
N. Wireless Access Points shall be controllable centrally. The solution shall<br />
be controller based using CAPWAP protocol.<br />
O. The wireless system shall be able to detect, identify <strong>and</strong> locate the source<br />
of interferences<br />
P. A dedicated radio shall be used to detect interference<br />
14.6.6-p2 The <strong>ANWI</strong> Contractor’s provided LAN Service shall conform to the<br />
following Service Level Agreement/Targets:<br />
Service Level Target Parameters<br />
Availability SLTs<br />
Service Availability (%) 99,99%<br />
Max number for scheduled downtimes (month) 1<br />
Manageability SLTs<br />
Frequency of Service Measurements<br />
Continuous<br />
Frequency of SLA Reports<br />
Daily/Weekly<br />
Reliability SLTs<br />
Service reliability (%) >99,99%<br />
Maintainability SLTs<br />
Mean Time To Restore (MTTR) (hours) 4<br />
Performance Parameters<br />
Switch Throughput (Server-Server)<br />
~ 1 Gbps<br />
Switch Throughput (Server-Client)<br />
~ 100 Mbps<br />
Network Latency < 10 ms (layer 2/3)<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-304 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
14.6.7 Management <strong>and</strong> Operational Requirements<br />
14.6.7.1 Interfaces<br />
14.6.7.1-p1 The <strong>ANWI</strong> LAN (wired <strong>and</strong> wireless) design shall describe the<br />
following internal interfaces <strong>and</strong> dependencies:<br />
Processing<br />
Storage<br />
Printing<br />
User Services<br />
LAN X X X X X X X X X X X X X X X X X X X X X X X X X<br />
AD<br />
DNS<br />
DHCP<br />
NTP<br />
NAC<br />
14.6.7.2 Backup <strong>and</strong> Recovery<br />
Client Provisioning<br />
LAN<br />
Cross Domain<br />
Email<br />
14.6.7.2-p1 The <strong>ANWI</strong> Contractor shall include the configuration files of network<br />
devices shall be available on both online <strong>and</strong> offline storage.<br />
14.6.8 Testing<br />
14.6.8-p1 The <strong>ANWI</strong> Contractor shall test the (wired <strong>and</strong> wireless) LAN service<br />
using the following End-to-End Test Scenarios:<br />
A. Throughput/latency tests to verify switch performance.<br />
B. Performance testing:<br />
1. From server to server (rack switch).<br />
2. From server to end devices (end-to-end).<br />
3. From end device to end device.<br />
IM<br />
B. Spanning tree testing. (or comparable protocol e.g. TRILL)<br />
C. Test accessibility of restricted VLANs (E.g. the management VLAN should<br />
be restricted from a user VLAN).<br />
D. Test IPv6 support (IPv6 only, IPv4/IPv6 together).<br />
14.6.9 Training<br />
14.6.9-p1 The <strong>ANWI</strong> Contractor shall train the ICTM staff on how to install,<br />
configure, operate <strong>and</strong> troubleshoot the following areas to support the LAN capability:<br />
A. Hardware installation <strong>and</strong> configuration.<br />
B. Hardware troubleshooting <strong>and</strong> fault finding.<br />
C. Hardware maintenance tasks (e.g. Firmware <strong>and</strong> Bios upgrades).<br />
D. Configuration of LAN infrastructure.<br />
E. Management of LAN infrastructure.<br />
Voice<br />
VTC services<br />
Presence<br />
Collaboration<br />
IPTV<br />
File services<br />
Remote users<br />
Browsing<br />
ESS<br />
BMS<br />
ICTM applications<br />
Web Publishing<br />
SMC<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-305 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
SECTION 15. ANNEX G: UCC SERVICES<br />
15.1 APPENDIX 1: Introduction to UCC Services<br />
15.1.1 Definition<br />
15.1.1-p1 This section describes the requirements of the UCC capability to be<br />
provided as part of the <strong>ANWI</strong> for the new NATO HQ building. While this contract only<br />
deals with NATO HQ UCC capability, UCC services will also be implemented NATO<br />
Wide at a later stage.<br />
15.1.1-p2 UCC is defined as an evolving technology architecture that integrates<br />
real-time <strong>and</strong> non real-time communication <strong>and</strong> collaboration services delivered<br />
ubiquitously across a protected <strong>and</strong> highly available network infrastructure. Its goal is<br />
to improve productivity <strong>and</strong> efficiency through enhanced human communication <strong>and</strong><br />
collaboration. UCC is not a single product, but a set of services that provide a<br />
consistent unified user interface <strong>and</strong> user experience across multiple devices <strong>and</strong><br />
media types.<br />
15.1.2 Scope<br />
15.1.2-p1 The services made available shall be configurable using the parameters<br />
in the following table:<br />
Scenario Parameter Minimum Set of Values<br />
Users NNHQ User Types (Reference: 1.1.1.7.1.)<br />
Devices<br />
NNHQ Managed<br />
Locations<br />
Inside NNHQ Campus – Class 2 (Reserved Zone)<br />
Inside NNHQ Campus – Class 1 (Secure Compartments)<br />
Inside NNHQ Campus – ADMZ (Controlled Zone)<br />
Inside NNHQ Campus – Base (Common Zone)<br />
Outside NNHQ Campus – Remote Sites<br />
Outside NNHQ Campus – Anywhere<br />
Table 15.1 UCC Overall Site Parameters<br />
15.1.2.1 Domains<br />
15.1.2.1-p1 The requirements apply for: NATO SECRET, EAPC SECRET,<br />
BUSINESS (NR) <strong>and</strong> PUBLIC.<br />
15.1.2.2 Location<br />
15.1.2.2-p1 The UCC service components shall be delivered <strong>and</strong> installed in two<br />
NNHQ server rooms. The <strong>ANWI</strong> Contractor shall design a physical layout in<br />
compliance with the limits defined in the Processing Services Location (Section<br />
15.2.3.2).<br />
15.1.2.2-p2 The client software shall be provisioned as described in Annex H.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-306 of 532
15.1.2.3 UCC Integration<br />
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
15.1.2.3-p1 The UCC environment shall be constructed through the integration<br />
of a set of communication <strong>and</strong> collaboration services that either exist in current<br />
NATO systems or additional UCC services provided through the <strong>ANWI</strong> UCC system.<br />
When combined together they shall integrate to the full extent, allowing users to<br />
make use of all available services in a converged unified communication <strong>and</strong><br />
collaboration environment.<br />
15.1.2.4 UCC Integration Concept<br />
15.1.2.4-p1 The NNHQ UCC Services shall be part of an integrated approach,<br />
the UCC concept, as depicted in figure 15.1.<br />
Figure 15.1: NATO UCC Concept<br />
15.1.2.4-p2 The UCC capability shall be compliant with the NATO UCC<br />
conceptas depicted in figure 15.1.<br />
15.1.2.4-p3<br />
Integration.<br />
The UCC capability shall provide Service <strong>and</strong> User-Interface<br />
15.1.2.4-p4 The <strong>ANWI</strong> Contractor shall deliver a UCC capability which shall<br />
provide the following service components:<br />
A. Voice.<br />
B. Voicemail.<br />
C. VTC.<br />
D. Email.<br />
E. Fax.<br />
F. Calendar/scheduling.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-307 of 532
G. Instant Messaging (IM).<br />
H. Presence.<br />
I. Unified messaging.<br />
J. Directory services.<br />
K. Collaboration tools.<br />
L. Mobility.<br />
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
15.1.2.4-p5 As part of the Detailed <strong>Technical</strong> Design of his technical solution to<br />
be provided in the relevant Section of the <strong>ANWI</strong> Design Document, the <strong>ANWI</strong><br />
Contractor shall describe <strong>and</strong> provide the <strong>ANWI</strong> UCC design that reflects the <strong>ANWI</strong><br />
UCC logical model <strong>and</strong> <strong>ANWI</strong> UCC architecture as specified in sections 15.1.3-<br />
15.1.4 covering the following aspects:<br />
<br />
<br />
<br />
<br />
The network access requirements for both <strong>ANWI</strong> internal <strong>and</strong> external network<br />
interfaces.<br />
The service integration capabilities that comprise a full unified capability.<br />
The unified UCC ELM capability <strong>and</strong> its interface to centralised management.<br />
Using a modular approach as introduced in the <strong>ANWI</strong> UCC architecture.<br />
15.1.2.5 <strong>Architecture</strong><br />
15.1.2.5-p1 Figure 15.2 shows the <strong>ANWI</strong> UCC services mapping to the services<br />
taxonomy as introduced in Annex C.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-308 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Figure 15.2: <strong>ANWI</strong> UCC services mapped to services taxonomy.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-309 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
15.1.3 Logical Model<br />
Figure 15.3: NATO UCC Logical Model<br />
15.1.3-p1 The UCC delivered capability shall be based on the logical model as<br />
depicted in figure 15.3 <strong>and</strong> have at least the following logical modules:<br />
A. UCC Service Integration Module: The module that shall achieve the<br />
unified communications <strong>and</strong> collaboration presentation of both end-user<br />
(UCC client) as well as backend service (UCC core <strong>and</strong> NATO HQ<br />
services components).<br />
B. NATO HQ UCC clients module providing the service to the UCC enabled<br />
clients to include the UCC vendor user application that allows a user to<br />
have unified access to all UCC marked services as well as the interface<br />
(API) to user application either residing on the client or as part of the<br />
<strong>ANWI</strong> backend services.<br />
C. NATO HQ UCC Service Delivery <strong>System</strong> module: responsible for end-toend<br />
delivery of UCC services by utilising the <strong>ANWI</strong> core UCC services, the<br />
NATO HQ service components (other ICT service in the building) <strong>and</strong> the<br />
services available through the services domain gateway (either NATO<br />
wide or commercially provided UCC related services).<br />
D. Services domain gateway module that is interface from the UCC service<br />
delivery module to the external UCC related services.<br />
15.1.3-p2 The Logical Model abstracts from the security domain model. The<br />
<strong>ANWI</strong> contractor shall determine with <strong>ANWI</strong> UCC components need to be hosted on<br />
what infrastructure <strong>and</strong> associated domains/DMZ segments.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-310 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
15.1.3-p3 As part of the Detailed <strong>Technical</strong> Design of his technical solution to be<br />
provided in the relevant Section of the <strong>ANWI</strong> Design Document , the <strong>ANWI</strong><br />
Contractor shall, in compliance with the Logical Model defined in Figure 15.3,<br />
describe the architecture (server <strong>and</strong> client side) delivering the UCC experience <strong>and</strong><br />
the integration functions.<br />
15.1.3-p4 The UCC Core services shall provide interfaces that adhere to the<br />
prescribed UCC services internal <strong>and</strong> external interface st<strong>and</strong>ards to integrate with<br />
all other <strong>ANWI</strong> services.<br />
15.1.3-p5 The UCC internal interfaces between the UCC logical model<br />
components shall adhere to the prescribed UCC service st<strong>and</strong>ards <strong>and</strong> based on<br />
open industry st<strong>and</strong>ards to achieve a coherent <strong>and</strong> unified architecture for all<br />
identified UCC services.<br />
15.1.3-p6 The <strong>ANWI</strong> Contractor shall outline the compatibility of the UCC<br />
capability with existing service component systems that are either identified as<br />
internal <strong>ANWI</strong> interfaces or external <strong>ANWI</strong> interfaces in each of the individual UCC<br />
service specification as provided in Appendix 15.2-15.12.<br />
15.1.3-p7 UCC Service Integration Module shall provide service integration at<br />
either server <strong>and</strong>/or client side.<br />
15.1.3-p8 The NATO HQ UCC capability shall, integrate with the <strong>ANWI</strong> cross<br />
domain module (see Annex E) to provide external connectivity via the Service<br />
Domain Gateways to allow Alliance or NATO wide interoperability or interoperability<br />
with services as provided by commercial providers..<br />
15.1.3-p9 The <strong>ANWI</strong> Contractor shall provide UCC clients with both UCC User<br />
applications <strong>and</strong> with UCC functionalities which are integrated with business<br />
applications…delivering the UCC experience.<br />
15.1.3-p10 The delivered UCC capability shall allow the usage of all different<br />
types of user devices as described in the Client Provisioning Service Annex.<br />
15.1.4 <strong>ANWI</strong> UCC <strong>Architecture</strong><br />
15.1.4-p1 Based on the logical model from figure 15.3 the architecture is defined<br />
<strong>and</strong> visualised in figure 15.4. The modules are described in more detail in the<br />
following sections.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-311 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Figure 15.4: <strong>ANWI</strong> UCC <strong>Architecture</strong>, Service Component <strong>View</strong><br />
15.1.4.1 HQ UCC Service Delivery <strong>System</strong><br />
15.1.4.1-p1 The architecture introduces three main building blocks mapping the<br />
to the logical model as introduced in figure 15.3:<br />
A. NATO HQ UCC Service Delivery <strong>System</strong>, which consists of the following<br />
modules:<br />
1. NATO HQ Service Component <strong>System</strong>s, (external) non-UCC core<br />
systems that consume UCC services <strong>and</strong> deliver UCC based services,<br />
(these could be specific Business applications). In the remainder of this<br />
section these systems will not be defined in further detail.<br />
2. UCC Core Service Interfaces.<br />
3. UCC Service Delivery Core <strong>System</strong>, which provide the UCC SMC, UCC<br />
service integration API’s <strong>and</strong> UCC Client service API’s.<br />
B. Service domain gateway<br />
C. NATO HQ UCC Clients including the UCC devices <strong>and</strong>, UCC client<br />
integration API <strong>and</strong> the UCC user interfaces.<br />
15.1.4.1-p2 The architecture reflects a clear distinction between the NATO HQ<br />
UCC Service delivery <strong>System</strong> <strong>and</strong> the UCC Service Delivery Core system.<br />
Integration of (existing or future) service components are defined at this layer via<br />
(Industry st<strong>and</strong>ard) interfaces. The <strong>ANWI</strong> contractor shall deliver NATO HQ UCC<br />
services by using the UCC core services interfaces.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-312 of 532
N A T O U N C L A S S I F I E D<br />
15.1.4.2 UCC Service Delivery Core <strong>System</strong><br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
15.1.4.2-p1 The following components are envisioned to form the UCC Service<br />
Delivery Core <strong>System</strong>:<br />
A. The Service Component Core system interfaces shall allow integration of<br />
“external Industry St<strong>and</strong>ardised Interfaces into the UCC capability. This<br />
will enable new NATO defined service components (NATO HQ Service<br />
Component systems) to be integrated into the vendor proposed solution.<br />
B. The UCC services are available via the client interfaces (APIs) for the<br />
UCC Clients.<br />
C. This component implements the management functionality of the UCC<br />
capability/appliance. It shall be scalable <strong>and</strong> provide wide support of<br />
clients:<br />
1. Services management.<br />
2. User management.<br />
3. Monitoring & reporting.<br />
4. Security.<br />
15.1.4.2-p2 The delivered UCC capability shall allow modular expansion by<br />
addition or hardware <strong>and</strong> / or software. The <strong>ANWI</strong> Contractor shall identify the<br />
granularity <strong>and</strong> limitations of the delivered UCC capability expansion in the Detailed<br />
<strong>Technical</strong> Design part of the <strong>ANWI</strong> Design Document. The contractor shall explain<br />
<strong>and</strong> describe how the modular expansion capability of the UCC capability will be<br />
implemented.<br />
15.1.4.2-p3 The UCC Service Delivery Core system shall deliver the<br />
functionality as required for each of the <strong>ANWI</strong> UCC services as specified in Appendix<br />
15.2-15.12.<br />
15.1.4.2-p4 The UCC service shall provide seamless integration between the<br />
UCC core system <strong>and</strong> the NATO-defined service components. The <strong>ANWI</strong> Contractor<br />
delivered capability may provide all the service components as part of the UCC core<br />
system but shall provide as a minimum, functionality identified by the NATO-defined<br />
service components outlined in Figure 15.4.<br />
A. Voice<br />
B. Voicemail<br />
C. VTC<br />
D. Email<br />
E. IM<br />
F. Presence<br />
G. Directory<br />
H. Collaboration Tools<br />
I. Calendar/scheduling<br />
J. Mobility<br />
15.1.4.2-p5 The integration of the functionality of the different service<br />
components required to deliver the UCC user experience may happen in the core<br />
system or in the client. The <strong>ANWI</strong> Contractor shall specify where in the architecture<br />
the functionality provided by his capability resides<br />
15.1.4.2-p6 The UCC capability shall provide a unique user id valid for reaching<br />
the user via different service components.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-313 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
15.1.4.2-p7 The UCC Service Delivery Core <strong>System</strong> shall perform access<br />
control for access of UCC users to the UCC services utilising the user <strong>and</strong> device<br />
authentication mechanism.as specified in annex F.<br />
15.1.4.3 General UCC Client requirements<br />
15.1.4.3-p1 Clients: UCC Clients are Clients providing access to several of the<br />
UCC service components. The following Clients shall be used:<br />
A. Analogue/Basic SIP phone.<br />
B. Medium SIP phone.<br />
C. Multimedia SIP phone.<br />
D. VTC client.<br />
E. Smartphone/Basic wireless device.<br />
F. Tablet PC/Medium Wireless Device.<br />
G. Netbook, Laptop/Advanced wireless Device.<br />
H. Desktop computer/Server.<br />
15.1.4.3-p2 The <strong>ANWI</strong> Contractor shall provide a list of Clients proposed in their<br />
capability <strong>and</strong> shall identify, for all <strong>ANWI</strong> clients <strong>and</strong> all possible other client, the level<br />
of support of UCC services <strong>and</strong> client user interfaces.<br />
15.1.4.4 Service Domain Gateway<br />
15.1.4.4-p1 Services Domain Gateways shall provide service <strong>and</strong>/or security<br />
related cross domain functions. All UCC service gateway functions shall meet<br />
requirements as stated in the Cross Domain Services in Annex E Appendix 2 <strong>and</strong><br />
adhere to the end-2-end UCC services cross domain interfaces as specified in each<br />
UCC service specification in appendix 15.2-15.12<br />
15.1.5 UCC Services <strong>and</strong> NNHQ Multiple Classification Networks<br />
15.1.5-p1 UCC is most efficient if there is one UCC environment serving the entire<br />
community of the NNHQ. However NNHQ shall consist of 4 separated classification<br />
domains:<br />
A. Public domain.<br />
B. Business Network (NATO Restricted network).<br />
C. Euro-Atlantic Partnership Council (EAPC) domain.<br />
D. NATO Secret domain.<br />
15.1.5-p2 UCC service components shall be available on all 4 networks. However,<br />
not all the networks receive all the UCC capabilities.<br />
15.1.5-p3 Connectivity between the different classification networks shall be<br />
strictly controlled by gateways which limit full functionality integration of each of the<br />
service components. In addition to the service requirements between the different<br />
classification networks inside the NNHQ, there are also service requirements to other<br />
NATO locations (federated or equal level of security domain), on external networks<br />
15.1.5-p4 A service matrix table at each service component provides an overview<br />
of services that shall be supported as a minimum, in between the multiple<br />
classification networks both internal to NNHQ as well as to external locations. The<br />
comprehensive table including all services requirement can be found in section<br />
<strong>Technical</strong> Annex D section 12.6: End-to-End Services.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-314 of 532
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-315 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
15.1.5-p5 The <strong>ANWI</strong> Contractor shall implement UCC Services on the NS<br />
infrastructure supporting the NS <strong>and</strong> EAPC user domains <strong>and</strong> on the NU/NR/Public<br />
infrastructure supporting the Business (NR) <strong>and</strong> Public user domains.<br />
15.1.5-p6 The <strong>ANWI</strong> Contractor shall design the UCC services considering all the<br />
required capabilities including the high level capabilities requirements of service<br />
management <strong>and</strong> information management.<br />
15.1.5-p7 The <strong>ANWI</strong> Contractor shall clearly describe how the service <strong>and</strong> the<br />
individual capabilities are integrated in the service management <strong>and</strong> control (SMC)<br />
<strong>and</strong> Information Assurance Services in support of the overall ICT SMC <strong>and</strong> IA<br />
management concept as indicated in Annex E.<br />
15.1.6 UCC Service Management Requirements<br />
15.1.6-p1 This component implements the management functionality of the UCC<br />
capability/appliance. It shall be scalable <strong>and</strong> provide wide support of management<br />
functions <strong>and</strong> clients:<br />
A. Services management.<br />
B. User management.<br />
C. Monitoring & reporting.<br />
D. Security.<br />
15.1.6-p2 The <strong>ANWI</strong> Contractor shall deliver UCC management consoles the<br />
UCC management functionality for use on designated workstations subject to user<br />
role.providing centralized system management of the whole service <strong>and</strong> service (<strong>and</strong><br />
service supporting) components (per security domain).<br />
15.1.6-p3 The UCC system shall support availability management from the<br />
centralized overarching management system Integrated Operation Support <strong>System</strong><br />
(IOSS) using SNMPv3.<br />
15.1.6-p4 There shall be policy-based centralised user-, service <strong>and</strong> client<br />
management (policy based deployments to control user environment, software<br />
update propagation).<br />
15.1.6-p5 The <strong>ANWI</strong> Contractor shall provide the following Management functions<br />
that shall be run from centralised locations for the user, service, client <strong>and</strong> system<br />
for:<br />
A. Planning.<br />
B. Configuration.<br />
C. Deployment.<br />
D. Activation.<br />
E. Quality monitoring (passive <strong>and</strong>/or active data collection).<br />
15.1.6-p6 The <strong>ANWI</strong> contractor shall implement service performance reporting<br />
(scheduled <strong>and</strong> on dem<strong>and</strong> reporting).<br />
15.1.6-p7 The <strong>ANWI</strong> contractor shall implement the necessary security<br />
mechanisms in-line with the SRA to achieve a robust security capability for UCC<br />
SMC user access.<br />
15.1.6-p8 There shall be detailed error logging with fault resolution (event<br />
correlation, root cause analysis).
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
15.1.6-p9 Devices shall not be allowed to connect to the UCC system without<br />
granted network access (authentication).<br />
15.1.6-p10 The UCC shall keep call records of attempted <strong>and</strong> successful calls,<br />
connections recording originator, receiver, session start <strong>and</strong> session stop<br />
(asymmetric messaging record a message transmitted timestamp <strong>and</strong> no session<br />
start <strong>and</strong> stop timestamp).<br />
15.1.6-p11 The <strong>ANWI</strong> Contractor shall provide information on future UCC<br />
technologies <strong>and</strong> enhancement that can become in scope for a mature <strong>and</strong> solid<br />
infrastructure services towards 2015.<br />
15.1.6-p12 Both static provisioning <strong>and</strong> DCHP based provisioning shall be<br />
possible to configure network parameters.<br />
15.1.6-p13<br />
upgrade.<br />
The <strong>ANWI</strong> SMC shall be capable of remote firmware <strong>and</strong> software<br />
15.1.7 Service Level Agreement/Targets<br />
15.1.7-p1 As indicated in the definition, the UCC services provide all<br />
communication <strong>and</strong> collaboration capabilities including synchronous capabilities for<br />
all users <strong>and</strong> other services.<br />
15.1.7-p2 The UCC service shall have a service availability of 99.99%. This<br />
availability shall be ensured across both server rooms. This availability figure shall be<br />
achieved end-to-end over all underlying sub-services, (excluding external<br />
dependency outages).<br />
15.1.7-p3 For some of the sub-services described in the appendix, some<br />
performance degradation is acceptable in case of a catastrophic failure (E.g. Server<br />
room failure). More details can be found in each of the UCC service annexes 15.2-<br />
15.12.<br />
15.1.7-p4 The common SLTs for each of the individual services as shown in the<br />
table below shall be achieved:<br />
Service Level Target Parameters<br />
UCC Services<br />
Capacity SLTs (6 months period)<br />
Number of Capacity Shortfall Incidents 1<br />
Number of Capacity Modifications 4<br />
Resolution Time for Capacity Adjustments (hours) 24<br />
Capacity Reserve (%) 25<br />
Availability SLTs (6 months period)<br />
Service Availability (%) 99.99<br />
Response Times<br />
N/A<br />
Number of Service Interruptions 2<br />
Duration of Service Interruptions (hours) 1<br />
Number of Service Availability Measurements<br />
Continuous<br />
Reliability SLTs (6 months period)<br />
Mean Time Between Failures (MTBF) (hours) 4380<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-316 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Service Level Target Parameters<br />
UCC Services<br />
Mean Time Between Critical Failures (hours) 4380<br />
Number of Critical Failures 1<br />
Maintainability SLTs (6 months period)<br />
Mean Time To Replace / Repair (MTTR) (hours) 4<br />
Number of Corrective Maintenance Actions 1<br />
Number of Preventive Maintenance Actions 1<br />
Table 15.1 UCC SLT/SLA<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-317 of 532
15.1.7-p5<br />
Performan<br />
ce<br />
Capacity<br />
(minimum)<br />
Mean<br />
Opinion<br />
Score (ITU<br />
P.800)<br />
Voice<br />
N A T O U N C L A S S I F I E D<br />
Other required specific sub service SLTs are specified in the table below:<br />
1000<br />
simultaneous<br />
internal calls,<br />
500<br />
simultaneous<br />
external calls<br />
Internal<br />
higher than<br />
4.0, External<br />
higher than<br />
Voic<br />
ema<br />
il<br />
30<br />
min<br />
utes<br />
/use<br />
r<br />
VTC<br />
100<br />
simultaneous<br />
internal<br />
desktop VTC,<br />
100<br />
simultaneous<br />
external<br />
desktop VTC,<br />
Simultaneous<br />
VTC from ALL<br />
VTC/Conferen<br />
ce rooms<br />
Email<br />
10 internal<br />
messages / hour /<br />
user, 10 external<br />
messages / hour /<br />
user<br />
Unified<br />
Messagi<br />
ng<br />
N/A<br />
FAX<br />
200<br />
messages<br />
/hour<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-318 of 532<br />
Instant Messaging<br />
ALL users to be<br />
online<br />
simultaneously, 10<br />
internal messages /<br />
hour / user, 10<br />
external messages /<br />
hour / user<br />
Prese<br />
nce<br />
ALL<br />
users<br />
to be<br />
online<br />
simult<br />
aneou<br />
sly<br />
UCC<br />
Directo<br />
ry<br />
ALL<br />
users to<br />
be<br />
online<br />
simulta<br />
neously<br />
3.8 N/A N/A N/A N/A N/A N/A N/A N/A N/A<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Collaboration<br />
200 simultaneous<br />
internal sessions,<br />
100 simultaneous<br />
external sessions<br />
Mobility<br />
1000<br />
simultaneous<br />
internal calls,<br />
500<br />
simultaneous<br />
external calls<br />
Higher than<br />
3.8<br />
Less<br />
than 1<br />
secon<br />
d N/A N/A N/A<br />
300 dpi or<br />
higher N/A N/A N/A 1080p or Higher N/A<br />
Delay (s) Max … N/A Max … N/A N/A N/A<br />
720p or<br />
Resolution N/A N/A Higher N/A N/A<br />
Less<br />
than<br />
100<br />
Server<br />
messag<br />
Queue N/A N/A N/A<br />
es N/A N/A N/A N/A N/A<br />
Less than 100<br />
messages<br />
Less than 5 minutes<br />
Less than Less than 5 seconds<br />
external, Less than 1<br />
5 minutes external, Less than 2<br />
Send Delay N/A N/A N/A<br />
minutes internal N/A external seconds internal N/A N/A N/A N/A<br />
Request/se<br />
c N/A N/A N/A N/A N/A N/A N/A N/A 100 N/A N/A<br />
Less<br />
Latency N/A N/A N/A N/A N/A N/A N/A N/A than 1 N/A N/A
Performan<br />
ce<br />
Voice<br />
Voic<br />
ema<br />
il<br />
VTC<br />
Email<br />
N A T O U N C L A S S I F I E D<br />
Unified<br />
Messagi<br />
ng<br />
FAX<br />
Instant Messaging<br />
Prese<br />
nce<br />
UCC<br />
Directo<br />
ry<br />
ms<br />
internal<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Collaboration<br />
For internal<br />
connection,<br />
Responsive<br />
ness N/A N/A N/A N/A N/A N/A N/A N/A N/A<br />
Keypress delay less<br />
than 500 ms<br />
3 seconds<br />
10 secondes<br />
External, 1<br />
External, 5<br />
Max time second<br />
seconds<br />
5 seconds<br />
before call Internal N/A Internal N/A N/A External N/A N/A N/A N/A<br />
Peak<br />
Mobile<br />
Client (%) N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 100<br />
Average<br />
Mobile<br />
Client (%) N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 40<br />
Table 15.2 Sub Service SLTs<br />
Mobility<br />
N/A<br />
3 seconds<br />
External, 1<br />
second<br />
Internal<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-319 of 532
15.1.8 Service Testing <strong>and</strong> Reporting<br />
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
15.1.8-p1 The <strong>ANWI</strong> Contractor shall manage UCC services through the SMC.<br />
The SMC shall also provide the capability to provide reports on the different UCC<br />
sub-services. These reports shall also be required to measure the compliance of the<br />
system towards the SLA requirements.<br />
15.1.8-p2 Individual sub-services shall be tested for compliance on the technical<br />
requirements of the specific sub-service.<br />
15.1.8-p3 Overall end-to-end UCC integration tests shall be conducted to verify<br />
the integration of the individual capabilities into the service. These integration tests<br />
shall include the SMC <strong>and</strong> IA capabilities <strong>and</strong> requirements.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-320 of 532
N A T O U N C L A S S I F I E D<br />
15.2 APPENDIX 2: Voice ServiceComponent<br />
15.2.1 Definition<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
15.2.1-p1 The <strong>ANWI</strong> Contractor shall provide a new voice service component for<br />
the NNHQ which shall integrate with the current NATO wide voice service<br />
component.<br />
15.2.2 Scope / Scenario<br />
15.2.2-p1 The <strong>ANWI</strong> Contractor shall design <strong>and</strong> implement a voice service into<br />
the <strong>ANWI</strong> to deliver voice communications support that integrates into the <strong>ANWI</strong><br />
UCC.<br />
15.2.2-p2 The <strong>ANWI</strong> voice service shall be designed <strong>and</strong> implemented to support<br />
the following interconnection scenarios:<br />
User<br />
Servic<br />
es<br />
1/2<br />
From way<br />
G<br />
W To<br />
Provide<br />
r<br />
External<br />
service Remarks<br />
Voice NR - NR <strong>ANWI</strong> VoIP on NR BUS to BUS soft clients<br />
PUBL G<br />
VoIP session between <strong>ANWI</strong> PUBLIC to <strong>ANWI</strong> NR (From GW3<br />
IC <br />
NAT<br />
O <br />
NR ><br />
NAT<br />
O <br />
PUBL<br />
IC ><br />
NR <br />
PUBL<br />
IC <br />
W3 NR <strong>ANWI</strong><br />
to GW2 to NR)<br />
G<br />
VoIP session between NATO VoIP Networks to <strong>ANWI</strong> NR (From<br />
W3 NR NGCS -<br />
GW3 to GW2 to NR)<br />
G exter<br />
VoIP session between External Networks to <strong>ANWI</strong> NR (From<br />
W3 nal NGCS -<br />
GW3 to GW2 to NR)<br />
G<br />
W3 NU NGCS - VoIP session between NATO Networks / <strong>ANWI</strong> NU<br />
G exter<br />
W3 nal NGCS - VoIP session between External Networks to <strong>ANWI</strong> PUBLIC<br />
G exter Commer<br />
W3 nal cial - Commercial Backup Route for Above NGCS link<br />
G exter Commer<br />
W3 nal cial - Commercial Backup Route for Above NGCS link<br />
Table 15.3 Voice service interconnections<br />
15.2.3 Service Requirements<br />
15.2.3.1 Domains<br />
15.2.3.1-p1 The <strong>ANWI</strong> Contractor shall deliver <strong>and</strong> install the voice service on<br />
the NATO SECRET, BUSINESS (software clients) <strong>and</strong> PUBLIC networks.<br />
15.2.3.1-p2 All NNHQ users shall access commercial <strong>and</strong> NATO core network<br />
telephony via the PBX/Soft PBX located on the BUSINESS network.<br />
15.2.3.1-p3 NNHQ secured voice shall be provided via VOIP phones routed<br />
through the NGCS’ NATO SECRET wide area network.<br />
15.2.3.2 Location<br />
15.2.3.2-p1 The <strong>ANWI</strong> Contractor’s UCC service voice components shall be<br />
delivered <strong>and</strong> installed in the two NNHQ server rooms per the physical layout <strong>and</strong><br />
limits defined in the communications’ room Appendix (Annex B).<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-321 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
15.2.3.2-p2 The <strong>ANWI</strong> voice endpoints shall be distributed across the NNHQ<br />
campus <strong>and</strong> remote offices as described in Annex M.<br />
15.2.3.2-p3 The <strong>ANWI</strong> Contractor shall design <strong>and</strong> implement the voice service<br />
in accordance to the following:<br />
A. Functional, performance <strong>and</strong> Interface details of the Voice Service<br />
component <strong>and</strong> integration capability are outlined in the following sections.<br />
B. The <strong>ANWI</strong> Contractor shall provide a new voice service component for the<br />
NNHQ which shall integrate with the current NATO wide voice service<br />
component.<br />
15.2.3.3 Functional requirements:<br />
15.2.3.3-p1 The NNHQ voice service component has to have at a minimum, the<br />
same functionality as the current NATO wide voice services.<br />
15.2.3.3-p2 The delivered NATO HQ Voice <strong>System</strong> (NVOS) equipment shall be<br />
modular <strong>and</strong> exp<strong>and</strong>able as follows:<br />
A. The initially delivered hardware <strong>and</strong> software equipment for 6000 users<br />
shall have expansion capability up to 10,000 users which should be<br />
reached by only making minor (configurational) changes.<br />
B. The delivered equipment shall allow expansion up to 15,000 by addition of<br />
hardware <strong>and</strong> software.<br />
C. The <strong>ANWI</strong> Contractor shall specify the limitation of the expansion required<br />
above in the UCC Detailed <strong>Technical</strong> Design.<br />
15.2.3.3-p3 The NATO HQ Voice <strong>System</strong> shall provide Call management <strong>and</strong><br />
<strong>System</strong> management functions via dedicated Consoles.<br />
15.2.3.3-p4 The NATO HQ Voice <strong>System</strong> (NVOS) shall be made of an IP<br />
Private Branch Exchange (IP PBX) using Voice over IP (VoIP) <strong>and</strong> Telephony over<br />
IP (ToIP) technology <strong>and</strong> principles. The delivered IP PBX shall be composed as a<br />
minimum of the following components:<br />
A. A call / session manager.<br />
B. A Gateway.<br />
C. A management system.<br />
15.2.3.3-p5 Call Admission Control shall be enforced to meet the service<br />
performance requirements.<br />
15.2.3.3-p6 5 levels of priority for each provided UCC services <strong>and</strong> features<br />
shall be delivered<br />
15.2.3.3-p7<br />
Dial <strong>and</strong> DTMF tones <strong>and</strong> announcements shall be provided.<br />
15.2.3.3-p8 The system shall ensure that the authorized precedence level is not<br />
exceeded by the user.<br />
15.2.3.3-p9 The voice routing plans shall comply with numbering schemes such<br />
as STANAG4214, ITU-T E.164 <strong>and</strong> the NGCS 7 digit-numbering scheme.<br />
15.2.3.3-p10 Echo cancellation shall meet the requirements of ITU<br />
Recommendation G.165 <strong>and</strong> G.168.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-322 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
15.2.3.3-p11 The Voice Service Component shall be built on a common<br />
Integrated Session Management function based on RFC 3261 / RFC 4411 / RFC<br />
4412 based MLPP capable SIP protocol.<br />
15.2.3.3-p12 The NVOS shall be capable of providing following types of trunks<br />
interfaces:<br />
A. SIP Trunking.<br />
B. Analogue trunk access.<br />
C. EURO ISDN BRA (2B + D).<br />
D. EURO ISDN PRA (30B + D, E1 or fractional E1).<br />
E. QSIG (st<strong>and</strong>ard ETS 300 172 of ETSI).<br />
F. DPNSS1 (E1 or fractional E1).<br />
G. CAS (Channel Associated Signalling).<br />
15.2.3.3-p13 The NVOS shall provide different subscriber types:<br />
A. Analogue subscribers.<br />
B. ISDN subscribers using Basic Rate interfaces.<br />
C. VoIP subscribers using SIP interfaces.<br />
D. VoIP subscribers using H 323 interfaces.<br />
E. DECT subscribers (GAP Compliant).<br />
15.2.3.3-p14 The NVOS shall provide the following basic telephone services for<br />
all subscriber types (PSTN, ISDN, VOIP, DECT):<br />
A. Direct call to internal network.<br />
B. Direct call to NCN.<br />
C. Direct call to local <strong>and</strong> national PTT.<br />
D. Direct call to international PTT.<br />
E. Direct call to other connected private or corporate telephone network.<br />
F. Direct calls from any external networks.<br />
15.2.3.3-p15 The NVOS shall offer a minimum of seven classes of service so that<br />
users can be allocated access to networks in accordance with the staff function<br />
performed. The seven classes of service shall be individually <strong>and</strong> collectively<br />
assignable <strong>and</strong> are the following:<br />
A. Access to the international public network.<br />
B. Access to the national public network.<br />
C. Access to the local public network.<br />
D. Access to the NATO Core network.<br />
E. Access to the National Defence Network to which the switch is connected.<br />
F. Access to an International Virtual Private Network (IVPN).<br />
G. Access to other extensions on the same IP PBX.<br />
15.2.3.3-p16<br />
The user shall be notified of missed calls.<br />
15.2.3.3-p17 NVOS shall be capable of providing interfaces to user client devices<br />
(not enabled with IP-VOIP interface) by either using interface cards or terminal<br />
adapters.<br />
15.2.3.3-p18<br />
The NVOS shall permit the hot swap replacements of system parts.<br />
15.2.3.3-p19 The <strong>ANWI</strong> Contractor equipment shall implement the configuration<br />
of the numbering plan as currently in use by NATO.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-323 of 532
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-324 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
15.2.3.3-p20 The <strong>ANWI</strong> Contractor equipment shall allow number range<br />
expansion <strong>and</strong> re-configuration of the initial numbering plan.<br />
15.2.3.3-p21 The <strong>ANWI</strong> Contractor equipment shall provide public service<br />
provider features through a personal subscriber identification code.<br />
15.2.3.3-p22 The NVOS shall include as a minimum the following supplementary<br />
services <strong>and</strong> features:<br />
A. Abbreviated dialling (general).<br />
B. Abbreviated dialling (individual).<br />
C. Calling line identification presentation (CLIP).<br />
D. Connected identification presentation (COLP).<br />
E. Call transfer (XFER).<br />
F. Call forwarding busy (CFB).<br />
G. Call forwarding no reply (CFNR).<br />
H. Call forwarding unconditional (CFU).<br />
I. Call Wait (WAIT).<br />
J. Call completion to a busy subscriber (CCBS).<br />
K. Add-on conference call (CONF).<br />
L. Pre-set conference.<br />
M. Closed User group (CUG).<br />
N. Hotline (automatic call to a pre-set number).<br />
O. Night service (all incoming calls automatically re-directed).<br />
P. Call pick up (any member of a group of users to pick-up).<br />
Q. Group hunting.<br />
R. Help line (in case of failure of the CTN, automatic connection to PTT line).<br />
S. Notification of missed calls.<br />
T. Audio conferencing for 3 or more user clients.<br />
U. Automatic call back on busy subscriber.<br />
15.2.3.3-p23 The NVOS shall allow remote access of centralised management by<br />
the NCIA NATO Wide Voice <strong>System</strong> Management Team.<br />
15.2.3.3-p24<br />
15.2.3.3-p25<br />
The NVOS shall implement call billing <strong>and</strong> accounting per user.<br />
The NVOS shall allow its management using SNMPv3.<br />
15.2.3.3-p26 The <strong>ANWI</strong> Contractor shall deliver an automatic pager or SMS<br />
capability to forward alarms to technicians in the event of an equipment failure. The<br />
level of alarm shall be configurable <strong>and</strong> related to failure types as defined by the<br />
maintenance team.<br />
15.2.3.4 Performance requirements<br />
15.2.3.4-p1 The delivered NVOS shall be configurable in redundant<br />
configurations so that failure of one piece of equipment shall not render the session<br />
management service unavailable.<br />
15.2.3.4-p2 The delivered NVOS shall have an architecture that provides full<br />
redundancy of all critical elements. Critical elements are elements whose failure<br />
causes a loss of NVOS capability (connection, services <strong>and</strong> features) <strong>and</strong> currently<br />
processed calls. This particularly implies the redundancy of at least power supply <strong>and</strong><br />
call processing devices/cards.
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
15.2.3.4-p3 The availability of any subscriber telephone line shall be as a<br />
minimum of 99.95%.<br />
15.2.3.5 Protocol Requirements<br />
15.2.3.5-p1 The Voice system components shall support the following Interfaces<br />
<strong>and</strong> protocols:<br />
A. Ethernet, ISDN <strong>and</strong> Analogue interfaces.<br />
B. IP protocols SIP, RFC 3261 / RFC 4411 / RFC 4412 based MLPP<br />
capable SIP, RTP/SRTP.<br />
C. QSIG on ISDN interfaces.<br />
D. Simplified Message Desk Interface (SMDI).<br />
15.2.3.5-p2 The Voice component shall be able to interface to H323.<br />
15.2.3.5-p3 The SIP RFCs implemented within the delivered UCC capability<br />
shall be listed in the UCC Detailed <strong>Technical</strong> Design.<br />
15.2.4 Management <strong>and</strong> Operational Requirements<br />
15.2.4.1 Internal Interfaces<br />
Processing<br />
Storage<br />
Printing<br />
User<br />
Services<br />
Voice X X X X X X X X X X X X X X X X X<br />
AD<br />
DNS<br />
DHCP<br />
NTP<br />
NAC<br />
Client Provisioning<br />
LAN<br />
Cross Domain<br />
Email<br />
IM<br />
Voice<br />
VTC services<br />
Presence<br />
Collaboration<br />
IPTV<br />
File services<br />
Remote users<br />
Browsing<br />
ESS<br />
BMS<br />
ICTM applications<br />
Web Publishing<br />
SMC<br />
15.2.4.2 Cross Domain interfaces<br />
Flow 1/2 way Service Service name Supported Protocols Remarks<br />
PUB-CD3 Two way PUB-NVO NATO voice VOIP<br />
Two way PUB-CVO Comm. voice PSTN, ISDN, VOIP<br />
Flow 1/2 way Service Service name Supported Protocols Remarks<br />
BUS-CD2 Two way BUS-CVO Telephony PSTN Commercial voice<br />
Two way BUS-NVO Telephony VOIP NATO voice<br />
15.2.4.3 Backup <strong>and</strong> Recovery<br />
15.2.4.3-p1 RTO: 30 minutes<br />
15.2.4.3-p2 RPO: 30 minutes<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-325 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
15.2.5 Testing<br />
15.2.5.1 End-to-End Test Scenario<br />
15.2.5.1-p1 All scenarios described in Section 15.2.2-p2 of this Annex shall be<br />
included as test cases.<br />
15.2.5.1-p2<br />
Hardware Inspection – Physical inspection of the components<br />
15.2.5.1-p3 Capacity Tests:<br />
A. Concurrent use.<br />
15.2.5.1-p4 Availability Test<br />
A. Demonstrate High availability.<br />
B. Simulate Server room fail-over.<br />
C. Simulate component failure (disk, interface, controller).<br />
D. RTO <strong>and</strong> RPO reporting (requirements vs. test results).<br />
15.2.5.1-p5 Performance tests (test shall be conducted over a predefined period<br />
not point in time test):<br />
A. Call drops monitoring.<br />
B. Call quality monitoring.<br />
15.2.5.1-p6 Overall reporting using SMC service:<br />
A. Call details (lists/logs).<br />
B. Statistical usage details (totals, time based distributions, averages).<br />
15.2.5.1-p7 IA tests shall include the following minimum set where applicable:<br />
A. Access Control Mechanism<br />
B. Detection Performance (Malware, Content Checking)<br />
C. Releasability Control<br />
D. Integrity Checking<br />
E. Intrusion Detection<br />
F. Logging<br />
G. Auditing<br />
15.2.6 Training<br />
15.2.6-p1 The <strong>ANWI</strong> Contractor shall train the NNHQ-SPA staff on how to install,<br />
configure <strong>and</strong> troubleshoot the following areas to support the storage service:<br />
A. Hardware installation <strong>and</strong> configuration<br />
B. Hardware troubleshooting <strong>and</strong> fault finding<br />
C. Hardware maintenance tasks (e.g. Firmware <strong>and</strong> Bios upgrades)<br />
D. Software installation<br />
E. Software troubleshooting<br />
F. Basic configuration <strong>and</strong> management<br />
1. User / Line management<br />
G. Advanced configuration <strong>and</strong> management<br />
1. HA policy <strong>and</strong> failover scripts<br />
15.2.6-p2 The <strong>ANWI</strong> Contractor shall train the NNHQ users on how to use the<br />
Voice service<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-326 of 532
N A T O U N C L A S S I F I E D<br />
15.3 APPENDIX 3: Voicemail ServiceComponent<br />
15.3.1 Definition<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
15.3.1-p1 Voice Mail services shall support the overall UCC solution to<br />
complement the voice services with the capability to store messages for missed calls,<br />
to be presented to the user when he/she is available, through the voice system <strong>and</strong><br />
email.<br />
15.3.2 Scope / Scenario<br />
15.3.2-p1 The voicemail service shall be available to all authorized UCC users,<br />
configurable by system administrator.<br />
15.3.2-p2 The voicemail service shall cover the following scenarios:<br />
A. Customize the greeting message (centrally <strong>and</strong> by user if authorized).<br />
B. Customize a PIN number for the user<br />
C. Answer unanswered calls (if configured).<br />
D. Answer second calls if line is busy (if configured).<br />
E. Answer all calls (if configured).<br />
F. Record message by calling party, if the caller wishes to do so.<br />
G. Indicate that new voicemail is received in all relevant UCC interfaces.<br />
H. Enable processing of messages (listen/reply/forward/delete/store)<br />
I. Enable listening voicemail through all relevant UCC interfaces, including<br />
but not limited to:<br />
1. Voice clients / software clients.<br />
2. Email attachment.<br />
15.3.3 Service Requirements<br />
15.3.3.1 Domains<br />
15.3.3.1-p1<br />
PUBLIC.<br />
15.3.3.2 Location<br />
The Voicemail service shall be available on: BUSINESS (NR) <strong>and</strong><br />
15.3.3.2-p1 The UCC service components shall be delivered <strong>and</strong> installed in two<br />
NNHQ server rooms. The <strong>ANWI</strong> Contractor shall design a physical layout in<br />
compliance with the limits defined in the Processing Services Location (Section<br />
15.2.3.2).<br />
15.3.3.3 General Requirements<br />
15.3.3.3-p1 The <strong>ANWI</strong> Contractor shall provide a new voicemail service<br />
component for the NNHQ which shall integrate with the current NATO wide voice<br />
service component.be capable of answering all incoming calls <strong>and</strong> recording<br />
messages based on the configuration.<br />
15.3.3.3-p2 Functional, performance <strong>and</strong> interface details of the Voice Service<br />
component <strong>and</strong> integration capability are outlined in the following sections.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-327 of 532
15.3.3.4 Functional Requirements<br />
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
15.3.3.4-p1 The <strong>ANWI</strong> Contractor shall deliver a voice mailbox feature which<br />
shall provide to all users their own voice mailbox accessible via personal<br />
password/PIN.<br />
15.3.3.4-p2 The <strong>ANWI</strong> Contractor shall deliver customizable IVR features for the<br />
user voicemail box:<br />
A. Customize the greeting message (centrally <strong>and</strong> by user if authorized).<br />
B. Customize a PIN number for the user<br />
C. Answer unanswered calls (if configured).<br />
D. Answer second calls if line is busy (if configured).<br />
E. Answer all calls (if configured).<br />
F. Record message by calling party, if the caller wishes to do so.<br />
G. Indicate that new voicemail is received in all relevant UCC interfaces.<br />
H. Enable processing of messages (listen/reply/forward/delete/store)<br />
I. Enable listening voicemail through all relevant UCC interfaces, including<br />
but not limited to:<br />
1. Voice clients / software clients.<br />
2. Email attachment.<br />
15.3.3.4-p3<br />
15.3.3.4-p4<br />
15.3.3.4-p5<br />
15.3.3.4-p6<br />
15.3.3.4-p7<br />
The voicemail system shall allow skipping of voicemail messages.<br />
Voicemail shall be accessible via any fixed or mobile client.<br />
The Client shall display a message waiting indicator.<br />
The messages shall be stored for a configurable amount of time.<br />
Deleted messages shall be reported to the user.<br />
15.3.3.5 Protocol Requirements<br />
15.3.3.5-p1 The voicemail messaging system shall comply with section 15.2.3.6:<br />
Voice Service components - Protocols.<br />
15.3.4 Management <strong>and</strong> Operational Requirements<br />
15.3.4.1 Internal Interfaces<br />
Processing<br />
Storage<br />
Printing<br />
User<br />
Services<br />
Voice X X X X X X X X X X X X X X X X X<br />
AD<br />
DNS<br />
DHCP<br />
NTP<br />
NAC<br />
Client Provisioning<br />
LAN<br />
Cross Domain<br />
Email<br />
IM<br />
Voice<br />
VTC services<br />
Presence<br />
Collaboration<br />
IPTV<br />
File services<br />
Remote users<br />
Browsing<br />
ESS<br />
BMS<br />
ICTM applications<br />
Web Publishing<br />
SMC<br />
15.3.4.2 Cross Domain interfaces<br />
Flow 1/2 way Service Service name Supported Protocols Remarks<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-328 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Flow 1/2 way Service Service name Supported Protocols Remarks<br />
PUB-CD3 Two way PUB-NVO NATO voice VOIP<br />
Two way PUB-CVO Comm. voice PSTN, ISDN, VOIP<br />
Flow 1/2 way Service Service name Supported Protocols Remarks<br />
BUS-CD2 Two way BUS-CVO Telephony PSTN Commercial voice<br />
Two way BUS-NVO Telephony VOIP NATO voice<br />
15.3.4.3 Backup <strong>and</strong> Recovery<br />
15.3.4.3-p1<br />
15.3.4.3-p2<br />
15.3.5 Testing<br />
RTO: 30 minutes<br />
RPO: 30 minutes<br />
15.3.5.1 End-to-End Test Scenario<br />
15.3.5.1-p1 All scenarios described in Section 15.3.2 of this Annex shall be<br />
included as test cases.<br />
15.3.5.1-p2<br />
Hardware Inspection – Physical inspection of the components<br />
15.3.5.1-p3 Capacity Tests:<br />
A. Concurrent use.<br />
B. Per user message capacity.<br />
C. Total message capacity.<br />
15.3.5.1-p4 Availability test:<br />
A. Demonstrate High availability.<br />
B. Simulate Server room fail-over.<br />
C. Simulate component failure (e.g. disk, interface, controller).<br />
D. RTO <strong>and</strong> RPO reporting (requirements vs. test results).<br />
15.3.5.1-p5 Performance tests (test shall be conducted over a predefined period<br />
not point in time test):<br />
A. Answered calls monitoring.<br />
B. Call quality monitoring.<br />
15.3.5.1-p6 Overall reporting using SMC service:<br />
A. Answered Call details (lists/logs).<br />
B. Statistical usage details (totals, time based distributions, averages).<br />
15.3.5.1-p7 IA tests shall include the following minimum set where applicable:<br />
A. Access Control Mechanism<br />
B. Detection Performance (Malware, Content Checking)<br />
C. Releasability Control<br />
D. Integrity Checking<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-329 of 532
E. Intrusion Detection<br />
F. Logging<br />
G. Auditing<br />
15.3.6 Training<br />
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
15.3.6-p1 The <strong>ANWI</strong> Contractor shall train the NNHQ-SPA staff on how to install,<br />
configure <strong>and</strong> troubleshoot the following areas to support the voicemail service:<br />
A. Hardware installation <strong>and</strong> configuration.<br />
B. Hardware troubleshooting <strong>and</strong> fault finding.<br />
C. Hardware maintenance tasks (e.g. Firmware <strong>and</strong> Bios upgrades).<br />
D. Software installation.<br />
E. Software troubleshooting.<br />
F. Basic configuration <strong>and</strong> management.<br />
1. User / Voicemail box management.<br />
G. Advanced configuration <strong>and</strong> management<br />
1. HA policy <strong>and</strong> failover scripts.<br />
15.3.6-p2 The <strong>ANWI</strong> Contractor shall train the NNHQ users on how to use the<br />
Voicemail service.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-330 of 532
N A T O U N C L A S S I F I E D<br />
15.4 APPENDIX 4: VTC ServiceComponent<br />
15.4.1 Definition<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
15.4.1-p1 VTC/VMR/Desktop VTC services shall be delivered as a part of the<br />
UCC capability, in close coordination with NATO Wide VTC Project <strong>and</strong> HN BE AVI<br />
Project.<br />
15.4.1-p2 The complete capability will be a sum of HN BE AVI project, NATO<br />
Wide VTC project <strong>and</strong> <strong>ANWI</strong> VTC/VMR/Desktop VTC capabilities.<br />
15.4.2 Scope / Scenario<br />
15.4.2-p1<br />
The service shall cover the following scenarios:<br />
User Services From 1/2 way GW To Provider External srv Remarks<br />
VTC/VMR NSWAN GW1 NS NGCS NATO Wide VTC VTC session btw <strong>ANWI</strong> <strong>and</strong> NATO Wide VTC<br />
Services NRWAN GW2 NR NGCS NATO Wide VTC VTC session btw <strong>ANWI</strong> <strong>and</strong> NATO Wide VTC<br />
NSWAN GW1 AVI NGCS NATO Wide VTC VTC session btw AVI <strong>and</strong> NATO Wide VTC<br />
NRWAN GW2 AVI NGCS NATO Wide VTC VTC session btw AVI <strong>and</strong> NATO Wide VTC<br />
NS - NS HN BE AVI VTC session btw <strong>ANWI</strong> <strong>and</strong> AVI endpoints<br />
NR - NR HN BE AVI VTC session btw <strong>ANWI</strong> <strong>and</strong> AVI endpoints<br />
NU - NU HN BE AVI VTC session btw <strong>ANWI</strong> <strong>and</strong> AVI endpoints<br />
NS - NS <strong>ANWI</strong> - VTC session within <strong>ANWI</strong> endpoints<br />
NR - NR <strong>ANWI</strong> - VTC session within <strong>ANWI</strong> endpoints<br />
NU - NU <strong>ANWI</strong> - VTC session within <strong>ANWI</strong> endpoints<br />
15.4.3 Service Requirements<br />
15.4.3.1 Domains<br />
15.4.3.1-p1<br />
(NR).<br />
15.4.3.2 Location<br />
The VTC service shall be available on: NATO SECRET, BUSINESS<br />
15.4.3.2-p1 The UCC service components shall be delivered <strong>and</strong> installed in two<br />
NNHQ server rooms. The <strong>ANWI</strong> Contractor shall design a physical layout in<br />
compliance with the limits defined in the Processing Services Location (Section<br />
15.2.3.2).<br />
15.4.3.2-p2 The VTC services shall, in addition to the VTC/VMR endpoints in<br />
the NNHQ main building , be provided to remote locations as specified in Annex M.<br />
15.4.3.3 General Description<br />
15.4.3.3-p1 The <strong>ANWI</strong> Contractor shall provide a VTC system which shall offer<br />
similar functions as listed in Project NATO Wide VTC [Ref: CO-13093-VTC].<br />
15.4.3.3-p2 The delivered UCC capability shall integrate a VTC capability which<br />
shall be compliant with the NCIA Contract Reference CO-13093-VTC <strong>Technical</strong><br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-331 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
requirements as expressed in the related SOW <strong>and</strong> technical annexes, specifically<br />
the NGTS-56.<br />
15.4.3.3-p3 The Video Service Component shall be built on a common<br />
Integrated Session Management function based on SIP protocol.<br />
15.4.3.4 Functional Requirement<br />
15.4.3.4-p1 See General description section 15.4.3.3.<br />
15.4.3.5 Performance Requirements<br />
15.4.3.5-p1 See General description section 15.4.3.3.<br />
15.4.3.6 Interface <strong>and</strong> protocols<br />
15.4.3.6-p1 See General description section 15.4.3.3.<br />
15.4.4 Management <strong>and</strong> Operational Requirements<br />
15.4.4.1 Internal Interfaces<br />
Processing<br />
Storage<br />
Printing<br />
User Services<br />
VTC services X X X X X X X X X X X X X X X X X X X<br />
AD<br />
DNS<br />
DHCP<br />
NTP<br />
NAC<br />
Client Provisioning<br />
LAN<br />
Cross Domain<br />
Email<br />
IM<br />
Voice<br />
VTC services<br />
Presence<br />
Collaboration<br />
IPTV<br />
File services<br />
Remote users<br />
Browsing<br />
ESS<br />
BMS<br />
ICTM applications<br />
Web Publishing<br />
SMC<br />
15.4.4.2 Cross Domain Interfaces<br />
Flow 1/2 way Service Service name Supported Protocols Remarks<br />
PUB-CD3 Two way PUB-NVTC VTC & VMR<br />
Flow 1/2 way Service Service name Supported Protocols Remarks<br />
BUS-CD2 Two way BUS-NTVC VTC<br />
Flow 1/2 way Service Service name Supported Protocols Remarks<br />
NS-GW1 Two way NS-NVTC VTC NATO wide VTC<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-332 of 532
15.4.4.3 Backup <strong>and</strong> Recovery<br />
15.4.4.3-p1<br />
15.4.4.3-p2<br />
15.4.5 Testing<br />
N A T O U N C L A S S I F I E D<br />
RTO: 30 minutes<br />
RPO: 30 minutes<br />
15.4.5.1 End-to-End Test Scenario<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-333 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
15.4.5.1-p1 All scenarios described in Section 15.4.2 of this Annex shall be<br />
included as test cases.<br />
15.4.5.1-p2<br />
15.4.5.1-p3 Capacity Tests:<br />
A. Concurrent use.<br />
Hardware Inspection – Physical inspection of the components.<br />
15.4.5.1-p4 Availability Test:<br />
A. Demonstrate High availability.<br />
B. Simulate Server room fail-over.<br />
C. Simulate component failure (e.g. disk, interface, controller).<br />
D. RTO <strong>and</strong> RPO reporting (requirements vs. test results).<br />
15.4.5.1-p5 Performance tests (test shall be conducted over a predefined period<br />
not point in time test):<br />
A. Call drops monitoring.<br />
B. Call quality monitoring.<br />
15.4.5.1-p6 Overall reporting using SMC service:<br />
A. Call details (lists/logs).<br />
B. Statistical usage details (totals, time based distributions, averages).<br />
15.4.5.1-p7 IA tests shall include the following minimum set where applicable:<br />
A. Access Control Mechanism<br />
B. Detection Performance (Malware, Content Checking)<br />
C. Releasability Control<br />
D. Integrity Checking<br />
E. Intrusion Detection<br />
F. Logging<br />
G. Auditing<br />
15.4.6 Training<br />
15.4.6-p1 The <strong>ANWI</strong> Contractor shall train the NNHQ-SPA staff on how to install,<br />
configure <strong>and</strong> troubleshoot the following areas to support the VTC service:<br />
A. Hardware installation <strong>and</strong> configuration.<br />
B. Hardware troubleshooting <strong>and</strong> fault finding.<br />
C. Hardware maintenance tasks (e.g. Firmware <strong>and</strong> Bios upgrades).<br />
D. Software installation.<br />
E. Software troubleshooting.<br />
F. Basic configuration <strong>and</strong> management:<br />
1. User / Line management.<br />
G. Advanced configuration <strong>and</strong> management:
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
1. HA policy <strong>and</strong> failover scripts.<br />
15.4.6-p2 The <strong>ANWI</strong> Contractor shall train the NNHQ users on how to use the<br />
VTC service.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-334 of 532
N A T O U N C L A S S I F I E D<br />
15.5 APPENDIX 5: Email Service Component<br />
15.5.1 Definition<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
15.5.1-p1 The <strong>ANWI</strong> email service is a strategic capability for NNHQ users <strong>and</strong><br />
other systems <strong>and</strong> shall be provided as part of the UCC services as described in this<br />
Appendix.<br />
15.5.2 Scope / Scenario<br />
15.5.2-p1 The <strong>ANWI</strong> Contractor shall design a robust <strong>and</strong> highly available email<br />
service into the <strong>ANWI</strong> to ensure continuous email <strong>and</strong> messaging support.<br />
15.5.2-p2 The <strong>ANWI</strong> email service not only includes the back-end server<br />
components but shall also include the user side software to provide end-to-end<br />
delivery.<br />
15.5.2-p3 The <strong>ANWI</strong> email service shall be designed <strong>and</strong> implemented to support<br />
the following scenarios:<br />
User<br />
Service<br />
s From<br />
1/2<br />
way<br />
GW To<br />
Provide<br />
r<br />
External<br />
service<br />
Remarks<br />
Email NR - NR <strong>ANWI</strong> - Email within <strong>ANWI</strong> NR<br />
NRWA GW<br />
N 2 NR ? NATO NR mail Email between <strong>ANWI</strong> NR <strong>and</strong> NATO Federated NR<br />
GW Interne<br />
NR 3 t NGCS PIA gateway Email between <strong>ANWI</strong> NR <strong>and</strong> Internet Via GW2 -> GW3<br />
NS - NS <strong>ANWI</strong> - Email within <strong>ANWI</strong> NS<br />
NSWA GW<br />
N 1 NS NCIA Bi-SC AIS Email between <strong>ANWI</strong> NS <strong>and</strong> NATO Federated NS<br />
EAPC - EAPC <strong>ANWI</strong> - Email within <strong>ANWI</strong> EAPC<br />
NS <br />
GW<br />
4 EAPC <strong>ANWI</strong> - Email between <strong>ANWI</strong> NS <strong>and</strong> <strong>ANWI</strong> EAPC<br />
GW<br />
Email NOTIFICATION ONLY from <strong>ANWI</strong> NS to <strong>ANWI</strong><br />
NS > 5 NR <strong>ANWI</strong> -<br />
NR<br />
15.5.3 Service Requirements<br />
15.5.3.1 Domains<br />
15.5.3.1-p1 The <strong>ANWI</strong> Contractor shall deliver <strong>and</strong> install the MS Exchange<br />
email service on 3 networks: NATO SECRET, EAPC SECRET, <strong>and</strong> BUSINESS<br />
(NR).<br />
15.5.3.2 Location<br />
15.5.3.2-p1 The <strong>ANWI</strong> Contractor’s UCC service components shall be factored<br />
into the server room design then delivered <strong>and</strong> installed in the two NNHQ server<br />
rooms per the physical layout <strong>and</strong> limits defined in the Processing Services Location<br />
(Section 15.2.3.2).<br />
15.5.3.2-p2 The <strong>ANWI</strong> Contractor shall provision the email service client<br />
software as described in Annex H.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-335 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
15.5.3.2-p3 The <strong>ANWI</strong> Contractor shall design <strong>and</strong> implement the email service<br />
in accordance to the following:<br />
A. A separate email system per classification shall be delivered.<br />
B. The mail systems shall be to the same as the existing Bi-SC AIS email<br />
architecture <strong>and</strong> software which is currently based on MS Exchange.<br />
C. Cross domain <strong>and</strong> inter-site emails shall pass through an edge mail server<br />
that validates mail label requirements.<br />
D. The NS email organization will have one unique X400 namespace.<br />
E. Each email organization may have multiple SMTP namespaces.<br />
F. DNS MX records will allow delivery of SMTP messages from other mail<br />
organisations directly to the mailbox server assigned to a specified<br />
comm<strong>and</strong>.<br />
15.5.3.2-p4 The <strong>ANWI</strong> Contractor shall deliver the email service to comply with<br />
the following functional requirements:<br />
A. The following functions shall be supported on all four classifications:<br />
1. User/shared Mailboxes.<br />
2. Calendaring.<br />
3. Mail exchange.<br />
4. A directory offering the global address list functionality.<br />
5. Workstation Mail MAPI Client.<br />
6. Mail Formats: plain text, RTF, HTML, MIME.<br />
B. The Business network shall provide web based access to the email<br />
services for remote/mobility clients.<br />
C. The following requirements shall also be provided:<br />
1. Anti-Virus/SPAM filtering.<br />
2. Mail Priority Marking.<br />
3. Mail Delivery Notification Status.<br />
4. Out of office notification.<br />
5. Mailbox filtering capability.<br />
6. Mailbox archive.<br />
D. The email system shall allow use of “notification messages” to a<br />
configured recipient, without revealing the content or metadata of the<br />
message causing the trigger, to allow informing users on lower<br />
classification (e.g. NS to BUSINESS notification for the user to check NS<br />
Email).<br />
E. A redundant, active-active setup of the email environment shall be<br />
installed:<br />
1. All email databases shall be available in both server rooms.<br />
2. Processing capacity for the email service shall be available in both<br />
server rooms.<br />
F. Loss of up to a server room shall not hinder availability of the email service<br />
(some performance degradation is allowed).<br />
G. UNDELETE functionality shall be possible without restoring a complete<br />
database.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-336 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
H. Restoring a mailbox shall be possible without restoring a complete<br />
database.<br />
I. Email (including attachments) shall be archived for legal purposes for 5<br />
years.<br />
15.5.3.2-p5 The <strong>ANWI</strong> Contractor’s email service shall be designed <strong>and</strong><br />
implemented to use the following interfaces <strong>and</strong> protocols:<br />
A. The following different NATO systems shall require interfaces to the new<br />
NATO HQ email system:<br />
1. The NATO legacy Informal Email system (i.e. the ‘NATO Email’<br />
organisation).<br />
2. The NATO HQ informal Email system.<br />
3. The NATO nations informal email systems.<br />
4. The NATO systems embedding an email capability (they are MAPI<br />
compliant).<br />
5. The NATO legacy Formal Messaging system (only available on NS).<br />
6. The NATO Enclaves informal email systems.<br />
B. The Email service shall support as a minimum the following Interfaces <strong>and</strong><br />
protocols:<br />
1. SMTP.<br />
2. MAPI/IMAP/POP3.<br />
3. HTTP/HTTPS.<br />
4. MIME/SMIME.<br />
5. HTML/RTF/plain text.<br />
15.5.3.2-p6 The <strong>ANWI</strong> Contractor’s provided email service shall conform to the<br />
following Capacity Requirements:<br />
A. Minimum user mailbox size (excluding legal archive requirement): 5 GB<br />
15.5.4 Management <strong>and</strong> Operational Requirements<br />
15.5.4.1 Interfaces<br />
15.5.4.1-p1 The <strong>ANWI</strong> email service design shall describe the following internal<br />
interfaces <strong>and</strong> dependencies.<br />
Processing<br />
Storage<br />
Printing<br />
User Services<br />
Email X X X X X X X X X X X X X X X X X X X X<br />
AD<br />
DNS<br />
DHCP<br />
NTP<br />
NAC<br />
Client Provisioning<br />
LAN<br />
Cross Domain<br />
15.5.4.1-p2 The <strong>ANWI</strong> Contractor’s design <strong>and</strong> implementation shall document<br />
<strong>and</strong> support the following cross domain interfaces:<br />
A. The following table describes the email interfaces for the Business<br />
Network:<br />
Flow 1/2 way Service Service name Supported Protocols Remarks<br />
BUS-CD2 Two way BUS-INT Internet HTTP, HTTPS, SMTP Internet, NUWAN<br />
Two way BUS-NMSG NR Email SMTP NRWAN<br />
Email<br />
IM<br />
Voice<br />
VTC services<br />
Presence<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-337 of 532<br />
Collaboration<br />
IPTV<br />
File services<br />
Remote users<br />
Browsing<br />
ESS<br />
BMS<br />
ICTM applications<br />
Web Publishing<br />
SMC
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Flow 1/2 way Service Service name Supported Protocols Remarks<br />
CD5-BUS One way NS-BUS Email XML Notification only<br />
BUS-APP - - ICTM Apps<br />
B. The following table describes the email interfaces for the EAPC Network:<br />
Flow 1/2 way Service Service name Supported Protocols Remarks<br />
CD4-EAPC Two way NS-EAPC Email SMTP Releasable to EAPC<br />
EAPC-APP - - ICTM Apps<br />
C. The following table describes the email interfaces for the NS Network:<br />
Flow 1/2 way Service Service name Supported Protocols Remarks<br />
NS-GW1 Two way NS-NMSG Email SMTP Bi-SC AIS email<br />
NS-GW4 Two way NS-EAPC Email SMTP Releasable to EAPC<br />
NS-GW5 One way NS-BUS Email SMTP Notification only<br />
NS-APP Two way ICTM Apps<br />
NS-PNWI - -<br />
15.5.4.2 Backup <strong>and</strong> Recovery<br />
15.5.4.2-p1 The <strong>ANWI</strong> Contractor’s email capability shall be configured across<br />
both server rooms guaranteeing that messages shall be kept in sync on the storage<br />
systems in both server rooms.<br />
15.5.4.2-p2 The <strong>ANWI</strong> Contractor shall ensure that in case of a server room<br />
failure the surviving server room’s email components shall continue the service<br />
without any data loss.<br />
15.5.4.2-p3 The <strong>ANWI</strong> Contractor, as part of the <strong>ANWI</strong>’s data life cycle<br />
management concept, shall provide an email solution that includes data backup<br />
strategies to safeguard the data against a catastrophic event <strong>and</strong> supports long term<br />
data backup <strong>and</strong> archival (ex. forensic investigation)<br />
15.5.4.2-p4 The <strong>ANWI</strong> Contractor’s email service shall be fully integrated into<br />
the <strong>ANWI</strong> backup strategy <strong>and</strong> provide a RTO of 30 minutes.<br />
15.5.5 Testing<br />
15.5.5-p1 The <strong>ANWI</strong> Contractor shall test the email service using the following<br />
End-to-End Test Scenarios:<br />
A. All scenarios described in Section 15.5.2-p3 of this Annex shall be<br />
included as test cases.<br />
B. Hardware Inspection – Physical inspection of the components.<br />
C. Capacity Tests:<br />
1. Individual mailbox capacities.<br />
2. Total service capacity.<br />
D. Availability Test:<br />
1. Demonstrate Features in support of High availability.<br />
2. Simulate Server room fail-over.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-338 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
3. Simulate component failure (e.g. disk, interface, controller).<br />
4. RTO <strong>and</strong> RPO reporting (e.g. requirements vs. test results).<br />
E. Performance tests (test shall be conducted over a predefined period<br />
notpoint in time test):<br />
1. Inbound message throughput.<br />
2. Outbound message throughput.<br />
F. Overall reporting using SMC service:<br />
1. Message details (lists/logs).<br />
2. Statistical usage details (totals, time based distributions, averages).<br />
G. IA tests shall include the following minimum set where applicable:<br />
1. Access Control Mechanism<br />
2. Detection Performance (Malware, Content Checking)<br />
3. Releasability Control<br />
4. Integrity Checking<br />
5. Intrusion Detection<br />
6. Logging<br />
7. Auditing<br />
15.5.6 Training<br />
15.5.6-p1 The <strong>ANWI</strong> Contractor shall train the NNHQ-SPA staff on how to install,<br />
configure <strong>and</strong> troubleshoot the following areas to support the email service:<br />
A. Hardware installation <strong>and</strong> configuration<br />
B. Hardware troubleshooting <strong>and</strong> fault finding<br />
C. Software installation<br />
D. Software troubleshooting<br />
E. Basic software configuration <strong>and</strong> management<br />
F. User account management<br />
15.5.6-p2 The <strong>ANWI</strong> Contractor shall train the NNHQ users on how to use the<br />
Email service.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-339 of 532
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-340 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
15.6 APPENDIX 6: Unified Messaging Service Component<br />
15.6.1 Definition<br />
15.6.1-p1 The unified messaging service shall enable convergence / cross service<br />
access to the various messaging service components within the UCC Service as<br />
described in this Appendix.<br />
15.6.2 Scope / Scenario<br />
15.6.2-p1<br />
The service shall cover the following interconnection scenarios:<br />
User Services From 1/2 way GW To Provider External srv Remarks<br />
UM NR - NR <strong>ANWI</strong> - <strong>ANWI</strong> Internal NR<br />
15.6.3 Service Requirements<br />
15.6.3.1 Domains<br />
15.6.3.1-p1 The Unified Messaging service shall be made available on:<br />
BUSINESS (NR).<br />
15.6.3.2 Location<br />
15.6.3.2-p1 The UCC service components shall be delivered <strong>and</strong> installed in two<br />
NNHQ server rooms. The <strong>ANWI</strong> Contractor shall design a physical layout in<br />
compliance with the limits defined in the Processing Services Location (Section<br />
15.2.3.2).<br />
15.6.3.3 General Description<br />
15.6.3.3-p1<br />
<strong>System</strong>.<br />
The delivered UCC Capability shall provide a Unified Messaging<br />
15.6.3.3-p2 The Unified messaging system shall provide messaging features<br />
<strong>and</strong> service integration <strong>and</strong> translation to/from the following different types:<br />
A. Voice – voicemail.<br />
B. Video.<br />
C. Data – email, IM.<br />
D. Mobile – SMS,MMS, IM, Email.<br />
15.6.3.4 Functional Requirement<br />
15.6.3.4-p1 The Unified messaging system shall allow all authorized users to<br />
send, receive, retrieve or leave messages based on the table below.<br />
Service<br />
Voice<br />
Video Call<br />
Email<br />
<strong>ANWI</strong> Unified Messaging Services Matrix<br />
Message<br />
Text to Speech to<br />
Message Stored<br />
Message Retrieved Natively Retrievable<br />
Speech Text<br />
Natively<br />
Through<br />
Through Email As Required Required<br />
Voicemail Phone Device / Soft Phone Attachment Only Metadata YES<br />
Videomail Video Phone / VTC / Soft VTC Attachment Only Metadata YES<br />
Email Email Client / Web Mail Native YES N/A
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
<strong>ANWI</strong> Unified Messaging Services Matrix<br />
Service<br />
IM<br />
SMS<br />
MMS<br />
FAX<br />
Message<br />
Text to Speech to<br />
Message Stored<br />
Message Retrieved Natively Retrievable<br />
Speech Text<br />
Natively<br />
Through<br />
Through Email As Required Required<br />
Instant Message IM Client / Web IM Email YES N/A<br />
Text Message Phone Device / Soft Phone Email YES N/A<br />
Multimedia Message Phone Device / Soft Phone Attachment YES YES<br />
Document FAX Device / Printer Attachment Only Metadata N/A<br />
Table: 15.6<strong>ANWI</strong> Unified Messaging Service Matrix<br />
15.6.3.4-p2 The Unified messaging system shall provide reliable translation for<br />
unified messaging where no information shall be lost due to the translation.<br />
15.6.3.4-p3 Text-to-speech services shall be provided both for the English <strong>and</strong><br />
French language.<br />
15.6.3.5 Performance Requirements<br />
15.6.3.5-p1 The Unified messaging service shall process messages in less than<br />
60 seconds. This is measured starting from the time the message is stored natively<br />
to the time UM Service processing has been completed.<br />
15.6.4 Testing<br />
15.6.4.1 End-to-End Test Scenario<br />
15.6.4.1-p1 All scenarios described in Section 15.6.2 of this Annex shall be<br />
included as test cases.<br />
15.6.4.1-p2<br />
Hardware Inspection – Physical inspection of the components.<br />
15.6.4.1-p3 Capacity Tests:<br />
A. Concurrent use.<br />
B. Individual UM capacity.<br />
C. Total UM capacity.<br />
15.6.4.1-p4 Availability Test:<br />
A. Demonstrate High availability.<br />
B. Simulate Server room fail-over.<br />
C. Simulate component failure (e.g. disk, interface, controller).<br />
D. RTO <strong>and</strong> RPO reporting (requirements vs. test results).<br />
15.6.4.1-p5 Performance tests (Test shall be conducted over a predefined<br />
period not point in time test):<br />
A. Inbound messages throughput.<br />
15.6.4.1-p6 Overall reporting using SMC service:<br />
A. Message details (lists/logs).<br />
B. Statistical usage details (totals, time based distributions, averages).<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-341 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
15.6.4.1-p7 IA tests shall include the following minimum set where applicable:<br />
A. Access Control Mechanism<br />
B. Detection Performance (Malware, Content Checking)<br />
C. Releasability Control<br />
D. Integrity Checking<br />
E. Intrusion Detection<br />
F. Logging<br />
G. Auditing<br />
15.6.5 Training<br />
15.6.5-p1 The <strong>ANWI</strong> Contractor shall train the NNHQ-SPA staff on how to install,<br />
configure <strong>and</strong> troubleshoot the following areas to support the Unified Messaging<br />
service:<br />
A. Hardware installation <strong>and</strong> configuration.<br />
B. Hardware troubleshooting <strong>and</strong> fault finding.<br />
C. Hardware maintenance tasks (e.g. Firmware <strong>and</strong> Bios upgrades).<br />
D. Software installation.<br />
E. Software troubleshooting.<br />
F. Basic configuration <strong>and</strong> management:<br />
1. User / Line management.<br />
G. Advanced configuration <strong>and</strong> management:<br />
H. HA policy <strong>and</strong> failover scripts.<br />
15.6.5-p2 The <strong>ANWI</strong> Contractor shall train the NNHQ users on how to use the<br />
Unified Messaging service.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-342 of 532
N A T O U N C L A S S I F I E D<br />
15.7 APPENDIX 7: FAX Service Component<br />
15.7.1 Definition<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
15.7.1-p1 The <strong>ANWI</strong> Contractor shall provide FAX services (send <strong>and</strong> receive<br />
classified <strong>and</strong> non-classified faxes) to all users from the <strong>ANWI</strong> provided client device.<br />
15.7.2 Scope / Scenario<br />
15.7.2-p1 The <strong>ANWI</strong> FAX service shall be designed <strong>and</strong> implemented to support<br />
the following scenarios:<br />
Fax NS GW1 NSWAN - UCC integrated.<br />
NR GW3 external Commercial - UCC integrated, via GW2 -> GW3.<br />
NU GW3 external Commercial - UCC integrated.<br />
15.7.3 Service Requirements<br />
15.7.3.1 Domains<br />
15.7.3.1-p1 The FAX service shall be delivered <strong>and</strong> installed on the <strong>ANWI</strong> to be<br />
available on the NATO SECRET, <strong>and</strong> BUSINESS (NR) [the NS shall be via the<br />
registry].<br />
15.7.3.2 Location<br />
15.7.3.2-p1 The <strong>ANWI</strong> Contractor’s UCC service components shall be delivered<br />
<strong>and</strong> installed in the two NNHQ server rooms per the physical layout limits defined in<br />
the Processing Services Location (Section 15.2.3.3.1).<br />
15.7.3.2-p2 The <strong>ANWI</strong> Contractor shall provision the FAX service client software<br />
as described in Annex H.<br />
15.7.3.2-p3 The <strong>ANWI</strong> Contractor shall design <strong>and</strong> implement the FAX service<br />
in accordance to the following:<br />
A. The delivered UCC Capability shall provide a centralised Fax services<br />
system.<br />
B. The delivered Centralised Fax system shall be connected to the Public<br />
network.<br />
15.7.3.2-p4 The <strong>ANWI</strong> Contractor shall deliver the FAX service to comply with<br />
the following functional requirements:<br />
A. The delivered centralised Fax system shall allow all authorised users to<br />
send <strong>and</strong> receive Faxes via a specific internal email address.<br />
B. The delivered centralised Fax system shall be reachable from users<br />
external to NATO HQ via a local <strong>and</strong>/or international telephone number<br />
C. The delivered centralised Fax system shall allow the temporary storage of<br />
all incoming <strong>and</strong> outgoing faxes in electronic format for the last 30 days.<br />
D. The delivered centralised Fax system shall allow transferring the stored<br />
faxes in electronic format to a long term storage appliance <strong>and</strong>/or server.<br />
E. The delivered Centralised Fax system shall provide incoming document<br />
with a resolution of a minimum of 600x600 dpi to the users.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-343 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
15.7.3.2-p5 The <strong>ANWI</strong> Contractor’s FAX service shall be designed <strong>and</strong><br />
implemented to use the following interface <strong>and</strong> protocols:<br />
A. The Fax service shall support the following Interfaces <strong>and</strong> protocols:<br />
1. FAX3-T4.<br />
2. FAX4-T6.<br />
3. FAX – T38.<br />
15.7.3.2-p6 Interfaces<br />
A. The <strong>ANWI</strong> FAX service design shall describe the following internal<br />
interfaces <strong>and</strong> dependencies shown through Voice services as FAX<br />
service is achieved through the Voice connectivity):<br />
Voice<br />
User Services<br />
Processing<br />
Storage<br />
Printing<br />
AD<br />
DNS<br />
DHCP<br />
NTP<br />
NAC<br />
Client Provisioning<br />
LAN<br />
Cross Domain<br />
Email<br />
IM<br />
X X X X X X X X X X X X X X X X X<br />
15.7.3.2-p7 The <strong>ANWI</strong> Contractor’s design <strong>and</strong> implementation shall document<br />
<strong>and</strong> support the following cross Domain interfaces:<br />
A. The following table describes the FAX interfaces for the Public Network:<br />
Flow 1/2 way Service Service name Supported Protocols Remarks<br />
PUB-CD3 Two way PUB-NVO NATO voice VOIP FAX<br />
Two way PUB-CVO Comm. voice PSTN, ISDN, VOIP FAX<br />
B. The following table describes the FAX interfaces for the Business<br />
Network:<br />
Flow 1/2 way Service Service name Supported Protocols Remarks<br />
BUS-CD2 Two way BUS-CVO Telephony PSTN FAX<br />
Two way BUS-NVO Telephony VOIP FAX<br />
C. The following table describes the FAX interfaces for the Secret Network:<br />
Flow 1/2 way Service Service name Supported Protocols Remarks<br />
NS-GW1 Two way NS-NSVO VoSIP FAX<br />
Voice<br />
VTC services<br />
Presence<br />
Collaboration<br />
IPTV<br />
File services<br />
Remote users<br />
Browsing<br />
ESS<br />
BMS<br />
ICTM applications<br />
Web Publishing<br />
SMC<br />
15.7.3.3 Backup <strong>and</strong> Recovery<br />
15.7.3.3-p1 The <strong>ANWI</strong> Contractor’s FAX service shall be fully integrated into the<br />
<strong>ANWI</strong> backup strategy <strong>and</strong> provide a RTO of 30 minutes.<br />
15.7.4 Testing<br />
15.7.4-p1 The <strong>ANWI</strong> Contractor shall test the FAX service using the following<br />
End-to-End Test Scenarios:<br />
A. All scenarios described in Section 15.7.2 of this Annex shall be included<br />
as test cases.<br />
B. Hardware Inspection – Physical inspection of the components.<br />
C. Capacity Tests:<br />
1. Concurrent use.<br />
D. Availability Test:<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-344 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
1. Demonstrate High availability.<br />
2. Simulate Server room fail-over.<br />
3. Simulate component failure (e.g. disk, interface, controller).<br />
4. RTO <strong>and</strong> RPO reporting (requirements vs. test results).<br />
E. Performance tests (Test shall be conducted over a predefined period not<br />
point in time test):<br />
1. Inbound messages throughput.<br />
F. Overall reporting using SMC service:<br />
1. Message details (lists/logs).<br />
2. Statistical usage details (totals, time based distributions, averages).<br />
G. IA tests shall include the following minimum set where applicable:<br />
1. Access Control Mechanism<br />
2. Detection Performance (Malware, Content Checking)<br />
3. Releasability Control<br />
4. Integrity Checking<br />
5. Intrusion Detection<br />
6. Logging<br />
7. Auditing<br />
15.7.5 Training<br />
15.7.5-p1 The <strong>ANWI</strong> Contractor shall train the NNHQ-SPA staff onhow to install,<br />
configure <strong>and</strong> troubleshoot the following areas to support the FAX service:<br />
A. Hardware installation <strong>and</strong> configuration.<br />
B. Hardware troubleshooting <strong>and</strong> fault finding.<br />
C. Hardware maintenance tasks (e.g. Firmware <strong>and</strong> Bios upgrades).<br />
D. Software installation.<br />
E. Software troubleshooting.<br />
15.7.5-p2<br />
service.<br />
The <strong>ANWI</strong> Contractor shall train the NNHQ users on how to use the Fax<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-345 of 532
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-346 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
15.8 APPENDIX 8: Instant Messaging/Chat Service Component<br />
15.8.1 Definition<br />
15.8.1-p1 The <strong>ANWI</strong> IM/chat service shall provide all authorized NATO HQ users<br />
with the ability to find users in a central directory <strong>and</strong> create a contact list on any<br />
designated UCC client showing the contacts <strong>and</strong> location information, <strong>and</strong> use<br />
instant messages to communicate through an instant messaging client, <strong>and</strong> other<br />
relevant <strong>ANWI</strong> provided UCC interfaces.<br />
15.8.2 Scope / Scenario<br />
15.8.2-p1 The <strong>ANWI</strong> IM service shall be designed <strong>and</strong> implemented to support the<br />
following scenarios:<br />
User Services From 1/2 way GW To Provider External srv Remarks<br />
IM NS - NS <strong>ANWI</strong> - <strong>ANWI</strong> NS Internal<br />
NSWAN GW1 NS NCIA Bi-SC AIS <strong>ANWI</strong> NS to federated or Single Domain NS<br />
NR - NR <strong>ANWI</strong> - <strong>ANWI</strong> NR Internal<br />
NRWAN GW2 NR ? NRNRWAN <strong>ANWI</strong> NR to federated or Single Domain NR<br />
15.8.3 Service Requirements<br />
15.8.3.1 Domains<br />
15.8.3.1-p1 The <strong>ANWI</strong> Contractor shall deliver <strong>and</strong> install the IM/chat service on<br />
the NATO SECRET <strong>and</strong> BUSINESS (NR) networks.<br />
15.8.3.2 Location<br />
15.8.3.2-p1 The <strong>ANWI</strong> Contractor’s UCC service components shall be factored<br />
into the server room design then delivered <strong>and</strong> installed in the two NNHQ server<br />
rooms per the physical layout <strong>and</strong> limits defined in the Processing Services Location<br />
(Section 15.2.3.2).<br />
15.8.3.2-p2 The <strong>ANWI</strong> Contractor shall provision the IM/chat service client<br />
software as described in Annex H.<br />
15.8.3.2-p3 The <strong>ANWI</strong> Contractor shall design <strong>and</strong> implement the IM/chat<br />
service in accordance to the following:<br />
A. The IM system shall allow all NATO HQ users to send, receive instant<br />
messages <strong>and</strong> identify user presence <strong>and</strong> location via UCC clients on the<br />
business network.<br />
B. The IM system shall be compatible with existing NATO instant messaging<br />
architectures on classified networks (Ref 1.1.1.8.23 <strong>and</strong> 1.1.1.8.24).<br />
15.8.3.2-p4 The <strong>ANWI</strong> Contractor shall deliver the IM/chat service to comply<br />
with the following functional requirement<br />
A. The following functional requirements shall be available:<br />
1. Integration with Desktop Office suite.<br />
2. Integration of presence.<br />
3. Person to Person Chat.<br />
4. Multi-User Chat.
N A T O U N C L A S S I F I E D<br />
5. Permanent Chat Rooms.<br />
6. Classification/ labelling on sessions & Chat rooms.<br />
7. Web Based Instant Messaging Client Access.<br />
8. Active Directory (LDAP) Integration.<br />
9. Enterprise Server to Server Message Relay.<br />
10. Integration with cross domain solution options.<br />
B. The IM service shall have 99.99% availability.<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
15.8.3.2-p5 The <strong>ANWI</strong> Contractor’s IM/chat service shall be designed <strong>and</strong><br />
implemented to use the following interface <strong>and</strong> protocols:<br />
A. The IM/Chat service shall support the following Interfaces <strong>and</strong> protocols:<br />
1. XMPP.<br />
2. SIP/SIMPLE.<br />
3. HTTP/HTTPS.<br />
15.8.4 Management <strong>and</strong> Operational Requirements<br />
15.8.4.1 Interfaces<br />
15.8.4.1-p1 The <strong>ANWI</strong> IM/chat service design shall describe the following<br />
internal interfaces <strong>and</strong> dependencies:<br />
Processing<br />
Storage<br />
Printing<br />
User Services<br />
IM X X X X X X X X X X X X X X<br />
AD<br />
DNS<br />
DHCP<br />
NTP<br />
NAC<br />
Client Provisioning<br />
LAN<br />
Cross Domain<br />
15.8.4.1-p2 The <strong>ANWI</strong> Contractor’s design <strong>and</strong> implementation shall document<br />
<strong>and</strong> support the following Cross Domain interfaces:<br />
A. The following table describes the IM interfaces for the Business Network:<br />
Flow 1/2 way Service Service name Supported Protocols Remarks<br />
BUS-CD2 Two way BUS-INT Internet Chat HTTP(S), SIP, XMPP Internet, NUWAN<br />
Two way BUS-NMSG NR Chat HTTP(S), SIP, XMPP NRWAN<br />
B. The following table describes the IM interfaces for the NS Network:<br />
Flow 1/2 way Service Service name Supported Protocols Remarks<br />
NS-GW1 Two way NS-NMSG NS Chat HTTP(S), SIP, XMPP Bi-SC AIS Chat<br />
15.8.4.2 Backup <strong>and</strong> Recovery<br />
15.8.4.2-p1 The <strong>ANWI</strong> Contractor’s IM/chat service shall be fully integrated into<br />
the <strong>ANWI</strong> backup strategy <strong>and</strong> provide a RTO of 30 minutes.<br />
15.8.5 Testing<br />
15.8.5-p1 The <strong>ANWI</strong> Contractor shall test the IM/chat service using the following<br />
End-to-End Test Scenarios:<br />
A. All scenarios described in Section 15.8.2. of this Annex shall be included<br />
as test cases.<br />
B. Hardware Inspection – Physical inspection of the components.<br />
C. Capacity Tests:<br />
N A T O U N C L A S S I F I E D<br />
Email<br />
IM<br />
Voice<br />
VTC services<br />
Presence<br />
Book II Page IV-347 of 532<br />
Collaboration<br />
IPTV<br />
File services<br />
Remote users<br />
Browsing<br />
ESS<br />
BMS<br />
ICTM applications<br />
Web Publishing<br />
SMC
N A T O U N C L A S S I F I E D<br />
1. Individual user contact list capacities.<br />
2. Total service capacity.<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
D. Availability Test:<br />
1. Demonstrate High availability.<br />
2. Simulate Server room fail-over.<br />
3. Simulate component failure (e.g. disk, interface, controller).<br />
4. RTO <strong>and</strong> RPO reporting (requirements vs. test results).<br />
E. Performance tests (test shall be conducted over a predefined period not<br />
point in time test):<br />
1. Inbound messages throughput.<br />
2. Outbound messages throughput.<br />
F. Overall reporting using SMC service:<br />
1. Message details (lists/logs).<br />
2. Statistical usage details (totals, time based distributions, averages).<br />
G. IA tests shall include the following minimum set where applicable:<br />
1. Access Control Mechanism<br />
2. Detection Performance (Malware, Content Checking)<br />
3. Releasability Control<br />
4. Integrity Checking<br />
5. Intrusion Detection<br />
6. Logging<br />
7. Auditing<br />
15.8.6 Training<br />
15.8.6-p1 The <strong>ANWI</strong> Contractor shall train the NNHQ-SPA staff onhow to install,<br />
configure <strong>and</strong> troubleshoot the following areas to support the IM/chat service:<br />
A. Hardware installation <strong>and</strong> configuration.<br />
B. Hardware troubleshooting <strong>and</strong> fault finding.<br />
C. Hardware maintenance tasks (e.g. Firmware <strong>and</strong> Bios upgrades).<br />
D. Software installation.<br />
E. Software troubleshooting.<br />
F. Basic configuration <strong>and</strong> management:<br />
1. User / Line chat room set up.<br />
15.8.6-p2 The <strong>ANWI</strong> Contractor shall train the NNHQ users on how to use the<br />
Instant Messaging service,<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-348 of 532
N A T O U N C L A S S I F I E D<br />
15.9 APPENDIX 9: Presence Service Component<br />
15.9.1 Definition<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
15.9.1-p1 The <strong>ANWI</strong> Presence service is a critical element of the <strong>ANWI</strong> UCC<br />
concept <strong>and</strong> shall provide all authorized NATO HQ users with the ability to observe<br />
presence information of other users <strong>and</strong> publish their presence status either manually<br />
or through automation of predefined stages (such as calendar based updates).<br />
15.9.2 Scope / Scenario<br />
15.9.2-p1 The <strong>ANWI</strong> presence service shall be designed <strong>and</strong> implemented to<br />
support the following scenarios:<br />
User Services From 1/2 way GW To Provider External srv Remarks<br />
Presence NS - NS <strong>ANWI</strong> - <strong>ANWI</strong> NS Internal<br />
NSWAN GW1 NS NGCS NSNSWAN <strong>ANWI</strong> NS to federated or single domain NS<br />
NR - NR <strong>ANWI</strong> - <strong>ANWI</strong> NR Internal<br />
NRWAN GW5 NR NGCS NRNRWAN <strong>ANWI</strong> NR to federated or single domain NR<br />
15.9.3 Service Requirements<br />
15.9.3.1 Domains<br />
15.9.3.1-p1 The <strong>ANWI</strong> Contractor shall deliver <strong>and</strong> install the Presence service<br />
on the NATO SECRET <strong>and</strong> BUSINESS (NR) networks.<br />
15.9.3.2 Location<br />
15.9.3.2-p1 The <strong>ANWI</strong> Contractor’s UCC service components shall be factored<br />
into the server room design then delivered <strong>and</strong> installed in the two NNHQ server<br />
rooms per the physical layout <strong>and</strong> limits defined in the Processing Services Location<br />
(Section 15.2.3.2).<br />
15.9.3.2-p2 The <strong>ANWI</strong> Contractor shall provision the presence service client<br />
software as described in Annex H.<br />
15.9.3.2-p3 The <strong>ANWI</strong> Contractor shall design <strong>and</strong> implement the presence<br />
service in accordance to the following:<br />
15.9.3.2-p4 The Presence service shall provide all NATO HQ users with the<br />
ability to find users in a central directory <strong>and</strong> create a contact list on any designated<br />
UCC client showing the contacts’ presence <strong>and</strong> location information.<br />
15.9.3.2-p5 The <strong>ANWI</strong> Contractor shall deliver the presence service to comply<br />
with the following functional requirements:<br />
A. The Presence service shall have integration with Desktop Office suite.<br />
B. There shall be Presence Awareness <strong>and</strong> Location notification.<br />
C. There shall be integration with all UCC service components.<br />
D. The user shall be able to manage authorization for publishing presence<br />
information.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-349 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
15.9.3.2-p6 The service shall display the presence information of users, with<br />
status labels:<br />
A. Busy.<br />
B. Connected.<br />
C. Offline.<br />
D. Office.<br />
E. Home.<br />
F. Mobile.<br />
G. Editable by user.<br />
15.9.3.2-p7 The <strong>ANWI</strong> Contractor’s presence service shall be designed <strong>and</strong><br />
implemented to use the following interface <strong>and</strong> protocols:<br />
The Presence service shall support the following Interfaces <strong>and</strong> protocols:<br />
o SIP/SIMPLE.<br />
o XMPP.<br />
o LDAP/X.500.<br />
o HTTP/HTTPS.<br />
o XML.<br />
15.9.4 Management <strong>and</strong> Operational Requirements<br />
15.9.4.1 Interfaces<br />
15.9.4.1-p1 The <strong>ANWI</strong> presence service design shall describe the following<br />
internal interfaces <strong>and</strong> dependencies:<br />
Processing<br />
Storage<br />
Printing<br />
User Services<br />
Presence X X X X X X X X X X X X X<br />
AD<br />
DNS<br />
DHCP<br />
NTP<br />
NAC<br />
Client Provisioning<br />
LAN<br />
Cross Domain<br />
15.9.4.1-p2 The <strong>ANWI</strong> Contractor’s design <strong>and</strong> implementation shall document<br />
<strong>and</strong> support the following Cross Domain interfaces<br />
The following table describes the Presence interfaces for the Business<br />
Network<br />
Flow 1/2 way Service Service name Supported Protocols Remarks<br />
BUS-CD2 Two way BUS-INT Internet Presence HTTP(S), SIP, XMPP Internet, NUWAN<br />
<br />
Two way BUS-NMSG NR Presence HTTP(S), SIP, XMPP NRWAN<br />
Email<br />
The following table describes the Presence interfaces for the NS Network:<br />
Flow 1/2 way Service Service name Supported Protocols Remarks<br />
NS-GW1 Two way NS-NMSG NS Presence HTTP(S), SIP, XMPP Bi-SC AIS Presence<br />
15.9.4.2 Backup <strong>and</strong> Recovery<br />
15.9.4.2-p1 The <strong>ANWI</strong> Contractor’s presence service shall be fully integrated<br />
into the <strong>ANWI</strong> backup strategy <strong>and</strong> provide a RTO of 30 minutes.<br />
IM<br />
Voice<br />
VTC services<br />
Presence<br />
Collaboration<br />
IPTV<br />
File services<br />
Remote users<br />
Browsing<br />
ESS<br />
BMS<br />
ICTM applications<br />
Web Publishing<br />
SMC<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-350 of 532
15.9.5 Testing<br />
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
15.9.5-p1 The <strong>ANWI</strong> Contractor shall test the presence service using the following<br />
End-to-End Test Scenarios:<br />
15.9.5-p2 All scenarios described in Section 15.9.2 of this Annex shall be included<br />
as test cases.<br />
15.9.5-p3<br />
Hardware Inspection – Physical inspection of the components.<br />
15.9.5-p4 Capacity Tests:<br />
A. Individual user contact list capacities.<br />
B. Total service capacity.<br />
15.9.5-p5 Availability Test:<br />
A. Demonstrate High availability.<br />
B. Simulate Server room fail-over.<br />
C. Simulate component failure (e.g. disk, interface, controller).<br />
D. RTO <strong>and</strong> RPO reporting (requirements vs. test results).<br />
15.9.5-p6 Performance tests (test shall be conducted over a predefined period not<br />
point in time test):<br />
A. Status change responsiveness.<br />
15.9.5-p7 Overall reporting using SMC service:<br />
A. Presence details (lists/logs).<br />
B. Statistical usage details (totals, time based distributions, averages).<br />
15.9.5-p8 IA tests shall include the following minimum set where applicable:<br />
A. Access Control Mechanism<br />
B. Detection Performance (Malware, Content Checking)<br />
C. Releasability Control<br />
D. Integrity Checking<br />
E. Intrusion Detection<br />
F. Logging<br />
G. Auditing<br />
15.9.6 Training<br />
15.9.6-p1 The <strong>ANWI</strong> Contractor shall train the NNHQ-SPA staff on how to install,<br />
configure <strong>and</strong> troubleshoot the following areas to support the presence service:<br />
A. Software installation.<br />
B. Software troubleshooting.<br />
C. Basic configuration <strong>and</strong> management:<br />
1. User management.<br />
15.9.6-p2 The <strong>ANWI</strong> Contractor shall train the NNHQ users on how to use the<br />
Presence service.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-351 of 532
N A T O U N C L A S S I F I E D<br />
15.10 APPENDIX 10: UCC Directory Service Component<br />
15.10.1 Definition<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
15.10.1-p1 The <strong>ANWI</strong> UCC Directory service shall provide the central directory<br />
repository function for all relevant UCC services.<br />
15.10.2 Scope / Scenario<br />
15.10.2-p1 The <strong>ANWI</strong> directory service shall be designed <strong>and</strong> implemented to<br />
support the following scenarios:<br />
User<br />
Services From<br />
1/2<br />
way<br />
GW To<br />
Provid<br />
er<br />
External<br />
service<br />
Remarks<br />
UCC<br />
Directo<br />
ry NR - NR <strong>ANWI</strong> - UCC Directory to support <strong>ANWI</strong> NR<br />
NRWA<br />
N <br />
NR <br />
GW<br />
2 NR ?<br />
GW<br />
3<br />
NATO NR<br />
mail<br />
Directory Exchange between <strong>ANWI</strong> NR <strong>and</strong> NATO<br />
Federated NR<br />
PUBLI<br />
C <strong>ANWI</strong> - Directory Exchange between <strong>ANWI</strong> NR <strong>and</strong> <strong>ANWI</strong> PUBLIC<br />
NS - NS <strong>ANWI</strong> - UCC Directory to support <strong>ANWI</strong> NS<br />
NSWA GW<br />
Directory Exchange between <strong>ANWI</strong> NS <strong>and</strong> NATO<br />
N 1 NS NCIA Bi-SC AIS Federated NS<br />
NUWA GW PUBLI<br />
Directory Exchange between <strong>ANWI</strong> PUBLIC <strong>and</strong> NATO<br />
N 3 C NCIA Bi-SC AIS Federated NU<br />
PUBLI<br />
C -<br />
PUBLI<br />
C <strong>ANWI</strong> UCC Directory to support <strong>ANWI</strong> PUBLIC<br />
15.10.3 Service Requirements<br />
15.10.3.1 Domains<br />
15.10.3.1-p1 The <strong>ANWI</strong> Contractor shall deliver <strong>and</strong> install the Directory service<br />
on all 4 domains: NATO SECRET, EAPC SECRET, BUSINESS (NR) <strong>and</strong> PUBLIC.<br />
15.10.3.2 Location<br />
15.10.3.2-p1 The <strong>ANWI</strong> Contractor’s UCC service components shall be factored<br />
into the server room design then delivered <strong>and</strong> installed in the two NNHQ server<br />
rooms per the physical layout <strong>and</strong> limits defined in the Processing Services Location<br />
(Section 15.2.3.2).<br />
15.10.3.2-p2 The <strong>ANWI</strong> Contractor shall design <strong>and</strong> implement the directory service<br />
in accordance to the following:<br />
A. Directory services shall be available on all security domains <strong>and</strong> shall<br />
provide a central repository which can be used by all UCC services.<br />
B. Directory services shall integrate to <strong>and</strong>/or be compatible with the existing<br />
Microsoft Windows Active Directory services which will be used in the<br />
NNHQ.<br />
15.10.3.2-p3 The <strong>ANWI</strong> Contractor shall deliver the directory service to comply with<br />
the following functional requirement<br />
A. The Directory service shall interface to all UCC services.<br />
B. The Directory service shall be integrated with Active Directory.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-352 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
C. The Directory service shall have NATO Enterprise Directory Service<br />
(NEDS) compatibility.<br />
D. The Directory service shall have the capability to find users <strong>and</strong> their<br />
accessible services from the directory.<br />
15.10.3.2-p4 The <strong>ANWI</strong> Contractor’s email service shall be designed <strong>and</strong><br />
implemented to use the following interface <strong>and</strong> protocols:<br />
A. The Directory service shall support the following Interfaces <strong>and</strong> protocols:<br />
1. LDAP/X.500.<br />
2. HTTP/HTTPS.<br />
3. XML.<br />
15.10.4 Management <strong>and</strong> Operational Requirements<br />
15.10.4-p1 The <strong>ANWI</strong> Directory service design shall describe the following<br />
internal interfaces <strong>and</strong> dependencies:<br />
Us<br />
er<br />
Se<br />
rvi<br />
ces<br />
Di<br />
rec<br />
tor<br />
y<br />
Processing<br />
Storage<br />
Printing<br />
Directory<br />
DNS<br />
DHCP<br />
NTP<br />
NAC<br />
Client Provisioning<br />
LAN<br />
Cross Domain<br />
Email<br />
X X X 1. X X X X X X X X<br />
IM<br />
X<br />
Voice<br />
VTC services<br />
Presence<br />
Collaboration<br />
IPTV<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-353 of 532<br />
File services<br />
Remote users<br />
Browsing<br />
ESS<br />
BMS<br />
ICTM applications<br />
Web Publishing<br />
X X X X X X X X X X X X X<br />
15.10.4-p2 The <strong>ANWI</strong> Contractor’s design <strong>and</strong> implementation shall document<br />
<strong>and</strong> support the following Cross Domain interfaces:<br />
A. The following table describes the UCC Directory interfaces for the<br />
Business Network:<br />
Flow 1/2 way Service Service name Supported Protocols Remarks<br />
BUS-CD2 Two way BUS-INT Internet DirExc HTTP(S), LDAP Internet, NUWAN<br />
Two way BUS-NMSG NR DirExc HTTP(S), LDAP NRWAN<br />
B. The following table describes the UCC Directory interfaces for the NS<br />
Network:<br />
Flow 1/2 way Service Service name Supported Protocols Remarks<br />
NS-GW1 Two way NS-NMSG NS DirExc HTTP(S), LDAP Bi-SC AIS Directory<br />
NS-GW1 Two way NS-NEDS NEDS LDAP Interface to NEDS<br />
15.10.4.1 Backup <strong>and</strong> Recovery<br />
15.10.4.1-p1 The <strong>ANWI</strong> Contractor’s directory service shall be fully integrated<br />
into the <strong>ANWI</strong> backup strategy <strong>and</strong> provide a RTO of 30 minutes.<br />
15.10.5 Testing<br />
15.10.5-p1 The <strong>ANWI</strong> Contractor shall test the directory service using the<br />
following End-to-End Test Scenarios:<br />
15.10.5-p2 All scenarios described in Section 15.10.2 of this Annex shall be<br />
included as test cases.<br />
15.10.5-p3<br />
Hardware Inspection – Physical inspection of the components.<br />
SMC
15.10.5-p4 Capacity Tests:<br />
A. Total service capacity.<br />
N A T O U N C L A S S I F I E D<br />
15.10.5-p5 Availability Test:<br />
A. Demonstrate High availability.<br />
B. Simulate Server room fail-over.<br />
C. Simulate component failure (e.g. disk, interface, controller).<br />
D. RTO <strong>and</strong> RPO reporting (requirements vs. test results).<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
15.10.5-p6 Performance tests (test shall be conducted over a predefined period<br />
not point in time test):<br />
A. Concurrent user / service load test.<br />
15.10.5-p7 Overall reporting using SMC service:<br />
A. Directory request details (lists/logs).<br />
B. Directory modification details (lists/logs).<br />
C. Statistical usage details (totals, time based distributions, averages).<br />
15.10.5-p8 IA tests shall include the following minimum set where applicable:<br />
A. Access Control Mechanism<br />
B. Detection Performance (Malware, Content Checking)<br />
C. Releasability Control<br />
D. Integrity Checking<br />
E. Intrusion Detection<br />
F. Logging<br />
G. Auditing<br />
15.10.6 Training<br />
15.10.6-p1 The <strong>ANWI</strong> Contractor shall train the NNHQ-SPA staff on how to<br />
install, configure <strong>and</strong> troubleshoot the following areas to support the directory<br />
service:<br />
A. Hardware installation <strong>and</strong> configuration.<br />
B. Hardware troubleshooting <strong>and</strong> fault finding.<br />
C. Hardware maintenance tasks (e.g. Firmware <strong>and</strong> Bios upgrades).<br />
D. Software installation.<br />
E. Software troubleshooting.<br />
F. Basic configuration <strong>and</strong> management:<br />
1. AD management.<br />
2. Interface connections between <strong>ANWI</strong> <strong>and</strong> NEDS.<br />
15.10.6-p2 The <strong>ANWI</strong> Contractor shall train the NNHQ users on how to use the<br />
UCC Directory service.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-354 of 532
N A T O U N C L A S S I F I E D<br />
15.11 APPENDIX 11: Collaboration Service Component<br />
15.11.1 Definition<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
15.11.1-p1 The <strong>ANWI</strong> Collaboration service shall provide all authorized NATO<br />
HQ users with the ability to share (based on the shared user’s specific approval) a<br />
computing device’s screen or a subset such as an application window (whiteboard),<br />
with other users, for read only, remote access or co-editing scenarios.<br />
15.11.2 Scope / Scenario<br />
15.11.2-p1 The <strong>ANWI</strong> collaboration service shall be designed <strong>and</strong> implemented<br />
to support the following scenarios:<br />
User Services From 1/2 way GW To Provider External srv Remarks<br />
Collaboration NS - NS <strong>ANWI</strong> - <strong>ANWI</strong> NS Internal<br />
NSWAN GW1 NS NGCS NSNSWAN <strong>ANWI</strong> NS to federated or single domain NS<br />
NR - NR <strong>ANWI</strong> - <strong>ANWI</strong> NR Internal<br />
NRWAN GW2 NR NGCS NRNRWAN <strong>ANWI</strong> NR to federated or single NR<br />
NU - NU <strong>ANWI</strong> - NU extranet portal-based coll. (EIM/ERP)<br />
15.11.3 Service Requirements<br />
15.11.3.1 Domains<br />
15.11.3.1-p1 The <strong>ANWI</strong> Contractor shall deliver <strong>and</strong> install the Collaboration<br />
service on the NATO SECRET <strong>and</strong> BUSINESS (NR) networks.<br />
15.11.3.2 Location<br />
15.11.3.2-p1 The <strong>ANWI</strong> Contractor’s UCC service components shall be factored<br />
into the server room design then delivered <strong>and</strong> installed in the two NNHQ server<br />
rooms per the physical layout <strong>and</strong> limits defined in the Processing Services Location<br />
(Section 15.2.3.2).<br />
15.11.3.2-p2 The <strong>ANWI</strong> Contractor shall provision the collaboration client<br />
software as described in Annex H.<br />
15.11.3.2-p3 The <strong>ANWI</strong> Contractor shall design <strong>and</strong> implement the collaboration<br />
service in accordance to the following:<br />
A. Collaboration shall consist of:<br />
1. Shared workspace.<br />
2. Application <strong>and</strong> Document sharing.<br />
3. Calendar sharing.<br />
4. Whiteboard sharing.<br />
B. NATO HQ users shall have the ability to collaborate from the desktop<br />
client with multiple participants in real-time on the Business network.<br />
C. NATO HQ users shall have the ability to collaborate with multiple<br />
participants on remote NATO locations across different domain networks.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-355 of 532
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-356 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
15.11.3.2-p4 The <strong>ANWI</strong> Contractor shall deliver the collaboration service to<br />
comply with the following functional requirements:<br />
A. NATO HQ users shall have the ability to store, share, present <strong>and</strong> edit<br />
documents integrated through EIM portals<br />
B. There shall be integration with existing NATO Bi-SC AIS shared<br />
workspace users.<br />
C. There shall be integration with Desktop Office suite.<br />
D. There shall be integration Presence.<br />
E. There shall be integration with Active Directory (LDAP).<br />
F. The service shall provide public <strong>and</strong> corporate portals/storage.<br />
G. The service shall conform to NATO IKM/EIM portal st<strong>and</strong>ards.<br />
H. The Collaboration Service Component shall be capable to share, edit <strong>and</strong><br />
update files <strong>and</strong> share desktop/application GUI in real-time with multiple<br />
users.<br />
i. Users shall have the ability to share <strong>and</strong> delegate calendar read/write<br />
access to multiple users.<br />
J. Users shall have the ability to share <strong>and</strong> edit graphics <strong>and</strong> freeform text<br />
online in real-time between multiple users/clients.<br />
K. Users shall have the ability to upload documents or graphical files <strong>and</strong> to<br />
edit or highlight the document in freeform.<br />
L. There shall be Web Client integration.<br />
15.11.3.2-p5 The <strong>ANWI</strong> Contractor’s collaboration service shall be designed <strong>and</strong><br />
implemented to use the following interface <strong>and</strong> protocols:<br />
A. The Collaboration service shall support the following Interfaces <strong>and</strong><br />
protocols:<br />
1. SIP.<br />
2. LDAP/X.500.<br />
3. RDP.<br />
4. HTTP/HTTPS.<br />
5. XML.<br />
15.11.4 Management <strong>and</strong> Operational Requirements<br />
15.11.4.1 Interfaces<br />
15.11.4.1-p1 The <strong>ANWI</strong> collaboration service design shall describe the following<br />
internal interfaces <strong>and</strong> dependencies:<br />
Processing<br />
Storage<br />
Printing<br />
User Services<br />
Collaboration X X X X X X X X X X X X X<br />
AD<br />
DNS<br />
DHCP<br />
NTP<br />
NAC<br />
Client Provisioning<br />
LAN<br />
Cross Domain<br />
15.11.4.1-p2 The <strong>ANWI</strong> Contractor’s design <strong>and</strong> implementation shall document<br />
<strong>and</strong> support the following cross Domain interfaces:<br />
A. The following table describes the Collaboration interfaces for the Business<br />
Network:<br />
Flow 1/2 way Service Service name Supported Protocols Remarks<br />
Email<br />
IM<br />
Voice<br />
VTC services<br />
Presence<br />
Collaboration<br />
IPTV<br />
File services<br />
Remote users<br />
Browsing<br />
ESS<br />
BMS<br />
ICTM applications<br />
Web Publishing<br />
SMC
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Flow 1/2 way Service Service name Supported Protocols Remarks<br />
BUS-CD2 Two way BUS-INT Internet Chat HTTP(S), SIP, XMPP, RDP Internet, NUWAN<br />
Two way BUS-NMSG NR Collaboration HTTP(S), SIP, XMPP, RDP NRWAN<br />
B. The following table describes the Collaboration interfaces for the NS<br />
Network:<br />
Flow 1/2 way Service Service name Supported Protocols Remarks<br />
NS-GW1 Two way NS-NMSG NS Collaboration HTTP(S), SIP, XMPP, RDP Bi-SC AIS Collaboration<br />
15.11.4.2 Backup <strong>and</strong> Recovery<br />
15.11.4.2-p1 The <strong>ANWI</strong> Contractor’s collaboration service shall be fully integrated<br />
into the <strong>ANWI</strong> backup strategy <strong>and</strong> provide a RTO of 30 minutes.<br />
15.11.5 Testing<br />
15.11.5-p1 The <strong>ANWI</strong> Contractor shall test the collaboration service using the<br />
following End-to-End Test Scenarios:<br />
A. All scenarios described in Section 15.11.2 of this Annex shall be included<br />
as test cases.<br />
B. Hardware Inspection – Physical inspection of the components.<br />
C. Capacity Tests:<br />
1. Total service capacity.<br />
D. Availability Test:<br />
1. Demonstrate High availability.<br />
2. Simulate Server room fail-over.<br />
3. Simulate component failure (e.g. disk, interface, controller).<br />
4. RTO <strong>and</strong> RPO reporting (requirements vs. test results).<br />
E. Performance tests (test shall be conducted over a predefined period not<br />
point in time test):<br />
1. Responsiveness of shared screen / application.<br />
F. Overall reporting using SMC service:<br />
1. Session details (lists/logs).<br />
2. Directory modification details (lists/logs).<br />
3. Statistical usage details (totals, time based distributions, averages).<br />
G. IA tests shall include the following minimum set where applicable:<br />
1. Access Control Mechanism<br />
2. Detection Performance (Malware, Content Checking)<br />
3. Releasability Control<br />
4. Integrity Checking<br />
5. Intrusion Detection<br />
6. Logging<br />
7. Auditing<br />
15.11.6 Training<br />
15.11.6-p1 The <strong>ANWI</strong> Contractor shall train the NNHQ-SPA staff on how to<br />
install, configure <strong>and</strong> troubleshoot the following areas to collaboration the storage<br />
service:<br />
A. Software installation.<br />
B. Software troubleshooting.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-357 of 532
N A T O U N C L A S S I F I E D<br />
C. Basic configuration <strong>and</strong> management:<br />
1. User / application management.<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
15.11.6-p2 The <strong>ANWI</strong> Contractor shall train the NNHQ users on how to use the<br />
Collaboration service.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-358 of 532
N A T O U N C L A S S I F I E D<br />
15.12 APPENDIX 12: Mobility Service Component<br />
15.12.1 Definition<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
15.12.1-p1 The <strong>ANWI</strong> Mobility service shall provide authorized NATO HQ users<br />
with the ability to use a variety of <strong>ANWI</strong> provided end user devices to seamlessly<br />
access the UCC services.<br />
15.12.2 Scope / Scenario<br />
15.12.2-p1 The service shall cover the following scenarios:<br />
A. <strong>ANWI</strong> users shall be able to initiate <strong>and</strong> receive voice calls from any voice<br />
capable UCC device that they are logged on to.<br />
B. <strong>ANWI</strong> users shall be able to initiate <strong>and</strong> receive video calls from any voice<br />
capable UCC device that they are logged on to.<br />
C. <strong>ANWI</strong> users shall be able to initiate /join chat sessions from any IM<br />
capable UCC device that they are logged on to.<br />
D. <strong>ANWI</strong> users shall be able to switch between logged on devices to continue<br />
active communication sessions (such as continuing a chat session started<br />
using a smartphone, <strong>and</strong> switching to a laptop if extensive typing is<br />
needed).<br />
E. For calls / messages received while offline, (<strong>and</strong> if configuration is set for<br />
it), messages shall be stored until the user logs on from a capable device<br />
<strong>and</strong> receives the messages left (see Unified Messaging Service)<br />
15.12.3 Service Requirements<br />
15.12.3.1 Domains<br />
15.12.3.1-p1 The <strong>ANWI</strong> Contractor shall deliver <strong>and</strong> install the mobility service on<br />
the BUSINESS (NR).<br />
15.12.3.2 Location<br />
15.12.3.2-p1 The <strong>ANWI</strong> Contractor’s UCC service components shall be factored<br />
into the server room design then delivered <strong>and</strong> installed in the two NNHQ server<br />
rooms per the physical layout <strong>and</strong> limits defined in the Processing Services Location<br />
(Section 15.2.3.3.1).<br />
15.12.3.2-p2 The <strong>ANWI</strong> Contractor shall provision the mobility service client<br />
software on Business mobile clients as described in Annex H.<br />
15.12.3.2-p3 The <strong>ANWI</strong> Contractor shall design <strong>and</strong> implement the mobility<br />
service in accordance to the following:<br />
A. User experience shall be consistent between device types <strong>and</strong> only limited<br />
by the device technical limitations.<br />
B. The <strong>ANWI</strong> Contractor shall deliver the mobility service to comply with the<br />
following functional requirement<br />
C. The UCC capability shall provide a follow-me unique id.<br />
D. The UCC capability shall provide roaming <strong>and</strong> device mobility.<br />
E. Users shall be able to change the connection point of their devices to the<br />
network <strong>and</strong> have access to their services automatically.<br />
F. Incoming sessions shall be directed to the user preferred device.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-359 of 532
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-360 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
G. The network administrator/user shall be able to define the order of<br />
preference of access methods in the case of devices with multiple access<br />
technology capabilities.<br />
H. Users shall be able to leave <strong>and</strong> re-join the session from a different client.<br />
i. The Mobility service shall be designed <strong>and</strong> implemented to support the<br />
following Interfaces <strong>and</strong> protocols:<br />
1, SIP.<br />
15.12.4 Management <strong>and</strong> Operational Requirements<br />
15.12.4.1 Backup <strong>and</strong> Recovery<br />
15.12.4.1-p1 The <strong>ANWI</strong> Contractor’s mobility service shall be fully integrated into<br />
the <strong>ANWI</strong> backup strategy <strong>and</strong> provide a RTO of 30 minutes.<br />
15.12.4.1-p2 The <strong>ANWI</strong> Contractor’s design <strong>and</strong> implementation shall document<br />
<strong>and</strong> support the following Cross Domain interfaces:<br />
A. The mobility service does not provide additional user interfaces but<br />
enables use of multiple end devices or interfaces to access information<br />
made available by other UCC services such as voice. Thus, no additional<br />
specific interface definitions are provided in this section.<br />
B. The Contractor shall perform the required analysis based on the proposed<br />
mobility solution to enhance identify, propose <strong>and</strong> implement any<br />
necessary additional cross domain information exchange.<br />
15.12.5 Testing<br />
15.12.5-p1 All scenarios described in Section 15.12.2 of this Annex shall be<br />
included as test cases.<br />
15.12.5-p2 The <strong>ANWI</strong> Contractor shall test the mobility service using the<br />
following End-to-End Test Scenarios:<br />
A. Hardware Inspection – Physical inspection of the components.<br />
B. Capacity Tests:<br />
o Total service capacity.<br />
C. Availability Test:<br />
o Demonstrate High availability.<br />
o Simulate Server room fail-over.<br />
o Simulate component failure (e.g. disk, interface, controller).<br />
o RTO <strong>and</strong> RPO reporting (requirements vs. test results).<br />
D. Performance tests (test shall be conducted over a predefined period not<br />
point in time test):<br />
o Performance tests for functions across multiple end point devices.<br />
o Responsiveness of switching to the configured device to takeover functions.<br />
E. Overall reporting using SMC service:<br />
o Session details (lists/logs).<br />
o Directory modification details (lists/logs).<br />
o Statistical usage details (totals, time based distributions, averages).<br />
F. IA tests shall include the following minimum set where applicable:
N A T O U N C L A S S I F I E D<br />
o 1. Access Control Mechanism<br />
o 2. Detection Performance (Malware, Content Checking)<br />
o 3. Releasability Control<br />
o 4. Integrity Checking<br />
o Intrusion Detection<br />
o Logging<br />
o Auditing<br />
15.12.6 Training<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
15.12.6-p1 The <strong>ANWI</strong> Contractor shall train the NNHQ-SPA staff on how to<br />
install, configure <strong>and</strong> troubleshoot the following areas to support the mobility service:<br />
A. Hardware installation <strong>and</strong> configuration.<br />
B. Hardware troubleshooting <strong>and</strong> fault finding.<br />
C. Hardware maintenance tasks (e.g. Firmware <strong>and</strong> Bios upgrades).<br />
D. Software installation.<br />
E. Software troubleshooting.<br />
F. Basic configuration <strong>and</strong> management:<br />
1. User / application management.<br />
15.12.6-p2 The <strong>ANWI</strong> Contractor shall train the NNHQ users on how to use the<br />
Mobility service.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-361 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
SECTION 16. ANNEX H: CLIENT-PROVISIONING SERVICE<br />
16.1 APPENDIX 1: Introduction to Client Provisioning Services<br />
16.1.1 Definition<br />
16.1.1-p1 Client provisioning is the process of providing users with access to data<br />
<strong>and</strong> technology resources. Provisioning can be thought of as a combination of the<br />
duties of a service provider, where users are given access to data repositories or<br />
granted authorization to systems, applications <strong>and</strong> databases based on a unique<br />
user identity, <strong>and</strong> supplying users with the appropriate fit-for-purpose client form<br />
factor hardware resources, such as desktops, laptops or phones. User rights <strong>and</strong><br />
privileges shall be monitored <strong>and</strong> tracked to ensure the security of the enterprise<br />
resources.<br />
16.1.2 Service Overview<br />
16.1.2-p1 The client provisioning service has two (2) distinct parts:<br />
A. Software provisioning service: this is the back-end capability that provides<br />
the Operating systems <strong>and</strong> applications to the users. There are several<br />
different ways to provide software provisioning capability; these are<br />
described in Appendix 2 of this Annex.<br />
B. Client Devices: this encompasses the provision of a physical <strong>and</strong>/or virtual<br />
device to the end-users with which they receive access to the software<br />
provisioning service. These devices include:<br />
1. Office Desktop PC, st<strong>and</strong>ard desktop for normal office workers.<br />
2. High Performance workstations used for applications that are processor<br />
intensive, e.g. CIS management workstations <strong>and</strong> INFOSEC<br />
management workstations.<br />
3. Thin client for Virtual desktop provisioning.<br />
3. Laptops / Tablets for mobile users.<br />
4. Feature rich Unified Communication <strong>and</strong> Collaboration (UCC) User<br />
access device.<br />
5. PDA or portable communicator device for mobile users (using NR<br />
approved security settings).<br />
6. Print <strong>and</strong> scan devices.<br />
16.1.3 Scope<br />
16.1.3-p1 The client provisioning service shall be provided through the following<br />
sub-services:<br />
A. Software provisioning.<br />
B. Client Devices.<br />
16.1.3-p2 Figure 16.1 illustrates the mapping of the client provisioning services to<br />
the services taxonomy as introduced in Annex C.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-362 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
16.1.3-p3 The services which are further specified in this annex mapped to the<br />
appendices are as follows:<br />
A. Appendix 2, Software Provisioning, will specify the provisioning of<br />
common, specific application <strong>and</strong> operating system software provisioning<br />
service.<br />
B. Appendix 3, Client Devices, will specify the various client devices <strong>and</strong><br />
common CoI user applications <strong>and</strong> operating system services baseline (in<br />
short: NATO desktop baseline).<br />
Figure 16.1: Client provisioning services mapping to services taxonomy<br />
16.1.4 Service Requirements<br />
16.1.4-p1 Infrastructure shall be available on all 4 networks – NATO SECRET,<br />
EAPC SECRET, BUSINESS (NR) <strong>and</strong> PUBLIC with the following possibilities for<br />
client <strong>and</strong> software provisioning:<br />
Network (Qty) Client Processing Storage Technology<br />
NS (1306) Desktop Local Central Streaming<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-363 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Network (Qty) Client Processing Storage Technology<br />
Central Central SBC/VDI<br />
Thin Client Central Central SBC/VDI<br />
EAPC (150) Desktop Local Central Streaming<br />
Central Central SBC/VDI<br />
Thin Client Central Central SBC/VDI<br />
Business (1600) Laptop / Tablet Local Local NRoI/local applications<br />
Local Central Application streaming<br />
Central Central SBC/VDI for applications<br />
Business (633) Desktop Local Central Streaming<br />
Central Central SBC/VDI<br />
Thin Client Central Central SBC/VDI<br />
Public (34) Desktop Local Central Streaming<br />
Central Central SBC/VDI<br />
Thin Client Central Central SBC/VDI<br />
Guest (n.a.) BYOD Local Local Only Wireless limited Access<br />
Table 16.1a: Client <strong>and</strong> software provisioning possibilities<br />
16.1.4-p2 In order to provide a comprehensive <strong>and</strong> flexible solution for <strong>ANWI</strong> the<br />
contractor shall provide a similar solution for the NATO Secret, EAPC <strong>and</strong> public<br />
network as well as the “desktop“ clients on the Business network. For the mobile<br />
Business users a solution based on mobile clients (laptops/tablets) shall be used.<br />
16.1.4-p3 The <strong>ANWI</strong> Contractor shall provide flexible client provisioning solutions<br />
for four (4) networks:<br />
A. For the Business network the preferred client shall be mobile clients<br />
(laptops/tablets), however some desktops will also be required for specific<br />
functions. The mobile clients shall use a NATO approved secure VPN<br />
capability that will allow them to connect to the Business network from any<br />
public network through a secure VPN/NPKI solution.. For accessing the<br />
business network inside the HQ the business user will connect to the<br />
<strong>ANWI</strong> public Wireless network <strong>and</strong> establish a VPN connection to the<br />
Business network. The VPN connection shall utilise the VPN service that<br />
can be accessed via Cross Domain Gateway 2.<br />
B. The NATO secret <strong>and</strong> EAPC networks require mostly desktop clients.<br />
These shall be deployed without local storage capability for the st<strong>and</strong>ard<br />
desktops. Specific exceptions can get a high performance workstation that<br />
has local storage capabilities.<br />
C. The public network clients shall consist of a number of “kiosk” machines<br />
that can be used by multiple users. No specific applications beyond the<br />
st<strong>and</strong>ard desktop are required. The main function of these clients will be to<br />
provide internet access to HQ visitors. The public clients shall use the<br />
same provisioning technology <strong>and</strong> clients as the NATO Secret <strong>and</strong> EAPC<br />
solution.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-364 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
D. Clients shall comply with the MHWPS (ref 1.1.1.5.1). The current version<br />
of the MHWPS does not contain minimum specifications for a Thin Client<br />
or a Tablet. Therefore, Table 16.1b below provides the minimum<br />
specifications for a Thin Client, <strong>and</strong> Table 16.1c for a Tablet.<br />
Item<br />
Client capabilities<br />
Display<br />
Security<br />
NIC<br />
Sound<br />
Keyboard<br />
Mouse<br />
Noise emission<br />
Power supply <strong>and</strong><br />
cords<br />
Ports<br />
Case<br />
Power consumption<br />
Manageability<br />
Minimum Requirements<br />
Fully supporting operations using:<br />
Microsoft RDP/RemoteFX<br />
Citrix ICA/HDX<br />
VMware VDI/<strong>View</strong><br />
Two outputs, supporting a minimum resolution of<br />
1920x1200@60Hz in single display <strong>and</strong> of 1024x768 in dual<br />
display, 16-bit colour<br />
SSL 3.0/TLS 1.0 or higher, Setup/boot password/system<br />
configuration protection & cabinet lock<br />
100Base-T RJ-45 or 100Base-FX LC/SC<br />
Audio input <strong>and</strong> output using 3.5mm jack<br />
US QWERTY keyboard<br />
Optical/laser scroll mouse<br />
Silent (fan-less)<br />
According to local requirements (CEE 7/7 power plugs)<br />
minimum 1 USB 2.0 or higher <strong>and</strong> 1 USB 3.0 port available,<br />
excluding Keyboard <strong>and</strong> Mouse connection<br />
Small Form Factor<br />
Average below 10W<br />
Supported remote wake-on-LAN, monitoring, control <strong>and</strong><br />
patching<br />
All identified components installed/integrated into the<br />
system<br />
Overall hardware configuration must be robust in order to<br />
support business type operations<br />
Table 16.1b: Thin Client Minimum Hardware requirements<br />
Item<br />
Minimum Requirements Optimal Requirements (highperformance<br />
(basic – on Atom Z2460)<br />
– on i5-3470T)<br />
Compatibility Windows 7 <strong>and</strong> 8 compatible<br />
Processor Dual thread or more Dual core or more<br />
Maximum/turbo frequency: 1.6 Maximum/turbo frequency: 3.0 GHz<br />
GHz or faster<br />
or faster<br />
Support for EIST, Execute Support for EIST, Execute Disable<br />
Disable Bit<br />
Bit, 64bit instruction set, AES-NI,<br />
(Optional: support for 64bit VT-x, VT-d<br />
instruction set)<br />
Memory 2GB dual channel LPDDR2- 4GB dual channel DDR3-1333 or<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-365 of 532
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-366 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Item<br />
Minimum Requirements<br />
(basic – on Atom Z2460)<br />
Optimal Requirements (highperformance<br />
– on i5-3470T)<br />
800 or faster faster<br />
Storage 60GB of flash storage 120GB of flash storage<br />
Screen Min. 9-10” IPS or AM-OLED Min. 9-10” IPS 1920x1080 or higher<br />
1280x800 or higher resolution resolution<br />
Anti-glare coating, contrast<br />
500:1, brightness 350 nits<br />
(cd/m 2 )<br />
Anti-glare coating, contrast 500:1,<br />
brightness 300 nits (cd/m 2 )<br />
Horizontal <strong>and</strong> vertical viewing angle<br />
Horizontal <strong>and</strong> vertical viewing at least 160º<br />
angle at least 160º<br />
Four-points or more multitouch<br />
Four-points or more multi-touch<br />
support<br />
support<br />
GPU<br />
Keyboard<br />
Battery<br />
Wi-Fi<br />
Bluetooth<br />
USB<br />
Modem<br />
Case<br />
Drivers<br />
Power<br />
supply<br />
Weight<br />
Support for:<br />
- DirectX 9.L, OpenGL ES2.0 or<br />
higher<br />
- H.264 MPEG4/2, VC1, WMV9<br />
hardware decoding<br />
- Support for 1280x1024 or<br />
higher resolutions<br />
- HDMI (mini/micro/normal) 1.3<br />
or MHL or DisplayPort 1.1<br />
connectivity for external<br />
display supporting a minimum<br />
of 1920x1080p resolution<br />
Attachable US QWERTY keyboard<br />
min. 8 hours running time<br />
battery<br />
max. 4 hours loading time to<br />
80%<br />
Wireless LAN 802.11 b/g/n<br />
2.4GHz<br />
(Optional: 2.4GHz <strong>and</strong> 5GHz<br />
dual-b<strong>and</strong>)<br />
Bluetooth 3.0 or higher<br />
1x free USB 2.0 port<br />
(excluding Smart Card Reader<br />
port if used via USB)<br />
Support for:<br />
- QuickSync Video enc/dec<br />
- DirectX 11, OpenGL 3.1 or higher<br />
- H.264 MPEG4/2, VC1, WMV9<br />
hardware decoding<br />
- Support for 1920x1080 or higher<br />
resolutions<br />
- HDMI (mini/micro/normal) 1.3 or MHL<br />
or DisplayPort 1.1 connectivity for<br />
external display supporting a minimum<br />
of 1920x1080p resolution<br />
min. 6 hours running time battery<br />
max. 2 hours loading time to 80%<br />
Wireless LAN 802.11 b/g/n 2.4GHz<br />
2x2 MIMO<br />
(Optional: 2.4GHz <strong>and</strong> 5GHz dualb<strong>and</strong>)<br />
1x free USB 3.0 port (excluding<br />
Smart Card Reader port if used via<br />
USB)<br />
Optional:<br />
Integrated HSPA (800/850/900/1900/2100MHz) of maximum<br />
theoretical b<strong>and</strong>width min.: download 14Mbps, upload 5Mbps<br />
A sleeve <strong>and</strong> carrying case enabling self-st<strong>and</strong>ing position of the<br />
device<br />
All drivers must be compatible with the hardware <strong>and</strong> software used<br />
Auto sensing 110/220V power with local power cord<br />
Less than 1.1kg with its power<br />
supply<br />
Less than 1.4kg with its power<br />
supply
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Item<br />
Minimum Requirements<br />
(basic – on Atom Z2460)<br />
Optimal Requirements (highperformance<br />
– on i5-3470T)<br />
Security Trusted Platform Module (TPM) 1.2 (or later) chip on the<br />
motherboard<br />
Smart Card reader (embedded or through an USB port)<br />
Docking A dedicated docking station or a port replicator having at least:<br />
- 100BaseT RJ45 interface or faster<br />
- a minimum of 2 x USB 2.0 <strong>and</strong> 1 x USB 3.0 ports<br />
- Audio input <strong>and</strong> output<br />
- DVI or HDMI or DisplayPort video output<br />
Other Integrated flash card reader (SD, µSD or newer)<br />
Integrated Webcam<br />
Integrated speaker <strong>and</strong> microphone<br />
3.5mm headphone <strong>and</strong> microphone jack (through a TRRS<br />
connector)<br />
Table 16.1c: Tablet Minimum Hardware requirements<br />
E. Where possible, a desktop Keyboard, Video <strong>and</strong> Mouse (KVM) switch<br />
shall be used to reduce the number of screens, monitors <strong>and</strong> mice on the<br />
desktop (the number of thin clients or PCs shall remain the same).<br />
16.1.4-p4 The <strong>ANWI</strong> Contractorshall base his estimates for sizing of the<br />
infrastructure capabilities on the figures provided in Appendix 3 of this Annex.<br />
16.1.5 Service Level Agreement / Targets.<br />
16.1.5-p1 The two distinct parts of the Client provisioning service have different<br />
service level targets:<br />
A. Software provisioning: this back-end capability has the entire HQ in its<br />
scope <strong>and</strong> it services all users. This requires a high available capability.<br />
The software provisioning capability requires 99.99% availability. In case<br />
of a catastrophic event (up to one server room failure) a maximum service<br />
performance impact of 25% to the required service performance is<br />
acceptable.<br />
. bEnd-user client devices have a much smaller scope, mostly on individual<br />
basis, therefore high availability is difficult to achieve. Client faults <strong>and</strong><br />
failure are h<strong>and</strong>led as incidents that shall get a specific priority. Users<br />
should be able to work on multiple devices (roaming) <strong>and</strong> exchanging<br />
devices should be supported without the need for extensive<br />
reconfigurations. The <strong>ANWI</strong> Contractor shall provide information on client<br />
MTBF figures <strong>and</strong> warranty concepts <strong>and</strong> onsite spare requirement for the<br />
different clients.<br />
16.1.6 Service Testing <strong>and</strong> Reporting<br />
16.1.6-p1 The Client provisioning service is managed through the SMC. The SMC<br />
shall also provide the capability to provide reports on the software provisioning<br />
capability <strong>and</strong> client devices. These reports shall also be required to measure the<br />
compliance of the system towards the SLA requirements.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-367 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
16.1.6-p2 Individual sub-services shall be tested for compliance on the technical<br />
requirements of the specific sub-service. Overall end-to-end client provisioning<br />
integration tests shall be conducted to verify the integration of the individual<br />
capabilities into the client provisioning service. These integration tests shall include<br />
the SMC <strong>and</strong> IA capabilities <strong>and</strong> requirements.<br />
16.1.7 Dependencies<br />
16.1.7-p1 The client provisioning service interfaces mainly with the <strong>ANWI</strong><br />
infrastructure services <strong>and</strong> passive network infrastructure (PNWI) with respect to the<br />
back-end interfaces <strong>and</strong> with the actual end-users on the presentation level, as<br />
visualized in figure 16.1.<br />
16.1.7-p2 Mobile users on the business network also interface with commercial<br />
services when working outside the HQ (internet providers for access to the NRoI<br />
VPN through the PIA gateway)<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-368 of 532
N A T O U N C L A S S I F I E D<br />
16.2 APPENDIX 2: Software Provisioning<br />
16.2.1 Definition<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
16.2.1-p1 The Software Provisioning service is an essential back-end service<br />
providing the capability to deploy Operating <strong>System</strong>s for servers <strong>and</strong> clients, <strong>and</strong><br />
make software available for user to use, on (terminal) server, desktop, laptops <strong>and</strong><br />
other client devices (for information on Client devices see Appendix 3 of this Annex).<br />
16.2.2 Scope/Scenario<br />
16.2.2-p1<br />
service.<br />
The Software provisioning service is part of the Client provisioning<br />
16.2.2-p2 The Software Provisioning capability shall deliver Operating <strong>System</strong>s<br />
<strong>and</strong> applications on all classification networks, to all involved client devices.<br />
16.2.2-p3 The Software Provisioning capability shall consider deployment using<br />
various methods to all locations involved in the NNHQ, including remote offices <strong>and</strong><br />
remote (VPN) users.<br />
16.2.2-p4 The software provisioning capability shall be sized to meet the following<br />
capacity requirements.<br />
16.2.3 Domains<br />
16.2.3-p1 The Software provisioning service shall be available on all 4 networks –<br />
NATO SECRET, EAPC SECRET, BUSINESS (NR) <strong>and</strong> PUBLIC.<br />
16.2.4 Location<br />
16.2.4-p1 The locations of the servers for all the Software provisioning services<br />
are both server rooms. These basic services are expected to keep running even in<br />
case of a major failure, up to losing one of the server rooms.<br />
16.2.5 Client Platform Provisioning<br />
16.2.5-p1 NATO HQ users inside <strong>and</strong> outside of the building are expected to use<br />
a variety of client form factors including desktop computers, mobile computers,<br />
tablets <strong>and</strong> smartphones. To provide an effective client capability in a centrally<br />
managed manner, capable of providing a heterogeneous software portfolio including<br />
legacy applications, a combination of the following provisioning technologies shall be<br />
utilized:<br />
A. Physical Client Platform with Local Storage <strong>and</strong> Processing: This defines a<br />
physical device with local storage <strong>and</strong> processing capabilities. Local<br />
storage is essential for mobile platforms as they are expected to function<br />
offline or while not directly connected to the <strong>ANWI</strong>. The software platform<br />
on such devices will be centrally managed. Examples of such platforms<br />
are Traditional Desktops <strong>and</strong> Laptops, NRoI clients.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-369 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
B. Physical Client Platform with Central Storage <strong>and</strong> with Local Processing<br />
[OS Streaming]: This defines a “diskless client” capability, where the client<br />
devices are directly connected to the <strong>ANWI</strong> services, <strong>and</strong> they rely on the<br />
central storage infrastructure to be virtually presented as a local disk<br />
through the network. The disk images are managed <strong>and</strong> stored centrally,<br />
<strong>and</strong> when the devices are turned off, no data is stored on the client. This<br />
type of provisioning is also called Desktop Streaming. NCIA NS clients are<br />
such examples. As the processing happens at the client <strong>and</strong> the OS is<br />
running directly on the local hardware, not a server (compared to VDI<br />
below), this option has a much wider flexibility in terms of accessing<br />
legacy or state of the art peripherals, the multimedia capabilities are only<br />
limited to the ability of the client, <strong>and</strong> device drivers are running on the<br />
native hardware as they are majorly tuned to do, but not on a virtual<br />
platform.<br />
Note that although this is mainly considered to be a physical platform, such provisioning can also be<br />
provided to a virtual machine. This enables the virtual platform to be stateless (storing no local data)<br />
thus limits the access to the environment to online use within NATO HQ.<br />
C. Physical Client Platform with Central Storage <strong>and</strong> Processing [Server<br />
Based Computing]: This option is where the client software runs on a<br />
central server infrastructure, <strong>and</strong> a client desktop is provided to the users<br />
through a remote desktop protocol, which provides a remote view of the<br />
desktop running on the central server. Note that this option relies on an<br />
access capability being used to reach the service provided on the server<br />
infrastructure. The access capability can be provided through the options<br />
defined in a). b). above, or through thin clients.<br />
D. Virtual Client Platform with Central Storage <strong>and</strong> Processing [VDI]: This<br />
defines a set of virtual clients running on a server platform, using the<br />
central storage. The OS on these clients can be local (to the VM, not the<br />
endpoint) or streamed through the same mechanism for the Diskless<br />
clients. This method has a few specific features, which are potentially an<br />
advantage for implementations where the hardware <strong>and</strong> multimedia<br />
requirements are significantly homogeneous <strong>and</strong> well defined, <strong>and</strong> where<br />
a variety of client software configurations need to be frequently redeployed<br />
(such as training <strong>and</strong> test facilities).<br />
Note that this option relies on an access capability being used to reach the service provided on the<br />
server infrastructure. The access capability can be provided through the options defined in a). b). c)<br />
above, or through thin clients.<br />
16.2.5-p2 In order to provide a comprehensive <strong>and</strong> flexible solution for <strong>ANWI</strong> the<br />
contractor shall provide a similar solution for the NATO Secret, EAPC <strong>and</strong> public<br />
network as well as the “desktop”clients on the Business network. For the mobile<br />
Business users a solution in line with option a. shall be used.<br />
16.2.5-p3 The <strong>ANWI</strong> contractor shall support specific COI’s (ex. Graphic<br />
designers) with an adequate Client provisioning solution. Due to the nature of the<br />
activities performed by these COI’s a deviation from the st<strong>and</strong>ard client provisioning<br />
method shall be required (ex. Graphic intensive workloads, Video editing <strong>and</strong><br />
CAD/CAM activities)<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-370 of 532
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-371 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
16.2.5-p4 Whether using only one of the above solutions, or any combination of<br />
these options, on all four possible security networks, all HQ users should have a<br />
consistent experience when using the NNHQ ICT environment.<br />
A. The User experience for accessing resources on the NNHQ environment<br />
shall be the same, whichever provisioning combination is used.<br />
B. The operating system shall use the NATO desktop baseline.<br />
16.2.5-p5 NATO currently has an Enterprise Agreement with Microsoft, <strong>and</strong> all<br />
current client computers are Microsoft Operating <strong>System</strong> <strong>and</strong> Office Suite based.The<br />
contractor shall deliver every client with an OEM Windows professional version. The<br />
purchaser will provide the Microsoft enterprise desktop as PFE. Included in the MS<br />
enterprise desktop package is:<br />
A. Office Professional Plus.<br />
B. Enterprise Client Access Licenses (e-CAL) for Windows Server, Exchange<br />
Server, SharePoint Server, Lync Server, <strong>System</strong> Center, Forefront <strong>and</strong><br />
SQL Server.<br />
16.2.6 Application Provisioning<br />
16.2.6-p1 With any of the possible client platform provisioning solutions<br />
mentioned in the previous paragraph, applications need to be deployed to have users<br />
be able to do their work. All applications shall be manageable centrally, deployed<br />
from central depositories. To provide an effective client capability in a centrally<br />
managed manner, capable of providing a heterogeneous software portfolio including<br />
legacy applications, a combination of the following application provisioning<br />
technologies shall be utilized:<br />
A. Through a central software deployment solution, like SCCM, software is<br />
deployed to a workstation <strong>and</strong> installed locally. Through the central<br />
management console, the software can be kept up to date, with patches<br />
<strong>and</strong> new releases.<br />
B. In addition to installing software locally, it is also possible to use<br />
applications without leaving a “footprint” on the local Operating <strong>System</strong>.<br />
Application streaming provides a method of delivering applications to the<br />
Client Platform, without the need for a local installation. Application<br />
Streaming retains centralised application management, whilst using local<br />
processing power to run the applications. A package is prepared on a<br />
central server <strong>and</strong> is then streamed to clients the first time the application<br />
is run, after which the application runs locally until a new configuration is<br />
deployed centrally.<br />
C. The client software runs on a central server infrastructure, <strong>and</strong> the<br />
application is published to the users through a remote desktop protocol,<br />
which provides a remote screen view of an application running on the<br />
central server.<br />
16.2.6-p2 The <strong>ANWI</strong> contractor shall also support HQ Support Staff during the<br />
migration of the business applications. The <strong>ANWI</strong> client provisioning solution shall be<br />
able to support the different ICTM Business applications.<br />
16.2.6-p3 As with the client-provisioning, whatever combination is used, the user<br />
experience should be the same for all users. Central management shall also include
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
methods of restricting software usage, <strong>and</strong> shall have clear reporting on which<br />
software is in use, based on the number of concurrent <strong>and</strong> licensed users.<br />
A. Licensing: All software in use shall be licensed.<br />
B. Monitoring: All software usage shall be centrally monitored.<br />
C. Software use: Software use can be centrally restricted.<br />
D. Reporting: (Concurrent) Use of software can be reported on.<br />
16.2.7 Client provisioning infrastructure<br />
16.2.7-p1 The <strong>ANWI</strong> Contractor shall design the client provisioning infrastructure<br />
to support all the required client in a high available setup. In case of catastrophic<br />
event (Server room failure) the client provisioning solution shall still be able to<br />
available to all users with a maximum performance degradation of 25% to the<br />
required service performance.<br />
16.2.7-p2 The <strong>ANWI</strong> Contractor shall design a scalable <strong>and</strong> flexible solution that<br />
includes a 25% spare capacity <strong>and</strong> allows for easy capacity expansion beyond the<br />
25%. The table below provides the required initial capacity numbers:<br />
Client provisioning Capacity<br />
NATO Secret 2,000<br />
EAPC 200<br />
Business 2,500<br />
Public 50<br />
Table 16.1d Client Provisioning per Domain<br />
16.2.7-p3 The client provisioning usage shall not cause any degradation to the<br />
other infrastructure services like storage or network performance due to specific<br />
events (ex. Logon Storm). Sufficient infrastructure resources for processing, storage<br />
<strong>and</strong> networking shall be provisioned in the infrastructure services or dedicated in the<br />
client provisioning service. (ex. SAN).<br />
16.2.8 Service Level Agreement/Target<br />
Service Level Target Parameters<br />
Capacity SLTs<br />
Availability SLTs<br />
Service Availability (%) 99,99%<br />
Max number for scheduled downtimes (month) 1<br />
Manageability SLTs<br />
Frequency of Service Measurements<br />
Frequency of SLA Reports<br />
Reliability SLTs<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-372 of 532<br />
Continuous<br />
Daily/Weekly
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Service Level Target Parameters<br />
Service reliability (%) >99,99%<br />
Maintainability SLTs<br />
Mean Time To Restore (MTTR) (hours) 4<br />
Performance Parameters<br />
Time to deploy a st<strong>and</strong>ard non-mobile client.<br />
Max 30 minutes<br />
Time to deploy a mobile client<br />
Max 2 hours<br />
Time to deploy a baseline Image<br />
Next business day<br />
Time to provision anew application (high priority)<br />
Next business day<br />
16.2.9 Management <strong>and</strong> Operational Requirements<br />
16.2.9.1 Interfaces<br />
16.2.9.1-p1 The following internal interfaces <strong>and</strong> dependencies shall be<br />
described for the Software provisioning capability.<br />
Processing<br />
Storage<br />
Printing<br />
User Services<br />
Client Provisioning X X X X X X X X X X X X X X X X X X X X X X<br />
AD<br />
DNS<br />
DHCP<br />
NTP<br />
16.2.9.2 Backup <strong>and</strong> Recovery<br />
NAC<br />
Client Provisioning<br />
LAN<br />
16.2.9.2-p1 All Software Provisioning Servers <strong>and</strong> underlying data <strong>and</strong><br />
databases shall be backed up online <strong>and</strong> offline.<br />
Cross Domain<br />
16.2.9.2-p2 In case of failures the capability availability is set in the service level<br />
target. The recovery target for restoring the failed service components is:<br />
16.2.9.2-p3<br />
16.2.10 Testing<br />
RTO: 4 hours<br />
16.2.10-p1 End-to-End Test Scenario<br />
A. Deployment of Operating systems to all devices on all networks.<br />
B. Deployment of Applications to all devices, on all networks.<br />
C. Deployment of patches updates <strong>and</strong> upgrades, on all device, on all<br />
networks.<br />
D. Stress test: Deployment of multiple devices (20) at the same time.<br />
E. Deployment to remote offices <strong>and</strong> remote users.<br />
F. Monitoring of license use for deployed applications.<br />
G. Limiting the use of software for deployed applications.<br />
Email<br />
IM<br />
Voice<br />
VTC services<br />
Presence<br />
Collaboration<br />
IPTV<br />
File services<br />
Remote users<br />
Browsing<br />
ESS<br />
BMS<br />
ICTM applications<br />
Web Publishing<br />
SMC<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-373 of 532
16.2.11 Training<br />
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
16.2.11-p1 ICTM staff shall need to know how to install, configure <strong>and</strong><br />
troubleshoot the following areas to support the Software Provisioning service:<br />
A. Server/Service installation <strong>and</strong> configuration.<br />
B. Server/Service troubleshooting <strong>and</strong> fault finding.<br />
C. Configuration <strong>and</strong> installation of updates for applications/OS.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-374 of 532
16.3 APPENDIX 3: Client Devices<br />
16.3.1 Definition<br />
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
16.3.1-p1 This appendix specifies the client device form factors <strong>and</strong> client device<br />
requirements that will enable the various user types to get access to the required<br />
information <strong>and</strong> UCC services.<br />
16.3.1-p2 The client devices are part of a holistic concept, as explained in the<br />
UCC concept that will allow users to access the NNHQ ICT services or a subset of<br />
those services dependent on the type of client device <strong>and</strong> its mobility features.<br />
16.3.1-p3 The <strong>ANWI</strong> client devices are indicated in table 16.2.<br />
Type of Client Description Comment<br />
Fixed Desktop (Ultra) Small form factor desktop Diskless<br />
Fixed High Performance Desktop High Performance Workstation Form factor is fat client<br />
Fixed Desktop Network Agnostic (Ultra) Small form factor desktop Needed in conference areas where<br />
Client<br />
network classification will switch – no<br />
information should be stored or left on<br />
the client – diskless.<br />
Thin Client Thin client VDI / SBC solutions<br />
Mobile Client Laptop or Tablet Needs to support the NATO OS<br />
baseline.<br />
Basic Desk phone<br />
Normal desk phone<br />
Secretarial Desk phone<br />
Desk phone with enhancements<br />
PDA/Smart phone<br />
Small form factor device with GSM<br />
option<br />
KVM<br />
Needed to switch single Keyboard Not a client device<br />
Video Mouse to different clients<br />
connected to different networks<br />
Table 16.2: <strong>ANWI</strong> client devices identification<br />
16.3.2 Scope<br />
16.3.2-p1 Partly due to security considerations, desktops are the primary working<br />
environment at NATO. For HIGH security networks this will be the case for quite<br />
some time, as other solution will have to be accredited to be used for these<br />
classifications. For the other networks Laptops are already in use <strong>and</strong> smartphones<br />
are already used to connect to business resources. With the rapidly changing market<br />
for mobile devices, where all devices from smartphones to laptops will blur into a<br />
group best described as mobility devices, enterprise environments will also change.<br />
Add to that the changing OS environments, with desktop OS en smartphone OS<br />
blurring in functionality <strong>and</strong> it becomes clear that in the near future a smartphone can<br />
be “docked” <strong>and</strong> used as a desktop device.<br />
16.3.2-p2 For the current environment, the NS, EAPC <strong>and</strong> public networks shall<br />
use mostly desktop devices. The Business network shall use a combination of<br />
desktop devices <strong>and</strong> mobile devices. In order to limit the number of devices on the<br />
desk the <strong>ANWI</strong> contractor shall implement a KVM solution to connect the desktop<br />
keyboard, mouse, monitor <strong>and</strong> other peripherals to all possible classifications.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-375 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
16.3.2-p3 Table 16.3 summarises the user community, by user type <strong>and</strong> network<br />
classification<br />
User Type<br />
Quantity Comments<br />
Staff Member<br />
4.500 Including 2000 IS/IMS, 2000 National <strong>and</strong> 500 partner delegates<br />
Conference Visitor 1.500<br />
NS User<br />
2.700 Including 1500 National delegates<br />
EAPC User 600<br />
NU/NR User<br />
4.000 Including 2000 National delegates<br />
Public User 2.000<br />
Table 16.3: User community per network<br />
16.3.2-p4 The number of clients required to implement the client solutions<br />
described in this chapter are listed in Table 16.4 below.<br />
User / Location NS EAPC NU/NR Public Comments<br />
U1 - NATO HQ User 1,200 100 400 -<br />
U2 - NATO HQ Nation User 56 - 56 -<br />
U3 - NATO HQ Partner User - 50 - -<br />
U7 - NATO HQ Mobile User (NRoI) - - 1,600 -<br />
U8 - NATO HQ Remote User (RU) 40 - 60 -<br />
Office wings - - 63 - It is assumed that all 21 IS/IMS office wings have 3 devices<br />
in the 'collaboration area'<br />
Press Area - Library - - - 10 10 PC's in the Public area<br />
Visitors area - Business Centre - - - 16<br />
Conference Rooms<br />
234 The devices in the conference centre are agnostic of the<br />
network.<br />
Agora - - 4 4 4 PC's in the Public area <strong>and</strong> 4 PC's for NATO staff in the<br />
Agora (switchable)<br />
Basement<br />
Briefing Room<br />
10 The devices in the conference rooms are agnostic of the<br />
network.<br />
Senior Decision Makers Room<br />
10 The devices in the conference rooms are agnostic of the<br />
network.<br />
Watch Room<br />
10 The devices in the conference rooms are agnostic of the<br />
network.<br />
Multi Media - VTC Room<br />
15 The devices in the conference rooms are agnostic of the<br />
network.<br />
Training Room - - 20 -<br />
Ground Floor VTC Room<br />
5 The devices in the conference rooms are agnostic of the<br />
network.<br />
Site Security Control Room 1 - 6 -<br />
Alternate Site Security Control Room 1 - 6 -<br />
Crisis Centre Monitoring Room 6 - 6 -<br />
Staff Centre - - 10 4 10 PC's in the training room <strong>and</strong> 4 PC's in the Public area<br />
Industrial Infrastructure - - 14 -<br />
Guard Houses 2 - 8 -<br />
284 The total number of devices that are agnostic of the<br />
network (switchable)<br />
Subtotal Fixed End user devices 1,306 150 653 34<br />
Subtotal Mobile devices 1,600<br />
TOTAL 1,306 150 2,253 34<br />
Table 16.4: Client Numbers per Network<br />
16.3.2-p5<br />
16.5.<br />
The distribution of <strong>ANWI</strong> client types per network is provided in table<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-376 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
desktop/laptop Nr Client Tot<br />
(Thin Client/<br />
(diskless<br />
desktop)<br />
Hig Perf.<br />
Client<br />
Mobile<br />
(Laptop)<br />
Mobile<br />
(Tablet)<br />
Network<br />
Agnostic<br />
Desktop KVM<br />
NATO Secret 1306 95% 5% (283) 1266<br />
EAPC 150 95% 5% (283)<br />
Business 2253 25% 4% 53% 18% (283)<br />
Public 34 100% (283)<br />
*Softphone on mobile client devices<br />
Secretarial<br />
Phone<br />
Voice Nr Client Tot Basic Phone<br />
NATO Secret N.A.<br />
EAPC - - - -<br />
Business 1600* - - -<br />
Smart Phone<br />
PDA<br />
Public 1232 43% 10.5% 46.5%<br />
Table 16.5: Distribution of <strong>ANWI</strong> clients device types per network<br />
16.3.2-p6 The client devices are located in different wings per classification. NS<br />
<strong>and</strong> Business desktops are located in the wings for NATO personnel, EAPC devices<br />
are to be found in the EAPC <strong>and</strong> NATO area <strong>and</strong> Public devices are only to be found<br />
in the public areas.<br />
16.3.3 Service Requirements<br />
16.3.3-p1 The NNHQ is effectively a large glass building <strong>and</strong> cooling this building<br />
has its consequences. For that reason power consumption of computer devices is<br />
restricted.<br />
A. The maximum power usage per seat is 180 W, due to building airconditioning<br />
restrictions.<br />
16.3.3-p2 In accordance with design considerations mentioned in Annex A, the<br />
following list describes some design requirements for the desktop environment:<br />
A. The <strong>ANWI</strong> Contractor shall provide all client patch cables<br />
B. The computers <strong>and</strong> monitors shall have a low power state, such as a<br />
st<strong>and</strong>by or sleep mode.<br />
C. For all workspace equipment default energy savings settings shall be set.<br />
D. There shall be an automated process for turning off devices.<br />
E. Desktop hardware shall be fit for purpose.<br />
F. All client devices shall support Power management policies through the<br />
Central SMC capability.<br />
G. Devices shall use SSD, or be diskless clients, to lower power<br />
consumption.<br />
H. The highest possible efficiency power supply shall be used (>90%).<br />
i. St<strong>and</strong>ardization: A minimal numbers of different configurations shall be<br />
used.<br />
J. The network cards shall support IPv4 <strong>and</strong> IPv6.<br />
K. Desktop devices shall be (ultra) small form factor devices.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-377 of 532
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-378 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
16.3.3-p3 The proposed AIS desktop configuration is based on the st<strong>and</strong>ard<br />
NATO desktop core components, as described in the latest NCIA Approved Fielded<br />
Product List (see 1.1.1.8.4).<br />
A. Desktop OS with NATO approved user <strong>and</strong> security settings<br />
http://nww.ncirc.nato.int (on NS WAN).<br />
B. Core Tools Components. The actual components to be provided will<br />
depend on the client hardware (PC, High performance workstation,<br />
Laptop, PDA), <strong>and</strong> the network. The versions will be based on the latest<br />
approved.<br />
C. Software components: The latest approved version of the NATO Desktop<br />
will provide the essential office automation <strong>and</strong> collaboration functionality<br />
to the user population in support of their daily duties (see<br />
http://www.ia.nato.int/niapc/ (Internet – NU version) <strong>and</strong> http://nww.NCIA<br />
.nato.int/NCIA HQ/<strong>System</strong>Mana/CMO (on NS WAN)).<br />
16.3.3-p4 HIGH security classification devices, devices on the NS <strong>and</strong> EAPC<br />
networks, have several different requirements, due to security reasons. The following<br />
is a list of requirements for these devices:<br />
A. Device form factor: High security classification devices may not be mobile<br />
deviceswith the exception of the mobile travel kit (ref. Annex M).<br />
B. Network: High security classification devices are connected to the network<br />
through fibre connections.<br />
C. Internal storage: A device on a high secure classification network shall not<br />
have an internal storage device.<br />
D. High security classification devices shall include a smart card reader.<br />
E. Computer devices shall automatically lock after not being used for 15<br />
minutes.<br />
F. Antivirus software shall be installed on all computer devices.<br />
G. An e-mail labelling software tool shall be installed on all client devices.<br />
16.3.3-p5 LOW security classification devices, NU <strong>and</strong> NR devices will be a<br />
combination of mobile <strong>and</strong> desktop devices. Desktop devices for those place where<br />
mobility is not needed or wanted <strong>and</strong> mobile devices for all other users.<br />
Requirements for NR desktop devices are:<br />
A. Network: NR classification desktop devices are connected to the network<br />
through fibre connections.<br />
16.3.3-p6 In support of mobile users the following additional features need to be<br />
included to support the Business network users that use the same client capability<br />
both on-travel as well as in-the-office:<br />
A. Laptop devices shall have a battery that supplies the laptop for at least<br />
three hours under normal load.<br />
B. Laptop devices shall have at least 2 USB ports (or, by 2015, similar<br />
industrial st<strong>and</strong>ard connectivity options).<br />
C. Laptop devices shall have an industry st<strong>and</strong>ard external video output<br />
connector.<br />
D. Laptop devices shall have speakers.<br />
E. Laptop devices shall have a microphone.<br />
F. Laptop devices shall have a camera.<br />
G. Laptop devices shall have the option to connect an external microphone.
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-379 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
H. Laptop devices shall have the option to connect an external headset.<br />
i. Docking stations for mobile devices shall also be included.<br />
J. Interface into the Network Access Control Services to assure compliancy<br />
of the returning laptop with the internal LAN security policies.<br />
K. Portable computing devices shall indicate discreetly to the user the highest<br />
classification of information that may be stored on them.<br />
16.3.3-p7 In order to minimize the number of devices on the desktop the<br />
keyboard, mouse <strong>and</strong> monitor(s) shall be shared between the different Classifications<br />
by usage of a KVM switch. The <strong>ANWI</strong> Contractor shall provide a common set of<br />
input/output devices per workspace consisting of:<br />
A. 20/21” TFT Monitor or larger<br />
B. Multimedia Keyboard<br />
C. Mouse<br />
D. Smart Card Reader<br />
E. Speaker/Microphone (can be integrated in the monitor)<br />
16.3.3-p8 Throughout the building corridors there will be phones which can be<br />
used for emergency calling. These phones will shall be passively directly connected<br />
(through copper) to the UCC IP PBX infrastructure. On the NR level Business<br />
Network there will be active UCC connected devices used as phones. The<br />
requirements for the NU <strong>and</strong> NR phones are:<br />
A. NU voice OR UCC devices shall communicate through VOIP.<br />
B. Most (see table 16.5) NU/NR voice/UCC devices shall be wired devices.<br />
C. There shall be some (see table 16.5) voice/UCC devices with extended<br />
capabilities, for connecting devices, conferencing (e.g. for secretaries).<br />
D. There shall be some (see table 16.5) voice/UCC devices which shall be<br />
wireless.<br />
16.3.3-p9 The following requirements for KVM switches (see 1.1.1.6.26.) are<br />
applicable:<br />
A. KVM switches shall not be used with desktop components that contain<br />
digital memory (e.g. programmable keyboards, <strong>and</strong> devices with smart<br />
card readers).<br />
B. The KVM switch shall only connect the desktop keyboard, monitor <strong>and</strong><br />
mouse (the user level interface hardware) to one LAN at a time <strong>and</strong> will<br />
not allow sharing of information between the LAN environments connected<br />
to the switch.<br />
C. The KVM switch shall be an optically coupled switch.<br />
D. The KVM switch shall be manually operated.<br />
E. The KVM switch shall not contain any processors <strong>and</strong> little or no memory.<br />
F. When the switch is in a specific position, it shall providea visual indication<br />
of which LAN the user is currently operating on.<br />
G. The each LAN shall have differently configured end connectors to prevent<br />
accidental interconnection between different security domains.<br />
H. The network connectors shall be coloured coded <strong>and</strong> have specific<br />
shaped physical connectors to ensure that no accidental cross<br />
connections can occur.<br />
i. Appropriate separation between cabling of different level systems shall be<br />
maintained in accordance with Ref. 1.1.1.3.3.
N A T O U N C L A S S I F I E D<br />
16.3.4 ClientDevice’s Information Assurance<br />
16.3.4-p1<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
The client computers require the following security components:<br />
16.3.4.1 Common Security Components:<br />
16.3.4.1.1 Anti-virus<br />
A. Every client computer shall have an antivirus product (NATO-approved<br />
anti-Virus solution (listed on current (at implementation time) version of<br />
AFPL - 1.1.1.8.4) installed <strong>and</strong> running.<br />
B. Antivirus software shall be kept up to date<br />
C. The anti-virus software shall be managed by the infrastructure anti-virus<br />
management server.(see 15.2.3.7-p7).<br />
16.3.4.1.2 <strong>System</strong> Management Agent<br />
A. A system management agent shall be installed on all clients.<br />
B. The agent shall be integrated with the <strong>ANWI</strong> SMC (Ref Annex E, Appendix<br />
1).<br />
C. The system management agent shall provide visibility of patching status<br />
<strong>and</strong>, application of security settings.<br />
16.3.4.1.3 User <strong>and</strong> computer identification <strong>and</strong> authentication<br />
A. Each user <strong>and</strong> computer is required to perform identification <strong>and</strong><br />
authentication (I&A) before accessing the network <strong>and</strong> systems.<br />
B. I&A for users shall be provided as an integrated part of the client computer<br />
operating system.<br />
C. I&A for guests on the Public network shall be based on the issuance of<br />
temporary access credentials.<br />
D. Computer authentication shall be based on port security as described in<br />
[Ref GG].Ref GG: see 1.1.1.6.36.<br />
16.3.4.1.4 PKI client, token <strong>and</strong> token reader<br />
<br />
<br />
<br />
A PKI software client license, hardware token <strong>and</strong> token reader shall be<br />
provided on all client computers (desktop <strong>and</strong> mobile client devices)that<br />
require PKI services, including Business, NS <strong>and</strong> EAPC.<br />
Separate Tokens & Client licences shall be provided for NU/NR <strong>and</strong> NC/NS.<br />
Tokens for use on the Secret networks shall be approved by the national<br />
COMSEC Authority– PKI tokens shall be provided as PFE.<br />
16.3.4.1.5 Removable Storage Management <strong>System</strong><br />
16.3.4.1.5-p1 Removable mass storage (RMS) is a term used to describe USB<br />
storage tokens, CD/DVD RW/R.<br />
16.3.4.1.5-p2 A mechanism to manage removable mass storage (RMS) media<br />
shall be implemented.<br />
A. Data imported via an RSM shall be checked for malicious code.<br />
B. Data export to an RSM shall be access controlled based on user identity.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-380 of 532
16.3.4.1.6 Tokens<br />
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
16.3.4.1.6-p1 The term token shall apply to a traditional ISO 7816 smart card<br />
or any other appropriate form factor.<br />
16.3.4.1.6-p2<br />
Clients shall support two factor authentication using NPKI.<br />
16.3.4.1.6-p3 Client workstations at the Secret level shall require a token in<br />
order to complete the logon.<br />
16.3.4.1.6-p4<br />
password.<br />
The presentation of a token shall be in addition to the use of a<br />
16.3.4.1.6-p5 The logon session <strong>and</strong> associated network access shall<br />
terminate immediately on token removal.<br />
16.3.4.1.6-p6<br />
identity.<br />
The token shall be cryptographically bound to the user’s real<br />
16.3.4.1.6-p7 User certificates used in this process shall be compliant with the<br />
NATO PKI Certificate Policy.<br />
16.3.4.2 Additional Countermeasures Applicable to Mobile Devices<br />
16.3.4.2.1 Adapted requirements for NRoI<br />
16.3.4.2.1-p1 When an NRoI laptop is connected to Business network, the antivirus<br />
software shall be managed by the anti-virus management server(ref SOW<br />
13.2.2).<br />
16.3.4.2.1-p2 For remote access from NRoI laptop to the Business network two<br />
factor authentication shall be used (token & password).<br />
16.3.4.2.1-p3 Wireless shall support authentication using the NPKI<br />
infrastructure. Ref 1.1.1.6.24.<br />
16.3.4.2.2 Wireless Network Encryption<br />
16.3.4.2.2-p1 The strongest available commercial Wireless network encryption<br />
shall be enabled for mobile systems up to NR.<br />
16.3.4.2.2-p2<br />
infrastructure.<br />
16.3.4.2.3 Hard disk encryption<br />
16.3.4.2.3-p1<br />
16.3.4.2.3-p2<br />
Restricted.<br />
16.3.4.2.3-p3<br />
16.3.4.2.4 VPN client<br />
16.3.4.2.4-p1<br />
mobile devices.<br />
Wireless shall support authentication using the NPKI<br />
Full hard disk encryption shall be installed on Mobile NR devices.<br />
Disk encryption shall be approved for use up to NATO<br />
Disk encryption for NR shall be software based.<br />
A NATO Approved NR VPN client shall be installed on NR<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-381 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
16.3.4.2.4-p2<br />
Password.<br />
16.3.4.2.4-p3<br />
VPN Authentication shall combine a physical Token <strong>and</strong> a<br />
The Token shall support the use of NATO PKI X.509 Certificates.<br />
16.3.4.2.5 Host firewall<br />
16.3.4.2.5-p1<br />
computers.<br />
Centrally managed Local Firewall shall be activated on client<br />
16.3.4.2.5-p2 The Firewall shall be built in to the Operating <strong>System</strong> or a<br />
centrally managed desktop firewall solution (compliant with NCIRC <strong>and</strong>/or listed on<br />
AFPL – 1.1.1.8.4.) shall be implemented.<br />
16.3.4.2.5-p3<br />
traffic flows.<br />
16.3.4.2.6 Security Management<br />
The Firewall shall support mediation of IPv4 <strong>and</strong> IPv6 based<br />
16.3.4.2.6-p1 Security management performed by the CIS Management<br />
<strong>System</strong> will address INFOSEC <strong>and</strong> Information Assurance management tasks such<br />
as patching, vulnerability scanning, online computer forensics, computer operating<br />
system security settings <strong>and</strong> policy compliance monitoring.<br />
The NCIRC st<strong>and</strong>ard online computer forensics agent shall be installed <strong>and</strong><br />
configured on the client.<br />
The NCIRC st<strong>and</strong>ard anti-virus agent shall be installed <strong>and</strong> configured on the<br />
client.<br />
The st<strong>and</strong>ard compliance monitoring agent shall be installed <strong>and</strong> configured<br />
on the client.<br />
16.3.4.2.7 Host-based Intrusion Detection <strong>System</strong> (HIDS)<br />
16.3.4.2.7-p1 HIA Host Intrusion Detection <strong>System</strong> (HIDS) shall be installed on<br />
mobile devices classified NR or above.<br />
16.3.4.2.7-p2 The solution shall be compatible with the existing NCIRC HIDS<br />
management system<strong>and</strong>/or listed on AFPL – 1.1.1.8.4).<br />
16.3.4.2.8 Web-filter<br />
16.3.4.2.8-p1<br />
mobile devices.<br />
A NATO approved web filtering application shall be installed on<br />
16.3.4.2.8-p2 The web filtering solution shall be centrally managed by CIS<br />
Management <strong>System</strong>.<br />
16.3.4.3 Service Management<br />
16.3.4.3-p1 The software distribution <strong>and</strong> deployment server shall provide<br />
automated software deployment, inventory, patching, license metering, installation,<br />
etc. The product shall be interoperable with <strong>System</strong> Centre Configuration Manager<br />
(SCCM) 2007 or later.<br />
16.3.4.3-p2 AIS Configuration Manager shall provide the site server role.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-382 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
16.3.4.3-p3 Software update manager (such as WSUS/SCCM) shall support the<br />
regular software updates for the operating systems <strong>and</strong> the various core applications<br />
(such as IE, Office).<br />
16.3.4.3-p4 The AIS monitoring manager shall monitor the base operating system.<br />
16.3.5 Service Testing <strong>and</strong> Reporting<br />
16.3.5-p1 The client devices <strong>and</strong> their interfaces are tested as part of end-to-end<br />
services testing related to the other <strong>ANWI</strong> service. The client devices should be<br />
tested <strong>and</strong> inspected to work properly from a user h<strong>and</strong>ling perspective.<br />
16.3.6 Dependencies<br />
16.3.6-p1 Internal interfaces are shown in table 16.7, where the <strong>ANWI</strong> Contractor<br />
shall describe the interfaces <strong>and</strong> dependencies.<br />
Processing<br />
Storage<br />
Printing<br />
User Services<br />
Client Provisioning X X X X X X X X X X X X X X X X X X X X X X<br />
AD<br />
DNS<br />
DHCP<br />
NTP<br />
NAC<br />
Client Provisioning<br />
LAN<br />
Cross Domain<br />
Table 16.7: Client to <strong>ANWI</strong> internal interfaces<br />
Email<br />
IM<br />
Voice<br />
VTC services<br />
Presence<br />
Collaboration<br />
IPTV<br />
File services<br />
Remote users<br />
Browsing<br />
ESS<br />
BMS<br />
ICTM applications<br />
Web Publishing<br />
SMC<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-383 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
SECTION 17. ANNEX I: SUPPLEMENTARY SERVICES<br />
17.1 APPENDIX 1: Introduction to Supplementary Services<br />
17.1.1 Definition<br />
17.1.1-p1 Supplementary services are services provided by <strong>ANWI</strong>, which don’t fall<br />
under any of the other categories.<br />
17.1.2 Service Overview<br />
17.1.2-p1 The supplementary services are a collection of capabilities which aren’t<br />
directly connected to core <strong>ANWI</strong> office environment of the NNHQ, but which are<br />
needed as additional features for the <strong>ANWI</strong> users. Some of these services are<br />
provided by external (commercial) parties.<br />
17.1.3 Scope<br />
17.1.3-p1 The Supplementary services group the following capabilities:<br />
A. GSM service.<br />
B. GSM blocking service.<br />
C. Wireless blocking service.<br />
D. Secure communications (Tetra).<br />
E. IPTV services.<br />
17.1.3-p2 Figure 17.1 identifies the mapping of the supplementary services to the<br />
services taxonomy as introduced in Annex C<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-384 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Figure 17.1: Mapping of Supplementary services to services taxonomy.<br />
17.1.4 Service Requirements<br />
17.1.4-p1 The <strong>ANWI</strong> Contractorshall design the infrastructure services<br />
considering all the required capabilities including the high level capabilities<br />
requirements of service management <strong>and</strong> information management.<br />
17.1.4-p2 The <strong>ANWI</strong> Contractorshall clearly describe how the service <strong>and</strong> the<br />
individual capabilities are integrated in the service management <strong>and</strong> control (SMC)<br />
<strong>and</strong> Information Assurance (IA) Services in support of the overall ICT SMC <strong>and</strong> IA<br />
management concept as indicated in figure 17.1.<br />
17.1.4-p3 The <strong>ANWI</strong> Contractor shall provide information on future technologies<br />
<strong>and</strong> enhancement that can be in scope of the supplementary services towards 2015.<br />
17.1.4-p4 The specific capability requirements are provided in the respective<br />
appendices.<br />
17.1.5 Service Level Agreement / Targets<br />
17.1.5-p1 As the supplementary services cannot be perceived as a fully integrated<br />
service capability it is not possible to define a target on service level. The individual<br />
capabilities however shall meet the service level targets as indicated in their<br />
respective capability appendix.<br />
17.1.6 Service Testing <strong>and</strong> Reporting<br />
17.1.6-p1 The supplementary services are managed through the SMC, if<br />
applicable. The SMC shall also provide the capability to provide reports on the<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-385 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
different supplementary sub-services. These reports shall also be required to<br />
measure the compliance of the system towards the SLA requirements.<br />
17.1.6-p2 Individual sub-services shall be tested for compliance on the technical<br />
requirements of the specific sub-service.<br />
17.1.7 Dependencies<br />
17.1.7-p1 There are certain dependencies of the supplementary service<br />
capabilities with other <strong>ANWI</strong> services, for example dependencies on the<br />
Infrastructure <strong>and</strong> UCC services. The detailed dependencies of the different<br />
capabilities are described in the respective appendices.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-386 of 532
N A T O U N C L A S S I F I E D<br />
17.2 APPENDIX 2: GSM Service continuity<br />
17.2.1 Definition<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
17.2.1-p1 The GSM service continuity capability is providing GSM coverage <strong>and</strong><br />
capacity to a defined geographical area to deliver voice, messaging <strong>and</strong> data to: 2G,<br />
3G <strong>and</strong> 4G h<strong>and</strong>sets.<br />
17.2.2 Scope/Scenario<br />
17.2.2-p1 The <strong>ANWI</strong> Contractor shall coordinate with Mobile Network Operators<br />
(MNOs) in Belgium <strong>and</strong> assure that NNHQ campus has 100% indoor <strong>and</strong> outdoor<br />
coverage <strong>and</strong> capacity to support the volume of prospective users <strong>and</strong> that all public<br />
services are available within the campus for all Belgium operators. It is believed that<br />
the building may not allow GSM signals to propagate into the complete building. The<br />
<strong>ANWI</strong> Contractor shall identify a solution to provide GSM coverage throughout the<br />
building <strong>and</strong> to act as an interface between the users’ personal GSM h<strong>and</strong>set <strong>and</strong><br />
his/her GSM provider without any additional roaming charges in case the personal<br />
GSM is using one of the Belgian GSM providers.<br />
17.2.3 Service Requirements<br />
17.2.3-p1 The <strong>ANWI</strong> Contractor shall provide GSM services continuity within the<br />
NATO HQ compound, including all buildings.<br />
17.2.3-p2 The <strong>ANWI</strong> Contractor shall provide GSM services continuity which shall<br />
allow all Mobile Telephony operators providing services in Belgium to provide the<br />
same level of services throughout the NATO compound.<br />
17.2.3-p3 The <strong>ANWI</strong> Contractor shall provide GSM services continuity within the<br />
NATO HQ compound at no additional cost for the users of mobile telephony services.<br />
17.2.3-p4 The <strong>ANWI</strong> Contractor shall provide GSM services continuity at a unique<br />
one off cost for NATO covering the initial investment required for implementing the<br />
technical solution required for the service provision.<br />
17.2.3-p5 The <strong>ANWI</strong> Contractor shall not charge NATO for the cost of the support<br />
of the technical solution required for the service provision.<br />
17.2.3-p6 The <strong>ANWI</strong> Contractor shall provide GSM services continuity as a<br />
minimum for the following st<strong>and</strong>ards:<br />
A. 2G GSM.<br />
B. 2.5G GPRS.<br />
C. 2.75G EDGE.<br />
D. 3G CDMA 200 1xEV <strong>and</strong> UMTS.<br />
E. 3.5G HSDPA <strong>and</strong> HSUPA.<br />
F. 3.75G HSOPA.<br />
G. 4G LTE <strong>and</strong> WIMAX.<br />
17.2.3-p7 The <strong>ANWI</strong> Contractor shall deliver required services without installing<br />
antennae on the roof of the NNHQ.<br />
17.2.3-p8 NATO will grant permanent access to the personnel which will be in<br />
charge of the maintenance of the technical solution required for the service provision<br />
extension within the NATO HQ with a maximum of 4 persons.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-387 of 532
17.2.4 Service Level Agreement/Target<br />
Service Level Target Parameters<br />
Capacity SLTs (6 months period)<br />
N A T O U N C L A S S I F I E D<br />
Number of Capacity Shortfall Incidents 2<br />
Number of Capacity Modifications 1<br />
Resolution Time for Capacity Adjustments (hours) 1<br />
Capacity Reserve (%) 25<br />
Availability SLTs (6 months period)<br />
Service Availability (%) 99.99<br />
Response Time (s)<br />
Number of Service Interruptions 1<br />
Duration of Service Interruptions (hours) 1<br />
Number of Service Availability Measurements<br />
Reliability SLTs (6 months period)<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-388 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
<br />
Mean Time Between Failures (MTBF) (hours) 4380<br />
Mean Time Between Critical Failures (hours) 4380<br />
Number of Critical Failures 0<br />
Maintainability SLTs (6 months period)<br />
Mean Time To Replace / Repair (MTTR) (hours) 4<br />
Number of Corrective Maintenance Actions<br />
Number of Preventive Maintenance Actions<br />
17.2.5 Testing<br />
17.2.5.1 End-to-End Test Scenario<br />
17.2.5.1-p1<br />
applicable<br />
Continuous<br />
<br />
<br />
St<strong>and</strong>ard service levels provided by operators to public shall be<br />
17.2.5.1-p2 UCC integration for Mobility, Voice Mail, Call Forwarding <strong>and</strong><br />
Unified messaging.<br />
GSM GSM - - Commercial Commercial Voice<br />
GSM GW3 Public <strong>ANWI</strong> Voice<br />
GSM GW3 Public <strong>ANWI</strong> Data (IP) Can be tested with Browsing / Email<br />
GSM GW3 Public <strong>ANWI</strong> SMS Can be tested in conjunction with UCC unified messaging<br />
17.3 APPENDIX 3: GSM Blocking<br />
17.3.1 Definition<br />
17.3.1-p1 Commercial GSM coverage will be available all over the NNHQ <strong>and</strong><br />
surrounding buildings. Some areas will have the possibility to be blacked out, when<br />
needed, for example when a classified meeting takes place.<br />
17.3.2 Scope/Scenario<br />
17.3.2-p1 The <strong>ANWI</strong> Contractor shall provide complete solutions for jamming in<br />
physically secure environments while blocking the publicly available network. The<br />
solution shall ensure zero cell phone activity within its coverage area. The solution<br />
provided shall also be remote controlled.
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
17.3.2-p2 The blocking capability shall provide fixed devices in the NAC <strong>and</strong> the<br />
EAPC conference room. Mobile device to be used anywhere on the NNHQ campus,<br />
where <strong>and</strong> when needed.<br />
17.3.2-p3 The GSM <strong>and</strong> Wireless (Appendix 3) blocking may be done with the<br />
same device.<br />
17.3.3 Service Requirements<br />
17.3.3-p1 The <strong>ANWI</strong> Contractor shall implement a GSM Blocking capability in the<br />
new NATO HQ.<br />
17.3.3-p2 The GSM Blocking capability shall allow the NATO HQ designated<br />
personnel to bar access to any GSM service provision network within the conference<br />
areas.<br />
17.3.3-p3 The GSM Blocking capability shall be compliant with the Health <strong>and</strong><br />
Safety laws, rules <strong>and</strong> regulations applicable in Belgium.<br />
17.3.3-p4 The GSM Blocking capability shall as a minimum deny services of the<br />
following mobile telephony st<strong>and</strong>ards:<br />
A. 2G GSM.<br />
B. 2.5G GPRS.<br />
C. 2.75G EDGE.<br />
D. 3G CDMA 200 1xEV <strong>and</strong> UMTS.<br />
E. 3.5G HSDPA <strong>and</strong> HSUPA.<br />
F. 3.75G HSOPA.<br />
G. 4G LTE <strong>and</strong> WIMAX.<br />
17.3.4 Service Level Agreement/Target<br />
Service Level Target Parameters<br />
Capacity SLTs (6 months period)<br />
Number of Capacity Shortfall Incidents 2<br />
Number of Capacity Modifications 1<br />
Resolution Time for Capacity Adjustments (hours) 1<br />
Capacity Reserve (%) 25<br />
Availability SLTs (6 months period)<br />
Service Availability (%) 99.99<br />
Response Time (s)<br />
Number of Service Interruptions 1<br />
Duration of Service Interruptions (hours) 1<br />
Number of Service Availability Measurements<br />
Reliability SLTs (6 months period)<br />
<br />
Mean Time Between Failures (MTBF) (hours) 4380<br />
Mean Time Between Critical Failures (hours) 4380<br />
Number of Critical Failures 1<br />
Maintainability SLTs (6 months period)<br />
Mean Time To Replace / Repair (MTTR) (hours) 24<br />
Number of Corrective Maintenance Actions<br />
Number of Preventive Maintenance Actions<br />
Continuous<br />
<br />
<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-389 of 532
N A T O U N C L A S S I F I E D<br />
17.3.5 Management <strong>and</strong> Operational Requirements<br />
17.3.5.1 Interfaces<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
17.3.5.1-p1 The service does not interact with any other service, except to<br />
disrupt GSM communication.<br />
17.3.5.2 Backup <strong>and</strong> Recovery<br />
17.3.5.2-p1<br />
needed.<br />
17.3.6 Testing<br />
17.3.6-p1<br />
Configuration files shall be available offline, to be restored if<br />
End-to-End Test Scenario<br />
17.3.6-p2 User testing shall be conducted if the entire HQ has GSM coverage.<br />
When the Blocking devices are turned on, users should not be able to use GSM<br />
anywhere in the rooms where the Blocking is turned on, but they should have GSM<br />
coverage outside of these areas.<br />
17.3.7 Training<br />
17.3.7-p1 ICTM staff shall need to know how to install, configure, operate <strong>and</strong><br />
troubleshoot the following areas to support the GSM Blocking capability:<br />
A. Installation <strong>and</strong> configuration.<br />
B. Troubleshooting <strong>and</strong> fault finding.<br />
C. Hardware maintenance tasks (e.g. Firmware <strong>and</strong> Bios upgrades).<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-390 of 532
N A T O U N C L A S S I F I E D<br />
17.4 APPENDIX 4: Wireless Blocking<br />
17.4.1 Definition<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-391 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
17.4.1-p1 Wireless network coverage will be available all over the NNHQ <strong>and</strong><br />
surrounding buildings. Some areas will have the possibility to be blacked out, when<br />
needed, for example when a classified meeting takes place.<br />
17.4.2 Scope/Scenario<br />
17.4.2-p1 The capability shall provide fixed devices in the NAC <strong>and</strong> the EAPC<br />
conference room. Mobile device to be used anywhere on the NNHQ campus, where<br />
<strong>and</strong> when needed.<br />
17.4.2-p2 The GSM (Appendix 2) <strong>and</strong> Wireless Blocking may be done with the<br />
same device.<br />
17.4.3 Service Requirements<br />
17.4.3-p1 The <strong>ANWI</strong> Contractor shall implement a Wireless Blocking capability in<br />
the new NATO HQ.<br />
17.4.3-p2 The Wireless Blocking capability shall allow the NATO HQ designated<br />
personnel to bar access to any Wireless network within the conference areas <strong>and</strong><br />
elsewhere on the NNHQ campus, with the mobile jammers.<br />
17.4.3-p3 The Wireless Blocking capability shall be compliant with the Health <strong>and</strong><br />
Safety laws, rules <strong>and</strong> regulations applicable in Belgium.<br />
17.4.3-p4 The Wireless Blocking capability shall as a minimum deny services on<br />
the following Wireless st<strong>and</strong>ards <strong>and</strong> frequencies:<br />
A. 802.11 legacy 2,4GHz.<br />
B. 802.11b 2,4GHz.<br />
C. 802.11a 2,4GHz/5GHz.<br />
D. 802.11g 2,4GHz.<br />
E. 802.11n 2,4GHz/5GHz.<br />
F. WiGig * . 2,4GHz/5GHz/60GHz.<br />
17.4.3-p5 WiGig is not yet a st<strong>and</strong>ard, but will possibly be the next st<strong>and</strong>ard for<br />
Wireless. The newest technology st<strong>and</strong>ard for Wireless shall be considered when<br />
considering Wireless blocking.<br />
A. Bluetooth is often included in Blocking devices. Bluetooth Blocking shall<br />
also be considered when considering the solution for Wireless Blocking.<br />
17.4.4 Service Level Agreement/Target<br />
Service Level Target Parameters<br />
Capacity SLTs (6 months period)<br />
Number of Capacity Shortfall Incidents 2<br />
Number of Capacity Modifications 1<br />
Resolution Time for Capacity Adjustments (hours) 1<br />
Capacity Reserve (%) 25<br />
Availability SLTs (6 months period)<br />
Service Availability (%) 99.99
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Service Level Target Parameters<br />
Response Time (s)<br />
Number of Service Interruptions 1<br />
Duration of Service Interruptions (hours) 1<br />
Number of Service Availability Measurements<br />
Reliability SLTs (6 months period)<br />
<br />
Mean Time Between Failures (MTBF) (hours) 4380<br />
Mean Time Between Critical Failures (hours) 4380<br />
Number of Critical Failures 1<br />
Maintainability SLTs (6 months period)<br />
Mean Time To Replace / Repair (MTTR) (hours) 24<br />
Number of Corrective Maintenance Actions<br />
Number of Preventive Maintenance Actions<br />
17.4.5 Management <strong>and</strong> Operational Requirements<br />
17.4.5.1 Interfaces<br />
Continuous<br />
<br />
<br />
17.4.5.1-p1 The service does not interact with any other service, except to<br />
disrupt Wireless communication.<br />
17.4.6 Testing<br />
17.4.6-p1<br />
End-to-End Test Scenario<br />
17.4.6-p2 User testing shall be conducted if the entire HQ has Wireless coverage.<br />
When the Blocking devices are turned on, users should not be able to use Wireless<br />
anywhere in the rooms where the Blocking is turned on, on any frequency (on<br />
network Legacy, A, B, G, N, WiGig) but they should have Wireless coverage outside<br />
of these areas.<br />
17.4.7 Training<br />
17.4.7-p1 ICTM staff shall need to know how to install, configure, operate <strong>and</strong><br />
troubleshoot the following areas to support the Wireless Blocking capability:<br />
A. Installation <strong>and</strong> configuration.<br />
B. Troubleshooting <strong>and</strong> fault finding.<br />
C. Hardware maintenance tasks (e.g. Firmware <strong>and</strong> Bios upgrades).<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-392 of 532
N A T O U N C L A S S I F I E D<br />
17.5 APPENDIX 5: Site Security Comms (TETRA)<br />
17.5.1 Definition<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-393 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
17.5.1-p1 Terrestrial Trunked Radio (TETRA) is a professional mobile radio <strong>and</strong><br />
two-way transceiver specification.<br />
17.5.2 Scope/Scenario<br />
17.5.2-p1 The TETRA service shall start with a site survey of the NNHQ to assess<br />
the TETRA’s signal penetration throughout the building.<br />
17.5.2-p2 If the signal propagates sufficiently to cover the entire NNHQ the <strong>ANWI</strong><br />
Contractor shall:<br />
A. The <strong>ANWI</strong> Contractor shall extend the existing mobile communication<br />
system use by the NATO security personnel (h<strong>and</strong>sets <strong>and</strong> vehicle<br />
mounted) by relocating the TETRA radio antenna from the current NATO<br />
HQ location to the NNHQ antenna farm.<br />
B. The <strong>ANWI</strong> Contractor shall relocate the NATO HQ’s current base station<br />
to the NNHQ, when NATO security is able to enter <strong>and</strong> occupy the NNHQ.<br />
(the movement of this antenna <strong>and</strong> base unit will not impact the system up<br />
time as the alternate system, located in Batiment Z, shall become the<br />
operational system during the move <strong>and</strong> after the move again serve as the<br />
back up unit with possible coverage issues).<br />
C. The <strong>ANWI</strong> Contractor shall provide the following:<br />
1. The <strong>ANWI</strong> Contractor shall migrate the existing TETRA system<br />
currently operational in the existing NATO HQ <strong>and</strong> implement additional<br />
equipment as required to meet the coverage requirements.<br />
2. The <strong>ANWI</strong> Contractor shall deliver additional terminals as described in<br />
the SSS.<br />
17.5.2-p3 If the signal does not propagate sufficiently to cover the entire NNHQ<br />
the <strong>ANWI</strong> Contractor shall provide a base station inside the building (but ensure that<br />
3V/m is not exceeded).<br />
17.5.3 Service Requirements<br />
17.5.3-p1 The following is a list for the requirements of the Site Security<br />
Communications system. The technical specifications of the existing Security<br />
Communications system can be found in Annex B.<br />
A. The <strong>ANWI</strong> Contractor shall deliver <strong>and</strong> implement a security<br />
communications system which:<br />
1. shall be based on a TETRA radio system.<br />
2. shall provide a full coverage, 100% of internal <strong>and</strong> external area, of the<br />
NNHQ campus <strong>and</strong> all its associated buildings.<br />
17.5.4 Service Level Agreement/Target<br />
Service Level Target Parameters<br />
Capacity SLTs (6 months period)<br />
Number of Capacity Shortfall Incidents 2<br />
Number of Capacity Modifications 1<br />
Resolution Time for Capacity Adjustments (hours) 1
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Service Level Target Parameters<br />
Capacity Reserve (%) 25<br />
Availability SLTs (6 months period)<br />
Service Availability (%) 99.99<br />
Response Time (s)<br />
Number of Service Interruptions 1<br />
Duration of Service Interruptions (hours) 1<br />
Number of Service Availability Measurements<br />
Reliability SLTs (6 months period)<br />
<br />
Mean Time Between Failures (MTBF) (hours) 4380<br />
Mean Time Between Critical Failures (hours) 4380<br />
Number of Critical Failures 0<br />
Maintainability SLTs (6 months period)<br />
Mean Time To Replace / Repair (MTTR) (hours) 24<br />
Number of Corrective Maintenance Actions<br />
Number of Preventive Maintenance Actions<br />
17.5.5 Management <strong>and</strong> Operational Requirements<br />
17.5.5.1 Interfaces<br />
Continuous<br />
<br />
<br />
17.5.5.1-p1 The Site security communication services must be fully integrated<br />
with: local telephony services, the TETRA-system <strong>and</strong> (selected) local emergency<br />
services (Belgian ASTRID emergency communications system for local police,<br />
national police, local fire department, etc.).<br />
17.5.6 Testing<br />
17.5.6.1 End-to-End Test Scenario<br />
17.5.6.1-p1<br />
17.5.7 Training<br />
17.5.7-p1<br />
The <strong>ANWI</strong> Contractor shall provide the End to End testing scenario.<br />
The <strong>ANWI</strong> Contractor shall recommend <strong>and</strong> provide training.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-394 of 532
17.6 APPENDIX 6: IPTV<br />
17.6.1 Definition<br />
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
17.6.1-p1 Internet Protocol television (IPTV) is a system through which television<br />
services are delivered using the Internet Protocol Suite over a packet-switched<br />
network like the Internet, instead of being delivered through traditional terrestrial,<br />
satellite signal, <strong>and</strong> cable television formats.<br />
17.6.2 Scope/Scenario<br />
17.6.2-p1<br />
site.<br />
The Contractor shall provide an IPTV point of presence at the NNHQ<br />
17.6.2-p2 IPTV service shall be consumed through hardware nodes (Set Top<br />
Boxes (STB) or similar) for required locations <strong>and</strong> also be available through software<br />
nodes (web browser, soft client) on Public <strong>and</strong> Business networks.<br />
17.6.2-p3 The Contractor shall provide as a service the selected TV channels as<br />
identified <strong>and</strong> listed in reference 1.1.1.7.11.<br />
17.6.2-p4<br />
The system shall support restricting available channels per node.<br />
17.6.2-p5 The service is to be provided as an outsourced service, hence detailed<br />
equipment details are not required.<br />
17.6.2-p6 A metering <strong>and</strong> billing service will also be required to bill the consumers<br />
of the IPTV service.<br />
17.6.2-p7<br />
This service shall also be extended to all nations as well as IMS <strong>and</strong> IS.<br />
17.6.3 Service Requirements<br />
17.6.3-p1 The following general requirements have been identified for the IP TV<br />
Capability:<br />
A. The Contractor shall provide IP TV capability to the New NATO HQ by<br />
providing the two following components:<br />
1. IP TV services consisting of provisioning TV channels at the interface<br />
delivery point at the New NATO HQ.<br />
2. An IP TV system for distribution of the provided IP TV channels within<br />
the New NATO HQ infrastructure.<br />
B. The IP TV Capability shall be composed of <strong>and</strong> provide the interfaces as<br />
described in the following picture.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-395 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
IP TV SYSTEM<br />
NGCS<br />
(NATO WAN)<br />
Terrestrial Fibre<br />
Optic Connection<br />
Management<br />
<strong>System</strong><br />
Web Portal Server<br />
Smart Phone<br />
Tablet<br />
SATCOM Connection<br />
LAN<br />
IP TV Core <strong>System</strong><br />
Laptop<br />
Terrestrial Aerial<br />
Connection<br />
Desktop<br />
NATO VTC<br />
NATO TV<br />
Channels<br />
Public Access TV<br />
(Channel choice via Web)<br />
Figure 17.2: IPTV architecture<br />
17.6.3-p2 IP TV <strong>System</strong> Requirements:<br />
A. As part of the IP TV capability, the Contractor shall deliver an IP TV<br />
<strong>System</strong> which shall allow the reception of public TV channels <strong>and</strong> the redistribution<br />
of these TV channel to NATO users’ community.<br />
B. The delivered IP TV <strong>System</strong> shall allow the reception of NATO VTC<br />
sessions as well as NATO TV channels <strong>and</strong> the re-distribution of these<br />
VTC sessions <strong>and</strong> NATO TV Channels to the NATO users’ community.<br />
C. The delivered IP TV <strong>System</strong> shall allow the re-distribution of all received<br />
TV channels (Public <strong>and</strong> NATO) to the NATO users’ community being<br />
either located in NATO HQ or anywhere in the NATO network (NGCS).<br />
D. The IP TV <strong>System</strong> shall allow the direct reception of all TV channels to<br />
public TV sets distributed across the NATO HQ LAN.<br />
E. The IP TV <strong>System</strong> shall provide an IP TV <strong>System</strong> Web portal which shall<br />
allow the selection of the TV channel to be displayed on public TV via an<br />
intuitive interface.<br />
F. The IP TV <strong>System</strong> shall allow the reception of all TV channels to the<br />
following types of users clients via the embedded UCC client application:<br />
1. Desktop stations.<br />
2. Laptop.<br />
3. Tablet.<br />
4. Smart Phones.<br />
5. Multi-Media SIP Telephone Set.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-396 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
G. The delivered IP TV <strong>System</strong> shall be compliant with the OPEN IPTV<br />
Forum Release 2 Specifications.<br />
H. The provided channels shall be provided at the highest st<strong>and</strong>ard definition<br />
at which they are available for commercial distribution.<br />
17.6.3-p3 IPTV Client Requirements:<br />
The Contractor shall deliver dedicated IPTV clients that shall be installed throughout<br />
the NNHQ campus. There shall be 425 IPTV clients, these clients shall be based on<br />
60” displays with integrated IPTV functionality. The minimum IPTV client<br />
specifications are provided in Table 17.1.<br />
Display<br />
Item<br />
Minimum Requirements<br />
Enclosure<br />
Rugged for commercial indoor usage with flexible mounting<br />
options using VESA mounting<br />
Operation type Designed for continuous operation in 24x7 mode<br />
Size<br />
Min. 60” diagonal<br />
Native resolution Min. 1920x1080<br />
Brightness >=450 nits (or cd/m 2 )<br />
Contrast (static) >=4000:1<br />
<strong>View</strong>ing angles 170º horizontally <strong>and</strong> vertically, anti-glare coating<br />
Response time Gray-to-Gray =
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-398 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
IPTV Player<br />
Item<br />
Minimum Requirements<br />
Enclosure<br />
Rugged for commercial indoor usage mountable to a display<br />
Operation type Designed for continuous operation in 24x7 mode<br />
Noise<br />
Up to 35dB in room conditions<br />
Inputs - Network: 100Base-T, (Optional 802.11gn)<br />
Outputs<br />
Through direct connection with the display (plug-in module)<br />
or<br />
- Video: DVI, DSUB15, HDMI 1.3<br />
- Audio: RCA / stereo mini-jack or SPDIF<br />
Operating<br />
Min. 5°C-40°C<br />
temperature<br />
Power consumption =
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Service Level Target Parameters<br />
Number of Corrective Maintenance Actions<br />
Number of Preventive Maintenance Actions<br />
Performance parameters<br />
Delay factor<br />
<br />
<br />
< 50 ms<br />
Media Loss Rate < 4 x 10-3<br />
17.6.4-p1 The Contractor shall monitor the delivered TV Services in real time <strong>and</strong><br />
shall report disruption of services through an automatic <strong>and</strong> electronic monitoring<br />
tool. The contractor shall report data with respect to the following criteria defining<br />
availability, degradation <strong>and</strong> unavailability of the delivered services:<br />
Parameter<br />
Delay<br />
Factor<br />
Media Loss<br />
Rate<br />
Service<br />
Service<br />
Available if Degraded if<br />
0 all values in 50 ms one value 100 ms<br />
this window minimum is in<br />
0 4x10-3 this window, 8x10-3<br />
the other being<br />
available<br />
Service<br />
Unavailable if<br />
one value<br />
minimum is in<br />
this area<br />
17.6.4-p2 As specified in the Contract Special provisions, the Contractor shall pay<br />
Service Credit in case the delivered TV Services is Degraded or Unavailable as<br />
defined in paragraph 17.6.4.1. The Contractor shall calculate the amount of the<br />
service credit as follows:<br />
A. For Degraded services, the following table shall be applied for calculation<br />
of service credits, where TA equals the time during which the service shall<br />
be available:<br />
Duration of Status (worst case)<br />
0 < T < TA 0<br />
Degraded services penalties<br />
TA < T < 1h 0.25 x channel(s) daily rate / 24 * 1<br />
1h < T < 4h 0.5 x channel(s) daily rate / 24 * 6<br />
4h < T < 24h<br />
0.75 x channel(s) daily rate<br />
B. For Unavailable services, the following table shall be applied for<br />
calculation of service credits, where TA equals the time during which the<br />
service shall be Unavailable services penalties.<br />
Duration of Status (worst case)<br />
0 < T < TA 0<br />
Unavailable services penalties<br />
TA < T < 1h 0.5 x channel(s) daily rate / 24 * 1<br />
1h < T < 4h 1.0 x channel(s) daily rate / 24 * 6<br />
4h < T < 24h<br />
1.5 x channel(s) daily rate<br />
C. The status of any TV Channel will be declared available, degraded or<br />
unavailable after one continuous minute during which the parameters will<br />
meet conditions of paragraph 17.6.4.1.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-399 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
17.6.5 Management <strong>and</strong> Operational Requirements<br />
17.6.5.1 Interfaces<br />
17.6.5.1-p1 The following internal interfaces <strong>and</strong> dependencies shall be<br />
described for the IPTV capability:<br />
User Services<br />
Processing<br />
Storage<br />
Printing<br />
AD<br />
DNS<br />
DHCP<br />
NTP<br />
NAC<br />
Client Provisioning<br />
LAN<br />
Cross Domain<br />
IPTV X X X X X X X X X X X<br />
17.6.5.1-p2 Cross-domain interfaces:<br />
Flow 1/2 way Service Service name Supported Protocols Remarks<br />
CD3-PUB One way IPTV-PUB IPTV<br />
Email<br />
IM<br />
Voice<br />
VTC services<br />
Presence<br />
Collaboration<br />
IPTV<br />
File services<br />
Remote users<br />
Browsing<br />
ESS<br />
BMS<br />
ICTM applications<br />
Web Publishing<br />
SMC<br />
Flow 1/2 way Service Service name Supported Protocols Remarks<br />
CD2-BUS One way IPTV-BUS IPTV IPTV->CD3->CD2->NR<br />
17.6.6 Testing<br />
17.6.6-p1 End-to-End Test Scenario<br />
IPTV - > GW3 NU Commercial -<br />
- > GW3 NR Commercial -<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-400 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
SECTION 18. ANNEX J: INTEGRATION AND TESTING<br />
SERVICES<br />
18.1 APPENDIX 1: Introduction to Integration <strong>and</strong> Testing Services<br />
18.1-p1 The Integration <strong>and</strong> Testing Services (ITS) shall be implemented, operated<br />
<strong>and</strong> maintained by the <strong>ANWI</strong> Contractor at NCIA Brussels facilities (Bâtiment Z). This<br />
facility will serve as the main integrationtestbed for all projects that are part of the ICT<br />
programme, including building support systems. It will be used to test the different<br />
portions in a single (logical) environment to mitigate the integration risks. Integration<br />
with other testing facilities already procured for the Bi-SC AIS programme will be<br />
pursued.<br />
18.1.1 Interfaces<br />
18.1.1-p1 The ITS will interface with the NATO Wide Services Reference Test <strong>and</strong><br />
Integration Services (AIS, NGCS, PIA, NCIRC <strong>and</strong> NPKI) <strong>and</strong> with Commercial<br />
Services Test <strong>and</strong> Integration Services.<br />
18.1.2 Security<br />
18.1.2-p1 The ITS will operate at NU level <strong>and</strong> should not be subject to security<br />
accreditation. It will provide a test environment to simulate NS, Business <strong>and</strong> Public<br />
services. It will not process, store or retrieve classified information. The ITS should<br />
not directly support the <strong>ANWI</strong> security accreditation process but it can be used to<br />
perform security tests.<br />
18.1.3 Training<br />
18.1.3-p1 It is not planned that training on ITS will be required for the <strong>ANWI</strong><br />
project implementation as provision, operation <strong>and</strong> maintenance of the ITS shall be<br />
under the entire responsibility of the <strong>ANWI</strong> Contractor during this phase.<br />
18.1.3-p2 However, ITS being ultimately a NATO property, training may be<br />
required in the case ITS is planned to continue to be used by NATO after project<br />
implementation.<br />
18.1.3-p3 Therefore, training requirements for operation <strong>and</strong> maintenance of the<br />
ITS shall be provided by the <strong>ANWI</strong> Contractor.<br />
18.1.4 Requirements<br />
18.1.4-p1<br />
capabilities.<br />
The ITS shall reflect the performances to be provided by the <strong>ANWI</strong><br />
18.1.4-p2 The ITS shall include all the <strong>ANWI</strong> services as identified in Annex C <strong>and</strong><br />
all <strong>ANWI</strong> services internal <strong>and</strong> external interfaces as identified in Annex D.<br />
18.1.4-p3<br />
capabilities.<br />
The ITS shall reflect the expected operational use of the <strong>ANWI</strong><br />
18.1.4-p4 The ITS availability is subject to the SLA in Appendix 3.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-401 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
18.1.4-p5 The <strong>ANWI</strong> Contractor shall put in place appropriate Back-up/Recovery<br />
measures in order to meet the ITS SLA requirements.<br />
18.1.4-p6 The ITS <strong>and</strong> the supported tests to be performed shall be subject to<br />
Configuration Management in order to have appropriate records of the test facilities<br />
baseline <strong>and</strong> of the tests configurations.<br />
18.1.5 Acceptance<br />
18.1.5-p1 The ITS will be accepted as part of the final <strong>ANWI</strong> acceptance process.<br />
Conformance to the SLA will be part of the acceptance criteria.<br />
18.1.5-p2 Hardware <strong>and</strong> software, procured as part of the ITS, shall be subject to<br />
normal warranty conditions.<br />
18.1.6 Documentation<br />
18.1.6-p1 ITS hardware <strong>and</strong> software st<strong>and</strong>ard documentation shall be provided<br />
by the Contractor.<br />
18.1.6-p2 All documents related to installation, operation (including all testing<br />
activities) <strong>and</strong> maintenance shall be provided by the Contractor.<br />
18.1.6-p3 Training requirements documentation for possible reuse of the ITS by<br />
NATO shall be provided by the Contractor.<br />
18.1.7 <strong>Architecture</strong> <strong>and</strong> Services<br />
18.1.7-p1 The <strong>ANWI</strong> contractor shall support the ITS architecture as introduced in<br />
figure 18.1 below:<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-402 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Figure 18.1: ITS high level architecture<br />
18.1.7-p2 The ITS shall support the following key features:<br />
A. The ITS shall allow Host Nations to test systems <strong>and</strong> services at the<br />
physical, logical <strong>and</strong> service interface levels;<br />
B. Physical interface testing shall be done at the ITS location;<br />
C. The ITS shall offer an external network interface through the NATO<br />
assigned testbed interconnection network to allow HNs to perform remote<br />
testing;<br />
D. The ITS shall support the following four “simulated”security classifications:<br />
1. NATO Secret.<br />
2. EAPC Secret<br />
3. NATO Restricted.<br />
4. NATO Unclassified [default classification].<br />
18.1.8 Location <strong>and</strong> Facility Context<br />
18.1.8-p1<br />
The ITS shall be based at the NCIA Brussels facilities (Bâtiment Z).<br />
18.1.8-p2 Room-space shall separate at least three functions: server space, user<br />
space, little office space.<br />
18.1.8-p3 The <strong>ANWI</strong> contractor shall provide NATO with an ITS floor space<br />
design that will identify at the minimum:<br />
Facilities requirements (Cooling, Power, Floorspace).<br />
Network requirements (External connectivity to NATO Testbeds <strong>and</strong> Internet).<br />
Security requirements.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-403 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
18.1.8-p4 The Purchaser will providethe <strong>ANWI</strong> contractor the following<br />
systems/services from NATO for the duration that the ITS services are needed:<br />
A. Room-space that reasonably complies with the <strong>ANWI</strong> contractor provided<br />
ITS floor space design.<br />
B. Access to the following NATO network services:<br />
1. NATO wide test service network at the various classification domains.<br />
2. Equipment available via HN Belgium.<br />
a. Racks.<br />
b. Cabling.<br />
18.1.9 Organisational Support Requirements<br />
18.1.9-p1 The <strong>ANWI</strong> contractor shall be responsible for managing the ITS as a<br />
service <strong>and</strong> shall involve the required personnel to execute the ITS Concept of<br />
Operations as specified in Paragraph 18.1.11.<br />
18.1.9-p2 The <strong>ANWI</strong> contractor shall ensure that the ITS administrator, indicated<br />
in paragraph 18.1.9.3., is full time available to the Purchaser at the ITS location.<br />
18.1.9-p3 The <strong>ANWI</strong> Contractor shall assure the following minimum manning of<br />
the ITS during office hours:<br />
A. ITS administrator.<br />
B. ITS team manager/engineer.<br />
18.1.9-p4 The <strong>ANWI</strong> contractor shall assure that, in support of the full lifecycle of<br />
the HN tests, qualified personnel areavailable at the right time <strong>and</strong> with the proper<br />
subject matter expertise level to support the ITS’ services.<br />
18.1.10 Management Requirements<br />
18.1.10-p1<br />
The <strong>ANWI</strong> contractor shall manage ITS capability until FOC.<br />
18.1.10-p2 The ITS capability may be required to be managed until FSA. The<br />
<strong>ANWI</strong> Contractor shall be prepared tosupport an extension to the operation of the<br />
ITS.<br />
18.1.10-p3 The <strong>ANWI</strong> Contractor shall treat the ITS capability as the <strong>ANWI</strong>prelife<br />
system ensuring that the implemented <strong>and</strong> delivered configuration is under<br />
configuration management control.<br />
18.1.10-p4 The <strong>ANWI</strong> contractor shall provide ITS support to NNHQ related<br />
projects in the full test lifecycle of performing integration tests at the ITS as a<br />
prerequisite for deployment to the NNHQ site.<br />
18.1.10-p5 The <strong>ANWI</strong> contractor shall start providing the ITS services <strong>and</strong><br />
complete the services by the end of the Post FSA operational testing <strong>and</strong><br />
improvement activity as specified in paragraph 6.19.<br />
18.1.10-p6 The <strong>ANWI</strong> contractor shall assure that the ITS at all times is a 100%<br />
accurate representation of the <strong>ANWI</strong> capability as implemented or planned to be<br />
implemented in the new building.<br />
18.1.10-p7 The <strong>ANWI</strong> contractor shall update the <strong>ANWI</strong> ITS technologies in<br />
accordance with the technology confirmation principle as specified in paragraph<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-404 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
3.7.2-p1 <strong>and</strong> this shall be reflected in the implementation plan. Three major update<br />
cycles are foreseen as (timelines are per Annex A):<br />
A. <strong>Initial</strong> ITS operation based on the <strong>ANWI</strong> design .<br />
B. <strong>ANWI</strong> IOC operation, including a major technology refresh based on the<br />
final design of the backend infrastructure (server room based) .<br />
C. <strong>ANWI</strong> FOC operation, including a major technology refresh primarily<br />
focused on the end-user devices .<br />
18.1.10-p8 The <strong>ANWI</strong> contractor shall provide ITS support during the various<br />
NNHQ ICT system/services life-cycle phases:<br />
A. Pre-migration <strong>and</strong> integration testing <strong>and</strong> validation prior to deployment of<br />
ICT systems to the new building.<br />
B. Post FSA Integration testing in support of system/services improvement<br />
<strong>and</strong> change management.<br />
C. [Option] O&M based continued integration test services.<br />
18.1.11 Concept of Operations<br />
18.1.11-p1 The <strong>ANWI</strong> Contractor shall operate the ITS as a service <strong>and</strong><br />
support the full test life-cycle as shown in the process diagram in figure 8.2.<br />
18.1.11-p2 The General ITS life-cycle model will be divided into 6 main phases,<br />
as shown in Figure 18.22 below:<br />
Figure 18.2: ITS Life-cycle Model<br />
18.1.11.1 Planning <strong>and</strong> Controlling the ITS<br />
18.1.11.1-p1 The <strong>ANWI</strong> Contractor shall plan <strong>and</strong> control the use of the ITS <strong>and</strong><br />
all testing activities performed on it throughout the whole duration of the <strong>ANWI</strong><br />
project.<br />
18.1.11.1-p2 The <strong>ANWI</strong> Contractor shall develop an ITS Master Test Plan (MTP)<br />
for the purpose of informing all stakeholders concerning the generic description of<br />
testing approach, schedule, budget, activities <strong>and</strong> products to be delivered.<br />
18.1.11.1-p3 The ITS MTP shall include Generic Test Agreements, Test Policy<br />
<strong>and</strong> testing line organization.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-405 of 532
N A T O U N C L A S S I F I E D<br />
18.1.11.2 Setting Up <strong>and</strong> Maintaining the ITS Infrastructure<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-406 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
18.1.11.2-p1 The <strong>ANWI</strong> Contractor shall set up <strong>and</strong> maintain the ITS<br />
infrastructure from the timeline as specified in Annex A, till FSA (see paragraph<br />
6.19).<br />
18.1.11.2-p2 The <strong>ANWI</strong> Contractor shall develop an ITS Infrastructure<br />
Specification Document that will include the following elements:<br />
A. Detailed specification of operational workplace.<br />
B. Detailed specification of operational test environment.<br />
C. Description of Test tools installed.<br />
D. “Workplace intake” Checklist.<br />
E. “Test environment intake” Checklist.<br />
F. “Test tools intake” Checklist.<br />
G. Intake procedure.<br />
H. Operational <strong>and</strong> Maintained infrastructure.<br />
18.1.11.3 Test Preparation <strong>and</strong> Specification<br />
18.1.11.3-p1 For the use of the ITS, the Host Nations (HN) will develop <strong>and</strong><br />
submit a Test Plan derived from the ITS MTP <strong>and</strong> will also nominate a Test Manager<br />
who will be responsible for the whole Test Execution phase. The Test Plan will<br />
include the following elements:<br />
A. Establishment of Assignment.<br />
B. Definition of Test basis.<br />
C. Analysis of Product risks.<br />
D. Definition of Test Strategy.<br />
E. Estimation of Effort.<br />
F. Proposed Planning.<br />
G. Roll Back Plan.<br />
H. Allocation of Test Units <strong>and</strong> Test Techniques.<br />
i. Definition of Test products.<br />
J. Definition of the organization.<br />
K. Definition of the Infrastructure.<br />
L. Description of the management.<br />
M. Identification of Test risks <strong>and</strong> countermeasures.<br />
18.1.11.3-p2 On reception of the Test Plan, the <strong>ANWI</strong> Contractor <strong>and</strong> NATO will<br />
review the document, with the support of the IV&V Team. Upon agreement of the<br />
Test Plan <strong>and</strong> designation by the <strong>ANWI</strong> Contractor of an ITS Administrator <strong>and</strong>/or<br />
Engineer who will support the Test Manager, the test execution phase can start.<br />
18.1.11.3-p3 The HN Test Manager will confirm validity of the Test Plan <strong>and</strong>, on<br />
that basis, develop Test specifications.<br />
18.1.11.4 Test Execution <strong>and</strong> Completion<br />
18.1.11.4-p1 The HN Test Manager, with the support of the ITS Administrator<br />
<strong>and</strong>/or Engineer, will execute the Test <strong>and</strong> produce a test report which will include<br />
the test results.<br />
18.1.11.4-p2 The <strong>ANWI</strong> Contractor shall provide an ITS Test report from an<br />
<strong>ANWI</strong> perspective.
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
18.1.11.4-p3 In the case of differences between expectations <strong>and</strong> obtained test<br />
results, investigations will be carried out immediately after test execution <strong>and</strong> when<br />
test results are available. These differences can be caused by one or more of the<br />
following reasons:<br />
A. Tested product fault.<br />
B. Error in test basis.<br />
C. Error in test environment.<br />
D. Error in the test specification.<br />
18.1.11.5 Test Re-execution<br />
18.1.11.5-p1 In case of test failure, under the direction of the customer, the <strong>ANWI</strong><br />
Contractor shall take all necessary measures to plan a test re-execution if this<br />
decision is taken by the Customer.<br />
18.1.11.6 Information Flow Diagram<br />
18.1.11.6-p1 The information flow diagram during the Test execution phase is<br />
described in the following figure 18.3.<br />
Figure 18.3: Information flow diagram<br />
18.2 APPENDIX 2: ITS Reference Environment<br />
18.2.1 Introduction<br />
18.2.1-p1 ITS is a reference system for the <strong>ANWI</strong> project.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-407 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
18.2.1-p2 It shall host a simulated environment representing all <strong>ANWI</strong> services to<br />
enable testing, verification <strong>and</strong> validation of the interconnections <strong>and</strong> interfacing<br />
between the <strong>ANWI</strong> services.<br />
18.2.1-p3 ITS shall also provide resources capacity to test the interfacing <strong>and</strong><br />
integration of the HN Belgium components of ESS, BMS <strong>and</strong> AVI as well as the test<br />
<strong>and</strong> verification platform for the ICTM business application migration <strong>and</strong><br />
integration.The contractor shall be responsible to provide the proper interfaces for the<br />
references systems to use <strong>and</strong> interact with <strong>ANWI</strong> services <strong>and</strong> provide support the<br />
different tests.<br />
18.2.2 Testing<br />
18.2.2-p1 ITS shall represent a simulated <strong>ANWI</strong> environment with a test capacity<br />
for up to 100 concurrent simulated <strong>ANWI</strong> users (from a services perspective).<br />
A. UCC Services<br />
B. SMC<br />
C. Cross-domain capabilities<br />
D. Client Provisioning<br />
18.2.2-p2<br />
Reserved<br />
18.2.3 ITS Infrastructure<br />
18.2.3.1 <strong>ANWI</strong> Services<br />
18.2.3.1-p1 The contactor shall design <strong>and</strong> size the ITS components like<br />
processing, Storage, networking <strong>and</strong> Clients in such a manner that all the <strong>ANWI</strong><br />
services based on a 100 concurrent user capacity can be hosted. Furthermore shall<br />
the contractor take into account an additional 50% processing resources to cover for<br />
HN Belgium <strong>and</strong> ICTM services.<br />
18.2.3.1-p2 From a storage perspective the contractor shall provide 10TB<br />
usable SAN space to host "simulated” data. This storage capacity is on top of the<br />
required Storage to host the ITS <strong>ANWI</strong> services <strong>and</strong> corresponding backup<br />
capability.<br />
18.2.3.2 Availability<br />
18.2.3.2-p1 As part of the <strong>ANWI</strong> ITS infrastructure the contractor shall be able to<br />
demonstrate the high availability <strong>and</strong> fail-over requirements of the actual <strong>ANWI</strong><br />
services.<br />
18.2.3.3 Cross-Domain Services<br />
18.2.3.3-p1 In order to test <strong>and</strong> validate the Cross-domain functionalities the<br />
contractor shall provide a simulated CMD environment capable of simulating the<br />
required <strong>and</strong> proposed cross-domain traffic. This includes a both the sending <strong>and</strong><br />
receiving network in case of cross domain transfers.This shall enable the contractor<br />
to test the cross-domain services requirements (ref. SOW Annex E Appendix 2).<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-408 of 532
18.2.3.4 ITS Optimization<br />
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
18.2.3.4-p1 In order to avoid an extensive ITS infrastructure the contractor shall<br />
propose a flexible ITS solution capable of staging <strong>and</strong> storing different "scenario's"<br />
(virtual images of specific configurations) without the need for dedicated<br />
infrastructure for every use case. (Ex. ITS shall be able to simulate different<br />
scenarios for testing using the same infrastructure). The ITS infrastructure should be<br />
able to simulate all possible <strong>ANWI</strong> services as well as support the interfaces to other<br />
systems as identified in Annex D.<br />
18.2.3.5 Physical Client<br />
18.2.3.5-p1 From a physical client perspective the contractor shall provide for 40<br />
client configurations to include at least 10 each of every proposed client<br />
configuration.<br />
A. Desktopclient device (st<strong>and</strong>ard / high Performance / Agnostic)<br />
B. Mobile Client device<br />
C. Laptop/Tablet<br />
D. IP Phones (st<strong>and</strong>ard <strong>and</strong> secretarial)<br />
E. PDA/Smartphone<br />
18.2.3.6 Dedicated Test Hardware<br />
18.2.3.6-p1 As part of the ITS environment the contractor shall also provide<br />
dedicated test hardware <strong>and</strong>/or software (ex. Traffic/Load generators) required to<br />
support the different test scenarios.In order to run in-depth test the contractor shall<br />
provide tools that run tests automatically overnight, <strong>and</strong> produce reports about any<br />
failures.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-409 of 532
N A T O U N C L A S S I F I E D<br />
18.3 APPENDIX 3: ITS Service Level Agreement (SLA)<br />
18.3.1 Introduction<br />
18.3.1.1 Background<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
18.3.1.1-p1 This Service Level Agreement is part of the Contract CO-13300-<br />
<strong>ANWI</strong> <strong>and</strong> it establishes a commitment for the provision <strong>and</strong> management of<br />
Integration <strong>and</strong> Testing Services (ITS) <strong>and</strong> associated infrastructure between the<br />
Service Contractor (<strong>ANWI</strong> Main Contractor) <strong>and</strong> Customer. This document defines<br />
the specifics of the Service Level Agreement (SLA) to be put into effect between the<br />
Customer (NATO) <strong>and</strong> the Service Contractor.<br />
18.3.1.2 Scope of Agreement<br />
18.3.1.2-p1 This SLA is established between NATO (The Customer) <strong>and</strong> the<br />
<strong>ANWI</strong> Contractor. It describes the Services under the provision of Integration <strong>and</strong><br />
Testing Services.<br />
18.3.1.2-p2 The SLA documents the terms <strong>and</strong> conditions under which, the<br />
<strong>ANWI</strong> Contractor shall deliver the Services to the Customer. The main objective is to<br />
provide ITS in an efficient <strong>and</strong> cost-effective manner throughout the whole duration of<br />
the <strong>ANWI</strong> Project.<br />
18.3.1.3 Contact Points<br />
18.3.1.3-p1 The services to be provided involve a number of <strong>ANWI</strong> Project<br />
stakeholders <strong>and</strong> of Contact Points who are identified in the table 18.1 below.<br />
Position Name Telephone Fax<br />
<strong>ANWI</strong> Contractor<br />
<strong>ANWI</strong> Project Manager TBD TBD TBD<br />
ITS Team Manager/Engineer TBD TBD TBD<br />
ITS Administrator TBD TBD TBD<br />
NATO<br />
HQPO TBD TBD TBD<br />
NCIA TBD TBD TBD<br />
ICTM TBD TBD TBD<br />
BELGIUM<br />
TBD TBD TBD TBD<br />
Table 18.1: Customer <strong>and</strong> Contractor Contact Points<br />
18.3.1.4 SLA Review Procedure<br />
18.3.1.4-p1 The SLA is reviewed each month. The review will be based on input<br />
from both parties, including the outcomes of user surveys, technological<br />
opportunities, developing requirements, tests reports <strong>and</strong> issues raised at the<br />
quarterly Customer/Contractor performance review meetings.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-410 of 532
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-411 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
18.3.1.4-p2 This SLA will be reviewed periodically <strong>and</strong> an out of cycle review will<br />
be held under the following circumstances:<br />
A. The Contractor fails to achieve the service level targets detailed in this<br />
document for two consecutive weeks or;<br />
B. Any two in four consecutive weeks.<br />
18.3.2 Service Delivery<br />
18.3.2.1 Service Levels<br />
18.3.2.1-p1 The Contractor shall deliver agreed Services under this SLA in<br />
accordance with the <strong>ANWI</strong> SOW, Customer priorities <strong>and</strong> the Service Levels<br />
indicated in Paragraph 18.3.2.3.<br />
18.3.2.1-p2 The Customer shall have full read access to the monitoring <strong>and</strong><br />
reporting mechanisms of the <strong>ANWI</strong> Contractor. This is required for the Customer to<br />
allow trend analysis on performances <strong>and</strong> availability of the delivered Services, as<br />
the services provided under this Agreement are directly linked to services provided in<br />
Customer owned internal SLAs <strong>and</strong> other Formal Arrangements.<br />
18.3.2.1-p3 The <strong>ANWI</strong> Contractor shall ensure that the customer has full access<br />
to a dashboard(s) that displays all the agreed up on Service levels as recorded in<br />
Paragraph 18.3.2.3 or in any part of this Agreement.<br />
18.3.2.2 Service Continuity<br />
18.3.2.2-p1 The <strong>ANWI</strong> Contractor shall notify the Customer of any scheduled<br />
maintenance or outages at least 10 working days in advance. Scheduled outages of<br />
ITS shall be coordinated with the Customer’s Project Manager <strong>and</strong> approved by the<br />
Customer. For scheduled events, the <strong>ANWI</strong> Contractor shall contact the Customer<br />
for confirmation 5 working days prior to executing the outage. Provided there are no<br />
overruns, scheduled outages periods will not count towards performance indicator<br />
calculations.<br />
18.3.2.2-p2 The <strong>ANWI</strong> Contractor shall provide roll-back plans for all scheduled<br />
maintenance. The plans shall be submitted to the customer with the outage request.<br />
These plans are to identify: impact analysis on ITS availability, functionality <strong>and</strong> time<br />
thresholds that can be initiated by either the <strong>ANWI</strong> Contractor or the Customer when<br />
any threshold identified in the outage plan is reached. This may include unscheduled<br />
events elsewhere, requiring the restoration of the Service element undergoing<br />
maintenance in order to comply with agreed Service Levels.<br />
18.3.2.2-p3 The <strong>ANWI</strong> Contractor shall provide the maintenance requirements,<br />
if any, <strong>and</strong> send them to the Customer’s Project Manager, as identified in the table<br />
18.1, via email or another common approved form.<br />
18.3.2.2-p4 It is the Customer's responsibility to inform the <strong>ANWI</strong> Contractor at<br />
least 10 working days in advance of any projects or events to be undertaken on life<br />
support Services (electricity, air conditioning, etc.) that may potentially impact any<br />
portion, component or segment of the ITS provided under this agreement.<br />
18.3.2.2-p5 In either of the above cases, interruption of Services should be kept<br />
to a minimum <strong>and</strong> scheduled outside normal office hours (08H00-18H00 Brussels
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Time) unless approved by the Customer, <strong>and</strong> must be officially requested <strong>and</strong> fully<br />
coordinated ahead of time with the appropriate POCs for both parties.<br />
18.3.2.2-p6 All upgrades to operating systems Hardware/Software (HW/SW)<br />
shall be completed without unscheduled downtime where this is not possible then it is<br />
m<strong>and</strong>atory that the Contractor uses the Service Continuity procedure.<br />
18.3.2.2-p7<br />
All planned outages will be agreed <strong>and</strong> approved by the Customer.<br />
18.3.2.2-p8 The <strong>ANWI</strong> Contractor shall keep the Configuration Change Log Up<br />
to Date after every maintenance window.<br />
18.3.2.3 Support Services<br />
18.3.2.3-p1 From the date of availability of the ITS, the services to be provided<br />
will be subject to this SLA <strong>and</strong> will be monitored according to the following indicators:<br />
Event <strong>ANWI</strong> Contractor Action Quality Indicator<br />
Type Supporting Type<br />
Supporting Documents<br />
Documents<br />
Request to Letter<br />
Reply to the request Letter<br />
Response time:<br />
conduct a test Test Plan Review Test Plan<br />
confirm test execution<br />
schedule<br />
Comments on Test Plan<br />
Confirmation of test<br />
execution<br />
Nominate Test<br />
Administrator<br />
2 working days<br />
Test<br />
execution<br />
Test<br />
completed<br />
Provide technical support<br />
during all test execution<br />
Personnel availability: 100 %<br />
Test report Produce ITS Test Report ITS Test report Document delivery:<br />
2 working days after test<br />
completion<br />
Test failure Test report Confirm test re-execution<br />
schedule<br />
Confirmation of test reexecution<br />
schedule<br />
Table 18.2: ITS indicators<br />
Response time:<br />
5 working days<br />
18.3.3 SLA Change Management<br />
18.3.3.1 Changes to the SLA<br />
18.3.3.1-p1<br />
other party.<br />
If changes are required to this SLA they shall be agreed by the<br />
18.3.3.1-p2 This shall be achieved by the requesting party documenting the<br />
change(s) required <strong>and</strong> the reason for the change(s) <strong>and</strong> forwarding this document to<br />
the appropriate contact point as follows:<br />
A. Changes requested by the <strong>ANWI</strong> Contractor should be addressed to the<br />
Purchaser’s Project Manager, as identified in Para 18.2.1.3.<br />
B. Changes requested by the Purchaser should be addressed to the<br />
Contractor’s Project Manager, as identified in Para 18.2.1.3.<br />
18.3.3.1-p3 Once the request is received this shall be approved via the change<br />
control process within the <strong>ANWI</strong> project.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-412 of 532
18.3.3.2 Control of the SLA<br />
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-413 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
18.3.3.2-p1 The <strong>ANWI</strong> Contractor’s Project Manager shall be responsible for<br />
updating this agreement <strong>and</strong> shall ensure that all changes have been approved <strong>and</strong><br />
significant changes highlighted before the new version is distributed.<br />
18.3.3.2-p2 This SLA <strong>and</strong> any subsequent changes must be approved by the<br />
Customer’s Project Manager.<br />
18.3.3.2-p3 This SLA will be distributed in accordance with the defined<br />
distribution list. It shall be available through the Project Manager to the <strong>ANWI</strong><br />
Contractor personnel responsible for the delivery of the service so that they become<br />
familiar with this SLA <strong>and</strong> Service requirements.<br />
18.3.3.3 SLA Change Control Authorisation<br />
18.3.3.3-p1 This section covers the request for additional services <strong>and</strong> changes<br />
to the SLA. The SLA shall be reviewed regularly <strong>and</strong> any changes to the SLA will be<br />
made as part of that process. However, during the course of the service provision it<br />
may be necessary to request services additional to those provided by the SLA or to<br />
request temporary changes to the service.<br />
18.3.3.3-p2<br />
of the parties.<br />
This agreement shall be amended upon the written mutual consent<br />
18.3.3.4 Changes to Service Provision<br />
18.3.3.4-p1 A change to the contracted service must be proposed in written<br />
format by both parties. All agreed changes shall be made in accordance with the<br />
defined <strong>and</strong> agreed change management procedure.<br />
18.3.3.4-p2 Requests for changes shall only be accepted <strong>and</strong> approved by the<br />
following personnel:<br />
A. The Customer’s Project Manager.<br />
B. The <strong>ANWI</strong> Contractor’s Project Manager.<br />
18.3.4 Roles <strong>and</strong> Responsibilities<br />
18.3.4.1 Customer Responsibilities<br />
18.3.4.1-p1 The Customer will:<br />
A. Allow the Contractor to carry out its ITS operations by affording<br />
appropriate physical facilities <strong>and</strong> systems. It is the goal to have a fully<br />
integrated solution allowing both parties full visibility of the integrated<br />
components <strong>and</strong> Services.<br />
B. Provide the contractor personnel with space offices, <strong>and</strong> generic office<br />
automation (Phone, classified <strong>and</strong> unclassified E-mail) in the NATO<br />
facilities.<br />
C. Provide direction, information, prioritisation, authorisations or decisions<br />
that are reasonably necessary for the <strong>ANWI</strong> Contractor to deliver the ITS<br />
Services.<br />
D. Serve as the Security Authority <strong>and</strong> Security Accreditation Authority. The<br />
Customer will ensure that pertinent security measures are implemented in<br />
accordance with NATO regulations.
N A T O U N C L A S S I F I E D<br />
18.3.4.2 <strong>ANWI</strong> Contractor Responsibilities<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
18.3.4.2-p1 The <strong>ANWI</strong> Contractor will:<br />
A. Deliver Services in accordance with customer-established priorities <strong>and</strong><br />
identified Service Levels.<br />
B. Provide Services in a manner consistent with applicable NATO <strong>and</strong><br />
relevant national technical <strong>and</strong> security st<strong>and</strong>ards, codes <strong>and</strong> best<br />
practices.<br />
C. Keep the Customer informed of developments that may affect the level of<br />
Service provided under this Agreement.<br />
D. Ensure that all Services are performed by appropriately qualified, trained<br />
<strong>and</strong> English speaking personnel.<br />
E. Deliver the Service in accordance with the provisions of the SOW.<br />
F. Ensure that all Services are performed with due care <strong>and</strong> diligence,<br />
including conducting periodic quality audits of the Service <strong>and</strong> associated<br />
documentation <strong>and</strong> supporting databases.<br />
G. Provide sufficient resource to meet delivery of the Service to the agreed<br />
level of service.<br />
H. Work closely with other support teams, in particular for problem resolution<br />
<strong>and</strong> change control.<br />
I. Advise the Customer of any patches or upgrades which it may be<br />
necessary to load.<br />
J. Adhere to the working practices agreed between the <strong>ANWI</strong> Contractor <strong>and</strong><br />
the Customer, including all aspects of the corporate data policy.<br />
K. Provide adequate <strong>and</strong> full information, as far as is reasonably practical, to<br />
enable incident <strong>and</strong> problem resolution.<br />
L. Submit problems which may be, as far as can be reasonably discerned,<br />
within the <strong>ANWI</strong> Contractor’s scope of responsibility.<br />
M. Provide appropriate points of response or contact for passing back<br />
solutions <strong>and</strong> information, such as direct phone numbers, e-mail or fax.<br />
N. Notify impending outages in areas within the Customer responsibility on<br />
which the Service is dependent. This notice will be on the same terms as<br />
that expected from the <strong>ANWI</strong> Contractor as detailed in Para 18.2.2.2.<br />
O. Notify forecasts, trends or projections of growth where these may affect<br />
the overall Service performance.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-414 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
SECTION 19. ANNEX K: DOCUMENTATION AND REPORTS<br />
19.1 Appendix 1: <strong>ANWI</strong> Document Requirements<br />
19.1.1 Purpose<br />
19.1.1-p1 This Annex describes the requirements for each document that that the<br />
<strong>ANWI</strong> Contractor shall provide as part of the <strong>ANWI</strong> contract.<br />
19.1.1-p2 This introductory section identifies the general guidelines <strong>and</strong><br />
requirements for <strong>ANWI</strong> documentation submitted as part of this contract.<br />
19.1.2 Format Requirements for Project Documentation<br />
19.1.2-p1 The <strong>ANWI</strong> Contractor shall ensure that all delivered documentation<br />
complies with the identified format <strong>and</strong> content specifications as identified in the<br />
following appendices.<br />
19.1.2-p2 Where no format is specified, the <strong>ANWI</strong> Contractor shall propose a<br />
format from his selected management methodology to the Purchaser to agree on the<br />
structure <strong>and</strong> content of the document.<br />
19.1.2-p3 All documentation provided to the Purchaser shall be written in English<br />
with spelling <strong>and</strong> usage based on the Concise Oxford English Dictionary, 11th<br />
edition.<br />
19.1.2-p4 The convention to be used for numbers appearing in textual documents<br />
is for a comma to be the thous<strong>and</strong>s separator <strong>and</strong> a period to be the decimal<br />
separator (e.g., 1,365,276.24).<br />
19.1.2-p5 The convention to be used for dates appearing in free text (e.g., quoting<br />
dates of meetings) is day-month-year (25 May 2013).<br />
19.1.2-p6 Documentation labelling:<br />
A. Documentation shall neither be marked with corporate logos nor contain<br />
warnings limiting the rights to use or reproduction.<br />
B. Every page shall include a header <strong>and</strong> footer indicating the highest<br />
classification of content on that page using one of the following labels:<br />
NATO CONFIDENTIAL (as built document containing IP addresses <strong>and</strong><br />
locations), NATO RESTRICTED (sensitive information identifying a named<br />
location or security assessment), or NATO UNCLASSIFIED<br />
C. If the <strong>ANWI</strong> information is to be released to a non-NATO nation (partner),<br />
the originator shall mark the document or equipment in accordance with its<br />
classification level, <strong>and</strong> add a “RELEASABLE TO EAPC” tag, after the<br />
appropriate classification marking.<br />
D. The document’s cover page’s header <strong>and</strong> footer shall reflect the highest<br />
classification of content in the document<br />
E. All project documentation shall contain a version number appropriate to<br />
the major / minor concept (e.g. v1.0, v1.1, v1.2, v2.0, v3.0) where the first<br />
number represents a major release or significant change to the content<br />
while the second number represents a smaller change (e.g. spelling<br />
corrections, formatting or minor adjustments).<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-415 of 532
N A T O U N C L A S S I F I E D<br />
19.1.3 Submission of Project Documentation<br />
Book II Page IV-416 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
19.1.3-p1 The Contractor shall submit documentation as follows:<br />
A. The <strong>ANWI</strong> Contractor shall submit all contracting documentation (e.g.,<br />
change proposals, invoices) in paper form.<br />
B. The <strong>ANWI</strong> Contractor shall submit all project management documentation<br />
(e.g., plans, schedules, reports, etc.) as electronic copies in MS Office<br />
2010 format to the Purchaser for review <strong>and</strong> comment.<br />
C. The <strong>ANWI</strong> Contractor shall submit all other types of deliverables as an<br />
electronic copy in a format which is best suited for review <strong>and</strong><br />
maintenance per the following guidelines: Microsoft Word shall be used for<br />
generating text document; Microsoft Excel shall be used for tabular or<br />
matrix data; Microsoft Visio shall be used for drawings; Microsoft Project<br />
shall be used for schedule; <strong>and</strong> Microsoft PowerPoint shall be used for<br />
briefings.<br />
19.1.3-p2 The <strong>ANWI</strong> Contractor shall provide a first draft (version 0.1) of each<br />
deliverable for Purchaser review by the date specified in the Schedule of Supplies<br />
<strong>and</strong> Services or as agreed between the Purchaser’s Contracting Officer <strong>and</strong><br />
Contractor.<br />
19.1.3-p3 The <strong>ANWI</strong> Contractor’s first draft shall be substantially complete,<br />
consistent <strong>and</strong> correct.<br />
19.1.3-p4 The <strong>ANWI</strong> Contractor shall not provide any contractual documentation<br />
in a partial or gradual manner.<br />
19.1.3-p5 The <strong>ANWI</strong> Contractor shall not rely on the Purchaser’s review to fill in<br />
deficiencies or obtain missing Purchaser information.<br />
19.1.4 Delivery <strong>and</strong> Distribution of Project Documentation<br />
19.1.4-p1 The <strong>ANWI</strong> Contractor shall deliver project documentation to the NCIA’s<br />
Contracting Officer<br />
19.1.4-p2 The <strong>ANWI</strong> Contractor shall place an electronic copy of the<br />
delivered/issued document on the Project’s Website, <strong>and</strong> send a link to the<br />
Purchaser<br />
19.1.4-p3 The Purchaser’s Contracting Officer will distribute the delivered/issued<br />
<strong>ANWI</strong> document link to:<br />
A. the Purchaser’s Project Manager<br />
B. the <strong>Technical</strong> Leader<br />
C. the <strong>ANWI</strong> IV&V Contractor<br />
19.1.5 Review of Project Documentation<br />
19.1.5-p1 The Purchaser will provide comments, corrections, <strong>and</strong> suggested<br />
changes to the Contractor’s version 0.1 within two (2) weeks of receipt, unless<br />
otherwise specified in the SOW appendix covering the document in question.<br />
19.1.5-p2 The Purchaser reserves the right to return without review a document<br />
that has significant deficiencies (e.g. a document only including a table of contents); if<br />
this is the case the <strong>ANWI</strong> Contractor shall resubmit a new document as version 0.1<br />
within 1 week.<br />
N A T O U N C L A S S I F I E D
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
19.1.5-p3 The <strong>ANWI</strong> Contractor shall repair all reported deficiencies <strong>and</strong> submit<br />
the revised draft (version 0.2) incorporating the Purchaser's comments within two (2)<br />
weeks after receipt, unless otherwise specified in the SOW appendix covering the<br />
document in question.<br />
19.1.5-p4 The <strong>ANWI</strong> Contractor’s changes shall be provided in the form of:<br />
A. change pages for contractual documentation; pen <strong>and</strong> ink corrections or<br />
‘track changes’ shall not be acceptable.<br />
B. track changes for all other project documentation requiring an iterative<br />
review processes is acceptable.<br />
19.1.5-p5 The Purchaser will review <strong>and</strong> respond to the <strong>ANWI</strong> Contractor’s<br />
version 0.2 within one (1) week of receipt.<br />
19.1.5-p6 The <strong>ANWI</strong> Contractor shall review <strong>and</strong> repair any last (reported)<br />
deficiencies <strong>and</strong> provide the Final (version 1.0) document within one (1) week of<br />
receipt of the Purchaser's comments on the revised draft.<br />
19.1.5-p7 The Purchaser will, within two weeks, either accept version 1.0 as the<br />
baseline or revert to version 0.2 to the <strong>ANWI</strong> Contractor.<br />
19.1.5-p8 If the document is included as part of a Development Baseline, Product<br />
Baseline or Project Management documentation, the <strong>ANWI</strong> Contractor shall remain<br />
responsible for updating the document to reflect changes in: project management,<br />
system requirements, design, or support arrangements as part of Contractor’s<br />
Configuration Management tasks throughout the contract.<br />
19.1.6 Control Information for Project Documentation<br />
19.1.6-p1 Every document submitted to NATO shall contain the following pages<br />
<strong>and</strong> section in addition to the specific content identified in the appropriate appendix:<br />
19.1.6-p2<br />
Cover Page<br />
19.1.6-p3<br />
The cover page shall contain the following information:<br />
Header Classification<br />
Title<br />
Contract number (CO-13300-<strong>ANWI</strong>)<br />
Version X.X<br />
Delivery date (DD MMM YYYY)<br />
Footer Classification<br />
The control information section shall contain the following information:<br />
Information Page<br />
Status<br />
draft, review, released, approved, rejected<br />
Due Date<br />
Day, month <strong>and</strong> year – DD MMM YYYY<br />
Delivery Date<br />
Day, month <strong>and</strong> year – DD MMM YYYY<br />
CLIN<br />
Number from the <strong>ANWI</strong> SSS<br />
Version/Revision History<br />
Optional for internal documents while in<br />
draft <strong>and</strong> review, but is m<strong>and</strong>atory for<br />
released documents <strong>and</strong> those reviewed.<br />
Major versions are those approved by<br />
NCIA <strong>and</strong> are identified as #.0; minor<br />
versions will be identified as #.x reflecting<br />
the revision number<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-417 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Document Approval<br />
Table showing those reviewing the<br />
document <strong>and</strong> the date reviewed<br />
Table of Contents Page<br />
Self-explanatory<br />
Table of Figures Page<br />
Self-explanatory<br />
Table of Tables (DRAWINGS,<br />
Self-explanatory<br />
ILLUSTRATIONS, CHARTS) Page<br />
19.1.6-p4 Every document shall contain an abbreviations section that contains<br />
only those abbreviations/acronyms used in the provided document.<br />
19.1.6-p5 Every document shall include, as needed, a section for references used<br />
in the writing of the document.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-418 of 532
N A T O U N C L A S S I F I E D<br />
19.2 APPENDIX 2: Design Document<br />
19.2.1 Introduction/Purpose<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
19.2.1-p1 The purpose of the design document is to obtain agreement from all<br />
NNHQ parties on the vision <strong>and</strong> plans for the <strong>ANWI</strong> design to support the<br />
implementation of the New NATO Headquarters.<br />
19.2.2 Scope/Assumptions<br />
19.2.2-p1 The <strong>ANWI</strong> Contractor shall produce <strong>and</strong> maintain the <strong>ANWI</strong> design<br />
document which implements the <strong>ANWI</strong> technical requirements in accordance with the<br />
<strong>ANWI</strong> SOW<br />
19.2.2-p2 The <strong>ANWI</strong> Contractor shall produce the <strong>ANWI</strong> design in accordance<br />
with the ‘document structure’ section defined below.<br />
19.2.2-p3 The <strong>ANWI</strong> design document shall addresses the <strong>ANWI</strong> service<br />
requirements, environment, services, service management concept, detailed service<br />
design, processing logic, <strong>and</strong> external interfaces to build the various services that<br />
together are the <strong>ANWI</strong>.<br />
19.2.2-p4 The <strong>ANWI</strong> design document shall also describe the architecture,<br />
technologies, st<strong>and</strong>ards, <strong>and</strong> equipment to deliver the needed capabilities as well as<br />
how the capabilities shall be bundled to support the needs of the services identified in<br />
the SOW <strong>and</strong> finally how they shall be technically managed.<br />
19.2.3 Reporting& Provisioning<br />
19.2.3-p1 The <strong>ANWI</strong> Contractor shall use the review processes described in<br />
Annex K Appendix 1for the CMP.<br />
19.2.3-p2 The Contractor shall deliver the design document in accordance with<br />
the Schedule of Supplies <strong>and</strong> Services.<br />
19.2.3-p3 The <strong>ANWI</strong> Contractor shall update <strong>and</strong> adjust the document, as<br />
required, after every review <strong>and</strong> as needed during the period Effective Date of<br />
Contract (ED) through Final Operating Capability (FOC).<br />
19.2.4 Document Structure<br />
19.2.4-p1<br />
below:<br />
Section<br />
#<br />
The Design Document shall be structured according to the format<br />
Section Title<br />
Executive Summary<br />
Section Description<br />
Provides a managerial description of the<br />
project from <strong>and</strong> an overview of the<br />
framework used to develop the conceptual<br />
<strong>ANWI</strong> design.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-419 of 532
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-420 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section Section Title<br />
Section Description<br />
#<br />
1 Introduction This section defines the purpose <strong>and</strong> overall<br />
objective of the document focusing on<br />
delivery, installation, <strong>and</strong> configuration for the<br />
various networks <strong>and</strong> how capabilities <strong>and</strong><br />
services fit together. It also addresses the<br />
baselines used, service management <strong>and</strong> the<br />
goals of the design.<br />
1.1 Purpose <strong>and</strong> Scope State the purpose of the <strong>ANWI</strong> Design<br />
Document <strong>and</strong> identify the materiel to which<br />
the design is to be applied <strong>and</strong> the<br />
management/acquisition philosophy to which<br />
it is tailored.<br />
High level discussion of the design’s<br />
deliverables<br />
1.2 Document<br />
Organization<br />
This section describes the organization of the<br />
<strong>System</strong>s Design Document.<br />
1.3 Points of Contact Provides the title <strong>and</strong> organization of the key<br />
points of contact for the overall design <strong>and</strong><br />
each subsystem of the <strong>ANWI</strong> system<br />
implementation. These points of contact<br />
must also include/identify the project’s:<br />
Quality Assurance (QA) Manager, Security<br />
Manager, <strong>and</strong> Configuration Manager.<br />
1.4 Glossary Includes a glossary of all terms <strong>and</strong><br />
abbreviations used in this document. If the<br />
glossary is several pages in length, it may be<br />
included as an appendix<br />
2 Requirements<br />
2.1 Location<br />
requirements<br />
2.2 Information<br />
Exchange<br />
Requirements<br />
2.3 Security<br />
Requirements <strong>and</strong><br />
Constraints<br />
2.4 Service Management<br />
<strong>and</strong> Control (SMC)<br />
This section identifies the physical campus<br />
locations <strong>and</strong> how they are to be overall<br />
supported.<br />
This section identifies the types of<br />
information <strong>and</strong> their flows through the<br />
system <strong>and</strong> outside the system.<br />
This section identifies the definitions /<br />
specifications needed to provide the<br />
information assurance capabilities for the<br />
<strong>ANWI</strong> design <strong>and</strong> any provided appliances.<br />
This section identifies the<br />
definitions/specifications needed to provide<br />
the SMC hardware <strong>and</strong> software capabilities<br />
to deliver monitor <strong>and</strong> manage the <strong>ANWI</strong><br />
capabilities.<br />
This section also addresses how the <strong>ANWI</strong><br />
SMC interfaces with the NCIA main service
Section<br />
#<br />
N A T O U N C L A S S I F I E D<br />
Section Title<br />
2.5 Security Domains<br />
<strong>and</strong> Remote Sites<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-421 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section Description<br />
management node for reporting <strong>and</strong> how<br />
NCIA will be able to provide management<br />
oversight of the NNHQ assets<br />
This section identifies the definitions /<br />
specifications needed to deliver the campus’<br />
4 network security domains, <strong>and</strong> to support<br />
the remote NATO sites<br />
2.6 Network Services This section identifies the definitions /<br />
specifications needed to provide high<br />
availability <strong>and</strong> redundant (failover) network<br />
services required in the annexes <strong>and</strong><br />
appendices<br />
2.7 Client Services This section identifies the definitions /<br />
specifications needed to provide the client<br />
service capabilities <strong>and</strong> configurations<br />
required in the annexes <strong>and</strong> appendices<br />
2.8 Unified<br />
Communications &<br />
Collaboration (UCC)<br />
2.9 Supplementary<br />
Services<br />
2.10 Integration & Test<br />
Service (ITS)<br />
This section identifies the definitions /<br />
specifications <strong>and</strong> integration needed to<br />
provide the UCC capabilities required for the<br />
configurations<br />
This section identifies the definitions /<br />
specifications needed to provide the<br />
supplementary services’ <strong>and</strong> meet EU<br />
emission (health <strong>and</strong> ) st<strong>and</strong>ards supporting<br />
the <strong>ANWI</strong><br />
This section identifies the definitions /<br />
specifications needed to provide the ITS<br />
capability to ensure the complete testing of<br />
services prior to installation on the <strong>ANWI</strong><br />
2.11 Service Interfaces This section identifies the definitions /<br />
specifications needed to describe the service<br />
interface points supporting the delivery of the<br />
<strong>ANWI</strong>.<br />
2.12 Service Delivery This section identifies the definitions /<br />
specifications needed to describe how each<br />
service is to be packaged to meet the<br />
specified requirements<br />
2.13 Environmental<br />
Controls <strong>and</strong> Power<br />
requirements<br />
3 <strong>Architecture</strong>&<br />
Performance<br />
This section addresses how the Contractor<br />
will meet the ‘green IT’ requirements <strong>and</strong> its<br />
application in the <strong>ANWI</strong> design criteria<br />
In this section, describe the <strong>ANWI</strong> services<br />
<strong>and</strong> it subsystem(s) architecture for the<br />
projectstressing the incorporation<br />
ofmodularity <strong>and</strong> interface design as defined<br />
in the Target <strong>Architecture</strong>.
Section Section Title<br />
#<br />
3.1 Architectural<br />
Principles<br />
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-422 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section Description<br />
This introductory section describes the <strong>ANWI</strong><br />
architecture’s adoption of the basic principles<br />
described in the SOW <strong>and</strong> explains how the<br />
<strong>ANWI</strong> design ensures that the following<br />
principles are incorporated into the design<br />
3.1.1 Performance This subparagraph describes how the<br />
contractor is going to design a system that<br />
meets the performance requirements found<br />
in the SOW’s annexes.<br />
3.1.1,1 Reliability This subparagraph explains how the<br />
contractor will identify <strong>and</strong> implement quality<br />
reliable COTS products to reduce the length<br />
of time between service or component<br />
failures<br />
3.1.1.2 Availability This subparagraph describes how the<br />
contractor is going to design a robust system<br />
that minimises downtime versus uptime<br />
though the provision of highly available<br />
services <strong>and</strong> capabilities<br />
3.1.1.3 Scalability This subparagraph explains the contractor’s<br />
concept of accommodating the scalability <strong>and</strong><br />
flexibility of processing, memory usage <strong>and</strong><br />
storage capacity as defined in the service<br />
parameters found in the SOW’s annexes<br />
3.1.1.4 Flexibility This subparagraph describes the contractor’s<br />
concept of supporting the dynamic increase<br />
<strong>and</strong> release of server/storage services based<br />
on dem<strong>and</strong> within the parameters of the<br />
SOW<br />
3.1.1.5 Confidentiality This subparagraph explains the high level<br />
concept of how the contractor will ensure that<br />
proper information assurance measures are<br />
implemented to prevent data loss, data<br />
leakage <strong>and</strong> information integrity<br />
3.1.1.6 Continuity This subparagraph describes how the<br />
contractor will ensure that the time to restore<br />
a service is per recovery targets<br />
3.1.1.7 Maintainability This subparagraph explains how the design<br />
of the overall system will minimise the<br />
average time to repair a service, capability or<br />
component<br />
3.1.1.8 Serviceability This subparagraph discusses how the<br />
delivered capabilities will be monitored<br />
demonstrating that the provided services <strong>and</strong><br />
capabilities are meeting the terms of the<br />
service contract
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-423 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section Section Title<br />
Section Description<br />
#<br />
3.1.2 St<strong>and</strong>ardisation This subparagraph addresses how the <strong>ANWI</strong><br />
design will minimize the variation of<br />
components <strong>and</strong> products in the ICT<br />
infrastructure through the use of a set of welldefined<br />
products that are st<strong>and</strong>ardized to the<br />
extent possible across the four networks.<br />
3.2 Logical Layout This section addresses the logical layout of<br />
the various capabilities reflecting the<br />
connections <strong>and</strong> services<br />
3.2.1 NATO SECRET (NS)<br />
network<br />
This section logically depicts the NS network<br />
with its server room configurations,<br />
communications connections, TER<br />
connectivity, services on this security domain<br />
<strong>and</strong> how services will be delivered to the<br />
users for each of the networks <strong>and</strong> their<br />
associated services<br />
3.2.2 EAPC network This section logically depicts the EAPC<br />
network with its server room configurations,<br />
communications connections, TER<br />
connectivity, services on this security domain<br />
<strong>and</strong> how services will be delivered to the<br />
users for each of the networks <strong>and</strong> their<br />
associated services<br />
3.2.3 Business (NR)<br />
network<br />
This section logically depicts the Business<br />
network with its server room configurations,<br />
communications connections, TER<br />
connectivity, services on this security domain<br />
(as well as its hosted NATO Unclassified<br />
services) <strong>and</strong> how services will be delivered<br />
to the users for each of the networks <strong>and</strong><br />
their associated services<br />
3.2.4 Public Network This section logically depicts the network with<br />
its server room configurations,<br />
communications connections, TER<br />
connectivity, services on this security domain<br />
<strong>and</strong> how services will be delivered to the<br />
users for each of the networks <strong>and</strong> their<br />
associated services<br />
3.2.5 Cross Domain<br />
Modules (CDMs)<br />
This section logically depicts the cross<br />
domain module <strong>and</strong> its CDGWs with their<br />
configurations, communications connections,<br />
TER connectivity, <strong>and</strong> the services offered<br />
via these modules<br />
3.3 Physical architecture This section addresses the interconnection of<br />
the various capabilities reflecting the
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-424 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section<br />
#<br />
Section Title<br />
Section Description<br />
interfaces <strong>and</strong> st<strong>and</strong>ards used, as referred to<br />
in Annexes C <strong>and</strong> D<br />
3.3.1 Hardware<strong>Architecture</strong> Describes the overall system hardware<br />
including a list of hardware components (with<br />
a brief description of each item), how the<br />
hardware will be monitored by the SMC <strong>and</strong><br />
diagrams showing the connectivity between<br />
the components <strong>and</strong> subsystems (use<br />
3.3.2 Core Service<br />
Software <strong>Architecture</strong><br />
3.3.3 Communications<br />
<strong>Architecture</strong><br />
subsections to show each <strong>ANWI</strong> subsystem).<br />
Describe the overall system software by:<br />
including a list of software applications <strong>and</strong>/or<br />
modules; a brief description of the<br />
purpose/use of each item (use subsections to<br />
address each application <strong>and</strong>/or module);<br />
maps the software to its service capability;<br />
define its security rolesettings<strong>and</strong> how the<br />
software will be monitored by the SMC. Use<br />
diagrams to map the data flow <strong>and</strong><br />
processes.<br />
Describe the overall communication (internal<br />
<strong>and</strong> external to NATO) in the system <strong>and</strong><br />
provide diagrams showing the<br />
communications path(s) between the system<br />
<strong>and</strong> subsystem modules (use subsections for<br />
each subsystem flow) also in view of the<br />
redundancy requirements<br />
3.3.4 Technology Forecast Describe the possible impact of the trends in<br />
technology <strong>and</strong> the long term (5 year) viability<br />
of the proposed architecture <strong>and</strong><br />
technologies with respect to these trends<br />
3.3.5 Future Contingencies Describe any contingencies that are<br />
deployed to support the <strong>ANWI</strong>’s technical<br />
evolution due to technology updates <strong>and</strong> new<br />
hardware/software releases. Also address<br />
interfacing systems <strong>and</strong> services, even<br />
whilethe <strong>ANWI</strong>is still beinginstalled.<br />
4 Design<br />
4.1 Design/<strong>System</strong><br />
Overview<br />
Provides a non-technical description of the<br />
<strong>ANWI</strong> in narrative form. It provides a highlevel<br />
system architecture diagram showing<br />
<strong>ANWI</strong> subsystem breakout. The high-level<br />
system architecture <strong>and</strong> subsystem diagrams<br />
must show interfaces to external systems<br />
<strong>and</strong> a high-level context diagram for the<br />
system <strong>and</strong> subsystems. Ensure that this is
Section<br />
#<br />
N A T O U N C L A S S I F I E D<br />
Section Title<br />
4.2 Design Constraints<br />
<strong>and</strong> Assumptions<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section Description<br />
mapped to the requirements traceability<br />
matrix to satisfy the requirements in this<br />
design document<br />
Describes any constraints in the design <strong>and</strong><br />
include any assumptions made in developing<br />
the system design as well as addressing the<br />
relationship to other plans/projects<br />
4.2.1 Assumptions This section provides the list of assumptions<br />
for the design for the <strong>ANWI</strong><br />
4.2.2 Dependency<br />
Constraints<br />
This section identifies<br />
anydependencyconstraints to the project<br />
4.2.3 Environmental<br />
Constraints<br />
This section identifies the power, cooling <strong>and</strong><br />
UPS constraints in the server rooms,<br />
communications rooms, <strong>and</strong> TERs based on<br />
the proposed design<br />
4.3 NATO SECRET<br />
Security Domain<br />
4.3.1 Concept of<br />
Operations<br />
4.3.2 Location<br />
requirements<br />
4.3.3 St<strong>and</strong>ardisation of<br />
components & Reuse<br />
This section addresses how the services use<br />
the various capabilities to deliver the full<br />
scope of the service <strong>and</strong> how these services<br />
shall be managed <strong>and</strong> controlled to meet the<br />
SLAs. Additionally, this section shows how all<br />
the services integrate to deliver a coherent<br />
solution supporting the user requirements.<br />
This section addresses the physical locations<br />
of devices <strong>and</strong> rack configurations in the<br />
server rooms <strong>and</strong> TERs<br />
This subparagraph addresses how the<br />
<strong>ANWI</strong>’sNS design minimizes the variation of<br />
components <strong>and</strong> products in the overall<br />
<strong>ANWI</strong> ICT infrastructure through the use of a<br />
set of well-defined common products that are<br />
st<strong>and</strong>ardized to the extent possible across<br />
the four networks.<br />
4.3.4 Service Delivery This section addresses how each capability<br />
of the NS is bundled to meet the<br />
performance, reliability, availability,<br />
scalability, security, maintainability <strong>and</strong><br />
serviceability of each required service (by<br />
annex). Additionally, it addresses how the NS<br />
services are managed by the SMC to meet<br />
the SLAs.<br />
4.3.4.1 Network Services This section addresses the hardware <strong>and</strong><br />
software definitions/specifications needed to<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-425 of 532
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-426 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section<br />
#<br />
Section Title<br />
Section Description<br />
provide the information assurance<br />
capabilities of the NS. This also section<br />
addresses the design scope <strong>and</strong><br />
configuration of the NS portion of the <strong>ANWI</strong>.<br />
Its subsections will detail the various services<br />
provided on <strong>and</strong> via the NS network.<br />
4.3.4.1.1 Wired This section identifies the switched design for<br />
this network<br />
The number of servers <strong>and</strong> clients<br />
to be included on the network<br />
LAN topology<br />
Configuration <strong>and</strong> settings<br />
4.3.4.1.2 Processing This section identifies the server room<br />
configuration/rack layout <strong>and</strong> defines how the<br />
processing requirement is to be satisfied<br />
meeting the availability, reliability, scalability,<br />
flexibility <strong>and</strong> performance requirements<br />
addressing items like:<br />
Power input requirements for each<br />
component<br />
Network connector specifications<br />
Server memory <strong>and</strong> local disk<br />
space requirements<br />
Processor requirements (speed<br />
<strong>and</strong> functionality)<br />
Graphical representation of the<br />
racks<br />
Server room cable type(s) <strong>and</strong><br />
length(s)<br />
Rack console(s)<br />
4.3.4.1.3 Storage This section describes the storage design,<br />
availability, reliability, scalability, flexibility<br />
<strong>and</strong> performance requirements<br />
4.3.4.1.4 Infrastructure This section identifies how these services will<br />
be provided on the NS <strong>and</strong> integrated with<br />
the wider NS WAN<br />
4.3.4.1.5 Print & Scan This section describes how these services<br />
will be provided on the NS<br />
4.3.4.2 Unified<br />
Communications &<br />
Collaboration (UCC)<br />
Services<br />
This section addresses the hardware <strong>and</strong><br />
software definitions/specifications <strong>and</strong><br />
integration needed to provide the required<br />
UCC capabilities <strong>and</strong>service<br />
4.3.4.3 Client Services This section addresses the hardware<br />
configurations <strong>and</strong> software<br />
definitions/specifications needed to provide
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section<br />
#<br />
Section Title<br />
4.3.4.4 Security<br />
Configurations<br />
Section Description<br />
the <strong>ANWI</strong> NS client capabilities<br />
Power input requirements for the<br />
device <strong>and</strong> monitor<br />
Memory<br />
Connectivity to storage<br />
Processor requirements (speed<br />
<strong>and</strong> functionality)<br />
Wall-device cable type(s) <strong>and</strong><br />
length(s)<br />
User interfaces<br />
Hard drive/floppy drive/CD-ROM<br />
requirements<br />
Monitor resolution<br />
The section explains the security<br />
components used <strong>and</strong> how they combine to<br />
satisfy theinformation assurance<br />
requirements. It also explains the need <strong>and</strong><br />
configuration for any security appliances.<br />
Finally identifies security risks <strong>and</strong><br />
configurations needed for the services <strong>and</strong><br />
networks to secure accreditation<br />
Internal security to restrict access<br />
of critical data items to only those<br />
access types required by users<br />
Audit procedures to meet control,<br />
reporting, <strong>and</strong> retention period<br />
requirements for operational <strong>and</strong><br />
management reports<br />
Application audit trails to<br />
dynamically audit retrieval access<br />
to designated critical data<br />
4.3.4.5 Service Management<br />
<strong>and</strong> Control (SMC)<br />
This section addresses the hardware <strong>and</strong><br />
software definitions/specifications needed to<br />
provide the information assurance<br />
capabilities related to SMC.<br />
This section also explains how the services<br />
are to be managed <strong>and</strong> monitored across the<br />
various networks into the NNHQ network<br />
operations centre (NOC). Additionally, it<br />
explains how the operational status/metrics<br />
shall be captured, routed, monitored, ‘billed’<br />
<strong>and</strong> displayed in the NOC to show that the<br />
service is meeting its SLA <strong>and</strong> how the<br />
information will be decomposed to show what<br />
part of the service is causing the issue.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-427 of 532
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-428 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section Section Title<br />
Section Description<br />
#<br />
4.3.5 Service Interfaces A Service Interface Profile (reference Annex<br />
K Appendix 17 - SIP) will be developed that<br />
specifies the interface logical <strong>and</strong> physical<br />
characteristics <strong>and</strong> configuration parameters<br />
for all service (internal <strong>and</strong> external)<br />
interfaces.<br />
4.3.6 Service Integration As there are numerous networks <strong>and</strong><br />
numerous services, this section addresses<br />
how the <strong>ANWI</strong> contractor <strong>and</strong> subcontractors<br />
shall deliver <strong>and</strong> seamlessly integrate the<br />
<strong>ANWI</strong> deliverables <strong>and</strong> NATO PFE into a<br />
coherent highly available network to provide<br />
the required end-to-end services as well as to<br />
support provision of end-to-end services by<br />
services provides that need <strong>ANWI</strong> services.<br />
4.3.7 <strong>System</strong> Attributes &<br />
Configuration<br />
documentation<br />
4.3.8 Environmental<br />
Controls <strong>and</strong> Power<br />
requirements<br />
Inclusion of system-to-systems matrix.<br />
This section identifies <strong>and</strong> documents the<br />
service elements <strong>and</strong> their attribute settings<br />
to establish the configuration baseline<br />
This section addresses the power, cooling<br />
<strong>and</strong> rack UPS requirements need to sustain<br />
the suite of devices <strong>and</strong> racks located in<br />
server rooms, <strong>and</strong> TER<br />
4.3.9 Remote Sites This section addresses the hardware<br />
definitions/specifications needed to provide<br />
the remote site capabilities. Also identifies<br />
the NS wireless solution that will be used by<br />
the <strong>ANWI</strong>’s limited <strong>and</strong> selected users<br />
4.4 EAPC Security<br />
Domain<br />
4.4.1 Concept of<br />
Operations<br />
4.4.2 Location<br />
requirements<br />
4.4.3 St<strong>and</strong>ardisation of<br />
components & Reuse<br />
This section addresses how the services use<br />
the various capabilities to deliver the full<br />
scope of the service <strong>and</strong> how these services<br />
shall be managed <strong>and</strong> controlled to meet the<br />
SLAs. Additionally, this section shows how all<br />
the services integrate to deliver a coherent<br />
solution supporting the user requirements.<br />
This section addresses the physical locations<br />
of devices <strong>and</strong> rack configurations in the<br />
server rooms <strong>and</strong> TERs<br />
This subparagraph addresses how the <strong>ANWI</strong><br />
EAPC design minimizes the variation of<br />
components <strong>and</strong> products in the overall<br />
<strong>ANWI</strong> ICT infrastructure through the use of a<br />
set of well-defined common products that are
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-429 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section<br />
#<br />
Section Title<br />
Section Description<br />
st<strong>and</strong>ardized to the extent possible across<br />
the four networks.<br />
4.4.4 Service Delivery This section addresses how each capability<br />
of the EACP is bundled to meet the<br />
performance, reliability, availability,<br />
scalability, security, maintainability <strong>and</strong><br />
serviceability of each required service (by<br />
annex). Additionally, it addresses how the NS<br />
services are managed by the SMC to meet<br />
the SLAs.<br />
4.4.4.1 Network Services This section addresses the hardware<br />
definitions/specifications needed to provide<br />
the information assurance capabilities of the<br />
EAPC security domain. This section<br />
addresses the design scope <strong>and</strong><br />
configuration of the EAPC portion of the<br />
<strong>ANWI</strong>. Its subsections will detail the various<br />
services provided on <strong>and</strong> via the NS.<br />
4.4.4.1.1 Wired This section identifies the switched design for<br />
this network<br />
The number of servers <strong>and</strong> clients<br />
to be included on the network<br />
LAN topology<br />
Configuration <strong>and</strong> settings<br />
4.4.4.1.2 Processing This section identifies the server room<br />
configuration/rack layout <strong>and</strong> defines how the<br />
processing requirement is to be satisfied<br />
meeting the availability, reliability, scalability,<br />
flexibility <strong>and</strong> performance requirements<br />
addressing items like:<br />
Power input requirements for each<br />
component<br />
Network connector specifications<br />
Server memory <strong>and</strong> local disk<br />
space requirements<br />
Processor requirements (speed<br />
<strong>and</strong> functionality)<br />
Graphical representation of the<br />
racks<br />
Server room cable type(s) <strong>and</strong><br />
length(s)<br />
Rack console(s)<br />
4.4.4.1.3 Storage This section describes the storage design,<br />
availability, reliability, scalability, flexibility<strong>and</strong><br />
performance requirements<br />
4.4.4.1.4 Infrastructure This section identifies how these services will
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section<br />
#<br />
Section Title<br />
Section Description<br />
be provided<br />
4.4.4.1.5 Print & Scan This section describes how these services<br />
4.4.4.2 Unified<br />
Communications &<br />
Collaboration (UCC)<br />
Services<br />
will be provided<br />
This section addresses the hardware <strong>and</strong><br />
software definitions/specifications <strong>and</strong><br />
integration needed to provide the required<br />
UCC capabilities <strong>and</strong> service<br />
4.4.4.3 Client Services This section addresses the hardware<br />
configurations <strong>and</strong> software<br />
definitions/specifications needed to provide<br />
the <strong>ANWI</strong> EAPC client capabilities<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Power input requirements for the<br />
device <strong>and</strong> monitor<br />
Memory<br />
Connectivity to<br />
Processor requirements (speed<br />
<strong>and</strong> functionality)<br />
Wall-device cable type(s) <strong>and</strong><br />
length(s)<br />
User interfaces<br />
Hard drive/floppy drive/CD-ROM<br />
requirements<br />
Monitor resolution<br />
4.4.4.4 Security<br />
Configurations<br />
The section explains the security<br />
components used <strong>and</strong> how they combine to<br />
provide information assurance requirements.<br />
It also explains the need <strong>and</strong> configuration for<br />
any security appliances. Finally identifies<br />
security risks <strong>and</strong> configurations needed for<br />
the services <strong>and</strong> networks to secure<br />
accreditation<br />
4.4.4.5 Service Management<br />
<strong>and</strong> Control (SMC)<br />
This section addresses the hardware <strong>and</strong><br />
software definitions/specifications needed to<br />
provide the information assurance<br />
capabilities related to SMC.<br />
This section explains how the services are to<br />
be managed <strong>and</strong> monitored across the<br />
various networks into the NNHQ network<br />
operations centre (NOC). Additionally, it<br />
explains how the operational status/metrics<br />
shall be captured, routed <strong>and</strong> displayed in the<br />
NOC to show that the service is meeting its<br />
SLA <strong>and</strong> how the information will be<br />
decomposed to show what part of the service<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-430 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section<br />
#<br />
Section Title<br />
Section Description<br />
is causing the issue. The capture,<br />
measurement <strong>and</strong> monitoring of service<br />
metrics is key to this area<br />
4.4.5 Service Interfaces A Service Interface Profile (Annex K<br />
Appendix 17) will be developed that specifies<br />
the interface’s logical <strong>and</strong> physical<br />
characteristics <strong>and</strong> configuratin parameters<br />
for all service (internal <strong>and</strong> external)<br />
interfaces.<br />
4.4.6 Service Integration As there are numerous networks <strong>and</strong><br />
numerous services, this section addresses<br />
how the <strong>ANWI</strong> contractor <strong>and</strong> outsourced<br />
service providers shall deliver <strong>and</strong><br />
seamlessly integrate the deliverables into a<br />
coherent highly available network to provide<br />
the required end-to-end services as well as to<br />
support provision of end-to-end services by<br />
services providers that need <strong>ANWI</strong> services.<br />
4.4.7 <strong>System</strong> Attributes &<br />
Configuration<br />
documentation<br />
4.4.8 Environmental<br />
Controls <strong>and</strong> Power<br />
requirements<br />
4.5 Business (NATO<br />
RESTRICTED <strong>and</strong><br />
NATO<br />
UNCLASSIFIED)<br />
Security Domain<br />
4.5.1 Concept of<br />
Operations<br />
4.5.2 Location<br />
requirements<br />
4.5.3 St<strong>and</strong>ardisation of<br />
components & Reuse<br />
Inclusion of system-to-systems matrix.<br />
This section identifies the elements <strong>and</strong> their<br />
attribute settings to establish the<br />
configuration baseline<br />
This section addresses the power, cooling<br />
<strong>and</strong> UPS requirements need to sustain the<br />
suite of devices <strong>and</strong> racks located in server<br />
rooms, TER, user areas <strong>and</strong> printing areas<br />
This section addresses how the services use<br />
the various capabilities to deliver the full<br />
scope of the service <strong>and</strong> how these services<br />
shall be managed <strong>and</strong> controlled to meet the<br />
SLAs. Additionally, this section shows how all<br />
the services integrate to deliver a coherent<br />
solution supporting the user requirements.<br />
This section addresses the physical locations<br />
of devices <strong>and</strong> rack configurations in the<br />
server rooms <strong>and</strong> TERs<br />
This subparagraph addresses how the<br />
<strong>ANWI</strong>’s Business design minimizes the<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-431 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section<br />
#<br />
Section Title<br />
Section Description<br />
variation of components <strong>and</strong> products in the<br />
overall <strong>ANWI</strong> ICT infrastructure through the<br />
use of a set of well-defined common products<br />
that are st<strong>and</strong>ardized to the extent possible<br />
across the four networks.<br />
4.5.4 Service Delivery This section addresses how each capability<br />
of the Business network is bundled to meet<br />
the performance, reliability, availability,<br />
scalability, security, maintainability <strong>and</strong><br />
serviceability of each required service (by<br />
annex). Additionally, it addresses how the<br />
supplementary services <strong>and</strong> associated HN<br />
Belgium services (ESS, BMS <strong>and</strong> AVI) are<br />
integrated to provide an overall coherent<br />
service via the Business network. Finally, it<br />
will address the SMC of Business services to<br />
meet their SLAs.<br />
4.5.4.1 Network Services This section addresses the hardware <strong>and</strong><br />
software definitions/specifications needed to<br />
provide the information assurance<br />
capabilities of the Business network. This<br />
section also addresses the design scope <strong>and</strong><br />
configuration of the Business portion of the<br />
<strong>ANWI</strong>. Its subsections will detail the various<br />
services provided on <strong>and</strong> via the Business<br />
network (wired <strong>and</strong> wireless).<br />
4.5.4.1.1 Wired & wireless This section identifies the switched design for<br />
this wired <strong>and</strong> wireless network<br />
The number of servers <strong>and</strong> clients<br />
to be included on the network<br />
<br />
<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-432 of 532<br />
LAN topology<br />
Design of the wireless network with<br />
its planning parameters for user<br />
distribution across <strong>and</strong> locations of<br />
Access Points<br />
Configuration <strong>and</strong> settings<br />
4.5.4.1.2 Processing This section identifies the server room<br />
configurations/rack layout <strong>and</strong> defines how<br />
the processing requirement is to be satisfied<br />
meeting the availability, reliability, scalability,<br />
flexibility <strong>and</strong> performance requirements<br />
addressing items like:<br />
<br />
<br />
Power input requirements for each<br />
component<br />
Network connector specifications
N A T O U N C L A S S I F I E D<br />
Book II Page IV-433 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section Section Title<br />
Section Description<br />
#<br />
Server memory <strong>and</strong> local disk<br />
space requirements<br />
Processor requirements (speed<br />
<strong>and</strong> functionality)<br />
Graphical representation of the<br />
racks<br />
Server room cable type(s) <strong>and</strong><br />
length(s)<br />
Rack console(s)<br />
4.5.4.1.3 Storage This section describes the storage design,<br />
availability, reliability, scalability, flexibility<br />
<strong>and</strong> performance requirements<br />
4.5.4.1.4 Infrastructure This section identifies how these services will<br />
be provided on the Business <strong>and</strong> integrated<br />
with the wider NR WAN<br />
4.5.4.1.5 Print & Scan This section describes how these services<br />
will be provided on the Business <strong>and</strong> how<br />
cross domain printing is to be addressed<br />
4.5.4.2 Unified<br />
Communications<br />
&Collaboration (UCC)<br />
Services<br />
This section addresses the hardware <strong>and</strong><br />
software definitions/specifications <strong>and</strong><br />
integration needed to provide the required<br />
UCC capabilities <strong>and</strong> service<br />
4.5.4.3 Client Services This section addresses the hardware<br />
configurations <strong>and</strong> software<br />
definitions/specifications needed to provide<br />
the <strong>ANWI</strong> Business client capabilities (wired<br />
<strong>and</strong> wireless)<br />
4.5.4.4 Security<br />
Configurations<br />
Power input requirements for the<br />
device <strong>and</strong> monitor<br />
Memory<br />
Connectivity to storage<br />
Processor requirements (speed<br />
<strong>and</strong> functionality)<br />
Wall-device cable type(s) <strong>and</strong><br />
length(s)<br />
User interfaces<br />
Hard drive/floppy drive/CD-ROM<br />
requirements<br />
Monitor resolution<br />
The section explains the security<br />
components used <strong>and</strong> how they combine to<br />
provide information assurance requirements.<br />
It also explains the need <strong>and</strong> configuration for<br />
any security appliances. Finally identifies<br />
security risks <strong>and</strong> configurations needed for<br />
the services <strong>and</strong> networks to secure<br />
N A T O U N C L A S S I F I E D
Section<br />
#<br />
N A T O U N C L A S S I F I E D<br />
Section Title<br />
4.5.4.5 Service Management<br />
<strong>and</strong> Control (SMC)<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section Description<br />
accreditation<br />
Internal security to restrict access<br />
of critical data items to only those<br />
access types required by users<br />
Audit procedures to meet control,<br />
reporting, <strong>and</strong> retention period<br />
requirements for operational <strong>and</strong><br />
management reports<br />
Application audit trails to<br />
dynamically audit retrieval access<br />
to designated critical data<br />
This section addresses the hardware <strong>and</strong><br />
software definitions/specifications needed to<br />
provide the information assurance<br />
capabilities related to SMC.<br />
This section also explains how the services<br />
are to be managed <strong>and</strong> monitored across the<br />
various networks into the NNHQ network<br />
operations centre (NOC). Additionally, it<br />
explains how the operational status/metrics<br />
shall be captured, routed, monitored <strong>and</strong><br />
displayed in the NOC to show that the<br />
service is meeting its SLA <strong>and</strong> how the<br />
information will be decomposed to show what<br />
part of the service is causing the issue.<br />
4.5.5 Service Interfaces A Service Interface Profile (reference Annex<br />
K Appendix 17 - SIP) will be developed that<br />
specifies the interface logical <strong>and</strong> physical<br />
characteristics <strong>and</strong> configuration parameters<br />
for all service internal <strong>and</strong> external interfaces.<br />
4.5.6 Service Integration As there are numerous networks <strong>and</strong><br />
numerous services, this section addresses<br />
how the <strong>ANWI</strong> contractor <strong>and</strong> subcontractors<br />
shall deliver <strong>and</strong> seamlessly integrate the<br />
<strong>ANWI</strong> deliverables <strong>and</strong> NATO PFE into a<br />
coherent highly available network to provide<br />
the required end-to-end services as well as to<br />
support provision of end-to-end services by<br />
services providers that need <strong>ANWI</strong> services.<br />
4.5.7 <strong>System</strong> Attributes &<br />
Configuration<br />
documentation<br />
Inclusion of system-to-systems matrix.<br />
This section identifies <strong>and</strong> documents the<br />
service elements <strong>and</strong> their attribute settings<br />
to establish the configuration baseline<br />
4.5.8 Environmental This section addresses the power, cooling<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-434 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section<br />
#<br />
Section Title<br />
Controls <strong>and</strong> Power<br />
requirements<br />
4.6 PUBLIC (Non-<br />
CLASSIFIED <strong>and</strong><br />
NATO<br />
UNCLASSIFIED<br />
Releasable to the<br />
Internet) Security<br />
Domain<br />
4.6.1 Concept of<br />
Operations<br />
4.6.2 Location<br />
requirements<br />
4.6.3 St<strong>and</strong>ardisation of<br />
components & Reuse<br />
Section Description<br />
<strong>and</strong> rack UPS requirements need to sustain<br />
the suite of devices <strong>and</strong> racks located in<br />
server rooms, <strong>and</strong> TER<br />
This section addresses how the services use<br />
the various capabilities to deliver the full<br />
scope of the service <strong>and</strong> how these services<br />
shall be managed <strong>and</strong> controlled to meet the<br />
SLAs. Additionally, this section shows how all<br />
the services integrate to deliver a coherent<br />
solution supporting the user requirements.<br />
This section addresses the physical locations<br />
of devices <strong>and</strong> rack configurations in the<br />
server rooms <strong>and</strong> TERs<br />
This subparagraph addresses how the<br />
<strong>ANWI</strong>’s Public design minimizes the variation<br />
of components <strong>and</strong> products in the overall<br />
<strong>ANWI</strong> ICT infrastructure through the use of a<br />
set of well-defined common products that are<br />
st<strong>and</strong>ardized to the extent possible across<br />
the four networks.<br />
4.6.4 Service Delivery This section addresses how Public capability<br />
is bundled to meet the performance,<br />
reliability, availability, scalability, security,<br />
maintainability <strong>and</strong> serviceability of each<br />
required service (by annex). Additionally, it<br />
addresses how the Public services are<br />
managed by the SMC to meet the SLAs<br />
4.6.4.1 Network Services This section addresses the hardware <strong>and</strong><br />
software definitions/specifications needed to<br />
provide the information assurance<br />
capabilities of the Public security domain.<br />
This section addresses the design <strong>and</strong><br />
configuration of the network (wired <strong>and</strong><br />
wireless) specifying protocols, evolution of<br />
the switching environment <strong>and</strong> failover/high<br />
availability configurations.<br />
4.6.4.1.1 Wired & wireless This section identifies the switched design for<br />
this network <strong>and</strong> how it supports the access<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-435 of 532
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-436 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section<br />
#<br />
Section Title<br />
Section Description<br />
to Business network<br />
4.6.4.1.2 Processing This section defines how the processing<br />
requirement is to be satisfied <strong>and</strong> meet the<br />
availability, reliability, scalability, flexibility<br />
<strong>and</strong> performance requirements<br />
Power input requirements for each<br />
component<br />
Network connector specifications<br />
Server memory <strong>and</strong> local disk<br />
space requirements<br />
Processor requirements (speed<br />
<strong>and</strong> functionality)<br />
Graphical representation of the<br />
racks<br />
Server room cable type(s) <strong>and</strong><br />
length(s)<br />
Rack console(s)<br />
4.6.4.1.3 Storage This section describes the storage design,<br />
availability, reliability, scalability, flexibility<br />
<strong>and</strong> performance requirements<br />
4.6.4.1.4 Infrastructure This section identifies how these services will<br />
be provided on the Public security domain<br />
4.6.4.1.5 Print & Scan This section describes how these services<br />
will be provided via the Public kiosks<br />
4.6.4.2 Client Services This section addresses the hardware <strong>and</strong><br />
software definitions/specifications needed to<br />
provide the Public kiosk capabilities. Also<br />
address the provisioning <strong>and</strong> monitoring of a<br />
user’s Internet access from a Bring Your Own<br />
Device (BYOD) concept.<br />
4.6.4.3 Security<br />
Configurations<br />
4.6.4.4 Service Management<br />
<strong>and</strong> Control (SMC)<br />
The section explains the security<br />
components used <strong>and</strong> how they combine to<br />
provide the Public network’s information<br />
assurance requirements. It also explains the<br />
need <strong>and</strong> configuration for any security<br />
appliances. Finally identifies security risks<br />
<strong>and</strong> configurations needed for the services<br />
<strong>and</strong> networks to secure accreditation.<br />
This section addresses the hardware <strong>and</strong><br />
software definitions/specifications needed to<br />
provide the information assurance<br />
capabilities related to SMC.<br />
This section also explains how the services<br />
are to be managed <strong>and</strong> monitored across the<br />
various networks into the NNHQ network
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section<br />
#<br />
Section Title<br />
Section Description<br />
operations centre (NOC). Additionally, it<br />
explains how the operational status/metrics<br />
shall be captured, routed, monitored <strong>and</strong><br />
displayed in the NOC to show that the<br />
service is meeting its SLA <strong>and</strong> how the<br />
information will be decomposed to show what<br />
part of the service is causing the issue.<br />
4.6.5 Service Interfaces A Service Interface Profile (reference Annex<br />
K Appendix 17 - SIP) will be developed that<br />
specifies the interface logical <strong>and</strong> physical<br />
characteristics <strong>and</strong> configuration parameters<br />
for all service internal <strong>and</strong> external interfaces.<br />
4.6.6 Service Integration As there are numerous networks <strong>and</strong><br />
numerous services, this section addresses<br />
how the <strong>ANWI</strong> contractor, subcontractors <strong>and</strong><br />
outsourced service (WCM) providers shall<br />
deliver <strong>and</strong> seamlessly integrate the<br />
deliverables into a coherent highly available<br />
network to provide the required end-to-end<br />
services as well as to support provision of<br />
end-to-end services by services providers<br />
that need <strong>ANWI</strong> services.<br />
4.6.7 <strong>System</strong> Attributes &<br />
Configuration<br />
documentation<br />
4.6.8 Environmental<br />
Controls <strong>and</strong> Power<br />
requirements<br />
4.7 Cross Domain<br />
Gateways / Module<br />
4.7.1 Concept of<br />
Operations<br />
4.7.2 Location<br />
requirements<br />
Inclusion of system-to-systems matrix.<br />
This section identifies <strong>and</strong> documents the<br />
elements <strong>and</strong> their attribute settings to<br />
establish the configuration baseline<br />
This section addresses the power, cooling<br />
<strong>and</strong> rack UPS requirements need to sustain<br />
the suite of devices <strong>and</strong> racks located in<br />
server rooms, <strong>and</strong> TER<br />
This section addresses the various cross<br />
domain gateways / modules <strong>and</strong> how the<br />
various services use the modules’<br />
capabilities to deliver the full scope of the<br />
service <strong>and</strong> how these services shall be<br />
managed <strong>and</strong> controlled to meet the SLAs.<br />
Additionally, this section shows how all the<br />
services integrate to deliver a coherent<br />
solution supporting the user requirements.<br />
This section addresses the physical locations<br />
of devices <strong>and</strong> rack configurations in the<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-437 of 532
Section<br />
#<br />
N A T O U N C L A S S I F I E D<br />
Section Title<br />
4.7.3 St<strong>and</strong>ardisation of<br />
components & Reuse<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-438 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section Description<br />
server rooms <strong>and</strong> TERs<br />
This subparagraph addresses how the <strong>ANWI</strong><br />
design will minimize the variation of<br />
components <strong>and</strong> products in the ICT<br />
infrastructure through the use of a set of welldefined<br />
set of products that are st<strong>and</strong>ardized<br />
to the extent possible across the four<br />
networks.<br />
Components that perform the same function<br />
across different locations, domains networks<br />
within <strong>ANWI</strong> shall be of same br<strong>and</strong>, model,<br />
capacity <strong>and</strong> feature.<br />
The Contractor shall clearly document the<br />
justification <strong>and</strong> the results of exceptional<br />
cases where use of same equipment is not<br />
possible.<br />
4.7.4 Service Delivery This section addresses how each CDGW as<br />
an integrated part of the CDM is bundled to<br />
meet the performance, reliability, availability,<br />
scalability, security, maintainability <strong>and</strong><br />
serviceability of each required CDGW<br />
4.7.4.1 CDGW1 This section addresses the hardware<br />
definitions/specifications needed to provide<br />
the information assurance capabilities<br />
required in the CDGW configuration. It<br />
addresses the design, protocols,<br />
management <strong>and</strong> configuration of the<br />
CDGW <strong>and</strong> its environment as part of the<br />
CDM to provide the information assurance<br />
requirements <strong>and</strong> failover/high availability<br />
configurations. Finally identifies security risks<br />
<strong>and</strong> configurations needed for the services<br />
<strong>and</strong> networks to secure accreditation<br />
4.7.4.2 CDGW2 This section addresses the hardware<br />
definitions/specifications needed to provide<br />
the information assurance capabilities<br />
required in the CDGW configuration. It<br />
addresses the design, protocols,<br />
management <strong>and</strong> configuration of the CDM’s<br />
environment as part of the CDMto provide<br />
the information assurance requirements <strong>and</strong><br />
failover/high availability configurations.<br />
Finally identifies security risks <strong>and</strong><br />
configurations needed for the services <strong>and</strong><br />
networks to secure accreditation<br />
4.7.4.3 CDGW3 This section addresses the hardware
N A T O U N C L A S S I F I E D<br />
Book II Page IV-439 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section Section Title<br />
Section Description<br />
#<br />
definitions/specifications needed to provide<br />
the information assurance capabilities<br />
required in the CDGW configuration. It<br />
addresses the design,<br />
protocols,management <strong>and</strong> configuration of<br />
the CDMGW <strong>and</strong> its environment as part of<br />
the CDM to provide the information<br />
assurance requirements <strong>and</strong> failover/high<br />
availability configurations. Finally identifies<br />
security risks <strong>and</strong> configurations needed for<br />
the services <strong>and</strong> networks to secure<br />
accreditation<br />
4.7.4.4 CDGW4 This section addresses the hardware<br />
definitions/specifications needed to provide<br />
the information assurance capabilities<br />
required in the CDGW configuration. It<br />
addresses the design, protocols,<br />
management <strong>and</strong> configuration of the CDGW<br />
<strong>and</strong> its environment as part of the CDM to<br />
provide the information assurance<br />
requirements <strong>and</strong> failover/high availability<br />
configurations. Finally identifies security risks<br />
<strong>and</strong> configurations needed for the services<br />
<strong>and</strong> networks to secure accreditation<br />
4.7.4.5 CDGW5 This section addresses the hardware<br />
definitions/specifications needed to provide<br />
the information assurance capabilities<br />
required in the CDGW configuration. It<br />
addresses the design, protocols,<br />
management <strong>and</strong> configuration of the CDGW<br />
<strong>and</strong> its environment as part of the CDM to<br />
provide the information assurance<br />
requirements <strong>and</strong> failover/high availability<br />
configurations. Finally identifies security risks<br />
<strong>and</strong> configurations needed for the services<br />
<strong>and</strong> networks to secure accreditation<br />
4.7.4.6 CDGW6 This section addresses the hardware<br />
definitions/specifications needed to provide<br />
the information assurance capabilities<br />
required in the CGW configuration. It<br />
addresses the design, protocols,<br />
management <strong>and</strong> configuration of the CDGW<br />
<strong>and</strong> its environment as part of the CDM to<br />
provide the information assurance<br />
requirements <strong>and</strong> failover/high availability<br />
configurations. Finally identifies security risks<br />
<strong>and</strong> configurations needed for the services<br />
N A T O U N C L A S S I F I E D
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section<br />
#<br />
Section Title<br />
4.7.4.5 Service Management<br />
<strong>and</strong> Control (SMC)<br />
Section Description<br />
<strong>and</strong> networks to secure accreditation<br />
This section explains how the operational<br />
status/metrics shall be captured, routed <strong>and</strong><br />
displayed in the NNHQ <strong>and</strong> provided to the<br />
Mons’NOC thus showing that the service is<br />
meeting its SLA. It will also show how the<br />
information will be decomposed to show what<br />
part (if any) of the service is causing an issue<br />
to the SLA.<br />
4.7.5 CDM Integration As there are numerous networks <strong>and</strong><br />
numerous services, this section addresses<br />
how the <strong>ANWI</strong> contractor <strong>and</strong> outsourced<br />
service providers shall deliver <strong>and</strong><br />
seamlessly integrate the deliverables into a<br />
coherent highly available network meeting all<br />
security requirements to provide the required<br />
end-to-end services that traverse across<br />
multiple security domains as well as to<br />
support provision of end-to-end services by<br />
services providers that need <strong>ANWI</strong> services.<br />
4.7.6 <strong>System</strong> Attributes &<br />
Configuration<br />
documentation<br />
4.8 Integration Test<br />
Service (ITS)<br />
4.8.1 Concept of<br />
Operations<br />
4.8.2 Location<br />
requirements<br />
4.8.3 St<strong>and</strong>ardisation of<br />
components & Reuse<br />
Inclusion of system-to-systems matrix.<br />
This section identifies the elements <strong>and</strong> their<br />
attribute settings to establish the<br />
configuration baseline<br />
This section addresses how the services use<br />
the various capabilities to deliver the full<br />
scope of the ITS service <strong>and</strong> how these<br />
services shall be managed <strong>and</strong> controlled to<br />
initially test the various SLAs. Additionally,<br />
this section shows how all the services will be<br />
provided to demonstrate <strong>and</strong> test the<br />
integrationof a coherent solution supporting<br />
the <strong>ANWI</strong> requirements.<br />
This section addresses the physical locations<br />
of devices <strong>and</strong> rack configurations in the<br />
server rooms <strong>and</strong> TERs <strong>and</strong> cable runs<br />
This subparagraph addresses how the <strong>ANWI</strong><br />
design will minimize the variation of<br />
components <strong>and</strong> products in the ICT<br />
infrastructure through the use of a set of welldefined<br />
set of products that are st<strong>and</strong>ardized<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-440 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section<br />
#<br />
Section Title<br />
Section Description<br />
to the extent possible across the four<br />
networks.<br />
Components that perform the same function<br />
across different locations, domains networks<br />
within <strong>ANWI</strong> shall be of same br<strong>and</strong>, model,<br />
capacity <strong>and</strong> feature.<br />
The Contractor shall clearly document the<br />
justification <strong>and</strong> the results of exceptional<br />
cases where use of same equipment is not<br />
possible.<br />
4.8.4 Service Delivery This section addresses how the ITS will be<br />
able to assert that the environment will<br />
replicate the <strong>ANWI</strong>networks in terms of all<br />
aspects of performance, reliability,<br />
availability, scalability, security,<br />
maintainability <strong>and</strong> serviceability of each<br />
required service to attest to the validity of the<br />
test environment.<br />
4.8.4.1 Network Services This section addresses the hardware <strong>and</strong><br />
software definitions/specifications needed to<br />
provide <strong>and</strong> test the information assurance<br />
capabilities of any two networks<br />
(concurrently). This section also addresses<br />
the design <strong>and</strong> configuration of the replicated<br />
networks (wired <strong>and</strong>/or wireless) replicating<br />
protocols, the switching environment <strong>and</strong><br />
failover/high availability configurations to<br />
ensure a properly replicated network for<br />
testing.<br />
4.8.4.2 Unified<br />
Communications &<br />
Collaboration (UCC)<br />
Services<br />
This section addresses the hardware <strong>and</strong><br />
software definitions/specifications <strong>and</strong><br />
integration needed to provide <strong>and</strong> test the<br />
required UCC capabilities<br />
4.8.4.3 Client Services This section addresses the hardware <strong>and</strong><br />
software definitions/specifications needed to<br />
provide <strong>and</strong> test the full suite of client<br />
capabilities required in the <strong>ANWI</strong><br />
4.8.4.4 Supplementary<br />
Services<br />
This section addresses the hardware <strong>and</strong><br />
software needs of supplementary services<br />
<strong>and</strong> any contractual conditions for contractor<br />
provided appliances for testing a simulated<br />
<strong>ANWI</strong> security domain.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-441 of 532
Section Section Title<br />
#<br />
4.8.4.5 Security<br />
Configurations<br />
4.8.4.6 Service Management<br />
<strong>and</strong> Control (SMC)<br />
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-442 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section Description<br />
The section explains the security<br />
components used can be adjusted to support<br />
any security domain <strong>and</strong> cross domain<br />
module <strong>and</strong> how they combine to support the<br />
testing of the information assurance<br />
requirements. It also explains how the<br />
baselines will be maintained <strong>and</strong> managed to<br />
expedite testing <strong>and</strong> any security<br />
accreditation needs.<br />
This section addresses how the hardware<br />
definitions/specifications to provide the<br />
information assurance <strong>and</strong> SMC capabilities<br />
will be maintained <strong>and</strong> managed.<br />
Additionally, it explains how the operational<br />
status/metrics demonstrate <strong>and</strong> evaluatethe<br />
capture, routing <strong>and</strong> display of parameters to<br />
show that the tested service may suitably<br />
meet its SLA <strong>and</strong> how the information will<br />
assessed <strong>and</strong> offered to NCIA .<br />
4.8.5 Service Interfaces A Service Interface Profile (reference Annex<br />
K Appendix 17 - SIP) will be developed that<br />
specifies the interface logical <strong>and</strong> physical<br />
characteristics <strong>and</strong> configuration parameters<br />
for all service internal <strong>and</strong> external interfaces.<br />
4.8.6 Service Integration .As there are numerous networks <strong>and</strong><br />
numerous services, this section addresses<br />
how the <strong>ANWI</strong> contractor will provide<br />
sufficient equipment to test the integration of<br />
the deliverables on a highly available ITS<br />
network<br />
4.8.7 <strong>System</strong> Attributes &<br />
Configuration<br />
documentation<br />
4.8.8 Environmental<br />
Controls <strong>and</strong> Power<br />
requirements<br />
4.9 Supplementary<br />
Services<br />
This section identifies the elements <strong>and</strong> their<br />
attribute settings to establish the<br />
configuration baseline<br />
This section addresses the power, cooling<br />
<strong>and</strong> UPS requirements need to sustain the<br />
suite of devices (organic to the ITS <strong>and</strong><br />
tested equipment) <strong>and</strong> racks located in the<br />
ITS<br />
This section addresses the hardware <strong>and</strong><br />
software needs of supplementary services<br />
<strong>and</strong> any contractual conditions for contractor<br />
provided appliances.<br />
4.9.1 GSM This section will address the provisioning<br />
design of the GSM solution in the NNHQ as<br />
well as describes the selection of<br />
GSM/smartphone selection
Section Section Title<br />
#<br />
4.9.2 GSM & Wireless<br />
Blocking<br />
4.9.3 Site Security<br />
Communications<br />
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-443 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section Description<br />
This section discusses the implementation<br />
<strong>and</strong> blocking solutions, as well as addresses<br />
the design, support <strong>and</strong> implementation of<br />
the 3 V/m rule.<br />
This sections provides the design, coverage<br />
area <strong>and</strong> implementation of the NNHQ’s Site<br />
Security Communications<br />
4.9.4 IPTV This section addresses the design of the<br />
IPTV solution <strong>and</strong> how the TV signal will be<br />
distributed to fixed TVs <strong>and</strong> broadcasted to<br />
<strong>and</strong> displayed on fixed <strong>and</strong>/or mobile user<br />
devices (per service catalogue ‘purchase’)<br />
irrespective of the user device footprint<br />
4.10 Migration This section addresses the migration of HQ<br />
to NNHQ servers <strong>and</strong> storage<br />
4.10.1 User E-Mail /<br />
calendar / contacts<br />
This section describes the process that will<br />
be used to ensure that a user’s HQ e-<br />
mail/calendar/contact data is migrated to the<br />
user’s <strong>ANWI</strong> e-mail account while<br />
maintaining access permissions <strong>and</strong> currency<br />
of data ensuring no data loss.<br />
4.10.2 User Share Data This section explains how a user’s Windows<br />
share data will be migrated to an <strong>ANWI</strong><br />
Windows share while maintaining access<br />
permissions <strong>and</strong> currency of data ensuring<br />
no data loss.<br />
4.10.3 Voice <strong>and</strong> voicemail This section explains how a user’s telephone<br />
information (saved voice mail, speed dial <strong>and</strong><br />
phone configuration/permissions) will be<br />
migrated to the <strong>ANWI</strong> UCC solution while<br />
maintaining currency of data ensuring no<br />
data loss.<br />
5 Risks<br />
5.1 Design Risks This section identifies the risks to the <strong>ANWI</strong><br />
system<br />
5.2 Security Risk<br />
Assessment<br />
This section identifies the security risks to the<br />
<strong>ANWI</strong>’s system<br />
6 Administration &<br />
Support<br />
6.1 Warranty This section addresses the hardware <strong>and</strong><br />
software warranty conditions <strong>and</strong> how the<br />
<strong>ANWI</strong> Contractor proposes to manage <strong>and</strong><br />
support these conditions<br />
6.2 Training This section identifies the results of the<br />
Contractor’s training needs assessment of<br />
skills <strong>and</strong> provides a recommended number
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section<br />
#<br />
Section Title<br />
Section Description<br />
of staff needed to properly support <strong>and</strong><br />
maintain each provided capability <strong>and</strong> service<br />
included in the <strong>ANWI</strong> design<br />
6.3 Documentation This section identifies & provides the<br />
supporting, installation <strong>and</strong> configuration<br />
documentation<br />
6.4 Drawings This sections shall hold the ‘to be’ drawings<br />
<strong>and</strong> later replaced by the ‘as built’<br />
6.5 Requirements This section shall contain the requirements<br />
trace from the contractual specifications<br />
through the approved requirements review<br />
into the design document. The Contractor’s<br />
Requirements Traceability Matrix reflects this<br />
trace.<br />
6.6 Design st<strong>and</strong>ard This section shall define the selected<br />
international/NATO design st<strong>and</strong>ard that the<br />
Contractor will use for the <strong>ANWI</strong> design,as<br />
well as the adaptations to that st<strong>and</strong>ard that<br />
the Contractors will apply.<br />
6.7 Verification This section shall provide a verification matrix<br />
that defines how to verify all requirements,<br />
<strong>and</strong> which acceptance criteria to apply.<br />
Appendix 1 Server room design This appendix provides the layout of the<br />
server room detailing the network-rack<br />
distribution; room scaling; power <strong>and</strong> cooling<br />
needs; failover between server rooms <strong>and</strong><br />
connectivity to the TER (communications <strong>and</strong><br />
switching)<br />
Appendix 2 Traceability Matrix This appendix provides a table (or database)<br />
that traces the totality of the <strong>ANWI</strong><br />
requirements to their associated service,<br />
hardware/software <strong>and</strong> supporting<br />
configuration<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-444 of 532
N A T O U N C L A S S I F I E D<br />
19.3 Appendix 3: Project Management Plan (PMP)<br />
19.3.1 Introduction/Purpose<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
19.3.1-p1 The purpose of this plan is to documentthe project management<br />
structure <strong>and</strong> methodology of the Contractor.<br />
19.3.1-p2 The PMP shall also explain the organisation, relation <strong>and</strong> roles of the<br />
sub-contractors.<br />
19.3.2 Scope/Assumptions<br />
19.3.2-p1 The <strong>ANWI</strong> Contractor shall establish <strong>and</strong> maintain a Project<br />
Management Plan (PMP) for the project.<br />
19.3.2-p2 The PMP shall cover all aspects of the project’s management including<br />
its project management structure <strong>and</strong> processes, personnel assignments, external<br />
relationships, <strong>and</strong> other necessary management aspects to provide the capability as<br />
required by the <strong>ANWI</strong> contract.<br />
19.3.2-p3 The PMP shall identify all major <strong>ANWI</strong> Contractor operating units <strong>and</strong><br />
any Sub-Contractors/partners involved in the delivery of the <strong>ANWI</strong> including a<br />
description <strong>and</strong> quantification (%) of the portion of the overall effort or deliverable<br />
item for which each is responsible.<br />
19.3.2-p4 The PMP shall contain an organisational chart showing the members of<br />
the <strong>ANWI</strong> Contractor’s Project Team (including the members of the PMO) <strong>and</strong><br />
showing their respective responsibilities <strong>and</strong> Authority.<br />
19.3.2-p5 The PMP shall be detailed to ensure that the Purchaser is able to<br />
assess the <strong>ANWI</strong> Contractor’s plans, capabilities, <strong>and</strong> ability to manage the entire<br />
project <strong>and</strong> implement it in conformance with the requirements as specified in this<br />
SOW.<br />
19.3.2-p6 The initial version of the PMP shall be provided to the Purchaser for<br />
acceptance.<br />
19.3.2-p7 After Purchaser Acceptance, the PMP shall be placed under the<br />
Contractors Configuration Control <strong>and</strong> any changes to the PMP shall be brought<br />
forward to the Purchaser PM for acceptance.<br />
19.3.2-p8 The acceptance of the PMP by the Purchaser signifies only that the<br />
Purchaser agrees to the <strong>ANWI</strong> Contractor’s approach in meeting the requirements.<br />
This acceptance in no way relieves the <strong>ANWI</strong> Contractor from its responsibilities to<br />
meet the requirements stated in this Contract.<br />
19.3.2-p9 The <strong>ANWI</strong> Contractor shall ensure that the PMP remains current<br />
throughout the duration of the Project through monthly updates to reflect the actual<br />
state of the <strong>ANWI</strong> Contractor's organisation <strong>and</strong> efforts.<br />
19.3.3 Reporting& Provisioning<br />
19.3.3-p1 The <strong>ANWI</strong> Contractor shall use the review processes described in<br />
Annex K Appendix 1for the PMP.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-445 of 532
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-446 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
19.3.3-p2 The <strong>ANWI</strong> Contractor shall deliver the PMP in accordance with the<br />
Schedule of Supplies <strong>and</strong> Services.<br />
19.3.3-p3 The <strong>ANWI</strong> Contractor shall update the PMP after each meeting <strong>and</strong><br />
adjust the document throughout the project to FOC.<br />
19.3.4 Document Structure<br />
19.3.4-p1<br />
Section<br />
#<br />
The PMP shall be structured according to the format below:<br />
Section Title<br />
Executive Summary<br />
Section Description<br />
Provides the managerial approach for the<br />
project <strong>and</strong> how the project will be managed.<br />
1 Introduction This section provides a high level overview of<br />
the project management <strong>and</strong> how the<br />
contractor will manage the project<br />
1.1 Purpose <strong>and</strong> Scope State the scope of the project <strong>and</strong> how .<br />
1.2 Document<br />
Organization<br />
This section describes the organization of the<br />
project management plan<br />
1.3 Points of Contact Provides the title <strong>and</strong> organization of the key<br />
points of contact for the project<br />
1.4 Glossary Includes a glossary of all terms <strong>and</strong><br />
abbreviations used in this document. If the<br />
glossary is several pages in length, it may be<br />
included as an appendix<br />
2 Project Team This section identifies the<br />
contractors/partners that comprise the <strong>ANWI</strong><br />
contractor team<br />
2.1 Project Management<br />
Structure<br />
This section identifies the relationship among<br />
the various <strong>ANWI</strong> contractors <strong>and</strong> provides a<br />
diagram of the organisational structure of the<br />
team<br />
2.2 Prime Contractor This section identifies the scope of the main<br />
contractor <strong>and</strong> defines the roles <strong>and</strong><br />
responsibilities of key staff provided by the<br />
contractor<br />
2.3 Consortium Partner This section identifies the scope of the<br />
consortium partner(s) <strong>and</strong> defines the roles<br />
<strong>and</strong> responsibilities of key staff provided by<br />
the contractor<br />
2.4 Sub-contractors This section identifies the scope of the subcontractors<br />
<strong>and</strong> defines the roles <strong>and</strong><br />
responsibilities of key staff provided by the<br />
sub-contractor<br />
3 Management<br />
Processes<br />
This section defines the main project<br />
management processes, procedures <strong>and</strong><br />
templates that will be used during the <strong>ANWI</strong><br />
project.
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
3.1 Change Management This section describes the contractor’s<br />
change control process that will be used in<br />
managing the project; as well as identify the<br />
approval process for changes; who <strong>and</strong> how<br />
they are submitted; <strong>and</strong> how they will be<br />
tracked <strong>and</strong> monitored<br />
3.2 Communications<br />
Management<br />
This section defines the communication<br />
requirements for the project <strong>and</strong> how<br />
information flows <strong>and</strong> will be distributed.<br />
Communications management provides the<br />
following in a RACI matrix:<br />
Communication requirements by roles<br />
What information is to be<br />
communicated<br />
How the information is communicated<br />
When will information be distributed<br />
Who is responsible for the<br />
communication<br />
Who receives the communication<br />
3.3 Scope Management This section identifies how the <strong>ANWI</strong><br />
Contractor will define, track <strong>and</strong> manage the<br />
<strong>and</strong> then how the <strong>ANWI</strong> Contractor will<br />
measure <strong>and</strong> verify the scope (i.e. Quality<br />
Checklists, Scope Baseline, Work<br />
Performance Measurements, etc.)<br />
3.4 Relationship to other<br />
plans<br />
4 Project Management<br />
Activities <strong>and</strong> Controls<br />
This section address how the other project<br />
related plans (PIP, RMP, CMP, etc) are<br />
managed, reviewed <strong>and</strong> updated.<br />
This section identifies the management tasks<br />
that are to be fulfilled as part of the <strong>ANWI</strong><br />
project <strong>and</strong> how they will be controlled.<br />
4.1 Project Key Dates This section provides a discussion of how the<br />
PIP’s key project dates are identified <strong>and</strong> will<br />
be controlled.<br />
4.2 Project Control &<br />
Corrective Actions<br />
4.2.1 Managerial Reporting<br />
Activities<br />
4.2.2 Integration Testing<br />
Service (ITS)<br />
This section identifies how the <strong>ANWI</strong><br />
Contractor will manage <strong>and</strong> control the<br />
project <strong>and</strong> support the integration of NATO<br />
PFE<br />
This section identifies the <strong>ANWI</strong> Contractor’s<br />
reporting procedures for status reports from<br />
his sub-contractors <strong>and</strong> how they will be<br />
validated.<br />
This section identifies how the <strong>ANWI</strong><br />
Contractor is going to manage <strong>and</strong> control the<br />
ITS to ensure synchronisation of test activities<br />
with all dependent project parties (ESS, BMS,<br />
AVI, VTC, NEDS, NPKI, etc.)<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-447 of 532
4.2.3 Project Progress<br />
Review Meeting<br />
(PPRM)<br />
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
This section explains how the contractor will<br />
use the PPRM to provide information, raise<br />
issues/concerns <strong>and</strong> report progress.<br />
4.2.4 Design Reviews This section explains how the <strong>ANWI</strong><br />
Contractor will use the design process <strong>and</strong><br />
design reviews to manage the implemented<br />
solution to ensure that the <strong>ANWI</strong> does<br />
support innovation, delivery of current<br />
technology <strong>and</strong> is properly integrated with<br />
NATO PFE <strong>and</strong> SMC.<br />
4.2.5 Contractor Meetings This section outlines how the <strong>ANWI</strong><br />
Contractor plans to work with the other<br />
dependent projects to ensure that the <strong>ANWI</strong><br />
can interface with the provided services<br />
4.2.6 Problem Reporting &<br />
Monitoring<br />
This section identifies how the Contractor will<br />
identify, report <strong>and</strong> manage <strong>ANWI</strong> problems<br />
that require the Purchaser’s support<br />
Annex A <strong>ANWI</strong> Project Team This annex contains the Curriculum Vitae of<br />
the project’s key personnel<br />
A.1 <strong>ANWI</strong> Project Manager<br />
(PM)<br />
Contains the CV of the Purchaser approved<br />
<strong>ANWI</strong> PM<br />
A.2 <strong>ANWI</strong> <strong>Technical</strong> Lead<br />
(TL)<br />
Contains the CV of the Purchaser approved<br />
<strong>ANWI</strong> TL<br />
A.3 <strong>ANWI</strong> Test Director<br />
(TD)<br />
Contains the CV of the Purchaser approved<br />
<strong>ANWI</strong> TD<br />
A.4 Additional This section identifies other personnel<br />
needed, outlining a description of their<br />
functions, duties <strong>and</strong> responsibilities as well<br />
as how they will be used in the project. This<br />
list can include but is not limited to:<br />
<br />
<br />
<br />
<br />
Quality Assurance Manager<br />
Site Implementation <strong>and</strong> Support<br />
Manager(s)<br />
Trainer(s)<br />
Test Expert<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-448 of 532
N A T O U N C L A S S I F I E D<br />
19.4 Appendix 4: Project Implementation Plan (PIP)<br />
19.4.1 Introduction/Purpose<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
19.4.1-p1 The purpose of the Project Implementation Plan (PIP) is to document<br />
the plan for the implementation of the <strong>ANWI</strong>.<br />
19.4.1-p2 The primary focus of the PIP is the project schedule which not only<br />
dictates the timeline of <strong>ANWI</strong> activities/deliverables but also identifies the necessary<br />
sequencing for coordination of dependent <strong>ANWI</strong> activities.<br />
19.4.2 Scope/Assumptions<br />
19.4.2-p1<br />
The PIP shall explain the project’s scope, objectives <strong>and</strong> deliverables.<br />
19.4.2-p2 The <strong>ANWI</strong> Contractor shall provide <strong>and</strong> maintain a PIP consisting of an<br />
implementation plan, schedule, <strong>and</strong> work breakdown structure (WBS).<br />
19.4.2-p3 The <strong>ANWI</strong> Contractor shall structure the PIP so that general<br />
implementation information is maintained in the body of the plan <strong>and</strong> site-specific<br />
details (e.g. site installation <strong>and</strong> activation checklists) are kept as annexes.<br />
19.4.2-p4 Project Schedule<br />
A. The <strong>ANWI</strong> Contractor shall identify key dates <strong>and</strong> milestones in the project<br />
schedule.<br />
B. The <strong>ANWI</strong> Contractor’s project schedule shall include <strong>and</strong> reflect the<br />
dependencies of the NNHQ Programme’s key programme milestones as<br />
identified in this IFB’s Annex A.<br />
C. The <strong>ANWI</strong> Contractor’s project schedule shall depict the sequence,<br />
duration, <strong>and</strong> interdependencies among the project’s work breakdown<br />
structure’s work packages to include internal QA events.<br />
D. The <strong>ANWI</strong> Contractor’s project schedule shall include activity network,<br />
activity Gantt, milestone, <strong>and</strong> critical path views of the project schedule.<br />
19.4.2-p5 Work Breakdown Structure.<br />
A. The <strong>ANWI</strong> Contractor shall establish <strong>and</strong> maintain a Project Work<br />
Breakdown Structure (PWBS) as it is the primary framework for Contract<br />
planning <strong>and</strong> reporting to the Purchaser.<br />
B. The <strong>ANWI</strong> Contractor shall use the latest commercial version of the MS<br />
Project to create the work breakdown schedule (WBS) <strong>and</strong> shall use that<br />
version of MS Project throughout the life of the <strong>ANWI</strong> project.<br />
C. The WBS shall define the <strong>ANWI</strong> tasks needed to guarantee the successful<br />
management, delivery <strong>and</strong> acceptance of the <strong>ANWI</strong>: design, site survey,<br />
testing, delivery, installation, training, capability, service <strong>and</strong> site<br />
activation, system acceptance, <strong>and</strong> support as well as management<br />
products (e.g. project plans, Project Status Reports, Purchaser reviews,<br />
provision of specific Purchaser-furnished items), including at least the<br />
initial version <strong>and</strong> the final one.<br />
D. The WBS shall identify the start <strong>and</strong> finish dates, duration, predecessors,<br />
successors, <strong>and</strong> resource requirements for each task.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-449 of 532
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-450 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
E. The WBS shall decompose all <strong>ANWI</strong> tasks to a level that exposes all<br />
project risk factors <strong>and</strong> allows accurate estimation of each task’s duration,<br />
resource requirements, inputs <strong>and</strong> outputs, <strong>and</strong> predecessors <strong>and</strong><br />
successors.<br />
F. The WBS shall be traceable to performance <strong>and</strong> delivery requirements of<br />
the Schedule of Supplies <strong>and</strong> Services.<br />
G. The <strong>ANWI</strong> Contractor shall not change the WBS without the approval of<br />
the Purchaser.<br />
H. The WBS shall be provided to the Purchaser for acceptance <strong>and</strong> any<br />
changes to the PWBS are required to be approved by the Purchaser’s PM<br />
for acceptance.<br />
19.4.2-p6 The site survey(s) <strong>and</strong> installation sequence <strong>and</strong> dates reflected in the<br />
PIP shall be co-ordinated by the <strong>ANWI</strong> Contractor with the Purchaser <strong>and</strong> the Site<br />
Point of Contacts (POC) to accommodate site-specific requirements, exercises,<br />
holiday periods, <strong>and</strong> other considerations.<br />
19.4.2-p7 The <strong>ANWI</strong> Contractor shall update <strong>and</strong> maintain the PIP to reflect the<br />
findings <strong>and</strong> results of the Site Survey activities <strong>and</strong> in relation with the progress of<br />
installation <strong>and</strong> activation activities.<br />
19.4.2-p8 The <strong>ANWI</strong> implementation <strong>and</strong> migration activities may generate<br />
outages at NATO HQ <strong>and</strong>/or the NNHQ site during the period between IOC <strong>and</strong><br />
FOC.<br />
19.4.2-p9 The <strong>ANWI</strong> Contractor shall ensure that any NATO HQ <strong>and</strong>/or<br />
NNHQoutages be kept short (less than 3 hours in duration), planned (approved by<br />
the Purchaser at least 48 hours in advance based on an <strong>ANWI</strong> Contractor-provided<br />
back-out plan to restore functionality within 30 minutes), <strong>and</strong> localised (limited to<br />
areas agreed to by the Purchaser).<br />
19.4.3 Reporting & Provisioning<br />
19.4.3-p1 The <strong>ANWI</strong> Contractor shall use the review processes described in<br />
Annex K Appendix 1for the PIP.<br />
19.4.3-p2 The <strong>ANWI</strong> Contractor shall deliver the PIP in accordance with the<br />
Schedule of Supplies <strong>and</strong> Services.<br />
19.4.3-p3 The PIP shall be placed under Configuration Control <strong>and</strong> provided to<br />
the Purchaser for acceptance.<br />
19.4.3-p4 The acceptance of the Product Baseline by the Purchaser signifies only<br />
that the Purchaser agrees to the <strong>ANWI</strong> Contractor's approach in meeting the<br />
requirements. This acceptance in no way relieves the <strong>ANWI</strong> Contractor from its<br />
responsibilities to meet the requirements stated in this Contract.<br />
19.4.3-p5<br />
The <strong>ANWI</strong> Contractor shall review the PIP prior to each project meeting.<br />
19.4.3-p6 The <strong>ANWI</strong> Contractor shall report the project’s schedule status <strong>and</strong><br />
suggest/request any changes, as needed, for Purchaser consideration at project<br />
meetings.<br />
19.4.3-p7<br />
decision.<br />
The <strong>ANWI</strong> Contractor shall adjust the PIP based on the Purchaser’s
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
19.4.3-p8 The PIP is a ‘living document’ that the <strong>ANWI</strong> Contractor shall maintain<br />
(update <strong>and</strong> adjust the document, as required) from Effective Date of Contract (ED)<br />
through Final Operating Capability (FOC).<br />
19.4.4 Document Structure<br />
19.4.4-p1<br />
Section<br />
#<br />
The PIP shall be structured according to the format below:<br />
Section Title<br />
Executive Summary<br />
Section Description<br />
Provides a managerial description of how the<br />
project will be implemented.<br />
1 Introduction This section explains the purpose <strong>and</strong> overall<br />
objective of the PIP <strong>and</strong> identifys the major<br />
activities to be undertaken in the <strong>ANWI</strong><br />
project.<br />
1.1 Purpose <strong>and</strong> Scope State the purpose of the PIP <strong>and</strong> explicitly<br />
state that this is a living document <strong>and</strong> that it<br />
is to be updated as the project evolves.<br />
1.2 Document<br />
Organization<br />
This section describes the organization of the<br />
PIP.<br />
1.3 Points of Contact Provides the title <strong>and</strong> organization of the key<br />
points of contact for the production, analysis<br />
<strong>and</strong> assertions made in the PIP<br />
1.4 Glossary Includes a glossary of all terms <strong>and</strong><br />
abbreviations used in this document. If the<br />
glossary is several pages in length, it may be<br />
included as an appendix<br />
2 Assumptions <strong>and</strong><br />
Constraints<br />
This section describes the assumptions <strong>and</strong><br />
constraintsconcerning the development <strong>and</strong><br />
execution of the implementation plan<br />
addressing items like:<br />
o Schedule<br />
o Hardware<br />
o Software <strong>and</strong> other technology to<br />
be reused or purchased,<br />
o Interfaces constraints<br />
3 Implementation Plan This section provides the framework for the<br />
approach taken to create the project<br />
schedule.<br />
3.1 Major Tasks This section describes the major <strong>ANWI</strong><br />
(generic or overall) project tasks required to<br />
deliver both the ITS as well as the <strong>ANWI</strong><br />
(hardware, software, migration, <strong>and</strong> validate<br />
the <strong>ANWI</strong> services <strong>and</strong> system). This<br />
ultimately concludes with the construction of a<br />
complete Work Breakdown Structure.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-451 of 532
3.2 Implementation<br />
Schedule<br />
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-452 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
This subsection of the Project Implementation<br />
Plan provides a schedule of activities to be<br />
accomplished. Show the required tasks<br />
(described in Subsection 3.1, Major Tasks) in<br />
chronological order, with the beginning <strong>and</strong><br />
end dates of each task. If MS Project is used<br />
to plan the implementation, include the<br />
project Gantt chart. Include any milestones<br />
from the projects that are dependent on this<br />
project <strong>and</strong> vice-versa<br />
This includes the scheduling tool/format,<br />
schedule milestones, <strong>and</strong> schedule<br />
development roles <strong>and</strong> responsibilities.<br />
3.3 Project Milestone List This section provides a discussion of the<br />
milestones <strong>and</strong> a summary list of project<br />
milestones <strong>and</strong> their associated dates.<br />
3.4 Security This section provides an overview <strong>and</strong><br />
discussion of the security aspects related to<br />
the <strong>ANWI</strong> implementation concerning<br />
security:<br />
o<br />
o<br />
o<br />
o<br />
o<br />
o<br />
o<br />
Personnel clearances<br />
Screening of equipment<br />
Storage of equipment<br />
Movement <strong>and</strong> transportation<br />
Security testing & evaluation<br />
Documentation <strong>and</strong> review<br />
Migration of <strong>ANWI</strong> core data from<br />
the existing HQ<br />
3.5 Design This section shall address the tasks needed<br />
to produce the ITS <strong>and</strong> <strong>ANWI</strong> designs <strong>and</strong><br />
supporting reviews.<br />
4 Implementation This section describes the site-specific<br />
implementation requirements <strong>and</strong><br />
procedures.<br />
4.1 NNHQ Campus This section defines the requirements that<br />
must be satisfied for the orderly<br />
implementation of the <strong>ANWI</strong> services <strong>and</strong><br />
system for the main campus<br />
4.1.1 NATO SECRET This section addresses the implementation<br />
specifics of the NS including an overview<br />
description of the implementation: team,<br />
schedule, procedures, <strong>and</strong> data.<br />
4.1.2 EAPC This section addresses the implementation<br />
specifics for the EAPC including an overview<br />
description of the implementation: team,<br />
schedule, procedures, <strong>and</strong> data.<br />
4.1.3 Business This section addresses the implementation<br />
specifics for the Business including an
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-453 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
overview description of the implementation:<br />
team, schedule, procedures, <strong>and</strong> data.<br />
4.1.4 Public This section addresses the implementation<br />
specifics for the Public including an overview<br />
description of the implementation: team,<br />
schedule, procedures, <strong>and</strong> data.<br />
4.2 Cross Domain<br />
Gateways<br />
This section addresses the implementation<br />
specifics for the cross domain gateways<br />
including an overview description of the<br />
implementation: team, schedule, procedures,<br />
<strong>and</strong> data.<br />
4.3 Remote Sites This section addresses the specifics of the<br />
implementation for the remote sites including<br />
an overview description of the<br />
implementation: team, schedule, procedures,<br />
<strong>and</strong> data.<br />
4.4 Risk <strong>and</strong> Contingency<br />
Planning<br />
This section identifies the risks <strong>and</strong> actions to<br />
take in the event the implementation fails or<br />
needs to be altered at any point <strong>and</strong> includes<br />
the factors to be used for making the decision<br />
(refer to the Risk Management Plan as<br />
needed)<br />
4.5 Acceptance Criteria This subsection of the Project Implementation<br />
Plan establishes the exit or acceptance<br />
criteria for transitioning the system into<br />
production. Identify the criteria that will be<br />
used to determine the acceptability of the<br />
deliverables as well as any required technical<br />
processes, methods, tools, <strong>and</strong>/ or<br />
performance benchmarks required for product<br />
acceptance<br />
5 Implementation<br />
Support<br />
This section describes the general support<br />
required for the implementation.<br />
5.1 Hardware This section provides a list of all hardware<br />
needed for installing <strong>and</strong> testing the <strong>ANWI</strong><br />
services. Identify the hardware by make,<br />
model <strong>and</strong> configuration; also add information<br />
about warranty/maintenance contract(s). If<br />
this information is provided in another<br />
document identify that item here <strong>and</strong><br />
reference appropriately otherwise add as an<br />
Annex to this document.<br />
5.2 Software This section provides a list of all software<br />
(software, operating systems, utilities, etc <strong>and</strong><br />
identify the software as COTS, custom<br />
developed or legacy) required to<br />
implementation the <strong>ANWI</strong>. Identify the
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
software by name/acronym, version & release<br />
numbers, <strong>and</strong> configuration settings; as well<br />
as add information about vendor support,<br />
licensing, usage, <strong>and</strong> maintenance contract<br />
<strong>and</strong> associated costs. If this information is<br />
provided in another document identify that<br />
item here <strong>and</strong> reference appropriately<br />
otherwise add as an Annex to this document.<br />
5.3 Facilities This section identifies the physical facilities<br />
(space), accommodations, location(s) <strong>and</strong><br />
time (hours per day needed, number of days,<br />
<strong>and</strong> anticipated dates) required to support the<br />
storing, staging, implementing <strong>and</strong> support of<br />
the <strong>ANWI</strong>.<br />
5.4 Issues This section addresses any known issues or<br />
problems with respect to implementation<br />
planning.<br />
5.5 Performance<br />
Monitoring<br />
5.6 Configuration<br />
Management Interface<br />
This section describes how the <strong>ANWI</strong><br />
Contractor will monitor the performance <strong>and</strong><br />
determine if the implementation’s progress<br />
This section addresses the relationship<br />
between implementation <strong>and</strong> Configuration<br />
Management (e.g. when versions will be<br />
distributed)<br />
6 Implementation Impact This section describes how the migration is<br />
expected to impact the <strong>ANWI</strong>’s<br />
implementation for the HQ with respect to<br />
Annex A<br />
<strong>ANWI</strong> Project Gantt<br />
Chart<br />
o<br />
o<br />
o<br />
o<br />
Network / infrastructure<br />
User community<br />
Impact to the ITS.<br />
Service Level Agreements<br />
requirements (performance,<br />
availability, security)<br />
o <strong>System</strong> backups, expected<br />
transaction rates<br />
o Storage requirements (with<br />
expected growth rate)<br />
o Help desk support requirements<br />
This annex provides the MS Project portion of<br />
the PIP<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-454 of 532
N A T O U N C L A S S I F I E D<br />
19.5 Appendix 5: Risk Management Plan (RMP)<br />
19.5.1 Introduction/purpose<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
19.5.1-p1 The purpose of this plan is to document the policies <strong>and</strong> procedures<br />
that will be used for identifying <strong>and</strong> h<strong>and</strong>ling project risks.<br />
19.5.1-p2 Risk must be considered as those items that will possibility result in a<br />
negative impact on the project, be it decreased quality, increased cost, delays, or<br />
failure.<br />
19.5.2 Scope/assumptions<br />
19.5.2-p1 The <strong>ANWI</strong> Contractor shall establish <strong>and</strong> maintain an overall Risk<br />
Management Plan (RMP) <strong>and</strong> risk process for the project.<br />
19.5.2-p2 The <strong>ANWI</strong> Contractor’s RMP shall establish <strong>and</strong> maintain a Risk Log for<br />
the project which is available on the <strong>ANWI</strong> project website.<br />
19.5.2-p3 The <strong>ANWI</strong> Contractor shall ensure that risks are identified early,<br />
assessed accurately, <strong>and</strong> quickly mitigated with the Purchaser.<br />
19.5.2-p4 The <strong>ANWI</strong> Contractor shall identify any management, technical,<br />
schedule, <strong>and</strong> cost risks, evaluate each risk, <strong>and</strong> select a proposed response for<br />
each risk mentioned in the Risk Log.<br />
19.5.2-p5<br />
impact.<br />
Each risk shall be rated based on its probability of occurrence <strong>and</strong><br />
19.5.2-p6 The <strong>ANWI</strong> Contractor shall propose an appropriate response for each<br />
risk from the following list:<br />
A. Prevention: Terminate the risk – by doing things differently <strong>and</strong> thus<br />
removing the risk, where it is feasible to do so. Countermeasures are put<br />
in place that either stop the threat or problem from occurring or prevent it<br />
from having any impact on the project or business.<br />
B. Reduction: Treat the risk – take action to control it in some way where the<br />
action either reduce the likelihood of the risk developing or limit the impact<br />
on the project to acceptable levels.<br />
C. Acceptance: Tolerate the risk – e.g. if nothing can be done at a reasonable<br />
cost to mitigate it or the likelihood <strong>and</strong> impact of the risk occurring are at<br />
an acceptable level.<br />
D. Contingency: plan <strong>and</strong> organise actions to come into force as <strong>and</strong> when<br />
the risk occurs.<br />
E. Transference: Pass the management of the risk to a third party (e.g.<br />
insurance policy or penalty clause), such that the impact of the risk is no<br />
longer an issue for the health of the project.<br />
19.5.2-p7 The <strong>ANWI</strong> Contractor shall include in the Project Status Report a chart<br />
that lists all active risks rated high on any factor <strong>and</strong> note any significant forecasted<br />
changes in these risks.<br />
19.5.2-p8 The <strong>ANWI</strong> Contractor shall update <strong>and</strong> brief the Risk Log at every<br />
Project Progress Review Meeting <strong>and</strong> Design Review Meeting.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-455 of 532
19.5.3 Reporting& Provisioning<br />
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
19.5.3-p1 The <strong>ANWI</strong> Contractor shall use the review processes described in<br />
Annex K Appendix 1for the RMP.<br />
19.5.3-p2 The <strong>ANWI</strong> Contractor shall deliver the RMP in accordance with the<br />
Schedule of Supplies <strong>and</strong> Services.<br />
19.5.3-p3 The <strong>ANWI</strong> Contractor shall update the RMP after each meeting <strong>and</strong><br />
adjust the document throughout the project to FOC.<br />
19.5.4 Document Structure<br />
19.5.4-p1<br />
Section<br />
#<br />
The RMP shall be structured according to the format below:<br />
Section Title<br />
Executive Summary<br />
Section Description<br />
Provides a managerial description of the<br />
project’srisk management concept <strong>and</strong> how<br />
risks will be addressed throughout the<br />
project.<br />
1 Introduction<br />
1.1. Purpose This section identifies <strong>and</strong> explains the<br />
purpose of the risk management plan.<br />
1.2 Intended Audience Describes the intended audience of the plan,<br />
including the sub-contractor team.<br />
1.3 Glossary Includes a glossary of all terms <strong>and</strong><br />
abbreviations used in this document. If the<br />
glossary is several pages in length, it may be<br />
included as an appendix<br />
2 Risk Management<br />
Approach<br />
This section identifies the overall risk<br />
management approach <strong>and</strong> should follow the<br />
st<strong>and</strong>ard risk management approach of:<br />
analyse, plan monitor <strong>and</strong> controlidentification<br />
2.1 Risk Identification This section will explain how the sources of<br />
risk, possible risk events <strong>and</strong> risk symptoms<br />
will be determined (details <strong>and</strong> specifics are<br />
addressed later in the document).<br />
2.2 Risk Analysis This section explains how the following will be<br />
determined: the value of opportunities to<br />
pursue vs. the threats to avoid <strong>and</strong> the<br />
opportunities to ignore vs. the threats to<br />
accept (details <strong>and</strong> specifics are addressed<br />
later in the document).<br />
2.3 Response Planning This section explains the response planning<br />
process <strong>and</strong> its relationship between risk<br />
management <strong>and</strong> contingency plans (details<br />
<strong>and</strong> specifics are addressed later in the<br />
document).<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-456 of 532
Section Section Title<br />
#<br />
2.4 Risk Monitoring <strong>and</strong><br />
Control per milestone<br />
3 Roles <strong>and</strong><br />
Responsibilities<br />
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-457 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section Description<br />
This section explains the risk monitoring <strong>and</strong><br />
control process <strong>and</strong> how corrective action<br />
plans are developed, implemented, <strong>and</strong><br />
monitored (details <strong>and</strong> specifics are<br />
addressed later in the document).<br />
For each project role, this section will<br />
describe the responsibilities with respect to<br />
risk; additional roles can be added.<br />
3.1 Project Manager The section formalises that the project<br />
manager is responsible for approval of the<br />
risk management plan (this document), leads<br />
<strong>and</strong> participates in the risk management<br />
process, <strong>and</strong> takes ownership of risk<br />
mitigation/contingency planning <strong>and</strong><br />
execution, ultimately making the project<br />
manager responsible for the decisions on risk<br />
actions, in coordination with the project<br />
sponsors.<br />
3.2. Project Team The section explains how the project team<br />
members (analysts/product managers,<br />
designers, developers, testers, <strong>and</strong><br />
deployment team members) will participate in<br />
the risk identification, monitoring <strong>and</strong><br />
mitigation process/activities.<br />
3.3. Quality Assurance<br />
Lead<br />
This section addresses how the quality<br />
assurance (QA) lead will be involved in<br />
ensuring that identified risks are being<br />
managed per the risk management plan <strong>and</strong><br />
his/herinvolvement in identifying new risks<br />
<strong>and</strong>/or proposing mitigation strategies <strong>and</strong><br />
contingency plans, along with proposing<br />
improvements to the risk management plan<br />
<strong>and</strong> processes.<br />
3.4. Project Sponsors Project sponsors participate in risk<br />
identification <strong>and</strong> risk activities, as necessary.<br />
Project sponsors also receive escalated risks<br />
<strong>and</strong> assist with mitigation <strong>and</strong> contingency<br />
actions for escalated risks<br />
3.5. Project Stakeholders Stakeholders assist in monitoring risk action<br />
effectiveness <strong>and</strong> participate in risk<br />
escalation, as necessary.<br />
4. Risk Identification<br />
4.1 Sources This section provides the detailed description<br />
of how risk identification will be done<br />
throughout the project’slife-cycle even though<br />
the majority of the risks should be identified
Section<br />
#<br />
Section Title<br />
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section Description<br />
early on in the project. The following may be<br />
considered as tools <strong>and</strong> techniques for risk<br />
identification:<br />
Analysis of high-level deliverables<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Analysis of the PIP<br />
Analysis of change requests<br />
Analysis of project assumptions<br />
Project team input<br />
Lessons learned<br />
QA audits <strong>and</strong> reviews<br />
Performance <strong>and</strong> status reports<br />
Diagramming techniques<br />
4.2 Risk Register This section identifies <strong>and</strong> documents the<br />
selection logic for the risk sources, events<br />
<strong>and</strong> symptoms <strong>and</strong> collects the risks’<br />
information<strong>and</strong> builds/establishes the<br />
principle <strong>and</strong> need for the risk register<br />
(maintain as a separate document) where the<br />
following information should be noted:<br />
Risk category<br />
<br />
<br />
<br />
<br />
<br />
Risk trigger<br />
Potential outcome<br />
Raised By<br />
Date Raised<br />
Source<br />
4.2.1 Taxonomy of the<br />
Identified Risks<br />
This should be explained here <strong>and</strong> provided<br />
in RMP Appendix A<br />
4.2.2 Operational Risks This section identifies the list of operational<br />
risks<br />
4.2.3 Support Risks This section identifies the list of support<br />
related risks<br />
4.2.4 External Risks This section identifies the list of dependency<br />
<strong>and</strong> external (project) risks<br />
5. Risk<br />
Analysis/Assessment<br />
5.1. Background This section describes the summary of the<br />
Risk Management Process against the<br />
following criteria:<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-458 of 532
Section<br />
#<br />
Section Title<br />
N A T O U N C L A S S I F I E D<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-459 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section Description<br />
Methods of Risk Assessment<br />
Probability estimationof the risk<br />
occurrence<br />
Impact estimationof the risk, if it<br />
occurs<br />
Cost estimation<br />
Schedule estimation<br />
External risks<br />
Risk Ranking for the phases of the of<br />
the project: design,<br />
implementation,operations, <strong>and</strong><br />
support<br />
5.1.1. Qualitative Analysis This section describes the qualitative analysis<br />
process used to determine:<br />
The likelihood of the risk occurring<br />
<br />
<br />
The qualitative impact on the project<br />
The quality of the risk data being<br />
utilized<br />
5.1.2. Quantitative Analysis If quantitative analysis is to be used, this<br />
section should contain information on:<br />
The criteria for which risks will<br />
undergo quantitative analysis<br />
<br />
<br />
Technique(s) to be utilized<br />
o The impact to cost or schedule<br />
for risks<br />
o The probability of meeting<br />
project cost <strong>and</strong>/or schedule<br />
targets<br />
o Realistic project targets on cost,<br />
schedule, <strong>and</strong>/or scope<br />
Expected outputs of analysis<br />
5.2. Documentation The results of risk analysis should be<br />
documented in the risk register. The<br />
following information shall be entered in the<br />
register:<br />
Risk impact<br />
<br />
<br />
Risk probability<br />
Risk matrix score – computed by the
Section<br />
#<br />
Section Title<br />
N A T O U N C L A S S I F I E D<br />
<br />
<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-460 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section Description<br />
risk register spreadsheet after impact<br />
<strong>and</strong> probability are entered<br />
Risk priority – computed by the risk<br />
register spreadsheet after impact <strong>and</strong><br />
probability are entered<br />
Qualitative impact – descriptive<br />
comments about the potential risk<br />
impact<br />
6. Response Planning<br />
6.1. Background This section describes the risk strategy <strong>and</strong><br />
planning processto minimize the effects of the<br />
risk <strong>and</strong> how it will be controlled <strong>and</strong><br />
managed.<br />
Risk H<strong>and</strong>ling Process<br />
<br />
<br />
Evaluation <strong>and</strong> Selection of options<br />
Tracking of the process<br />
6.2. Risk Strategies This section describes the methods for<br />
responding to risks <strong>and</strong> defines the various<br />
terms.<br />
6.2.1. Avoid<br />
6.2.2. Transfer<br />
6.2.3. Mitigate<br />
6.2.4. Accept<br />
6.3. Documentation This paragraph addresses the risk register<br />
showing:<br />
Issues<br />
<br />
<br />
<br />
Response strategy (avoid, transfer,<br />
mitigate, or accept)<br />
Response notes<br />
Risk owner<br />
7. Risk Monitoring <strong>and</strong><br />
Control<br />
7.1. Background This section identifies the monitoring <strong>and</strong><br />
control of the risk environment <strong>and</strong> describes<br />
the following tasks are performed:<br />
Identification <strong>and</strong> planning for new<br />
risks<br />
<br />
<br />
Tracking of identified risks <strong>and</strong> their<br />
trigger conditions<br />
Periodicallyreview risk <strong>and</strong> issue
Section<br />
#<br />
Section Title<br />
N A T O U N C L A S S I F I E D<br />
<br />
<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section Description<br />
status/review as part of project<br />
performance information<br />
Re-analyze existing risks to see if the<br />
response plan must change<br />
Review the effectiveness of the RMP<br />
7.2. Timing This section discusses how often the risk<br />
monitoring <strong>and</strong> control process will occur over<br />
the lifetime of the project.<br />
7.3. Documentation This section identifies the updating of the risk<br />
register with information based on the status<br />
of the risk item:<br />
Identified – Risk documented, but<br />
analysis not performed<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Analysis Complete – Risk analysis<br />
done, but response planning not<br />
performed<br />
Planning Complete – Response<br />
planning complete<br />
Triggered – Risk trigger has occurred<br />
<strong>and</strong> threat has been realized<br />
Resolved – Realized risk has been<br />
contained<br />
Retired – Identified risk no longer<br />
requires active monitoring (e.g. risk<br />
trigger has passed)<br />
Trigger Date – if the risk has been<br />
triggered<br />
Comments/notes<br />
8. Appendix A:<br />
Definitions<br />
8.1. Risk Categories The following diagram offers pre-defined risk<br />
categories for consideration. Risk categories<br />
should be used to support the identification of<br />
risks.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-461 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Table 1 – Risk Categories<br />
8.2. Risk Probability Definitions The contractor should use a table like<br />
this to identify the risk probability<br />
definitions.<br />
Probability<br />
Probability Description<br />
Category<br />
Very High 0.90 Risk event is expected to occur<br />
High 0.70 Risk event is likely to occur<br />
Medium 0.50 Risk event may or may not occur<br />
Low 0.30 Risk event is not likely to occur<br />
Very Low 0.10 Risk event is not expected to occur<br />
Table 2 – Risk Probability Definitions<br />
8.3. Risk Impact Definitions The following chart should be used to<br />
show risk impact definitions across<br />
each of the potentially impacted<br />
project areas (cost, schedule, scope,<br />
<strong>and</strong> quality). During the risk analysis<br />
the potential impact of each risk is<br />
analyzed <strong>and</strong> an appropriate impact<br />
level (0.05, 0.10. 0.20, 0.40, or 0.80)<br />
is selected from the chart below<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-462 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Project<br />
Objective<br />
Cost<br />
Schedule<br />
Scope<br />
Quality<br />
Very Low<br />
0.10<br />
Insignifican<br />
t cost<br />
impact<br />
Insignifican<br />
t schedule<br />
impact<br />
Barely<br />
noticeable<br />
Barely<br />
noticeable<br />
Low<br />
0.30<br />
< 10% cost<br />
impact<br />
< 5%<br />
schedule<br />
impact<br />
Minor<br />
areas<br />
impacted<br />
Only very<br />
dem<strong>and</strong>ing<br />
application<br />
s impacted<br />
Moderate<br />
0.50<br />
10-30%<br />
cost impact<br />
5-10%<br />
schedule<br />
impact<br />
Major<br />
areas<br />
impacted<br />
Sponsor<br />
must<br />
approve<br />
quality<br />
reduction<br />
High<br />
0.80<br />
30-50%<br />
cost impact<br />
10-20%<br />
schedule<br />
impact<br />
Changes<br />
unacceptab<br />
le to<br />
sponsor<br />
Quality<br />
reduction<br />
unacceptab<br />
le to<br />
sponsor<br />
Table 3 – Definition of Risk Impact Scales<br />
Very High<br />
0.90<br />
> 50% cost<br />
impact<br />
> 20%<br />
schedule<br />
impact<br />
Product<br />
becomes<br />
effectively<br />
useless<br />
Product<br />
becomes<br />
effectively<br />
useless<br />
8.4. Risk Probability <strong>and</strong> Impact<br />
Matrix<br />
The risk probability <strong>and</strong> impact matrix<br />
should be used to show the<br />
combination of risk impact <strong>and</strong><br />
probability <strong>and</strong> should be used to<br />
decide the relative priority of risks.<br />
Risks falling into the red-shaded cells<br />
are the high priority <strong>and</strong> those that fall<br />
into the yellow-shaded cells are the<br />
next highest priority, followed by risks<br />
that fall into the green-shaded cells.<br />
Probabilit Impact<br />
y<br />
0.10 0.30 0.50 0.70 0.90<br />
0.90 0.09 0.27 0.45 0.63 0.81<br />
0.70 0.07 0.21 0.35 0.49 049<br />
0.50 0.05 0.15 0.25 0.21 0.45<br />
0.30 0.03 0.09 0.15 0.21 0.27<br />
0.10 0.01 0.03 0.05 0.07 0.09<br />
Table 4 – Risk Probability <strong>and</strong> Impact Matrix<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-463 of 532
N A T O U N C L A S S I F I E D<br />
19.6 APPENDIX 6: Quality Assurance Plan (QAP)<br />
19.6.1 Introduction/Purpose<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
19.6.1-p1 The purpose of the Quality Assurance Plan (QAP) is to identify the<br />
planned <strong>and</strong> systematic activities to be implemented in in the <strong>ANWI</strong> project so that<br />
the quality requirements for the services will be fulfilled.<br />
19.6.1-p2 Essential discussions in the QAP are the determination of a service’s “fit<br />
for purpose" <strong>and</strong> how the <strong>ANWI</strong> Contractor will implement controls, processes, <strong>and</strong><br />
inspections to catch <strong>and</strong> eliminate mistakes.<br />
19.6.2 Scope/Assumptions<br />
19.6.2-p1 The <strong>ANWI</strong> Contractor shall establish, execute, document <strong>and</strong> maintain<br />
an effective Quality Assurance (QA) programme throughout the Contract’s lifetime<br />
(see references 1.1.1.1.1 – 1.1.1.1.3).<br />
19.6.2-p2 The <strong>ANWI</strong> Contractor‘s QA effort shall meet the requirements of the<br />
QAP for installation <strong>and</strong> integration activities.<br />
19.6.2-p3 The <strong>ANWI</strong> Contractor‘s QA effort shall apply to all services <strong>and</strong> all<br />
products (both management products <strong>and</strong> specialist products) to be provided by the<br />
<strong>ANWI</strong> Contractor under this contract (this includes all hardware <strong>and</strong> software –<br />
COTS as well as developed for this project – documentation <strong>and</strong> supplies that are<br />
designed, developed, acquired, maintained or used, including deliverable <strong>and</strong> nondeliverable<br />
items).<br />
19.6.2-p4 The <strong>ANWI</strong> Contractor ‘s QA effort shall ensure that procedures are<br />
developed, implemented <strong>and</strong> maintained to adequately control the design,<br />
development, production, purchasing, installation, inspection, testing, configuration<br />
management <strong>and</strong> customer support of all services <strong>and</strong> all products (both<br />
management products <strong>and</strong> specialist products), in accordance with the requirements<br />
of this Contract.<br />
19.6.2-p5 The <strong>ANWI</strong> Contractor‘s QA effort shall be described in detail in the<br />
Quality Assurance Plan (QAP).<br />
19.6.2-p6 The QAP shall clearly indicate the QA activities, responsibilities, <strong>and</strong><br />
checks for the Contractor <strong>and</strong> any sub-contractors.<br />
19.6.3 Reporting& Provisioning<br />
19.6.3-p1 The initial version of the QAP shall be configuration controlled <strong>and</strong><br />
provided to the Purchaser for acceptance.<br />
19.6.3-p2 The acceptance of the QAP by the Purchaser signifies only that the<br />
Purchaser agrees to the <strong>ANWI</strong> Contractor’s approach in meeting the requirements.<br />
This acceptance in no way relieves the Contractor from its responsibilities to meet<br />
the requirements stated in this Contract.<br />
19.6.3-p3 The <strong>ANWI</strong> Contractor shall review his QA programme periodically <strong>and</strong><br />
audit it for adequacy, compliance <strong>and</strong> effectiveness.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-464 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
19.6.3-p4 If the Purchaser detects that the <strong>ANWI</strong> Contractor does not respect the<br />
QA programme as described in the QAP, the Purchaser has the right to suspend the<br />
Contractor’s activities without any compensation for the Contractor.<br />
19.6.3-p5 Purchaser Quality Assurance Representative<br />
A. The Purchaser has the right under STANAG 4107 to delegate some of the<br />
Quality Assurance Representative (QAR) responsibilities to a National<br />
Quality Assurance Representative (NQAR) <strong>and</strong> the Purchaser will employ<br />
an Independent Verification & Validation (IV&V) Contractor to fulfil a<br />
portion of this role.<br />
B. The <strong>ANWI</strong> Contractor shall agree to provide all necessary assistance to<br />
the NATO QAR or his delegated NQAR.<br />
19.6.3-p6 The <strong>ANWI</strong> Contractor shall make his quality records, <strong>and</strong> those of his<br />
subcontractors, available for evaluation by the QAR/NQAR throughout the duration of<br />
the Contract. Note: quality audits at the <strong>ANWI</strong> Contractor or subcontractors premises<br />
will in principle only be executed by the QAR/NQAR if the quality records provided by<br />
the <strong>ANWI</strong> Contractor do not provide sufficient evidence that an effective <strong>and</strong><br />
economical QA system is operational is available.<br />
19.6.3-p7 The QAR will use AQAP-160 (see reference 1.1.1.1.3) <strong>and</strong> ISO/IEC<br />
9126 as guides for QA reviews of software <strong>and</strong> software based customisation that<br />
have to be developed under this Contract.<br />
19.6.3-p8 The <strong>ANWI</strong> Contractor shall use the review processes described in<br />
Annex K Appendix 1for the QAP.<br />
19.6.3-p9 The Contractor shall deliver the QAP in accordance with the Schedule<br />
of Supplies <strong>and</strong> Services.<br />
19.6.3-p10 The <strong>ANWI</strong> Contractor shall update the document, as required, from<br />
the delivery date of the initial QAP through Final Operating Capability (FOC).<br />
19.6.4 Document Structure<br />
19.6.4-p1 The <strong>ANWI</strong> Contractor shall produce the <strong>ANWI</strong> design in accordance<br />
with the ‘document structure’ section defined below.<br />
Section<br />
#<br />
Section Title<br />
Executive Summary<br />
Section Description<br />
Provides a managerial description of how the<br />
project’s quality management will be<br />
implemented.<br />
1 Introduction This section explains the purpose <strong>and</strong> overall<br />
objective of the PIP identifying the major<br />
activities to be undertaken in the <strong>ANWI</strong><br />
project.<br />
1.1 Purpose <strong>and</strong> Scope State the purpose of the QAP <strong>and</strong> explicitly<br />
state that this is a living document <strong>and</strong> that it<br />
is to be updated as the project evolves.<br />
1.2 Document<br />
Organization<br />
This section describes the organization of the<br />
QAP.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-465 of 532
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-466 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
1.3 Points of Contact Provides the title <strong>and</strong> organization of the key<br />
points of contact for the quality assurance<br />
activities<br />
1.4 Glossary Includes a glossary of all terms <strong>and</strong><br />
abbreviations used in this document. If the<br />
glossary is several pages in length, it may be<br />
included as an appendix<br />
2 General This section explains how the <strong>ANWI</strong><br />
Contractor will ensure necessary resources<br />
(manpower, facilities, training, equipment<br />
etc.) needed for carrying out the required<br />
activities are provided. The QAP should<br />
address the relationship between the QAP<br />
<strong>and</strong> the Risk Management Plan specifying:<br />
risk analysis, risk mitigation activities, <strong>and</strong> the<br />
methods of risk management.<br />
2.1 Organization <strong>and</strong><br />
Responsibilities<br />
2.2 Quality Management<br />
<strong>System</strong> Activities<br />
2.2.1 Processes (General<br />
requirements)<br />
2.2.2 Documentation<br />
requirements<br />
3 Product Realization<br />
Activities<br />
3.1 Planning of product<br />
realization<br />
This section describes how the quality<br />
requirements for management review will be<br />
fulfilled. It will clearly state how requirements<br />
related to management commitment,<br />
customer focus <strong>and</strong> quality policy are met<br />
This section describes how the requirements<br />
are flowed down to where the work is being<br />
performed (e.g. through work instructions,<br />
computerized production management<br />
system, work orders etc.) <strong>and</strong> focuses on how<br />
the performance of work is expected to be<br />
continuously measured <strong>and</strong> reported to the<br />
<strong>ANWI</strong> Contractor’s management.<br />
This section describes the quality metrics that<br />
will be used for monitoring the effectiveness<br />
of the <strong>ANWI</strong>’s Quality Management<br />
performance under the QAP. It also provides<br />
an audit plan that covers contract specific<br />
processes <strong>and</strong> activities, including those at<br />
sub-suppliers.<br />
This section describes how the QAP is<br />
expected to be maintained <strong>and</strong> controlled<br />
during the contract period as well as how the<br />
required <strong>and</strong>/or involved plans, documents,<br />
procedures etc will be controlled <strong>and</strong> how<br />
project records will be established,<br />
maintained, <strong>and</strong> stored.<br />
This section describes how product<br />
conformance to contract requirements will be<br />
provided (e.g. processes needed,
3.2 Customer related<br />
processes<br />
3.3 Design <strong>and</strong><br />
development<br />
3.4 Control of subsuppliers<br />
3.5 4.7.5 Production <strong>and</strong><br />
service provisioning<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-467 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
requirements for the product, criteria for<br />
product acceptance <strong>and</strong> the method of<br />
inspection, verification, validation etc).<br />
Additionally, the relevant quality activities for<br />
delivery, installation <strong>and</strong> placing into<br />
operational order (commissioning) form part<br />
of this section<br />
This section explains that the <strong>ANWI</strong><br />
Contractor underst<strong>and</strong>s that the Purchaser’s<br />
IV&V will serve as NATO’s QAR <strong>and</strong> how the<br />
<strong>ANWI</strong> Contractor will interface with the NATO<br />
IV&V<br />
This section describes how quality assurance<br />
will be applied <strong>and</strong> recorded with respect to<br />
the design <strong>and</strong> development of the <strong>ANWI</strong>’s<br />
service requirements; as well as how the<br />
design <strong>and</strong> development outputs are<br />
provided, verified, <strong>and</strong> approved.<br />
This section also describes the processes<br />
<strong>and</strong> plans for performing systematic design,<br />
development review, test methods <strong>and</strong><br />
verification <strong>and</strong> validation in order to ensure<br />
that the services meet the requirements <strong>and</strong><br />
how changes are to be controlled forming<br />
part of the requirement.<br />
This section describes how the <strong>ANWI</strong><br />
Contractor will control the service delivery &<br />
implementation information <strong>and</strong> how<br />
requirements are flowed down to subsuppliers,<br />
<strong>and</strong> how verification that the<br />
services meet the requirements are to be<br />
carried out. This also must include a<br />
review/audit plan for the inspection of<br />
incoming products <strong>and</strong>/or services<br />
This section describes the requirements<br />
explaining how validation of processes for<br />
production <strong>and</strong> service provisioning will be<br />
carried out to demonstrate their ability to<br />
achieve planned results. Procedures for<br />
identification of the product should be<br />
included. If product traceability is required,<br />
procedures for control <strong>and</strong> record of the<br />
unique identity of the product should be<br />
defined. The procedures of exercising care<br />
with customer property should be<br />
documented. The methods used to preserve<br />
the conformity of the product should be<br />
described. Contract specific requirements for<br />
storage, preservation <strong>and</strong> h<strong>and</strong>ling should be<br />
N A T O U N C L A S S I F I E D
3.6 Control of monitoring<br />
<strong>and</strong> measuring devices<br />
3.7 Configuration<br />
management<br />
3.8 Reliability <strong>and</strong><br />
Maintainability<br />
4 Measurement,<br />
Analysis <strong>and</strong><br />
Improvement Activities<br />
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-468 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
documented.<br />
This section describes how the <strong>ANWI</strong><br />
Contractor will monitor <strong>and</strong> control testing of<br />
components <strong>and</strong> service deliverables<br />
This section describes how the <strong>ANWI</strong><br />
Contractor will apply the CM practices<br />
(defined in the CMP) to documents, plans,<br />
components <strong>and</strong> service deliverables<br />
This section describes how the <strong>ANWI</strong><br />
Contractor will ensure reliability <strong>and</strong><br />
maintainability of documents, plans,<br />
components <strong>and</strong> service deliverables<br />
This section describes how the <strong>ANWI</strong><br />
Contractor will measure, analyse <strong>and</strong> improve<br />
documents, plans, components <strong>and</strong> service<br />
deliverables<br />
4.1 Customer satisfaction This section describes how the <strong>ANWI</strong><br />
Contractor will demonstrate product<br />
conformity to customer requirements,<br />
processes <strong>and</strong> products, h<strong>and</strong>ling of nonconformities,<br />
customer claims etc<br />
4.2 Internal audit This section describes the <strong>ANWI</strong> Contractor’s<br />
internal auditing mechanisms <strong>and</strong> processes<br />
4.3 Analysis of data This section describes the process the <strong>ANWI</strong><br />
Contractor will use to analyse the<br />
4.4 Control of nonconforming<br />
product<br />
4.5 Certificate of<br />
Conformity<br />
5 NATO Additional<br />
Requirements<br />
This section describes the process the <strong>ANWI</strong><br />
Contractor will use when he determines a<br />
component or service does not conform to the<br />
SOW’s requirements<br />
The requirement is applicable when the<br />
supplier is required to provide Certificate of<br />
Conformity at product release. An example of<br />
a suitable form is found in AQAP2070 Annex<br />
B5.<br />
The requirement includes how information<br />
required by the GQAR <strong>and</strong>/or Acquirer<br />
should be provided.<br />
The requirement includes how the supplier<br />
should perform review, inspection,<br />
verification, validation <strong>and</strong> test activities to<br />
demonstrate product conformity.<br />
6 Referenced<br />
Documents<br />
This section provides the list of QA<br />
documents supporting the QAP<br />
6.1 Contractual documents This section provides the list of other plans<br />
<strong>and</strong> quality related contractual documents<br />
that need to be referred:<br />
<br />
<br />
Project Management Plan<br />
Project Implementation Plan
6.2 Supplier internal<br />
quality related<br />
documents<br />
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Risk Management Plan<br />
Configuration Management Plan<br />
Development Plan<br />
Test <strong>and</strong> Acceptance Plans<br />
This section provides the list of QA internal<br />
guidance that the <strong>ANWI</strong> Contractor used to<br />
create the QAP ( e.g. the QAP should crossreference<br />
the contractor’s internal<br />
mechanisms where functions <strong>and</strong> processes<br />
are clearly described)<br />
6.3 Other documents This section provides the list of any other<br />
relevant documents such as, related plans,<br />
interface documents, procedures <strong>and</strong><br />
documents, including those of sub-suppliers<br />
that contribute to the delivered product as<br />
specified in the contract<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-469 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
19.7 APPENDIX 7: Configuration Management Plan (CMP)<br />
19.7.1 Introduction/Purpose<br />
19.7.1-p1 The Configuration Management programme, the <strong>ANWI</strong> Contractor shall<br />
create a Configuration Management Plan (CMP) that ensures all required elements<br />
of Configuration Management are applied in such a manner as to provide a<br />
comprehensive <strong>and</strong> overall Configuration Management programme.<br />
19.7.1-p2 The <strong>ANWI</strong> Contractor’s Configuration Management programme will<br />
identify the means by which continuity of effort <strong>and</strong> underst<strong>and</strong>ing is achieved within<br />
the Contractor’s organization, <strong>and</strong> between the Contractor <strong>and</strong> the sub-contractors,<br />
as well as between the PM <strong>and</strong> Contractor <strong>and</strong> internally, for the allocated<br />
Configuration Items, integrating, interfacing or otherwise related Configuration Items,<br />
contractor organizations, test <strong>and</strong> evaluation activities, project documentation <strong>and</strong><br />
managers.<br />
19.7.2 Scope/Assumprion<br />
19.7.2-p1 The <strong>ANWI</strong> Contractor shall produce <strong>and</strong> maintain a Configuration<br />
Management Plan (CMP) which shall be used to carry out the Configuration<br />
Management functions (configuration item identification, configuration control,<br />
configuration status accounting, <strong>and</strong> configuration verification) in support of the <strong>ANWI</strong><br />
project.<br />
19.7.2-p2 The <strong>ANWI</strong> Contractor’s CMP shall establish the <strong>ANWI</strong> Contractor’s<br />
internal Configuration Management requirements for the <strong>ANWI</strong> contract deliverables<br />
<strong>and</strong> defines these procedures in the Contractor’s <strong>ANWI</strong> CMP.<br />
19.7.2-p3 The <strong>ANWI</strong> Contractor shall ensure that an effective CM organisation is<br />
established <strong>and</strong> maintained to implement the CMP <strong>and</strong> apply all necessary CM<br />
procedures, in accordance with the requirements <strong>and</strong> guidance applicable for this<br />
contract, throughout the duration of the contract.<br />
19.7.2-p4 The <strong>ANWI</strong> Contractor shall describe the Configuration Management<br />
programme <strong>and</strong> CM organisation in the CMP which is referenced by the Project<br />
Management Plan.<br />
19.7.2-p5 The <strong>ANWI</strong> Contractor shall establish a configuration identification<br />
system for use in the project.<br />
19.7.2-p6 Configuration Item (CI) Identification<br />
A. The <strong>ANWI</strong> Contractor shall designate the set of all management products<br />
<strong>and</strong> specialist products as Configuration Items (CIs).<br />
B. The <strong>ANWI</strong> Contractor shall create a CI tree structure with NNHQ <strong>ANWI</strong><br />
being the top level CI <strong>and</strong> show the relationships between the lower level<br />
CIs.<br />
C. The <strong>ANWI</strong> Contractor’s CI system shall provide the ability to easily trace<br />
higher <strong>and</strong> subordinate CIs using configuration item identifiers<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-470 of 532
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-471 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
D. The <strong>ANWI</strong> Contractor shall provide an explanation of the rationale <strong>and</strong><br />
criteria used in the process of selecting CIs assuring visibility <strong>and</strong> ease of<br />
management throughout the development effort <strong>and</strong> the support to the<br />
operational NNHQ <strong>ANWI</strong> after acceptance (based CI selection criteria on<br />
ACMP-3)<br />
E. Every CI shall have a unique identifier.<br />
F. All Commercial Off The Shelf (COTS), adapted, <strong>and</strong> developed software<br />
shall be designated as CIs.<br />
G. Services as identified in paragraph 2.5.3 shall be identified as CI items<br />
<strong>and</strong> form the top of the CI tree structure.<br />
H. Where COTS can be installed in a modular fashion, the description of the<br />
CI shallunambiguously identify the complete list of installed components.<br />
I. All complete hardware elements shall be designated as CIs.<br />
J. The <strong>ANWI</strong> Contractor shall maintain <strong>and</strong> update all project CIs as<br />
requested through change proposals.<br />
19.7.2-p7 Configuration Control<br />
A. The <strong>ANWI</strong> Contractor shall maintain a version control system as part of its<br />
CMP.<br />
B. The <strong>ANWI</strong> Contractor’s version control system shall allow for the unique<br />
identification of all changes to the CIs, no matter how minor the change.<br />
19.7.2-p8 Configuration Status Accounting (CSA)<br />
A. The <strong>ANWI</strong> Contractor shall be fully responsible for the CSA for all CIs in<br />
accordance with ACMP-4 or his equivalent National procedures.<br />
B. The <strong>ANWI</strong> Contractor shall prepare CSA reports in a manner, <strong>and</strong> format<br />
which shall be proposed by the Contractor in his CMP.<br />
C. The <strong>ANWI</strong> Contractor shall deliver CSA reports to the Purchaser both as<br />
part of management products <strong>and</strong> specialist products in this contract <strong>and</strong><br />
also as st<strong>and</strong>alone documents at the Purchaser's request.<br />
D. The <strong>ANWI</strong> Contractor shall deliver a set of final CSA reports for each CI in<br />
both hard copy <strong>and</strong> in electronic media at FSA.<br />
19.7.2-p9 Configuration Verification<br />
A. The <strong>ANWI</strong> Contractor shall, upon request from the Purchaser, support<br />
configuration audits to demonstrate that the actual status of all CIs<br />
matches the authorised state of CIs as registered in the CSA reports.<br />
19.7.2-p10 Baselines<br />
A. The Purchaser reserves the right to modify the CI structure prior to it being<br />
baselined.<br />
B. The CM Plan shall provide the baselining of ICT into a Developmental<br />
Baseline <strong>and</strong> a Product Baseline <strong>and</strong> the maintenance of these baselines<br />
throughout the duration of the contract.<br />
C. For the purpose of this project, a Baseline is defined as one (or a<br />
consistent set of) CI(s) that has been accepted by the Purchaser <strong>and</strong> that<br />
can therefore be used as the basis for subsequent project activities by the<br />
Purchaser <strong>and</strong> by the Contractor.<br />
D. This section describes the three baselines defined for this project: the<br />
Functional Baseline, the Developmental Baseline, <strong>and</strong> the Product<br />
Baseline.
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
E. The <strong>ANWI</strong> service requirements shall be considered the Functional<br />
Baseline.<br />
F. The Developmental Baseline for NNHQ <strong>ANWI</strong> shall include the NNHQ<br />
<strong>ANWI</strong> Design Documentation, the <strong>System</strong> Test Documentation Package,<br />
Security Documentation set <strong>and</strong> any other documentation deemed<br />
appropriate by the Contractor to ensure NNHQ <strong>ANWI</strong> requirements are<br />
reflected in the system during development <strong>and</strong> integration, can be<br />
demonstrated through a comprehensive set of tests, <strong>and</strong> can be delivered<br />
in the form of the Product Baseline.<br />
G. The <strong>ANWI</strong> Contractor shall deliver the Product Baseline which contains<br />
the configuration documentation of the delivered product CIs at the<br />
activation of the NNHQ <strong>ANWI</strong> <strong>and</strong> at any subsequent releases.<br />
19.7.2-p11 Configuration Management Tools<br />
A. The <strong>ANWI</strong> Contractor shall establish the baselines referred to above using<br />
automated tools.<br />
B. The <strong>ANWI</strong> Contractor shall deliver a version source code control<br />
programme for any custom software development <strong>and</strong> COTS software<br />
customisations.<br />
C. The <strong>ANWI</strong> Contractor shall use the version source code control<br />
programme for any custom software development <strong>and</strong> COTS software<br />
customisations.<br />
19.7.2-p12 The <strong>ANWI</strong> Contractor shall h<strong>and</strong> over the configuration<br />
management tools used to the Purchaser as a part of FSA.<br />
19.7.3 Reporting& Provisioning<br />
19.7.3-p1 The <strong>ANWI</strong> Contractor shall use the review processes described in<br />
Annex K Appendix 1for the CMP.<br />
19.7.3-p2 The <strong>ANWI</strong> Contractor shall deliver the CMP in accordance with the<br />
Schedule of Supplies <strong>and</strong> Services.<br />
19.7.3-p3 The CMP is a ‘living document’ that the <strong>ANWI</strong> Contractor shall maintain<br />
(update <strong>and</strong> adjust the document, as required) from Effective Date of Contract (ED)<br />
through Final Operating Capability (FOC).<br />
19.7.3-p4 The <strong>ANWI</strong> Contractor shall place all baseline documents under<br />
Configuration Control prior to providing them to the Purchaser for acceptance.<br />
19.7.3-p5 Any changes to the Developmental Baseline shall be forwarded to the<br />
Purchaser for approval.<br />
19.7.3-p6 The <strong>ANWI</strong> Contractor shall keep the contents of the Developmental <strong>and</strong><br />
Product Baseline current to reflect the progress of the project activities.<br />
19.7.3-p7 The <strong>ANWI</strong> Contractor shall deliver the Product Baseline documentation<br />
on magnetic media (database) suitable for continued life cycle configuration<br />
management, in a format agreed by the Purchaser.<br />
19.7.3-p8 The acceptance of the Product Baseline by the Purchaser signifies only<br />
that the Purchaser agrees to the <strong>ANWI</strong> Contractor's approach in meeting the<br />
requirements. This acceptance in no way relieves the <strong>ANWI</strong> Contractor from its<br />
responsibilities to meet the requirements stated in this Contract.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-472 of 532
19.7.4 Document Structure<br />
19.7.4-p1<br />
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
The CMP shall be structured according to the format below:<br />
Section Section Title<br />
Section Description<br />
#<br />
1 Introduction<br />
1.1 Purpose <strong>and</strong> Scope State the purpose of the CMP <strong>and</strong> identify the<br />
materiel to which the plan is to be applied <strong>and</strong><br />
the management/acquisition philosophy to<br />
which it is tailored<br />
1.2 Description of the CI This section identifies the CI selection<br />
process, it shall contain:<br />
A description of the selection criteria<br />
<strong>and</strong> the associated rationale employed<br />
to select the CI;<br />
A description of the function of the top<br />
level CI <strong>and</strong> its inter-relationship to<br />
other system functions; <strong>and</strong> a<br />
description of applicable Purchaser<br />
Furnished Equipment/Property;<br />
A description of key lower level CI<br />
(hardware <strong>and</strong> software) including<br />
training devices <strong>and</strong> simulators<br />
showing their relationship to the work<br />
breakdown structure of the complete<br />
project<br />
1.3 Definitions Glossary containing accepted definitions of<br />
terminology<br />
1.4 Project Phasing <strong>and</strong><br />
Milestones<br />
A milestone chart shall be included which<br />
depicts the CM activities <strong>and</strong> their relationship<br />
to the major overall project milestones. The<br />
relationship between events critical to CM<br />
<strong>and</strong> to the schedule / control of the project<br />
shall be specifically defined. This should<br />
include the sequencing of design reviews, the<br />
release of engineering documentation, <strong>and</strong><br />
the start of production, the test programme,<br />
logistic support <strong>and</strong> audit events<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-473 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section Section Title<br />
Section Description<br />
#<br />
1.5 Special Features Addresses major product improvement<br />
programmes which will result in more than<br />
one configuration to be supported in the field<br />
with more than one product baseline, or major<br />
model differences in systems or weapons<br />
designed for varying applications;<br />
preproduction evaluation, use of many<br />
commercial items, use of existing drawings<br />
<strong>and</strong> specifications, or employment of an<br />
integrating contractor) will be described here.<br />
Innovations intended to increase the<br />
effectiveness of the CM programme will also<br />
be described here<br />
2 Organization Provides the relationship <strong>and</strong> integration of<br />
the contractor's project management <strong>and</strong> CM<br />
organizations <strong>and</strong> describe the organizational<br />
relationship of the individuals <strong>and</strong> activities<br />
involved in the CM programme. The<br />
responsibilities of each individual or group<br />
shall be defined as well as the policy<br />
directives that govern the contractors CM<br />
programme<br />
2.1 Project Management<br />
Structure<br />
Provides an organization chart, which<br />
illustrates his project management structure.<br />
The chart, supplemented by a description or<br />
flow diagrams, shall illustrate the<br />
Authority/responsibility of the key<br />
organizational elements impacted by<br />
2.2 Configuration<br />
Management Structure<br />
2.3 Configuration<br />
Management<br />
Personnel<br />
contractual requirements for CM.<br />
Provides charts supplemented by narrative<br />
descriptions shall define the relationships<br />
between activities directly involved in the CM<br />
programme; also identify the<br />
interrelationships, if applicable, among the<br />
contractor's software <strong>and</strong> hardware CM<br />
organizations. Each activity or individual<br />
shown on the organization chart(s) shall be<br />
the subject of a subparagraph, which will<br />
detail the Authority <strong>and</strong> responsibility for<br />
which CM is assigned.<br />
Describe by title <strong>and</strong> qualifications the<br />
positions which shall perform contractor CM<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-474 of 532
Section Section Title<br />
#<br />
2.4 Configuration Control<br />
Board<br />
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section Description<br />
Describe the organisational structure of the<br />
contractor's CC; Interrelationship of CCB if<br />
there is more than one level or separate<br />
software CCB; Membership of the CCB by<br />
organization <strong>and</strong> functional group; <strong>and</strong><br />
effective date of operational status (the CCB<br />
shall be in operational status when the<br />
functional baseline is established).<br />
2.5 Policy Directives Identify all policy directives directly related to<br />
CM<br />
2.6 Reference Documents List only those documents which are referred<br />
to in the CMP<br />
2.7 Subcontractor / Vendor<br />
Control<br />
3 CM Responsibilities<br />
Configuration<br />
Identification <strong>and</strong><br />
Documentation<br />
3.1 Selection <strong>and</strong><br />
Description of the CI<br />
Identifies the methods used for the control of<br />
subcontractors <strong>and</strong> vendors<br />
Describe the methods to be used for<br />
identifying (e.g., naming, marking, numbering)<br />
documents <strong>and</strong> physical items (CI); Methods<br />
to achieve configuration traceability from<br />
requirements to equipment, components,<br />
computer software, facility sites <strong>and</strong> spares<br />
shall also be described. Requirements for the<br />
preparation, submission <strong>and</strong> subsequent<br />
release of PM approved documentation which<br />
defines each of the required baselines shall<br />
also be described in this section. The<br />
contractor's methods under which the<br />
documentation will be prepared <strong>and</strong> released<br />
internally shall also be described<br />
The contractor shall select, recommend <strong>and</strong><br />
obtain the approval of the customer for<br />
potential CI where the CI, or family of CI, shall<br />
be briefly described <strong>and</strong> information provided<br />
in a way to avoid security classification of the<br />
plan, if possible. Sufficient detail shall be<br />
presented to permit a basic underst<strong>and</strong>ing of<br />
the CI <strong>and</strong> their complexities<br />
3.2 Identification of the CI Issues unique identifiers for the CI <strong>and</strong> the<br />
configuration documentation <strong>and</strong> maintain the<br />
configuration identification to facilitate<br />
effective logistics support of items in service<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-475 of 532
Section Section Title<br />
#<br />
3.2.1 Hardware CI<br />
Identification<br />
3.2.2 Computer Software CI<br />
Identification (CSCI)<br />
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-476 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section Description<br />
Describe the plan <strong>and</strong> procedure for HW CI,<br />
part identification, <strong>and</strong> serialisation; list the<br />
criteria used in applying serial numbers; the<br />
contractor's plans <strong>and</strong> identify his procedures<br />
<strong>and</strong> capabilities of generating <strong>and</strong> maintaining<br />
a record which describes the relationship<br />
between the "as designed," "as built," <strong>and</strong> "as<br />
modified" configurations<br />
Part/Item Numbering<br />
NATO Supply Code for Manufactures<br />
Additional Numbering<br />
Serial/LOT Numbering<br />
Each CSCI; The version, release, change<br />
status, <strong>and</strong> any other identification details of<br />
each deliverable item; The version of each<br />
CSCI to which the corresponding software<br />
documentation applies; The software<br />
documentation <strong>and</strong> the computer software<br />
media containing code, software<br />
documentation or both that are placed under<br />
configuration control; <strong>and</strong> the specific version<br />
of software contained on a deliverable<br />
medium, including all changes incorporated<br />
since its last release<br />
Computer Programme Identification<br />
Software File Identification<br />
Source File Identification<br />
Executable File Identification<br />
Patch Identification<br />
Build Identification<br />
Firmware Identification<br />
3.2.3 Documentation CI Describe the plan <strong>and</strong> procedure for<br />
documentation CI, list the criteria used in<br />
applying versioning; the contractor's plans<br />
<strong>and</strong> identify his procedures <strong>and</strong> capabilities of<br />
generating <strong>and</strong> maintaining a record of<br />
managing the creation, updating <strong>and</strong><br />
review/release process for documents like:<br />
Project Management Plan<br />
Project Implementation Plan<br />
Security Risk Assessment<br />
…<br />
3.3 Nomenclature Address the process of nomenclature<br />
assignment <strong>and</strong> the requirements for titling<br />
specifications <strong>and</strong> drawings
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-477 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section Section Title<br />
Section Description<br />
#<br />
3.4 Product Marking <strong>and</strong><br />
labelling.<br />
Describe the method to be used for marking<br />
<strong>and</strong> labelling CIs<br />
3.5 Configuration<br />
Documentation<br />
3.5.1 Document Numbering Describe the assignment of numbers for<br />
documents <strong>and</strong> numbering system to be used<br />
for drawings <strong>and</strong> specifications are stated<br />
here<br />
3.2 Configuration<br />
Baselines<br />
3.2.1 Functional Baseline<br />
(FBL)<br />
3.2.2 Allocated<br />
(development)<br />
Baseline (ABL)<br />
3.2.3 Developmental<br />
Configuration<br />
3.2.4 Product Baseline<br />
(PBL)<br />
Describe <strong>and</strong> document the functional<br />
baseline; outlines the procedure for review<br />
<strong>and</strong> release, <strong>and</strong> the plan for proposing<br />
changes to the baseline<br />
Lists of all existing <strong>and</strong> required specifications<br />
shall be included in specification tree format;<br />
<strong>and</strong> plan for proposing changes to this<br />
baseline shall be outlined; identify existing<br />
specifications or specifications that the<br />
contractor shall prepare for the CI or family of<br />
CI; identify the drawings <strong>and</strong> diagrams that<br />
are a part of or shall be a part of the Allocated<br />
(development) Baseline. A list of interface<br />
control drawings for both hardware <strong>and</strong><br />
software shall be described here or in a<br />
separate appendix<br />
Describes the developmental configuration<br />
management process; change <strong>and</strong> issue<br />
process <strong>and</strong> tracking, reporting, <strong>and</strong><br />
recording problems are maintained for the life<br />
of the contract.<br />
Describes his plans for preparation, review,<br />
release <strong>and</strong> control of the specifications <strong>and</strong><br />
drawings <strong>and</strong> CSCI code st<strong>and</strong>ards; identify<br />
the hardware <strong>and</strong> software specifications<br />
which the contractor shall prepare to establish<br />
the product baseline <strong>and</strong> the format to which<br />
they will be prepared; <strong>and</strong> define the drawing<br />
(interface control drawings <strong>and</strong> the<br />
identification of interface parameters)<br />
practices for application to the CI<br />
3.3 Documentation library. Describes his CI documentation library <strong>and</strong><br />
procedures for controlling the documents<br />
residing within the documentation library<br />
3.4 Drawing library. Describes his drawing library <strong>and</strong> procedures<br />
for controlling the drawings
Section Section Title<br />
#<br />
3.5 Software Development<br />
Library.<br />
3.6 Engineering Release<br />
<strong>System</strong><br />
3.6.1 Engineering Release<br />
Record<br />
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section Description<br />
Describes his software development library<br />
(SDL) <strong>and</strong> the procedures for controlling <strong>and</strong><br />
safeguarding the software residing within the<br />
SDL<br />
Describes his plan to ensure that each<br />
engineering release record (contractor,<br />
subcontractor, or vendor supplied) shall<br />
contain: the CI number <strong>and</strong> serial numbers (if<br />
applicable) of the items affected; <strong>and</strong> for each<br />
document listed, the document number, title,<br />
NSCM number, number of sheets, date of<br />
release, revision index <strong>and</strong> the engineering<br />
change number, if applicable<br />
4 Configuration Control Defines the responsibilities <strong>and</strong> procedures<br />
used within the contractor's organization for<br />
configuration control<br />
4.1 Configuration Control<br />
Board (CCB)<br />
4.2 Configuration Changes<br />
Procedures<br />
Defines the Authority <strong>and</strong> responsibility of the<br />
contractor's CCB<br />
Describes the processes <strong>and</strong> submission of<br />
Engineering Change Proposals (ECP) in<br />
combination with Notice of Revisions (NOR),<br />
<strong>and</strong> Requests For Deviations/ Requests For<br />
Waivers (RFD/RFW) shall be described;<br />
procedures for approving changes to<br />
configuration identification, production, spare<br />
parts, retrofit <strong>and</strong> technical publications<br />
programmes; procedures to ensure feedback<br />
to the purchaser are described; <strong>and</strong> how<br />
changes shall be monitored.<br />
4.2.1 Processing of<br />
Engineering change<br />
proposals.<br />
4.2.2 Notice of Revision.<br />
4.2.3 Request for Deviations<br />
<strong>and</strong> Waivers.<br />
4.3 Parts Substitution. Describes the procedure for parts substitution<br />
<strong>and</strong> how he will obtain approval by the<br />
Purchaser – how it will be used for technology<br />
refresh<br />
4.4 Interface Management Describes the documentation <strong>and</strong> control of<br />
all physical <strong>and</strong> functional interfaces of<br />
systems, equipment, software, facilities <strong>and</strong><br />
installation requirements<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-478 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section Section Title<br />
Section Description<br />
#<br />
4.4.1 Documentation Specifies the documentation to be generated<br />
as part of the interface control <strong>and</strong> identifies<br />
interface parameters on the production<br />
documentation<br />
4.4.2 Interface Control<br />
4.4.3 Interface Control<br />
Working Group<br />
(ICWG)<br />
5 Configuration Status<br />
Accounting <strong>and</strong><br />
Configuration Data<br />
Management.<br />
5.1 Configuration Data<br />
H<strong>and</strong>ling.<br />
Describes his methods for collecting,<br />
recording, processing <strong>and</strong> maintaining data<br />
necessary to provide an adequate<br />
configuration data management <strong>and</strong> status<br />
accounting<br />
5.2 Reporting. Identifies the current approved configuration<br />
documentation <strong>and</strong> configuration identifiers<br />
associated with each CI; Status of proposed<br />
engineering changes from initiation to<br />
implementation; Results of configuration<br />
audits, status, Action items <strong>and</strong> disposition<br />
<strong>and</strong> discrepancies; Status of deviations <strong>and</strong><br />
waivers; traceability of changes from baseline<br />
documentation of each CI; <strong>and</strong> effectiveness<br />
<strong>and</strong> installation status of configuration<br />
changes to all CI at all locations<br />
5.3 Configuration Data<br />
access<br />
5.4 Configuration<br />
Management Metrics.<br />
6 Configuration Audits Describes the plans, procedures <strong>and</strong><br />
documentation, for the conduct of the<br />
Functional <strong>and</strong> Physical Configuration Audits;<br />
the format for reporting results of<br />
configuration audits; <strong>and</strong> schedule periods<br />
<strong>and</strong> agendas for the conduct of CM audits<br />
7 <strong>Technical</strong> Reviews Defines the schedule for <strong>and</strong> the degree of<br />
participation of CM personnel in technical<br />
reviews<br />
8 Abbreviations List of the abbreviations used in the<br />
document<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-479 of 532
N A T O U N C L A S S I F I E D<br />
19.8 APPENDIX 8: Test <strong>and</strong> Acceptance Plan (TAP)<br />
19.8.1 Introduction/Purpose<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-480 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
19.8.1-p1 The purpose of the Test <strong>and</strong> Acceptance Plan (TAP) is to document the<br />
policies <strong>and</strong> procedures that will be used for testing <strong>and</strong> accepting components <strong>and</strong><br />
services in the <strong>ANWI</strong> project.<br />
19.8.2 Scope/Assumptions<br />
19.8.2-p1 The <strong>ANWI</strong> Contractor shall establish <strong>and</strong> maintain Test <strong>and</strong> Acceptance<br />
Plan (TAP) for the project.<br />
19.8.2-p2 The TAP shall address the Contractor’s overall concept of testing <strong>and</strong><br />
accepting the delivered: <strong>ANWI</strong> capabilities, <strong>ANWI</strong> services, <strong>and</strong> the overall <strong>ANWI</strong><br />
system.<br />
19.8.2-p3 The <strong>ANWI</strong> Contractor shall acknowledge in the TAP that testing <strong>and</strong><br />
acceptance are uniquely distinct tasks.<br />
19.8.2-p4 The <strong>ANWI</strong> TAP shall define the set of testing activities to verify a<br />
deliverable’s compliance with the contractual requirements, to demonstrate its<br />
operational suitability, <strong>and</strong> to evaluate its performance to establish benchmarks for<br />
future enhancements.<br />
19.8.2-p5 The <strong>ANWI</strong> Contractor shall have the overall responsibility for meeting<br />
<strong>ANWI</strong> testing requirements <strong>and</strong> conducting all related activities; including the<br />
development of all test documentation required under this contract, the conduct of all<br />
testing, <strong>and</strong> the evaluation <strong>and</strong> documentation of the tests results.<br />
19.8.2-p6 The <strong>ANWI</strong> Contractor’s testing approach shall consist of a series of five<br />
tests to deploy the <strong>ANWI</strong>:<br />
1) Capability Acceptance Tests (CATs). The CAT shall demonstrate that a specific<br />
capability as identified in an appendix meets the operational, functional <strong>and</strong><br />
technical requirements. This testing shall occur in either the ITS or other<br />
Purchaser approved NNHQ campus location that is physically interconnected to<br />
the ITS (e.g. the NNHQ server rooms, the NNHQ, the user space, etc) to<br />
demonstrate the specific capability <strong>and</strong> successfully concludes with the<br />
capability / function being “fit for use” for use by a service <strong>and</strong>/or user.<br />
2) Proof of Concept Testing (PCT).The PCT shall occur at the ITS <strong>and</strong><br />
concentrates on assessing the service catalogue entries of the <strong>ANWI</strong>’s SMC,<br />
UCC, Client Provisioning <strong>and</strong> CDGW services. This test concludes with the<br />
definition of the item for the Service Catalogue <strong>and</strong> a green field accreditation<br />
review. The conclusion of these test results in the validation <strong>and</strong> confirmation<br />
of technical <strong>and</strong> user-related useability features for the SCT <strong>and</strong> <strong>ANWI</strong> Service<br />
Catalogue input.<br />
3) Service Certification Tests (SCT). The SCT shall test the system engineering,<br />
integration, <strong>and</strong> monitoring of the services as delivered <strong>and</strong> monitored in the<br />
NNHQ Network Operations Centre. The successful conclusion of this test<br />
activates an <strong>ANWI</strong> service for use in the NNHQ <strong>and</strong> finalises the Service<br />
Catalogue entry.<br />
4) <strong>System</strong> Activation Testing (SAT). The SAT provides the overall operational<br />
testing of all <strong>ANWI</strong> integrated services offered on the NNHQ site. The
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-481 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
successful conclusion of this test defines the integrated back-end, specific CoI<br />
<strong>and</strong> supplemental services are “fit for purpose”.<br />
5) Final Site Testing (FST). FST focuses on the installation of user devices <strong>and</strong><br />
activation of the user’s requested service catalogue choices to the user<br />
device.<br />
19.8.2-p7 Before each test session the <strong>ANWI</strong> Contractor shall ensure that all<br />
required hardware, software, test equipment, instrumentation, supplies, facilities,<br />
system test documentation <strong>and</strong> personnel are available <strong>and</strong> in place to conduct the<br />
test session.<br />
19.8.2-p8 The Purchaser will monitor <strong>and</strong> inspect the <strong>ANWI</strong> Contractor’s test<br />
activities to ensure compliance.<br />
19.8.2-p9 The <strong>ANWI</strong> Contractor shall develop the necessary <strong>System</strong> Test<br />
Documentation Package for each test.<br />
19.8.2-p10 The <strong>System</strong> Test Documentation Package shall comprise the following<br />
documents:<br />
1) The Test Plan.<br />
2) The Security Test <strong>and</strong> Evaluation Plan (ST&E)<br />
3) The Security Implementation Verification Procedures demonstrating for the<br />
local Security Accreditation Authority (SAA) that the capability <strong>and</strong> service<br />
complies with the proposed <strong>and</strong> agreed security configuration <strong>and</strong> settings.<br />
4) The <strong>System</strong> Version Definition Document consisting of:<br />
a) List of differences between this <strong>and</strong> the previous <strong>System</strong> version.<br />
b) List of capabilities of this <strong>System</strong> version.<br />
c) Guidelines on how to install this <strong>System</strong> version.<br />
d) Breakdown of the system into configuration items (Cis) <strong>and</strong> provision of<br />
accurate identification information for every CI.<br />
5) The description of the ITS (complete list of system Cis to be installed on the<br />
ITS, complete description of the test environment, all configuration<br />
information).<br />
6) The test procedures consisting of:<br />
a) The scenario.<br />
b) ITS objective, by clearly identifying the <strong>ANWI</strong> requirements to be tested<br />
(subset of the Requirements Traceability Matrix) by the test procedure.<br />
c) The NNHQ <strong>ANWI</strong> Cis <strong>and</strong> facilities <strong>and</strong> test equipment involved.<br />
d) Any conditions which shall be satisfied prior to application of the test.<br />
e) A block diagram showing the proposed method of meeting the test<br />
requirements.<br />
f) The data to be collected.<br />
g) The sequence of testing steps in the procedure, to a level of detail that<br />
enables full underst<strong>and</strong>ing by the Purchaser of the purpose <strong>and</strong> effect of<br />
each test step.<br />
h) The expected outcome.<br />
i) The means of measurement or assessment for the test to determine<br />
success.<br />
7) Any submitted test waivers together with supporting material.<br />
8) As needed, an updated system Off-specifications Document
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
a) Off-specification identification.<br />
b) Description of the Off-specification.<br />
c) Related test (if the Off-specification was raised further to a test failure).<br />
d) Severity (Major if to be corrected before deployment, otherwise Minor).<br />
e) Cis affected.<br />
f) Action taken.<br />
g) Fault Resolution status:<br />
i) Open=the Off-specification is identified.<br />
ii) Resolved= remedial action has been taken by the Contractor <strong>and</strong><br />
demonstrated through tests conducted by the Contractor without<br />
official witnessing by the Purchaser.<br />
iii) Closed= the resolution was officially demonstrated to the Purchaser.<br />
h) Comments.<br />
9) The results of the dry-runs performed by the <strong>ANWI</strong> Contractor as a<br />
preparation for the upcoming test session.<br />
19.8.2-p11 The <strong>ANWI</strong> Contractor shall request acceptance of a capability, service,<br />
or system following a successful test, with any <strong>and</strong> all deficiencies corrected.<br />
19.8.2-p12 The acceptance of a capability, service, or system closely follows the<br />
five tests to deploy the <strong>ANWI</strong>:<br />
1) Capability Acceptance Test (CAT) acceptance confirms the successful testing<br />
<strong>and</strong> approved documentation <strong>and</strong> concludes that the capability / function is<br />
agreed “fit for use” by the Purchaser <strong>and</strong> permits the <strong>ANWI</strong> Contractor to<br />
invoice the capability.<br />
2) Proof of Concept Testing (PCT) acceptance agrees the UCC, Client<br />
Provisioning <strong>and</strong> CDM service entries for inclusion on the ICTM Service<br />
Catalogue <strong>and</strong> inclusion into the <strong>ANWI</strong>’s SMC.<br />
3) Service Certification Test acceptance results in the service being added to the<br />
Service Catalogue <strong>and</strong> inclusion into the <strong>ANWI</strong>’s SMC.<br />
4) <strong>System</strong> Activation Testing (SAT) acceptance agrees that all back-end, specific<br />
CoI <strong>and</strong> supplemental services are “fit for purpose” <strong>and</strong> shall permit the <strong>ANWI</strong><br />
Contractor to be able to request the <strong>Initial</strong> Operating Capability meeting.<br />
5) Final Site Testing (FST) acceptance permits the <strong>ANWI</strong> Contractor to request<br />
the Final Operating Capability meeting.<br />
19.8.3 Reporting & Provisioning<br />
19.8.3-p1 The <strong>ANWI</strong> Contractor shall use the review processes described in<br />
Annex K Appendix 1for the TA.<br />
19.8.3-p2 The <strong>ANWI</strong> Contractor shall deliver the TAP in accordance with the<br />
Schedule of Supplies <strong>and</strong> Services.<br />
19.8.3-p3 The <strong>ANWI</strong> Contractor shall update the TAP after each meeting <strong>and</strong><br />
adjust the document throughout the project while the ITS is operational.<br />
19.8.3-p4 The <strong>ANWI</strong> Contractor shall review all test reports <strong>and</strong> have all testing<br />
deficiencies corrected by FOC.<br />
19.8.4 Document Structure<br />
19.8.4-p1<br />
The TAP shall be structured according to the format below:<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-482 of 532
Section<br />
#<br />
Section Title<br />
Executive Summary<br />
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-483 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section Description<br />
Provides a managerial description of the<br />
project’s Test <strong>and</strong> Acceptance concept <strong>and</strong><br />
how the Test <strong>and</strong> Acceptance Plan (TAP) will<br />
be applied to the ITS <strong>and</strong> system<br />
acceptance.<br />
1 Introduction<br />
1.1. Purpose This section identifies <strong>and</strong> explains the<br />
purpose of the TAP.<br />
1.2 Intended Audience Describes the intended audience of the TAP,<br />
including the sub-contractor team <strong>and</strong><br />
dependent projects/PFE testing.<br />
1.3 Glossary Includes a glossary of all terms <strong>and</strong><br />
abbreviations used in this document. If the<br />
glossary is several pages in length, it may be<br />
included as an appendix<br />
2 Integration Testing<br />
Service (ITS)<br />
This section explains the role <strong>and</strong><br />
environment of the ITS, as well as its<br />
manning <strong>and</strong> support requirements.<br />
3 Testing This section identifies the test process from<br />
component through service to system testing<br />
as controlled <strong>and</strong> defined in the configuration<br />
management process<br />
3.1 Approach This section identifies the overall test strategy<br />
<strong>and</strong> is related to configuration management,<br />
change management, configurations, metrics,<br />
tools needed, unique hard/software,<br />
regression testing, <strong>and</strong> process<br />
3.2 Responsibilities This section describes the roles <strong>and</strong><br />
responsibilities of the staff needed to support<br />
the testing facility’s ITS, testing staff <strong>and</strong><br />
actors involved in the testing process<br />
(scheduling, de-conflicting, decision making,<br />
etc)with respect to the suite of <strong>ANWI</strong> testing<br />
steps<br />
3.2.1 Test Manager<br />
3.2.2 Testing Team<br />
3.2.3 NATO QAR<br />
3.2.4 Purchaser Monitor<br />
3.3 Schedule This section identifies the scheduling process<br />
<strong>and</strong> creation of a realistic schedule (showing<br />
planning, development of test cases, setup,<br />
testing, etc). Will also address the planning<br />
impact of schedule slips, failed or stopped<br />
tests <strong>and</strong> how these will be resolved to<br />
minimise the overall impact to the <strong>ANWI</strong><br />
schedule
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-484 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section Section Title<br />
Section Description<br />
#<br />
3.4 Environmental Needs This section identifies any special needs<br />
(power, space, equipment, software, etc) <strong>and</strong><br />
dependent PFE availability<br />
3.5 Reports This section defines the reports <strong>and</strong> records<br />
developed, produced <strong>and</strong> maintained as a<br />
result of the testing process<br />
3.5.1 Test Items This section identifies all items to be tested<br />
<strong>and</strong> implemented in the NNHQ or remote site,<br />
whether it is a client facing or back-end<br />
service<br />
3.5.2 Risk Issues This section identifies the critical areas for<br />
testing:<br />
Interfaces<br />
Security compliance<br />
COTS products<br />
Contractor developed integration<br />
products<br />
Complex functions (e.g. UCC<br />
integration)<br />
Modifications due to changes<br />
Poorly documented modules<br />
as well as misunderst<strong>and</strong>ing <strong>ANWI</strong> original<br />
requirements.<br />
3.5.3 Features to be Tested This section lists the user <strong>and</strong> service<br />
functions to test based on what the <strong>ANWI</strong> is<br />
to do with associated risk level for each<br />
component , software item, integration aspect<br />
<strong>and</strong> service<br />
3.5.4 Features not to be<br />
Tested<br />
This section lists what is not to be tested from<br />
a configuration management /version control<br />
view of the component or service or system. It<br />
will include an explanation why the item is not<br />
to be tested<br />
3.5.5 Test Case Reports This section defines how the test cases are to<br />
be documented <strong>and</strong> recorded<br />
This section identifies the need for special<br />
skills <strong>and</strong> Purchaser support<br />
3.6 Staffing <strong>and</strong> Training<br />
Needs<br />
4 Testing Prerequisites This section outlines the requirements to be<br />
satisfied <strong>and</strong> implemented prior to testing<br />
4.1 Quality Assurance Refers to the QAP needs <strong>and</strong> requirements<br />
for testing a service<br />
4.2 Test Cases This section addresses the review <strong>and</strong><br />
acceptance process of the test cases<br />
4.3 Test Data This section identifies any test data<br />
requirements <strong>and</strong> who is responsible for<br />
providing what data
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section Section Title<br />
Section Description<br />
#<br />
5 Test Procedures<br />
5.1 Test Schedule This section identifies the testing periods<br />
5.2 Planning Risks <strong>and</strong><br />
Contingencies<br />
This section relates testing to the Risk<br />
Management Plan <strong>and</strong> addresses how the<br />
risks are to be addressed <strong>and</strong>/or mitigated<br />
5.2 Test Results This section identifies the documenting of the<br />
test results<br />
5.2.1 Item Pass/Fail Criteria This section identifies the completion criteria<br />
for the service in terms of entrance <strong>and</strong> exit<br />
criteria <strong>and</strong> resolution of test deficiencies<br />
5.2.2 Suspension Criteria<br />
<strong>and</strong> Resumption<br />
Requirements<br />
This section explains when a test will be<br />
paused; specifies what constitutes a<br />
stoppage; <strong>and</strong> what is the acceptable level of<br />
deficiencies/defects that are accepted before<br />
a test is stopped. This section also explains<br />
the actions that will take place when testing is<br />
paused or stopped.<br />
5.2.3 Test Deliverables This section identifies the test deliverables<br />
before during <strong>and</strong> after:<br />
Test plan<br />
Test cases<br />
Test design specification &<br />
configuration<br />
Interfaces<br />
Restore points<br />
Logs (error <strong>and</strong> execution)<br />
Reports (errors, problems, corrective<br />
actions, successes)<br />
5.2.4 Remaining Test Tasks This section describes the steps/stages of the<br />
<strong>ANWI</strong> testing from components to service to<br />
integrated system<br />
5.3 Corrective Actions This section addresses how corrective<br />
actions will be addressed <strong>and</strong> processed<br />
5.4 Acceptance <strong>and</strong><br />
Release<br />
This section defines the steps needed to<br />
determine if a component or service has<br />
passed all tests <strong>and</strong> is ready for the<br />
production environment <strong>and</strong> acceptance by<br />
the Purchaser<br />
5.5 Suspend Testing This section identifies the criteria to end<br />
testing <strong>and</strong> close the ITS<br />
5.6 Documentation Provides the comprehensive list of<br />
documentation defines as the ‘<strong>System</strong> Test<br />
Documentation Package’<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-485 of 532
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-486 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
19.9 APPENDIX 9: Integrated Logistics Support Plan (ILSP)<br />
19.9.1 Introduction/Purpose<br />
19.9.1-p1 The purpose of the Integrated Logistics Support Plan (ILSP) is to<br />
document how the <strong>ANWI</strong> Contractor will provide logistics, operations <strong>and</strong><br />
maintenance support for the NNHQ.<br />
19.9.1-p2 The ILSP will address all service models applicable to the <strong>ANWI</strong>: NATO<br />
Owned NATO Operated (NONO) NATO Owned Contractor Operated (NOCO) <strong>and</strong><br />
Contractor Owned Contractor Operated (COCO), as COCO services are identified<br />
<strong>and</strong> NOCO service selections will be decided based on a combination of Total Cost<br />
of Ownership (TCO) <strong>and</strong> NATO’s need to operate the selected service(s).<br />
19.9.2 Scope/Assumptions<br />
19.9.2-p1 The <strong>ANWI</strong> Contractor shall develop <strong>and</strong> maintain an <strong>ANWI</strong> Integrated<br />
Logistics Support Plan (ILSP).<br />
19.9.2-p2 The <strong>ANWI</strong> Contractor provided ILSP shall detail how Integrated<br />
Logistics Support is provided to the Purchaser.<br />
19.9.2-p3 The Contractor shall maintain <strong>and</strong> update the ILSP as required to reflect<br />
changes in the Project Baselines, in the SOW, or in support arrangements for any<br />
NNHQ <strong>ANWI</strong> Configuration Items.<br />
19.9.3 Reporting & Provisioning<br />
19.9.3-p1 The <strong>ANWI</strong> Contractor shall provide the initial version of the ILSP to the<br />
Purchaser for acceptance.<br />
19.9.3-p2 The Purchaser’s acceptance of the ILSP only signifies that the<br />
Purchaser agrees to the Contractor’s approach in meeting the requirements <strong>and</strong> this<br />
acceptance in no way relieves the Contractor from its responsibilities to meet the<br />
requirements stated in this Contract.<br />
19.9.3-p3 The <strong>ANWI</strong> Contractor shall use the review processes described in<br />
Annex K Appendix 1for the ILSP.<br />
19.9.3-p4 The <strong>ANWI</strong> Contractor shall deliver the ILSP in accordance with the<br />
Schedule of Supplies <strong>and</strong> Services.<br />
19.9.3-p5<br />
FSA.<br />
19.9.3-p6<br />
lifetime.<br />
The <strong>ANWI</strong> Contractor shall review the ILSP as part of IOC, FOC <strong>and</strong><br />
The <strong>ANWI</strong> Contractor ILSP shall be provided throughout the contract’s<br />
19.9.4 Document Structure<br />
19.9.4-p1<br />
Section<br />
#<br />
The PIP shall be structured according to the format below:<br />
Section Title<br />
Executive Summary<br />
Section Description<br />
Provides a managerial description of how the<br />
project’s Integrated Logistics Support will be
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-487 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
implemented.<br />
1 Introduction This section explains the purpose <strong>and</strong> overall<br />
objective of the ILSP <strong>and</strong> identifies the major<br />
activities to be undertaken in supporting the<br />
<strong>ANWI</strong> project.<br />
1.1 Purpose <strong>and</strong> Scope State the purpose of the ILSP <strong>and</strong> explicitly<br />
state that this is a living document <strong>and</strong> that it<br />
is to be updated as the project evolves.<br />
1.2 Document<br />
Organization<br />
This section describes the organization of the<br />
ILSP.<br />
1.3 Points of Contact Provides the title <strong>and</strong> organization of the key<br />
points of contact for the production, analysis<br />
<strong>and</strong> assertions made in the ILSP<br />
1.4 Glossary Includes a glossary of all terms <strong>and</strong><br />
abbreviations used in this document. If the<br />
glossary is several pages in length, it may be<br />
included as an appendix<br />
2 Delivery of equipment This section identifies the physical delivery of<br />
equipment <strong>and</strong> processes to ensure that the<br />
warranty will not become void prior to<br />
expiration<br />
3 Supporting<br />
documentation<br />
4 <strong>System</strong> Operations<br />
<strong>and</strong> Maintenance<br />
4.1 NATO Owned NATO<br />
Operated (NONO)<br />
4.2 NATO Owned<br />
Contractor Operated<br />
(NOCO)<br />
4.3 Contractor Owned<br />
Contractor Operated<br />
(COCO)<br />
This section identifies the documents that<br />
shall be provided with the COTS equipment<br />
(hard/software)<br />
This section addresses the provision of <strong>ANWI</strong><br />
systems operations <strong>and</strong> maintenance<br />
This section addresses the warranty,<br />
licensing <strong>and</strong> training requirements of a<br />
NONO provided service<br />
This section addresses the warranty <strong>and</strong><br />
licensing requirements of a NOCO provided<br />
service <strong>and</strong> how the <strong>ANWI</strong> Contractor will<br />
provide the service in accordance with the<br />
SLA <strong>and</strong> SLTs<br />
This section addresses the SLA <strong>and</strong> SLT<br />
metrics for the COCO provided service, as<br />
well as contact information for<br />
issues/problems<br />
4.4 Warranty & Licenses This section provides all warranty information<br />
for NATO owned hard/software, providing<br />
contact information, terms of agreement,<br />
effective dates of warranty, etc.<br />
4.5 Training This section addresses any training provided<br />
for NATO operated hard/software. It will<br />
address the training strategy, class modules,<br />
instructor modules, student/instructor material<br />
<strong>and</strong> the right for NATO to reproduce it to train
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
5 Compliancy with the<br />
ILS based Service<br />
Level Targets (SLTs)<br />
NATO staff without extra cost or limitation<br />
This section addresses how the SLTs will be<br />
managed via the Service Desk<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-488 of 532
N A T O U N C L A S S I F I E D<br />
19.10 APPENDIX 10: NATO Material Data Sheet<br />
19.10.1 Introduction/Purpose<br />
Item Description<br />
1 Contract Line Item Identification Number (CLIN).<br />
2 NATO Stock Number (NSN, if known).<br />
3 Item Name.<br />
4 Expendable or Non-Expendable Code.<br />
5 True Manufacturer Part Identification.<br />
6 True Manufacturer code or complete name <strong>and</strong> address.<br />
7 Vendor/Contractor Code or complete name <strong>and</strong> address.<br />
8 Vendor/Contractor part number.<br />
9 Quantity ordered.<br />
10 Order Unit<br />
11 Serialized item tag.<br />
12 Serial Number.<br />
13 Software Revision Level.<br />
14 Hardware Revision Level.<br />
15 Other Serial Number Attributes.<br />
16 Accountable Item Flag.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-489 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
19.10.1-p1 The purpose of the NATO Material Data Sheet is to support the<br />
<strong>ANWI</strong> <strong>and</strong> NNHQ inventory process.<br />
19.10.2 Scope/Assumptions<br />
19.10.2-p1 The <strong>ANWI</strong> Contractor shall ensure the provision of an inventory<br />
down to the Lowest Replaceable Unit (LRU) level of all the equipment, software,<br />
training <strong>and</strong> other documentation supplied.<br />
19.10.3 Reporting & Provisioning<br />
19.10.3-p1 The <strong>ANWI</strong> Contractor shall create a codification numbering system<br />
(as described in Clause 33 of the NC3O General Provisions) unless an adequate<br />
COTS manufacturer’s identification numbering system is in place <strong>and</strong> will be used.<br />
19.10.3-p2 The <strong>ANWI</strong> Contractor shall deliver the applicable NATO Material<br />
Data Sheet not later than ten (10) working days prior to the first shipment of the<br />
equipment to the Purchaser<br />
19.10.3-p3 The <strong>ANWI</strong> Contractor shall deliver the NATO Material Data<br />
information for each item in Microsoft Excel format.<br />
19.10.3-p4<br />
Contractor.<br />
19.10.3-p5<br />
portal.<br />
19.10.4 Data Sheet Structure<br />
The Purchaser will provide a copy of the template to the <strong>ANWI</strong><br />
The <strong>ANWI</strong> Contractor shall post a softcopy of the inventory on the<br />
19.10.4-p1 The NATO Material Data Sheet’s inventory information shall, as a<br />
minimum, include the following data elements:
N A T O U N C L A S S I F I E D<br />
17 Currency.<br />
18 Price.<br />
19 Warranty Expiration Date.<br />
20 Receiving/ Inspection Depot<br />
21 Issue to customer flag<br />
22 Extended Line Item Description (if applicable).<br />
23 Part Number of Next Higher Assembly.<br />
24 Quantity in Next Higher Assembly.<br />
25 Test<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-490 of 532
N A T O U N C L A S S I F I E D<br />
19.11 APPENDIX 11: Security Risk Assessment<br />
19.11.1 Introduction/Purpose<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-491 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
19.11.1-p1 The purpose of the Security Risk Assessment (SRA) is to identify<br />
the risks that exist, identify the current security posture of the <strong>ANWI</strong>’s ICT in respect<br />
to storing, processing or communicating information, <strong>and</strong> then assemble the<br />
information necessary for the selection of effective security countermeasures, based<br />
upon NATO security policy <strong>and</strong> supporting directives <strong>and</strong> guidance.<br />
19.11.1 -p2 ‘Progressive risk assessment’ is a mainstay of the accreditation<br />
process <strong>and</strong> will be delivered as a series of SRAs. The SRA is key to the<br />
identification of security risks (i.e. the threats, vulnerabilities <strong>and</strong> associated adverse<br />
impacts upon the ICT infrastructure). These risk assessments will determine the<br />
magnitude of residual risk <strong>and</strong> identify areas that need additional safeguards or<br />
countermeasures (which, in turn, identify specific security ‘requirements’) to be<br />
implemented.<br />
19.11.2 Scope/Assumptions<br />
19.11.2-p1 The <strong>ANWI</strong> Contractor shall produce <strong>and</strong> maintain the SRA covering<br />
the scope of the full systems/solutions, from the first design review through final<br />
operating capability (FOC).<br />
19.11.2-p2 The SRA shall include a ‘high-level’ assessment of risks associated<br />
with any of the deployed technologies to be used within the design. Specific<br />
evaluation of these technologies is needed to ensure that they do not compromise<br />
the overall design.<br />
19.11.2-p3 The SRA shall also provide an overall assessment of the <strong>ANWI</strong>,<br />
which addresses:<br />
1) the environment for technical information security measures<br />
2) The impact of the <strong>ANWI</strong> upon the electronic security system (ESS), which<br />
integrates all physical security measures (cameras, intruder detection sensors,<br />
access control devices) <strong>and</strong> provides communications between these<br />
components over a single (connected) IP environment.<br />
3) the impact of the <strong>ANWI</strong> upon the AVI <strong>and</strong> VTC systems, which integrate all<br />
video cameras, room display devices (projectors, Visual Display Unit, etc.)<br />
other audio visual equipment <strong>and</strong> any remote VTC connectivity for meetings<br />
<strong>and</strong> provides communications <strong>and</strong> storage between these components over a<br />
single (connected) IP environment.<br />
4) the cross domain modules <strong>and</strong> influence of NCIRC <strong>and</strong> NPKI<br />
5) the <strong>ANWI</strong> services, <strong>and</strong><br />
6) the arrangements for system management <strong>and</strong> control (SMC).<br />
19.11.3 Reporting& Provisioning<br />
19.11.3-p1 The <strong>ANWI</strong> Contractor shall use the review processes described in<br />
Annex K Appendix 1for the SRA.<br />
19.11.3-p2 The <strong>ANWI</strong> Contractor shall deliver the SRA in accordance with the<br />
Schedule of Supplies <strong>and</strong> Services.
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-492 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
19.11.3-p3 The <strong>ANWI</strong> Contractor shall update the SRA after each design<br />
review <strong>and</strong> adjust the document throughout the implementation period to FOC.<br />
19.11.4 Document Structure<br />
19.11.4-p1 The SRA, supported by the risk management processes, will follow<br />
a structured approach (<strong>and</strong> may use an automated tool, where appropriate) <strong>and</strong> will<br />
include a description of the countermeasures to be implemented, <strong>and</strong> a description of<br />
the residual risk.<br />
19.11.4-p2<br />
Section<br />
#<br />
The SRA shall be structured according to the format below:<br />
Section Title<br />
Executive Summary<br />
Section Description<br />
Provides a managerial description of the<br />
project <strong>and</strong> an overview of the framework<br />
used to develop the conceptual <strong>ANWI</strong><br />
design.<br />
1 Introduction This section explains the overall purpose <strong>and</strong><br />
objective of the SRA identifying what the<br />
<strong>ANWI</strong> delivers, the associated risks, <strong>and</strong> what<br />
is being done to reduce the risk.<br />
1.1 Purpose <strong>and</strong> Scope State the purpose of the SRA <strong>and</strong> explicitly<br />
state that this is a living document <strong>and</strong> that it<br />
is to be updated as the design evolves <strong>and</strong><br />
the risks <strong>and</strong> threats change.<br />
1.2 Document<br />
Organization<br />
This section describes the organization of the<br />
SRA.<br />
1.3 Points of Contact Provides the title <strong>and</strong> organization of the key<br />
points of contact for the production, analysis<br />
<strong>and</strong> assertions made in the SRA<br />
1.4 Glossary Includes a glossary of all terms <strong>and</strong><br />
abbreviations used in this document. If the<br />
glossary is several pages in length, it may be<br />
included as an appendix<br />
2 <strong>System</strong>/Component Identification of the system <strong>and</strong> associated<br />
system component(s) that is the subject of<br />
the risk assessment<br />
3 Security Relevance Identify whether or not (<strong>and</strong> if so, how) this<br />
system/ component:<br />
1. Enforces or supports a particular security<br />
mechanism that will be used to provide a<br />
security service within the NNHQ (if so, what<br />
security mechanism is involved).<br />
2. Is intended for use as part of the security<br />
system <strong>and</strong> supports information assurance<br />
3. Uses other security services as part of its<br />
functionality<br />
4. Relies upon security mechanisms provided
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
by others<br />
5. Provides security mechanisms that are<br />
used by others<br />
4 Security-relevant data Identify the nature <strong>and</strong> classification of data<br />
that will be processed by or used by the<br />
system/component<br />
5 Vulnerability Describe the potential<br />
vulnerability/vulnerabilities of the solution <strong>and</strong><br />
how this might affect the overall security<br />
posture of the NNHQ’s <strong>ANWI</strong><br />
6 Probability of<br />
exploitation<br />
Assess the likelihood that each vulnerability<br />
will be exploited <strong>and</strong> identify any known<br />
attack mechanisms or methods that might be<br />
employed<br />
7 Security Risk Qualitative assessment of the initial risk<br />
(Low/Medium/ High), with attendant<br />
justification<br />
8 Mitigation measures/<br />
security ‘requirements’<br />
Define any security requirements or<br />
countermeasures that, if employed, would<br />
address/mitigate the effects of the security<br />
risk identified<br />
9 Residual Risk Re-assess the security risk if the<br />
countermeasures were to be in place<br />
(Low/Med/High), explaining how the<br />
mitigating measures decrease the risk (i.e the<br />
vulnerability <strong>and</strong>/or the probability of<br />
occurrence)<br />
10 Recommendations Identify any necessary recommendations<br />
associated with the solution that would<br />
maintain or enhance the security of the<br />
system/component in question<br />
11 Conclusions Present a summary of key findings <strong>and</strong><br />
recommendations that ‘must’ be observed to<br />
preserve the security posture of the solution<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-493 of 532
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-494 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
19.12 APPENDIX 12: Security Test <strong>and</strong> Evaluation (ST&E) Plan<br />
19.12.1 Introduction/Purpose<br />
19.12.1-p1 The purpose of the Security Test <strong>and</strong> Evaluation (ST&E) Plan is to<br />
document the policies <strong>and</strong> procedures that will be used for the security testing <strong>and</strong><br />
evaluation of components <strong>and</strong> services in the <strong>ANWI</strong> project.<br />
19.12.1-p2 The ST&E is to address the <strong>ANWI</strong>‘s confidentiality, integrity, <strong>and</strong><br />
availability requirements providing the necessary security protection to secure <strong>and</strong><br />
accredit the system.<br />
19.12.1-p3 Risk must be considered as those items that will possibility result in<br />
a negative impact on the project, be it decreased quality, increased cost, delays, or<br />
failure.<br />
19.12.2 Scope/Assumptions<br />
19.12.2-p1 The <strong>ANWI</strong> Contractor shall provide <strong>and</strong> maintain a Security Test<br />
<strong>and</strong> Evaluation (ST&E) Plan that details the tests by which he will demonstrate<br />
compliance with the security requirements of the Certificate Practice Statement<br />
(CPS), <strong>System</strong>-specific Security Requirement Statement (SSRS), <strong>and</strong> <strong>System</strong><br />
Interconnection Security Requirement Statement (SISRS).<br />
19.12.2-p2 The ST&E shall address the following types of testing.<br />
A. Demonstration – the evaluation by operation, movement, or adjustment<br />
under a specific condition to determine the capability to satisfy a stated<br />
requirement.<br />
B. Inspection – the physical examination or review of the feature, such as<br />
review of a configuration file or software version number/patch level.<br />
C. Test – the collection, analysis, <strong>and</strong> evaluation through systematic h<strong>and</strong>son<br />
measurement under appropriate conditions<br />
D. Develop<br />
19.12.2-p3 The <strong>ANWI</strong> shall use appropriate security test procedures to support:<br />
A. functional testing<br />
B. system integration testing<br />
C. stress testing<br />
D. vulnerability analysis<br />
19.12.2-p4 The ST&E’s test results shall be sufficient to obtainthe accreditation<br />
of the <strong>ANWI</strong>’s design <strong>and</strong> services; ultimately allowing the <strong>ANWI</strong> to be implemented<br />
<strong>and</strong> made available to users.<br />
19.12.3 Reporting & Provisioning<br />
19.12.3-p1 The <strong>ANWI</strong> Contractor shall use the review processes described in<br />
Annex K Appendix 1for the ST&E Plan.<br />
19.12.3-p2 The <strong>ANWI</strong> Contractor shall deliver the ST&E Plan in accordance<br />
with the Schedule of Supplies <strong>and</strong> Services.<br />
19.12.3-p3 The <strong>ANWI</strong> Contractor shall maintain the ST&E Plan throughout the<br />
contract duration.
19.12.4 Document Structure<br />
19.12.4-p1<br />
Section<br />
#<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-495 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
The ST&E shall be structured according to the format below:<br />
Section Title<br />
Executive Summary<br />
Section Description<br />
Provides a managerial description of the<br />
project’s Security Test <strong>and</strong> Evaluation<br />
concept <strong>and</strong> how the ST&E will be applied to<br />
the ITS <strong>and</strong> system acceptance.<br />
1 Introduction The section identifies that the results in this<br />
document address the potential<br />
vulnerabilities, <strong>and</strong> identification <strong>and</strong><br />
validation of security controls <strong>and</strong> risk-based<br />
controls documented in the <strong>ANWI</strong>’s Security<br />
Risk Assessment (RSA)<br />
1.1. Purpose This section identifies <strong>and</strong> explains that the<br />
purpose of the ST&E is to verify the<br />
compliance with security policy guidelines<br />
<strong>and</strong> evaluation their effectiveness against<br />
anticipated threats.<br />
1.2 Intended Audience Describes the intended audience of the<br />
ST&E, including the sub-contractor team <strong>and</strong><br />
dependent projects/PFE testing.<br />
1.3 Glossary Includes a glossary of all terms <strong>and</strong><br />
abbreviations used in this document. If the<br />
glossary is several pages in length, it may be<br />
included as an appendix<br />
2 Integration Testing<br />
Service (ITS)<br />
This section explains the role <strong>and</strong><br />
environment of the ITS, as well as its<br />
manning <strong>and</strong> support requirements.<br />
3 ST&E Requirements This section identifies the criteria that the<br />
<strong>ANWI</strong> components <strong>and</strong> services are to be<br />
tested against (SRA, certification/<br />
accreditation assessments, configuration<br />
management, system/core information<br />
integrity, media protection, network access<br />
controls, identification <strong>and</strong> authentication,<br />
audit <strong>and</strong> accountability, etc)<br />
4 ST&E Team<br />
4.1 Composition This section identifies the composition of the<br />
ST&E team<br />
4.2 Roles <strong>and</strong><br />
Responsibilities<br />
4.3 External (Purchaser)<br />
Support<br />
This section provides the responsibilities for<br />
each team role<br />
This section identifies what expertise is<br />
required <strong>and</strong> when to monitor <strong>and</strong> approve<br />
the test results<br />
5 ST&E Approach This section identifies the test process from<br />
component through service to system testing<br />
as controlled <strong>and</strong> defined in the configuration<br />
N A T O U N C L A S S I F I E D
Section<br />
#<br />
Section Title<br />
5.1 Operational Service<br />
Approach<br />
5.2 <strong>System</strong> Tests <strong>and</strong><br />
Protocols<br />
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section Description<br />
management process with regard to how well<br />
the <strong>ANWI</strong> supports the security requirements<br />
<strong>and</strong> identifies any unsupported requirements<br />
or requirements that are not fully supported<br />
per the Security Risk Assessment<br />
This section will address any testing that<br />
interfaces with a currently operational service<br />
explaining that the test approach was<br />
designed to avoid possible disruption to<br />
ongoing activities <strong>and</strong> uses a non-intrusive<br />
set of tests.<br />
This section addresses the types of test plans<br />
<strong>and</strong> that the results will need to be reviewed y<br />
the Security Accreditation Authority (SAA)<br />
<strong>and</strong> that the results & recommendations from<br />
these tests will be reported<br />
5.2.1 Operational Tests This section identifies that these type of tests<br />
focus on demonstrating that operational<br />
requirements have been met <strong>and</strong> that a<br />
mitigation plan has been developed <strong>and</strong><br />
accepted to resolve deficiencies<br />
demonstrating that the <strong>ANWI</strong> is operationally<br />
effective <strong>and</strong> operationally suitable for use<br />
<strong>and</strong> more importantly that the services are<br />
ready to be certified <strong>and</strong> accredited.<br />
5.2.2 Penetration Test This section explains that penetration tests<br />
will be performed by attempting to circumvent<br />
the <strong>ANWI</strong> security features to gain access to<br />
the services <strong>and</strong> should be monitored by the<br />
Purchaser’s SAA<br />
5.2.3 <strong>System</strong> Test This section defines the series of tests that<br />
will verify the <strong>ANWI</strong> meets its specified<br />
requirements. Subsets of this test (per NCIA<br />
testing) are operational tests, integration tests<br />
<strong>and</strong> user acceptance tests where each test<br />
satisfied the functional <strong>and</strong> non-functional<br />
requirements associated with the service.<br />
5.2.4 Vulnerability Test This section addresses how the tester will try<br />
<strong>and</strong> identify security vulnerabilities that may<br />
compromise the <strong>ANWI</strong> by using an approved<br />
vulnerability scanning method. These may<br />
include, but are not limited to, port scans,<br />
available services, password checks, <strong>and</strong><br />
system patches<br />
5.3 Testing This section identifies the testing process<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-496 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section Section Title<br />
Section Description<br />
#<br />
5.3.1 Test Procedures This section addresses the tests to be used to<br />
verify the <strong>ANWI</strong>’s compliance with the<br />
security measures <strong>and</strong> that each test<br />
procedure is traceable to a security<br />
specification <strong>and</strong> addresses all of the security<br />
requirements without ambiguous results.<br />
5.3.2 Corrective Actions This section documents the process <strong>and</strong> plan<br />
for corrective actions resulting from an ST&E<br />
<strong>and</strong> how the contractor will implement <strong>and</strong><br />
manage the corrective action plan<br />
5.4 Schedule<br />
6 ST&E Results This section documents the ST&E results in a<br />
tabular form based on the security testing<br />
requirements (e.g. NIST SP 800)<br />
Annex Vulnerability<br />
Assessment<br />
This section provides the result of the<br />
vulnerability scan<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-497 of 532
N A T O U N C L A S S I F I E D<br />
19.13 APPENDIX 13: Security Documentation Input<br />
19.13.1 Introduction/pPurpose<br />
19.13.1-p1<br />
use.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-498 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
The <strong>ANWI</strong> <strong>and</strong> its components must be accredited by NATO prior to<br />
19.13.1-p2 The <strong>ANWI</strong> accreditation process requires technical information<br />
supporting the design <strong>and</strong> implementation to produce the following elements of the<br />
security Accreditation Document Set (ADS): <strong>System</strong> Security Requirement Statement<br />
(SSRS), the <strong>System</strong> Interconnection Security Requirement Statement (SISRS) <strong>and</strong><br />
Security Operating Procedures (SecOPs).These documents, together with the SRA<br />
(Annex K, Appendix 11) <strong>and</strong> ST&E (Annex K, Appendix 12), constitute the “Security<br />
Documentation Input” for the <strong>ANWI</strong><br />
19.13.1-p3 The Purchaser is responsible for the submission <strong>and</strong> securing of the<br />
<strong>ANWI</strong>’s accreditationwith the <strong>System</strong> Accreditation Authority (SAA).<br />
19.13.1-p4 The <strong>ANWI</strong> Contractor shall provide the above ADS elements,<br />
containing such technical details as are appropriate to describe the essential<br />
technical input for the purpose of supporting the accreditation process for the <strong>ANWI</strong>.<br />
19.13.2 Scope/Assumptions<br />
19.13.2-p1 The Security Risk Assessment (SRA, Annex K Appendix 11) serves<br />
as the assessment foundation for the security design, in that it identifies residual risks<br />
<strong>and</strong> informs the need for mitigation/countermeasures to be fed-back into the design.<br />
The final SRA, reflecting the implemented design solutions, together with the final<br />
ST&E are both constituent parts of the final Security Documentation Input.<br />
19.13.2-p2 The Security Documentation Input document shall provide the<br />
content for the <strong>ANWI</strong>’s accreditation based on the <strong>ANWI</strong>’s security design <strong>and</strong><br />
including the detailed implementation descriptions that address <strong>and</strong> describe the<br />
security measures <strong>and</strong> countermeasures to be implemented in the <strong>ANWI</strong>.<br />
A. The SSRS portion of this document identifies the technical implementation<br />
of security features related to the storing, processing or transmitting of<br />
NATO classified information within the <strong>ANWI</strong>, within each of its security<br />
domains <strong>and</strong> within each service. It is acceptable to reference established<br />
& published external documents (technical st<strong>and</strong>ards, ‘as built’, design,<br />
etc.) rather than reproducing or quoting the full source document directly.<br />
B. The SISRS portion of this document identifies each network/security<br />
domain interconnection <strong>and</strong> its technical interconnection requirements<br />
providing the security agreement between the two parties.<br />
C. The SecOPs portion of this document specifies the detailed procedures to<br />
be followed thus ensuring that the <strong>ANWI</strong> is operated in a secure manner.<br />
19.13.2-p3 The <strong>ANWI</strong> contractor is required to provide support to the<br />
accreditation process (in addition to the technical input to various ADS elements<br />
described above), as defined within the NNHQ Security Accreditation Directive<br />
(Reference 1.1.1.7.2) paras 60 – 72. An <strong>ANWI</strong> Contractor staff with technical<br />
knowledge of the installation, system, components <strong>and</strong> services shall attend one (1)<br />
NATO security meeting a month (1/2 day) to address security matters supporting the<br />
<strong>ANWI</strong>’s accreditation.
19.13.3 Reporting& Provisioning<br />
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-499 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
19.13.3-p1 The <strong>ANWI</strong> Contractor shall use the review processes described in<br />
Annex K Appendix 1for the security documentation.<br />
19.13.3-p2 The Contractor shall deliver the security document in accordance<br />
with the Schedule of Supplies <strong>and</strong> Services.<br />
19.13.3-p3 The <strong>ANWI</strong> Contractor shall deliver the appropriate parts of this<br />
document (Security Documentation Input) immediately after each design session;<br />
adjust the document, as required, after a service’s testing; <strong>and</strong> as needed during the<br />
period <strong>Initial</strong> Operating Capability (IOC) through Final Operating Capability (FOC).<br />
19.13.3-p4<br />
format below:<br />
The security document input shall be structured according to the<br />
Section Section Title<br />
Section Description<br />
#<br />
Executive Summary Provides a managerial description of the<br />
1 Introduction This section identifies the <strong>ANWI</strong> <strong>and</strong> a brief<br />
description of the overall concept <strong>and</strong> role of<br />
the <strong>ANWI</strong>.<br />
1.1 Purpose <strong>and</strong> Scope This section provides the overview of what it<br />
means for the <strong>ANWI</strong> to be secure <strong>and</strong><br />
identifies how security is to be achieved; as<br />
well as stating that this document will be used<br />
as a reference point for security reviews <strong>and</strong><br />
inspections.<br />
1.2 Document<br />
Organization<br />
1.3 Location of the CIS<br />
<strong>and</strong> its Components<br />
This section describes the organization of this<br />
document.<br />
This section identifies in general terms the<br />
locations of the <strong>ANWI</strong> <strong>and</strong> its remote sites<br />
supported by the <strong>ANWI</strong><br />
1.4 Points of Contact Provides the title <strong>and</strong> organization of the key<br />
points of contact for the production, analysis<br />
<strong>and</strong> assertions made in the SSRS, SISRS<br />
<strong>and</strong> SecOPS<br />
1.5 Glossary Includes a glossary of all terms <strong>and</strong><br />
abbreviations used in this document. If the<br />
glossary is several pages in length, it may be<br />
included as an appendix<br />
2 <strong>System</strong> Security<br />
Requirement<br />
Statement (SSRS)<br />
This section describes the overall security<br />
profile for the <strong>ANWI</strong> <strong>and</strong> defines the security<br />
profile for each security domain as well as<br />
provides the specific security design <strong>and</strong><br />
configuration for each service provided in the<br />
security domain.<br />
2.1 CIS Description This section describes the <strong>ANWI</strong> in terms of:<br />
2.1.1 Role of the <strong>ANWI</strong> Operational concept in terms of data<br />
processing, storage, <strong>and</strong> communications
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-500 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
2.1.2 Information Type, volume <strong>and</strong> classification of information<br />
to be stored, processes <strong>and</strong> transmitted by<br />
network type<br />
2.1.3 <strong>Architecture</strong> Description of hardware, firmware <strong>and</strong><br />
software functional elements of the <strong>ANWI</strong><br />
services <strong>and</strong> connections/interconnections<br />
of/to networks<br />
2.2 Security Requirements This section identifies the security<br />
requirements as complemented by the<br />
Security Risk Assessment (SRA) <strong>and</strong><br />
describes the following:<br />
2.2.1 Minimum St<strong>and</strong>ards Security st<strong>and</strong>ards <strong>and</strong> methods used<br />
2.2.2 Criticality of<br />
Information <strong>and</strong><br />
Supporting <strong>System</strong><br />
Services <strong>and</strong><br />
resources<br />
This section addresses the importance of the<br />
information <strong>and</strong> system with respect to the<br />
loss of: confidentiality, integrity <strong>and</strong><br />
availability are addressed <strong>and</strong><br />
2.3 Security Measures This section describes the implemented<br />
<strong>ANWI</strong> security configuration <strong>and</strong> features to<br />
support the secure operations of each<br />
security domain.<br />
2.3.1 NATO SECRET (NS) This section states the security measures<br />
which are taken in the NS network/security<br />
domain to achieve security in terms of:<br />
access control, identification, authentication,<br />
accounting, security audit, integrity <strong>and</strong><br />
availability, data exchange/communications,<br />
<strong>and</strong> any residual risk from the SRA<br />
2.3.2 EAPC This section states the security measures<br />
which are taken in the EAPC network/security<br />
domain to achieve security in terms of:<br />
access control, identification, authentication,<br />
accounting, security audit, integrity <strong>and</strong><br />
availability, data exchange/communications,<br />
<strong>and</strong> any residual risk from the SRA<br />
2.3.3 BUSINESS (NR/NU) This section states the security measures<br />
which are taken in the Business<br />
network/security domain to achieve security<br />
in terms of: access control, identification,<br />
authentication, accounting, security audit,<br />
integrity <strong>and</strong> availability, data<br />
exchange/communications, <strong>and</strong> any residual<br />
risk from the SRA<br />
2.3.4 PUBLIC (Non-<br />
CLASSIFIED)<br />
This section states the security measures<br />
which are taken in each network/security<br />
domain to achieve security in terms of:<br />
access control, identification, authentication,<br />
accounting, security audit, integrity <strong>and</strong>
2.3.5 Cross Domain<br />
Modules<br />
3 <strong>System</strong><br />
Interconnection<br />
Security Requirement<br />
Statement (SISRS)<br />
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-501 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
availability, data exchange/communications,<br />
<strong>and</strong> any residual risk from the SRA<br />
This section states the security measures<br />
which are taken in CDMs to achieve security<br />
in terms of: access control, identification,<br />
authentication, accounting, security audit,<br />
integrity <strong>and</strong> availability, data<br />
exchange/communications, <strong>and</strong> any residual<br />
risk from the SRA<br />
This section identifies <strong>and</strong> describes the<br />
security criteria governing the elements that<br />
form the <strong>ANWI</strong> interconnections<br />
3.1 NS-Business (NR/NU) The section addresses the technical<br />
description; operational requirement; security<br />
modes of operation, <strong>and</strong> functional<br />
capabilities; location of the connection points;<br />
exchange services; protocols; <strong>and</strong><br />
classification/marking for the Cross Domain<br />
Module<br />
3.2 NS-EAPC The section addresses the technical<br />
description; operational requirement; security<br />
modes of operation, <strong>and</strong> functional<br />
capabilities; location of the connection points;<br />
exchange services; protocols; <strong>and</strong><br />
classification/marking for the Cross Domain<br />
Module<br />
3.3 NS-Public (Non-<br />
CLASSIFIED or NATO<br />
UNCLASSIFIED<br />
Releasable to the<br />
Internet)<br />
The section addresses the technical<br />
description; operational requirement; security<br />
modes of operation, <strong>and</strong> functional<br />
capabilities; location of the connection points;<br />
exchange services; protocols; <strong>and</strong><br />
classification/marking for the Cross Domain<br />
Module<br />
3.4 Business-Public The section addresses the technical<br />
description; operational requirement; security<br />
modes of operation, <strong>and</strong> functional<br />
capabilities; location of the connection points;<br />
exchange services; protocols; <strong>and</strong><br />
classification/marking for the Cross Domain<br />
Module<br />
3.5 NS-NS The section addresses the technical<br />
description; operational requirement; security<br />
modes of operation, <strong>and</strong> functional<br />
capabilities; location of the connection points;<br />
exchange services; protocols; <strong>and</strong><br />
classification/marking for the inter-network<br />
connections
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-502 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
3.6 Business-NR The section addresses the technical<br />
description; operational requirement; security<br />
modes of operation, <strong>and</strong> functional<br />
capabilities; location of the connection points;<br />
exchange services; protocols; <strong>and</strong><br />
classification/marking for the inter-network<br />
connections<br />
3.7 Public-Internet (PIA) The section addresses the technical<br />
description; operational requirement; security<br />
modes of operation, <strong>and</strong> functional<br />
capabilities; location of the connection points;<br />
exchange services; protocols; <strong>and</strong><br />
classification/marking for the inter-network<br />
connections<br />
4 Security Operating<br />
Procedures (SecOPs)<br />
4.1 Service Management<br />
& Control<br />
This section of the document specifies the<br />
detailed procedures to be followed thus<br />
ensuring that the <strong>ANWI</strong> is operated in a<br />
secure manner.<br />
This section addresses the procedures<br />
needed to securely operate <strong>and</strong> manage the<br />
SMC services (service management console,<br />
user self-services, etc.) as well as the remote<br />
access <strong>and</strong> reporting of information ‘up the<br />
support chain’.<br />
4.2 Information Assurance This section addresses the procedures to<br />
securely manage <strong>and</strong> operate the cross<br />
domain gateways <strong>and</strong> internal <strong>ANWI</strong> security<br />
capabilities.<br />
4.3 Infrastructure Services This section addresses the procedures to<br />
securely manage <strong>and</strong> operate the <strong>ANWI</strong>’s<br />
processing, storage <strong>and</strong> infrastructure<br />
services.<br />
4.4 UCC This section addresses the procedures to<br />
securely manage <strong>and</strong> operate the integrated<br />
UCC service.<br />
4.5 Client Provisioning This section addresses the procedures to<br />
securely manage <strong>and</strong> operate the<br />
provisioning of client hardware <strong>and</strong> software<br />
<strong>and</strong> control of ports with respect to data loss<br />
prevention.<br />
4.6 Supplementary<br />
Services<br />
5 Administration of<br />
Security<br />
5.1 Security Risk<br />
Management<br />
This section addresses the procedures to<br />
securely manage <strong>and</strong> operate the<br />
supplementary services offered by/through<br />
<strong>ANWI</strong>.<br />
This section provides information on what<br />
responsibilities<br />
This section provides about the procedures to<br />
be followed during the project how security
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
risk management will be undertaken<br />
5.2 Configuration Control This section identifies the process to approve<br />
security changes<br />
6 Security Risk<br />
Assessment<br />
Final version of SRA including mitigation/<br />
countermeasures, outst<strong>and</strong>ing vulnerabilities<br />
<strong>and</strong> residual risk.<br />
7 ST&E Final version of ST&E, incorporating results<br />
<strong>and</strong> non-conformities.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-503 of 532
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-504 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
19.14 APPENDIX 14: Project Progress Review Meeting (PPRM)<br />
19.14.1 Introduction/Purpose<br />
19.14.1-p1 The purpose of the Project Progress Review Meeting (PPRM) is to<br />
check whether the project is progressing as planned, to discuss problems, to agree<br />
on changes etc. in a face-to-face meeting.<br />
19.14.2 Scope/Assumptions<br />
19.14.2-p1 The <strong>ANWI</strong> Contractor shall coordinate <strong>and</strong> hold Project Progress<br />
Review Meetings (PPRMs) with the Purchaser serving as chairman.<br />
19.14.2-p2 The <strong>ANWI</strong> Contractor shall schedule the PPRMs in the PIP <strong>and</strong>,<br />
when possible, schedule the PPRM with other project related meetings.<br />
19.14.2-p3 Attendance by key personnel (needed based on the agenda) in<br />
person is required; by exception key personnel may participate via video or<br />
telephone conference after prior approval by the Purchaser <strong>and</strong> when it can be<br />
arranged by the parties.<br />
19.14.3 Reporting & Provisioning<br />
19.14.3-p1 The <strong>ANWI</strong> Contractor shall hold every other PPRM at his facility<br />
until the start of the server room installation; thereafter, PPRMs shall be held monthly<br />
on the NNHQ campus.<br />
19.14.3-p2 The <strong>ANWI</strong> Contractor shall provide PPRM information (slides, PSR,<br />
etc) no later than five (5) working days before the meeting.<br />
19.14.3-p3<br />
PPRM.<br />
The <strong>ANWI</strong> Contractor shall present the PPRM information at the<br />
19.14.3-p4 The <strong>ANWI</strong> Contractor shall provide notes (action items, minutes,<br />
decisions made, etc) of the meeting per the documentation requirements of this<br />
SOW.<br />
19.14.3-p5 The <strong>ANWI</strong> Contractor shall post a softcopy of the presentation <strong>and</strong><br />
notes on the portal within 48 hours.<br />
19.14.4 Reporting Structure<br />
19.14.4-p1 The PPRM shall report the status of the following items, based on<br />
the PSR, or indicate if there is no change since the last PPRM:<br />
Item Description Comment<br />
1 Project Management Plan Status Identify any upcoming changes to<br />
the PMP<br />
2 Review of On-Going Action Items Review the status of the project’s<br />
open action items<br />
3 Project Schedule: Status of On- Identify the status of the PIP <strong>and</strong><br />
Going Tasks <strong>and</strong> WBS<br />
4 Accomplishments &Status of<br />
Current Contract Deliverables<br />
state of current activities<br />
List major tasks/accomplishments<br />
completed <strong>and</strong>/or milestones<br />
achieved since the last meeting
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
5 Invoices Review of new acceptance<br />
documents <strong>and</strong> status of invoices<br />
6 Testing Status Review testing timeline <strong>and</strong><br />
status of testing<br />
7 Status of Problems with Delivered<br />
Capabilities<br />
Review deliverable <strong>and</strong> test<br />
problems/deficiencies <strong>and</strong><br />
corrective action status<br />
8 Risk Review Review the Risk Register for the<br />
current phase/stage of the project<br />
9 Problems <strong>and</strong> Issues New or potential problems/issues<br />
for action/decision<br />
10 Changes Review status of Change<br />
Requests<br />
11 Activities for the Next Period Identify major<br />
tasks/accomplishments to be<br />
completed <strong>and</strong>/or milestones to<br />
achieve before the next meeting<br />
12 Any Other Business Identify the date of the next<br />
meeting <strong>and</strong> any other points for<br />
discussion<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-505 of 532
N A T O U N C L A S S I F I E D<br />
19.15 APPENDIX 15: Project Status Report (PSR)<br />
19.15.1 Introduction/Purpose<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-506 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
19.15.1-p1 The Project Status Report (PSR) is an <strong>ANWI</strong> deliverable to support<br />
the monitoring of the project’s progress outside the PPRM periods.<br />
19.15.2 Scope/Assumptions<br />
19.15.2-p1<br />
have a PPRM<br />
The <strong>ANWI</strong> Contractor shall provide PSRs in the months that do not<br />
19.15.2-p2 The <strong>ANWI</strong> Contractor’s PSR shall serve as the replacement of the<br />
face-to-face PPRM.<br />
19.15.2-p3 The <strong>ANWI</strong> Contractor’s PSR shall provide an accurate summary of<br />
the project’s:<br />
A. Activities (completed <strong>and</strong> planned) during the period<br />
B. Current issues<br />
C. PIP status<br />
D. Upcoming potential problems/risks.<br />
19.15.3 Reporting & Provisioning<br />
19.15.3-p1 The <strong>ANWI</strong> Contractor shall provide the PSR by email to the<br />
Purchaser no later than the fifth (5th) business day of the month.<br />
19.15.3-p2 The <strong>ANWI</strong> Contractor PSR shall follow the release, submit <strong>and</strong><br />
review process specified in Annex K<br />
19.15.3-p3<br />
The <strong>ANWI</strong> Contractor shall post a softcopy of the PSR on the portal.<br />
19.15.3-p4 The <strong>ANWI</strong> Contractor shall promptly identify <strong>and</strong> discuss problems<br />
with the Purchaser’s Project Manager <strong>and</strong> not wait until the next PPRM<br />
19.15.4 Reporting Structure<br />
19.15.4-p1<br />
The PSR shall provide the following in the report:<br />
Item Title Section Description<br />
Header<br />
Identifies the report identification number,<br />
author <strong>and</strong> date of release<br />
1 Period of Report This section identifies the start <strong>and</strong> end date<br />
of the reporting period<br />
2 Activities This section lists the contractor activities that<br />
occurred during the reporting period <strong>and</strong><br />
includes the status of current <strong>and</strong> pending<br />
tasks/action items<br />
3 Schedule Impact This section identifies the status of the plan<br />
<strong>and</strong> associated deliverables <strong>and</strong> whether<br />
they are on time or delayed<br />
4 Products Completed This section lists the products <strong>and</strong><br />
deliverables with their status (delivered,<br />
reviewed, approved) as well as invoices
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
sent<br />
5 Tests Carried Out This section lists the tests conducted in the<br />
ITS during the reporting period <strong>and</strong> their<br />
status (in progress, tested pass, tested<br />
failed)<br />
6 Change Status Summary <strong>and</strong> status of Change Requests<br />
requested, pending or approved during the<br />
period<br />
7 Actual/Potential Issues <strong>and</strong><br />
Risks<br />
This section describes any identified<br />
problems, anomalies <strong>and</strong> high risk areas with<br />
proposed solutions or corrective actions<br />
identified in the reporting period – <strong>and</strong> linked<br />
to project issue <strong>and</strong>/or Risk Register<br />
8 Next Period’s Planned Work This section identifies the activities<br />
scheduled for the upcoming reporting period<br />
(which may be a PPRM)<br />
9 Upcoming Deliverables This section identifies the Schedule of<br />
Supplies <strong>and</strong> Services (SSS) items that will<br />
be delivered in the upcoming period<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-507 of 532
N A T O U N C L A S S I F I E D<br />
19.16 ANNEX K APPENDIX 16: Migration Plan<br />
19.16.1 Introduction/Purpose<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-508 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
19.16.1-p1 The purpose of the Migration Plan is to document the migration<br />
concept, methodology <strong>and</strong> processes needed to migrate the <strong>ANWI</strong>’s core service<br />
data (Active Directory, email, Windows Shares, etc) from the current HQ to the<br />
NNHQ’s appropriate security domains.<br />
19.16.2 Scope/Assumptions<br />
19.16.2-p1 The <strong>ANWI</strong> Contractor shall produce a Migration Plan (MP) that<br />
addresses the migration of user <strong>and</strong> system information <strong>and</strong> data as identified in<br />
document structure below.<br />
19.16.2-p2 The <strong>ANWI</strong> Contractor shall ensure that the MP complies with the<br />
<strong>ANWI</strong> service provisioning <strong>and</strong> integration requirements.<br />
19.16.2-p3 The <strong>ANWI</strong> Contractor Migration Plan shall address:<br />
A. Migrating user accounts (tool, naming convention, renaming users, Sid)<br />
B. Delegation of control <strong>and</strong> role based administration.<br />
C. Four security classification networks.<br />
D. User passwords.<br />
E. Migration tools to be used <strong>and</strong> a clear statement on what the migration<br />
restrictions of this tool are.<br />
F. Options for migration scenario’s, if applicable.<br />
G. Intermediate situation, where HQ <strong>and</strong> NNHQ are connected, <strong>and</strong> services<br />
from either side can be used by either side.<br />
H. What b<strong>and</strong>width exist, for migration (<strong>and</strong> synchronization) of data, if done<br />
over the network.<br />
I. Detailed Migration Schedule per <strong>ANWI</strong> capability services <strong>and</strong> support to<br />
migration of services by the other Host Nations.<br />
J. User data <strong>and</strong> settings migration.<br />
K. Bulk data migration.<br />
L. Data Archiving.<br />
M. Migration Roll-Back <strong>and</strong> Disaster Recovery Plan (where <strong>and</strong> when<br />
needed).<br />
N. Operations <strong>and</strong> Support Plan during migration stage.<br />
O. Migration QA Process.<br />
P. Migration Information Assurance aspects.<br />
Q. Migration Communication Plan.<br />
19.16.3 Reporting & Provisioning<br />
19.16.3-p1 The <strong>ANWI</strong> Contractor shall use the review <strong>and</strong> acceptance process<br />
described in Annex K Appendix 1for the MP.<br />
19.16.3-p2 The <strong>ANWI</strong> Contractor shall deliver sections of the MP as they apply<br />
to the <strong>ANWI</strong> design’s section (e.g. <strong>ANWI</strong> UCC design will be accompanied by a MP<br />
section addressing email, voice, collaboration, etc.).<br />
19.16.3-p3 The <strong>ANWI</strong> Contractor shall maintain the coherency of the MP<br />
sections through FOC.
19.16.4 Document Structure<br />
19.16.4-p1<br />
below:<br />
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-509 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
The Migration Plan shall be structured according to the format<br />
Section Section Title<br />
Section Description<br />
#<br />
Executive Summary<br />
Provides a managerial description of the project from<br />
<strong>and</strong> an overview of the framework used to develop the<br />
conceptual <strong>ANWI</strong> design.<br />
1 Introduction This section defines the purpose <strong>and</strong> overall objective of<br />
the document focusing on delivery, installation, <strong>and</strong><br />
configuration for the various networks <strong>and</strong> how<br />
capabilities <strong>and</strong> services fit together. It also addresses<br />
the baselines used, service management <strong>and</strong> the goals<br />
of the design.<br />
1.1 Purpose <strong>and</strong> Scope State the purpose of the <strong>ANWI</strong> migration plan <strong>and</strong><br />
identify the materials to be applied <strong>and</strong> the<br />
management/acquisition philosophy to which it is<br />
tailored. High level discussion of the migration’s<br />
deliverables<br />
1.2 Document Organization This section describes the organization of the migration<br />
plan.<br />
1.3 Points of Contact Provides the title <strong>and</strong> organization of the key points of<br />
contact for the migration <strong>and</strong> each subsystem of the<br />
<strong>ANWI</strong> that must be migrated. These points of contact<br />
must also include/identify the project’s: Quality<br />
Assurance (QA) Manager, Security Manager, <strong>and</strong><br />
Configuration Manager.<br />
1.4 Glossary Includes a glossary of all terms <strong>and</strong> abbreviations used<br />
in this document. If the glossary is several pages in<br />
length, it may be included as an appendix<br />
2 Considerations The discussion will address that the initial <strong>ANWI</strong> concept<br />
identifies that the <strong>ANWI</strong> design will be new <strong>and</strong><br />
independent of other activities that recently occurred at<br />
NATO HQ. The <strong>ANWI</strong> concept identifies that all<br />
equipment will be new but may accept (re)used<br />
equipment if NATO recently purchased new hardware,<br />
realised during the site survey, <strong>and</strong> fits into the <strong>ANWI</strong><br />
design.<br />
2.1 Constraints This section identifies how the <strong>ANWI</strong> Contractor will<br />
connect to existing services:<br />
Joining the Bi-SC AIS AD environment (single<br />
forest, single domain model).<br />
Joining the Bi-SC AIS Email organization.<br />
Interfacing with the existing NEDS directory<br />
services (On NS level).<br />
Connecting to the NATO wide voice systems<br />
Using NGCS for connectivity to NATO<br />
comm<strong>and</strong>s.<br />
Using the PIA gateway services for Internet<br />
Access (browsing, remote users, remote<br />
offices).<br />
Integrating the services of a commercial IPTV<br />
provider.<br />
Connecting with the NATO wide VTC services.<br />
Connecting with existing web solutions in other
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section<br />
#<br />
Section Title<br />
<br />
Section Description<br />
NATO Organizations/Agencies.<br />
Connecting to <strong>and</strong> using the NPKI.<br />
2.2 Restrictions This section identifies how the <strong>ANWI</strong> Contractor will<br />
comply with the following policies:<br />
NCIRC rules<br />
INFOSEC policies<br />
Using the following products:<br />
o Microsoft Windows <strong>and</strong> Office desktop<br />
environment.<br />
o COTS use<br />
Security roles.<br />
2.3 Dependencies This section identifies how the <strong>ANWI</strong> Contractor will<br />
ensure that projects involved with ICT for the NNHQ:<br />
PNWI for all passive cabling needs <strong>and</strong><br />
patching.<br />
Server room design (power/cooling restrictions)<br />
TER power <strong>and</strong> cooling design<br />
ESS interface, switching, storage/archive <strong>and</strong><br />
processing (as needed)<br />
AVI interface, switching <strong>and</strong> storage/archive<br />
BMS – for power reporting <strong>and</strong> monitoring of<br />
building<br />
ICTM Application migration<br />
2.4 Design considerations This section identifies how the <strong>ANWI</strong> Contractor will<br />
ensure that migration addresses/supports:<br />
Green IT.<br />
Virtualisation.<br />
Service Oriented <strong>Architecture</strong>:<br />
o Infrastructure as a Service.<br />
o St<strong>and</strong>ardization.<br />
o One user experience.<br />
o IPv6 compatibility.<br />
Redundancy <strong>and</strong> high availability of services<br />
3 <strong>ANWI</strong> Services<br />
3.1 Service management This section addresses that this service is a new<br />
environment for NNHQ but should address migration of<br />
any current HQ knowledge bases, application/update<br />
‘push packages’, <strong>and</strong> reporting services (e.g. asset<br />
management system).<br />
3.2 Information Assurance IA is not new but a major consideration in designing <strong>and</strong><br />
migrating data <strong>and</strong> users from the existing environment,<br />
it shall address security <strong>and</strong> the new cross domain<br />
gateways capabilities.<br />
3.2.1 Security The section addresses the new environment based on<br />
NCIRC <strong>and</strong> INFOSEC policies <strong>and</strong> how these will be<br />
applied, noting migration <strong>and</strong> preservation of access<br />
rights<br />
3.2.2 Cross Domain Gateway<br />
Services<br />
This section address if any items will be reused <strong>and</strong> how<br />
they will fit into the operational support concept:<br />
CDGW1 – new design, new equipment,<br />
greenfield situation<br />
CDGW2 – new design, new equipment,<br />
greenfield situation<br />
CDGW3 – new design, new equipment,<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-510 of 532
Section<br />
#<br />
Section Title<br />
N A T O U N C L A S S I F I E D<br />
<br />
<br />
<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-511 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section Description<br />
greenfield situation<br />
CDGW4 – new design, new equipment,<br />
greenfield situation<br />
CDGW5 – new design, new equipment,<br />
greenfield situation<br />
CDGW6 – new design, new equipment,<br />
greenfield situation<br />
4 Infrastructure<br />
4.1 Processing This section addresses the services sub-elements, as<br />
required.<br />
4.1.1 Physical servers The physical server environment will be ‘greenfield’ <strong>and</strong><br />
even though no servers, or other hardware, from the<br />
existing HQ will be reused, unless there are reasons that<br />
these must be used (continuity of ICT services), the<br />
<strong>ANWI</strong> Contractor will address how the service will be<br />
implemented (with security role adaption).<br />
4.1.2 Hypervisor The virtual server environment will be completely new<br />
but will address the settings <strong>and</strong> security roles <strong>and</strong><br />
movement of VMs from the current HQ.<br />
4.1.3 Operating systems This section defines how (physical <strong>and</strong> virtual) servers<br />
will be “migrated” from current HQ to NNHQ <strong>and</strong> the<br />
adaption of security roles to the new OS.<br />
4.2 Storage services This section is a new design, new equipment, greenfield<br />
situation must address data migration <strong>and</strong> how currency<br />
of data is to be ensured<br />
4.3 Printing <strong>and</strong> Scanning<br />
Services<br />
4.4 Network Infrastructure<br />
services<br />
New design, new equipment, greenfield situation but will<br />
address how the users will leverage this service; <strong>and</strong> if<br />
cross domain printing is offered – how this will be<br />
provided.<br />
This section addresses the NNHQ design <strong>and</strong> its<br />
migration to the NNHQ<br />
Active Directory<br />
o Current Bi-SC AIS AD design<br />
o Requirements for joining Bi-SC AIS AD<br />
o Naming convention<br />
o Depending upon the version of the<br />
servers, which server versions are<br />
allowed to join<br />
<br />
<br />
<br />
<br />
o Current password policies <strong>and</strong> future<br />
password policies<br />
NTP: Joining Bi-SC AIS AD on NS level with<br />
PDC = timeservers<br />
DNS: DNS design Bi-SC AIS<br />
DHCP: IP number plan from NGCS New design,<br />
greenfield environment<br />
NAC/NAP New functionality, new design,<br />
greenfield<br />
4.5 LAN services The interconnection between current HQ <strong>and</strong> NNHQ, will<br />
be a direct connection (under administration by ICTM) or<br />
will it be a connection over the NGCS link (still LAN, but<br />
routable over the NGCS router <strong>and</strong> administered by<br />
them)<br />
<br />
Wired – new design, new equipment, greenfield<br />
situation
Section<br />
#<br />
Section Title<br />
N A T O U N C L A S S I F I E D<br />
<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section Description<br />
Wireless – new design, new equipment,<br />
greenfield situation<br />
This section addresses how the current <strong>and</strong> NNHQ will<br />
be interconnected while users move between the 2<br />
buildings<br />
5 UCC Services<br />
5.1 Voice This section address how voice services between the 2<br />
buildings (current <strong>and</strong> NNHQ) will be provided as well as<br />
how telephone numbers will be provided <strong>and</strong> made<br />
known to voice users.<br />
<br />
Insecure Voice<br />
o Connect to existing voice environment<br />
o Intermediate period where users located<br />
in the HQ need to talk to users located<br />
in the NNHQ.<br />
o<br />
o<br />
Possible issues.<br />
Roll back, where <strong>and</strong> when needed.<br />
5.2 Video This section will explain the connectivity <strong>and</strong> how the<br />
users will be provided seamless connectivity while users<br />
move between the 2 buildings<br />
Connect to existing NATO wide VTC.<br />
Connect to commercial IPTV provider<br />
Intermediate period where users located in the<br />
HQ need to contact users located in the NNHQ<br />
Possible issues<br />
5.3<br />
19.16.4.1.1 Email<br />
This section will explain user <strong>and</strong> system email account<br />
migration; the connectivity to the AIS email system <strong>and</strong><br />
how the users will be provided seamless connectivity<br />
while users move between the 2 buildings<br />
Email <strong>and</strong> its relation to the Bi-SC AIS’ design.<br />
Email naming convention.<br />
Which version of Exchange may connect in the<br />
existing environment<br />
Migrate mailbox history.<br />
Calendar (future appointments <strong>and</strong> history).<br />
Rights on other users mailboxes.<br />
Whether user connects to multiple mailboxes.<br />
Inbox rules.<br />
Intermediate situation where users will be<br />
located in both HQ <strong>and</strong> NNHQ.<br />
Naming convention (different from the current<br />
environment)<br />
Connectivity on older email addresses, after<br />
migration.<br />
Roll back, where <strong>and</strong> when needed.<br />
Tools used <strong>and</strong> clear statement on what the<br />
migration restrictions of this tool are.<br />
Possible scenarios, pros <strong>and</strong> cons<br />
5.4 Other This section will address how these will be migrated if<br />
already existing in the current HQ <strong>and</strong> is targeted for<br />
reuse:<br />
Presence<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-512 of 532
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-513 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section Section Title<br />
Section Description<br />
#<br />
IM<br />
Collaboration<br />
6 Client Provisioning Service<br />
6.1 General This section will address user core service migration<br />
onto the new footprint<br />
OS deployment<br />
App deployment<br />
Software Client<br />
Devices<br />
6.2 Users<br />
6.2.1 User Migration<br />
This section will address how fileshare data will be<br />
copied to/synchronized with the <strong>ANWI</strong> design,<br />
specifically addressing:<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
How to migrate fileshare data.<br />
Roll back, if needed.<br />
Favorites<br />
How to migrate this data<br />
Profile information<br />
Depending on the final solution, what info to<br />
migrate or not, if any.<br />
Possible issues on migrating these settings.<br />
Roll Back, but probably not needed here.<br />
Mailbox<br />
Application dependency<br />
Needed: Business application list (ICTM).<br />
6.2.2 User working environment This section addresses the moment a user migrates<br />
from the current network, to the NNHQ environment, the<br />
user’s expectation will be that all will be as it was, with<br />
regards to applications, data <strong>and</strong> sometimes even user<br />
settings, like his background or the remembered<br />
passwords for his favourite web sites. But at the same<br />
time, users will most probably be located in both the old<br />
<strong>and</strong> the new HQ, so there needs to be a working<br />
environment where users from both buildings can do the<br />
same work, using the same data set (or there can/will be<br />
discrepancies in the data). In case all users can be<br />
moved in a big bang, there will still be an intermediate<br />
situation with (business) apps located in both<br />
environments, essentially still the same issue.<br />
Future functionality for users, on different<br />
devices (laptop, desktop, VDI, Citrix, diskless<br />
clients).<br />
How to h<strong>and</strong>le changes for the users<br />
(communication, training).<br />
Home drive<br />
How to migrate this data.<br />
Roll back, if needed.<br />
6.2.3 Local data This section addresses dependencies between<br />
applications <strong>and</strong> user groups using these applications.<br />
Business applications are a driver in the schedule for<br />
migrating. Groups of user have rights to applications <strong>and</strong><br />
when users are migrated from an old environment to
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section<br />
#<br />
Section Title<br />
Section Description<br />
something new, access to that application is still needed.<br />
In the simplest <strong>and</strong> most straightforward case, when a<br />
group of users is migrated, all applications are also<br />
migrated. However, this scenario often isn’t this simple,<br />
as some of the applications used are more users than<br />
just those in this one group. With users located on both<br />
the old <strong>and</strong> the new network, using the application from<br />
both sides means that an intermediate situation is<br />
created, where access to the application is one factor,<br />
but possibly accessing data from this application, either<br />
data on a file share, or because data from the<br />
applications is accessed by another process, which also<br />
needs to be migrated at some point in time<br />
(interdependencies between apps).<br />
How to create an intermediate situation, where<br />
applications can be used from both<br />
environments, if needed.<br />
Scenarios, pros <strong>and</strong> cons.<br />
Roll back, where <strong>and</strong> when needed.<br />
19.16.4.1.2<br />
6.2.4 File services Info if file services are use, <strong>and</strong> how. Departmental data,<br />
or is that located in a document management system?<br />
Application data, located on file-shares <strong>and</strong> not in<br />
databases.<br />
How to migrate the data.<br />
How to integrate this in the user migration<br />
scheduling.<br />
How to do this in an intermediate situation with<br />
users on both sides, old <strong>and</strong> new.<br />
How to keep the data synchronized, if on<br />
different networks.<br />
19.16.4.1.3<br />
6.2.5 Web browsing This section will address the migration of favourites <strong>and</strong><br />
user access – or reference where this is already<br />
addressed<br />
7 Supplementary Services<br />
7.1 Site Security<br />
Communications<br />
This section shall be provided with the initial security<br />
domain design. The section will explain how the <strong>ANWI</strong><br />
Contractor will support the migration of TETRA to the<br />
NNHQ <strong>and</strong> the period between contract award <strong>and</strong> the<br />
Connect to existing Site Security Comms<br />
Intermediate period where users located in the<br />
HQ need to talk to users located in the NNHQ.<br />
Roll back, where <strong>and</strong> when needed.<br />
7.2 Other Supplementary items This section will address how these will be migrated if<br />
already existing in the current HQ <strong>and</strong> is targeted for<br />
reuse:<br />
GSM New environment<br />
GSM Blocking New functionality<br />
Wireless Blocking New functionality<br />
IPTV New functionality<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-514 of 532
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-515 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
19.17 ANNEX K APPENDIX 17: Service Interface Profile (SIP)<br />
19.17.1 Introduction/Purpose<br />
19.17.1-p1 The purpose of the Service Interface Profile (SIP) is to provide an<br />
outline for use in the specification of each of the internal or external service’<br />
interfaces as identified by the <strong>ANWI</strong> services annexes through a SIP.<br />
19.17.2 Scope/Assumptions<br />
19.17.2-p1 The <strong>ANWI</strong> Contractor’s SIP shall be managed as a configuration<br />
item that falls under formal configuration <strong>and</strong> change management. In case of any<br />
changes to any of the internal or external interfaces of a particular <strong>ANWI</strong> service the<br />
SIP shall be changed/updated<br />
19.17.3 Reporting & Provisioning<br />
19.17.3-p1 The <strong>ANWI</strong> Contractor shall use the review <strong>and</strong> acceptance process<br />
described in Annex K Appendix 1for the SIP.<br />
19.17.3-p2 The <strong>ANWI</strong> Contractor shall deliver a SIP for each service of the<br />
<strong>ANWI</strong> design’s section.<br />
19.17.3-p3<br />
through FSA.<br />
19.17.4 Document Structure<br />
19.17.4-p1<br />
Section<br />
#<br />
The <strong>ANWI</strong> Contractor shall maintain the <strong>ANWI</strong> services’ SIPs<br />
A SIP shall be structured according to the format below:<br />
Section Title<br />
Executive Summary<br />
Section Description<br />
Provides a managerial description of the project<br />
from <strong>and</strong> an overview of the framework used to<br />
develop the conceptual <strong>ANWI</strong> design.<br />
1 Introduction This section defines the purpose <strong>and</strong> overall<br />
objective of the service being provided<br />
1.1 Purpose <strong>and</strong> Scope State that the purpose of the SIP is to provide<br />
instructions on how to interface with <strong>and</strong><br />
consume the service.<br />
1.2 Document Organization This section describes the structure of the SIP<br />
document.<br />
1.3 Points of Contact Provides the title <strong>and</strong> organization of the key<br />
points of contact for the SIP.<br />
1.4 Glossary Includes a glossary of all terms <strong>and</strong> abbreviations<br />
used in this document. If the glossary is several<br />
pages in length, it may be included as an<br />
appendix<br />
1.5 References Includes a list of references for the service’s SIP<br />
2 Service Interface (s)<br />
Description<br />
This section contains a full identification of the<br />
systems/services participating in the interface, the<br />
contractors developing the systems/services, the<br />
interfacing entities, <strong>and</strong> the interfaces to which<br />
this document applies, including, as applicable,
Section<br />
#<br />
Section Title<br />
N A T O U N C L A S S I F I E D<br />
<br />
<br />
<br />
<br />
<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-516 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section Description<br />
identification numbers(s),<br />
title(s),<br />
abbreviation(s),<br />
version number(s),<br />
release number(s),<br />
or any lower level version descriptors<br />
used.<br />
A separate paragraph should be included for<br />
each component that comprises the interface<br />
2.1 Service St<strong>and</strong>ard This section provides an overview of the interface<br />
<strong>and</strong> the data exchanged between the services. It<br />
also identifies the st<strong>and</strong>ards used (NATO or<br />
international).<br />
2.2 Service Operations This section provides a list of service operations<br />
2.2.1 Service Operation<br />
Relations<br />
2.2.2 Input – Output<br />
Relationships<br />
that can be called by a service consumer<br />
This section describes the service’s<br />
operation. It should include a diagram of the<br />
service’s functionality.<br />
This section describes for each of the service<br />
operations, as identified above, the inputoutput<br />
relationship for the service<br />
2.2.3 Errors This section describes,for each of the service<br />
operations identified above, the possible error<br />
states <strong>and</strong> messages<br />
3 Interface<br />
3.1 Data format <strong>and</strong> data<br />
types<br />
This section describesdetailed data<br />
format/type definition used in/by the service.<br />
If the format is a composite data type, a XML<br />
definition should be provided.<br />
3.2 Protocol This section provides the information or data<br />
transfer protocol(s) used<br />
3.3 Physical Interface This section describesthe physical interface<br />
st<strong>and</strong>ard, as applicable.<br />
4 Service Level Targets This section describesthe availability <strong>and</strong><br />
performance metrics<br />
5 Security<br />
5.1 Classification This section Security Classification, security<br />
domain <strong>and</strong> releasability conditions for the<br />
service<br />
5.2 Service Access This section addresses the Identity <strong>and</strong><br />
Access Method used to achieve authorisation<br />
to use the services<br />
6 Services access point If applicable, provide the URI/DNS address<br />
where the service can be reached/access
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Section<br />
#<br />
Appendices<br />
Section Title<br />
Section Description<br />
This section allows some information to be<br />
placed in appendices to the SIP (e.g. charts<br />
<strong>and</strong> classified data are typical examples).<br />
Table 19.17 – SIP Template<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-517 of 532
N A T O U N C L A S S I F I E D<br />
19.18 ANNEX K APPENDIX 18: Service Level Agreement<br />
19.18.1 Introduction/Purpose<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-518 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
19.18.1-p1 The purpose of the SLA is to describe a service’s delivery<br />
framework <strong>and</strong> set the expectation for its availability, reliability <strong>and</strong> performance.<br />
19.18.2 Scope/Assumptions<br />
19.18.2-p1 The SLA shall define the SLT quality criteria, period of the SLA,<br />
delivery parameters, monitoring <strong>and</strong> processes a service is to be provided<br />
19.18.3 Reporting &Provisions<br />
19.18.3-p1 The <strong>ANWI</strong> Contractor shall use the review processes described in<br />
Annex K Appendix 1for the SLA.<br />
19.18.3-p2 The Contractor shall deliver the SLAs in accordance with the<br />
Schedule of Supplies <strong>and</strong> Services.<br />
19.18.3-p3 The <strong>ANWI</strong> Contractor shall review <strong>and</strong> adjust the SLAs annually<br />
with the Purchaser.<br />
19.18.4 Document Structure<br />
19.18.4-p1 The SLA shall be structured according to the outline below:<br />
A. Name of the IT Service<br />
B. Clearance information (with location <strong>and</strong> date)<br />
1. Service Level Manager<br />
2. Client representative<br />
C. Contact persons<br />
1. Name of the Service Provider<br />
2. Name of the Service recipient<br />
3. Contact partners/ persons in charge (on client-side as well as on the<br />
side of the IT Organization) for<br />
a. Contractual changes<br />
b. Complaints <strong>and</strong> suggestions<br />
c. Escalations in the case of contractual infringements<br />
d. Service reviews<br />
e. Emergencies<br />
D. Contract duration<br />
1. Contract start<br />
2. Contract end<br />
3. Rules for changes to the SLA<br />
a. How requests for change are submitted (deletions, additions or<br />
changes to components of the SLA)?<br />
b. How are the requests for change <strong>and</strong> their implementation<br />
controlled?<br />
c. Who is responsible for the clearance of the changes?<br />
4. Rules for termination of the SLA<br />
E. Service description
N A T O U N C L A S S I F I E D<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-519 of 532<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
1. Short description of Service<br />
2. Users of the IT Service on the client-side<br />
3. Breakdown of the offered Service into Service groups, e.g. along<br />
infrastructure components or IT applications<br />
4. For each Service group:<br />
a. Which Services are offered, e.g.<br />
b. H<strong>and</strong>ling of Service interruptions (by telephone, by remote access,<br />
on site?)<br />
c. User Services (user administration, installation, …)<br />
d. What quality is required of the offered Services, e.g.<br />
e. Service times<br />
f. Availability requirements<br />
g. Number of interruptions allowed<br />
h. Availability thresholds (xx,xx %)<br />
i. Downtimes for maintenance (number of allowed downtimes, prenotification<br />
periods)<br />
j. Procedure for announcing interruptions to the Service (planned/<br />
unplanned)<br />
k. Performance requirements<br />
l. Required capacity (lower/upper limit) for the Service<br />
m. Allowed workload/ usage of the Service<br />
n. Response times from applications<br />
o. Reaction <strong>and</strong> resolution times (according to priorities, definition of<br />
priorities e.g. for the classification of Incidents)<br />
p. Requirements for the maintenance of the Service in the event of a<br />
disaster<br />
F. Relations to other IT Services<br />
G. Procedures for requesting the IT Service<br />
1. Requests possible by telephone/fax/mail, ... (addresses, telephone<br />
numbers, etc.)<br />
H. Responsibilities<br />
1. Of the client (also within the field of IT Security)<br />
2. Responsibilities <strong>and</strong> liability of the IT Organization<br />
I. Quality assurance <strong>and</strong> Service Level Reporting<br />
1. Measurement procedures<br />
a. Which indicators<br />
b. With which measurement procedures<br />
c. At which intervals<br />
d. Collated into which reports<br />
2. SLA Reviews<br />
a. Intervals at which SLA reviews are to be held<br />
J. Service accounting<br />
1. Costs for the provision of the Service<br />
2. Accounting method for the Service<br />
3. Intervals for invoicing<br />
K. Glossary
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
SECTION 20. ANNEX L: NATIONS AND PARTNERS<br />
20.1 Purpose<br />
20.1-p1 This Annex describes the <strong>ANWI</strong> deliverables required by the NATO <strong>and</strong><br />
partner nations’ delegations.<br />
20.1-p2 Nations <strong>and</strong> NATO partners located in the NNHQ will be given the<br />
opportunity to use this contract to procure services from the Service Catalogue as<br />
they deem necessary.<br />
20.1-p3 The equipment identified in this Annex shall be the same as that defined,<br />
identified <strong>and</strong> delivered in accordance with the technical Annexes <strong>and</strong> Appendices of<br />
this SOW.<br />
20.2 NATO Nation<br />
20.2-p1 The <strong>ANWI</strong> Contractor shall provide each NATO national delegation two (2)<br />
NS workstations <strong>and</strong> two (2) Business workstations with the st<strong>and</strong>ard <strong>ANWI</strong> Office<br />
Automation configuration; connected to the respective networks.<br />
20.2-p2 The table below shows the order of magnitude of potential additional<br />
devices/services that may be purchased over <strong>and</strong> above the Contract (as Contract<br />
options).<br />
<strong>ANWI</strong> Services<br />
NS Services<br />
NS Workstation 636<br />
NS User account (additional) 25<br />
NS Network printer 44<br />
NU/NR Services<br />
NU/NR Workstation 332<br />
NU/NR Smartphone 80<br />
NU/NR User Account (additional) 1<br />
NU/NR High Volume Network printer 9<br />
NU/NR Network printer 25<br />
Services (provided on any network)<br />
Public Telephone 278<br />
IPTV Display 63<br />
Meeting Room VTC kit 8<br />
Virtual Meeting Room 3<br />
Potential Additional<br />
Devices Needed<br />
Table 20.1 Overview of possible <strong>ANWI</strong> quantities for NATO nations<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-520 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
20.2-p3 After contract award, the Purchaser will identify the list of <strong>ANWI</strong> equipment<br />
required for installation by each NATO nation’s delegation on the NS <strong>and</strong>/or Business<br />
domains as options to the contract.<br />
20.3 Partner Nations<br />
20.3-p1 The <strong>ANWI</strong> Contractor shall provide each partner nation a telephone for<br />
voice service<br />
20.3-p2 The <strong>ANWI</strong> Contractor shall provide each partner nation two (2) client<br />
devices with the st<strong>and</strong>ard <strong>ANWI</strong> Office Automation configuration <strong>and</strong> connected to<br />
the EAPC network.<br />
20.3-p3 After contract award, the Purchaser will identify the list of <strong>ANWI</strong> equipment<br />
required for installation by each partner nation’s delegation on the EAPC domainas<br />
options to the contract.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-521 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
SECTION 21. ANNEX M: REMOTE SITES<br />
21.1 Purpose<br />
21.1-p1 This Annex describes the <strong>ANWI</strong> deliverables required for NATO’s remote<br />
sites.<br />
21.2 Remote Sites<br />
21.2-p1 NATO HQ supports the connection to five (5) remote sites.<br />
21.2-p2 Each remote site is a ‘long local’ of the NATO Headquarters.<br />
21.2-p3 RESERVED.<br />
21.2-p4 Services for remote workers are to be provided at the NATO RESTRICTED<br />
(NR) level <strong>and</strong> up to <strong>and</strong> including the NATO SECRET (NS) level.<br />
21.2-p5 The <strong>ANWI</strong> Contractor shall install <strong>and</strong> configure the hardware <strong>and</strong> software<br />
at the remote sites under the supervision of the local NATO staff.<br />
21.2-p6 The locations of the remote sites are identified below:<br />
Site 1: Brussels, Belgium<br />
Site 2: New York City, USA<br />
Site 3: Kabul, Afghanistan<br />
Site 4: Moscow, Russia<br />
Site 5: Kiev, Ukraine<br />
21.2-p7 The below table identifies the equipment that the <strong>ANWI</strong> Contractor shall<br />
deliver, install <strong>and</strong> configure at each site.<br />
<strong>ANWI</strong> Equipment Site 1 Site 2 Site 3 Site 4 Site 5<br />
<strong>ANWI</strong> Services<br />
Cryptographic<br />
Equipment<br />
Router<br />
Small LAN switch<br />
Device cables<br />
NS Services<br />
PFE PFE PFE PFE<br />
TBD by<br />
Contractor<br />
TBD by<br />
Contractor<br />
TBD by<br />
Contractor<br />
TBD by<br />
Contractor<br />
TBD by<br />
Contractor<br />
TBD by<br />
Contractor<br />
TBD by<br />
Contractor<br />
TBD by<br />
Contractor<br />
TBD by<br />
Contractor<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-522 of 532<br />
TBD by<br />
Contractor<br />
TBD by<br />
Contractor<br />
TBD by<br />
Contractor<br />
PFE<br />
TBD by<br />
Contractor<br />
TBD by<br />
Contractor<br />
TBD by<br />
Contractor<br />
NS Workstation 5 2 4 2 2<br />
NS Network printer<br />
NU/NR Services<br />
NU/NR<br />
Workstation<br />
NU/NR<br />
Smartphone<br />
NU/NR Network<br />
printer<br />
30 30
N A T O U N C L A S S I F I E D<br />
Table 21.1: Services in remote locations<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
21.2-p8 The <strong>ANWI</strong> contractor shall provide all <strong>ANWI</strong> services that are available to<br />
users in the NNHQ building to users at the remote locations<br />
21.2-p9 The <strong>ANWI</strong> Contractor shall coordinate the installations of the remote sites<br />
through the Purchaser.<br />
21.2-p10 The <strong>ANWI</strong> Contractor’s remote site installation staff shall be in<br />
possession of valid NATO SECRET clearances.<br />
21.2-p11 The <strong>ANWI</strong> Contractor shall configure <strong>and</strong> test the remote site’s<br />
configuration in the ITS prior to delivery.<br />
21.2-p12 The <strong>ANWI</strong> Contractor shall remove, pack <strong>and</strong> deliver the tested<br />
equipment to the required sites per the delivery instructions defined in SECTION 5.<br />
21.2-p13 The <strong>ANWI</strong> Contractor shall reuse the local cryptographic equipment for<br />
the remote site’s installation.<br />
21.2-p14<br />
The <strong>ANWI</strong> Contractor shall install <strong>and</strong> test the configuration.<br />
21.2-p15 The <strong>ANWI</strong> Contractor shall remove the packing material per the<br />
instruction of the local site staff.<br />
21.2-p16 The local NATO staff will supervise <strong>and</strong> witness the <strong>ANWI</strong> Contractor’s<br />
on-site activities.<br />
21.2-p17 The <strong>ANWI</strong> Contractor shall provide user familiarisation for the hardware<br />
devices installed.<br />
21.2-p18 The <strong>ANWI</strong> Contractor shall conduct the remote site acceptance with the<br />
local NATO staff.<br />
21.3 Supporting Additional Remote Needs<br />
21.3-p1 In addition to the locations specified above, the following facilities shall<br />
deliver all services (up to <strong>and</strong> including NS) to certain staffs who are working at other<br />
remote locations for a certain well defined time period such as NATO summits,<br />
conferences, etc.<br />
21.3-p2 Figure 21.1. Shows the two additional ad-hoc/deployable architectures that<br />
<strong>ANWI</strong> shall provide <strong>and</strong> support:<br />
A. Travel Kits<br />
B. Deployable ICT KIT<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-523 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
Figure 21.1: Additional Remote Services <strong>Architecture</strong> Options<br />
21.3.1 Travel Kits.<br />
21.3.1-p1 The Private Office of the Secretary General requires 10 ‘travel kits’; the<br />
composition of these remote user ‘travel kits’ <strong>and</strong> the provision of their component<br />
equipment.<br />
21.3.1-p2<br />
The travel kit shallbe operated at the NS level.<br />
21.3.1-p3 The travel kit shall be composed of the following components:<br />
A. Based on Mobile Desktop (Laptop) compliant with <strong>ANWI</strong> defined NS<br />
baseline HW <strong>and</strong> SW, to include NPKI based smartcard authentication.<br />
B. HW based NS certified disk encryption<br />
C. HW based NS level VPN encryption that can setup an encrypted tunnel<br />
over the Internet/Public Network anywhere in the world.<br />
D. Integrated portable small form factor printing capability.<br />
21.3.1-p4 The following backend equipment shall be provided:<br />
A. NS VPN concentrator Gateway that can support 20 concurrent sessions.<br />
B. NS VPN concentrator Gateway to be integrated DMZ segment of CDGW1.<br />
C. A small (DMZ) switch.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-524 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
21.3.1-p5 The travel kit operation requires it to be compact <strong>and</strong> portable<br />
supported by the following facility:<br />
A. Purpose build leather business suitcase.<br />
21.3.1-p6 Unpacking, connection <strong>and</strong> startup time as well as tear-down time shall<br />
take no longer than starting up a normal mobile laptop <strong>and</strong> VPN.<br />
21.3.1-p7 The communications equipment that would be needed to establish such<br />
links is within scope.<br />
21.3.1-p8 The secure communication links (via the Internet) between the NNHQ<br />
<strong>and</strong> other locations (using the travel kits) are in scope of the <strong>ANWI</strong> project.<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-525 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
SECTION 22. ACRONYMS<br />
ABL<br />
ACL<br />
ACMP<br />
ACP<br />
ACT<br />
AD<br />
ADS<br />
AEDC<br />
AIS<br />
AMSG<br />
<strong>ANWI</strong><br />
AP<br />
API<br />
AQAP<br />
AV<br />
AVI<br />
AVI<br />
BE<br />
Bi-SC<br />
BMS<br />
BPC<br />
CAB<br />
CACM<br />
CAM<br />
CAT<br />
CC<br />
CC<br />
CCB<br />
CCBS<br />
CCLM<br />
CCP<br />
CDGW<br />
CDM<br />
CDR<br />
CDRL<br />
CFB<br />
CFNR<br />
CFU<br />
CIS<br />
CIs<br />
Allocated (development) Baseline<br />
Access Control List<br />
Allied Communication Management Publication<br />
Allied Communication Publication<br />
Allied Comm<strong>and</strong> Transformation<br />
Active Directory<br />
Accreditation Document Set<br />
After Effective Date of Contract<br />
Automated Information <strong>System</strong><br />
Allied Military Security Guideline<br />
Active Network Infrastructure<br />
Access Points<br />
Application Programming Interface<br />
Allied Quality Assurance Publications<br />
Anti-Virus<br />
Integrated audio-visual equipment<br />
Audio Visual Infrastructure<br />
Backend<br />
Bi-Strategic Comm<strong>and</strong><br />
Building Management <strong>System</strong><br />
Boundary Protection Components<br />
Change Advisory Board<br />
Core AIS Client Module<br />
Core AIS Module<br />
Capability Acceptance Test<br />
Confrence Center<br />
Common Criteria<br />
Configuration Control Board<br />
Call completion to a busy subscriber<br />
Core Communications LAN Module<br />
Configuration Control Plan<br />
Cross-Domain Gateway<br />
Cross Domain Module<br />
Critical Design Review<br />
Contract Data Requirements List<br />
Call forwarding busy<br />
Call forwarding no reply<br />
Call forwarding unconditional<br />
Communication <strong>and</strong> Information <strong>System</strong>s<br />
Configuration Items<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-526 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
CISOA<br />
CLIN<br />
CLIP<br />
CM<br />
CMDB<br />
CMP<br />
COCO<br />
CoI<br />
COLP<br />
CONF<br />
CONOPS<br />
COTS<br />
CP<br />
CPS<br />
CRL<br />
CSA<br />
CSF<br />
CSI<br />
CSMCS<br />
CSRS<br />
CSV<br />
CUG<br />
D2D<br />
DAG<br />
DB<br />
DECT<br />
DHCP<br />
DML<br />
DMZ<br />
DNS<br />
DPNSS<br />
EA<br />
EAPC<br />
EDC<br />
EIM<br />
EIMP<br />
ELM<br />
EM<br />
EMS<br />
ERM<br />
ESB<br />
ESS<br />
FAT<br />
CIS Operating Authority<br />
Contract Line Item<br />
Calling line identification presentation<br />
Configuration Management<br />
configuration management database<br />
Configuration Management Plan<br />
Contractor-Owned / Contractor-Operated<br />
Community of interest<br />
Connected identification presentation<br />
Add-on conference call<br />
Concept of Operations<br />
Commercial Off The Shelf<br />
Consolidation Points<br />
Certificate Practice Statement<br />
Certificate Revocation Lists<br />
Configuration Status Accounting<br />
Critical Success Factors<br />
Continual Service Improvement<br />
Central Security Management <strong>and</strong> Control Services<br />
Community Security Requirements Statement<br />
Comma Separated Value<br />
Closed User group<br />
Disk to Disk<br />
Database Availability Group<br />
Database<br />
Digital Enhanced Cordless Telecommunications<br />
Dynamic Host Configuration Protocol<br />
Definitive Media Library<br />
demilitarized zone<br />
Domain Name <strong>System</strong><br />
Digital Private Network Signalling <strong>System</strong><br />
Enterprise Architect<br />
Euro Atlantic Partnership Council<br />
Effective Date of Contract<br />
Enterprise Information Management<br />
Enterprise Information Management Project<br />
ELement Management<br />
Executive Management<br />
Enterprise Management <strong>System</strong><br />
Enterprise Resource Management<br />
enterprise service bus<br />
Electronic Security <strong>System</strong>s<br />
Factory Acceptance Tests<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-527 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
FC<br />
FCIP<br />
FCoE<br />
FE<br />
FOC<br />
FPC<br />
FSA<br />
FST<br />
GAL<br />
GCC<br />
GH<br />
GSM<br />
GUI<br />
GW<br />
HN<br />
HQ<br />
HQPO<br />
HTML<br />
IA<br />
IAM<br />
IATO<br />
ICD<br />
ICT<br />
ICTM<br />
IDP<br />
IDS<br />
IEG<br />
IERs<br />
IFB<br />
II<br />
ILS<br />
ILSP<br />
IM<br />
IMS<br />
INFOSEC<br />
IOC<br />
IOC<br />
IOSS<br />
IP<br />
iPBX<br />
IPMT<br />
IPTV<br />
IS<br />
Fibre Channel<br />
Fibre Channel over IP<br />
Fibre Channel over Ethernet<br />
front end<br />
Final Operating Capability<br />
Full Packet Capture<br />
Full <strong>System</strong>s Acceptance<br />
Final Site Testing<br />
Global Address List<br />
Global Construction Contract<br />
Guard House<br />
Global <strong>System</strong> for Mobile Communications<br />
Graphics Unit Interface<br />
Gateway<br />
Host Nation<br />
Headquarters<br />
NATO Headquarters Programme Office<br />
Hypertext Mark-up Language<br />
Information Assurance<br />
Information Assurance Policies & Management<br />
Interim approval To Operate<br />
Interface Control Document<br />
Information, Communications <strong>and</strong> Technology<br />
HN NATO HQ ICT Management<br />
Intrusion Detection <strong>and</strong> Prevention<br />
Intrusion Detection <strong>System</strong><br />
Information Exchange Gateway<br />
Information Exchange Requirements<br />
Invitation for Bid<br />
Industrial Infrastructure<br />
Integrated Logistics Support<br />
Integrated Logistics Support Plan<br />
Instant Messaging<br />
International Military Staff<br />
Information Security<br />
<strong>Initial</strong> Operating Capability<br />
<strong>Initial</strong> Operational Capability<br />
Integrated Operation Support <strong>System</strong><br />
Internet Protocol<br />
IP Private Branch Exchange<br />
Integrated Project Management Team<br />
IP Television<br />
International Staff<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-528 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
ISDN<br />
ISG<br />
ISO<br />
ITIL<br />
ITS<br />
ITSM<br />
ITU<br />
IV&V<br />
KEB<br />
KPI<br />
KVM<br />
LAN<br />
LDAP<br />
MIB<br />
MMI<br />
MP<br />
MPLS<br />
MS<br />
MTBF<br />
MTTR<br />
NAC<br />
NAC/NAP<br />
NATO<br />
NC3A<br />
NC3B<br />
NCIA<br />
NCIRC<br />
NCN<br />
NCSA<br />
NCIA SMD<br />
NEDS<br />
NGCS<br />
NISP<br />
NNHQ<br />
NOCO<br />
NONO<br />
NOS<br />
NPKI<br />
NQAR<br />
NR<br />
NR2<br />
NRoI<br />
Integrated Services Digital Network<br />
Internet Services Gateway<br />
International Organization for St<strong>and</strong>ardization<br />
Information Technology Infrastructure Library<br />
Integration <strong>and</strong> Testing Services<br />
Information Technology Service Management<br />
International Telecommunication Union<br />
Independent Verification & Validation<br />
Known Error Database<br />
Key Performance Indicators<br />
Keyboard, Video <strong>and</strong> Mouse<br />
Local Area Network<br />
through Lightweight Directory Access Protocol<br />
Management Information Base<br />
Man-Machine Interface<br />
Migration Plan<br />
Multiprotocol Label Switching<br />
Mission Secret<br />
Mean Time Between Failures<br />
Mean Time To Replace / Repair<br />
North Atlantic Council<br />
Network Access Control/Network Access Protection<br />
North Atlantic Treaty Organisation<br />
NATO Consultation, Comm<strong>and</strong> <strong>and</strong> Control (C3)Agency<br />
NATO Consultation, Comm<strong>and</strong> <strong>and</strong> Control (C3) Board<br />
NATO Communications <strong>and</strong> Information Agency<br />
NATO Computer Incident Response Capability<br />
NATO Core Network<br />
NATO CIS Support Agency<br />
NCIA <strong>System</strong> Management Division<br />
NATO Enterprise Directory Services<br />
NATO General purpose segment Communication<br />
<strong>System</strong><br />
NATO Interoperability St<strong>and</strong>ards & Profiles<br />
New NATO Headquarters<br />
NATO-Owned / Contractor Operated<br />
NATO-Owned / NATO-Operated<br />
NATO Office of Security<br />
NATO Public Key Infrastructure<br />
National Quality Assurance Representative<br />
NATO RESTRICTED<br />
Network Realignment <strong>and</strong> Robustness<br />
NATO Restricted over the Internet<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-529 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
NS<br />
NSVO<br />
NTERs<br />
NU<br />
NVOS<br />
O&M<br />
OLA<br />
ORs<br />
OS<br />
OSI<br />
OSR<br />
PBS<br />
PBX<br />
PDA<br />
PDF<br />
PDR<br />
PFD<br />
PFE<br />
PIA<br />
PIP<br />
PM<br />
PMIC<br />
PMO<br />
PMP<br />
PMP 1<br />
PMS<br />
PNWI<br />
POC<br />
POP<br />
PPRMs<br />
PRM<br />
PSA<br />
PSR<br />
PSTN<br />
PTERs<br />
PTP<br />
PTT<br />
PVLAN<br />
PWBS<br />
QA<br />
QAP<br />
QAR<br />
NATO SECRET<br />
NATO Secure Voice<br />
National TERs<br />
NATO Unclassified<br />
NATO HQ Voice <strong>System</strong><br />
Operations <strong>and</strong> Maintenance<br />
Operational level agreement<br />
Off-specification Reports<br />
Operating <strong>System</strong><br />
Open <strong>System</strong>s Interconnection<br />
Off-specification Reports<br />
Product Breakdown Structure<br />
Private Branch Exchange<br />
Personal Digital Assistant<br />
Portable Document Format<br />
Preliminary Design Review<br />
Product Flow Diagram<br />
Purchaser Furnished Infrastructure & Service<br />
(Equipment)<br />
Public Internet Access<br />
Project Implementation Plan<br />
Project Manager<br />
Programme Management <strong>and</strong> Integration Capability<br />
Project Management Office<br />
Project Management Plan<br />
Project Management Professional<br />
Project Master Schedule<br />
Passive Network Infrastructure<br />
Point of Contact<br />
Point of Presence<br />
Project Progress Review Meetings<br />
Project Review Meeting<br />
Provisional Site Activation<br />
Project Status Report<br />
Public Switched Telephone Network<br />
Partner TERs<br />
Project Test Plan<br />
Postal, Telephone, <strong>and</strong> Telegraph<br />
Private Virtual Local Area Network<br />
Project Work Breakdown Structure<br />
Quality Assurance<br />
Quality Assurance Plan<br />
Quality Assurance Representative<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-530 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
RA<br />
RMP<br />
RPO<br />
RTO<br />
RTP<br />
SA<br />
SAA<br />
SACEUR<br />
SACT<br />
SAN<br />
SBC<br />
SC<br />
SCCM<br />
SCIP<br />
SCOM<br />
SCT<br />
SDIP<br />
SDS<br />
SECAN<br />
SECOPS<br />
SFSD<br />
SHAPE<br />
SIDs<br />
SIOP<br />
SIP<br />
SISRS<br />
SIVP<br />
SLA<br />
SLM<br />
SLT<br />
SMC<br />
SMDI<br />
SOW<br />
SRA<br />
SRs<br />
SRS<br />
SRTP<br />
SSC<br />
SSH<br />
SSO<br />
SSRS<br />
SSS<br />
Registration Authority<br />
Risk Management Plan<br />
Recovery point objective<br />
Recovery time objective<br />
Real Time Transfer Protocol<br />
Site Activation<br />
Security Accreditation Authority<br />
Supreme Allied Comm<strong>and</strong>er Europe<br />
Supreme Allied Comm<strong>and</strong>er Transformation<br />
Storage Area Network<br />
Server Based Computing<br />
Staff Centre<br />
<strong>System</strong> Center Configuration Manager<br />
Secure Communications Interoperability Protocol<br />
<strong>System</strong> Center Operations Manager<br />
Service Certification Tests<br />
SECAN Doctrine <strong>and</strong> Information Publications<br />
<strong>System</strong> Design Specification<br />
Security And Evaluation Agency<br />
Security Operating Procedures<br />
Single Forest Single Domain<br />
Supreme Headquarters Allied Powers Europe<br />
Service Interface Documents<br />
Service Interoperability Point<br />
Service Interface Profile<br />
<strong>System</strong> Interconnection Security Requirements<br />
Statement<br />
Security Implementation Verification Procedures<br />
Service Level Agreement<br />
Service Level Management<br />
Service Level Target<br />
Service Management Capability<br />
Simplified Message Desk Interface<br />
Statement of Work<br />
Security Risk Assessment<br />
Server Rooms<br />
Security Requirements Statement<br />
Secure Real Time Transfer Protocol<br />
Site Security Centre<br />
Secure Shell<br />
Single Sign-On<br />
<strong>System</strong>-specific Security Requirements Statement<br />
Schedule of Supplies <strong>and</strong> Services<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-531 of 532
N A T O U N C L A S S I F I E D<br />
IFB-CO-13300-<strong>ANWI</strong>-AMD-2<br />
ST&E<br />
STANAG<br />
STP<br />
TAP<br />
TBA<br />
TBD<br />
TCF<br />
TCO<br />
TD<br />
TER<br />
TETRA<br />
TL<br />
ToIP<br />
TS<br />
TSR<br />
UCC<br />
UPS<br />
USM<br />
VACL<br />
VDC<br />
VDI<br />
VLAN<br />
VoIP<br />
VoSIP<br />
VPLS<br />
VPN<br />
vSwitch<br />
VTC<br />
WAIT<br />
WAN<br />
WBS<br />
WLAN<br />
XFER<br />
XML<br />
Security Test <strong>and</strong> Evaluation<br />
St<strong>and</strong>ards NATO Agreement<br />
Security Test Plan<br />
Test & Acceptance Plan<br />
To Be Advised<br />
To Be Determined<br />
<strong>Technical</strong> Communications Facility<br />
Total Cost of Ownership<br />
Test Director<br />
Terminal Equipment Room<br />
Terrestrial Trunked Radio<br />
<strong>Technical</strong> Lead<br />
Telephony over IP<br />
<strong>Technical</strong> Specification<br />
<strong>Technical</strong> Specifications Review<br />
Unified Communications <strong>and</strong> Collaboration<br />
Uninterruptable Power Supply<br />
User-based Security Model<br />
VLAN Access Control List<br />
Virtual Device Context<br />
Virtual Desktop Infrastructure<br />
Virtual Local Area Network<br />
Voice over IP<br />
Voice over Secure IP<br />
Virtual Private LAN Service<br />
Virtual Private Network<br />
Virtual Switch<br />
Video TeleConferencing<br />
Call Wait<br />
Wide Area Network<br />
Work Breakdown Structure<br />
Wireless LAN<br />
Call transfer<br />
eXtensible Mark-up Language<br />
N A T O U N C L A S S I F I E D<br />
Book II Page IV-532 of 532