The purpose of the US Agency for International Development (USAID) Cybersecurity for Critical Infrastructure in Ukraine Activity is to strengthen the resilience of Ukraine’s critical infrastructure against cyberattacks by establishing trusted collaboration between key cybersecurity stakeholders in the government, private sector, academia, and civil society. The activity aims to achieve this goal by implementing the following activity components:
Component 1: Strengthen the cybersecurity enabling environment
The legal, regulatory, and institutional framework for national cybersecurity in Ukraine needs to be strengthened and aligned with international standards and best practices. This component will strengthen the cybersecurity resilience of Ukraine’s critical infrastructure sectors by addressing legislative gaps, promoting good governance, enabling collaboration between stakeholders, and supporting cybersecurity institutions. This component will also build the technical capacity of key sectors through increased access to cybersecurity technology and equipment.
Component 2: Develop Ukraine’s cybersecurity workforce
Ukraine suffers from a severe shortage of cybersecurity professionals. This component of the USAID Cybersecurity for Critical Infrastructure in Ukraine Activity will address workforce gaps through activities that develop new cybersecurity talent and build the capacity of existing talent. These activities will address the entire workforce pipeline, the quality of education received by cybersecurity specialists, and industry training programs to rapidly upskill Ukraine’s workforce to respond to immediate cybersecurity vulnerabilities.
Component 3: Build a resilient cybersecurity industry
A growing cybersecurity industry in Ukraine will contribute directly to national security and prosperity. This component will seek to build trust and collaboration between the public and private sector to develop innovative solutions for future cybersecurity challenges; spur investment and growth in the broader cybersecurity market in Ukraine through greater access to financing; support smaller cybersecurity companies to rapidly increase the number of local cybersecurity service providers; and offer mechanisms for Ukrainian firms to connect with industry partners to enable better access to innovations and business opportunities.
2. The Context:
The State Service for Special Communications and Information Protection (SSSCIP) is a specialized central executive body, which performs activities as a national defense and security sector entity, but also possesses civilian regulatory authority in the field of electronic communications, protection of information, and critical information infrastructure cybersecurity (92 functions in total).
The Laws on National Security of Ukraine, on the Basic Principles of Cybersecurity in Ukraine, on Telecommunications, on SSSCIP, other laws and secondary legislation regulate the activity of the SSSCIP. SSSCIP is a key cyber protection agency of Ukraine, responsible for coordination of cyber protection/defense actions by other entities at national level. The State Cyber Protection Center (SCPC) is a division of the SSSCIP responsible for operational cyber protection functions, including identification and detection of cyber threats. The governmental Computer Emergency Response Team (CERT-UA) is a unit of the SCPC, accredited by the international organization FIRST, to represent Ukraine in the global cybersecurity emergency network.
The plans for reform of SSSCIP were announced in October 2019, and the process of designing the concept for restructuring the entity is hampered by the complexity of the organization and political sensitivities. The new National Cybersecurity Strategy, called for under the National Security Strategy enacted in September 2020, is being developed by the National Coordination Center for Cybersecurity under the National Security and Defense Council of Ukraine. The Strategy will shape the cybersecurity authorities’ missions and roles accordingly to identify cybersecurity priorities.
While reforms are likely to influence the architecture of cybersecurity governance, including distribution of authorities and responsibilities among existing or even new cybersecurity agencies, the State Center for Cyber Protection will very likely retain its cyber protection functions. The Activity therefore seeks to build the capacity of the SCPC on the human/organizational, operational, and technical levels.
3. Objectives and Duties
In order to increase the capacity of SCPC to perform cyber protection operational functions, cyber threat and incident communications, and skills training, the Activity is seeking a short-term expert to perform a functional audit of the organization to identify opportunities for improvements based on a comparative analysis against similar bodies in the U.S. (CERT-US) and European Union (NIS Directive CSIRT requirements) and to design an action plan for improvements. The expert will serve in a dedicated (embedded) capacity to SSSCIP, while working under the oversight of the Enabling Environment Lead and COP in close coordination with the Implementing Partners. The expert will provide several discrete services, with associated objectives.
4. Expected Results/Deliverables:
| Deliverables | Deadline |
| --- | --- |
| Assessment of the existing functions/services of SCPC and their relevance to model CERT/CSIRT organizations (NIS Directive requirements for CSIRT, CERT-US) (report with analysis and recommendations) | December 22, 2020 |
| Develop an upgraded catalogue of services (catalogue with description of services as a report and presentation) | January 13, 2020 |
| Assessment of CERT-UA/SOC’s cyber-maturity level based on ENISA methodology (report with analysis and recommendations) | January 27, 2021 |
| Assessment of human resources management, workforce development and cyber talent retention policy for SCPC based on the current Ukrainian context and international best practices (report with recommendations) | February 24, 2021 |
5. Presentation of deliverables:
The reports shall be submitted in English and Ukrainian with executive summaries (max 1 page long) of the main findings. The expert shall prepare and deliver presentations of the main findings of each assessment to the Activity team and beneficiaries (tentatively a week after submission of each report).
6. Required Qualifications:
Qualified candidates should send their CV and cover letter to [email protected]. Only short-listed candidates will receive notice requesting additional information.