Legislаtive Assessment Consultаnt for USAID Cybersecurity for Critical Infrastructure in Ukrаine Activity

Background:

The USAID Cybersecurity for Critical Infrastructure in Ukraine Activity is funded by USAID and implemented by DAI. The purpose of the Activity is to strengthen the resilience of Ukraine’s critical infrastructure from cyberattacks by establishing trusted collaboration between key cybersecurity stakeholders in the government, private sector, academia, and civil society.

In coordination with USAID, the Activity must work closely with GOU and other stakeholders to review existing, drafted or planned cybersecurity legislation, policies, and institutional reform strategies relevant to critical infrastructure protection and security, to develop a National Cybersecurity Roadmap (“Roadmap”). The Roadmap must support implementation of the National Cybersecurity Strategy by providing the implementation details, prioritization and sequencing currently absent from the Strategy.

As a first step to developing the Roadmap, the Activity must conduct a Legislative Assessment to review existing, drafted or planned cybersecurity legislation, policies, and institutional reform strategies relevant to critical infrastructure protection and security and develop an approach for the legal, regulatory, and institutional reforms to be addressed in the Roadmap. The Activity must coordinate with other programs that have already carried out assessments of the cybersecurity legal framework, in order determine what the gaps are and develop a scope for the assessment. To carry out this task, the Activity seeks services of professional legal/policy consultant.

Initial Findings:

• To date, the following assessments of the broader cybersecurity legal framework have been carried out:
• IFES (2019, Ukrainian Cybersecurity Legal Framework: Overview and Analysis, report presents an analysis of the cybersecurity of the upcoming elections, identifies risks to elections technologies and supporting IT systems, assesses capabilities of Ukrainian stakeholders to handle cyber-incidents and provides recommendations for the improvement of cybersecurity of the upcoming elections);

• Blueprint Energy Solutions (12/2019, Blueprint cyber, report includes analysis of the energy sector cybersecurity resilience in Ukraine, including assessment of gaps in cybersecurity related institutional and legal frameworks);
• EU Delegation to Ukraine (2/2019, Final Report EU Support to Cyber Leg; analysis of the Ukrainian cybersecurity legal framework in terms of their sufficiency for the implementation of the EU NIS Directive).
• MITRE (12/2018, Stakeholder Re-calibration and Election Security Engagements, report examined the various roles of some key stakeholders, identified institutional gaps in the national security system);

The legal framework is based on the Cybersecurity Strategy (Strategy), endorsed by the NSDC in late 2015, and the Law on Main Principles of Maintaining Cybersecurity of Ukraine (Cybersecurity Law), adopted in 2017. The enforcement of the primary cybersecurity legislation still requires development of the respective secondary legislation, by-laws and regulations. While the Concept of the Establishment of State System of Critical Infrastructure Protection was approved in 2017, there is regulatory lagoon for governing Critical Infrastructure Protection, institutional and operational capacities in general and by sectors. While identifying general gaps in the domestic cybersecurity legal framework, the previous assessments in some cases lack specific recommendations for tangible reforms.

Based on this context, the Activity is soliciting the services of professional legal/policy consultant to review the existing assessments referenced above and identify any gaps in those assessments that need to be addressed in additional reviews. The consultant would also determine whether recommendations to addressing gaps identified in these assessments can realistically be addressed and what steps are needed to close those gaps. Under oversight of the Enabling Environment Lead and in close coordination with the implementing partners, the consultant will design a follow-up assessment that would update any missing data needed for comprehensive recommendations and for informing the Cybersecurity Roadmap and Action Plan, including required laws, policies, regulations and institutional developments. S/he will prepare the Cybersecurity Roadmap and Action Plan outlines (concepts) drafts based on the performed comprehensive assessment and recommendations, including implementation details, prioritization and sequencing, preparing analysis and other materials for discussions with stakeholders, participation in the discussions/workshops (at least 2 workshops/round tables)

• Conduct a follow-up assessment of the regulatory framework to identify missing implementation details, prioritization and sequencing currently absent from relevant legal and regulatory documents including the Strategy and the Cybersecurity Law

• Develop recommended next steps for incorporation into the Cybersecurity Roadmap and Action Plan
  • the required development of the respective secondary legislation, by-laws and regulations in line with the EU cybersecurity for critical infrastructure landscape (NIS Directive, CI Directive, EU Cybersecurity Act)
• Draft the Cybersecurity Roadmap and Action Plan outlines (concepts).

Scope of Work

The list of tasks and responsibilities includes the following:

• Carry out a desk review of existing assessments of the cybersecurity legal framework, including those referenced above:
  • Identify recommendations from those assessments and the status of their implementation
  • Determine which of those recommendations we should consider incorporating into the Roadmap
  • Identify gaps in the existing assessments that need to be addressed in a follow-up assessment
• Assess the legal, regulatory, and institutional cybersecurity framework
  • Following a review of existing assessments, determine gaps in those assessments to design the scope of a follow-up assessment
  • Review of existing institutional structures and organizations in Ukraine related to cybersecurity in critical infrastructure and options for reform based on discussions with stakeholders
  • Assistance in preparing analysis, presentations and other materials for discussions with stakeholders, participation in workshops/round tables, parliamentary hearings
  • Conduct a follow-up assessment of the regulatory framework to identify missing implementation details, prioritization and sequencing currently absent from relevant legal and regulatory documents including the Strategy and the Cybersecurity Law
  • Develop recommended next steps for incorporation into the Cybersecurity Roadmap and Action Plan, the required development of the respective secondary legislation, by-laws and regulations in line with the EU cybersecurity for critical infrastructure landscape (NIS Directive, CI Directive, EU Cybersecurity Act)
• Draft the Cybersecurity Roadmap and Action Plan outlines (concepts)
  • Incorporate into the drafts of Cybersecurity Roadmap and Action Plan outlines (concepts) all the required developments, implementation details, prioritization and sequencing based on the performed comprehensive assessment and recommendations
  • Assistance in preparing analysis, presentations and other materials for discussions of Cybersecurity Roadmap and Action Plan outlines (concepts) drafts with stakeholders, participation in workshops/round tables, parliamentary hearings

Required Qualifications:

• Master or PhD Degree in Law, Public Management, Cybersecurity Governance or other relevant IT fields
• Good communication skills and ability to cooperate
• Good command of Ukrainian and English
• Minimum 10 (ten) years professional experience in legal practice, public administration in cybersecurity and IT law and policy in Ukraine
• Experience with international projects on developing cybersecurity, data protection, e-governance policy and regulatory assessments with the GOUs stakeholders

Selection Criteria:

• Meeting qualification requirements – 30
• Relevant experience in conducting similar legal assignments in cybersecurity area – 30
• Understanding of the problem statement and implementation approach – 40

Qualified candidates should send their CV and cover letter to [email protected]. Only short-listed candidates will receive notice requesting additional information.