Loading...
The URL can be used to link to this page
Your browser does not support the video tag.
Home
My WebLink
About
Contract 37646
CrTY SECRETARY L�� � CONOTRACT NO PROFESSIONAL SERVICES AGREEMENT This PROFESSIONAL SERVICES AGREEMENT ("Agreement") is made and entered into by and between the CITY OF FORT WORTH (the "City"), a home rule municipal corporation situated in portions of Tarrant, Denton and Wise Counties, Texas, acting by and through Karen L. Montgomery, its duly authorized Assistant City Manager, and CIBER, INC. ("Consultant"), a Delaware corporation and acting by and through its duly authorized representative. The Contract Documents for this Agreement shall consist of the following: A. This Professional Service Agreement B. Exhibit A Statement of Work C. Exhibit B Limited Access Agreement D. Exhibit C DIR Contract DIR-SDD-685 In the event of a conflict between the documents, the order of precedence shall be (1) this Professional Service Agreement, (2) the Statement of Work, and (3) DIR Contract DIR DIR-SDD-685. All documents listed above are attached hereto and made a part of this Agreement for all purposes. 1. SCOPE OF SERVICES. Consultant hereby agrees to provide the City with professional consulting services for the purpose of performing Phase I Security Architecture System Assessment of the Computer Aided Dispatch (CAD) System Architecture. Attached hereto and incorporated for all purposes incident to this Agreement is Exhibit "A," Statement of Work, more specifically describing the services to be provided hereunder. 2. TERM. This Agreement shall commence upon the last date that both the City and Consultant have executed this Agreement ("Effective Date") and shall continue in full force and effect until completion of all services contemplated herein, unless terminated earlier in accordance with the provisions of this Agreement. S. COMPENSATION. The City shall pay Consultant an amount not to exceed $15,865 in accordance with the provisions of this Agreement. Consultant shall not perform any additional services for the City not specified by this Agreement unless the City requests and approves in writing the additional costs for such services. The City shall not be liable for any additional expenses of Consultant not specified by this Agreement unless the City first approves such expenses in writing. 4. TERMINATION, 4.1, Written Notice. The City or Consultant may terminate this Agreement at any time and for any reason by providing the other party with 30 days written notice of termination. 4.2 Non -appropriation of Funds. In the event no funds or insufficient funds are appropriated by the City in any fiscal period for any payments due hereunder, City will notify Consultant of such occurrence and this Agreement shall terminate on the last day of the fiscal period for which appropriations were Professional Services Agreement Ciber, Inc. Page 1 of 7 _..:CORD CITY SECRETARY A �� : � ' WORTH, TX received without penalty or expense to the City of any kind whatsoever, except as to the portions of the payments herein agreed upon for which funds shall have been appropriated. 4.3 Duties and Obligations of the Parties. In the event that this Agreement is terminated prior to the Expiration Date, the City shall pay Consultant for services actually rendered up to the effective date of termination and Consultant shall continue to provide the City with services requested by the City and in accordance with this Agreement up to the effective date of termination. 5. DISCLOSURE OF CONFLICTS AND CONFIDENTIAL INFORMATION. Consultant hereby warrants to the City that Consultant has made full disclosure in writing of any existing or potential conflicts of interest related to Consultant's services under this Agreement. In the event that any conflicts of interest arise after the Effective Date of this Agreement, Consultant hereby agrees immediately to make full disclosure to the City in writing. Consultant, for itself and its officers, agents and employees, further agrees that it shall treat all information provided to it by the City as confidential and shall not disclose any such information to a third party without the prior written approval of the City. Consultant shall store and maintain City Information in a secure manner and shall not allow unauthorized users to access, modify, delete or otherwise corrupt City Information in any way. Consultant shall notify the City immediately if the security or integrity of any City information has been compromised or is believed to have been compromised. 6. RIGHT TO AUDIT. Consultant agrees that the City shall, until the expiration of three (3) years after final payment under this contract, have access to and the right to examine at reasonable times any directly pertinent books, documents, papers and records of the consultant involving transactions relating to this Contract at no additional cost to the City. Consultant agrees that the City shall have access during normal working hours to all necessary Consultant facilities and shall be provided adequate and appropriate work space in order to conduct audits in compliance with the provisions of this section. The City shall give Consultant reasonable advance notice of intended audits. Consultant further agrees to include in all its subcontractor agreements hereunder a provision to the effect that the subcontractor agrees that the City shall, until expiration of three (3) years after final payment of the subcontract, have access to and the right to examine at reasonable times any directly pertinent books, documents, papers and records of such subcontractor involving transactions related to the subcontract, and further that City shall have access during normal working hours to all subcontractor facilities and shall be provided adequate and appropriate work space in order to conduct audits in compliance with the provisions of this paragraph. City shall give subcontractor reasonable notice of intended audits. Nothing in this agreement shall require Consultant or its subcontractor to produce or provide access to any document, materials, or information in any form or on any media, which is subject to a legitimate claim of exclusion, privilege, or protection recognized under federal or state law, including, but not limited to, the attorney -client and the attorney work product privileges. 7. INDEPENDENT CONTRACTOR. It is expressly understood and agreed that Consultant shall operate as an independent contractor as to all rights and privileges granted herein, and not as agent, representative or employee of the City. Subject to and in accordance with the conditions and provisions of this Agreement, Consultant shall have the exclusive right to control the details of its operations and activities and be solely responsible for the acts and omissions of its officers, agents, servants, employees, contractors and subcontractors. Consultant acknowledges that the doctrine of respondeat superior shall not apply as Professional Services Agreement Ciber, Inc. Page 2 of 7 between the City, its officers, agents, servants and employees, and Consultant, its officers, agents, employees, servants, contractors and subcontractors. Consultant further agrees that nothing herein shall be construed as the creation of a partnership or joint enterprise between City and Consultant. Notwithstanding the foregoing, the City acknowledges and agrees that in its performance of the services, Consultant is entitled to reasonably rely on the information and materials the City, its officers, agents, servants and employees, provide to the Consultant, its officers, agents, employees, servants, contractors and subcontractors. 8. LIABILITY AND INDEMNIFICATION. The parties agree that the provisions of Exhibit C, DIR Contract No. DIR-SDD-685, Appendix A, Standard Terms and Conditions for Services Contracts, page 8, Section 7.A.2. Vendor Responsibilities, Indemnification, Acts or Omission Subsection C shall apply to this Agreement. 9. ASSIGNMENT AND SUBCONTRACTING. Consultant shall not assign or subcontract any of its duties, obligations or rights under this Agreement without the prior written consent of the City. If the City grants consent to an assignment, the assignee shall execute a written agreement with the City and the Consultant under which the assignee agrees to be bound by the duties and obligations of Consultant under this Agreement. The Consultant and Assignee shall be jointly liable for all obligations under this Agreement prior to the assignment. If the City grants consent to a subcontract, the subcontractor shall execute a written agreement with the Consultant referencing this Agreement under which the subcontractor shall agree to be bound by the duties and obligations of the Consultant under this Agreement as such duties and obligations may apply. The Consultant shall provide the City with a fully executed copy of any such subcontract. 10. INSURANCE. Consultant shall provide the City with certificates) of insurance documenting policies of the following minimum coverage limits that are to be in effect prior to commencement of any work pursuant to this Agreement: 10.1 Coverage and Limits (a) Commercial General Liability $110001000 Each Occurrence $1,000,000 Aggregate (b) Automobile Liability $1,000,000 Each accident on a combined single limit basis or $250,000 Property damage $500,000 Bodily injury per person per occurrence Coverage shall be on any vehicle used by the Consultant, its employees, agents, representatives in the course of the providing services under this Agreement. "Any vehicle" shall be any vehicle owned, hired and non -owned (c) Worker's Compensation Statutory limits Employer's liability $100,000 Each accident/occurrence $100,000 Disease per each employee $500,000 Disease - policy limit This coverage may be written as follows: Professional Services Agreement Ciber, Inc. Page 3 of 7 Workers' Compensation and Employers' Liability coverage with limits consistent with statutory benefits outlined in the Texas workers' Compensation Act (Art. 8308 — 1.01 et seq. Tex. Rev. Civ. Stat.) and minimum policy limits for Employers' Liability of $100,000 each accident/occurrence, $500,000 bodily injury disease policy limit and $100,000 per disease per employee (d) Technology Liability (Errors &Omissions) $1,000,000 Each Claim Limit $1,000,000 Aggregate Limit Technology coverage may be provided through an endorsement to the Commercial General Liability (CGL) policy, or a separate policy specific to Technology E&O. Either is acceptable if coverage meets all other requirements. Coverage shall be claims -made, and maintained for the duration of the contractual agreement and for two (2) years following completion of services provided. An annual certificate of insurance shall be submitted to the City to evidence coverage. 10.2 Certificates. Certificates of Insurance evidencing that the Consultant has obtained all required insurance shall be delivered to the City prior to Consultant proceeding with any work pursuant to this Agreement. The Commercial General Liability and Automobile Liability policies shall be endorsed to name the City as an additional insured thereon, as its interests may appear. The term City shall include its employees, officers, officials, agent, and volunteers in respect to the contracted services. Any failure on the part of the City to request required insurance documentation shall not constitute a waiver of the insurance requirement. A minimum of thirty (30) days notice of cancellation or reduction in limits of coverage shall be provided to the City. Ten (10) days notice shall be acceptable in the event of non-payment of premium. Such terms shall be endorsed onto Consultant's insurance policies. Notice shall be sent to the Risk Manager, City of Fort Worth, 1000 Throckmorton, Fort Worth, Texas 76102, with copies to the City Attorney at the same address. 11. COMPLIANCE WITH LAWS ORDINANCES RULES AND REGULATIONS. Consultant agrees to comply with all applicable federal, state and local laws, ordinances, rules and regulations. If the City notifies Consultant of any violation of such laws, ordinances, rules or regulations, Consultant shall immediately desist from and correct the violation. 12. NON-DISCRIMINATION COVENANT. Consultant, for itself, its personal representatives, assigns, subcontractors and successors in interest, as part of the consideration herein, agrees that in the performance of Consultant's duties and obligations hereunder, it shall not discriminate in the treatment or employment of any individual or group of individuals on any basis prohibited by law. If any claim arises from an alleged violation of this non- discrimination covenant by Consultant, its personal representatives, assigns, subcontractors or successors in interest, Consultant agrees to assume such liability and to indemnify and defend the City and hold the City harmless from such claim. 13. NOTICES. Notices required pursuant to the provisions of this Agreement shall be conclusively determined to have been delivered when (1) hand -delivered to the other party, its agents, employees, servants or Professional Services Agreement Ciber, Inc. Page 4 of 7 representatives, (2) delivered by facsimile with electronic confirmation of the transmission, or (3) received by the other party by United States Mail, registered, return receipt requested, addressed as follows: To The CITY: City of Fort Worth/IT Solutions 1000 Throckmorton Fort Worth TX 76102-6311 Facsimile: (817) 392-8654 14. SOLICITATION OF EMPLOYEES. To CONSULTANT: CIBER, Inc. 4515 Seton Center Parkway, Suite 100 Austin TX 78759 With a copy to: CIBER, Inc. 5251 DTC Parkway, Suite 1400 Greenwood Village, CO 80111 Attn Law Department Phone (303) 220-0100 Fax (303) 2244125 Neither the City nor Consultant shall, during the term of this agreement and additionally for a period of one year after its termination, solicit for employment or employ, whether as employee or independent contractor, any person who is or has been employed by the other during the term of this agreement, without the prior written consent of the person's employer. This provision does not prohibit either party from soliciting employment through general circulation advertising that is not targeted at the employees of the other party. 15. GOVERNMENTAL POWERS. It is understood and agreed that by execution of this Agreement, the City does not waive or surrender any of its governmental powers. 16. NO WAIVER. The failure of the City or Consultant to insist upon the performance of any term or provision of this Agreement or to exercise any right granted herein shall not constitute a waiver of the City's or Consultant's respective right to insist upon appropriate performance or to assert any such right on any future occasion. 17. GOVERNING LAW /VENUE. This Agreement shall be construed in accordance with the internal laws of the State of Texas. If any action, whether real or asserted, at law or in equity, is brought on the basis of this Agreement, venue for such action shall lie in state courts located in Tarrant County, Texas or the United States District Court for the Northern District of Texas, Fort Worth Division, 18. SEVERABILITY. If any provision of this Agreement is held to be invalid, illegal or unenforceable, the validity, legality and enforceability of the remaining provisions shall not in any way be affected or impaired. 19. FORCE MAJEURE. The parties agree that the provisions of Exhibit C DIR Contract No. DIR-SDD-685 Appendix A, Professional Services Agreement Ciber, Inc. Page 5 of 7 Standard Terms and Conditions for Services Contracts, page 15, Section 8.C. Force Majeure shall apply to this Agreement. 20. HEADINGS NOT CONTROLLING. Headings and titles used in this Agreement are for reference purposes only and shall not be deemed a part of this Agreement. 21. REVIEW OF COUNSEL. The parties acknowledge that each party and its counsel have reviewed and revised this Agreement and that the normal rules of construction to the effect that any ambiguities are to be resolved against the drafting party shall not be employed in the interpretation of this Agreement or exhibits hereto. 22. AMENDMENTS /MODIFICATIONS / EXTENSTIONS. No extension, modification or amendment of this Agreement shall be binding upon a party hereto uMess such extension, modification, or amendment is set forth in a written instrument, which is executed by an authorized representative and delivered on behalf of such party. 23. ENTIRETY OF AGREEMENT. This Agreement, including the schedule of exhibits attached hereto and any documents incorporated herein by reference, contains the entire understanding and agreement between the City and Consultant, their assigns and successors in interest, as to the matters contained herein. Any prior or contemporaneous oral or written agreement is hereby declared null and void to the extent in conflict with any provision of this Agreement. 24. LIMITATION OF LIABILITY. For any claim or cause of action arising under or related to this Agreement, none of the parties shall be liable to the other for punitive, special, or consequential damages, even if it is advised of the possibility of such damages. [SIGNATURE PAGE FOLLOWS] Professional Services Agreement Ciber, Inc. Page 6 of 7 IN ITNESS WHEREOF, the parties hereto have executed this Agreement in multiples this ` day of 200'. CITY OF FORT WORTH: Assistant City Manager /CFO Date: % / 0 4' ATTEST: y Hendrix Secretary APPROVED AS TQ-FORM AND LEGALITY: MalesWig B. Farmer Assistant City Attorney Professional Services Agreement Ciber, Inc. Page 7 of 7 CIBER, INC. Name: � A,� /'�'► � //� ►� tie:��t �'rLvcv� Date: ATTEST: FA r OFFICIAL RECORD CITY 5ECF2ET'AR9� FT. WORTH, TX City of Fort Worth CAD System Assessment —Phase Statement of Work DRAFT Version 1.0 6/27/2008 SOW Prepared For: SOW Prepared For: Alan Girton Senior Manager, Information Security City Of Fort Worth (817) 392-8484 Submitted in Confidence by: CIBER, Inc. Mary Anne Clement Senior Solutions Consultant 4515 Seton Center Parkway, Suite 100 Austin, Texas 78759 (972) 831-3357 or (512) 983-0884 FORT WORTH maclemenQw. duer.com CAD Security Assessment Statement of Work Table U1 Contents � aber� ALWAYS ABLE 1 INTRODUCTION............................................................................................................................................ 1 2 SCOPE........................................................................................................................................................... 1 3 WORK APPROACH......................................................................................................................................... 1 3.1 Phase I: CAD/MDC Security Architecture and Deployment Risk Assessment..............................................2 4 DELIVERABLES...............................................................................................................................................2 4.1 Security Assessment Report......................................................................................................................... 2 4.2 Spot Vulnerability Reports (as necessary)....................................................................................................4 5 SCHEDULE.................................................................................................................................................4 6 ROLES AND RESPONSIBILITIES....................................................................................................................... 5 6.1 Project Organization.....................................................................................................................................5 6.2 CIBER Roles and Responsibilities..................................................................................................................6 6.3 City of Fort Worth Roles and Responsibilities..............................................................................................7 7 Engagement management.. soosesseald message mad evessam Rose@@@ wool 8 7.1 Issue Management.......................................................................................................................................8 7.2 Risk Management. 2 m 0 0 0 0 0 0 9 m 0 0 0 m s 9 0 0 * 4 a a s 0 0 0 a 0 m 0 4 0 * 4 0 0 4 0 4 4 0 0 0 so 0 0 0 0 0 * 0 a 4 0 0 0 4 0 0 a * a 0 0 a 0 * a 6 8 0 0 4 a 0 0 0 0 a & a 0 a 6 0 8 6 0 a 6 a 6 a 0 a a 9 0 0 9 6 0 a 0 1 0 0 0 0 a a s a 9 0 0 1 a 9 0 0 a 0 0 a 0 a 0 0 0 0 0 0 0 0 9 7.3 Project Communications. . a a a 6 * 0 6 a 6 0 * 6 9 * 0 * 0 6 v 6 * 0 6 0 * 0 a 4 0 9 a a 6 0 6 0 a 6 0 0 9 0 0 0 0 0 a 0 0 * 0 0 0 0 0 0 0 0 9 0 a 0 0 0 a a a a 0 a 0 0 a 0 a a a 0 0 0 0 0 a 0 0 a m a 0 a 6 a * 0 6 0 a 0 m 0 a m 0 0 a 0 m m 6 0 a 6 a a m m 0 9 t a m 0 0 a 6 9 7.4 Change Management. 8 0 s 0 0 0 0 m 0 0 * 0 4 0 0 4 0 4 a * m 4 m * s 0 0 4 8 * 0 0 0 & e 0 0 0 4 0 0 4 8 4 a a 0 0 a 8 0 0 0 8 a 0 a 6 0 & a 0 a a a 0 a 6 a * 0 a a 6 a a 0 * * a 0 a a 0 * a 0 0 a 0 0 a 0 a a 0 0 a 0 0 a 0 a 9 0 0 a 0 0 0 0 6 0 0 0 a 0 0 0 0 a 6 a a 0 0 a a 10 7.5 Quality Assurance.......................................................................................................................................12 7.6 Acceptance Management...........................................................................................................................12 8 PROJECT FEES......... man *managed asoonvaboom news nowssawassesDasm man season memos 0 9 4 9 a a 0 a a a a a a 0 4 0 a 0 a 8 9 a 8 a a a a 0 8 a a 8 a 0 814 9 APPROVALS.................................................................................................................................................15 Appendix A —Sample Change Request Form........................................................................................................16 Appendix B —Sample Deliverable/Service Acceptance Form................................................................................17 AppendixC —Sample Project Plan........................................................................................................................18 USE AND DISCLOSURE OF INFORMATION IN THIS DOCUMENT This document contains information that is proprietary to CIBER, Inc. Reproduction antllor further distribution of this information must be approved by CIBER. © 2008 CIBER, Inc. All Rights Reserved Page ii FORT WORTH Security Assessment Statement of Work 1 INTRODUCTION 'ber�ALWAYS ABLE CIBER is pleased to submit this Statement of Work (SOW) for Security Assessment Services on behalf of the City of Fort Worth (Fort Worth). For this project, CIBER will use the expertise of its Global Security Practice. This SOW defines the formal agreement to provide a security assessment related to the implementation of the new computer -aided dispatch (CAD) system for the police department. The SOW includes a basic summary of the project approach, the project deliverables, defines the schedule for delivery of these deliverables, and defines the parameters for project control. This time -tested CIBER methodology will ensure that this project will be delivered with the utmost attention to completeness and professionalism. 2 SCOPE The purpose of this section is to define the level of effort required for each phase of this project so that CIBER can meet the expectations of Fort Worth. This SOW covers only Phase I. Phases II, III and IV are subject to the City having funding and will not be pursued until fiscal year 2009. Phase I is described in more detail in Section 3: Work Approach. • Phase I -CAD/MDC Security Architecture Review: CIBER will evaluate the network architecture as it pertains to the CAD/MDC environment. • Phase II -Policy and Practices Assessment: CIBER will perform 16 hours of on -site interviews and review up to 30 pages of security policies and supporting documents. • Phase II -Vulnerability Assessment: CIBER will utilize automated and manual techniques to scan and evaluate CAD/MDC systems. The scope of the vulnerability assessment will be determined after the conclusion of the Security Architecture review. The initial estimate is for 20 IP addresses externally and 100 IP addresses internally. • Phase IV -Ethical Hacking: CIBER will leverage results from the Vulnerability Assessment to identify targets and attack vectors for attempted exploitation. Execution of exploit activities will not exceed 12 hours. This following section details the approach that CIBER's Global Security Practice will follow for Phase I. USE AND DISCLOSURE OF INFORMATION IN THIS DOCUMENT This document contains information that is proprietary to CIBER, Inc. Reproduction and/or further distribution of This information must be approved by CIBER. © 2008 CIBER, Inc. All Rights Reserved Page 1 FORT WORTH CAD Security Assessment Statement of Work Giber--� ALWAYS ABLE ' 3.1 Phase k CAD/MDC Security Architecture and Deployment Risk Assessment CIBER will conduct gain an understanding of the CAD/MDC environment, architecture, and deployment of hardware and remote devices through interviews, document and diagram reviews, and configuration of servers and remote devices. Information gathered will be analyzed to identify risks to the environment, and recommendations for improvement will be provided as needed. During this phase, CIBER will; • Interview Stakeholders, engineers, and end -users to understand business drivers and needs. • Examine network diagrams and supporting documentation. • Review the security configuration and implementation of Active Directory and mobile cards in the environment. ® Perform a desktop analysis of system connections and trust relationships between servers and hosts. o Attempt to identify areas where security controls can be improved and provide practical recommendations. The results of this analysis will be detailed in the CAD/MDC Security Architecture Report. 4 DELIVERABLES In accordance with the project approach, the Security Assessment Report will be delivered in phases. Each new phase will be appended to the existing report as it is completed. The Security Assessment Report will initially be delivered in Draft form for Fort Worth's review (electronically in Microsoft Word format). After final review and appropriate updates, the Final Report will be delivered in PDF format both electronically and on CD- ROM. 4.1 Security Assessment Report The Security Assessment Report captures our collective efforts and is a key document for managers responsible for the security infrastructure and who desire more analysis dialogue for technical and/or program controls. • Recommendations will include Root Causes as appropriate. USE AND DISCLOSURE OF INFORMATION IN THIS DOCUMENT This document contains information that is proprietary to CIBER, Inc. Reproduction antl/or further distribution of this information must be approved by CIBER. © 2008 CIBER, Inc. All Rights Reserved Page Z FORT WORTH CAD Security Assessment Statement of Work ciber-� ALWAYS ABLE • The Security Assessment Report documents the results of our analysis for all phases of the engagement. Each section of the report addresses a major activity and all of its components. • The report idenes each activity and fully discusses the results of our analysis (findings) in terms of presence and effectiveness of technical and/or non- technical controls. Conclusions and recommendations for improvement from all components of the assessment are contained within this comprehensive report. • The report will include a graphical analysis of both technical and non -technical security controls. Figure 1: Technical Control Effectiveness Graph is an example of the Technical Controls Graph. 5 4.5 1 0.5 0 Figure 1: Technical Control Effectiveness Graph aN y y e J�e� ti°re a�J� 4yo Gr' P The report is organized in the following manner: • Executive Summary —The Executive Summary provides an overview of the project and an overview of control strengths and weaknesses. USE AND DISCLOSURE OF INFORMATION IN THIS DOCUMENT This document contains information that is proprietary to CIBER, Inc. Reproduction and/or further distribution of this information must be approved by CIBER. © 2008 CIBER, Inc. All Rights Reserved Page 3 FORT WORTH CAD Security Assessment Statement of Work �= ciber� ALWAYS ABLE • Project Background and Approach — Project Background documents detailed foundational information as well as scoping factors and imposed constraints. The approach section fully discusses how each phase of the project was accomplished in terms of methodology used and tools employed. • Findings and Recommendations —The Findings and Recommendations section details findings within each phase of the assessment (such as external controls, penetration efforts, architecture, firewalls, routers, etc.) in terms of what we found, what it means, and how it can be fixed. Each weakness is identified as a high, medium, or low vulnerability based on its potential of being exploited. As appropriate, technical data in the form of screen prints and/or tables are provided to amplify the finding and analyst's comments. Additional technical information is available by following a reference to the appropriate appendix. • Recommendations on how to remediate the findings are provided in a narrative form. When suggested recommendations contain more than one course of action, the recommendations will be prioritized. • Appendices will be added as necessary. Note: Since identified vulnerabilities are often manifestations of deeper root causes (e.g., current patches not applied may be the result of an under -funded information security program, the lack of a software maintenance contract, or the administrator's inattention to user group or vendor advisories), GIBER will provide recommendations to remediate not only the identified vulnerability but also the root cause when it can be identified within the scope of the engagement. 4.2 Spot Vulnerability Reports (as necessary) During the course of the engagement, GIBER may observe a technical or non -technical control vulnerability that has the potential to critically affect the confidentiality, integrity, or availability of Fort Worth's private information (e.g., a "show stopper"). If this happens, GIBER will immediately notify the Fort Worth contact and issue a Spot Vulnerability Report. The report discloses the system, what we observed, and a recommended corrective action. The issuance of the Spot Vulnerability Report is immediate and not tied to deliverable dates. 5 SCHEDULE GIBER is prepared to commence work on the engagement within two weeks of Fort Worth's acceptance. We anticipate the Architecture Review to require approximately two weeks. USE AND DISCLOSURE OF INFORMATION IN THIS DOCUMENT This document contains information that is proprietary to GIBER, Inc. Reproduction andlor further distribution of this information must be approved by GIBER. © 2008 GIBER, Inc. All Rights Reserved Page 4 FORT WORTH CAD Security Assessment Statement of Work 6 ROLES AND RESPONSIBILITIES 6.1 Project Organization Coordination , --------------- Communication ----- Oversight Management Direction Sr. Technical Assessor Figure 2 -Project Organization Fort Worth Project Sponsor Alan Girton ciber- ALWAYS ABLE Sr. Non -Tech Assessor Figure 2 above shows the key roles for CIBER and Fort Worth in executing this project, and Table 1 and Table 2 explain the roles of CIBER and of Fort Worth. USE AND DISCLOSURE OF INFORMATION IN THIS DOCUMENT This document contains information that is proprietary to CIBER, Inc. Reproduction andlor further distribution of this information must be approved by CIBER. © 2008 CIBER, Inc. All Rights Reserved Page 5 FORT WORTH CAD Security Assessment Statement of Work 6.de CIBER Roles and Responsibilities 6.2.1 CIBER Roles Table 1 -CIBER Roles aber�ALWAYS ABLE R.- Project Responsibilities CIBER Branch Office — Provides account management, project oversight, and Engagement and Relationship customer care. Alternative point of contact for issue Management escalation. CIBER Global Security Practice Provides management direction to the project team. — Delivery Management Source of security vision, technical guidance, methodologies, tools, and supplemental resources. Project Manager and/or Provides leadership and project management for all Assessment Lead tasks. Primary contact for project communications and issue resolution. Directs the work of project team. Ensures deadlines and commitments are met. Performs key assessment activities. Project Team Members Carries out security assessment activities as directed by the Project Manager. 6.2.2 CIBER Responsibilities • CIBER will provide all tools and consultant laptops to perform the work described in this SOW. • CIBER will work within mutually agreed upon testing windows for any activity that involves live production systems (and CIBER will NOT run automated security tools against platforms or associated processing environments without the ability to communicate directly with a designated Fort Worth liaison.) • Based upon Fort Worth's preferred testing window(s), this may require availability of Fort Worth resources after normal business hours. • CIBER will endeavor to keep operational risks, inherent in this type of engagement, to a minimum and cease our activities if we perceive they will be disruptive to your operations. Despite our best efforts, automated security tools can sometimes impact network performance or crash servers. Problems are rare and are generally easily corrected in a manner of minutes (most severe problems require, at most, a system re -boot). However, it must be mutually agreed that there are risks, including the possibility of an inadvertent denial of service (DoS), USE AND DISCLOSURE OF INFORMATION IN THIS DOCUMENT This document contains information that is proprietary to CIBER, Inc. Reproduction and/or further distribution of this information must be approved by CIBER. ©2008 CIBER, Inc. All Rights Reserved Page 6 FORT WORTH CAD Security Assessment Statement of Work Giber -i — — ALWAYS ABLE and that the risks associated with this type of engagement are acknowledged and accepted by Fort Worth. 6.3 City of Fort Worth Roles and Responsibilities 6.3.1 City of Fort Worth Roles Project Sponsor 6.3.2 Fort Worth Roles Table 2 —City of Fort Worth Roles Provides project direction and guidance. Functions as the formal escalation point for the CIBER delivery team for all issues, risks, and problems. The Project Sponsor will assure that all Fort Worth documentation is provided to CIBER on the first day of the project (could include firewall configuration logs, ACL's, and scanning authorization forms; as well as security policies and procedures). The Project Sponsor will also facilitate all resource and m access. • To assure that all deliverables can be completed per the project schedule, it will be critical that Fort Worth resources are available for interviews (with reasonable scheduling notice); that requested access to the internal network, network devices, files, and other technical resources are provided on a timely basis; and that Fort Worth resources are also available during scheduled testing windows to address any issues that may arise. • For internal testing, Fort Worth will provide a workspace with access to the network segments to be assessed. During testing, Fort Worth will provide user, local administrator, and administrator account access as needed by CIBER. • Fort Worth will provide system administrator support to obtain softcopy (preferred) or hardcopy configuration files for device configuration reviews. • Fort Worth will identify a contact person (trusted agent) who is authorized to make real-time decisions relative to this engagement on behalf of Fort Worth. USE AND DISCLOSURE OF INFORMATION IN THIS DOCUMENT This document contains information that is proprietary to CIBER, Inc. Reproduction and/or further distribution of this information must be approved by CIBER. © 2008 CIBER, Inc. All Rights Reserved Page 7 FORT WORTH CAD Security Assessment Statement of Work fiber i ALWAYS ABLE • A Fort Worth contact will be in the incident escalation chain to preclude CIBER assessment activities being inadvertently identified and externally reported as attacks. • Fort Worth understands and accepts that because system and application vulnerabilities are being discovered and reported on a daily basis, not all vulnerabilities present in the designated Fort Worth systems and associated processing environment may be detected. 7 ENGAGEMENT MANAGEMENT CIBER follows a rigorous process for engagement and project management, as outlined in this section, to assure that the project will be completed on time, within the budget, and meeting the quality requirements specified. These processes control scope creep, enforce standards for quality assurance, and manage issues and risks. Project controls include: • Issue Management • Risk Management • Project Communications • Change Management • Quality Assurance • Acceptance Management 7.1 Issue Management Issue Management is a structured approach to identifying, assessing, tracking, and resolving problems during a project. Issues surface unexpectedly and must be addressed expeditiously. The CIBER Project Manager is responsible for documenting, tracking, and bringing to closure project issues. Often, CIBER can execute a project of this size and complexity without encountering any significant issues. If issues are identified during this project by Fort Worth or CIBER, the CIBER Project Manager will maintain an Issues Matrix as part of the Project Status Report containing descriptions, responsibilities, dates, and severity of issues identified during the course of the project. If necessary, a Change Order may be agreed to by both parties to aid in resolving a project issue (for an explanation of the Change Request process and form, see Change Management) USE AND DISCLOSURE OF INFORMATION IN THIS DOCUMENT This document contains information that is proprietary to CIBER, Inc. Reproduction and/or further distribution of this information must be approved by CIBER. © 2008 CIBER, Inc. All Rights Reserved Page 8 FORT WORTH CAD Security Assessment Statement of Work 7.2 Risk Management Cciber. ALWAYS ABLE Project risk is an event or condition that may have a negative effect on a project objective. Risk Management is the structured approach to assessing, tracking and minimizing the probability and consequences of adverse events through mitigation strategies and contingency planning. The CIBER Project Manager is responsible for assessing, planning for, tracking, and addressing project risks. Due to the relatively small size and duration of this project, CIBER considers this a low -risk project. If risks are identified by Fort Worth or CIBER during this project, the CIBER Project Manager will maintain a Risk Matrix as part of the Project Status Report containing descriptions, responsibilities, dates, and severity of risk identified during the course of the project. 7.3 Project Communications Appropriate oversight and effective problem resolution are keys to project success. CIBER will maintain an open line of communication with Fort Worth during this engagement, and will review the project status with the Fort Worth Project Sponsor on a weekly basis by phone call or other agreed upon method. 7.3.1 Status Reporting The CIBER Project Manager will send a status report by a -mail each week on a day mutually agreed upon between CIBER and Fort Worth. The CIBER Project Manager will review the status report with the Fort Worth Project Sponsor each week by telephone or other agreed upon method on a day mutually agreed upon between CIBER and Fort Worth. CIBER's standard weekly project status report will provide a: • Summary of Accomplishments for the past week. • Summary of Planned Activities for the next week. • Status of Milestones and Deliverables. • Analysis of Plan Variances. • Summary of Issues, Risks, and Change Requests. Management Review CIBER projects undergo scheduled internal progress reviews to ensure that established standards and processes are being followed and that the project is proceeding according to plan. Corrective actions are identified, implemented and USE AND DISCLOSURE OF INFORMATION IN THIS DOCUMENT This document contains information that is proprietary to CIBER, Inc. Reproduction andlor further distribution of this information must be approved by CIBER. ©2008 CIBER, Inc. All Rights Reserved Page 9 FORT WORTH Ober_ cAAYS ABLE CAD Security Assessment Statement of Work monitored through project completion. These reviews are performed monthly or as needed during the project. 7.4 Change Management Project Change Management is a process by which requests for modifications to the established scope, schedule, or cost are controlled and managed. A defined process for managing change is essential to completing initiatives on time and within budget. The CIBER Project Manager is responsible for ensuring that Change Requests are documented, tracked, and closed. 7.4.1 Project Change Management Process —Overview Project Change Requests for expanded effort, longer timelines, and other project items that may impact cost will be addressed using the Change Request form (see Appendix A — Sample Change Request Form). The CIBER Project Manager will analyze each Change Request for its impact to the project scope, schedule, and budget. The impacts will be documented as a component of the original Change Request, CIBER's Project Manager or Engagement Manager will prepare a recommendation for each Change Request and present it for Fort Worth's approval using a Change Request Form. The CIBER Project Manager will implement, close, or defer the Change Request based upon Fort Worth's decision to approve, disapprove, or defer the request. For approved Change Requests, the Change Request Form will be appended to this Statement of Work and scope, schedule, and budget impacts will be reflected in an updated baseline Project Plan. Project Change Management Process —Project Specific Policies The following Change Management Process policies apply: • Alternatives to formal client signatures on Change Request Forms: • In lieu of a signed Change Request Form, an e-mail message sent directly from Fort Worth Project Sponsor to the CIBER Project Manager indicating approval or rejection of a Change Request constitutes formal approval or rejection for this project. • Approval or rejection turnaround timeframe: • The Fort Worth Project Sponsor will approve or reject the Change Request within three (3) business days from the receipt of the Change Request Form if initiated by CIBER. The CIBER Project Manager will USE AND DISCLOSURE OF INFORMATION IN TNIS DOCUMENT This document contains information that is proprietary to CIBER, Inc. Reproduction and/or further distribution of this information must be approved by CIBER. © 2008 CIBER, Inc. All Rights Reserved Page 10 FORT WORTH fiber --- ALWAYS ABLE CAD Security Assessment Statement of Work accept or reject the Change Request within three (3) business days from receipt of the Change Request Form if initiated by Fort Worth. • If the Change Request equates to 20% of the total project cost or higher or more than $25,000, approval will be subject to the City of Fort Worth's formal approval process and may extend beyond three (3) business days. • Course of action if an Approver is unavailable or does not respond with a A ecision in the timeframe specified: • If the Fort Worth Project Sponsor does not approve or reject the Change Request within three (3) business days from the receipt of the Change Request Form, and does not communicate a timeframe in which a decision will be made: •The Change Request decision will be logged, tracked and managed as a 'Deferred' request. • Work will progress without incorporating the requested change into the work plan. • Where an approval or rejection decision is necessary for the project to progress, the Change Request decision will be logged, tracked and escalated as a project issue in accordance with the project's Issue Management Process. • Analysis of 'out -of -scope' Change Requests: • For Change Requests that are determined to be outside the stated project scope, the Fort Worth Project Sponsor will authorize cost and/or schedule allowance on a Time & Materials basis for the initial analysis of a Change Request, either as direct funding for the analysis effort or as part of the overall funding for the implementation of an approved request. • Resolution of scope disputes: • The CIBER Engagement Manager or Project Manager and the Fort Worth Project Sponsor will try to resolve any dispute regarding the `in -scope' or 'out -of -scope' classification of work by referring to this Statement of Work, the Contract; and any changes, amendments, and attachments to these documents to which the parties have previously agreed in writing. If the CIBER Project Manager and the Fort Worth Project Sponsor cannot reach agreement within 3 business days, dispute resolution will be escalated to the Fort Worth Project Sponsor and the CIBER VP and/or Area Director (or their respective designees) per the Master Agreement. • Fort Worth Change Request Approvers: USE AND DISCLOSURE OF INFORMATION IN THIS DOCUMENT This document contains information that is proprietary to CIBER, Inc. Reproduction and/or further distribution of this information must be approved by CIBER. © 2008 CIBER, Inc. All Rights Reserved Page 11 FORT WORTH CAD Security Assessment Statement of Work ciber� --- --ALWAYS ABLE • The following person has been designated by Fort Worth as the Approver of Change Requests for the project: Alan Girton • Alternate approvers may be designated by Fort Worth. 7.5 Quality Assurance CIBER's Quality Assurance Process will: • Evaluate processes, work products, and services against the applicable process descriptions, standards, and procedures. • Identify and document noncompliance issues. • Provide feedback regarding quality assurance to engagement staff and managers. A trained CIBER resource, typically a senior member of the CIBER Global Security Practice staff, will conduct Quality Reviews of the Project Plan and all deliverable reports to assess compliance to CIBER policy and standards and document any observed noncompliance. Corrective actions will be noted to assist the project team in addressing each noncompliance observation. The CIBER Engagement Manager will ensure implementation of corrective actions resulting from the Quality Assurance reviews. 7.6 Acceptance Management CIBER's Acceptance Management Process ensures that deliverables or services provided by CIBER during the engagement are presented to Fort Worth for acceptance. Formal acceptance by Fort Worth indicates that the deliverable or service has been completed in accordance with this Statement of Work. The CIBER Project Manager is responsible for ensuring that engagement deliverables and services are formally accepted by Fort Worth. 7.6.1 Acceptance Management Process —Overview The CIBER Project Manager or designee will declare a deliverable or service complete and ready for acceptance when: • Task work efforts have been completed. • Internal Quality Assurance efforts have been conducted. • The CIBER Project Manager or designee will validate that the deliverable or service is ready for acceptance and present the deliverable or service, or representative documentation, to Fort Worth for acceptance. USE AND DISCLOSURE OF INFORMATION IN THIS DOCUMENT This document contains information that is proprietary to CIBER, Inc. Reproduction antllor further distribution of this information must be approved by CIBER. © 2008 CIBER, Inc. All Rights Reserved Page 12 FORT WORTH CAD Security Assessment Statement of Work _Giber ALWAYS ABLE Fort Worth will formally accept the deliverable or service as complete and in conformance with this Statement of Work, or reject the deliverable or service and state reasons for rejection. See Appendix B — Sample Deliverable/Service Acceptance Form. The CIBER Project Manager or designee will coordinate efforts to redress deliverables or services rejected by Fort Worth. 7.6.2 Acceptance Management Process —Engagement Specific Policies The following Acceptance Management Process policies apply: • Alternatives to formal client signatures on paper documents: • In lieu of a signed Deliverable Acceptance Form, an a -mail message sent directly from the Fort Worth Approver to the CIBER Project Manager indicating acceptance or rejection of a deliverable or service constitutes formal acceptance or rejection. • Approval or rejection turnaround timeframe: • The Fort Worth Approver will accept or reject the deliverable or service within five (5) business days from the receipt of the Deliverable Acceptance Form. • Course of action if an Approver is unavailable or does not respond with a decision in the time specified: • If the Fort Worth Approver does not acceptor reject the deliverable or service within five (5) business days from the receipt of the Deliverable Acceptance Form and does not communicate a timeframe in which a decision will be made: • The acceptance or rejection decision will be logged, tracked and escalated as an engagement issue in accordance with the engagement's Issue Management Process. • Work will progress to maintain the established engagement schedule, with the understanding that any work dependent upon a rejected deliverable or service is at risk of rework. • A Change Request may result if mocations to the deliverable or service are required and those modifications affect other engagement work, or work that proceeded at risk. USE AND DISCLOSURE OF INFORMATION IN THIS DOCUMENT This document contains information that is proprietary to CIBER, Inc. Reproduction and/or further distribution of this information must be approved by CIBER. © 2008 CIBER, Inc. All Rights Reserved Page 13 FORT WORTH E �(Aber � ALWAYS ABLE CAD Security Assessment Statement of Work • Fort Worth Approvers) for engagement deliverables and/or services: Alan Girton. Alternate approvers may be designated by Fort Worth. PROJECT FEES GIBER will perform all work for a fixed price for each phase, exclusive of travel. Travel and living expenses will be invoiced as incurred (at cost). When travel is required, we will obtain services that represent good value per travel dollar. Naturally, we do everything possible to minimize our expenses consistent with completing the work in a professional manner. As a matter of convenience, expense reimbursements, if any, will be billed together with professional fees. Table 3: Engagement Pricing Phase Price Texas DIR Price Estimated Expenses (not to exceed) Phase I: Architecture and Deployment $17,264 $12,865 $3,000 Assessment All other terms and conditions, not described above, are governed by the Contract #DIR- SDD-685 between Texas Department of Information Resources and GIBER, Inc., dated March 25th, 2008. The attached Customer Services Agreement is the agreement between City of Fort Worth and CIBER. The full contract and additional terms and conditions can be accessed at http://www.dir.state.tx.us/store/busops/it security services.htm#cib. Note: Scope changes, unrealized assumptions, and/or unfulfilled requests could impact our ability to perform in a timely manner. We will notify our Fort Worth contact if any unanticipated event surfaces that might impact our ability to perform for the stated fee. USE AND DISCLOSURE OF INFORMATION IN THIS DOCUMENT This document contains information that is proprietary to CIBER, Inc. Reproduction antllor further distribution of this infom�ation must be approved by GIBER. ©2008 GIBER, Inc. All Rights Reserved Page 14 FORT WORTH CAD Security Assessment Statement of Work 9 APPROVALS (Aber ALWAYS ALWAYS ABLE The terms and conditions of this Statement of Work, including all rates and pricing provisions, shall not be binding on CIBER unless this Statement of Work is signed by CIBER and Fort Worth on or before September 12, 2008. IN WITNESS WHEREOF, the parties have executed this Statement of Work on the date or dates indicated below. Fort Worth NAME: naren L. rivti�gwncry ss s an y anager TITLE: DATE: ASSISTA�,T CITY ATTORNEY At>�ested by° CIBER, Inc. TITLE: DATE: O��oC�A� �EC�RD CITY SECRETARY FT. WORTH, TX USE AND DISCLOSURE OF INFORMATION IN THIS DOCUMENT This document contains information that is proprietary to CIBER, Inc. Reproduction and/or further distribution of this information must be approved by CIBER. © 2008 CIBER, Inc. All Rights Reserved Page 15 FORT WORTH �ciber-� - ALWAYS ABLE CAD Security Assessment Statement of Work APPENDIX A - SAMPLE CHANGE REQUEST FORM cIlber Change Request Form Client: Date Requested: Requested by: Project: Change Control #: Requested Priority: Description of Change: Reason for Change: Change Request Analysis (by CIBER: Conducted by: Schedule Impact (days): Impact on Project (Scope, Quality, Critical Path): Budget Impact ($): Time to complete analysis: Hours Date Completed: Recommendation: Resolution & Approvals: Fort Worth: ❑ Approved ❑ Rejected ❑ On Hold Signature: Name/Title: Date: Reason for Rejection, if Applicable: CIBER: ❑ Approved ❑ Rejected ❑ On Hold Signature: Name/Title: Date: USE AND DISCLOSURE OF INFORMATION IN THIS DOCUMENT This document contains information that is proprietary to CIBER, Inc. Reproduction antllor further distribution of this information must be approved by CIBER. © 2008 CIBER, Inc. All Rights Reserved Page 16 FORT WORTH CAD Security Assessment Statement of Work 'ber�ALWAYS ABLE APPENDIX B — SAMPLE DELIVERABLE/SERVICE ACCEPTANCE FORM cIlber Deliverable/Service Acceptance Form Client: Project: Deliverable/Service: Completion Date: Value of Deliverable/Service: Resolution & Approvals: CLIENT: ❑ Accept ❑ Reject for Cause Reason for Rejection, if Applicable: Remarks: Fort Worth: Signature: Name/Title: Date: CIBER: Signature: Name/Title: Date: USE AND DISCLOSURE OF INFORMATION IN THIS DOCUMENT This document contains information that is proprietary to CIBER, Inc. Reproduction andlor further distribution of this information must be approved by CIBER. © 2008 CIBER, Inc. All Rights Reserved Page 17 FORT WORTH CAD Security Assessment Statement of Work APPENDIX C -SAMPLE PROJECT PLAN ber iALWAYS ABLE The project plan sample in this appendix has been developed using Microsoft Word. The CIBER Project Manager might choose to use Microsoft Excel, Microsoft Project, or some other tool. Also, the column and row content varies as required by the project. The milestones and dates in a project plan can be changed using the change request process that has been approved by both CIBER and Fort Worth. c.ber Sample Project Plan eliverable Du Security Testing Project Initiation Meetings Preliminary Kickoff Kickoff Meeting Customer Care Meeting Organizational Culture Integration Fort Worth Public Tour Project Integration Discussion Discussion of Test Plan Discussion of ROE CIBER Legal Review Test Sessions Receipt of Signed Rules of Engagement External Assessment Internal Assessment Host Assessment Application Security Assessment Policy and Procedure Assessment Presentation of Findings Security Assessment Report Spot Vulnerability Reports Detailed Automated Reports Executive Briefing USE AND DISCLOSURE OF INFORMATION IN THIS DOCUMENT This document contains information that is proprietary to CIBER, Inc. Reproduction andlor further distribution of this information must be approved by CIBER. © 2008 CIBER, Inc. All Rights Reserved Page 18 cioer HLYYAIJ AEBL1 EXHIBIT B LIMITED ACCESS AGREEMENT This LIMITED ACCESS AGREEMENT ("Agreement") is made and entered into by and between the CITY OF FORT WORTH ("City"), a home rule municipal corporation organized under the laws of the State of Texas and situated in portions of Tarrant, Denton and Wise Counties, Texas, and CIBER INC., ("Contractor"). The following statements are true and correct and form the basis of this Agreement: WHEREAS: A. The City owns and operates a file server computer system and network (collectively the "Network"). Contractor wishes to have access to the City's network. B. Contractor wishes to perform activities as defined in Exhibit "A" CAD System Assessment — Phase I Statement of Work, together with any amendments, appendixes or future statement(s) of work. C. In order to perform the necessary duties, Contractor needs access to City's CAD/MDC Security Architecture, D. The City is willing to grant Contractor access to the Network, subject to the terms and conditions set forth in this Agreement, and in the City's standard outside connections policy, ("Extranet Standard") attached as Exhibit "A" and hereby incorporated by reference and made a part of this Agreement for all purposes herein. NOW, THEREFORE, the City and Contractor hereby agree as follows: 1. GRANT OF LIMITED ACCESS. Contractor is hereby granted a limited right of access to the City's Network for the sole purpose of evaluating the network architecture as it pertains to the CAD/MDC environment. The City will provide Contractor with a password and access number or numbers as necessary to perform Contractor's duties. 2. NETWORK RESTRICTIONS. 2.1. Contractor may not share any passwords or access number or numbers provided by the City except with Contractor's officers, agents, servants or employees who work directly with this project. 2.2. Contractor acknowledges, agrees and hereby gives its authorization to the City to monitor Contractor's use of the City's Network in order to ensure Contractor's compliance with this Agreement. 2.3. A breach by Contractor, its officers, agents, servants or employees, of this Agreement and any other written instructions or guidelines that the City provides to Contractor pursuant to this Agreement shall be grounds for the City immediately to deny Contractor access to the Network and Contractor's Data in addition to pursing any other remedies that the City may have under this Agreement or at law or in equity. 2.4. The City may terminate this Agreement at any time and for any reason. 3. LIABILITY AND INDEMNIFICATION. The parties agree that the provisions of Exhibit C, DIR Contract No. DIR-ODD-685, Appendix A, Standard Terms and Conditions for Services Contracts, page 8, Section 7.A.2. Vendor Responsibilities, Indemnification, Acts or Omission Subsection C shall apply to this Agreement. 4. AMENDMENTS. The terms of this Agreement shall not be waived, altered, modified, supplemented, or amended in any manner except by written instrument signed by an authorized representative of both the City and Contractor. 5. ENTIRE AGREEMENT. This Agreement is cumulative of and in addition to any written contracts, agreements, understandings or acknowledgments with the City signed by Contractor. This Agreement and any other documents incorporated herein by reference constitute the entire understanding and Agreement between the City and Contractor as to the matters contained herein regarding Contractor's access to and use of the City's Network. In the event of conflict between this Agreement and the Professional Services Agreement entered into between the parties, as it relates to Network access, this Agreement shall control. 6. CONFIDENTIAL INFORMATION. Contractor, for itself and its officers, agents and employees, agrees that it shall treat all information provided to it by the City as confidential and shall not disclose any such information to a third party without the prior written approval of the City. Contractor further agrees that it shall store and maintain City Information in a secure manner and shall not allow unauthorized users to access, modify, delete or otherwise corrupt City Information in any way. Contractor shall notify the City immediately if the security or integrity of any City information has been compromised or is believed to have been compromised. 7. RIGHT TO AUDIT Contractor agrees that the City shall, during the initial term, and until the expiration of three (3) years after termination or expiration of this Agreement, have access to and the right to examine at reasonable times any directly pertinent books, data, documents, papers and records, both hard copy and electronic, of the Contractor involving transactions relating to this Contract. Contractor agrees that the City shall have access during normal working hours to all necessary Contractor facilities and shall be provided adequate and appropriate work space in order to conduct audits in compliance with the provisions of this section. The City shall give Contractor reasonable advance notice of intended audits. Contractor further agrees to include in all its subcontractor agreements hereunder a provision to the effect that the subcontractor agrees that the City shall, during the initial term, and until expiration of three (3) years after termination or expiration of the subcontract, have access to and the right to examine at reasonable times any directly pertinent books, data, documents, papers and records, both hard copy and electronic, of such subcontractor involving transactions related to the subcontract, and further that City shall have access during normal working hours to all subcontractor facilities and shall be provided adequate and appropriate work space in order to conduct audits in compliance with the provisions of this paragraph. City shall give subcontractor reasonable notice of intended audits. Nothing in this agreement shall require Consultant or its subcontractor to produce or provide access to any document, materials, or information in any form or on any media, which is subject to a legitimate claim of exclusion, privilege, or protection recognized under federal or state law, including, but not limited to, the attorney -client and the attorney work product privileges. ►a 7. SIGNATURE AUTHORITY. The person signing this agreement hereby warrants that he/she has the legal authority to execute this agreement on behalf of the respective party, and that such binding authority has been granted by proper order, resolution, ordinance or other authorization of the entity. The other party is fully entitled to rely on this warranty and representation in entering into this Agreement. 8. LIMITATION OF LIABILITY. For any claim or cause of action arising under or related to this Agreement, none of the parties shall be liable to the other for punitive, special, or consequential damages, even if it is advised of the possibility of such damages. [Remainder of Page Intentionally Left Blank] IN WITNESS WHEREOF, the parties ereto have executed this Agreement on this �i day of 1200 CITY OF FORT WORTH: ATl By:. i4 Assistant City Manager retary AND LEGALITY: Assistant City Attorney M & C: none reauired CIBER INC.: Au Pri Si nature OFFICIAL RECORD CITY SECRETARY FT. WORTH, TX 0 EXHIBIT "A" EXTRANET STANDARD Overview The purpose of this standard is to establish the requirements under which third party organizations may connect to the City of Fort Worth networks for the purpose of transacting City business. The standards listed are specific activities required by Section 2.2 of the City of Fort Worth Information Security Policy, Scoae Connections between third parties that require access to non-public City of Fort Worth resources fall under this standard, regardless of whether a telecommunications circuit (such as frame relay or ISDN) or Virtual Privacy Network (VPN) technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for the City of Fort Worth or to the Public Switched Telephone Network do not fall under this standard. Standard Security Review All new extranet connectivity will go through a security review with the Information Security department (IT Solutions). The reviews are to ensure that all access matches the business requirements in a best possible way, and that the principle of least access is followed. Third Party Connection Agreement All new connection requests between third parties and the City of Fort Worth require that the third party and the City of Fort Worth representatives agree to and sign a third party agreement. This agreement must be signed by the Director of the sponsoring organization as well as a representative from the third party who is legally empowered to sign on behalf of the third party. The signed document is to be kept on He with IT Solutions. All documents pertaining to connections into the City of Fort Worth labs are to be kept on file with IT Solutions. Business Case All production extranet connections must be accompanied by a valid business justification, in writing, that is approved by a project manager in IT Solutions. Lab connections must be approved by IT Solutions. Typically this function is handled as part of a third party agreement. The sponsoring organization must designate a person to be the Point of Contact (POC) for the Extranet connection. The POC acts on behalf of the sponsoring organization, and is responsible for those portions of this policy and the third party agreement that pertain to it. In the event that the POC changes, IT Solutions must be informed promptly. Establishing Connectivity Sponsoring organizations within the City of Fort Worth that wish to establish connectivity to a third party are to file a new site request with IT Solutions to address security issues inherent in the project. If the proposed connection is to terminate within a lab at the City of Fort Worth, the sponsoring organization must engage IT Solutions. The sponsoring organization must provide full and complete information as to the nature of the proposed access to the extranet group and IT Solutions, as requested. All connectivity established must be based on the least -access principle, in accordance with the approved business requirements and the security review. In no case will the City of Fort Worth rely upon the third party to protect the City %J Fort Worth's network or resources. 5 Modifying or Changing Connectivity and Access All changes in access must be accompanied by a valid business justification, and are subject to security review. Changes are to be implemented via corporate change management process. The sponsoring organization is responsible for notifying IT Solutions when there is a material change in their originally provided information so that security and connectivity evolve accordingly. Terminating Access When access is no longer required, the sponsoring organization within the City of Fort Worth must notify IT Solutions, which will then terminate the access. This may mean a modification of existing permissions up to terminating the circuit, as appropriate. IT Solutions must conduct an audit of their respective connections on an annual basis to ensure that all existing connections are still needed, and that the access provided meets the needs of the connection. Connections that are found to be deprecated, and/or are no longer being used to conduct the City of Fort Worth business, will be terminated immediately. Should a security incident or a finding that a circuit has been deprecated and is no longer being used to conduct the City of Fort Worth business necessitate a modification of existing permissions, or termination A connectivity, IT Solutions will notify the POC or the sponsoring organization of the change prior to taking any action. Definitions Circuit Sponsoring Organization Third Party For the purposes of this policy, circuit refers to the method of network access, whether it's through traditional ISDN, Frame Relay etc, or via VPN encryption technologies. The City of Fort Worth organization that requested that the third party have access to the City of Fort Worth network. A business that is not a formal or subsidiary part of the City of Fort Worth. EXHIBIT "C" DIR Contract No. DIR-SDD- 685 Vendor Contract No. STATE OF TEXAS DEPARTMENT OF INFORMATION RESOURCES CONTRACT FOR SERVICES CIBER, INC. 1. Introduction A. Parties This Contract for services is entered into between the State of Texas, acting by and through the Department of Information Resources (hereinafter "DIR") with its principal place of business at 300 West 151h Street, Suite 1300, Austin, Texas 78701, and CIBER, Inc. (hereinafter "Vendor"), with its principal place of business at 5251 DTC Parkway, Suite 1400, Greenwood Village, CO 80111. B. Compliance with Procurement Laws This Contract is the result of compliance with applicable procurement laws of the State of Texas. DIR issued a solicitation on the Comptroller of Public Accounts' Electronic State Business Daily, Request for Offer (RFO) DIR-SDD-TMP-100, on March 1, 2007, for Information Technology Security Services. Upon execution of this Contract, a notice of award for RFO DIR-SDD-TMP400 shall be posted by DIR on the Electronic State Business Daily. C. Order of Precedence This Contract; Appendix A, Standard Terms and Conditions For Services Contracts; Appendix B, Vendor's Historically Underutilized Businesses Subcontracting Plan; Appendix C, Customer Service Agreement; Appendix D, Pricing and Services Index; Exhibit 1, Vendor's Response to RFO DIR-SDD-TMP400, including all addenda; and Exhibit 2, RFO DIR-SDD-TMP400, including all addenda; are incorporated by reference and constitute the entire agreement between DIR and Vendor. In the event of a conflict between the documents listed in this paragraph, the controlling document shall be this Contract, then Appendix A, then Appendix B, then Appendix C, then Appendix D, then Exhibit 1, and finally Exhibit 2. In the event and to the extent any provisions contained in multiple documents address the same or substantially the same subject matter but do not actually conflict, the more recent provisions shall be deemed to have superseded earlier provisions. 2. Term of Contract The term of this Contract shall be two (2) years commencing on the last date of approval by DIR and Vendor. Prior to expiration of the original term, DIR and Vendor may extend this Contract, upon mutual agreement, for up to two (2) optional one-year terms. DIR Contract No. DIR-SDD- 685 Vendor Contract No. 3. Service Offerings Services available under this Contract are limited to Information Technology Security Services as specified in Appendix D, Pricing and Services Index. Vendor may incorporate changes to their services offerings however, any changes must be within the scope of services awarded based on the posting described in Section LB above. 4. Pricing A. Manufacturer's Suggested Retail Price (MSRP) MSRP is defined as the sales price suggested by the manufacturer or publisher of the service. B. Customer Discount The minimum Customer discount for all services will be the percentage off MSRP as specified in Appendix D, Pricing and Services Index. Customer Discount includes the DIR administrative Fee specified in Section 5. C. Customer Price 1) The price to the Customer shall be calculated as follows: Customer Price = MSRP —Customer Discount 2) Customers purchasing services under this Contract may negotiate more advantageous pricing or participate in special promotional offers. In such event, a copy of such better offerings shall be furnished to DIR upon request. 3) If pricing for services available under this Contract are provided at a higher discount to: (i) an eligible Customer who is not purchasing those services under this Contract or (ii) any other entity or consortia authorized by Texas law to sell said services to eligible Customers, then the available discounts in this Contract shall be adjusted to that higher discount. This Contract shall be amended within ten (10) business days to reflect the higher discounts. D. DIR Administrative Fee The administrative fee specified in Section 5 below shall not be broken out as a separate line item when pricing or invoice is provided to Customer. E. Tax -Exempt As per Section 151.309, Texas Tax Code, Customers under this Contract are exempt from the assessment of State sales, use and excise taxes. Further, Customers under this Contract are exempt from Federal Excise Taxes, 26 United States Code Sections 4253(i) and 0). Page 2 of 8 DIR Contract No. DIR-SDD- 685 Vendor Contract No. F. Travel Expense Reimbursement Pricing for services provided under this Contract are exclusive of any travel expenses that may be incurred in the performance of those services. Travel expense reimbursement may include personal vehicle mileage or commercial coach transportation, hotel accommodations, parking and meals; provided, however, the amount of reimbursement by Customers shall not exceed the amounts authorized by the current State Travel Regulations. Travel time may not be included as part of the amounts payable by Customer for any services rendered under this Contract. The DIR administrative fee specified in Section 5 below is not applicable to travel expense reimbursement. Anticipated travel expenses must be pre -approved in writing by Customer. H. Changes to Prices Vendor may change the price of any service at any time, based upon changes to the MSRP, but discount levels shall remain consistent with the discount levels specified in this Contract. Price decreases shall take effect automatically during the term of this Contract and shall be passed onto the Customer immediately. 5. DIR Administrative Fee A) The administrative fee to be paid by the Vendor to DIR based on the dollar value of all sales to Customers pursuant to this Contract is two percent (2%). Payment will be calculated for all sales, net of returns and credits. For example, the administrative fee for sales totaling $100,000 shall be $2,000. B) All prices quoted to Customers shall include the administrative fee. DIR reserves the right to change this fee upwards or downwards during the term of this Contract, upon written notice to Vendor. Any change in the administrative fee shall be incorporated in the price to the Customer. 6. Notification All notices under this Contract shall be sent to a party at the respective address indicated below. If sent to the State: Sherri Parks, Director Contracting & Procurement Services Department of Information Resources 300 W. 15th St., Suite 1300 Austin, Texas 78701 Phone: (512) 4754700 Facsimile: (512) 4754759 Email: sherri.parks@dir.state.tx.us If sent to the Vendor: Mary Anne Clement GIBER, Inc. 4515 Seton Center Parkway, Suite 100 Austin, TX 78759 Phone: (512) 458-6650 Facsimile: (512) 458-6648 Email: maclement a ciber.com Page 3 of 8 DIR Contract No. DIR.SDD- 685 Vendor Contract No. 7. Customer Service Agreement Services provided under this Contract shall be in accordance with the Service Agreement as set forth in Appendix C of this Contract. No changes to the Service Agreement terms and conditions may be made unless previously agreed to by Vendor and DIR. 8. Authorized Exceptions to Appendix A, Standard Terms and Conditions for Services Contracts. A. Section 5, Purchase Orders, Invoices, and Payments, A. Purchase Orders is hereby replaced in its entirety as follows: All Customer Purchase Orders will be placed directly with the Vendor. Accurate Purchase Orders shall be effective and binding upon Vendor when accepted by Vendor. Vendor reserves the right to negotiate the terms of the Purchase Order not addressed in this contract, including but not limited to, Scope of Work, Method of Performance, Terms of Acceptance, Customer Responsibilities, and Confidentiality and Ownership. B. Section 7. Vendor Responsibilities, A. Indemnification, 1) Independent Contractor is hereby replaced in its entirety as follows: VENDOR AGREES AND ACKNOWLEDGES THAT DURING THE EXISTENCE OF THIS CONTRACT, IT IS FURNISHING SERVICES IN THE CAPACITY OF AN INDEPENDENT CONTRACTOR AND THAT VENDOR IS NOT AN EMPLOYEE OF THE CUSTOMER, DIR OR THE STATE OF TEXAS. Nothing in this Agreement will be construed to make Vendor or the State partners, joint venturers, principals, agents or employees of the other. No officer, director, employee, agent, affiliate or contractor employed by Vendor to perform work on a Customer's behalf under this Agreement will be deemed to be an employee, agent or contractor of the Customer. Neither party will have any right, power or authority, express or implied, to bind or make representations on behalf of the other. C. Section 7. Vendor Responsibilities, A. Indemnification, 2) Acts or Omissions is hereby replaced in its entirety as follows: Vendor shall indemnify and hold harmless the State of Texas and Customers, AND/OR THEIR EMPLOYEES, AGENTS, REPRESENTATIVES, CONTRACTORS, ASSIGNEES, AND/OR DESIGNEES FROM ANY AND ALL LIABILITY, ACTIONS, CLAIMS, DEMANDS, OR SUITS, AND ALL RELATED COSTS, ATTORNEY FEES, AND EXPENSES for injury to persons or damage to real or tangible personal property to the extent directly caused by any acts or omissions of the Vendor or its agents, employees, subcontractors, Order Fulfillers, or suppliers of subcontractors in the execution or performance of the Contract and any Purchase Orders issued under the Contract. VENDOR SHALL PAY ALL COSTS OF DEFENSE INCLUDING ATTORNEYS FEES. THE DEFENSE SHALL BE DIR Contract No. DIR-SDD= 685 Vendor Contract No. COORDINATED BY THE OFFICE OF THE ATTORNEY GENERAL FOR TEXAS STATE AGENCY CUSTOMERS AND BY CUSTOMER'S LEGAL COUNSEL FOR NON -STATE AGENCY CUSTOMERS. D. Section 7. Vendor Responsibilities, A. Indemnification, 3) Infringement, hereby added as follows: c) If the remedies set forth in (i) or (ii) are not available on commercially reasonable terms, Vendor may terminate the license for the allegedly infringing products or services, and upon receipt of the products or services, return the fees paid by Customer for such products or services, prorated over a five year term from the applicable delivery date. For purposes of this indemnity, products and services do not include any third party products or services, whether or not supplied by Vendor. As to such third party products or services, Vendor shall exercise commercially reasonable efforts to secure for the Customer the remedies, if any, offered by the third party. This Section 7.A.3)c) states Vendor's entire liability and Customer's exclusive remedy for infringement of intellectual property rights. E. Section 7. Vendor Responsibilities, B. Taxes/Worker's Compensation/ UNEMPLOYMENT INSURANCE, 2) is hereby replaced in its entirety as follows: 2) VENDOR AGREES TO INDEMNIFY AND HOLD HARMLESS CUSTOMERS, THE STATE OF TEXAS AND/OR THEIR EMPLOYEES, AGENTS, REPRESENTATIVES, CONTRACTORS, ASSIGNEES, AND/OR DESIGNEES FROM ANY AND ALL LIABILITY, ACTIONS, CLAIMS, DEMANDS, OR SUITS, AND ALL RELATED COSTS, ATTORNEY FEES, AND EXPENSES, RELATING TO TAX LIABILITY, UNEMPLOYMENT INSURANCE AND/OR WORKERS' COMPENSATION OR EXPECTATIONS OF THOSE BENEFITS BY VENDOR, ITS EMPLOYEES, REPRESENTATIVES, . AGENTS OR SUBCONTRACTORS IN ITS PERFORMANCE UNDER THIS CONTRACT. VENDOR SHALL BE LIABLE TO PAY ALL COSTS OF DEFENSE INCLUDING ATTORNEYS' FEES. THE DEFENSE SHALL BE COORDINATED BY THE OFFICE OF THE ATTORNEY GENERAL FOR TEXAS STATE AGENCY CUSTOMERS AND BY CUSTOMER'S LEGAL COUNSEL FOR NON -STATE AGENCY CUSTOMERS. F. Section 7. Vendor Responsibilities, H. Security of Premises, Equipment, Data and Personnel is hereby replaced in its entirety as follows: Vendor may, from time to time during the performance of the Contract, have access to the personnel, premises, equipment, and other property, including data, files and /or materials (collectively referred to as "Data") belonging to the Customer. Vendor shall use their commercially reasonable best efforts to preserve the safety, security, and the integrity of the personnel, premises, equipment, Data and other property of the Customer, in accordance with the instruction of the Customer. Subject to all DIR Contract No. DIR-SDD- 685 Vendor Contract No. conditions, limits and exclusions in this Contract, Vendor shall be responsible for damage to Customer's equipment, workplace, and its contents to the extent such damage is caused by the negligent conduct of its employees or subcontractors in their performance of the work under this Contract. Vendor's liability of loss of data or information shall be limited to the reasonable direct costs to restore the data on the most recent backup materials kept by the State. G. Section 8. Contract Enforcement, C. Force Majeure is hereby replaced in its entirety as follows: DIR, Customer, or Vendor may be excused from performance under the Contract for any period when performance is prevented as the result of circumstance beyond a part's reasonable control, including, by way of example and not by way of limitation, an act of God, strike, war, civil disturbance, epidemic, court order, embargo, blockage, work stoppage, acts of the public enemy, acts of terrorism, provided that the party experiencing the event of Force Majeure has prudently and promptly acted to take any and all steps that are within the parry's control to ensure performance and to shorten the duration of the event of Force Majeure. The party suffering an event of Force Majeure shall provide notice of the event to the other parties when commercially reasonable. Subject to this provision, such non- performance shall not be deemed a default or a ground for termination. However, a Customer may terminate a Purchase Order if it is determined by the Customer that Vendor will not be able to deliver services in a timely manner to meet the business needs of the Customer. H. New Section 11. Ownership of Information is hereby added as follows: Unless Vendor and the Customer agree otherwise in writing, the Work Products developed for the Customer by Vendor pursuant to this Agreement and any SOW will belong to the Customer. This provision does not apply to third party works or products Vendor provides to the Customer or to Vendor Materials (as defined below). The acknowledges that Vendor is in the business of providing information technology consulting services and has accumulated expertise in this field and agrees that Vendor will retain all right, title, and interest in and to all Vendor Materials. "Vendor Materials" means all discoveries, concepts and ideas, whether or not registrable under patent, copyright or similar statutes, including, without limitation, patents, copyright, trade secrets, processes, methods, formulae, techniques, tools, solutions, programs, data and documentation, and related modifications, improvements, and know-how, that Vendor, alone, or jointly with others, its agents or employees, conceives, makes develops, acquires or obtains knowledge of at any time before, after or during the term of this Agreement without breach of Vendor's duty of confidentiality to the Customer. If Vendor Materials are included with or embodied in any Work Product, the Customer will have a perpetual, irrevocable, nonexclusive, worldwide, royalty - free license to use, execute, reproduce, display, perform, distribute internally, and prepare for internal use "derivative works" as defined in the Copyright Act, 17 U.S.C. §101, based upon, the Vendor Materials in each case solely in conjunction with the DIR Contract No. DIR-SDD- 685 Vendor Contract No. Work Product delivered hereunder. Any interest in the Services and Work Products granted hereunder by Vendor to the Customer shall be effective upon and to the extent of payment by the Customer of the fees and expenses invoiced by Vendor pursuant to this Agreement. Notwithstanding anything to the contrary in this Agreement, Vendor and its personnel are free to use and employ their general skills, know-how, and expertise, and to use, disclose, and employ any generalized ideas, concepts, know-how, methods, techniques, or skills gained or learned during the course of this Agreement so long as they acquire and apply such information without any unauthorized use or disclosure of confidential or proprietary information of the Customer. Warranty and Disclaimer. Vendor warrants that it will (a) perform all Services in a professional and workmanlike manner and (b) provide Work Products that conform in all materials respects to the specifications set forth in the Agreement. The Customer must report any deficiencies to Vendor in writing within ninety (90) days from the date of Vendor's delivery of the Services or Work Products, to receive warranty remedies. The Customer's exclusive remedy and Vendor's entire liability is to provide Services to correct the deficiencies. If Vendor is unable to correct the deficiencies, the Customer is entitled to recover the fees paid to Vendor for the deficient portion of the Services or Work Product. VENDOR DISCLAIMS ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR PARTICULAR PURPOSE. Vendor makes no warranties regarding any portion of any deliverable developed by the Customer or by any third party, including any third party software, hardware, or other third party products provided by Vendor. I. New Section 12. Acceptance is hereby added as follows: The parties agree that acceptance criteria for any services materials, software or equipment should, if possible, be set forth in each Order. Promptly following Vendor's completion of any Services or delivery of any Work Product, the Customer will examine the Services and/or Work Product to confirm conformance with specifications. If Vendor has not received written notice from the Customer within fifteen (15) business days following completion of the services or delivery of the materials, software or equipment, the applicable services or deliverables will be deemed accepted by the Customer. Furthermore, if acceptance criteria are not specified in an Order, the applicable services or deliverable will be deemed accepted by the Customer on the date of delivery unless Vendor receives written notice from tOle Customer specifying the reason for non -acceptance within fifteen (15) business days after completion of the services or delivery of the materials, software or equipment. DIR Contract No. DIR-SDD- 685 Vendor Contract No. This Contract is executed to be effective as of the date of last signature. GIBER, Inc. Authorized By: Signature on File Name: John Miller Title: Area Director Date: 03/21/08 The State of Texas, acting by and through the Department of Information Resources Authorized By: Signature on File Name: Cindy Reed Title: Deputy Executive Director Operations & Statewide Technology Sourcing Date: 03/25/08 Legal: Signature on File 03/25/08 Amendment Number I to Contract Number DIR-SDD-685 between State of Texas, acting by and through the Department of Information Resources anA Ciber, Inc. This Amendment Number 1 to Contract Number DIR-SDD-685 Contract is between the Department of Information Resources ("DIR") and Ciber, Inc. ("Vendor"). DIR and Vendor agree to modify the terms and conditions of the Contract as follows: 1. Appendix D, Pricing and Services Index, is hereby revised and replaced in its entirety and attached hereto. 2. All other terms and conditions of the Contract, not specifically modified herein, shall remain in full force and effect. In the event of conflict among the provisions, the order of precedence shall be this Amendment Number 1, and then the Contract. IN WITNESS WHEREOF, the parties hereby execute this amendment to be effective as of the date of last signature. Ciber, Inc. By: Signature on file Name: John Miller Title: Area Director Date: 5/27/08 DIR Contract Number: DIR-SDD-685 Page I Amendment Number I The State of Texas, acting by and through the Department of Information Resources By: Signature on file Name: Cindy Reed Title: Deputy Executive Director Operations &Statewide Technology Sourcing Date: 5/29/08 Legal: 5/29/08 Appendix A Standard Terms and Conditions For Services Contracts Table of Contents 1. No Quantity Guarantees......................................................................................................... 1 2. Definitions..............................................................................................................................1 3. General Provisions................................................................................................................. 2 A. Entire Agreement.......................................................................................................... 2 B. Modification of Contract Terms and/or Amendments .................................................. 2 C. Invalid Term or Condition............................................................................................ 2 D. Assignment................................................................................................................... 2 E. Survival. 0 9 3 F. Choice of Law............................................................................................................... 3 4. Contract Fulfillment and Promotion...................................................................................... 3 A. Service, Sales and Support of the Contract................................................................... 3 B. Internet Access to Contract and Pricing Information.....................:............................. 3 1) Vendor Website...................................................................................................... 3 2) Accurate and Timely Contract Information............................................................ 3 3) Website Compliance Checks.................................................................................. 3 4) Website Changes............... 0 6 6 * a a a 0 a a *sees a as 0 so & 0 a 6 0 0 0 9 a 4 0 0 9 0 9 a a 0 0 & 0 4 0 2 0 0 0 a 0 0 4 a 0 a 0 9 0 6 0 6 a a 9 0 0 0 0 0 0 0 & a 0 & a 0 a 0 3 5) Use of Access Data Prohibited.....................................:......................................... 4 6) Responsibility for Content...................................................................................... 4 C. DIR Logo...................................................................................................................... 4 D. Vendor Logo...................................................................................:............................. 4 E. Trade Show Participation.............................................................................................. 4 F. Performance Review Meetings..................................................................................... 5 G. DIR Cost Avoidance..................................................................................................... 5 5. Purchase Orders, Invoices, and Payments............................................................................. 5 A. Purchase Orders............................................................................................................ 5 Be Invoices......................................................................................................................... 5 C. Payments....................................................................................................................... 5 6. Contract Administration......................................................................................................... 5 A. Contract Administrators. . * e 0 P a 0 9 0 * A & 0 * 0 0 * 6 a 0 a 6 W a a 0 8 & * a & 0 a & 0 a * a * 0 a a & 6 & 0 a a 0 & 6 D a a 0 a a & 0 a 0 0 0 & 4 * * 6 * a * a & & a * a 0 6 & 0 & a 0 6 0 W & 0 0 a a 0 6 a 5 1) State Contract Administrator.................................................................................. 5 2) Vendor Contract Administrator...:.......................................................................... 6 Be Reporting and Administrative Fees.............................................................................. 6 1) Reporting Responsibility........................................................................................ 6 2) Detailed Monthly Report ........................................................................................ 6 3) Historically Underutilized Businesses Subcontract Reports ................................... 6 4) DIR Administrative Fee.......................................................................................... 6 5) Accurate and Timely Submission of Reports......................................................... 7 C. Records and Audit......................................................................................................... 7 01/07/08 f/ 10. Appendix A Standard Terms and Conditions For Services Contracts D. Contract Administration Notification........................................................................... 8 VendorResponsibilities......................................................................................................... 8 A. Indemnification............................................................................................................. 8 B. Taxes/Worker's Compensation/UNEMPLOYMENT INSURANCE .......................... 9 C. Vendor Certifications.................................................................................................. 10 D. Ability to Conduct Business in Texas......................................................................... 11 E. Equal Opportunity Compliance.................................................................................. 11 F. Use of Subcontractors................................................................................................. 11 G. Responsibility for Actions.......................................................................................... 11 H. Confidentiality........................................................................................................... 12 I. Security of Premises, Equipment, Data and Personnel.......... 12 J. Background and/or Criminal History Investigation. . 12 K. Limitation of Liability................................................................................................. 12 L. Purchase of Commodity Items (Applicable to State Agency Purchases Only)........................................................................................................................... 12 M. Overcharges................................................................................................................ 13 N. Prohibited Conduct..................................................................................................... 13 ContractEnforcement.......................................................................................................... 13 A. Enforcement of Contract and Dispute Resolution...................................................... 13 B. Termination.................................................................................................................14 1) Termination for Non-Appropriation..................................................................... 14 2) Absolute Right...................................................................................................... 14 3) Termination for Convenience............................................................................... 14 4) Termination for Cause.......................................................................................... 14 a) Contract...........................................................................................................14 b) Purchase Order....................................................................:........................... 14 5) Customer Rights Under Termination.................................................................... 15 6) Vendor Rights Under Termination....................................................................... 15 C. Force Majeure............................................................................................................ 15 Notification.......................................................................................................................... 15 A. Notices........................................................................................................................ 15 B. Handling of Written Complaints................................................................................. 15 Captions............................................................................................................................... 16 01/07/08 ii Appendix A Standard Terms and Conditions For Services Contracts 1. No Quantity Guarantees The Contract is not exclusive to the Vendor. Customers may obtain services from other sources during the term of the Contract. DIR makes no express. or implied warranties whatsoever that any particular quantity or dollar amount of services will be procured through the Contract. 2. Definitions A. Customer -any Texas state agency, unit of local government, institution of higher education as defined in Section 2054.003, Texas Government Code, and those state agencies purchasing from a DIR contract through an Interagency Agreement, as authorized by Chapter 771, Texas Government Code, any local government as authorized through the Interlocal Cooperation Act, Chapter 791, Texas Government Code, the state agencies and political subdivisions of other states as authorized by Section 2054.0565, Texas Government Code, and, except for telecommunications services under Chapter 2170, Texas Government Code, assistance organizations as defined in Section 2175.001, Texas Government Code to mean: i. A non-profit organization that provides educational, health or human services or assistance to homeless individuals; ii. A nonprofit food bank that solicits, warehouses, and redistributes edible but unmarketable food to an agency that feeds needy families and individuals; iii. Texas Partners of the Americas, a registered agency with the Advisory Committee on Voluntary Foreign Aid, with the approval of the Partners of the Alliance Office of the Agency for International Development; iv. A group, including a faith -based group, that enters into a financial or non -financial agreement with a health or human services agency to provide services to that agency's clients; v. A local workforce development board created under Section 2308.253; VI* A nonprofit organization approved by the Supreme Court of Texas that provides free legal services for low-income households in civil matters; Vile The Texas Boll Weevil Eradication Foundation, Inc., or an entity designated by the commissioner of agriculture as the foundation's successor entity under Section 74.1011, Texas Agriculture Code; viii. A nonprofit computer bank that solicits, stores, refurbishes and redistributes used computer equipment to public school students and their families; and ix. A nonprofit organization that provides affordable housing. B. Contract — the document executed between DIR and Vendor into which this Appendix A is incorporated. C. CPA — refers to the Texas Comptroller of Public Accounts D. Day - shall mean business days, Monday through Friday, except for State and Federal holidays. If the Contract calls for performance on a day that is not a business day, then performance is intended to occur on the next business day. E. Purchase Order - the Customer's fiscal form or format, which is used when making a purchase (e.g., formal written Purchase Order, Procurement Card, Electronic Purchase Order, or other authorized instrument). O1/07/08 Page 1 of 16 Appendix A Standard Terms and Conditions For Services Contracts F. State — refers to the State of Texas. 3. General Provisions A. Entire Agreement The Contract and its Appendices constitute the entire agreement between DIR and the Vendor. No statement, promise, condition, understanding, inducement or representation, oral or written, expressed or implied, which is not contained in the Contract or its Appendices shall be binding or valid. B. Modification of Contract Terms and/or Amendments 1) The terms and conditions of the Contract shall govern all transactions by Customers under the Contract. The Contract may only be modified or amended upon mutual written agreement of DIR and Vendor. 2) Customers shall not have the authority to modify the terms of the Contract; however, additional Customer terms and conditions that do not conflict with the Contract and are acceptable to Vendor may be added in a Purchase Order and given effect. No additional term or condition added in a Purchase Order issued by a Customer can weaken a term or condition of the Contract. Pre-printed terms and conditions on any Purchase Order issued by Customer hereunder will have no force and effect. In the event of a conflict between a Customer's Purchase Order and the Contract, the Contract term shall control. C. lnvalid Term or Condition 1) To the extent any term or condition in the Contract conflicts with the applicable Texas and/or United States law or regulation, such Contract term or condition is void and unenforceable. By executing a contract which contains the conflicting term or condition, DIR makes no representations or warranties regarding the enforceability of such term or condition and DIR does not waive the applicable Texas and/or United States law or regulation which conflicts with the Contract term or condition. 2) If one or more term or condition in the Contract, or the application of any term or condition to any party or circumstance, is held invalid, unenforceable, or illegal in any respect by a final judgment or order of the State Office of Administrative Hearings or a court of competent jurisdiction, the remainder of the Contract and the application of the term or condition to other parties or circumstances shall remain valid and in full force and effect. D. Assignment DIR or Vendor may assign the Contract without prior written approval to: i) a successor in interest (for DIR, another state agency as designated by the Texas Legislature), or ii) a subsidiary, parent company or affiliate, or iii) as necessary to satisfy a regulatory requirement imposed upon a parry by a governing body with the appropriate authority. Assignment of the Contract under the above terms shall require written notification by the assigning party. Any other assignment by a party shall require the written consent of the other party. Each party agrees to cooperate to amend the Contract as necessary to maintain an accurate record of the contracting parties. O1/07/08 Page 2 of 16 Appendix A Standard Terms and Conditions For Services Contracts E. Survival All applicable service agreements that were entered into between Vendor and a Customer under the terms and conditions of the Contract shall survive the expiration or termination of the Contract. All Purchase Orders issued and accepted by Vendor shall survive expiration or termination of the Contract. F. Choice of Law The laws of the State of Texas shall govern the construction and interpretation of the Contract. Nothing in the Contract or its Appendices shall be construed to waive the State's sovereign immunity. 4. Contract Fulfillment and Promotion A. Service, Sales and Support of the Contract Vendor shall provide service, sales and support resources to serve all Customers throughout the State. It is the responsibility of the Vendor to sell, market, and promote services available under the Contract. Vendor shall use its best efforts to ensure that potential Customers are made aware of the existence of the Contract. All sales to Customers for services available under the Contract shall be processed through the Contract. B. Internet Access to Contract and Pricing Information 1) Vendor Website Within thirty (30) days from the effective date of the Contract, Vendor will establish and maintain a website specific to the service offerings under the Contract which is clearly distinguishable from other, non-DIR Contract offerings at Vendor's website. The website must include: the services offered, service specifications, Contract pricing, contact information for Vendor, instructions for obtaining quotes and placing Purchase Orders. The Vendor's website shall list the DIR Contract number, reference the DIR Go DIRect program, display the DIR logo in . accordance with the requirements in paragraph D of this Section, and contain a link to the DIR website for the Contract. 2) Accurate and Timely Contract Information Vendor warrants and represents that the website information specified in the above paragraph will be accurately and completely posted, maintained and displayed in an objective and timely manner. Vendor, at its own expense, shall correct any non- conforming or inaccurate information posted at Vendor's website within ten (10) business days after written notification by DIR. 3) Website Compliance Checks Periodic compliance checks of the information posted for the Contract on Vendor's website will be conducted by DIR. Upon request by DIR, Vendor shall provide verifiable documentation that pricing listed upon this website is uniform with the pricing as stated within Section 4 of the Contract. 4) Website Changes Vendor hereby consents to a link from the DIR website to Vendor's website in order to facilitate access to Contract information. The establishment of the link is provided Ol/07/08 Page 3 of 16 Appendix A Standard Terms and Conditions For Services Contracts solely for convenience in carrying out the business operations of the State. DIR reserves the right to terminate or remove a link at any time, in its sole discretion, without advance notice, or to deny a future request for a link. DIR will provide Vendor with subsequent notice of link termination or removal. Vendor shall provide DIR with timely written notice of any change in URL or other information needed to access the site and/or maintain the link. 5) Use of Access Data Prohibited If Vendor stores, collects or maintains data electronically as a condition of accessing Contract information, such data shall only be used internally by Vendor for the purpose of implementing or marketing the Contract, and shall not be disseminated to third parties or used for other marketing purposes. The Contract constitutes a public document under the laws of the State and Vendor shall not restrict access to Contract terms and conditions including pricing, i.e., through use of restrictive technology or passwords. 6) Responsibility for Content Vendor is solely responsible for administration, content, intellectual property rights, and all materials at Vendor's website. DIR reserves the right to require a change of listed content if, in the opinion of DIR, it does not adequately represent the Contract. C. DIR Logo Vendor may use the DIR logo in the promotion of the Contract to .Customers with the following stipulations: (i) the logo may not be modified in any way, (ii) when displayed, the size of the DIR logo must be equal to or smaller than the Vendor logo, (iii) the DIR logo is only used to communicate the availability of services under the Contract to Customers, and (iv) any other use of the DIR logo requires prior written permission from DIR. D. Vendor Logo DIR may use the Vendor's name and logo in the promotion of the Contract to communicate the availaty of services under the Contract to Customers. Use of the logos may be on the DIR website or on printed materials. Any use of Vendor's logo by DIR must comply with and be solely related to the purposes of the Contract and any usage guidelines communicated to DIR from time to time. Nothing contained in the Contract will give DIR any right, title, or interest in or to Vendor's trademarks or the goodwill associated therewith, except for the limited usage rights expressly provided by Vendor. E. Trade Show Participation At DIR's discretion, Vendor may be required to participate in one or more DIR sponsored trade shows each calendar year. Vendor understands and agrees that participation, at the Vendor's expense, includes providing a manned booth display or similar presence. DIR will provide four months advance notice of any required participation. Vendor must display the DIR logo at all trade shows that potential Customers will attend. DIR reserves the right to approve or disapprove of the location or the use of the DIR logo in or on the Vendor's booth. O1/07/08 Page 4 of 16 Appendix A Standard Terms and Conditions For Services Contracts F. Performance Review Meetings DIR will require the Vendor to attend periodic meetings to review the Vendor's performance under the Contract. The meetings will be held within the Austin, Texas area at a date and time mutually acceptable to DIR and the Vendor. DIR shall bear no cost for the time and travel of the Vendor for attendance at the meeting. G. DIR Cost Avoidance As part of the performance measures reported to state leadership, DIR must provide the cost avoidance the State has achieved through the Contract. Upon request by DIR, Vendor shall provide DIR with a detailed report of a representative sample of service sold under the Contract. The report shall contain: service description, list price, price to Customer under the Contract, and pricing from three (3) alternative sources under which DIR customers can procure the services. 5. Purchase Orders, Invoices, and Payments A. Purchase Orders All Customer Purchase Orders will be placed directly with the Vendor. Accurate Purchase Orders shall be effective and binding upon Vendor when accepted by Vendor. B. Invoices 1) Invoices shall be submitted by the Vendor directly to the Customer and shall be issued in compliance with Chapter 2251, Texas Government Code. All payments for services purchased under the Contract and any provision of acceptance of such services shall be made by the Customer to the Vendor. 2) Invoices must be timely and accurate. Each invoice must match Customer's Purchase Order and include any written changes that may apply, as it relates to services, prices and quantities. Invoices must include the Customer's Purchase Order number or other pertinent information for verification of receipt of the services by the Customer. C. Payments Customers shall comply with Chapter 2251, Texas Government Code, in making payments to Vendor. Payment under the Contract shall not foreclose the right to recover wrongful payments. 6. Contract Administration A. Contract Administrators DIR and the Vendor will each provide a Contract Administrator to support the Contract. Information regarding the Contract Administrators will be posted on the Internet website designated for the Contract. 1) State Contract Administrator DIR shall provide a Contract Administrator whose duties shall include but not be limited to: i) supporting the marketing and management of the Contract, ii) advising DIR of Vendor's performance under the terms and conditions of the Contract, and iii) Ol/07l08 Page 5 of 16 Appendix A Standard Terms and Conditions For Services Contracts periodic verification of pricing and monthly reports submitted by Vendor. 2) Vendor Contract Administrator Vendor shall provide a dedicated Contract Administrator whose.duties shall include but not be limited to: i) supporting the marketing and management of the Contract, ii) facilitating dispute resolution between Vendor and a Customer, and iii) advising DIR of Vendor's performance under the terms and conditions of the Contract. DIR reserves the right to require a change in Vendor's then -current Contract Administrator if the assigned Contract Administrator is not, in the opinion of DIR, adequately serving the needs of the State. B. Reporting and Administrative Fees 1) Reporting Responsibility a) Vendor shall be responsible for reporting all services purchased under the Contract. Vendor shall file the monthly reports, subcontract reports, and pay the administrative fees in accordance with the due dates specified in this section. b) DIR shall have the right to verify required reports and to take any actions necessary to enforce its rights under this section, including but not limited to, compliance checks of Vendor's applicable Contract books at DIR's expense. 2) Detailed Monthly Report Vendor shall electronically provide DIR with a detailed monthly report in the format required by DIR showing the dollar volume of any and all sales under the Contract for the previous month period. Reports shall be submitted to the DIR Go DIRect Coordinator. Reports are due on the fifteenth (15t') calendar day after the close of the previous month period. The monthly report shall include, per transaction: the detailed sales for the period, Customer name, invoice date, invoice number, description, quantity, unit price, extended price, Customer Purchase Order number, contact name, Customer's complete billing address, and other information as required by DIR. Each report must contain all information listed above per transaction or the report will be rejected and returned to the Vendor for correction in accordance with this section. 3) Historically Underutilized Businesses Subcontract Reports a) Vendor shall electronically provide each Customer with their relevant Historically Underutilized Business Subcontracting Report, pursuant to the Contract, as required by Chapter 2161, Texas Government Code. Reports shall also be submitted to DIR. b) Reports shall be due in accordance with the CPA rules. 4) DIR Administrative Fee a) An administrative fee shall be paid by Vendor to DIR to defray the DIR costs of negotiating, executing, and administering the Contract. The administrative fee shall be specified in the Contract. Payment of the administrative fee shall be due on the fifteenth (15t") calendar day after the close of the previous month period. b) Vendor shall reference the DIR Contract number on any remittance instruments. O1/07/08 Page 6 of 16 Appendix A Standard Terms and Conditions For Services Contracts 5) Accurate and Timely Submission of Reports a) The reports and administrative fees shall be accurate and timely and submitted in accordance with the due dates specified in this section. Vendor shall correct any inaccurate reports or administrative fee payments within three (3) business days upon written notification by DIR. Vendor shall deliver any late reports or late administrative fee payments within three (3) business. days upon written notification by DIR. If Vendor is unable to correct inaccurate reports or administrative fee payments or deliver late reports and fee payments within three (3) business days, Vendor must contact DIR and provide a corrective plan of action, including the timeline for completion of correction. The corrective plan of action shall be subject to DIR approval. b) Should Vendor fail to correct inaccurate reports or cure the delay in timely delivery of reports and payments within the corrective plan of action timeline, DIR reserves the right to require an independent third party audit of the Vendor's records as specified in C.3 of this Section, at DIR's expense. C. Records and Audit 11 Acceptance of funds under the Contract by Vendor acts as acceptance of the authority of the State Auditor's Office, or any successor agency, to conduct an audit or investigation in connection with those funds. Vendor further agrees to cooperate fully with the State Auditor's Office or its successor in the conduct of the audit or investigation, including providing all records requested. Vendor will ensure that this clause concerning the authority to audit funds received indirectly by subcontractors through Vendor and the requirement to cooperate is included in any subcontract it awards pertaining to the Contract. Under the direction of the Legislative Audit Committee, a Vendor that is the subject of an audit or investigation by the State Auditor's Office must provide the State Auditor's Office with access to any information the State Auditor's Office considers relevant to the investigation or audit. 2) Vendor shall maintain adequate records to establish compliance with the Contract until the later of a period of four (4) years after termination of the Contract or until full, final and unappealable resolution of all Compliance Check or litigation issues that arise under the -Contract. Such records shall include per transaction: Customer name, invoice date, invoice number, description, quantity, unit price, extended price, Customer Purchase Order number, contact name, Customer's complete billing address, the calculations supporting each administrative fee owed DIR under the Contract, Historically Underutilized Businesses Subcontracting reports, and such other documentation as DIR may request. 3) Vendor shall grant access to all paper and electronic records, books, documents, accounting procedures, practices and any other items relevant to the performance of the Contract to DIR, including the compliance checks designated by DIR, the State Auditor's Office and of the United States, and such other persons or entities designated by DIR for the purposes of inspecting, Compliance Checking and/or copying such books and records. Vendor shall provide copies and printouts requested by DIR without charge. DIR shall provide Vendor ten (10) business days' notice prior to inspecting, Compliance Checking, and/or copying Vendor's records. O1/07/08 Page 7 of 16 Appendix A Standard Terms and Conditions For Services Contracts Vendor's records, whether paper or electronic, shall be made available during regular office hours. Vendor personnel familiar with the Vendor's books and records shall be available to DIR staff and designees as needed. Vendor shall provide adequate office space to DIR staff during the performance of Compliance Check. 4) For procuring State Agencies whose payments are processed by the Texas Comptroller of Public Accounts, the volume of payments made to Vendor through the Texas Comptroller of Public Accounts and the administrative fee based thereon shall be presumed correct unless Vendor can demonstrate to DIR's satisfaction that Vendor's calculation of DIR's administrative fee is correct. D. Contract Administration Notification 1) Upon execution of the Contract, Vendor shall provide DIR with written notification of the following: i) Vendor Contract Administrator name and contact information, ii) Vendor sales representative name and contact information, and iii) name and contact information of Vendor personnel responsible for submitting reports and payment of administrative fees. 2) Upon execution of the Contract, DIR shall provide Vendor with written notification of the following: i) DIR Contract Administrator name and contact information, and ii) DIR Go DIRect Coordinator name and contact information. 7. Vendor Responsibilities A. Indemnification 1) INDEPENDENT CONTRACTOR VENDOR AGREES AND ACKNOWLEDGES THAT DURING THE EXISTENCE OF THIS CONTRACT, IT IS FURNISHING SERVICES IN THE CAPACITY OF AN INDEPENDENT CONTRACTOR AND THAT VENDOR IS NOT AN EMPLOYEE OF THE CUSTOMER, DIR OR THE STATE OF TEXAS. 2) Acts or Omissions Vendor shall indemnify and hold harmless the State of Texas and Customers, AND/OR THEIR EMPLOYEES, AGENTS, REPRESENTATIVES, CONTRACTORS, ASSIGNEES, AND/OR DESIGNEES FROM ANY AND ALL LIABILITY, ACTIONS, CLAIMS, DEMANDS, OR SUITS, AND ALL RELATED COSTS, ATTORNEY FEES, AND EXPENSES arising out of, or resulting from any acts or omissions of the Vendor or its agents, employees, subcontractors, Order Fulfillers, or suppliers of subcontractors in the execution or performance of the Contract and any Purchase Orders issued under the Contract REGARDLESS OF THE NEGLIGENCE OF THE CUSTOMER, THE STATE OF TEXAS AND/OR THEIR EMPLOYEES, AGENTS, REPRESENTATIVES, CONTRACTORS, ASSIGNEES, AND/OR DESIGNEES. VENDOR SHALL PAY ALL COSTS OF DEFENSE INCLUDING ATTORNEYS FEES, THE DEFENSE SHALL BE COORDINATED BY THE OFFICE OF THE ATTORNEY GENERAL FOR Ol/07/08 Page 8 of 16 Appendix A Standard Terms and Conditions For Services Contracts TEXAS STATE AGENCY CUSTOMERS AND BY CUSTOMER'S LEGAL COUNSEL FOR NON - STATE AGENCY CUSTOMERS. 3) Infringements a) Vendor shall indemnify and hold harmless the State of Texas and Customers, AND/OR THEIR EMPLOYEES,, AGENTS, REPRESENTATIVES, CONTRACTORS, ASSIGNEES, AND/OR DESIGNEES from any and all third party claims involving infringement of United States patents, copyrights, trade and service marks, and any other intellectual or intangible property rights in connection with the PERFORMANCES OR ACTIONS OF VENDOR PURSUANT TO THIS CONTRACT, VENDOR AND THE CUSTOMER AGREE TO FURNISH TIMELY WRITTEN NOTICE TO EACH OTHER OF ANY SUCH CLAIM. VENDOR SHALL BE LIABLE TO PAY ALL COSTS OF DEFENSE INCLUDING ATTORNEYS' FEES, THE DEFENSE SHALL BE COORDINATED BY THE OFFICE OF THE ATTORNEY GENERAL FOR TEXAS STATE AGENCY CUSTOMERS AND BY CUSTOMER'S LEGAL COUNSEL FOR NON -STATE AGENCY CUSTOMERS. b) If Vendor becomes aware of an actual or potential claim, or Customer provides Vendor with notice of an actual or potential claim, Vendor may (or in the case of an injunction against Customer, shall), at Vendor's sole option and expense: (i) procure for the Customer the right to continue to use the affected portion of the product or service, or (ii) modify or replace the affected portion of the product or service with functionally equivalent or superior product or service so that Customer's use is non - infringing. 4) PROPERTY DAMAGE IN THE EVENT OF LOSS, DAMAGE, OR DESTRUCTION.OF ANY PROPERTY OF CUSTOMER OR THE STATE DUE TO THE NEGLIGENCE, MISCONDUCT, WRONGFUL ACT OR OMISSION ON THE PART OF THE VENDOR, ITS EMPLOYEES, AGENTS, REPRESENTATIVES, OR SUBCONTRACTORS, THE VENDOR SHALL PAY THE FULL COST OF EITHER REPAIR, RECONSTRUCTION, OR REPLACEMENT OF THE PROPERTY, AT THE CUSTOMER'S SOLE ELECTION, SUCH COST SHALL BE DETERMINED BY THE CUSTOMER AND SHALL BE DUE AND PAYABLE BY THE VENDOR NINETY (90) CALENDAR DAYS AFTER THE DATE OF THE VENDORS RECEIPT FROM THE CUSTOMER OF A WRITTEN NOTICE OF THE AMOUNT DUE. B. Taxes/Worker's Compensation/UNEMPLOYMENT INSURANCE 1) VENDOR AGREES AND ACKNOWLEDGES THAT DURING THE EXISTENCE OF THIS CONTRACT, VENDOR SHALL BE ENTIRELY O1/07/08 Page 9 of 16 Appendix A Standard Terms and Conditions For Services Contracts RESPONSIBLE FOR THE LIABILITY AND PAYMENT OF VENDOR' S AND VENDOR'S EMPLOYEES' TAXES OF WHATEVER KIND, ARISING OUT OF THE PERFORMANCES IN THIS CONTRACT, VENDOR AGREES TO COMPLY WITH ALL STATE AND FEDERAL LAWS APPLICABLE TO ANY SUCH PERSONS, INCLUDING LAWS REGARDING WAGES, TAXES, INSURANCE, AND WORKERS' COMPENSATION. VENDOR AGREES AND ACKNOWLEDGES THAT VENDOR ITS EMPLOYEES, REPRESENTATIVES, AGENTS OR SUBCONTRACTORS SHALL NOT BE ENTITLED TO ANY STATE BENEFIT OR BENEFIT OF ANOTHER GOVERNMENTAL ENTITY CUSTOMER. THE CUSTOMER AND/OR THE STATE SHALL NOT BE LIABLE TO THE VENDOR ITS EMPLOYEES, AGENTS, OR OTHERS FOR THE PAYMENT OF TAXES OR THE PROVISION OF UNEMPLOYMENT INSURANCE AND/OR WORKERS' COMPENSATION OR ANY BENEFIT AVAILABLE TO A STATE EMPLOYEE OR EMPLOYEE OF ANOTHER GOVERNMENTAL ENTITY CUSTOMER. 2) VENDOR AGREES TO INDEMNIFY AND HOLD HARMLESS CUSTOMERS, THE STATE OF TEXAS AND/OR THEIR EMPLOYEES, AGENTS, REPRESENTATIVES, CONTRACTORS, ASSIGNEES, AND/OR DESIGNEES FROM ANY AND ALL LIABILITY, ACTIONS, CLAIMS, DEMANDS, OR SUITS, AND ALL RELATED COSTS, ATTORNEY FEES, . AND EXPENSES, RELATING TO TAX LIABILITY, UNEMPLOYMENT INSURANCE AND/OR WORKERS' COMPENSATION OR EXPECTATIONS OF BENEFITS BY VENDOR, ITS EMPLOYEES, REPRESENTATIVES, AGENTS OR SUBCONTRACTORS IN ITS PERFORMANCE UNDER THIS CONTRACT. VENDOR SHALL BE LIABLE TO PAY ALL COSTS OF DEFENSE INCLUDING ATTORNEYS' FEES. THE DEFENSE SHALL BE COORDINATED BY THE OFFICE OF THE ATTORNEY GENERAL FOR TEXAS STATE AGENCY CUSTOMERS AND BY CUSTOMER'S LEGAL COUNSEL FOR NON -STATE AGENCY CUSTOMERS. C. Vendor Certifications Vendor certes that it: (i) has not given, offered to give, and does not intend to give at any time hereafter any economic opportunity, future employment, gift, loan, gratuity, special discount, trip, favor, or service to a public servant in connection with the Contract, (ii) is not currently delinquent in the payment of any franchise tax owed the State of Texas and is not ineligible to receive payment under §231.006 of the Texas Family Code and acknowledge the Contract may be terminated and payment withheld if this certification is inaccurate, (iii) neither they, nor anyone acting for them, have violated the antitrust laws of the United States or the State of Texas, nor communicated directly or indirectly to any competitor or any other person engaged in such line of business for the purpose of obtaining an unfair price advantage, (iv) has not received payment from DIR or any of its employees for participating in -the preparation of the Contract, (v) under Section 2155.004, Texas Government Code, the vendor certifies that the individual or business entity named in this bid or contract is not ineligible to receive the specified contract and acknowledges that this contract may be terminated and O1l07/08 Page 10 of 16 Appendix A Standard Terms and Conditions For Services Contracts payment withheld if this certification is inaccurate, (vi) to the best of their knowledge and belief, there are no suits or proceedings pending or threatened against or affecting them, which if determined adversely to them will have a material adverse effect on the ability to fulfill their obligations under the Contract, (vii) are not suspended or debarred from doing business with the federal government as listed in the Excluded Parties List System (EPLS) maintained by the General Services Administration, and (viii) as of the effective date of the Contract, are not listed in the prohibited vendors list authorized by Executive Order #13224, "Blocking Property and Prohibiting Transactions with Persons Who Commit, Threaten to Commit, or Support Terrorism". published by the United States Department of the Treasury, Office of Foreign Assets Control. In addition, Vendor acknowledges the applicability of §2155.444 and §2155.4441, Texas Government Code, in fulfilling the terms of the Contract. D. Ability to Conduct Business in Texas Vendor shall be an entity authorized and validly existing under the laws of its state of organization, and shall be authorized to do business in the State of Texas. E. Equal Opportunity Compliance Vendor agrees to abide by all applicable laws, regulations, and executive orders pertaining to equal employment opportunity, including federal laws and the laws of the State in which its primary place of business is located. In accordance with such laws, regulations, and executive orders, the Vendor agrees that no person in the United States shall, on the grounds of race, color, religion, national origin, sex, age, veteran status or handicap, be excluded from employment with or participation in, be denied the benefits of, or be otherwise subjected to discrimination under any program or activity performed by Vendor under the Contract. If Vendor is found to be not in compliance with these requirements during the term of the Contract, Vendor agrees to take appropriate steps to correct these deficiencies. Upon request, Vendor will furnish information regarding its nondiscriminatory hiring and promotion policies, as well as specific information on the composition of its principals and staff, including the identification of minorities and women in management or other positions with discretionary or decision -making authority. F. Use of Subcontractors If Vendor uses any subcontractors in the performance of this Contract, Vendor must make a good faith effort in the submission of its Subcontracting Plan in accordance with the State's Policy on Utilization of Historically Underutilized Businesses. A revised Subcontracting Plan shall be required before Vendor can engage additional subcontractors in the performance of this Contract. Vendor shall remain solely responsible for the performance of its obligations under the Contract. G. Responsibility for Actions Vendor is solely responsible for its actions and those of its agents, employees, or subcontractors, and agrees that neither Vendor nor any of the foregoing has any authority to act or speak on behalf of DIR or the State. O1/07/08 Page 11 of 16 Appendix A Standard Terms and Conditions For Services Contracts H. Confidentiality 1) Vendor acknowledges that DIR is a government agency subject to the Texas Public Information Act. Vendor also acknowledges that DIR will comply with the Public Information Act, and with all opinions of the Texas Attorney General's office concerning this Act. 2) Under the terms of the Contract, DIR may provide Vendor with information related to Customers. Vendor shall not re -sell or otherwise distribute or release Customer information to any party in any manner. I. Security of Premises, Equipment, Data and Personnel Vendor may, from time to time during the performance of the Contract, have access to the personnel, premises, equipment, and other property, including data, files and /or materials (collectively referred to as "Data") belonging to the Customer. Vendor shall use their best efforts to preserve the safety, security, and the integrity of the personnel, premises, equipment, Data and other property of the Customer, in accordance with the instruction of the Customer. Vendor shall be responsible for damage to Customer's equipment, workplace, and its contents when such damage is caused by its employees or subcontractors. J. Background and/or Criminal History Investigation Prior to commencement of any services, background and/or criminal history investigation of the Vendor's employees and subcontractors who will be providing services to the Customer under the Contract may be performed by certain Customers having legislative authority to require such investigations. Should any employee or subcontractor of the Vendor who will be providing services to the Customer under the Contract not be acceptable to the Customer as a result of the background and/or criminal history check, then Customer may immediately terminate its Purchase Order and related Service Agreement or request replacement of the employee or subcontractor in question. K. Limitation of Liability For any claim or cause of action arising under or related to the Contract: i) none of the parties shall be liable to the other for punitive, special, or consequential damages, even if it is advised of the possibility of such damages; and ii) Vendor's liability for damages of any kind to the Customer shall be limited to the total amount paid to Vendor under the Contract during the twelve months immediately preceding the accrual of the claim or cause of action. L. Purchase of Commodity Items (Applicable to State Agency Purchases Only) 1) Texas Government Code, §2157.068 requires State agencies to buy' commodity items, as defined in 7.L.2 below, in accordance with contracts developed by DIR, unless the agency obtains an exemption from DIR. 2) Commodity items are commercially available software, hardware and technology services that are generally available to businesses or the public and for which DIR determines that a reasonable demand exists in two or more state agencies. Hardware is the physical technology used to process, manage, store, transmit, receive or deliver information. Software is the commercially available programs that operate hardware O1/07/08 Page 12 of 16 Appendix A Standard Terms and Conditions For Services Contracts and includes all supporting documentation, media on which the software may be contained or stored, related materials, modifications, versions, upgrades, enhancements, updates or replacements. Technology services are the services, fUnctions and activities that facilitate the design, implementation, creation, or use of software or hardware. Technology services include seat management, staffing augmentation, training, maintenance and subscription services. Technology services do not include telecommunications services. Seat management is services through which a state agency transfers its responsibilities to a vendor to manage its personal computing needs, including all necessary hardware, software and technology services. 3) Vendor agrees to coordinate all State agency commodity item sales through existing DIR contracts. Institutions of higher education are exempt from Subsection 7.L. M. Overcharges Vendor hereby assigns to DIR any and all of its claims for overcharges associated with this contract which arise under the antitrust laws of the United States, 15 U.S.C.A. Section 1, et seq., and which arise under the antitrust laws of the State of Texas, Tex. Bus. and Comm. Code Section 15.01, et seq. N. Prohibited Conduct Vendor represents and warrants that, to the best of its knowledge as of the date of this certification, neither Vendor nor any Order Fulfiller, subcontractor, firm, corporation, partnership, or institution represented by Vendor, nor anyone acting for such Order Fulfiller, subcontractor, firm, corporation or institution has: (1) violated the antitrust laws of the State of Texas under Texas Business & Commerce Code, Chapter 15, or the federal antitrust laws; or (2) communicated its response to the Request for Offer directly or indirectly to any competitor or any other person engaged in such line of business during the procurement for the Contract. 8. Contract Enforcement A. Enforcement of Contract and Dispute Resolution 1) Vendor and DIR agree to the following: (i) a parry's failure to require strict performance of any provision of the Contract shall not waive or diminish that parry's right thereafter to demand strict compliance with that or any other provision, (ii) for disputes not resolved in the normal course of business, the dispute resolution process provided for in Chapter 2260, Texas Government Code, shall be used, and (iii) actions or proceedings arising from the Contract shall be heard in a state court of competent jurisdiction in Travis County, Texas. 2) Disputes arising between a Customer and the Vendor shall be resolved in accordance with the dispute resolution process of the Customer that is not inconsistent with subparagraph A.1 above. DIR shall not be a party to any such dispute unless DIR, Customer, and Vendor agree in writing. O1/07/08 Page 13 of 16 Appendix A Standard Terms and Conditions For Services Contracts B. Termination 1) Termination for Non -Appropriation Customer may terminate Purchase Orders if funds sufficient to pay its obligations under the Contract are not appropriated by the governing body on behalf of local governments, or by the Texas legislature on behalf of state agencies. In the event of non -appropriation, Vendor will be provided ten (10) calendar days written notice of intent to terminate. Notwithstanding the foregoing, if a Customer issues a Purchase Order and has accepted delivery of the services, they are obligated to pay for those services. 2) Absolute Right DIR shall have the absolute right to terminate the Contract without recourse in the event that: i) Vendor becomes listed on the prohibited vendors list authorized by Executive Order #13224, 'Blocking Property and Prohibiting Transactions with Persons Who Commit, Threaten to Commit, or Support Terrorism published by the United States Department of the Treasury, Office of Foreign Assets Control, or ii) Vendor becomes suspended or debarred from doing business with the federal government as listed in the Excluded Parties List System (EPLS) maintained by the General Services Administration. Vendor shall be provided written notice in accordance with Section 9.A, Notices, of intent to terminate. 3) Termination for Convenience DIR or Vendor may terminate the Contract, in whole or in part, by giving the other party thirty (30) calendar days written notice. A Customer may terminate a Purchase Order if it is determined by the Customer that Vendor will not be able to deliver services in a timely manner to meet the business needs of the Customer. 4) Termination for Cause a) Contract Either DIR or Vendor may issue a written notice of default to the other upon the occurrence of a material breach of any covenant, warranty or provision of the Contract. The non -defaulting party shall give the defaulting party thirty (30) calendar days from receipt of notice to cure said default. If the defaulting party fails to cure said default within the timeframe allowed, the non -defaulting party may, at its option and in addition to any other remedies it may have available, cancel and terminate the Contract. Customers purchasing services under the Contract have no power to terminate the Contract for default. b) Purchase Order Customer or Vendor may terminate a Purchase Order upon the occurrence of a material breach of any term or condition: (i) of the Contract, or (ii) included in the Purchase Order in accordance with Section 3.13.2 above. The non -defaulting party shall give the defaulting party thirty (30) calendar days from receipt of notice to cure said default. If the defaulting party fails to cure said default within the timeframe allowed, the non -defaulting party may, at its option and in addition to any other remedies it may have available, cancel and terminate the Purchase Order. O1/07/08 Page 14 of 16 Appendix A Standard Terms and Conditions For Services Contracts 5) Customer Rights Under Termination In the event the Contract expires or is terminated for any reason, a Customer shall retain its rights under the Contract and the Purchase Order issued with respect to all services ordered and accepted prior to the effective termination date. 6) Vendor Rights Under Termination In the event a Purchase Order is terminated or the Contract expires or is terminated for any reason, a Customer shall pay all amounts due for services ordered prior to the effective termination date and ultimately accepted. C. Force Majeure DIR, Customer, or Vendor may be excused from performance under the Contract for any period when performance is prevented as the result of an act of God, strike, war, civil disturbance, epidemic, or court order, provided that the party experiencing the event of Force Majeure has prudently and promptly acted to take any and all steps that are within the parry's control to ensure performance and to shorten the duration of the event of Force Majeure. The party suffering an event of Force Majeure shall provide notice of the event to the other parties when commercially reasonable. Subject to this provision, such non-performance shall not be deemed a default or a ground for termination. However, a Customer may terminate a Purchase Order if it is determined by the Customer that Vendor will not be able to deliver services in a timely manner to meet the business needs of the Customer. 9. Notification A. Notices All notices, demands, designations, certificates, requests, offers, consents, approvals and other instruments given pursuant to the Contract shall be in writing and shall be validly given on: (i) the date of delivery if delivered by email, facsimile transmission, mailed by registered or certified mail, or hand delivered, or (ii) three business days after being mailed via United States Postal Service. All notices under the Contract shall be sent to a party at the respective address indicated in Section 6 of the Contract or to such other address as such party shall have notified the other party in writing. B. Handling of Written Complaints In addition to other remedies contained in the Contract, a person contracting with DIR may direct their written complaints to the following office: Public Information Office Department of Information Resources Attn: Public Information Officer 300 W. 15`h Street, Suite 1300 Austin, Texas 78701 (512) 4754759, facsimile. O1/07/08 Page 15 of 16 Appendix A Standard Terms and Conditions For Services Contracts 10. Captions The captions contained in the Contract and its Appendices are intended for convenience and reference purposes only and shall in no way be deemed to define or limit any provision thereof Ol/07/08 Page 16 of 16