Contract 40661
CITY SECRETARY CONTRACT NO.
PROFESSIONAL SERVICES AGREEMENT
This PROFESSIONAL SERVICES AGREEMENT ("Agreement") is made and entered into by
and between the CITY OF FORT WORTH (the "City"), a home rule municipal corporation situated in
portions of Tarrant, Denton and Wise Counties, Texas, acting by and through Karen L. Montgomery, its
duly authorized Assistant City Manager, and CIBER, INC ("Consultant"), a Delaware corporation and
acting by and through its duly authorized representative.
The Contract Documents for this Agreement shall consist of the following:
A. This Professional Services Agreement
B. Exhibit A Statement of Work
C. Exhibit B Limited Access Agreement
D. Exhibit C DIR Contract DIR-SDD-685
In the event of a conflict between the documents, the order of precedence shall be (1) this Professional
Services Agreement, (2) the Statement of Work, and (3) DIR Contract DIR-SDD-685. All documents
listed above are attached hereto and made a part of this Agreement for all purposes.
1. SCOPE OF SERVICES.
Consultant hereby agrees to provide the City with professional consulting services for the
purpose of performing an application assessment on the application Special Needs Assessment
Program (SNAP). Attached hereto and incorporated for all purposes incident to this Agreement is
Exhibit "A," Statement of Work, more specifically describing the services to be provided hereunder.
2. TERM.
This Agreement shall commence upon the last date that both the City and Consultant have
executed this Agreement ("Effective Date") and shall continue in full force and effect until completion of
all services contemplated herein but no later than July 1, 2011, unless terminated earlier in accordance
with the provisions of this Agreement.
3. COMPENSATION.
The City shall pay Consultant an amount not to exceed $15,900.00 in accordance with the provisions of
this Agreement. Consultant shall not perform any additional services for the City not specified by this
Agreement unless the City requests and approves in writing the additional costs for such services. The
City shall not be liable for any additional expenses of Consultant not specified by this Agreement unless
the City first approves such expenses in writing.
4. TERMINATION.
4.1 Written Notice.
The City or Consultant may terminate this Agreement at any time and for any reason by
providing the other party with 30 days written notice of termination.
4.2 Non-appropriation of Funds.
In the event no funds or insufficient funds are appropriated by the City in any fiscal
period for any payments due hereunder, City will notify Consultant of such occurrence and this
Agreement shall terminate on the last day of the fiscal period for which appropriations were
received without penalty or expense to the City of any kind whatsoever, except as to the portions
of the payments herein agreed upon for which funds shall have been appropriated.
Professional Services Agreement
CIBER, INC.
Page 1 of 8
OFFICIAL RECORD
CITY SECRETARY
FT. WORTH, TX
4.3 Duties and Obligations of the Parties.
In the event that this Agreement is terminated prior to the Expiration Date, the City shall
pay Consultant for services actually rendered up to the effective date of termination and
Consultant shall continue to provide the City with services requested by the City and in
accordance with this Agreement up to the effective date of termination.
5. DISCLOSURE OF CONFLICTS AND CONFIDENTIAL INFORMATION.
Consultant hereby warrants to the City that Consultant has made full disclosure in writing of any
existing or potential conflicts of interest related to Consultant's services under this Agreement. In the
event that any conflicts of interest arise after the Effective Date of this Agreement, Consultant hereby
agrees immediately to make full disclosure to the City in writing. Consultant, for itself and its officers,
agents and employees, further agrees that it shall treat all information provided to it by the City as
confidential and shall not disclose any such information to a third party without the prior written approval
of the City. Consultant shall store and maintain City Information in a secure manner and shall not allow
unauthorized users to access, modify, delete or otherwise corrupt City Information in any way.
Consultant shall notify the City immediately if the security or integrity of any City information has been
compromised or is believed to have been compromised.
6. RIGHT TO AUDIT.
Consultant agrees that the City shall, until the expiration of three (3) years after final payment
under this contract, have access to and the right to examine at reasonable times any directly pertinent
books, documents, papers and records of the consultant involving transactions relating to this Contract
at no additional cost to the City. Consultant agrees that the City shall have access during normal
working hours to all necessary Consultant facilities and shall be provided adequate and appropriate
work space in order to conduct audits in compliance with the provisions of this section. The City shall
give Consultant reasonable advance notice of intended audits.
Consultant further agrees to include in all its subcontractor agreements hereunder a provision to
the effect that the subcontractor agrees that the City shall, until expiration of three (3) years after final
payment of the subcontract, have access to and the right to examine at reasonable times any directly
pertinent books, documents, papers and records of such subcontractor involving transactions related to
the subcontract, and further that City shall have access during normal working hours to all subcontractor
facilities and shall be provided adequate and appropriate work space in order to conduct audits in
compliance with the provisions of this paragraph. City shall give subcontractor reasonable notice of
intended audits.
Unless otherwise required by applicable law, governing ruling, regulation or court order, nothing
in this agreement shall require Consultant or its subcontractor to produce or provide access to any
document, materials, or information in any form or on any media, which is subject to a legitimate claim
of exclusion, privilege, or protection recognized under federal or state law, including, but not limited to,
the attorney-client and the attorney work product privileges.
7. INDEPENDENT CONTRACTOR.
It is expressly understood and agreed that Consultant shall operate as an independent
contractor as to all rights and privileges granted herein, and not as agent, representative or employee of
the City. Subject to and in accordance with the conditions and provisions of this Agreement, Consultant
shall have the exclusive right to control the details of its operations and activities and be solely
responsible for the acts and omissions of its officers, agents, servants, employees, contractors and
subcontractors. Consultant acknowledges that the doctrine of respondeat superior shall not apply as
between the City, its officers, agents, servants and employees, and Consultant, its officers, agents,
employees, servants, contractors and subcontractors. Consultant further agrees that nothing herein
shall be construed as the creation of a partnership or joint enterprise between City and Consultant.
Notwithstanding the foregoing, the City acknowledges and agrees that in its performance of the
services, Consultant is entitled to reasonably rely on the information and materials the City, its officers,
agents, servants and employees, provide to the Consultant, its officers, agents, employees, servants,
contractors and subcontractors.
8. LIABILITY AND INDEMNIFICATION.
The parties agree that the provisions of Exhibit C, DIR Contract No. DIR-SDD-685, Appendix A,
Standard Terms and Conditions for Services Contracts, page 8, Section 7.A.2. Vendor Responsibilities,
Indemnification, Acts or Omission Subsection C shall apply to this Agreement.
9. ASSIGNMENT AND SUBCONTRACTING.
Consultant shall not assign or subcontract any of its duties, obligations or rights under this
Agreement without the prior written consent of the City. If the City grants consent to an assignment, the
assignee shall execute a written agreement with the City and the Consultant under which the assignee
agrees to be bound by the duties and obligations of Consultant under this Agreement. The Consultant
and Assignee shall be jointly liable for all obligations under this Agreement prior to the assignment. If the
City grants consent to a subcontract, the subcontractor shall execute a written agreement with the
Consultant referencing this Agreement under which the subcontractor shall agree to be bound by the
duties and obligations of the Consultant under this Agreement as such duties and obligations may apply.
The Consultant shall provide the City with a fully executed copy of any such subcontract.
10. INSURANCE.
Consultant shall provide the City with certificate(s) of insurance documenting policies of the
following minimum coverage limits that are to be in effect prior to commencement of any work pursuant
to this Agreement:
10.1 Coverage and Limits
(a) Commercial General Liability
$1,000,000 Each Occurrence
$1,000,000 Aggregate
(b) Automobile Liability
$1,000,000 Each occurrence on a combined single limit basis
Coverage shall be on any vehicle used by the Consultant, its employees, agents,
representatives in the course of providing services under this Agreement. "Any vehicle" shall
be any vehicle owned, hired and non-owned
(c) Worker's Compensation - Statutory limits
Employer's liability
$100,000 Each accident/occurrence
$100,000 Disease - per each employee
$500,000 Disease - policy limit
This coverage may be written as follows:
Workers' Compensation and Employers' Liability coverage with limits consistent with statutory
benefits outlined in the Texas Workers' Compensation Act (Art. 8308-1.01 et seq. Tex. Rev.
Civ. Stat.) and minimum policy limits for Employers' Liability of $100,000 each
accident/occurrence, $500,000 bodily injury disease policy limit and $100,000 per disease per
employee
(d) Technology Liability (Errors & Omissions)
$1,000,000 Each Claim Limit
$1,000,000 Aggregate Limit
Technology coverage may be provided through an endorsement to the Commercial General
Liability (CGL) policy, or a separate policy specific to Technology E&O. Either is acceptable if
coverage meets all other requirements. Coverage shall be claims-made, and maintained for the
duration of the contractual agreement and for two (2) years following completion of services
provided. An annual certificate of insurance shall be submitted to the City to evidence coverage.
10.2 General Requirements
(a) The commercial general liability and automobile liability policies shall name the City as an
additional insured thereon, as its interests may appear. The term City shall include its
employees, officers, officials, agents, and volunteers in respect to the contracted services.
(b) The workers' compensation policy shall include a Waiver of Subrogation (Right of Recovery) in
favor of the City of Fort Worth.
(c) A minimum of Thirty (30) days notice of cancellation or reduction in limits of coverage shall be
provided to the City. Ten (10) days notice shall be acceptable in the event of non-payment of
premium. Notice shall be sent to the Risk Manager, City of Fort Worth, 1000 Throckmorton, Fort
Worth, Texas 76102, with copies to the City Attorney at the same address.
(d) The insurers for all policies must be licensed and/or approved to do business in the State of
Texas. All insurers must have a minimum rating of A- VII in the current A.M. Best Key Rating
Guide, or have reasonably equivalent financial strength and solvency to the satisfaction of Risk
Management. If the rating is below that required, written approval of Risk Management is
required.
(e) Any failure on the part of the City to request required insurance documentation shall not
constitute a waiver of the insurance requirement.
(f) Certificates of Insurance evidencing that the Consultant has obtained all required insurance shall
be delivered to the City prior to Consultant proceeding with any work pursuant to this Agreement.
11. COMPLIANCE WITH LAWS, ORDINANCES, RULES AND REGULATIONS.
Consultant agrees to comply with all applicable federal, state and local laws, ordinances, rules
and regulations. If the City notifies Consultant of any violation of such laws, ordinances, rules or
regulations, Consultant shall immediately desist from and correct the violation.
12. NON-DISCRIMINATION COVENANT.
Consultant, for itself, its personal representatives, assigns, subcontractors and successors in
interest, as part of the consideration herein, agrees that in the performance of Consultant's duties and
obligations hereunder, it shall not discriminate in the treatment or employment of any individual or group
of individuals on any basis prohibited by law. If any claim arises from an alleged violation of this non-
discrimination covenant by Consultant, its personal representatives, assigns, subcontractors or
successors in interest, Consultant agrees to assume such liability and to indemnify and defend the City
and hold the City harmless from such claim.
13. NOTICES.
Notices required pursuant to the provisions of this Agreement shall be conclusively determined
to have been delivered when (1) hand-delivered to the other party, its agents, employees, servants or
representatives, (2) delivered by facsimile with electronic confirmation of the transmission, or (3)
received by the other party by United States Mail, registered, return receipt requested, addressed as
follows:
To The CITY:
City of Fort Worth/IT Solutions
1000 Throckmorton
Fort Worth TX 76102-6311
Facsimile: (817) 392-8654
To CONSULTANT:
CIBER, Inc.
700 State Highway 121 Bypass, Suite 180
Lewisville, TX 75067
Facsimile: (972) 538-4302
With a copy to:
CIBER, Inc.
Attn: Law Department
6363 South Fiddler's Green Circle, Ste. 1400
Greenwood Village, CO 80111
Facsimile: (303) 224-4125
14. SOLICITATION OF EMPLOYEES.
Neither the City nor Consultant shall, during the term of this agreement and additionally for a
period of one year after its termination, solicit for employment or employ, whether as employee or
independent contractor, any person who is or has been employed by the other during the term of this
agreement, without the prior written consent of the person's employer.
15. GOVERNMENTAL POWERS.
It is understood and agreed that by execution of this Agreement, the City does not waive or
surrender any of its governmental powers.
16. NO WAIVER.
The failure of the City or Consultant to insist upon the performance of any term or provision of
this Agreement or to exercise any right granted herein shall not constitute a waiver of the City's or
Consultant's respective right to insist upon appropriate performance or to assert any such right on any
future occasion.
17. GOVERNING LAW / VENUE.
This Agreement shall be construed in accordance with the internal laws of the State of Texas. If
any action, whether real or asserted, at law or in equity, is brought on the basis of this Agreement, venue
for such action shall lie in state courts located in Tarrant County, Texas or the United States District Court
for the Northern District of Texas, Fort Worth Division.
18. SEVERABILITY.
If any provision of this Agreement is held to be invalid, illegal or unenforceable, the validity,
legality and enforceability of the remaining provisions shall not in any way be affected or impaired.
19. FORCE MAJEURE.
The parties agree that the provisions of Exhibit C DIR Contract No. DIR-SDD-685 Appendix A,
Standard Terms and Conditions for Services Contracts, page 15, Section 8.C. Force Majeure shall apply
to this Agreement.
20. HEADINGS NOT CONTROLLING.
Headings and titles used in this Agreement are for reference purposes only and shall not be
deemed a part of this Agreement.
21. REVIEW OF COUNSEL.
The parties acknowledge that each party and its counsel have reviewed and revised this
Agreement and that the normal rules of construction to the effect that any ambiguities are to be resolved
against the drafting party shall not be employed in the interpretation of this Agreement or exhibits hereto.
22. AMENDMENTS / MODIFICATIONS / EXTENSIONS.
No extension, modification or amendment of this Agreement shall be binding upon a party hereto
unless such extension, modification, or amendment is set forth in a written instrument, which is executed
by an authorized representative and delivered on behalf of such party.
23. ENTIRETY OF AGREEMENT.
This Agreement, including the schedule of exhibits attached hereto and any documents
incorporated herein by reference, contains the entire understanding and agreement between the City
and Consultant, their assigns and successors in interest, as to the matters contained herein. Any prior
or contemporaneous oral or written agreement is hereby declared null and void to the extent in conflict
with any provision of this Agreement.
24. SIGNATURE AUTHORITY.
The person signing this agreement hereby warrants that he/she has the legal authority to execute
this agreement on behalf of the respective party, and that such binding authority has been granted by
proper order, resolution, ordinance or other authorization of the entity. The other party is fully entitled to
rely on this warranty and representation into this Agreement.
[SIGNATURE PAGE FOLLOWS]
IN WITNESS WHEREOF, the parties hereto have executed this Agreement in multiples this day of
20_
CITY OF FORT WORTH:
Date:
Marty Hendrix
City Secretary
APPROVED AS T
Maleshia B. Farmer
Assistant City Attorney
CONTRACT AUTHORIZATION:
M&C: None required
Date Approved:
CIBER, INC.:
By:
Title:
Date:
ATTEST:
By:
EXHIBIT A
STATEMENT OF WORK
Application Testing
SOW Prepared For:
Alan Girton
Senior Manager
City of Fort Worth
Submitted in Confidence by:
CIBER, Inc.
700 State Highway 121 Bypass
Suite 180
Lewisville, TX. 75067
(972) 538-4300
Application Testing and Consulting
Statement of Work
Table of Contents
1 INTRODUCTION
1.1 CIBER's Global Security Practice
2 SCOPE
3 WORK APPROACH
3.1 Application Testing Process
4 DELIVERABLES
4.1 Application Testing Report
4.2 Remediation Testing Reporting
4.3 Spot Vulnerability Reports (As Necessary)
5 ROLES AND RESPONSIBILITIES
5.1 Project Organization
5.2 Assumptions
6 MANAGEMENT APPROACH
6.1 Project Planning
6.2 Issue Management
6.3 Risk Management
6.4 Project Communications
6.5 Management Review
6.6 Change Management
6.7 Quality Assurance
6.8 Acceptance Management
7 SCHEDULE
8 PROJECT FEES
9 APPROVALS
Appendix A — Sample Change Request Form
Appendix B — Sample Deliverable/Service Acceptance Form
Appendix C — Scanning Authorization Services Form
1 INTRODUCTION
The City of Fort Worth has engaged the CIBER Global Security Practice to perform an
application assessment on the application — (SNAP) Special Needs Assessment Program.
This statement of work is in response to that request and provides an approach and pricing
for an assessment of this critical application.
1.1 CIBER's Global Security Practice
CIBER delivers security services through its Global Security Practice. With over 16 years
experience in information security, the Security Practice has an outstanding history of
helping clients assess their security postures and gain compliance with government
security regulations and/or contractual security obligations. Legislated requirements
include the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley
(GLB), Sarbanes-Oxley, and other industry-specific federal, state, and/or local
mandates. The CIBER Global Security Practice has accumulated a wealth of experience
by providing security services to a wide spectrum of clients. We apply this depth and
breadth of expertise to our client's benefit in defining, achieving, and maintaining the
security of their mission-critical systems and applications.
CIBER's Global Security Practice focuses on one thing and one thing only — information
security. The Security Practice designs and deploys mature and comprehensive
information security solutions that protect essential data and systems for global enterprises
operating in high exposure environments. Our security solutions insulate and enable
communications vital to national security; high-value scientific research satellites;
commercial air traffic controls and, nearly $2 trillion in time-sensitive, high-volume
electronic funds transactions. Our entire Global Security Practice technical and consulting
staff is focused exclusively on providing information security services.
We are proud to offer our services and eager to demonstrate our capabilities through
superior offerings and competitive pricing. We feel that our Global Security Practice has
the key discriminators to make CIBER the best value and lowest risk choice for such an
important decision. A few attributes that separate us from others include:
• Industry presence. With over 16 years of uninterrupted and focused information
security services delivery, CIBER is a veteran in delivering information security
consulting services. CIBER will utilize its Global Security Practice to deliver this
project. This specialized group is solely focused on IT Security projects.
• Small practice agility and focus, backed by the full resources of CIBER. Our
legacy of "playing well with others" makes a huge difference in the outcome of
the engagement and the opportunity for valuable knowledge transfer that we
provide as a course of business. Our team understands how to engage with you as
a client and adapt our services to precisely fit your needs. And because CIBER is
a billion dollar company, our team will have significant reach-back capability to
tap into specialized expertise elsewhere in the company as needed.
• Knowledge and expertise. Our consultants are Certified Information System
Security Professionals (CISSPs). They have an average of 13 years of experience
and the subject matter expertise that makes the difference when you consider that
the results of this engagement will be the foundation for strategic planning and
major follow-on investments of time and money. Great programs are built on
great foundations.
• Vendor neutral. CIBER does not depend on product sales, so we can
recommend security solutions that are the best for you. We have not aligned our
solutions to specific technology vendors because we recognize that there is no
"one size fits all" and each situation is unique.
• Proven approach. IT security assessments are a core offering of CIBER's
Global Security Practice that are performed on a continual basis for a wide range
of clients. We have assembled a team experienced in delivering similar
engagements and armed them with the tools and time-tested methodologies to
perform this engagement efficiently and effectively. Our approach represents a
low-risk choice for the City of Fort Worth -- CIBER's approach is
well-established and carefully tuned to deliver the results the City of Fort Worth
expects within the promised timeframe.
2 SCOPE
This project will evaluate the City of Fort Worth's (SNAP) Special Needs Assessment
Program application, assist in resolving identified vulnerabilities, and then re-evaluate the
application to verify vulnerabilities have been fixed. The scope of this engagement is as
follows:
• Initial Application Testing:
o CIBER will use automated tools and manual analysis of the (SNAP)
Special Needs Assessment Program application to identify vulnerabilities
present in the application that are accessible from the Internet. Automated
and manual testing and validation will be conducted with a "time box"
approach, not to exceed 36 hours.
• Remediation Consulting:
o CIBER will provide 4 hours of consultation in assisting the City of Fort
Worth technical staff with resolving identified issues. The consultation
will be conducted via phone and email.
• Remediation Testing:
o CIBER will use automated tools and manual analysis to determine if
vulnerabilities identified in the initial testing have been fixed, partially
fixed, or not fixed. Testing will include all vulnerabilities identified during
the initial testing. One remediation test will be conducted.
• Executive Presentation:
o CIBER will present the final report on-site and in person at the end of the
project and discuss a strategy for implementing a series of application
assessments.
3 WORK APPROACH
The base task of our Project Approach is Application Testing of the application to ensure
adequate security controls are in place prior to being placed into production. This review
will allow for a determination of the applications' levels of vulnerability.
Once remediation is complete, CIBER will perform a second test to ensure that all pertinent
issues have been resolved.
CIBER will provide certified solutions architects to conduct application security testing of
the application. Application security testing targets security capabilities of critical
applications. CIBER will examine the application to ensure it has the capability to provide
security for itself and if it does, if the capabilities have been fully utilized.
CIBER will perform testing of the application, addressing the following types of application
security controls:
• Authentication — Mechanisms such as passwords or tokens that are used to
authenticate the identity of the user, including an analysis of whether the login
process can be bypassed.
• Authorization — Mechanisms for controlling what application functionality and
data are accessible to each user, including an analysis of anonymous access
restrictions (what users can see without logging into the application).
• Session Context Control — Mechanisms to ensure the integrity and segregation of
user sessions, including an analysis of whether it is possible to spoof or hijack
another user's session.
• Data Privacy and Integrity — Mechanisms to protect the privacy and integrity of
data exchanged with the user during an application session, including encryption
of passwords and sensitive data, as well as detection of attempts to spoof or replay
a user session (typically, this is provided by the Secure Sockets Layer (SSL)
protocol for public web applications; Intranet or extranet applications typically
use SSL or Virtual Private Network (VPN)).
• Other security-relevant features present in the applications such as business logic
failure and information leakage issues.
A minimum list of checks performed in the technical portion of testing includes the checks
described in Table 1:
Table 1 - Technical Tests
Parameter Injection
Command Execution
SQL Injection
Cross-Site Scripting
Directory Traversal
Abnormal Input
Parameter Overflow
Buffer Overflow
Parameter Addition
Path Manipulation
Path Truncation
Character Encoding
MS-DOS 8.3 Short Filename
Character Stripping
Site Search
Application Mapping
Crawl
Automatic Form-Filling
SSL Support
Proxy Support
Client Certificate Support
State Management
Directory Enumeration
Web Server Assessment
HTTP Compliance
WebDAV Compliance
SSL Strength
Certificate Analysis
Content Investigation
Spam Gateway Detection
Session Manipulation
Sensitive Developer Comments
Web Server/Web Package Identification
Absolute Path Detection
Error Message Identification
Permissions Assessment
Brute Force Authentication Attacks
Known Attacks
Fingerprinting
Server-Side Include (SSI) Attacks
LDAP Attacks
XPath Injection
For each application security deficiency identified in the security testing, CIBER will make
recommendations for improving the security of the application. The results are detailed in
the Application Testing Report, where we illustrate the evaluation of application controls
against standards and describe strengths and weaknesses of utilized application controls.
Finally, CIBER provides recommendations for mediating risks discovered during the security
testing.
3.1 Application Testing Process
CIBER's process for conducting the Application Assessment is described in the following
sections.
3.1.1 Kickoff Meeting / Application Walk-through
The kickoff meeting takes place with CIBER and the City of Fort Worth. The purpose of
this meeting is to gather basic information about the application and determine dates and
Application Testing and Consulting
Statement of Work
Giber
3.1.2
times allowable for testing. Following the Kickoff Meeting, the City of Fort Worth will
walk GIBER through the application to point out any particularly sensitive areas and to
explain any areas that may require specialized business knowledge.
Execution
Testing of the application and related infrastructure is performed using a series of tools
and manual procedures on the server(s) hosting the web application and on the
application itself. In conducting Application Tests, CIBER employs methods outlined in
the Open Web Application Security Project (OWASP) Testing Guide as well as best
practices from other sources including the National Institute of Standards and
Technology (NIST). The high-level testing steps CIBER uses are as follows:
o Information gathering
o Business logic testing
o Authentication testing
o Session management
o Data validation testing
o Web services testing (if required)
Although the City of Fort Worth will provide CIBER with the technical details for the
testing, CIBER will additionally gather information from public sources, such as Web
sites and partner sites, to determine the City of Fort Worth's Internet presence. CIBER
uses that information to explore weaknesses in the City of Fort Worth's external technical
controls.
The exploration of public information includes:
o Performing Internet searches for the City of Fort Worth Web sites.
o Interrogating web pages for trusted relationships and contact information.
o Performing reverse lookups for phone number ownership.
o Performing public domain searches for IP Address ownership.
Methods include:
o Perform service identification scans to determine entry points to networked systems.
o Perform vulnerability scans to identify weaknesses in server configurations exploits.
o Whois Lookup
o DNS information
o Google searches
o SSL certificate information
NOTE: If, during the course of the testing, severe vulnerabilities are noted, CIBER will issue a
Spot Vulnerability Report immediately so the City of Fort Worth can perform validation and/or
remediation efforts to limit continued threat exposure.
Specific tools and their acceptable use will be mutually agreed to by CIBER and the City of Fort
Worth. Table 2 provides a list of some of the automated tools used by CIBER security
professionals to support the manual testing effort.
Table 2: Automated Tools.
Tool: Cenzic Hailstorm
Description: Testing includes simultaneous crawl and audit (SCA) and concurrent
application scanning, resulting in fast and accurate automated web application security
testing. Additional SPI Dynamics tools may include:
o Web Proxy
o HTTP Editor
o Cookie Cruncher
o Encoder/Decoder
o SQL Injector
o Fuzzers
Employed on: Web sites
Tool: Nmap
Description: Nmap ("Network Mapper") is a utility for network exploration or security
auditing. It was designed to rapidly scan large networks, although it works fine against
single hosts. Nmap uses raw IP packets to determine what hosts are available on the
network, what services (ports) they are offering, what Operating System (and OS version)
they are running, what type of packet filters/firewalls are in use, and dozens of other
characteristics.
Tool: eEye Retina
Description: eEye Retina is a network-based scanning tool which detects Windows, UNIX
and Linux, as well as network and many non-OS specific vulnerabilities. Retina has over
1500 vulnerability checks and can be customized for specific vulnerability checks
including denial of service and information gathering.
Employed on: Web sites; Networks and network segments
Tool: Tenable Nessus
Description: Nessus is an industry-standard open source network vulnerability-scanning
tool. Nessus scans for Windows, UNIX and Linux as well as many non-OS-specific
vulnerabilities. Nessus also performs information gathering, port scanning and denial of
service tests.
Tool: Wireshark/Ethereal
Description: A network packet sniffer and protocol analyzer used to examine network
traffic.
Tool: TCPing
Description: A small utility that allows a user to "ping" a system over a specified TCP
port, such as HTTP (port 80). This functionality assists in detecting using open ports on
firewalls to map networks.
Employed on: Targeted networks and network segments
Tool: SamSpade
Description: Windows network tool suite, with some extra features for tracking
unsolicited email (SPAM). There is also a web service that provides similar tools online,
however, it has not been maintained at the level it once was (www.samspade.org). Query
tools: Zone Transfer, SMTP Relay Check, Scan addresses for open ports, Crawl a website,
Browse web, Traceroutes, Parse email headers
Employed on: Web sites; Networks and network segments
Tool: Nikto
Description: Nikto is an Open Source web server scanner which performs comprehensive
tests against web servers for multiple items, including over 3200 potentially dangerous
files/CGIs, versions on over 625 servers, and version specific problems on over 230
servers. Scan items and plugins are frequently updated and can be automatically updated.
Employed on: Web sites
3.1.3 Analysis
During the analysis phase, CIBER professionals examine the results of the tests and
assess the risks that may be introduced as a result of the identified vulnerabilities.
CIBER uses its own proprietary database of application vulnerabilities along with public
sources of vulnerability information such as CERT (http://www.cert.org) to help analyze
the collected data. In addition, CIBER classifies each of the findings by criticality and
provides an application reference to show where the finding was discovered.
CIBER will assign a criticality rating to each finding of Critical, High, Medium or Low.
The ratings are based on the risk to the City of Fort Worth data processed by the
application and are arrived at by looking at specific "acceptability" requirements
described by the City of Fort Worth, CIBER's experience evaluating similar applications
and by applying industry best practices. Occasionally a category of "Informational"
might be used to report an issue that might be of interest but is not strictly considered a
vulnerability (e.g. specific third party software used to develop a routine within the
application).
3.1.4 Reporting
The Application Testing report is provided to the City of Fort Worth at the end of the first
engagement phase. A meeting to discuss the report is held with the City of Fort Worth
personnel to review the detailed findings and to assist in the formation of a remediation
plan.
Once the testing is complete, all testing deliverables, including the raw data acquired via
the testing will be provided to the City of Fort Worth for archival purposes.
3.1.5 Remediation Consulting
The CIBER engineers that perform the testing will provide assistance to the City of Fort
Worth developers and security personnel in addressing identified vulnerabilities. The
experience and expertise of our dedicated application testing engineers are well-versed in
application vulnerabilities and are adept at identifying root cause issues and
recommending solutions.
3.1.6 Remediation Testing
A remediation test of the application will be conducted when the City of Fort Worth feels
the vulnerabilities from the original assessment have been addressed. The remediation
testing phase follows the same methodology as the original assessment with an emphasis
on determining if the original vulnerabilities have been eliminated. The purpose of this
testing is to validate whether or not the vulnerabilities identified during an initial testing
have been resolved.
4 DELIVERABLES
The ultimate measure of a project's success is in the deliverables produced. For your
engagement, we will deliver the documents that are described in the following sections.
4.1 Application Testing Report
The Application Testing Report captures our collective efforts and is a key document for
managers responsible for the security infrastructure and who desire more analysis dialogue
for technical and/or non-technical controls.
The report is a critical foundation document for tactical and strategic security
decision-making.
The Application Testing Report documents the results of our analysis for all phases of the
engagement. Each section of the report addresses a major activity and all of its
components.
The report identifies each activity and fully discusses the results of our analysis (findings)
in terms of presence and effectiveness of technical controls. Conclusions and
recommendations for improvement from all components of the assessment are contained
within this comprehensive report.
The report is organized in the following manner:
• Executive Summary - The Executive Summary provides an overview of the project
and an overview of control strengths and weaknesses.
• Project Background and Approach - Project Background provides detailed
foundational information as well as scoping factors and imposed constraints. The
Approach section fully discusses how each phase of the project was accomplished in
terms of methodology used and tools employed.
• Testing Parameters - This section contains test parameters as applicable to the
project.
• Findings and Recommendations - The Findings and Recommendations section
details findings in terms of what we found, what it means, and how it can be fixed.
Each weakness is identified as a critical, high, medium, low, or informational
vulnerability based on its potential of being exploited. As appropriate, technical data
in the form of screen prints and/or tables are provided to amplify the finding and
analyst's comments. Additional technical information is available by following a
reference to the appropriate Appendix. Recommendations on how to remediate the
findings are provided in a narrative form. When suggested recommendations contain
more than one course of action, the recommendations will be prioritized.
Note 2: Certain vulnerabilities may carry more weight above the industry standard rating if
they interrelate to other types of vulnerabilities. Where vulnerabilities may play off each other,
they are noted as being "interlaced vulnerabilities". This circling of vulnerabilities, and the
ultimate result of their compound impact, is discussed in detail in the report when they are
discovered.
4.2 Remediation Testing Reporting
Remediation testing reporting follows the same format as the Application Testing report.
An updated matrix will list the status of the original findings along with any new findings
discovered during the remediation testing. The status can be one of four states:
o New: Discovered for the first time during the current testing.
o Fixed: Finding that was originally discovered is no longer present.
o Still Exists: Finding that was originally discovered was still found to exist during the
current testing.
o Partially Fixed: Part of the finding was addressed, but the entire finding has not
been fixed.
Full details will be documented (following the findings format from the original
assessment) and provided for any vulnerabilities with a status of New, Partially Fixed or
Still Exists.
4.3 Spot Vulnerability Reports (As Necessary)
During the course of the engagement, CIBER may observe a technical or non-technical
control vulnerability that has the potential to critically affect the confidentiality, integrity,
or availability of the City of Fort Worth's information (e.g., a "show stopper"). If this
happens, CIBER will immediately notify the City of Fort Worth contact and issue a Spot
Vulnerability Report. The report discloses the system, what we observed, and a
recommended corrective action. The issuance of the Spot Vulnerability Report is
immediate and not tied to deliverable dates.
5 ROLES AND RESPONSIBILITIES
5.1 Project Organization
[Figure 1 - Project Organization: organization chart showing the Fort Worth Project
Sponsor, CIBER Engagement/Relationship Manager, CIBER Global Security Delivery
Management, CIBER Project Manager, Sr. Application Tester and Jr. Application Tester;
line styles denote Coordination, Communication, Oversight and Management Direction.]
Figure 1 above shows the key roles for CIBER and the City of Fort Worth in executing
this project, and Table 3 and Table 4 explain the roles of CIBER and the City of Fort
Worth.
5.1.1 CIBER Roles
Table 3: CIBER Roles
CIBER Office - Engagement and Relationship Management
• Provides account management, project oversight, and customer care.
• Alternative point of contact for issue escalation.
CIBER Global Security Practice - Delivery Management
• Provides management direction to the project team.
• Source of security vision, technical guidance, methodologies, tools, and supplemental
resources.
CIBER Project Manager
• First point of contact for issue escalation.
• Ensures project deadlines are met.
• Provides Quality Assurance on all deliverables.
Senior Application Tester
• Coordinates and schedules testing activities.
• Conducts analysis and makes recommendations.
• Provides remediation consulting.
• Produces final deliverables.
Junior Application Tester
• Conducts scanning activities at the direction of the senior resource.
• Provides input into deliverables.
5.1.2 CIBER Responsibilities
• CIBER will provide all tools to perform the work described in this SOW.
• CIBER will work within mutually agreed upon testing windows for any activity that
involves live production systems.
• Based upon the City of Fort Worth's preferred testing window(s), this may require
availability of the City of Fort Worth resources after normal business hours.
• CIBER will endeavor to keep operational risks, inherent in this type of engagement,
to a minimum and cease our activities if we perceive they will be disruptive to your
operations.
• Despite our best efforts, automated security tools can sometimes impact network
performance or crash servers. Problems are rare and are generally easily corrected in
a matter of minutes (most severe problems require, at most, a system reboot).
However, it must be mutually agreed that there are risks, including the possibility of
an inadvertent denial of service (DoS), and that the risks associated with this type of
engagement are acknowledged and accepted by the City of Fort Worth.
5.1.3 City of Fort Worth Roles
Table 4 - City of Fort Worth Roles
City of Fort Worth Project Sponsor
• Provides project direction and guidance.
• Functions as the formal escalation point for the CIBER delivery team for all issues,
risks, and problems.
• Ensures that resources are available for interviews as needed.
• Acts as an escalation point as needed when required resources are unresponsive.
City of Fort Worth Technical Resources
• Provide required documentation, previous reports, and technical information as
available.
• Primary point of contact for questions and issues.
5.1.4 City of Fort Worth Responsibilities
• Prior to the start of testing, City of Fort Worth will provide CIBER with
documentation authorizing CIBER's activities and limiting CIBER, Inc.'s liability,
see Appendix C - Scanning Authorization Services Form.
• The City of Fort Worth will identify a contact person (trusted agent) who is
authorized to make real-time decisions relative to this engagement on behalf of City
of Fort Worth.
• A City of Fort Worth contact will be in the incident escalation chain to preclude
CIBER testing activities being inadvertently identified and externally reported as
attacks.
• The City of Fort Worth will identify the target IP addresses to CIBER as necessary
to ensure smooth progression of the engagement.
• The City of Fort Worth understands and accepts that because system and application
vulnerabilities are being discovered and reported on a daily basis, not all
vulnerabilities present in the designated City of Fort Worth systems and associated
processing environment may be detected.
5.2 Assumptions
• If both of the 'public' URLs (https://www.snapforyou.com and
https://www.snapfor o�g) point to the same location, CIBER will only test one of
the links in detail and perform selective tests on the remaining link.
• While all efforts will be made to schedule this assessment as soon as possible,
CIBER will require up to 4 weeks advance notification.
6 MANAGEMENT APPROACH
This section provides an overview of the management approach that will be used to ensure
that the project will be completed on time, will be within the budget, and will meet the
quality requirements specified. These processes control scope, enforce standards for quality
assurance, and manage issues and risks. Project controls include Issue Management, Risk
Management, Project Communications, Change Management, Quality Assurance, and
Acceptance Management.
6.1 Project Planning
CIBER will create and maintain a baseline Project Plan throughout the project life cycle
that represents CIBER's scope of work as defined in this SOW and those dependent work
efforts that affect the project's schedule or budget. The initial project baseline is
established with the City of Fort Worth's approval of this SOW as the approved budget,
schedule, and scope of the project.
6.1.1 Project Plan Content
The baseline Project Plan will contain:
• CIBER's major activities with detailed tasks and level-of-effort estimates.
• Dependencies that affect the project's schedule or budget.
• Specific resources allocated to project tasks.
• Milestone and deliverable dates.
• Project schedule and budget.
6.1.2 Plan Management
During the project, the CIBER Project Manager will:
• Manage the baseline Project Plan as a configuration item according to the project's
Configuration Management Process.
• Control change to the planned scope, budget, and schedule through the Project
Change Management Process.
• Track approved changes to scope, budget, and schedule by revising the baseline
Project Plan and maintaining its currency.
6.2 Issue Management
Issue Management is a structured approach to identifying, assessing, tracking, and
resolving problems during a project. Issues surface unexpectedly and must be addressed
expeditiously. The CIBER Project Manager is responsible for documenting, tracking, and
bringing to closure project issues. Often, CIBER can execute a project of this size and
complexity without encountering any significant issues. If issues are identified during this
project by City of Fort Worth or CIBER, the CIBER Project Manager will maintain an
Issues Matrix as part of the Project Status Report containing descriptions, responsibilities,
dates, and severity of issues identified during the course of the project.
If necessary, a written change order to this SOW agreement may be submitted to aid in
resolving project issues. This procedural step must be agreed to by both parties and exists
to clearly define and document any significant issues, allowing the project to proceed.
6.3 Risk Management
Project risk is any event or condition that may have a negative effect on a project
objective. Risk Management is the structured approach to assessing, tracking and
minimizing the probability and consequences of adverse events through mitigation
strategies and contingency planning.
The CIBER Project Manager is responsible for assessing, planning for, tracking, and
addressing project risks. Due to the relatively small size and duration of this project,
CIBER considers this a low-risk project. If risks are identified by the City of Fort Worth
or CIBER during this project, the CIBER Project Manager will maintain a Risk Matrix as
part of the Project Status Report containing descriptions, responsibilities, dates, and
severity of risks identified during the course of the project.
If necessary, a written change order to this SOW agreement may be submitted to aid in
resolving project risks. This procedural step must be agreed to by both parties and exists
to clearly define and document any significant risks, allowing the project to proceed.
6.4 Project Communications
Appropriate oversight and effective problem resolution are keys to project success.
CIBER will maintain an open line of communication with the City of Fort Worth during
this engagement, and will review the project status with the City of Fort Worth Project
Sponsor on a weekly basis by phone call or other agreed upon method.
6.4.1 Status Reporting
CIBER will send a status report by e-mail each week on a day mutually agreed upon
between CIBER and the City of Fort Worth. If requested by the City of Fort Worth,
CIBER will review the status report with the City of Fort Worth Project Sponsor each
week via telephone or other agreed upon method on a day mutually agreed upon between
CIBER and City of Fort Worth. CIBER's standard weekly project status report will
provide a:
• Summary of Accomplishments for the past week
• Summary of planned activities for the next week
• Status of Milestones and Deliverables
• Analysis of Plan Variances
• Summary of issues, risks, and change requests
Figure 2 illustrates the CIBER Status Report.
[Figure 2: CIBER's Status Report Template, with fields including Financial Status, Task,
Due Date, Issue and Description]
6.4.2 Project Team Meetings
The Project Team will meet to review the Project Plan and each team member's progress
toward the successful completion of their assigned tasks. The team will focus on
Estimates to Complete and early identification and assessment of project issues and change
requests.
The CIBER Project Manager will hold project team meetings, produce status reports, and
meet with City of Fort Worth's designated sponsor to discuss project progress every week
either in person or via telephone.
6.5 Management Review
CIBER projects undergo scheduled internal progress reviews to ensure that established
standards and processes are being followed and that the project is proceeding according to
plan. Corrective actions are identified, implemented and monitored through project
completion. These reviews are performed as needed during the project.
6.6 Change Management
Project Change Management is a process by which requests for modifications to the
established scope, schedule, or cost are controlled and managed. A defined process for
managing change is essential to completing initiatives on time and within budget.
The CIBER Project Manager is responsible for ensuring that Change Requests are
documented, tracked, and closed.
6.6.1 Project Change Management Process —Overview
Project Change Requests for expanded effort, longer timelines, and other project items
that may impact cost will be addressed using the form in Appendix A - Sample Change
Request Form. The CIBER Project Manager will analyze each Change Request for its
impact to the project scope, schedule, and budget. The impacts will be documented as a
component of the original Change Request. CIBER's Project Manager will prepare a
recommendation for each Change Request and present it for City of Fort Worth's
approval via a Change Request Form. (See Appendix A - Sample Change Request
Form.) The CIBER Project Manager will implement, close, or defer the Change Request
based upon City of Fort Worth's decision to approve, disapprove, or defer the request.
For approved Change Requests, the Change Request Form will be appended to this
Statement of Work and scope, schedule, and budget impacts will be reflected in an
updated baseline Project Plan.
6.6.2 Project Change Management Process —Project Specific Policies
The following Change Management Process policies apply.
6.6.2.1 Approval/rejection turnaround timeframe
The City of Fort Worth Project Sponsor shall acknowledge the Change Request within
five (5) business days from the receipt of the Change Request Form if initiated by
CIBER, and communicate an anticipated timeframe in which a decision will be made.
The CIBER Project Manager will accept or reject the Change Request within five (5)
business days from receipt of the Change Request Form if initiated by the City of Fort
Worth. Approval or rejection will be in accordance with City of Fort Worth rules and
regulations.
6.6.2.2 Course of action if an Approver is unavailable or does not respond with a decision
in the timeframe specified
If the City of Fort Worth Project Sponsor does not acknowledge the Change Request
within five (5) business days from the receipt of the Change Request Form, and does
not communicate a timeframe in which a decision will be made:
• The Change Request will be logged and closed as an unapproved request.
• Project work will progress as originally approved without incorporating the
requested change into the work plan.
6.6.2.3 Analysis of 'out-of-scope' Change Requests
For Change Requests that are determined to be outside the stated project scope, the City
of Fort Worth Project Sponsor will, within City of Fort Worth rules and regulations,
authorize cost and/or schedule allowance on a Time & Materials basis for the initial
analysis of a Change Request, either as direct funding for the analysis effort or as part
of the overall funding for the implementation of an approved request.
6.6.2.4 Resolution of scope disputes
The CIBER Director of Delivery or Project Manager and the City of Fort Worth Project
Sponsor will try to resolve any dispute regarding the 'in-scope' or 'out-of-scope'
classification of work by referring to this Statement of Work; the Contract; and any
changes, amendments, and attachments to these documents to which the parties have
previously agreed in writing. If the CIBER Project Manager and the City of Fort Worth
Project Sponsor cannot reach agreement within three (3) business days, dispute
resolution will be escalated to the City of Fort Worth Project Sponsor and the CIBER
VP/Area Director (or their respective designees) per the Master Agreement.
6.6.2.5 City of Fort Worth Change Request Approvers
The following person has been designated by the City of Fort Worth to be responsible
for obtaining approval of Change Requests for the project: Security Manager.
Alternate approvers may be designated by the City of Fort Worth.
6.7 Quality Assurance
CIBER's Quality Assurance Process will:
• Evaluate processes, work products, and services against the applicable process
descriptions, standards, and procedures
• Identify and document noncompliance issues
• Provide feedback regarding quality assurance to engagement staff and management.
A trained CIBER resource, typically a senior member of the CIBER Practice staff, will
conduct Quality Reviews of the Project Plan and all deliverable reports to assess
compliance to CIBER policy and standards and document any observed noncompliance.
Corrective actions will be noted to assist the project team in addressing each
noncompliance observation. The CIBER Director of Delivery will ensure implementation
of corrective actions resulting from the Quality Assurance reviews.
6.8 Acceptance Management
CIBER's Acceptance Management Process ensures that deliverables or services provided
by CIBER during the engagement are presented to the City of Fort Worth for acceptance.
Formal acceptance by the City of Fort Worth indicates that the deliverable or service has
been completed in accordance with this Statement of Work. The CIBER Project Manager
is responsible for ensuring that engagement deliverables and services are formally
accepted by the City of Fort Worth.
6.8.1 Acceptance Management Process —Overview
The CIBER Project Manager or designee will declare a deliverable or service complete
and ready for acceptance when:
• Task work efforts have been completed.
• Internal Quality Assurance efforts have been conducted.
• The CIBER Project Manager or designee will validate that the deliverable or service
is ready for acceptance and present the deliverable or service, or representative
documentation, to the City of Fort Worth for acceptance.
The City of Fort Worth will formally accept the deliverable or service as complete and in
conformance with this Statement of Work, or reject the deliverable or service and state
reasons for rejection. (See Appendix B - Sample Deliverable/Service Acceptance Form.)
The CIBER Project Manager or designee will coordinate efforts to redress deliverables or
services rejected by the City of Fort Worth.
6.8.2 Acceptance Management Process - Engagement Specific Policies
The following Acceptance Management Process policies apply:
6.8.2.1 Alternatives to formal client signatures on paper documents:
A signed Deliverable Acceptance Form indicating acceptance or rejection of a
deliverable or service constitutes formal acceptance or rejection.
6.8.2.2 Approval/rejection turnaround timeframe:
The City of Fort Worth Approver will accept or reject the deliverable or service within
five (5) business days from the receipt of the Deliverable Acceptance Form.
6.8.2.3 Course of action if an Approver is unavailable or does not respond with a decision in the
time specified
The City of Fort Worth Approver shall accept or reject the deliverable or service within
five (5) business days from the receipt of the Deliverable Acceptance Form or
communicate a timeframe in which a decision will be made:
• If a decision is not made within the stated timeframe, the acceptance/rejection
request will be logged, tracked and escalated as an engagement issue in accordance
with the engagement's Issue Management Process.
A Change Request may result if modifications to the deliverable or service are required
and those modifications affect other engagement work, or work that proceeded at risk.
6.8.2.4 City of Fort Worth Approver(s) for engagement deliverables/services
Alternate approvers may be designated by the City of Fort Worth.
6.8.2.5 Project Completion
The project is considered complete under any of the following conditions:
• All deliverables have been provided and accepted by the City of Fort Worth.
• The total number of budgeted hours allotted to this project has been reached and no
change order has been approved by the City of Fort Worth.
• CIBER and the City of Fort Worth agree in writing that the contract has been
completed in accordance with the Acceptance Management process.
7 SCHEDULE
The estimate for completion of this effort is five weeks, as shown in Table 5. Please note
that the schedule does not include the time required for the remediation activities to occur.
Table 5: Project Schedule
Columns: Service, Week 1, Week 2, Week 3, Week 4, Week 5
Services:
Kickoff
Scanning
Analysis
Reporting
Remediation Consulting
Remediation Activities*
Remediation Testing
Final Presentation
*Remediation activities are performed by the City of Fort Worth development team.
8 PROJECT FEES
This engagement will be performed as a fixed price engagement for $15,900.
This price is inclusive of traveling and lodging expenses for a single trip to the City of Ft.
Worth to present the final report.
If it is necessary to exceed the scope of this engagement, CIBER will inform the City of Fort
Worth via the Project Change Management process. All changes to project cost and
schedule will be agreed upon with the City of Fort Worth and documented and approved via
a Project Change Request per Appendix A - Sample Change Request Form.
All other terms and conditions, not described above, are governed by the Master Services
Agreement between the City of Fort Worth and CIBER, Inc.
Note: Scope changes, unrealized assumptions, and/or unfulfilled requests could impact our ability
to perform in a timely manner. We will notify our City of Fort Worth contact if any unanticipated
event surfaces that might impact our ability to perform for the stated fee.
APPROVALS
The terms and conditions of this Statement of Work, including all rates and pricing
provisions, shall not be binding on CIBER unless this Statement of Work is signed by
CIBER and the City of Fort Worth on or before September 1, 2010.
IN WITNESS WHEREOF, the parties have executed this Statement of Work on the date or
dates indicated below.
City of Fort Worth
NAME: Karen L. Montgomery
TITLE:
DATE:
CIBER, Inc.
NAME:
TITLE:
DATE:
City of Fort Worth
BY:
NAME:
TITLE:
DATE:
CIBER, Inc.
BY:
NAME:
TITLE:
DATE:
OFFICIAL RECORD
CITY SECRETARY
FT. WORTH, TX
APPENDIX A - SAMPLE CHANGE REQUEST FORM
Client:
Date Requested:
Requested by:
Project:
Change Control #:
Requested Priority:
Description of Change:
Reason for Change:
Change Request Analysis (by CIBER):
Conducted by:
Schedule Impact (days):
Impact on Project (Scope, Quality, Critical Path):
Budget Impact ($):
Time to complete analysis: Hours
Date Completed:
Recommendation:
Resolution & Approvals:
«Client Name»: ❑ Approved ❑ Rejected ❑ On Hold
Signature:
Name/Title:
Date:
Reason for Rejection, if Applicable:
CIBER: ❑ Approved ❑ Rejected ❑ On Hold
Signature:
Name/Title:
Date:
APPENDIX B - SAMPLE DELIVERABLE/SERVICE ACCEPTANCE FORM
Deliverable/Service Acceptance Form
Client: Project:
Deliverable/Service:
Completion Date: Value of Deliverable/Service:
Resolution & Approvals:
CLIENT:
❑ Accept
❑ Reject for Cause
Reason for Rejection, if Applicable:
Remarks:
«Client Name»:
Signature:
Name/Title:
Date:
CIBER:
Signature:
Name/Title:
Date:
APPENDIX C - SCANNING AUTHORIZATION SERVICES FORM
The purpose of this Attachment is to set out our agreement regarding security-scanning
services offered by CIBER for the City of Fort Worth. This form is to be filled out during
CIBER's first on site meeting with the customer to clearly identify the areas to be scanned
for the SOW.
Security Scanning Services
CIBER shall utilize, but not be limited to, commercial, public domain, or custom security
software such as eEye Retina, Nessus, and Nmap to perform electronic scans of the City of
Fort Worth's Internet presence, internal network components, hosts, servers, and/or
workstations as indicated in the SOW and this attachment. The purpose of the scan is to
identify exploitable vulnerabilities in the City of Fort Worth's security controls.
Types of Scanning Services
CIBER offers security-scanning services from onsite and remote site locations. CIBER shall
perform its services only to the extent indicated in this attachment and in accordance with an
agreed upon SOW.
Access
The City of Fort Worth shall provide CIBER access to its systems, networks, and/or firewalls
sufficient for CIBER to perform the services authorized in this SOW and/or this attachment.
For internal security scans, the City of Fort Worth shall provide protocols sufficient for
CIBER to utilize the software to perform CIBER services remotely or connectivity to an
internal network when work performance is onsite.
Escalation POC
The scans conducted by CIBER could initiate an incident-reporting scenario. The City of
Fort Worth will identify an individual who can intervene in the escalation of incident reporting
for any activity that might occur as a result of the audit activity.
Confidentiality
Except for the purposes of this agreement, CIBER shall not use or disclose the data derived
from its scanning services.
Type of Service
Q External Scanning
Host Scanning
Internal Network Scanning
Level of Service
Q Heavy - checks for most vulnerabilities. This level is unlikely to cause
service disruptions of the devices scanned.
Q Port Scanning - All scanning activities will be limited to system and
service identification.
WARNING: May cause various machines to go down or reboot temporarily.
Networks to be Scanned (IP Addresses)
IP Address | Function
Scanning Dates
Scan authorized between ____, 2010 and ____ 2010.
Time Restrictions
(Can be scanning time frame or excluded time frames - please indicate in Mountain Standard Time)
Scan between ____ MST and ____ MST ONLY.
Do NOT scan between ____ MST and ____ MST.
Escalation POC
City of Fort Worth POC #1
Name:
Title:
Phone No.:
Cell No.:
City of Fort Worth POC #2
Name:
Title:
Phone No.:
Cell No.:
CIBER POC #1
Name:
Title:
Phone No.:
Cell No.:
CIBER POC #2
Name:
Title:
Phone No.:
Cell No.:
Certification
I certify that I am the owner/authorized person responsible for the systems targeted for the
aforementioned scan activity; that I am aware of the risks inherent with automated security
scanning; that I have taken reasonable precautions with respect to critical data backups;
and I authorize this activity to be performed in accordance with the attached
agreement/statement of work.
Signed on behalf of the City of Fort Worth by:
Name:
Title:
Signature:
Date:
This NETWORK ACCESS AGREEMENT ("Agreement") is made and entered into by and
between the CITY OF FORT WORTH ("City"), a home rule municipal corporation with its principal
location at 1000 Throckmorton Street, Fort Worth, Texas 76102, organized under the laws of the State of
Texas and situated in portions of Tarrant, Denton and Wise Counties, Texas, and CONTRACTOR with its
principal location at 6363 South Fiddler's Green Circle, Ste 1400, Greenwood Village, CO 80111,
("Contractor").
1. The Network. The City owns and operates a computing environment and network (collectively
the "Network"). Contractor wishes to access the City's network in order to provide [consulting services
for the purpose of performing an application assessment on the application Special Needs Assessment
Program (SNAP). In order to provide the necessary support, Contractor needs access to the Internet,
Intranet, email, and SNAP System.].
2. Grant of Limited Access. Contractor is hereby granted a limited right of access to the City's
Network for the sole purpose of providing consulting services. Such access is granted subject to the
terms and conditions set forth in this Agreement and applicable provisions of the City's Administrative
Regulation DJ (Electronic Communications Resource Use Policy), of which such applicable provisions
are hereby incorporated by reference and made a part of this Agreement for all purposes herein and are
available upon request.
3. Network Credentials. The City will provide Contractor with Network Credentials consisting of
user IDs and passwords unique to each individual requiring Network access on behalf of the Contractor.
Access rights will automatically expire one (1) year from the date of this Agreement. If this access is being
granted for purposes of completing services for the City pursuant to a separate contract, then, this
Agreement will expire at the completion of the contracted services, or upon termination of the contracted
services, whichever occurs first. Services are being provided in accordance with City Secretary Contract
No.
4. Renewal. At the end of the first year and each year thereafter, this Agreement may be renewed
annually if the following conditions are met:
4.1 Contracted services have not been completed.
4.2 Contracted services have not been terminated.
4.3 Within the thirty (30) days prior to the scheduled annual expiration of this Agreement, the
Contractor has provided the City with a current list of its officers, agents, servants, employees or
representatives requiring Network credentials.
Notwithstanding the scheduled contract expiration or the status of completion of services, Contractor shall
provide the City with a current list of officers, agents, servants, employees or representatives that require
Network credentials on an annual basis. Failure to adhere to this requirement may result in denial of
access to the Network and/or termination of this Agreement.
5. Network Restrictions. Contractor officers, agents, servants, employees or representatives may
not share the City-assigned user IDs and passwords. Contractor acknowledges, agrees and hereby gives
its authorization to the City to monitor Contractor's use of the City's Network in order to ensure
Contractor's compliance with this Agreement. A breach by Contractor, its officers, agents, servants,
employees or representatives, of this Agreement and any other written instructions or guidelines that the
City provides to Contractor pursuant to this Agreement shall be grounds for the City immediately to deny
Contractor access to the Network and Contractor's Data, terminate the Agreement, and pursue any other
remedies that the City may have under this Agreement or at law or in equity.
6. Termination. In addition to the other rights of termination set forth herein, the City may terminate
this Agreement at any time and for any reason with or without notice, and without penalty to the City.
Vendor Network Access Agreement Rev. 12/10/2009
Upon termination of this Agreement, Contractor agrees to remove entirely any client or communications
software provided by the City from all computing equipment used and owned by the Contractor, its
officers, agents, servants, employees and/or representatives to access the City's Network.
7. Information Security. Contractor agrees to make every reasonable effort in accordance with
accepted security practices to protect the Network credentials and access methods provided by the City
from unauthorized disclosure and use. Contractor agrees to notify the City immediately upon discovery of
a breach or threat of breach which could compromise the integrity of the City's Network, including but not
limited to, theft of Contractor-owned equipment that contains City-provided access software, termination
or resignation of officers, agents, servants, employees or representatives with access to City-provided
Network credentials, and unauthorized use or sharing of Network credentials.
8. LIABILITY AND INDEMNIFICATION. CONTRACTOR SHALL BE LIABLE AND RESPONSIBLE
FOR ALL DAMAGES THAT THE CITY MAY INCUR DIRECTLY ON ACCOUNT OF ANY BREACH OF
THIS AGREEMENT BY CONTRACTOR, ITS OFFICERS, AGENTS, SERVANTS OR EMPLOYEES.
THE CITY, ITS OFFICERS, AGENTS, SERVANTS AND EMPLOYEES, SHALL NOT BE LIABLE FOR
ANY DAMAGES THAT CONTRACTOR MAY INCUR AS A RESULT OF THE CITY'S RESTRICTIONS
TO OR DENIAL OF ACCESS TO CONTRACTOR'S DATA ON ACCOUNT OF ANY BREACH OF THIS
AGREEMENT BY CONTRACTOR, ITS OFFICERS, AGENTS, SERVANTS OR EMPLOYEES, OR FOR
ANY REASONABLE SECURITY MEASURES TAKEN BY THE CITY. IN ADDITION, CONTRACTOR
SHALL BE LIABLE AND RESPONSIBLE FOR ANY AND ALL PROPERTY LOSS, PROPERTY
DAMAGE AND/OR PERSONAL INJURY, INCLUDING DEATH, AND ALL CLAIMS, DEMANDS AND
JUDGMENTS THEREFOR, TO THE EXTENT CAUSED BY THE NEGLIGENT ACT(S) OR
OMISSION(S) OR INTENTIONAL MISCONDUCT OF CONTRACTOR, ITS OFFICERS, AGENTS,
SERVANTS AND/OR EMPLOYEES. CONTRACTOR, AT CONTRACTOR'S OWN COST OR
EXPENSE, HEREBY AGREES TO INDEMNIFY, DEFEND AND HOLD HARMLESS THE CITY, ITS
OFFICERS, AGENTS, SERVANTS AND/OR EMPLOYEES FROM AND AGAINST ANY CLAIM,
LAWSUIT, DEMAND OR OTHER ACTION TO THE EXTENT THAT THE SAME ARISES FROM THE
NEGLIGENT ACT(S) OR OMISSION(S) OR INTENTIONAL MISCONDUCT OF CONTRACTOR, ITS
OFFICERS, AGENTS, SERVANTS OR EMPLOYEES.
9. Confidential Information. Contractor, for itself and its officers, agents, employees, and
representatives, agrees that it shall treat all information provided to it by the City as confidential and shall
not disclose any such information to a third party without the prior written approval of the City. Contractor
further agrees that it shall store and maintain City Information in a secure manner and shall not allow
unauthorized users to access, modify, delete or otherwise corrupt City Information in any way. Contractor
shall notify the City immediately if the security or integrity of any City information has been compromised
or is believed to have been compromised.
10. Right to Audit. Contractor agrees that the City shall, during the initial term, any renewal terms,
and until the expiration of three (3) years after termination or expiration of this contract, have access to
and the right to examine at reasonable times any directly pertinent books, data, documents, papers and
records, both hard copy and electronic, of the Contractor involving transactions relating to this
Agreement. Contractor agrees that the City shall have access during normal working hours to all
necessary Contractor facilities and shall be provided adequate and appropriate work space in order to
conduct audits in compliance with the provisions of this section. The City shall give Contractor
reasonable advance notice of intended audits. Contractor further agrees to include in all its
subcontractor agreements hereunder a provision to the effect that the subcontractor agrees that the City
shall, during the initial term, any renewal terms, and until expiration of three (3) years after termination
or expiration of the subcontract, have access to and the right to examine at reasonable times any
directly pertinent books, data, documents, papers and records, both hard copy and electronic, of such
subcontractor involving transactions related to the subcontract, and further that City shall have access
during normal working hours to all subcontractor facilities and shall be provided adequate and
appropriate work space in order to conduct audits in compliance with the provisions of this paragraph.
City shall give subcontractor reasonable notice of intended audits.
11. Agreement Cumulative. This Agreement is cumulative of and in addition to any written
contracts, agreements, understandings or acknowledgments with the City signed by Contractor. This
Agreement and any other documents incorporated herein by reference constitute the entire
understanding and Agreement between the City and Contractor as to the matters contained herein
regarding Contractor's access to and use of the City's Network.
12. Amendments. The terms of this Agreement shall not be waived, altered, modified,
supplemented, or amended in any manner except by written instrument signed by an authorized
representative of both the City and Contractor.
13. Assignment. Contractor may not assign or in any way transfer any of its interest in this
Agreement. Any attempted assignment or transfer of all or any part hereof shall be null and void.
14. Severability. If any provision of this Agreement is held to be invalid, illegal or unenforceable, the
validity, legality and enforceability of the remaining provisions shall not in any way be affected or
impaired.
15. Force Majeure. Each party shall exercise its best efforts to meet its respective duties and
obligations as set forth in this Agreement, but shall not be held liable for any delay or omission in
performance due to force majeure or other causes beyond their reasonable control (force majeure),
including, but not limited to, compliance with any government law, ordinance or regulation, acts of God,
acts of the public enemy, fires, strikes, lockouts, natural disasters, wars, riots, material or labor
restrictions by any governmental authority, transportation problems and/or any other similar causes.
16. Governing Law / Venue. This Agreement shall be construed in accordance with the laws of the
State of Texas. If any action, whether real or asserted, at law or in equity, is brought on the basis of this
Agreement, venue for such action shall lie in state courts located in Tarrant County, Texas or the United
States District Court for the Northern District of Texas, Fort Worth Division.
17. Signature Authority. The signature below of an authorized representative acknowledges that the
Contractor has read this Agreement and agrees to be bound by terms and conditions set forth herein.
ACCEPTED AND AGREED:
CITY OF FORT WORTH:
By:
Karen L. Montgomery
Assistant City Manager
Date:
ATTEST:
By:
Marty Hendrix
City Secretary
APPROVED AS TO FORM AND LEGALITY:
CIBER, INC:
Name:
Title:
Date:
ATTEST:
By:
Name:
Vendor Contract No.
STATE OF TEXAS
DEPARTMENT OF INFORMATION RESOURCES
CONTRACT FOR SERVICES
CIBER, INC.
1. Introduction
A. Parties
This Contract for services is entered into between the State of Texas, acting by and
through the Department of Information Resources (hereinafter "DIR") with its principal
place of business at 300 West 15th Street, Suite 1300, Austin, Texas 78701, and CIBER,
Inc. (hereinafter "Vendor"), with its principal place of business at 5251 DTC Parkway,
Suite 1400, Greenwood Village, CO 80111.
B. Compliance with Procurement Laws
This Contract is the result of compliance with applicable procurement laws of the State of
Texas. DIR issued a solicitation on the Comptroller of Public Accounts' Electronic State
Business Daily, Request for Offer (RFO) DIR-SDD-TMP-100, on March 1, 2007, for
Information Technology Security Services. Upon execution of this Contract, a notice of
award for RFO DIR-SDD-TMP-100 shall be posted by DIR on the Electronic State
Business Daily.
C. Order of Precedence
This Contract; Appendix A, Standard Terms and Conditions For Services Contracts;
Appendix B, Vendor's Historically Underutilized Businesses Subcontracting Plan;
Appendix C, Customer Service Agreement; Appendix D, Pricing and Services Index;
Exhibit 1, Vendor's Response to RFO DIR-SDD-TMP-100, including all addenda; and
Exhibit 2, RFO DIR-SDD-TMP-100, including all addenda; are incorporated by
reference and constitute the entire agreement between DIR and Vendor. In the event of a
conflict between the documents listed in this paragraph, the controlling document shall be
this Contract, then Appendix A, then Appendix B, then Appendix C, then Appendix D,
then Exhibit 1, and finally Exhibit 2. In the event and to the extent any provisions
contained in multiple documents address the same or substantially the same subject
matter but do not actually conflict, the more recent provisions shall be deemed to have
superseded earlier provisions.
2. Term of Contract
The term of this Contract shall be two (2) years commencing on the last date of approval
by DIR and Vendor. Prior to expiration of the original term, DIR and Vendor may extend
this Contract, upon mutual agreement, for up to two (2) optional one-year terms.
DIR Contract No. DIR-SDD-685
3. Service Offerings
Services available under this Contract are limited to Information Technology Security
Services as specified in Appendix D, Pricing and Services Index. Vendor may
incorporate changes to their services offering; however, any changes must be within the
scope of services awarded based on the posting described in Section 1.B above.
4. Pricing
A. Manufacturer's Suggested Retail Price (MSRP)
MSRP is defined as the sales price suggested by the manufacturer or publisher of the
service.
B. Customer Discount
The minimum Customer discount for all services will be the percentage off MSRP as
specified in Appendix D, Pricing and Services Index. Customer Discount includes
the DIR administrative Fee specified in Section 5.
C. Customer Price
1) The price to the Customer shall be calculated as follows:
Customer Price = MSRP - Customer Discount
2) Customers purchasing services under this Contract may negotiate more
advantageous pricing or participate in special promotional offers. In such event, a
copy of such better offerings shall be furnished to DIR upon request.
3) If pricing for services available under this Contract are provided at a higher
discount to: (i) an eligible Customer who is not purchasing those services under this
Contract or (ii) any other entity or consortia authorized by Texas law to sell said
services to eligible Customers, then the available discounts in this Contract shall be
adjusted to that higher discount. This Contract shall be amended within ten (10)
business days to reflect the higher discounts.
D. DIR Administrative Fee
The administrative fee specified in Section 5 below shall not be broken out as a
separate line item when pricing or invoice is provided to Customer.
E. Tax-Exempt
As per Section 151.309, Texas Tax Code, Customers under this Contract are exempt
from the assessment of State sales, use and excise taxes. Further, Customers under
this Contract are exempt from Federal Excise Taxes, 26 United States Code Sections
4253(i) and (j).
F. Travel Expense Reimbursement
Pricing for services provided under this Contract are exclusive of any travel expenses
that may be incurred in the performance of those services. Travel expense
reimbursement may include personal vehicle mileage or commercial coach
transportation, hotel accommodations, parking and meals; provided, however, the
amount of reimbursement by Customers shall not exceed the amounts authorized by
the current State Travel Regulations. Travel time may not be included as part of the
amounts payable by Customer for any services rendered under this Contract. The DIR
administrative fee specified in Section 5 below is not applicable to travel expense
reimbursement. Anticipated travel expenses must be pre-approved in writing by
Customer.
H. Changes to Prices
Vendor may change the price of any service at any time, based upon changes to the
MSRP, but discount levels shall remain consistent with the discount levels specified
in this Contract. Price decreases shall take effect automatically during the term of this
Contract and shall be passed onto the Customer immediately.
5. DIR Administrative Fee
A) The administrative fee to be paid by the Vendor to DIR based on the dollar value of
all sales to Customers pursuant to this Contract is two percent (2%). Payment will be
calculated for all sales, net of returns and credits. For example, the administrative fee for
sales totaling $100,000 shall be $2,000.
B) All prices quoted to Customers shall include the administrative fee. DIR reserves the
right to change this fee upwards or downwards during the term of this Contract, upon
written notice to Vendor. Any change in the administrative fee shall be incorporated in
the price to the Customer.
6. Notification
All notices under this Contract shall be sent to a party at the respective address indicated
below.
If sent to the State:
Sherri Parks, Director
Contracting & Procurement Services
Department of Information Resources
300 W. 15th St., Suite 1300
Austin, Texas 78701
Phone: (512) 475-4700
Facsimile: (512) 475-4759
Email: sherri.parks@dir.state.tx.us
If sent to the Vendor:
Mary Anne Clement
CIBER, Inc.
4515 Seton Center Parkway, Suite 100
Austin, TX 78759
Phone: (512) 458-6650
Facsimile: (512) 458-6648
Email: maclement@ciber.com
7. Customer Service Agreement
Services provided under this Contract shall be in accordance with the Service Agreement
as set forth in Appendix C of this Contract. No changes to the Service Agreement terms
and conditions may be made unless previously agreed to by Vendor and DIR.
8. Authorized Exceptions to Appendix A, Standard Terms and Conditions for Services
Contracts.
A. Section 5. Purchase Orders, Invoices, and Payments, A. Purchase Orders is
hereby replaced in its entirety as follows:
All Customer Purchase Orders will be placed directly with the Vendor. Accurate
Purchase Orders shall be effective and binding upon Vendor when accepted by
Vendor. Vendor reserves the right to negotiate the terms of the Purchase Order not
addressed in this contract, including but not limited to, Scope of Work, Method of
Performance, Terms of Acceptance, Customer Responsibilities, and Confidentiality
and Ownership.
B. Section 7. Vendor Responsibilities, A. Indemnification, 1) Independent
Contractor is hereby replaced in its entirety as follows:
VENDOR AGREES AND ACKNOWLEDGES THAT DURING THE
EXISTENCE OF THIS CONTRACT, IT IS FURNISHING SERVICES IN THE
CAPACITY OF AN INDEPENDENT CONTRACTOR AND THAT VENDOR
IS NOT AN EMPLOYEE OF THE CUSTOMER, DIR OR THE STATE OF
TEXAS. Nothing in this Agreement will be construed to make Vendor or the State
partners, joint venturers, principals, agents or employees of the other. No officer,
director, employee, agent, affiliate or contractor employed by Vendor to perform
work on a Customer's behalf under this Agreement will be deemed to be an
employee, agent or contractor of the Customer. Neither party will have any right,
power or authority, express or implied, to bind or make representations on behalf of
the other.
C. Section 7. Vendor Responsibilities, A. Indemnification, 2) Acts or Omissions is
hereby replaced in its entirety as follows:
Vendor shall indemnify and hold harmless the State of Texas and Customers,
AND/OR THEIR EMPLOYEES, AGENTS, REPRESENTATIVES,
CONTRACTORS, ASSIGNEES, AND/OR DESIGNEES FROM ANY AND ALL
LIABILITY, ACTIONS, CLAIMS, DEMANDS, OR SUITS, AND ALL RELATED
COSTS, ATTORNEY FEES, AND EXPENSES for injury to persons or damage to
real or tangible personal property to the extent directly caused by any acts or
omissions of the Vendor or its agents, employees, subcontractors, Order Fulfillers, or
suppliers of subcontractors in the execution or performance of the Contract and any
Purchase Orders issued under the Contract. VENDOR SHALL PAY ALL COSTS OF
DEFENSE INCLUDING ATTORNEYS FEES. THE DEFENSE SHALL BE
COORDINATED BY THE OFFICE OF THE ATTORNEY GENERAL FOR
TEXAS STATE AGENCY CUSTOMERS AND BY CUSTOMER'S LEGAL
COUNSEL FOR NON-STATE AGENCY CUSTOMERS.
D. Section 7. Vendor Responsibilities, A. Indemnification, 3) Infringement, c) is
hereby added as follows:
c) If the remedies set forth in (i) or (ii) are not available on commercially reasonable
terms, Vendor may terminate the license for the allegedly infringing products or
services, and upon receipt of the products or services, return the fees paid by
Customer for such products or services, prorated over a five year term from the
applicable delivery date. For purposes of this indemnity, products and services do not
include any third party products or services, whether or not supplied by Vendor. As
to such third party products or services, Vendor shall exercise commercially
reasonable efforts to secure for the Customer the remedies, if any, offered by the third
party. This Section 7.A.3)c) states Vendor's entire liability and Customer's exclusive
remedy for infringement of intellectual property rights.
E. Section 7. Vendor Responsibilities, B. Taxes/Worker's Compensation/
UNEMPLOYMENT INSURANCE, 2) is hereby replaced in its entirety as follows:
2) VENDOR AGREES TO INDEMNIFY AND HOLD HARMLESS CUSTOMERS,
THE STATE OF TEXAS AND/OR THEIR EMPLOYEES, AGENTS,
REPRESENTATIVES, CONTRACTORS, ASSIGNEES, AND/OR DESIGNEES
FROM ANY AND ALL LIABILITY, ACTIONS, CLAIMS, DEMANDS, OR
SUITS, AND ALL RELATED COSTS, ATTORNEY FEES, AND EXPENSES,
RELATING TO TAX LIABILITY, UNEMPLOYMENT INSURANCE AND/OR
WORKERS' COMPENSATION OR EXPECTATIONS OF THOSE BENEFITS BY
VENDOR, ITS EMPLOYEES, REPRESENTATIVES, AGENTS OR
SUBCONTRACTORS IN ITS PERFORMANCE UNDER THIS CONTRACT.
VENDOR SHALL BE LIABLE TO PAY ALL COSTS OF DEFENSE INCLUDING
ATTORNEYS' FEES. THE DEFENSE SHALL BE COORDINATED BY THE
OFFICE OF THE ATTORNEY GENERAL FOR TEXAS STATE AGENCY
CUSTOMERS AND BY CUSTOMER'S LEGAL COUNSEL FOR NON-STATE
AGENCY CUSTOMERS.
F. Section 7. Vendor Responsibilities, H. Security of Premises, Equipment, Data
and Personnel is hereby replaced in its entirety as follows:
Vendor may, from time to time during the performance of the Contract, have access
to the personnel, premises, equipment, and other property, including data, files and/or
materials (collectively referred to as "Data") belonging to the Customer. Vendor
shall use their commercially reasonable best efforts to preserve the safety, security,
and the integrity of the personnel, premises, equipment, Data and other property of
the Customer, in accordance with the instruction of the Customer. Subject to all
conditions, limits and exclusions in this Contract, Vendor shall be responsible for
damage to Customer's equipment, workplace, and its contents to the extent such
damage is caused by the negligent conduct of its employees or subcontractors in their
performance of the work under this Contract. Vendor's liability of loss of data or
information shall be limited to the reasonable direct costs to restore the data on the
most recent backup materials kept by the State.
G. Section 8. Contract Enforcement, C. Force Majeure is hereby replaced in its
entirety as follows:
DIR, Customer, or Vendor may be excused from performance under the Contract for
any period when performance is prevented as the result of circumstance beyond a
party's reasonable control, including, by way of example and not by way of
limitation, an act of God, strike, war, civil disturbance, epidemic, court order,
embargo, blockage, work stoppage, acts of the public enemy, acts of terrorism,
provided that the party experiencing the event of Force Majeure has prudently and
promptly acted to take any and all steps that are within the party's control to ensure
performance and to shorten the duration of the event of Force Majeure. The party
suffering an event of Force Majeure shall provide notice of the event to the other
parties when commercially reasonable. Subject to this provision, such non-
performance shall not be deemed a default or a ground for termination. However, a
Customer may terminate a Purchase Order if it is determined by the Customer that
Vendor will not be able to deliver services in a timely manner to meet the business
needs of the Customer.
H. New Section 11. Ownership of Information is hereby added as follows:
Unless Vendor and the Customer agree otherwise in writing, the Work Products
developed for the Customer by Vendor pursuant to this Agreement and any SOW will
belong to the Customer. This provision does not apply to third party works or
products Vendor provides to the Customer or to Vendor Materials (as defined below).
The Customer acknowledges that Vendor is in the business of providing information technology
consulting services and has accumulated expertise in this field and agrees that Vendor
will retain all right, title, and interest in and to all Vendor Materials. "Vendor
Materials" means all discoveries, concepts and ideas, whether or not registrable under
patent, copyright or similar statutes, including, without limitation, patents, copyright,
trade secrets, processes, methods, formulae, techniques, tools, solutions, programs,
data and documentation, and related modifications, improvements, and know-how,
that Vendor, alone, or jointly with others, its agents or employees, conceives, makes,
develops, acquires or obtains knowledge of at any time before, after or during the
term of this Agreement without breach of Vendor's duty of confidentiality to the
Customer. If Vendor Materials are included with or embodied in any Work Product,
the Customer will have a perpetual, irrevocable, nonexclusive, worldwide, royalty-free
license to use, execute, reproduce, display, perform, distribute internally, and
prepare for internal use "derivative works" as defined in the Copyright Act, 17 U.S.C.
§ 101, based upon, the Vendor Materials in each case solely in conjunction with the
Work Product delivered hereunder. Any interest in the Services and Work Products
granted hereunder by Vendor to the Customer shall be effective upon and to the
extent of payment by the Customer of the fees and expenses invoiced by Vendor
pursuant to this Agreement.
Notwithstanding anything to the contrary in this Agreement, Vendor and its personnel
are free to use and employ their general skills, know-how, and expertise, and to use,
disclose, and employ any generalized ideas, concepts, know-how, methods,
techniques, or skills gained or learned during the course of this Agreement so long as
they acquire and apply such information without any unauthorized use or disclosure
of confidential or proprietary information of the Customer.
Warranty and Disclaimer.
Vendor warrants that it will (a) perform all Services in a professional and
workmanlike manner and (b) provide Work Products that conform in all material
respects to the specifications set forth in the Agreement. The Customer must report
any deficiencies to Vendor in writing within ninety (90) days from the date of
Vendor's delivery of the Services or Work Products, to receive warranty remedies.
The Customer's exclusive remedy and Vendor's entire liability is to provide Services
to correct the deficiencies. If Vendor is unable to correct the deficiencies, the
Customer is entitled to recover the fees paid to Vendor for the deficient portion of the
Services or Work Product. VENDOR DISCLAIMS ALL OTHER WARRANTIES,
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR PARTICULAR
PURPOSE. Vendor makes no warranties regarding any portion of any deliverable
developed by the Customer or by any third party, including any third party software,
hardware, or other third party products provided by Vendor.
I. New Section 12. Acceptance is hereby added as follows:
The parties agree that acceptance criteria for any services, materials, software or
equipment should, if possible, be set forth in each Order. Promptly following
Vendor's completion of any Services or delivery of any Work Product, the Customer
will examine the Services and/or Work Product to confirm conformance with
specifications. If Vendor has not received written notice from the Customer within
fifteen (15) business days following completion of the services or delivery of the
materials, software or equipment, the applicable services or deliverables will be
deemed accepted by the Customer. Furthermore, if acceptance criteria are not
specified in an Order, the applicable services or deliverable will be deemed accepted
by the Customer on the date of delivery unless Vendor receives written notice from
the Customer specifying the reason for non-acceptance within fifteen (15) business
days after completion of the services or delivery of the materials, software or
equipment.
This Contract is executed to be effective as of the date of last signature.
CIBER, Inc.
Authorized By: Signature on File
Name: John Miller
Title: Area Director
Date: 03/21/08
The State of Texas, acting by and through the
Department of Information Resources
Authorized By: Signature on File
Name: Cindy Reed
Title: Deputy Executive Director
Operations & Statewide Technology Sourcing
Date: 03/25/08
Legal: Signature on File 03/25/08
APPENDIX C TO DIR CONTRACT NO. DIR-SDD-685
CUSTOMER SERVICES AGREEMENT
This Customer Services Agreement ("Agreement"), is entered into this day of February 2008, ("Effective
Date") by and between CIBER, Inc. a Delaware corporation ("CIBER"), and a
("Customer").
1. SERVICES
1.1 Scope of Work. CIBER will provide the services described in one or more Statements of Work
signed by an authorized representative of each party (each a "SOW"). Each SOW is incorporated by reference
into, and will be governed by the provisions of, this Agreement and DIR Contract No. DIR-SDD-685. CIBER
will perform only work that is documented in a SOW. CIBER may authorize a parent, subsidiary or affiliate of
CIBER to enter into a SOW and for purposes of that SOW, such parent, subsidiary or affiliate will be deemed
"CIBER." Each SOW will describe the services to be performed ("Services"), the deliverables to be provided
("Work Product"), the schedule, the charges and such additional information as the parties agree upon. In the
event of inconsistency between this Agreement, a SOW, or any purchase orders/related supplemental agreements
between CIBER and Customer, the following shall be the order of precedence among the documents: (1) the
SOW; (2) this Agreement (3) DIR Contract No. DIR-SDD-685 and (4) any Purchase Orders/supplemental
agreements.
1.2 Change Orders. If either party desires a modification to the Services, Work Product or schedule set
forth in a SOW, or the addition of out-of-scope work to a SOW, such party will submit its requested
modifications in writing to the other party. The recipient of requested modifications may accept or reject the
requested modifications, or present a counter-proposal, in its sole discretion. CIBER may bill Customer, on a
time and materials basis, for the work involved in analyzing the impact of any modification proposed by
Customer. Changes to a SOW will be effective only when an authorized representative of each party executes a
written amendment to the SOW that sets forth the changes to the Services and/or Work Product and any related
changes to the schedule and charges (a "Change Order"). CIBER will not begin any Change Order work until a
Change Order is effective.
1.3 Method of Performance. CIBER will determine the method, details, and means of performing the
Services and providing the Work Product, provided that Customer may require CIBER's personnel to observe
Customer's safety policies and building rules when on Customer's site. Each party has the right to control its
own personnel. Designation of a particular CIBER individual in a SOW does not preclude CIBER's termination
or re-assignment of the individual, provided that CIBER replaces the individual with a person with appropriate
skills.
1.4 Acceptance. The parties agree that acceptance criteria for any Services and/or Work Product
should, if possible, be set forth in each SOW. Promptly following CIBER's completion of any Services or
delivery of any Work Product, Customer will examine the Services and/or Work Product to confirm
conformance with specifications. If CIBER has not received written notice from Customer within ten (10)
business days following completion of the Services or delivery of the Work Product, the applicable Services or
Work Product will be deemed accepted by Customer. Furthermore, if acceptance criteria are not specified in a
SOW, the applicable Services or Work Product will be deemed accepted by Customer on the date of delivery
unless CIBER receives written notice from Customer specifying the reason for non-acceptance within ten (10)
business days after completion of the Service or delivery of the Work Product.
2. CUSTOMER RESPONSIBILITIES
2.1 Access and Cooperation. Customer will provide the office accommodations, facilities, equipment,
suitably configured computers (hardware and software) and personnel described in the SOW or otherwise
reasonably required by CIBER. Customer acknowledges and agrees that CIBER's ability to perform any
Services and/or provide any Work Product in a timely manner is contingent upon Customer's making available
in a timely manner the resources required of it in the SOW, making available the assistance and cooperation of
Customer's officers, agents, and employees and providing complete and accurate Customer information and data.
In the event of a delay caused by Customer's failure to perform an obligation or make delivery of a necessary
item in a timely manner, the date of performance of CIBER's work will be extended for a period of time equal to
the impact of the delay on the schedule.
2.2 File Back-up. Unless otherwise specified in the SOW, Customer will maintain comprehensive file
back-ups for files, data and programs that could be affected by the Services and implement procedures for
reconstruction of any lost or altered files, data and programs that are affected by the Services.
2.3 Health and Safety Hazards. Customer will provide CIBER with written notice of any known
health and safety hazards and provide CIBER's personnel with appropriate safety procedures.
2.4 Work Rules and Conduct. Customer will provide CIBER with written copies of any applicable
policies and procedures, including without limitation those that govern safety and security, use of equipment,
sexual harassment and non-discrimination, alcohol and drug use, and integrity so that any personnel supplied by
CIBER ("CIBER Personnel") will be aware of Customer's rules regarding workplace conduct. Customer will
also report to CIBER any alleged violation of Customer's workplace conduct rules involving any CIBER
Personnel and cooperate with CIBER in any investigation of an alleged violation of Customer's workplace
conduct rules involving any CIBER Personnel (each such incident an "Alleged Violation").
CIBER and Customer agree that should it be determined that the Alleged Violation is a result of the action or
inaction of Customer, to the extent authorized by Texas law and constitution, Customer shall indemnify and hold
harmless CIBER from any liability incurred as a result of said violation. CIBER and Customer further agree that
should it be determined that the Alleged Violation is a result of the action or inaction of CIBER, CIBER shall
indemnify and hold harmless Customer from any liability incurred as a result of said violation.
2.5 Personnel Changes
a. Personnel Schedule Changes. Customer may, in writing, request changes to the schedules of
CIBER Personnel, provided that CIBER will charge Customer for Services that were to be performed by the
affected CIBER Personnel if Customer does not provide such request at least five (5) business days prior to the
schedule change.
b. Open-ended Assignments. Customer may, in a writing, request the end of an assignment of
CIBER Personnel to open-ended projects, provided that CIBER will charge Customer for up to 15 days of
Services that were to be performed by the affected CIBER Personnel if Customer does not provide such request
at least thirty (30) days prior to the end of the assignment.
c. Extensions of Assignments. CIBER considers its personnel for new deployments thirty (30)
days prior to the expiration of an assignment. If Customer desires to extend the assignment of any CIBER
Personnel to a Customer project, Customer must notify CIBER at least thirty (30) days before the scheduled
expiration to assure continued availability. CIBER will use commercially reasonable efforts to accommodate
extension requests received less than thirty (30) days in advance.
3. TERM AND TERMINATION
3.1 Term. The term of this Agreement commences on the Effective Date and continues until the date
this Agreement is terminated as provided below. Termination of a SOW will not terminate the entire Agreement
unless so stated in the termination notice.
3.2 Termination. Termination shall be in accordance with Section 8.B. of Appendix A of the DIR
Contract No. DIR-SDD-685.
4. RELATIONSHIP OF THE PARTIES
CIBER is an independent contractor and nothing in this Agreement will be construed to make either
CIBER or Customer partners, joint venturers, principals, agents or employees of the other. No officer, director,
employee, agent, affiliate or contractor employed by CIBER to perform work on Customer's behalf under this
Agreement will be deemed to be an employee, agent or contractor of Customer. Neither party will have any
right, power or authority, express or implied, to bind or make representations on behalf of the other.
5. COMPENSATION
Charges for all Services, Work Product and expenses are set forth in each SOW.
5.1 Time and Materials. Customer will make payments at the rates set forth in the DIR Contract No.
DIR-SDD-685.
5.2 Invoice and Payment. Invoicing and payment shall be in accordance with Section 5 of the DIR
Contract No. DIR-SDD-685.
5.3 Taxes. As stated in Section 4.E. of the DIR Contract No. DIR-SDD-685, Customers under this
Contract are exempt from the assessment of State sales, use and excise taxes per Section 151.309 of the Texas
Tax Code. Further, Customers under this Contract are exempt from Federal Excise Taxes, 26 United States
Code Sections 4253(i) and (j).
6. CONFIDENTIALITY AND OWNERSHIP
6.1 Confidentiality. Confidentiality shall be in accordance with Section 7.H. of Appendix A of the DIR
Contract No. DIR-SDD-685 and this provision. As used herein, "Confidential Information" means any and all
non-public technical or business information, including third party information, furnished or disclosed by one
party (the "Customer") to the other party ("CIBER") that, if in a tangible medium, Customer has marked as
"confidential," "proprietary" or similarly at the time of disclosure and that, if disclosed orally, Customer
indicates as confidential or proprietary at the time of disclosure and subsequently, within twenty (20) days after
the date of such oral disclosure, confirms as confidential or proprietary in a writing sent to CIBER that describes
the information that is to be kept confidential. CIBER will maintain all Confidential Information it receives
from the Customer in confidence using commercially reasonable standards and no less care than it uses with its
own information, and will use and disclose such information only as contemplated by this Agreement or as
authorized by Customer. CIBER will require its personnel to do likewise. These obligations do not apply to
information that: (a) is generally available to the public other than by a breach of this Agreement; (b) is
rightfully received from a third party lawfully in possession of the information and not subject to a
confidentiality or nonuse obligation; (c) is independently developed by CIBER or its personnel, provided the
persons developing the information have not had access to the information of Customer; or (d) was already
known to CIBER prior to its receipt from Customer. In addition, CIBER will be allowed to disclose
Confidential Information of Customer to the extent that such disclosure is: (x) approved in writing by Customer;
(y) necessary for CIBER to enforce its rights under this Agreement in connection with a legal proceeding; or (z)
required by law or by the order of a court of similar judicial or administrative body, provided that CIBER
notifies Customer of such required disclosure promptly and in writing and cooperates with Customer, at
Customer's reasonable request and expense, in any lawful action to contest or limit the scope of such required
disclosure. In addition, CIBER shall not be required to keep confidential any ideas, concepts, know-how or
techniques developed during the course of this Agreement by CIBER personnel or jointly by CIBER and
Customer personnel.
6.2 Return of Confidential Material. To the extent consistent with applicable records retention laws
and policies, upon termination of this Agreement or the Disclosing Party's request, the Receiving Party will
promptly return any Confidential Information of the other party or destroy such at the request of the Disclosing
Party.
6.3 Ownership. Unless CIBER and Customer agree otherwise in writing, the Work Products developed
for Customer by CIBER pursuant to this Agreement and any SOW will belong to Customer. This provision
does not apply to third party works or products CIBER provides to Customer or to CIBER Materials (as defined
below). Customer acknowledges that CIBER is in the business of providing information technology services
and has accumulated expertise in this field and agrees that CIBER will retain all right, title and interest in and to
all CIBER Materials. "CIBER Materials" means all discoveries, concepts and ideas, whether or not registrable
under patent, copyright or similar statutes, including, without limitation, patents, copyright, trademarks, trade
secrets, processes, methods, formulae, techniques, tools, solutions, programs, data and documentation, and
related modifications, improvements and know-how, that CIBER, alone, or jointly with others, its agents or
employees, conceives, makes, develops, acquires or obtains knowledge of at any time before, after or during the
term of this Agreement without breach of CIBER's duty of confidentiality to Customer. If CIBER Materials are
included with or embodied in any Work Product, Customer will have a perpetual, irrevocable, nonexclusive,
worldwide, royalty-free license to use, execute, reproduce, display, perform, distribute internally, and prepare for
internal use "derivative works" as defined in the Copyright Act, 17 U.S.C. §101, based upon, the CIBER
Materials in each case solely in conjunction with the Work Product delivered hereunder. Any interest in the
Services and Work Products granted hereunder by CIBER to Customer shall be effective upon and to the extent
of payment by Customer of the fees and expenses invoiced by CIBER pursuant to this Agreement.
6.4 Residual Rights. Notwithstanding anything to the contrary in this Agreement, CIBER and its
personnel are free to use and employ their general skills, know-how, and expertise, and to use, disclose, and
employ any generalized ideas, concepts, know-how, methods, techniques, or skills gained or learned during the
course of this Agreement so long as they acquire and apply such information without any unauthorized use or
disclosure of confidential or proprietary information of Customer.
7.1 Warranty and Disclaimer. For a period of ninety (90) days from the date of Customer's
acceptance (the "Warranty Period"), CIBER warrants that it will (a) perform all Services in a professional and
workmanlike manner and (b) provide Work Products that conform in all material respects to the specifications
set forth in the SOW. Customer must report any deficiencies to CIBER in writing within the Warranty Period to
receive warranty remedies. Customer's exclusive remedy and CIBER's entire liability is to provide Services to
correct the deficiencies. If CIBER is unable to correct the deficiencies, Customer is entitled to recover the fees
paid to CIBER for the deficient portion of the Services or Work Product. CIBER DISCLAIMS ALL OTHER
WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR PARTICULAR PURPOSE. CIBER makes
no warranties regarding any portion of any deliverable developed by Customer or by any third party, including
any third party software, hardware, or other third party products provided by CIBER.
7.2 Limitations of Liability. NEITHER PARTY WILL BE LIABLE TO THE OTHER PARTY FOR
ANY LOST DATA, LOST PROFITS OR INCIDENTAL, CONSEQUENTIAL, PUNITIVE, SPECIAL OR
OTHER INDIRECT DAMAGES OF ANY KIND FOR ANY REASON WHATSOEVER INCLUDING, BUT
NOT LIMITED TO, DAMAGES BASED UPON NEGLIGENCE, BREACH OF WARRANTY, STRICT
LIABILITY, OR ANY OTHER THEORY EVEN IF A PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. Each party agrees that the other party's liability hereunder for damages,
regardless of the form of action, will not exceed the total amount actually paid for Services and Work Product
under the SOW giving rise to the damages. To the extent authorized by Texas law and constitution,
notwithstanding the above, the liability of Customer may be increased to include CIBER's costs of collection of
Services fees, including without limitation reasonable attorney's fees and court costs. The parties agree that
amounts stated herein are fair under the circumstances and that the prices reflect this limitation of liability.
8. INDEMNITY
Indemnification shall be in accordance with Section 7.A. of Appendix A of the DIR Contract No. DIR-
SDD-685.
9. NONSOLICITATION
During the term of this Agreement and for a period of one (1) year after its termination, neither party
will directly or indirectly (a) solicit for hire or engagement any of the other party's personnel who were involved
in the provision or receipt of Services under this Agreement or (b) hire or engage any person or entity who is or
was employed or engaged by the other party and who was involved in the provision or receipt of Services under
this Agreement until one hundred eighty (180) days following the termination of the person's or entity's
employment or engagement with the other party. For purposes herein, "Solicit" does not include broad-based
recruiting efforts, including without limitation help wanted advertising and posting of open positions on a party's
Internet site.
10. DISPUTE RESOLUTION PROVISIONS
10.1 Dispute Resolution shall be in accordance with Section 8.A. of Appendix A of the DIR Contract No.
DIR-SDD-685.
11. GENERAL PROVISIONS
11.1 Publicity. CIBER may not reference its general business relationship with Customer for marketing
purposes without the Customer's prior written approval.
11.2 Applicable Laws. Each party will comply with applicable foreign, federal, state, and local laws,
rules, regulations, orders, ordinances and government requirements, including without limitation, Executive
Order 11246 -- Equal Employment Opportunity,
11.3 Export. Neither party will knowingly export or re-export or cause to be exported or re-exported any
Work Product, to any country for which the U.S. government requires an export license or other government
approval without first obtaining the required license or approval.
11.4 Notices. All notices for the DIR Contract shall be in accordance with Section 9.A. of the DIR
Contract No. DIR-SDD-685. All notices for this Agreement must be written and will have been given (a) when
delivered by hand, (b) on the next business day, if delivered by a recognized overnight courier, (c) on the third
business day if mailed (by certified or registered mail, return receipt requested), (d) by electronic mail or (e)
upon confirmed facsimile transmission to the following addresses or facsimile numbers:
CUSTOMER CIBER
Phone
Fax
CIBER, Inc.
ATTN: Law Department
5251 DTC Parkway, Suite 1400
Greenwood Village, Colorado 80111
Phone 303-220-0100
Fax 303-267-3899
11.4 Entire Agreement of the Parties. DIR Contract No. DIR-SDD-685, this Agreement, and the
applicable Exhibits and SOWs set forth the entire agreement of the parties relating to the Services and Work
Product provided by CIBER and supersede all prior written or oral understandings, agreements or
representations by or between the parties with respect to these subjects. Any modification or waiver of this
Agreement is effective only if it is in writing signed by an authorized representative of the party to be charged.
Provisions of a Customer purchase order or similar document are not applicable if they conflict with or add to
the terms of this Agreement. In the event of a conflict between this Agreement and the DIR Contract No. DIR-
SDD-685, the DIR Contract controls.
11.5 Waiver. No delay or failure by a party in exercising any right, power or privilege under this
Agreement or any other instruments given in connection with or pursuant to this Agreement will impair any such
right, power or privilege or be construed as a waiver of or acquiescence in any default. No single or partial
exercise of any right, power or privilege will preclude the further exercise of that right, power or privilege or the
exercise of any other right, power or privilege.
11.6 Survival. All terms and provisions of this Agreement that should by their nature survive the
termination of this Agreement shall so survive.
11.7 Force Majeure. Force Majeure shall be in accordance with Section 8.C. of Appendix A of DIR
Contract No. DIR-SDD-685.
11.8 Severability. If any provision of this Agreement is held invalid, void, or unenforceable to any
extent, that provision will be enforced to the greatest extent permitted by law and the remainder of this
Agreement and application of such provision to other persons or circumstances will not be affected.
11.9 Parties in Interest. This Agreement is enforceable only by CIBER and Customer. This Agreement
is not a contract or assurance regarding compensation, continued employment, or benefit of any kind to any of
CIBER's personnel or to any beneficiary of those personnel and those personnel or their beneficiaries will not be
third-party beneficiaries of this Agreement.
11.10 Governing Law. This Agreement is governed by and construed in accordance with the laws of the
State of Texas without regard to its conflict of law principles. Nothing herein shall be construed to waive the
sovereign immunity of the State of Texas.
11.11 Assignment and Successors. Assignments shall be in accordance with Section 3.D. of Appendix
A of the DIR Contract No. DIR-SDD-685.
11.12 Insurance. Upon request, CIBER will provide a certificate of insurance evidencing the workers'
compensation, general liability, errors and omissions and automobile coverage it has in effect.
IN WITNESS WHEREOF the parties have executed this Customer Services Agreement on the date first set
forth above.
CUSTOMER CIBER, INC.
By:
Printed Name:
Title:
By:
Printed Name:
Title:
APPENDIX D
PRICING AND SERVICES INDEX
Ciber, Inc. DIR-SDD-685
Security Services Categories    Customer    Customer    Customer
DIR Managed IT Security Services
A. External controlled penetration testing
1. Scanning    25.75%    25.76%    26.76%
2. Penetration testing    25.75%    25.75%    26.75%
3. WAR Dialing    25.75%    25.75%    26.75%
4. WAR Driving    26.75%    26.75%    26.75%
5. Social Engineering    25.76%    25.76%    25.76%
6. Applications Assessment    25.76%    25.75%    25.76%
IT Security Services
A. Security Governance and Advisory Services
1. Texas Administrative Code, Chapter 202    25.75%    26.75%    25.75%
2. Texas Government Code, Chapter 2059    25.75%    25.75%    26.75%
B. Infrastructure Services
1. Firewall and VPN policy and architecture review    25.75%    25.75%    26.75%
2. IDS/IPS policy and architecture review    25.75%    25.76%    25.75%
3. Access control/identity management review/integration services    26.76%    25.75%    25.76%
4. Network architecture review    25.75%    2515%    25.75%
5. Host hardening and secure build development    25.76%    25.76%    25.76%
C. Risk and Vulnerability Assessment Services
1. Perimeter vulnerability scans    2615%    25.75%    26.75%
2. Perimeter penetration scans    25.75%    25.75%    25.75%
3. Internal network vulnerability assessments    25.75%    25.75%    25.76%
4. Network risk assessments    25.75%    25.76%    25.75%
5. Host vulnerability assessments    25.75%    25.76%    25.76%
6. Host risk assessments    25.76%    25.75%    25.75%
7. Applications architecture assessment    26.75%    25.75%    25.75%
8. Applications penetration testing    25.75%    25.75%    25.76%
9. Secure code reviews    25.76%    25.75%    25.75%
10. Commercial product assessment    25.75%    25.75%    25.75%
11. Data security assessment    25.75%    26.75%    25.75%
D. Security Training Services
Policy and Guideline Development    25.76%    25.75%    25.75%
Amendment Number 1
to
Contract Number DIR-SDD-685
between
State of Texas, acting by and through the Department of Information Resources
and
Ciber, Inc.
This Amendment Number 1 to Contract Number DIR-SDD-685 ("Contract") is between the
Department of Information Resources ("DIR") and Ciber, Inc. ("Vendor"). DIR and Vendor
agree to modify the terms and conditions of the Contract as follows:
1. Appendix D, Pricing and Services Index, is hereby revised and replaced in its entirety and
attached hereto.
2. All other terms and conditions of the Contract, not specifically modified herein, shall remain
in full force and effect. In the event of conflict among the provisions, the order of
precedence shall be this Amendment Number 1, and then the Contract.
IN WITNESS WHEREOF, the parties hereby execute this amendment to be effective as of the
date of last signature.
Ciber, Inc.
By: Signature on file
Name: John Miller
Title: Area Director
Date: 5/27/08
The State of Texas, acting by and through
the Department of Information Resources
By: Signature on file
Name: Cindy Reed
Title: Deputy Executive Director
Operations & Statewide Technology Sourcing
Date: 5/29/08
Legal: 5/29/08
Amendment Number 2
to
Contract Number DIR-SDD-685
between
State of Texas, acting by and through the Department of Information Resources
and
Ciber, Inc.
This Amendment Number 2 to Contract Number DIR-SDD-685 ("Contract") is between the
Department of Information Resources ("DIR") and Ciber, Inc. ("Vendor"). DIR and Vendor agree
to modify the terms and conditions of the Contract as follows.
1. Contract, Section 2, Term of Contract, is hereby amended in its entirety as follows:
The term of this Contract is extended through March 25, 2011. Prior to the expiration
date of the term, DIR and Vendor may extend the Contract upon mutual agreement, for
up to one (1) additional one-year term.
2. Contract, Section 3, Service Offerings, is hereby restated in its entirety as follows:
Services available under this Contract are limited to Information Technology Security
Services as specified in Appendix D, Pricing and Services Index. Vendor may
incorporate changes to their services offering; however, any changes must be within the
scope of services awarded based on the posting described in Section 1.B above. Vendor
may not add services which were not included in the Vendor's response to the
solicitation described in Section 1.B above.
3. Contract, Section 4, Pricing, subsection F. Travel Expense Reimbursement, is hereby
restated in its entirety as follows:
F. Travel Expense Reimbursement
Pricing for services provided under this Contract are exclusive of any travel expenses
that may be incurred in the performance of those services. Travel expense
reimbursement may include personal vehicle mileage or commercial coach
transportation, hotel accommodations, parking and meals; provided, however, the
amount of reimbursement by Customers shall not exceed the amounts authorized for
state employees as adopted by each Customer; and provided, further, that all
reimbursement rates shall not exceed the maximum rates established for state employees
under the current State Travel Management Program. Travel time may not be included as
part of the amounts payable by Customer for any services rendered under this Contract.
The DIR administrative fee specified in Section 5 below is not applicable to travel
expense reimbursement. Anticipated travel expenses must be pre-approved in writing by
Customer.
4. Contract, Section 5, DIR Administrative Fee A), is hereby restated in its entirety as
follows:
A) The administrative fee to be paid by the Vendor to DIR based on the dollar value of
all sales to Customers pursuant to this Contract is one and one quarter percent (1.25%).
Payment will be calculated for all sales, net of returns and credits. For example, the
administrative fee for sales totaling $100,000 shall be $1,250.00. The effective date of
this change is April 1, 2010.
5. Contract, new Section 9, Intellectual Property Matters, is added to the Contract as
follows:
A. Definitions
1. "Work Product" means any and all deliverables produced by Vendor for Customer
under a Statement of Work issued pursuant to this Contract, including any and all
tangible or intangible items or things that have been or will be prepared, created,
developed, invented or conceived at any time following the effective date of the
Contract, including but not limited to any (i) works of authorship (such as manuals,
instructions, printed material, graphics, artwork, images, illustrations, photographs,
computer programs, computer software, scripts, object code, source code or other
programming code, HTML code, flow charts, notes, outlines, lists, compilations,
manuscripts, writings, pictorial materials, schematics, formulae, processes, algorithms,
data, information, multimedia files, text web pages or web sites, other written or machine
readable expression of such works fixed in any tangible media, and all other
copyrightable works), (ii) trademarks, service marks, trade dress, trade names, logos, or
other indicia of source or origin, (iii) ideas, designs, concepts, personality rights,
methods, processes, techniques, apparatuses, inventions, formulas, discoveries, or
improvements, including any patents, trade secrets and know-how, (iv) domain names,
(v) any copies, and similar or derivative works to any of the foregoing, (vi) all
documentation and materials related to any of the foregoing, (vii) all other goods,
services or deliverables to be provided to Customer under the Contract or a Statement of
Work, and (viii) all Intellectual Property Rights in any of the foregoing, and which are or
were created, prepared, developed, invented or conceived for the use or benefit of
Customer in connection with this Contract or a Statement of Work, or with funds
appropriated by or for Customer or Customer's benefit: (a) by any Vendor personnel or
Customer personnel, or (b) any Customer personnel who then became personnel to
Vendor or any of its affiliates or subcontractors, where, although creation or
reduction-to-practice is completed while the person is affiliated with Vendor or its personnel, any
portion of same was created, invented or conceived by such person while affiliated with
Customer.
2. "Intellectual Property Rights" means the worldwide legal rights or interests evidenced
by or embodied in: (i) any idea, design, concept, personality right, method, process,
technique, apparatus, invention, discovery, or improvement, including any patents, trade
secrets, and know-how; (ii) any work of authorship, including any copyrights, moral
rights or neighboring rights; (iii) any trademark, service mark, trade dress, trade name, or
other indicia of source or origin; (iv) domain name registrations; and (v) any other
proprietary or similar rights. The Intellectual Property Rights of a party include all
worldwide legal rights or interests that the party may have acquired by assignment or
license with the right to grant sublicenses.
3. "Statement of Work" means a document signed by Customer and Vendor describing a
specific set of activities and/or deliverables, which may include Work Product and
Intellectual Property Rights, that Vendor is to provide Customer, issued pursuant to the
Contract.
4. "Third Party IP" means the Intellectual Property Rights of any third party not a party
to this Contract, and which is not directly or indirectly providing any goods or services to
Customer under this Contract.
5. "Vendor IP" shall mean all tangible or intangible items or things, including the
Intellectual Property Rights therein, created or developed by Vendor (a) prior to
providing any Services or Work Product to Customer and prior to receiving any
documents, materials, information or funding from or on behalf of Customer relating to
the Services or Work Product, or (b) after the Effective Date of the Contract if such
tangible or intangible items or things were independently developed by Vendor outside
Vendor's provision of Services or Work Product for Customer hereunder and were not
created, prepared, developed, invented or conceived by any Customer personnel who
then became personnel to Vendor or any of its affiliates or subcontractors, where,
although creation or reduction-to-practice is completed while the person is affiliated with
Vendor or its personnel, any portion of same was created, invented or conceived by such
person while affiliated with Customer.
B. Ownership.
As between Vendor and Customer, the Work Product and Intellectual Property Rights
therein are and shall be owned exclusively by Customer, and not Vendor. Vendor
specifically agrees that the Work Product shall be considered "works made for hire" and
that the Work Product shall, upon creation, be owned exclusively by Customer. To the
extent that the Work Product, under applicable law, may not be considered works made
for hire, Vendor hereby agrees that the Contract effectively transfers, grants, conveys,
assigns, and relinquishes exclusively to Customer all right, title and interest in and to all
ownership rights in the Work Product, and all Intellectual Property Rights in the Work
Product, without the necessity of any further consideration, and Customer shall be
entitled to obtain and hold in its own name all Intellectual Property Rights in and to the
Work Product. Vendor acknowledges that Vendor and Customer do not intend Vendor
to be a joint author of the Work Product within the meaning of the Copyright Act of
1976. Customer shall have access, during normal business hours (Monday thru Friday,
8AM to 5PM) and upon reasonable prior notice to Vendor, to all Vendor materials,
premises and computer files containing the Work Product. Vendor and Customer, as
appropriate, will cooperate with one another and execute such other documents as may
be reasonably appropriate to achieve the objectives herein. No license or other right is
granted hereunder to any Third Party IP, except as may be incorporated in the Work
Product by Vendor.
C. Further Actions.
Vendor, upon request and without further consideration, shall perform any acts that may
be deemed reasonably necessary or desirable by Customer to evidence more fully the
transfer of ownership and/or registration of all Intellectual Property Rights in all Work
Product to Customer to the fullest extent possible, including but not limited to the
execution, acknowledgement and delivery of such further documents in a form
determined by Customer. In the event Customer shall be unable to obtain Vendor's
signature due to the dissolution of Vendor or Vendor's unreasonable failure to respond to
Customer's repeated requests for such signature on any document reasonably necessary
for any purpose set forth in the foregoing sentence, Vendor hereby irrevocably
designates and appoints Customer and its duly authorized officers and agents as
Vendor's agent and Vendor's attorney-in-fact to act for and in Vendor's behalf and stead
to execute and file any such document and to do all other lawfully permitted acts to
further any such purpose with the same force and effect as if executed and delivered by
Vendor, provided however that no such grant of right to Customer is applicable if
Vendor fails to execute any document due to a good faith dispute by Vendor with respect
to such document. It is understood that such power is coupled with an interest and is
therefore irrevocable. Customer shall have the full and sole power to prosecute such
applications and to take all other action concerning the Work Product, and Vendor shall
cooperate, at Customer's sole expense, in the preparation and prosecution of all such
applications and in any legal actions and proceedings concerning the Work Product.
D. Waiver of Moral Rights.
Vendor hereby irrevocably and forever waives, and agrees never to assert, any Moral
Rights in or to the Work Product which Vendor may now have or which may accrue to
Vendor's benefit under U.S. or foreign copyright or other laws and any and all other
residual rights and benefits which arise under any other applicable law now in force or
hereafter enacted. Vendor acknowledges the receipt of equitable compensation for its
assignment and waiver of such Moral Rights. The term "Moral Rights" shall mean any
and all rights of paternity or integrity of the Work Product and the right to object to any
modification, translation or use of the Work Product, and any similar rights existing
under the judicial or statutory law of any country in the world or under any treaty,
regardless of whether or not such right is denominated or referred to as a moral right.
E. Confidentiality.
All documents, information and materials forwarded to Vendor by Customer for use in
and preparation of the Work Product, shall be deemed the confidential information of
Customer, and subject to the license granted by Customer to Vendor under
sub-paragraph H. hereunder, Vendor shall not use, disclose, or permit any person to use or
obtain the Work Product, or any portion thereof, in any manner without the prior written
approval of Customer.
F. Injunctive Relief.
The Contract is intended to protect Customer's proprietary rights pertaining to the Work
Product, and the Intellectual Property Rights therein, and any misuse of such rights
would cause substantial and irreparable harm to Customer's business. Therefore, Vendor
acknowledges and stipulates that a court of competent jurisdiction may immediately
enjoin any material breach of the intellectual property, use, and confidentiality provisions
of this Contract, upon a request by Customer, without requiring proof of irreparable
injury as same should be presumed.
G. Return of Materials Pertaining to Work Product.
Upon the request of Customer, but in any event upon termination or expiration of this
Contract or a Statement of Work, Vendor shall surrender to Customer all documents and
things pertaining to the Work Product, including but not limited to drafts, memoranda,
notes, records, drawings, manuals, computer software, reports, data, and all other
documents or materials (and copies of same) generated or developed by Vendor or
furnished by Customer to Vendor, including all materials embodying the Work Product,
any Customer confidential information, or Intellectual Property Rights in such Work
Product, regardless of whether complete or incomplete. This section is intended to apply
to all Work Product as well as to all documents and things furnished to Vendor by
Customer or by anyone else that pertains to the Work Product.
H. Vendor License to Use.
Customer hereby grants to Vendor a non-transferable, non-exclusive, royalty-free, fully
paid-up license to use any Work Product solely as necessary to provide the Services to
Customer. Except as provided in this Section, neither Vendor nor any Subcontractor
shall have the right to use the Work Product in connection with the provision of services
to its other customers without the prior written consent of Customer, which consent may
be withheld in Customer's sole discretion.
I. Third-Party Underlying and Derivative Works.
To the extent that any Vendor IP or Third Party IP are embodied or reflected in the Work
Product, or are necessary to provide the Services, Vendor hereby grants to the Customer,
or shall obtain from the applicable third party for Customer's benefit, the irrevocable,
perpetual, non-exclusive, worldwide, royalty-free right and license, for Customer's
internal business purposes only, to (i) use, execute, reproduce, display, perform,
distribute copies of, and prepare derivative works based upon such Vendor IP or Third
Party IP and any derivative works thereof embodied in or delivered to Customer in
conjunction with the Work Product, and (ii) authorize others to do any or all of the
foregoing. Vendor agrees to notify Customer on delivery of the Work Product or
Services if such materials include any Third Party IP. On request, Vendor shall provide
Customer with documentation indicating a third party's written approval for Vendor to
use any Third Party IP that may be embodied or reflected in the Work Product.
J. Agreement with Subcontracts:
Vendor agrees that it shall have written agreement(s) that are consistent with the
provisions hereof related to Work Product and Intellectual Property Rights with any
employees, agents, consultants, contractors or subcontractors providing Services or Work
Product pursuant to the Contract, prior to their providing such Services or Work Product,
and that it shall maintain such written agreements at all times during performance of this
Contract, which are sufficient to support all performance and grants of rights by Vendor.
Copies of such agreements shall be provided to the Customer promptly upon request.
K. License to Customer.
Vendor grants to Customer, a perpetual, irrevocable, royalty free license, solely for the
Customer's internal business purposes, to use, copy, modify, display, perform (by any
means), transmit and prepare derivative works of any Vendor IP embodied in or
delivered to Customer in conjunction with the Work Product. The foregoing license
includes the right to sublicense third parties, solely for the purpose of engaging such
third parties to assist or carry out Customer's internal business use of the Work Product.
Except for the preceding license, all rights in Vendor IP remain in Vendor.
L. Vendor Development Rights.
To the extent not inconsistent with Customer's rights in the Work Product or as set forth
herein, nothing in this Contract shall preclude Vendor from developing for itself, or for
others, materials which are competitive with those produced as a result of the Services
provided hereunder, provided that no Work Product is utilized, and no Intellectual
Property Rights of Customer therein are infringed by such competitive materials. To the
extent that Vendor wishes to use the Work Product, or acquire licensed rights in certain
Intellectual Property Rights of Customer therein in order to offer competitive goods or
services to third parties, Vendor and Customer agree to negotiate in good faith regarding
an appropriate license and royalty agreement to allow for such.
6. Appendix A, Section 3, General Provisions, subsection A. Entire Agreement, is
hereby restated in its entirety as follows:
A. Entire Agreement
The Contract, Appendices, and Exhibits constitute the entire agreement between DIR and
the Vendor. No statement, promise, condition, understanding, inducement or
representation, oral or written, expressed or implied, which is not contained in the
Contract, Appendices, or its Exhibits shall be binding or valid.
7. Appendix A, Section 3, General Provisions, new subsection G. Limitation of
Authority, is hereby added to the Contract as follows:
G. Limitation of Authority
Vendor shall have no authority to act for or on behalf of the Texas Department of
Information Resources or the State of Texas except as expressly provided for in this
Contract; no other authority, power or use is granted or implied. Contractor may not
incur any debts, obligations, expenses, or liabilities of any kind on behalf of the State of
Texas or Texas Department of Information Resources.
8. Appendix A, Section 6, Contract Administration, subsection B. Reporting and
Administrative Fees, 2) Detailed Monthly Report, is hereby restated in its entirety as
follows:
2) Detailed Monthly Report
Vendor shall electronically provide DIR with a detailed monthly report in the format
required by DIR showing the dollar volume of any and all sales under the Contract for
the previous month period. Reports shall be submitted to the DIR Go DIRect E-Mail
Box at GoDirect.Sales@dir.state.tx.us. Reports are due on the fifteenth (15th) calendar
day after the close of the previous month period. The monthly report shall include, per
transaction: the detailed sales for the period, Customer name, invoice date, invoice
number, description, quantity, unit price, extended price, Customer Purchase Order
number, contact name, Customer's complete billing address, and other information as
required by DIR. Each report must contain all information listed above per transaction
or the report will be rejected and returned to the Vendor for correction in accordance
with this section.
9. Appendix A, Section 6, Contract Administration, subsection D. Contract
Administration Notification, 2), is hereby restated in its entirety as follows:
2) Upon execution of the Contract, DIR shall provide Vendor with written notification of
the following: i) DIR Contract Administrator name and contact information, and ii) DIR
Go DIRect E-Mail Box information.
10. Appendix A, Section 7, Vendor Responsibilities, subsection C. Vendor
Certifications, is hereby restated in its entirety as follows:
C. Vendor Certifications
Vendor certifies that it: (i) has not given, offered to give, and does not intend to give at
any time hereafter any economic opportunity, future employment, gift, loan, gratuity,
special discount, trip, favor, or service to a public servant in connection with the
Contract, (ii) is not currently delinquent in the payment of any franchise tax owed the
State of Texas and is not ineligible to receive payment under §231.006 of the Texas
Family Code and acknowledge the Contract may be terminated and payment withheld if
this certification is inaccurate, (iii) neither they, nor anyone acting for them, have
violated the antitrust laws of the United States or the State of Texas, nor communicated
directly or indirectly to any competitor or any other person engaged in such line of
business for the purpose of obtaining an unfair price advantage, (iv) has not received
payment from DIR or any of its employees for participating in the preparation of the
Contract, (v) under Section 2155.004, Texas Government Code, the vendor certifies that
the individual or business entity named in this bid or contract is not ineligible to receive
the specified contract and acknowledges that this contract may be terminated and
payment withheld if this certification is inaccurate, (vi) to the best of their knowledge
and belief, there are no suits or proceedings pending or threatened against or affecting
them, which if determined adversely to them will have a material adverse effect on the
ability to fulfill their obligations under the Contract, (vii) are not suspended or debarred
from doing business with the federal government as listed in the Excluded Parties List
System (EPLS) maintained by the General Services Administration, and (viii) as of the
effective date of the Contract, are not listed in the prohibited vendors list authorized by
Executive Order #13224, "Blocking Property and Prohibiting Transactions with Persons
Who Commit, Threaten to Commit, or Support Terrorism ", published by the United
States Department of the Treasury, Office of Foreign Assets Control; (ix) Vendor agrees
that any payments due under this contract will be applied towards any debt, including but
not limited to delinquent taxes and child support that is owed to the State of Texas; (x)
Vendor certifies that they are in compliance Section 669.003, Texas Government Code,
relating to contracting with executive head of a state agency; (xi) Vendor represents and
warrants that the Customer's payment to Vendor and Vendor's receipt of appropriated or
other funds under this Agreement are not prohibited by Sections 556.005 or Section
556.008, Texas Government Code; and (xii) under Section 2155.006, Government Code,
Vendor certifies that the individual or business entity in this contract is not ineligible to
receive the specified contract and acknowledges that this contract may be terminated and
payment withheld if this certification is inaccurate. In addition, Vendor acknowledges
the applicability of §2155.444 and §2155.4441, Texas Government Code, in fulfilling the
terms of the Contract.
11. Appendix A, Section 7, Vendor Responsibilities, subsection H. Confidentiality as
amended through the Contract, is hereby updated to correct the lettering I. restated in
its entirety as follows:
H. Confidentiality
1) Vendor acknowledges that DIR and Customers that are state agencies are
government agencies subject to the Texas Public Information Act. Vendor also
acknowledges that DIR and Customers that are state agencies will comply with the
Public Information Act, and with all opinions of the Texas Attorney General's office
concerning this Act.
2) Under the terms of the Contract, DIR may provide Vendor with information
related to Customers. Vendor shall not re-sell or otherwise distribute or release
12. Appendix A, Section 7, Vendor Responsibilities, subsection H. Security of Premises,
Equipment, Data and Personnel as amended through the Contract, is hereby updated
to correct the lettering I. and is restated in its entirety as follows:
I. Security of Premises, Equipment, Data and Personnel
Vendor and/or Order Fulfiller may, from time to time during the performance of the
Contract, have access to the personnel, premises, equipment, and other property,
including data, files and/or materials (collectively referred to as "Data") belonging to the
Customer. Vendor shall use reasonable care to preserve the safety, security, and the
integrity of the personnel, premises, equipment, Data and other property of the
Customer, in accordance with the instruction of the Customer. Vendor shall be
responsible for damage to Customer's equipment and workplace when such damage is
caused by its employees or subcontractors. If a Vendor and/or Order Fulfiller fails to
comply with Customer's security requirements, then Customer may immediately
terminate its Purchase Order and related Service Agreement.
13. Appendix A, Section 7, Vendor Responsibilities, subsection K. Limitation of
Liability, is hereby restated in its entirety as follows:
K. Limitation of Liability
For any claim or cause of action arising under or related to the Contract: i) to the extent
permitted by the Constitution and the laws of the State of Texas, none of the parties shall
be liable to the other for punitive, special, or consequential or incidental damages, even if
it is advised of the possibility of such damages; and ii) Vendor's liability for damages of
any kind to the Customer shall be limited to the total amount paid to Vendor under the
Contract during the twelve months immediately preceding the accrual of the claim or
cause of action. However, this limitation of Vendor's liability shall not apply to claims
of patent, trademark, or copyright infringement.
14. Appendix A, Section 7, Vendor Responsibilities, new subsection O. Required
Insurance Coverage, is hereby added to the Contract as follows:
O. Required Insurance Coverage
As a condition of this Contract with DIR, Vendor shall provide the listed insurance
coverage within 5 days of execution of the Contract if the Vendor is awarded services
which require that Vendor's employees perform work at any Customer premises and/or
use employer vehicles to conduct work on behalf of Customers. In addition, when
engaged by a Customer to provide services on Customer premises, the Vendor shall, at
its own expense, secure and maintain the insurance coverage specified herein, and shall
provide proof of such insurance coverage to the related Customer within five (5)
business days following the execution of the Purchase Order. Vendor may not begin
performance under the Contract and/or a Purchase Order until such proof of insurance
coverage is provided to, and approved by, DIR and the Customer. All required insurance
must be issued by companies that are A+ financially rated and duly licensed, admitted,
and authorized to do business in the State of Texas. The Customer and DIR will be
named as Additional Insureds on all required coverage. Required coverage must remain
in effect through the term of the Contract and each Purchase Order issued to Vendor
thereunder. The minimum acceptable insurance provisions are as follows:
1) Commercial General Liability
Commercial General Liability must include a combined single limit of $500,000 per
occurrence for coverage A, B, & C including products/completed operations, where
appropriate, with a separate aggregate of $500,000. The policy shall contain the
following provisions:
a) Blanket contractual liability coverage for liability assumed under the Contract;
b) Independent Contractor coverage;
c) State of Texas, DIR and Customer listed as an additional insured;
d) 30-day Notice of Termination in favor of DIR and/or Customer; and
e) Waiver of Transfer Right of Recovery Against Others in favor of DIR and/or
Customer.
2) Workers' Compensation Insurance
Workers' Compensation Insurance and Employers' Liability coverage must include
limits consistent with statutory benefits outlined in the Texas Workers' Compensation
Act (Art. 8308-1.01 et seq. Tex. Rev. Civ. Stat) and minimum policy limits for
Employers' Liability of $250,000 bodily injury per accident, $500,000 bodily injury
disease policy limit and $250,000 per disease per employee.
3) Business Automobile Liability Insurance
Business Automobile Liability Insurance must cover all owned, non-owned and hired
vehicles with a minimum combined single limit of $500,000 per occurrence for bodily
injury and property damage. Alternative acceptable limits are $250,000 bodily injury
per person, $500,000 bodily injury per occurrence and at least $100,000 property
damage liability per accident. The policy shall contain the following endorsements in
favor of DIR and/or Customer:
a) Waiver of Subrogation;
b) 30-day Notice of Termination; and
c) Additional Insured.
15. Appendix A, Section 7, Vendor Responsibilities, new subsection P. Use of State
Property, is hereby added to the Contract as follows:
P. Use of State Property
Vendor is prohibited from using the Customer's equipment, the Customer's Location, or
any other resources of the Customer or the State of Texas for any purpose other than
performing services under this Agreement. For this purpose, equipment includes, but is
not limited to, copy machines, computers and telephones using State of Texas long
distance services. Any charges incurred by Vendor using the Customer's equipment for
any purpose other than performing services under this Agreement must be fully
reimbursed by Vendor to the Customer immediately upon demand by the Customer.
Such use shall constitute breach of contract and may result in termination of the contract
and other remedies available to DIR and Customer under the contract and applicable law.
16. Appendix A, Section 7, Vendor Responsibilities, new subsection Q. Immigration, is
hereby added to the Contract as follows:
Q. Immigration
Vendor shall comply with the requirements of the Illegal Immigration Reform and
Immigrant Responsibility Act of 1996 ("IIRIRA"), and the Immigration Act of 1990 (8
U.S.C. 1101, et seq.) regarding employment verification and retention of verification
forms for any individual(s) hired on or after the effective date of 1996 Act, who will
perform any labor or services under this Contract.
17. Appendix A, Section 7, Vendor Responsibilities, new subsection R. Public Disclosure,
is hereby added to the Contract as follows:
R. Public Disclosure
No public disclosures or news releases pertaining to this contract shall be made without
prior written approval of DIR.
18. Appendix A, Section 7, Vendor Responsibilities, new subsection S. Substitutions, is
hereby added to the Contract as follows:
S. Substitutions
Substitutions are not permitted without the written permission of DIR or Customer.
19. Appendix A, Section 8, Contract Enforcement, subsection B., 2) Absolute Right, is
hereby restated in its entirety as follows:
2) Absolute Right
DIR shall have the absolute right to terminate the Contract without recourse in the event
that: i) Vendor becomes listed on the prohibited vendors list authorized by Executive
Order #13224, "Blocking Property and Prohibiting Transactions with Persons Who
Commit, Threaten to Commit, or Support Terrorism", published by the United States
Department of the Treasury, Office of Foreign Assets Control; ii) Vendor becomes
suspended or debarred from doing business with the federal government as listed in the
Excluded Parties List System (EPLS) maintained by the General Services
Administration; or (iii) Vendor is found by DIR to be ineligible to hold this Contract
under Subsection (b) of Section 2155.006, Texas Government Code. Vendor shall be
provided written notice in accordance with Section 11.A, Notices, of intent to terminate.
20. Appendix A, Section 8, Contract Enforcement, subsection B., 5) Customer Rights
Under Termination, is hereby restated in its entirety as follows:
5) Customer Rights Under Termination
In the event the Contract expires or is terminated for any reason, a Customer shall retain
its rights under the Contract and the Purchase Order issued prior to the termination or
expiration of the Contract. The Purchase Order survives the expiration or termination of
the Contract for its then effective term.
21. Appendix A, Section 8, Contract Enforcement, subsection B., 6) Vendor or Fulfiller
Under Termination, is hereby restated in its entirety as follows:
6) Vendor or Order Fulfiller Rights Under Termination
In the event a Purchase Order expires or is terminated, a Customer shall pay: 1) all
amounts due for products or services ordered prior to the effective termination date and
ultimately accepted, and for work in progress and partially completed work as of the date
of termination, and 2) any applicable early termination fees agreed to in such Purchase
Order.
22. Appendix D, Product and Pricing Index, is hereby replaced in its entirety with the
attached Appendix D, Product and Pricing Index.
23. All other terms and conditions of the Contract as amended, not specifically modified
herein, shall remain in full force and effect. In the event of conflict among the provisions,
the order of precedence shall be Amendment Number 2, Amendment Number 1 and then
the Contract.
IN WITNESS WHEREOF, the parties hereby execute this amendment to be effective as of the
date of the last party to sign, but in all events, no later than March 25, 2010.
Ciber, Inc.
Authorized By: signature on file
Name: Scott Youneman
Title: VP/Asst. Director
Date: 3/23/10
The State of Texas, acting by and through the
Department of Information Resources
Authorized By: signature on file
Name: Cindy Reed
Title: Deputy Executive Director
Operations & Statewide Technology Sourcing
Date: 3/25/10
Legal: 3/25/10
Filename: DIR-SDD-685-amendment-2.docx
Directory: C:\ToWeb\03292010
Template: C:\Documents and Settings\Pheard\Application
Data\Microsoft\Templates\Normal.dot
Title: Amendment Number [amendment number = last
amendment number on file + 1]
Subject:
Author: Wtatsch
Keywords:
Comments:
Creation Date: 3/29/2010 3:15:00 PM
Change Number: 3
Last Saved On: 3/29/2010 3:15:00 PM
Last Saved By: Paige Heard
Total Editing Time: 1 Minute
Last Printed On: 3/29/2010 3:15:00 PM
As of Last Complete Printing
Number of Pages: 12
Number of Words:
5,