CSC No. 56755

CITY OF FORT WORTH
COOPERATIVE PURCHASE AGREEMENT

This Cooperative Purchase Agreement ("Agreement") is entered into by and between Critical Start, Inc. ("Seller") and the City of Fort Worth, ("Buyer"), a Texas home rule municipality.

The Cooperative Purchase Agreement includes the following documents which shall be construed in the order of precedence in which they are listed:

1. This Cooperative Purchase Agreement;
2. Exhibit A—City's Terms and Conditions;
3. Exhibit B—Conflict of Interest Questionnaire.
5. Exhibit C—TX Department of Information Resources DIR-TSO-4074.
6. Exhibit D—Pricing Index DIR-TSO-4074

Exhibits A, B, C, and D which are attached hereto and incorporated herein, are made a part of this Agreement for all purposes. Seller agrees to provide Buyer with the services and goods included in Exhibit C pursuant to the terms and conditions of this Cooperative Purchase Agreement, including all exhibits thereto. In the event of a conflict between Exhibit A—City's Terms and Conditions and Exhibit C—DIR-TSO-4074, then Exhibit A—City's Terms and Conditions shall control, but only to the extent allowable under the DIR-TSO-4074.

Buyer shall pay Seller in accordance with the fee schedule in Exhibit C and in accordance with the provisions of this Agreement. Total payment made under this Agreement for the first year by Buyer shall not exceed One Hundred Thousand and 00/100 dollars ($100,000.00). Seller shall not provide any additional items or services or bill for expenses incurred for Buyer not specified by this Agreement unless Buyer requests and approves in writing the additional costs for such services. Buyer shall not be liable for any additional expenses of Seller not specified by this Agreement unless Buyer first approves such expenses in writing.
The term of this Agreement is effective beginning on the date signed by the Assistant City Manager below ("Effective Date") and expires on January 24, 2022 to coincide with the Cooperative Purchase Agreement. Buyer shall be able to renew this agreement for one (1) one-year renewal option by written agreement of the parties.

The undersigned represents and warrants that he or she has the power and authority to execute this Agreement and bind the respective Vendor.

OFFICIAL RECORD CITY SECRETARY FT. WORTH, TX
Cooperative Purchase Page 1 of 17

CITY OF FORT WORTH:
By: Valerie Washington (Nov 30, 2021 10:18 CST)
Name: Valerie Washington
Title: Assistant City Manager
Date: Nov 30, 2021

CONTRACT COMPLIANCE MANAGER:
By signing I acknowledge that I am the person responsible for the monitoring and administration of this contract, including ensuring all performance and reporting requirements.
By:
Name: Justin Grace
Title: Sr. IT Solutions Manager

APPROVAL RECOMMENDED:
By:
Name: Kevin Gunn
Title: IT Solutions Director

APPROVED AS TO FORM AND LEGALITY:
By:
Name: Taylor Paris
Title: Assistant City Attorney

ATTEST:
By:
Name: Ron Gonzales
Title: Acting City Secretary

CONTRACT AUTHORIZATION:
M&C: N/A

SELLER: Vendor
By:
Name: Alese Pantalion
Title: Sr. Contract Administrator
Date: 11/19/2021

ATTEST:
By:
Name:
Title:

Exhibit A

CITY OF FORT WORTH, TEXAS
STANDARD PURCHASING TERMS AND CONDITIONS

1. Termination.

1.1. Convenience. Either the City or Vendor may terminate this Agreement at any time and for any reason by providing the other party with 30 days written notice of termination.

1.2. Breach. If either party commits a material breach of this Agreement, the non-breaching Party must give written notice to the breaching party that describes the breach in reasonable detail.
The breaching party must cure the breach ten (10) calendar days after receipt of notice from the non-breaching party, or other time frame as agreed to by the parties. If the breaching party fails to cure the breach within the stated period of time, the non-breaching party may, in its sole discretion, and without prejudice to any other right under this Agreement, law, or equity, immediately terminate this Agreement by giving written notice to the breaching party.

1.3. Fiscal Funding Out. In the event no funds or insufficient funds are appropriated by the City in any fiscal period for any payments due hereunder, the City will notify Vendor of such occurrence and this Agreement shall terminate on the last day of the fiscal period for which appropriations were received without penalty or expense to the City of any kind whatsoever, except as to the portions of the payments herein agreed upon for which funds have been appropriated.

1.4. Duties and Obligations of the Parties. In the event that this Agreement is terminated prior to the Expiration Date, the City shall pay Vendor for services actually rendered up to the effective date of termination and Vendor shall continue to provide the City with services requested by the City and in accordance with this Agreement up to the effective date of termination. Upon termination of this Agreement for any reason, Vendor shall provide the City with copies of all completed or partially completed documents prepared under this Agreement. In the event Vendor has received access to City information or data as a requirement to perform services hereunder, Vendor shall return all City provided data to the City in a machine readable format or other format deemed acceptable to the City.

2. Disclosure of Conflicts and Confidential Information.

2.1. Disclosure of Conflicts.
Vendor hereby warrants to the City that Vendor has made full disclosure in writing of any existing or potential conflicts of interest related to Vendor's services under this Agreement. In the event that any conflicts of interest arise after the Effective Date of this Agreement, Vendor hereby agrees immediately to make full disclosure to the City in writing.

2.2. Confidential Information. The City acknowledges that Vendor may use products, materials, or methodologies proprietary to Vendor. The City agrees that Vendor's provision of services under this Agreement shall not be grounds for the City to have or obtain any rights in such proprietary products, materials, or methodologies unless the parties have executed a separate written agreement with respect thereto. Vendor, for itself and its officers, agents and employees, agrees that it shall treat all information provided to it by the City ("City Information") as confidential and shall not disclose any such information to a third party without the prior written approval of the City.

2.3. Public Information Act. City is a government entity under the laws of the State of Texas and all documents held or maintained by City are subject to disclosure under the Texas Public Information Act. In the event there is a request for information marked Confidential or Proprietary, City shall promptly notify Seller. It will be the responsibility of Seller to submit reasons objecting to disclosure. A determination on whether such reasons are sufficient will not be decided by City, but by the Office of the Attorney General of the State of Texas or by a court of competent jurisdiction.

2.4. Unauthorized Access.
Vendor shall store and maintain City Information in a secure manner and shall not allow unauthorized users to access, modify, delete or otherwise corrupt City Information in any way. Vendor shall notify the City immediately if the security or integrity of any City information has been compromised or is believed to have been compromised, in which event, Vendor shall, in good faith, use all commercially reasonable efforts to cooperate with the City in identifying what information has been accessed by unauthorized means and shall fully cooperate with the City to protect such information from further unauthorized disclosure.

3. Right to Audit.

3.1. Vendor agrees that the City shall, until the expiration of three (3) years after final payment under this Agreement, have access to and the right to examine at reasonable times any directly pertinent books, documents, papers and records of the Vendor involving transactions relating to this Agreement at no additional cost to the City. Vendor agrees that the City shall have access during normal working hours to all necessary Vendor facilities and shall be provided adequate and appropriate work space in order to conduct audits in compliance with the provisions of this section. The City shall give Vendor not less than 10 days written notice of any intended audits.

3.2. Vendor further agrees to include in all its subcontractor agreements hereunder a provision to the effect that the subcontractor agrees that the City shall, until expiration of three (3) years after final payment of the subcontract, have access to and the right to examine at reasonable times any directly pertinent books, documents, papers and records of such subcontractor involving transactions related to the subcontract, and further that City shall have access during normal working hours to all subcontractor facilities and shall be provided adequate and appropriate work space in order to conduct audits in compliance with the provisions of this paragraph.
City shall give subcontractor not less than 10 days written notice of any intended audits.

4. Independent Contractor. It is expressly understood and agreed that Vendor shall operate as an independent contractor as to all rights and privileges granted herein, and not as agent, representative or employee of the City. Subject to and in accordance with the conditions and provisions of this Agreement, Vendor shall have the exclusive right to control the details of its operations and activities and be solely responsible for the acts and omissions of its officers, agents, servants, employees, contractors and subcontractors. Vendor acknowledges that the doctrine of respondeat superior shall not apply as between the City, its officers, agents, servants and employees, and Vendor, its officers, agents, employees, servants, contractors and subcontractors. Vendor further agrees that nothing herein shall be construed as the creation of a partnership or joint enterprise between City and Vendor. It is further understood that the City shall in no way be considered a Co-employer or a Joint employer of Vendor or any officers, agents, servants, employees or subcontractors of Vendor. Neither Vendor, nor any officers, agents, servants, employees or subcontractors of Vendor shall be entitled to any employment benefits from the City. Vendor shall be responsible and liable for any and all payment and reporting of taxes on behalf of itself, and any of its officers, agents, servants, employees or subcontractors.

5. LIABILITY AND INDEMNIFICATION.

5.1. LIABILITY - VENDOR SHALL BE LIABLE AND RESPONSIBLE FOR ANY AND ALL PROPERTY LOSS, PROPERTY DAMAGE AND/OR PERSONAL INJURY, INCLUDING DEATH, TO ANY AND ALL PERSONS, OF ANY KIND OR CHARACTER, WHETHER REAL OR ASSERTED, TO THE EXTENT CAUSED BY THE NEGLIGENT ACT(S) OR OMISSION(S), MALFEASANCE OR INTENTIONAL MISCONDUCT OF VENDOR, ITS OFFICERS, AGENTS, SERVANTS OR EMPLOYEES.

5.2.
INDEMNIFICATION - VENDOR HEREBY COVENANTS AND AGREES TO INDEMNIFY, HOLD HARMLESS AND DEFEND THE CITY, ITS OFFICERS, AGENTS, SERVANTS AND EMPLOYEES, FROM AND AGAINST ANY AND ALL CLAIMS OR LAWSUITS OF ANY KIND OR CHARACTER, WHETHER REAL OR ASSERTED, FOR EITHER PROPERTY DAMAGE OR LOSS (INCLUDING ALLEGED DAMAGE OR LOSS TO BUSINESS, AND ANY RESULTING LOST PROFITS), PERSONAL INJURY, INCLUDING DEATH, TO ANY AND ALL PERSONS, AND DAMAGES FOR CLAIMS OF INTELLECTUAL PROPERTY INFRINGEMENT, ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT, TO THE EXTENT CAUSED BY THE ACTS OR OMISSIONS OF VENDOR, ITS OFFICERS, AGENTS, SUBCONTRACTORS, SERVANTS OR EMPLOYEES.

5.3. INTELLECTUAL PROPERTY INFRINGEMENT.

5.3.1. The Vendor warrants that all Deliverables, or any part thereof, furnished hereunder, including but not limited to: programs, documentation, software, analyses, applications, methods, ways, and processes (in this Section 8C each individually referred to as a "Deliverable" and collectively as the "Deliverables,") do not infringe upon or violate any patent, copyrights, trademarks, service marks, trade secrets, or any intellectual property rights or other third party proprietary rights, in the performance of services under this Agreement.

5.3.2. Vendor shall be liable and responsible for any and all claims made against the City for infringement of any patent, copyright, trademark, service mark, trade secret, or other intellectual property rights by the use of or supplying of any Deliverable(s) in the course of performance or completion of, or in any way connected with providing the services, or the City's continued use of the Deliverable(s) hereunder.

5.3.3.
Vendor agrees to indemnify, defend, settle, or pay, at its own cost and expense, including the payment of attorney's fees, any claim or action against the City for infringement of any patent, copyright, trade mark, service mark, trade secret, or other intellectual property right arising from City's use of the Deliverable(s), or any part thereof, in accordance with this Agreement, it being understood that this agreement to indemnify, defend, settle or pay shall not apply if the City modifies or misuses the Deliverable(s). So long as Vendor bears the cost and expense of payment for claims or actions against the City pursuant to this section 8, Vendor shall have the right to conduct the defense of any such claim or action and all negotiations for its settlement or compromise and to settle or compromise any such claim; however, City shall have the right to fully participate in any and all such settlement, negotiations, or lawsuit as necessary to protect the City's interest, and City agrees to cooperate with Vendor in doing so. In the event City, for whatever reason, assumes the responsibility for payment of costs and expenses for any claim or action brought against the City for infringement arising under this Agreement, the City shall have the sole right to conduct the defense of any such claim or action and all negotiations for its settlement or compromise and to settle or compromise any such claim; however, Vendor shall fully participate and cooperate with the City in defense of such claim or action. City agrees to give Vendor timely written notice of any such claim or action, with copies of all papers City may receive relating thereto. Notwithstanding the foregoing, the City's assumption of payment of costs or expenses shall not eliminate Vendor's duty to indemnify the City under this Agreement.
If the Deliverable(s), or any part thereof, is held to infringe and the use thereof is enjoined or restrained or, if as a result of a settlement or compromise, such use is materially adversely restricted, Vendor shall, at its own expense and as City's sole remedy, either: (a) procure for City the right to continue to use the Deliverable(s); or (b) modify the Deliverable(s) to make them/it non-infringing, provided that such modification does not materially adversely affect City's authorized use of the Deliverable(s); or (c) replace the Deliverable(s) with equally suitable, compatible, and functionally equivalent non-infringing Deliverable(s) at no additional charge to City; or (d) if none of the foregoing alternatives is reasonably available to Vendor, terminate this Agreement, and refund all amounts paid to Vendor by the City, subsequent to which termination City may seek any and all remedies available to City under law. VENDOR'S OBLIGATIONS HEREUNDER SHALL BE SECURED BY THE REQUISITE INSURANCE COVERAGE AND AMOUNTS SET FORTH IN SECTION 10 OF THIS AGREEMENT.

6. Assignment and Subcontracting.

6.1. Vendor shall not assign or subcontract any of its duties, obligations or rights under this Agreement without the prior written consent of the City.
If the City grants consent to an assignment, the assignee shall execute a written agreement with the City and the Vendor under which the assignee agrees to be bound by the duties and obligations of Vendor under this Agreement. The Vendor and assignee shall be jointly liable for all obligations under this Agreement prior to the assignment. If the City grants consent to a subcontract, the subcontractor shall execute a written agreement with the Vendor referencing this Agreement under which the subcontractor shall agree to be bound by the duties and obligations of the Vendor under this Agreement as such duties and obligations may apply. The Vendor shall provide the City with a fully executed copy of any such subcontract.

7. Insurance.

7.1. The Vendor shall carry the following insurance coverage with a company that is licensed to do business in Texas or otherwise approved by the City:

7.1.1. Commercial General Liability:

7.1.1.1. Combined limit of not less than $2,000,000 per occurrence; $4,000,000 aggregate; or

7.1.1.2. Combined limit of not less than $1,000,000 per occurrence; $2,000,000 aggregate and Umbrella Coverage in the amount of $4,000,000. Umbrella policy shall contain a follow-form provision and shall include coverage for personal and advertising injury.

7.1.1.3. Defense costs shall be outside the limits of liability.

7.1.2. Automobile Liability Insurance covering any vehicle used in providing services under this Agreement, including owned, non-owned, or hired vehicles, with a combined limit of not less than $1,000,000 per occurrence.

7.1.3. Professional Liability (Errors & Omissions) in the amount of $1,000,000 per claim and $1,000,000 aggregate limit.

7.1.4. Statutory Workers' Compensation and Employers' Liability Insurance requirements per the amount required by statute.

7.1.5. Technology Liability (Errors & Omissions)

7.1.5.1. Combined limit of not less than $2,000,000 per occurrence; $4 million aggregate or

7.1.5.2.
Combined limit of not less than $1,000,000 per occurrence; $2,000,000 aggregate and Umbrella Coverage in the amount of $4,000,000. Umbrella policy shall contain a follow-form provision and shall include coverage for personal and advertising injury. The umbrella policy shall cover amounts for any claims not covered by the primary Technology Liability policy. Defense costs shall be outside the limits of liability.

7.1.5.3. Coverage shall include, but not be limited to, the following:

7.1.5.3.1. Failure to prevent unauthorized access;

7.1.5.3.2. Unauthorized disclosure of information;

7.1.5.3.3. Implantation of malicious code or computer virus;

7.1.5.3.4. Fraud, Dishonest or Intentional Acts with final adjudication language;

7.1.5.3.5. Intellectual Property Infringement coverage, specifically including coverage for intellectual property infringement claims and for indemnification and legal defense of any claims of intellectual property infringement, including infringement of patent, copyright, trade mark or trade secret, brought against the City for use of Deliverables, Software or Services provided by Vendor under this Agreement;

7.1.5.3.6. Technology coverage may be provided through an endorsement to the Commercial General Liability (CGL) policy, a separate policy specific to Technology E&O, or an umbrella policy that picks up coverage after primary coverage is exhausted. Either is acceptable if coverage meets all other requirements. Technology coverage shall be written to indicate that legal costs and fees are considered outside of the policy limits and shall not erode limits of liability. Any deductible will be the sole responsibility of the Vendor and may not exceed $50,000 without the written approval of the City. Coverage shall be claims-made, with a retroactive or prior acts date that is on or before the effective date of this Agreement.
Coverage shall be maintained for the duration of the contractual agreement and for two (2) years following completion of services provided. An annual certificate of insurance, or a full copy of the policy if requested, shall be submitted to the City to evidence coverage; and

7.1.5.3.7. Any other insurance as reasonably requested by City.

7.2. General Insurance Requirements:

7.2.1. All applicable policies shall name the City as an additional insured thereon, as its interests may appear. The term City shall include its employees, officers, officials, agents, and volunteers in respect to the contracted services.

7.2.2. The workers' compensation policy shall include a Waiver of Subrogation (Right of Recovery) in favor of the City of Fort Worth.

7.2.3. A minimum of Thirty (30) days' notice of cancellation or reduction in limits of coverage shall be provided to the City. Ten (10) days' notice shall be acceptable in the event of non-payment of premium. Notice shall be sent to the Risk Manager, City of Fort Worth, 1000 Throckmorton, Fort Worth, Texas 76102, with copies to the City Attorney at the same address.

7.2.4. The insurers for all policies must be licensed and/or approved to do business in the State of Texas. All insurers must have a minimum rating of A-VII in the current A.M. Best Key Rating Guide, or have reasonably equivalent financial strength and solvency to the satisfaction of Risk Management. If the rating is below that required, written approval of Risk Management is required.

7.2.5. Any failure on the part of the City to request required insurance documentation shall not constitute a waiver of the insurance requirement.

7.2.6. Certificates of Insurance evidencing that the Vendor has obtained all required insurance shall be delivered to and approved by the City's Risk Management Division prior to execution of this Agreement.

8. Compliance with Laws, Ordinances, Rules and Regulations.
Vendor agrees to comply with all applicable federal, state and local laws, ordinances, rules and regulations. If the City notifies Vendor of any violation of such laws, ordinances, rules or regulations, Vendor shall immediately desist from and correct the violation.

9. Non-Discrimination Covenant. Vendor, for itself, its personal representatives, assigns, subcontractors and successors in interest, as part of the consideration herein, agrees that in the performance of Vendor's duties and obligations hereunder, it shall not discriminate in the treatment or employment of any individual or group of individuals on any basis prohibited by law. If any claim arises from an alleged violation of this non-discrimination covenant by Vendor, its personal representatives, assigns, subcontractors or successors in interest, Vendor agrees to assume such liability and to indemnify and defend the City and hold the City harmless from such claim.

10. Notices. Notices required pursuant to the provisions of this Agreement shall be conclusively determined to have been delivered when (1) hand-delivered to the other party, its agents, employees, servants or representatives, (2) delivered by facsimile with electronic confirmation of the transmission, or (3) received by the other party by United States Mail, registered, return receipt requested, addressed as follows:

TO THE CITY:
City of Fort Worth
Attn: Assistant City Manager
200 Texas Street
Fort Worth TX 76102
Facsimile: (817) 392-6134
With Copy to the City Attorney at same address

TO VENDOR:
Critical Start, Inc.
Attn: Tera Davis
6860 North Dallas Parkway, Suite 250
Plano, TX 75024
Facsimile: (214) 919-4050

11. Solicitation of Employ.
Neither the City nor Vendor shall, during the term of this Agreement and additionally for a period of one year after its termination, solicit for employment or employ, whether as employee or independent contractor, any person who is or has been employed by the other during the term of this Agreement, without the prior written consent of the person's employer. This provision shall not apply to an employee who responds to a general solicitation or advertisement of employment by either party.

12. Governmental Powers. It is understood and agreed that by execution of this Agreement, the City does not waive or surrender any of its governmental powers.

13. No Waiver. The failure of the City or Vendor to insist upon the performance of any term or provision of this Agreement or to exercise any right granted herein shall not constitute a waiver of the City's or Vendor's respective right to insist upon appropriate performance or to assert any such right on any future occasion.

14. Governing Law and Venue. This Agreement shall be construed in accordance with the laws of the State of Texas. If any action, whether real or asserted, at law or in equity, is brought on the basis of this Agreement, venue for such action shall lie in state courts located in Tarrant County, Texas or the United States District Court for the Northern District of Texas, Fort Worth Division.

15. Severability. If any provision of this Agreement is held to be invalid, illegal or unenforceable, the validity, legality and enforceability of the remaining provisions shall not in any way be affected or impaired.

16. Force Majeure.
The City and Vendor shall exercise their best efforts to meet their respective duties and obligations as set forth in this Agreement, but shall not be held liable for any delay or omission in performance due to force majeure or other causes beyond their reasonable control (force majeure), including, but not limited to, compliance with any government law, ordinance or regulation, acts of God, acts of the public enemy, fires, strikes, lockouts, natural disasters, wars, riots, material or labor restrictions by any governmental authority, transportation problems and/or any other similar causes.

17. Headings Not Controlling. Headings and titles used in this Agreement are for reference purposes only and shall not be deemed a part of this Agreement.

18. Review of Counsel. The parties acknowledge that each party and its counsel have reviewed this Agreement and that the normal rules of construction to the effect that any ambiguities are to be resolved against the drafting party shall not be employed in the interpretation of this Agreement or exhibits hereto.

19. Amendments. No amendment of this Agreement shall be binding upon a party hereto unless such amendment is set forth in a written instrument, and duly executed by an authorized representative of each party.

20. Entirety of Agreement. This Agreement, including any exhibits attached hereto and any documents incorporated herein by reference, contains the entire understanding and agreement between the City and Vendor, their assigns and successors in interest, as to the matters contained herein. Any prior or contemporaneous oral or written agreement is hereby declared null and void to the extent in conflict with any provision of this Agreement.

21. Counterparts. This Agreement may be executed in one or more counterparts and each counterpart shall, for all purposes, be deemed an original, but all such counterparts shall together constitute one and the same instrument.
An executed Agreement, modification, amendment, or separate signature page shall constitute a duplicate if it is transmitted through electronic means, such as fax or e-mail, and reflects the signing of the document by any party. Duplicates are valid and binding even if an original paper document bearing each party's original signature is not delivered.

22. Warranty of Services. Vendor warrants that its services will be of a professional quality and conform to generally prevailing industry standards. City must give written notice of any breach of this warranty within thirty (30) days from the date that the services are completed. In such event, at Vendor's option, Vendor shall either (a) use commercially reasonable efforts to re-perform the services in a manner that conforms with the warranty, or (b) refund the fees paid by the City to Vendor for the nonconforming services.

23. Network Access.

23.1. City Network Access. If Vendor, and/or any of its employees, officers, agents, servants or subcontractors (for purposes of this section "Vendor Personnel"), requires access to the City's computer network in order to provide the services herein, Vendor shall execute and comply with a Network Access Agreement.

23.2.
Federal Law Enforcement Database Access. If Vendor, or any Vendor Personnel, requires access to any federal law enforcement database or any federal criminal history record information system, including but not limited to Fingerprint Identification Records System ("FIRS"), Interstate Identification Index System ("III System"), National Crime Information Center ("NCIC") or National Fingerprint File ("NFF"), or Texas Law Enforcement Telecommunications Systems ("TLETS"), that is governed by and/or defined in Title 28, Code of Federal Regulations Part 20 ("CFR Part 20"), for the purpose of providing services for the administration of criminal justice as defined therein on behalf of the City or the Fort Worth Police Department, under this Agreement, Vendor shall comply with the Criminal Justice Information Services Security Policy and CFR Part 20, as amended, and shall separately execute the Federal Bureau of Investigation Criminal Justice Information Services Security Addendum. No changes, modifications, alterations, or amendments shall be made to the Security Addendum. The document must be executed as is, and as approved by the Texas Department of Public Safety and the United States Attorney General.

24. Immigration Nationality Act. Vendor shall verify the identity and employment eligibility of its employees who perform work under this Agreement, including completing the Employment Eligibility Verification Form (I-9). Upon request by City, Vendor shall provide City with copies of all I-9 forms and supporting eligibility documentation for each employee who performs work under this Agreement. Vendor shall adhere to all Federal and State laws as well as establish appropriate procedures and controls so that no services will be performed by any Vendor employee who is not legally eligible to perform such services.
VENDOR SHALL INDEMNIFY CITY AND HOLD CITY HARMLESS FROM ANY PENALTIES, LIABILITIES, OR LOSSES DUE TO VIOLATIONS OF THIS PARAGRAPH BY VENDOR, VENDOR'S EMPLOYEES, SUBCONTRACTORS, AGENTS, OR LICENSEES. City, upon written notice to Vendor, shall have the right to immediately terminate this Agreement for violations of this provision by Vendor.

25. Informal Dispute Resolution. Except in the event of termination pursuant to Section 4.2, if either City or Vendor has a claim, dispute, or other matter in question for breach of duty, obligations, services rendered or any warranty that arises under this Agreement, the parties shall first attempt to resolve the matter through this dispute resolution process. The disputing party shall notify the other party in writing as soon as practicable after discovering the claim, dispute, or breach. The notice shall state the nature of the dispute and list the party's specific reasons for such dispute. Within ten (10) business days of receipt of the notice, both parties shall commence the resolution process and make a good faith effort, either through email, mail, phone conference, in person meetings, or other reasonable means to resolve any claim, dispute, breach or other matter in question that may arise out of, or in connection with this Agreement. If the parties fail to resolve the dispute within sixty (60) days of the date of receipt of the notice of the dispute, then the parties may submit the matter to non-binding mediation in Tarrant County, Texas, upon written consent of authorized representatives of both parties in accordance with the Industry Arbitration Rules of the American Arbitration Association or other applicable rules governing mediation then in effect. The mediator shall be agreed to by the parties. Each party shall be liable for its own expenses, including attorney's fees; however, the parties shall share equally in the costs of the mediation.
If the parties cannot resolve the dispute through mediation, then either party shall have the right to exercise any and all remedies available under law regarding the dispute. Notwithstanding the fact that the parties may be attempting to resolve a dispute in accordance with this informal dispute resolution process, the parties agree to continue without delay all of their respective duties and obligations under this Agreement not affected by the dispute. Either party may, before or during the exercise of the informal dispute resolution process set forth herein, apply to a court having jurisdiction for a temporary restraining order or preliminary injunction where such relief is necessary to protect its interests.

26. No Boycott of Israel. If Vendor has fewer than 10 employees or the Agreement is for less than $100,000, this section does not apply. Vendor acknowledges that in accordance with Chapter 2270 of the Texas Government Code, City is prohibited from entering into a contract with a company for goods or services unless the contract contains a written verification from the company that it: (1) does not boycott Israel; and (2) will not boycott Israel during the term of the contract. The terms "boycott Israel" and "company" shall have the meanings ascribed to those terms in Section 808.001 of the Texas Government Code. By signing this Addendum, Vendor certifies that Vendor's signature provides written verification to City that Vendor: (1) does not boycott Israel, and (2) will not boycott Israel during the term of the Agreement.

27. Prohibition on Boycotting Energy Companies. Vendor acknowledges that in accordance with Chapter 2274 of the Texas Government Code, as added by Acts 2021, 87th Leg., R.S., S.B.
13, § 2, the City is prohibited from entering into a contract for goods or services that has a value of $100,000 or more that is to be paid wholly or partly from public funds of the City with a company with 10 or more full-time employees unless the contract contains a written verification from the company that it: (1) does not boycott energy companies; and (2) will not boycott energy companies during the term of the contract. The terms "boycott energy company" and "company" have the meaning ascribed to those terms by Chapter 2274 of the Texas Government Code, as added by Acts 2021, 87th Leg., R.S., S.B. 13, § 2. To the extent that Chapter 2274 of the Government Code is applicable to this Agreement, by signing this Agreement, Vendor certifies that Vendor's signature provides written verification to the City that Vendor: (1) does not boycott energy companies; and (2) will not boycott energy companies during the term of this Agreement.

28. Prohibition on Discrimination Against Firearm and Ammunition Industries. Vendor acknowledges that except as otherwise provided by Chapter 2274 of the Texas Government Code, as added by Acts 2021, 87th Leg., R.S., S.B. 19, § 1, the City is prohibited from entering into a contract for goods or services that has a value of $100,000 or more that is to be paid wholly or partly from public funds of the City with a company with 10 or more full-time employees unless the contract contains a written verification from the company that it: (1) does not have a practice, policy, guidance, or directive that discriminates against a firearm entity or firearm trade association; and (2) will not discriminate during the term of the contract against a firearm entity or firearm trade association. The terms "discriminate," "firearm entity" and "firearm trade association" have the meaning ascribed to those terms by Chapter 2274 of the Texas Government Code, as added by Acts 2021, 87th Leg., R.S., S.B. 19, § 1.
To the extent that Chapter 2274 of the Government Code is applicable to this Agreement, by signing this Agreement, Vendor certifies that Vendor's signature provides written verification to the City that Vendor: (1) does not have a practice, policy, guidance, or directive that discriminates against a firearm entity or firearm trade association; and (2) will not discriminate against a firearm entity or firearm trade association during the term of this Agreement.

29. Reporting Requirements.

29.1. For purposes of this section, the words below shall have the following meaning:

29.1.1. Child shall mean a person under the age of 18 years of age.

29.1.2. Child pornography means an image of a child engaging in sexual conduct or sexual performance as defined by Section 43.25 of the Texas Penal Code.

29.1.3. Computer means an electronic, magnetic, optical, electrochemical, or other high-speed data processing device that performs logical, arithmetic, or memory functions by the manipulations of electronic or magnetic impulses and includes all input, output, processing, storage, or communication facilities that are connected or related to the device.

29.1.4. Computer technician means an individual who, in the course and scope of employment or business, installs, repairs, or otherwise services a computer for a fee. This shall include installation of software, hardware, and maintenance services.

29.2. Reporting Requirement. If Vendor meets the definition of Computer Technician as defined herein, and while providing services pursuant to this Agreement, views an image on a computer that is or appears to be child pornography, Vendor shall immediately report the discovery of the image to the City and to a local or state law enforcement agency or the Cyber Tip Line at the National Center for Missing and Exploited Children.
The report must include the name and address of the owner or person claiming a right to possession of the computer, if known, and as permitted by law. Failure by Vendor to make the report required herein may result in criminal and/or civil penalties.

30. Survival of Provisions. The parties' duties and obligations pursuant to sections related to Duties and Obligations, Disclosure of Conflicts and Confidential Information, Right to Audit, and Liability and Indemnification shall survive termination of this Agreement.

31. Electronic Signatures. This Agreement may be executed by electronic signature, which will be considered as an original signature for all purposes and have the same force and effect as an original signature. For these purposes, "electronic signature" means electronically scanned and transmitted versions (e.g. via pdf file or facsimile transmission) of an original signature, or signatures electronically inserted via software such as Adobe Sign.

Exhibit B — CONFLICT OF INTEREST QUESTIONNAIRE

Pursuant to Chapter 176 of the Local Government Code, any person or agent of a person who contracts or seeks to contract for the sale or purchase of property, goods, or services with a local governmental entity (i.e. The City of Fort Worth) must disclose in the Questionnaire Form CIQ ("Questionnaire") the person's affiliation or business relationship that might cause a conflict of interest with the local governmental entity. By law, the Questionnaire must be filed with the Fort Worth City Secretary no later than seven days after the date the person begins contract discussions or negotiations with the Buyer, or submits an application or response to a request for proposals or bids, correspondence, or another writing related to a potential agreement with the Buyer. Updated Questionnaires must be filed in conformance with Chapter 176.
A copy of the Questionnaire Form CIQ is enclosed with the submittal documents. The form is also available at http://www.ethics.state.tx.us/forms/CIQ.pdf. If you have any questions about compliance, please consult your own legal counsel. Compliance is the individual responsibility of each person or agent of a person who is subject to the filing requirement. An offense under Chapter 176 is a Class C misdemeanor.

NOTE: If you are not aware of a Conflict of Interest in any business relationship that you might have with the Buyer, state Seller name in the #1, use N/A in each of the areas on the form. However, a signature is required in the #4 box in all cases.

CONFLICT OF INTEREST QUESTIONNAIRE, FORM CIQ
For vendor doing business with local governmental entity

This questionnaire reflects changes made to the law by H.B. 23, 84th Leg., Regular Session.

OFFICE USE ONLY: Date Received

This questionnaire is being filed in accordance with Chapter 176, Local Government Code, by a vendor who has a business relationship as defined by Section 176.001(1-a) with a local governmental entity and the vendor meets requirements under Section 176.006(a). By law this questionnaire must be filed with the records administrator of the local governmental entity not later than the 7th business day after the date the vendor becomes aware of facts that require the statement to be filed. See Section 176.006(a-1), Local Government Code. A vendor commits an offense if the vendor knowingly violates Section 176.006, Local Government Code. An offense under this section is a misdemeanor.

1 Name of vendor who has a business relationship with local governmental entity. CRITICAL START, INC.

2 Check this box if you are filing an update to a previously filed questionnaire.
(The law requires that you file an updated completed questionnaire with the appropriate filing authority not later than the 7th business day after the date on which you became aware that the originally filed questionnaire was incomplete or inaccurate.)

3 Name of local government officer about whom the information in this section is being disclosed. N/A (Name of Officer)

This section (item 3 including subparts A, B, C, & D) must be completed for each officer with whom the vendor has an employment or other business relationship as defined by Section 176.001(1-a), Local Government Code. Attach additional pages to this Form CIQ as necessary.

A. Is the local government officer named in this section receiving or likely to receive taxable income, other than investment income, from the vendor? Yes / No

B. Is the vendor receiving or likely to receive taxable income, other than investment income, from or at the direction of the local government officer named in this section AND the taxable income is not received from the local governmental entity? Yes / No

C. Is the filer of this questionnaire employed by a corporation or other business entity with respect to which the local government officer serves as an officer or director, or holds an ownership interest of one percent or more? Yes / No

D. Describe each employment or business and family relationship with the local government officer named in this section.

11/19/2021 Signature of vendor doing business with the governmental entity

Adopted 8/7/2015

Exhibit C
Critical Start, Inc. DIR-TSO-4074
https://dir.texas.gov/contracts/dir-tso-4074

Exhibit D
Critical Start, Inc.
DIR-TSO-4074 Pricing Index

Appendix C Pricing Index
DIR-TSO-4074 Critical Start LLC

Brand | Product Description | DIR Customer Discount % off MSRP
Hardware
Exabeam | Physical Appliance | 15.00%
Exabeam | Other Hardware | 15.00%
SecureAuth | Physical Appliance | 10.00%
Verodin | Physical Appliance | 10.00%
Software
Exabeam | Software/Subscription/License | 15.00%
ProtectWise | Software/Subscription/License | 18.00%
SecureAuth | Software/Subscription/License | 10.00%
Verodin | Software/Subscription/License | 10.00%
Duo Security Inc. | Software/Subscription/License | 8.00%
Cybereason | Software/Subscription/License | &00%
Illusive Networks | Software/Subscription/License >1000 Machines | 10.00%

Detailed Service Description | DIR Customer MSRP
Cybereason Monitoring Services (Product must be purchased) | 5.00%
Critical Start Services-Implementation/Configuration | 20.00%

*Important Note: Vendor's quote to DIR customers shall include the DIR administrative fee. The fee will be added after discount off MSRP is applied.

CRITICALSTART SECURITY ASSESSMENT
Statement of Work (DIR-TSO-4074)
Security Assessment for City of Fort Worth Water Department by Critical Start, Inc.

Table of Contents
EXECUTIVE SUMMARY
ABOUT CRITICAL START
ASSESSMENT ACTIVITIES
    Penetration Testing
DOCUMENTATION
PROJECT MANAGEMENT
PROJECT RESPONSIBILITIES & ASSUMPTIONS
ORDER AND PAYMENT INFORMATION
    Payment Terms
    Expenses
AUTHORIZATION
    Agreement

©Critical Start, Inc. Page 2

EXECUTIVE SUMMARY

Critical Start, Inc. (Critical Start), formerly known as Critical Start, LLC., is pleased to present this proposal for a PCI Penetration Test for City of Fort Worth Water Department ("Fort Worth" or "Customer"). The threat landscape is changing where personal information of customers and employees are a key target to hackers. The assessment will focus on the attack methods commonly used by malicious actors to gain access to customer and employee data. This project is performed to identify vulnerabilities which an attacker may use to breach the network. This simulated multi-layered attack is performed on your organization to measure how well your people, processes, facilities and technologies can withstand a real-life attack situation.
ABOUT CRITICAL START

Critical Start is a Plano, TX based security company that is majority employee-owned with the goal to cost-effectively improve the security & compliance management capabilities of our customers by leveraging deep industry subject matter expertise. While focused on security and compliance services, we also resell a limited set of security products, and assist organizations that are moving from a reactive security to proactive security model, or who are working to address security & compliance challenges. Our professional services teams provide a complement of offerings to assist organizations with the development, maintenance, and assessment of your Information Security, Risk, and Compliance Management Programs. Our teams of security analysts, assessors, and engineers deliver top tier real-world expertise with regard to building and maintaining world class information security capabilities and governance programs, and have helped numerous organizations in the following markets achieve their security & compliance objectives:
• Retail & E-Commerce
• Banking & Financial Services
• Healthcare & Clinical Services
• State & Local Government
• Public Service & Transportation Organizations
• Technology Products & Services
• Manufacturing & Distribution
• Utilities & Critical Infrastructure

Critical Start also has an in-house research offensive and defensive team —TEAMARES— that focuses on investigating new threats and potential vulnerabilities industrywide to protect our customers and partners. TEAMARES is also a premier provider of all offensive and defensive security services including:
• Penetration Testing
• Web and Mobile Application Testing
• Full Red Team Engagements
• Password Quality Assessments
• SCADA and IoT Penetration Testing
• Incident Response
• Endpoint Digital Forensics
• Malware Reverse Engineering
ASSESSMENT ACTIVITIES

This assessment will simulate an advanced hacking team who is using multiple methods to obtain access into the Fort Worth network. During the assessment, a standardized methodology and framework called the MITRE ATT&CK is utilized to maintain a consistent approach to the testing. The use and understanding of this standard provides consistency, targeting to specific compliance requirements, the ability to reproduce similar assessments in the future and a consistent reporting approach. Critical Start will perform an assessment based on the assessment requirements as understood by Critical Start, however the MITRE ATT&CK methodology will be adapted to meet Fort Worth's individual needs. This adaptation will be applied through the following phases requested by Fort Worth:

Penetration Testing
• PCI Penetration Assessment
    o Testing of Card Holder Environment (CDE) for PCI DSS 11.3 requirements for penetration testing.
    o Critical Start will start the project with a review of the current cardholder data environment, including any segmentation or scope reduction technologies. This will also include architecture reviews to ensure a full understanding of the current segmentation strategy for limiting the scope of the CDE.
    o Testing of CDE systems from a non-CDE environment to test segmentation controls.
    o Scope includes:
        ■ City of Fort Worth Water Department
        ■ 1 External IP Address

Confidential Page 4

DOCUMENTATION

Our report will include an executive summary, high-level recommendations for remediation, and a detailed technical findings section. The executive summary section will reiterate the scope and purpose of the project as well as list of key findings discovered during the assessment. A brief synopsis of remediation recommendations will follow the executive summary, which serves to highlight steps Fort Worth can take to mitigate risk.
The technical findings section will be compiled into a matrix by finding and each finding will include information regarding risk severity level, systems impacted, description of finding, business risk summary, recommendations for remediation and remediation effort level.

Project Documentation includes a combined report including:
• Executive Level Summary of Findings and Recommendations
• Review of the work performed according to ISACA auditing standards
• A quantitative overall risk score based on the average and impact of discovered vulnerabilities.
• Managerial level results from penetration assessment which includes a narrative walkthrough of the steps performed based on the project timeline.
• Technical Findings of identified vulnerabilities, risk level, remediation effort and recommendations for correction.
• Information Security Program Roadmap including projects associated with the identified risks, impact to the business, initial cost, estimated FTE cost and overall benefit to your organization.
• Executive Presentation of Findings

PROJECT MANAGEMENT

Critical Start will designate a project manager to oversee the project, manage Critical Start resources, and be the Customer's primary contact with Critical Start regarding the following:
• Management of scope (formal or informal requests for changes)
• Conducting Status Meetings
• Preparing Status Reports
• Other activities as specified in this Statement of Work

Additionally, project escalation and quality assurance resources will be designated to ensure that Fort Worth receives the highest quality of service.

CHANGE PROCESS

The general change process will be implemented as illustrated in the Figure below. Either Critical Start or Customer may initiate a change, in writing, to the Project. The change will be evaluated and any Project impact will be identified.
If the evaluation of a change request submitted by Customer takes in excess of four (4) hours to complete, the cost of evaluation may be charged to Customer and any schedule slippage as a result of performing the evaluation will be documented as a formal change to the schedule. The price, scope, and schedule impact, if any, will be analyzed and documented. The change impact will then be processed for Customer authorization or closure. The change request form will include a description of the change, reason for the change, and initiator of the change as well as impact to scope, price, quality, schedule, resources, and risks. All changes must be mutually agreed by the parties in writing. Once approved, changes to the initial project will be implemented as described. If Critical Start and Customer are unable to resolve disposition of change order, the Project SOW will remain as defined in this document.

ESCALATION PROCESS

Timely resolution of issues is critical to maintaining project control and customer satisfaction. The purpose of the escalation process is to help ensure that issues are identified and resolved quickly. The escalation process provides a mechanism to alert Project Managers and other management personnel to issues not being resolved. Either Critical Start or Customer may escalate a project issue as follows:
1. Raise the issue initially to the Critical Start Project Manager or Project Lead.
2. If not resolved at this level, an issue report will be generated and the issue will be escalated to the Project Sponsor.
3. Certain internal Critical Start issues may need to be escalated to the Critical Start VP or Managing Partner for resolution.

PROJECT RESPONSIBILITIES & ASSUMPTIONS

This section details the assumptions and high-level responsibilities associated with the delivery of this Statement of Work.
FORT WORTH RESPONSIBILITIES
• Assign a Project Sponsor who:
    o Is available to Critical Start personnel throughout the life of the project.
    o Acts as an escalation point when conflicts cannot be resolved by the Project Manager.
• Assign a Project Manager who is:
    o Responsible for all Fort Worth aspects of this Project.
    o Authorized to make all decisions relative to the Project, including identification and assignment of Fort Worth resources.
    o Available to Critical Start consulting personnel throughout the Project's life.
    o Is authorized to sign Status Reports, approve consultant hours, and approve project changes.
    o Will coordinate all interviews, onsite reviews, and meeting schedules.
    o Authorized to approve Project changes.
• Complete any documentation requests associated with this statement of work in a timely fashion, and provide requested information to Critical Start project lead.
• Assign managers, process owners, and other personnel, as appropriate, to work with Critical Start throughout the project's life.

It is expected that Fort Worth will engage and participate throughout the project lifecycle phases. Project performance is predicated on Fort Worth's staff, and response to documentation and information requests. Delays in providing this staffing or information may lead to a Change Order, and result in additional cost and/or delay in completion of the Services.

CRITICAL START RESPONSIBILITIES

In addition to the Services defined throughout this SOW, Critical Start shall
• Provide a single point of contact to Fort Worth for the duration of the project for coordination and scheduling of project tasks, documentation and any changes to scope requiring a change order.
• Coordinate activities of all Critical Start resources and provide Fort Worth with a calling tree
• Provide notification prior to the start of intrusive testing along with source IP addresses / ranges.
• Stop performing testing if degradation is identified on applications and networks being reviewed.
• Provide immediate notification if critical vulnerabilities are identified.
• Provide project documentation within an agreed upon timeframe, based on timelines and milestones defined at project kick-off.
• Provide retesting services for vulnerabilities identified during the project that Customer has informed Critical Start of remediation within 90 calendar days from completion of the project.

GENERAL ASSUMPTIONS
• Fort Worth will make reasonable efforts in advance of Critical Start's project activities to assemble all documentation and work papers within scope as identified by Critical Start.
• Any formal reporting of individual controls performed as part of ad-hoc testing will reference specific components which were evaluated, and will not be construed to apply universally to all controls, environments, or components which may be applicable but were not evaluated as part of individual testing.
• Fort Worth acknowledges and agrees that: (i) any outcome of the services involving compliance assessment is limited to a point-in-time examination of Fort Worth's compliance or non-compliance status with the applicable standards or industry best practices set forth in the Scope of Work and that the outcome of any audits, assessments or testing by, and the opinions, advice, recommendations and/or certification of Critical Start do not constitute any form of representation, warranty or guarantee that Fort Worth systems are 100% secure from every form of attack, and (ii) in assisting in the examination of Fort Worth's compliance or non-compliance status, Critical Start relies upon accurate, authentic and complete information provided by Fort Worth as well as use of certain sampling techniques.
ORDER AND PAYMENT INFORMATION

Critical Start proposes to provide the Services and Deliverables at a fixed price not including travel expenses.

Table 1. Combined Project Cost
Type | SKU | Description | Combined Cost
Consulting | CS-PROSRV-TA-RED-NONR | PCI Penetration Assessment | $4,400
Consulting | CS-PROSRV-TA-RED-NONR-AL | Reporting | $2,200
Project Management | CS-PROSRV-TA-RED-NONR-AL | Project Management | $1,400
Discount | CS-DISC-PSNONMDR | DIR Discount | $1,600
Estimated Expenses | | | n/a
Total Package Price USD | | | $6,400

Payment Terms

Critical Start will invoice Fort Worth for half of the assessment (50%) at the project kickoff and the remaining amount and expenses at the delivery of the engagement report. All Critical Start invoices are payable NET 30 days.

Expenses

Portions of this engagement are performed remotely and no travel expenses or licensing fees are required. Other portions are performed on site. As staff is local, no additional travel expenses are required. If Customer requests services that require travel, such as in-person debriefs or presentations outside of the DFW area, travel and incidentals will be billed in addition to the quoted package price.
Billing Contact: City of Fort Worth Water Department
Contact Name: Justin Grace, IT Security Manager, 817.392.2222, Justin.Grace@fortworthtexas.gov
Critical Start Address: 6100 Tennyson Parkway, Suite 200
City, State, Zip (Country): Plano, TX 75024
Senior Account Manager: Justin Bacon
Phone No.: 469.909.7686
E-mail:
Professional Services Project Manager: TBD
Mobile No.:
E-mail: pmo@criticalstart.com
Prepared By: Cory Mathews
SOW Number: 19718
Issuance Date: 10/14/2021
Version: 2

AUTHORIZATION

Agreement

In addition to Fort Worth's execution of this SOW, Critical Start shall require a valid acceptable purchase order referencing this SOW in order to begin to provide the Services hereunder and the signature represents that their execution of this SOW is a binding commitment to purchase the Services described herein. However, in the event that Fort Worth does not issue purchase orders as a matter of business practice, Fort Worth hereby warrants and represents that: i) its signature on this SOW authorizes Critical Start to provide the Services hereunder, and ii) that Fort Worth shall pay for Services provided to Fort Worth without the necessity of a purchase order, and iii) Fort Worth will not contest payment for the provision of Services hereunder due to the fact that no purchase order was issued.

Professional Services Terms and Conditions are located on the Critical Start website at https://www.criticalstart.com/wp-content/uploads/Critical-Start-PSA 0.0 07-06-2020 no-sianature.pdf. This SOW is valid for 60-days after issue date.

Effective Date:

City of Fort Worth Water Department: Authorized Signature, Printed Name, Title, Date
Critical Start, Inc.: Authorized Signature, Printed Name, Title, Date

Please fax your documents to: Critical Start, Inc.
ATTN: Sales Operations
Phone: 214-810-6760
Fax: 214-919-4050
Email: operations@criticalstart.com

CRITICALSTART SECURITY ASSESSMENT
Statement of Work (DIR-TSO-4074)
Security Assessment for City of Fort Worth by Critical Start, Inc.

Table of Contents
EXECUTIVE SUMMARY
ABOUT CRITICAL START
ASSESSMENT ACTIVITIES
    Penetration Testing
    Wireless Penetration Test
    Physical Security Assessment
DOCUMENTATION
PROJECT MANAGEMENT
PROJECT RESPONSIBILITIES & ASSUMPTIONS
ORDER AND PAYMENT INFORMATION
    Payment Terms
    Expenses
AUTHORIZATION
    Agreement

EXECUTIVE SUMMARY

Critical Start, Inc. (Critical Start), formerly known as Critical Start, LLC., is pleased to present this proposal for a DMZ, Internal, and Wireless Penetration Test for City of Fort Worth ("Fort Worth" or "Customer"). The threat landscape is changing where personal information of customers and employees are a key target to hackers. The assessment will focus on the attack methods commonly used by malicious actors to gain access to customer and employee data. This project is performed to identify vulnerabilities which an attacker may use to breach the network. This simulated multi-layered attack is performed on your organization to measure how well your people, processes, facilities and technologies can withstand a real-life attack situation.

ABOUT CRITICAL START

Critical Start is a Plano, TX based security company that is majority employee-owned with the goal to cost-effectively improve the security & compliance management capabilities of our customers by leveraging deep industry subject matter expertise.
While focused on security and compliance services, we also resell a limited set of security products, and assist organizations that are moving from a reactive security to proactive security model, or who are working to address security & compliance challenges. Our professional services teams provide a complement of offerings to assist organizations with the development, maintenance, and assessment of your Information Security, Risk, and Compliance Management Programs. Our teams of security analysts, assessors, and engineers deliver top tier real-world expertise with regard to building and maintaining world class information security capabilities and governance programs, and have helped numerous organizations in the following markets achieve their security & compliance objectives:

• Retail & E-Commerce
• Banking & Financial Services
• Healthcare & Clinical Services
• State & Local Government
• Public Service & Transportation Organizations
• Technology Products & Services
• Manufacturing & Distribution
• Utilities & Critical Infrastructure

Critical Start also has an in-house research offensive and defensive team—TEAMARES—that focuses on investigating new threats and potential vulnerabilities industrywide to protect our customers and partners. TEAMARES is also a premier provider of all offensive and defensive security services including:

• Penetration Testing
• Web and Mobile Application Testing
• Full Red Team Engagements
• Password Quality Assessments
• SCADA and IoT Penetration Testing
• Incident Response
• Endpoint Digital Forensics
• Malware Reverse Engineering

ASSESSMENT ACTIVITIES

This assessment will simulate an advanced hacking team who is using multiple methods to obtain access into the Fort Worth network. During the assessment, a standardized methodology and framework called MITRE ATT&CK is utilized to maintain a consistent approach to the testing.
The use and understanding of this standard provides consistency, targeting to specific compliance requirements, the ability to reproduce similar assessments in the future and a consistent reporting approach. Critical Start will perform an assessment based on the assessment requirements as understood by Critical Start; however, the MITRE ATT&CK methodology will be adapted to meet Fort Worth's individual needs. This adaptation will be applied through the following phases requested by Fort Worth:

Penetration Testing

• DMZ Penetration Testing
    o Perform Footprinting and Reconnaissance within the DMZ
    o Manual scanning of identified network ranges and hosts
    o Performance of manual and automated checks for vulnerabilities
    o Manually validate vulnerabilities
    o Web application attacks (unauthenticated) to identify vulnerable systems
    o Attempt movement from "compromised" DMZ host into other areas of Customer's network
    o Engagement goals:
        ■ Decreased DMZ exposure.
        ■ Increasing user and management security awareness.
        ■ Regulatory compliance requirement
        ■ Fulfill requirement by third-party
    o Scope Includes:
        ■ Up to 200 hosts within the DMZ
• Internal Penetration Testing
    o Perform Footprinting and Reconnaissance internally.
    o Simulate an attacker who has already gained access to internal network or an insider threat.
    o Utilize common hacking tools and techniques to enumerate trusts, common passwords, and privileged accounts.
    o Engagement goals:
        ■ Decreased external exposure.
        ■ Increasing user and management security awareness.
        ■ Regulatory compliance requirement
        ■ Fulfill requirement by third-party
    o Scope Includes:
        ■ ~300 Live Hosts

Wireless Penetration Test

• Wi-Fi Penetration Testing
    o Unauthenticated assessment of SSIDs within Fort Worth's physical location.
    o Attempts to capture and/or crack wireless authentications.
    o Scope Includes:
        ■ Up to 5 Wireless networks that have access to City data.
Physical Security Assessment

• Physical Security Walkthrough
    o Conduct a walk-through with Fort Worth to identify physical security concerns that could lead to a breach.
        ■ Scope Includes:
            • 1 Location, 2 floors.

DOCUMENTATION

Our report will include an executive summary, high-level recommendations for remediation, and a detailed technical findings section. The executive summary section will reiterate the scope and purpose of the project as well as a list of key findings discovered during the assessment. A brief synopsis of remediation recommendations will follow the executive summary, which serves to highlight steps Fort Worth can take to mitigate risk. The technical findings section will be compiled into a matrix by finding and each finding will include information regarding risk severity level, systems impacted, description of finding, business risk summary, recommendations for remediation and remediation effort level.

Project Documentation includes a combined report including:

• Executive Level Summary of Findings and Recommendations
• Review of the work performed according to ISACA auditing standards
• A quantitative overall risk score based on the average and impact of discovered vulnerabilities.
• Managerial level results from penetration assessment which includes a narrative walkthrough of the steps performed based on the project timeline.
• Technical Findings of identified vulnerabilities, risk level, remediation effort and recommendations for correction.
• Information Security Program Roadmap including projects associated with the identified risks, impact to the business, initial cost, estimated FTE cost and overall benefit to your organization.
• Executive Presentation of Findings

PROJECT MANAGEMENT

Critical Start will designate a project manager to oversee the project, manage Critical Start resources, and be the Customer's primary contact with Critical Start regarding the following:

• Management of scope (formal or informal requests for changes)
• Conducting Status Meetings
• Preparing Status Reports
• Other activities as specified in this Statement of Work

Additionally, project escalation and quality assurance resources will be designated to ensure that Fort Worth receives the highest quality of service.

CHANGE PROCESS

The general change process will be implemented as illustrated in the Figure below. Either Critical Start or Customer may initiate a change, in writing, to the Project. The change will be evaluated and any Project impact will be identified. If the evaluation of a change request submitted by Customer takes in excess of four (4) hours to complete, the cost of evaluation may be charged to Customer and any schedule slippage as a result of performing the evaluation will be documented as a formal change to the schedule. The price, scope, and schedule impact, if any, will be analyzed and documented. The change impact will then be processed for Customer authorization or closure. The change request form will include a description of the change, reason for the change, and initiator of the change as well as impact to scope, price, quality, schedule, resources, and risks. All changes must be mutually agreed by the parties in writing. Once approved, changes to the initial project will be implemented as described. If Critical Start and Customer are unable to resolve disposition of change order, the Project SOW will remain as defined in this document.

ESCALATION PROCESS

Timely resolution of issues is critical to maintaining project control and customer satisfaction.
The purpose of the escalation process is to help ensure that issues are identified and resolved quickly. The escalation process provides a mechanism to alert Project Managers and other management personnel to issues not being resolved. Either Critical Start or Customer may escalate a project issue as follows:

1. Raise the issue initially to the Critical Start Project Manager or Project Lead.
2. If not resolved at this level, an issue report will be generated and the issue will be escalated to the Project Sponsor.
3. Certain internal Critical Start issues may need to be escalated to the Critical Start VP or Managing Partner for resolution.

PROJECT RESPONSIBILITIES & ASSUMPTIONS

This section details the assumptions and high-level responsibilities associated with the delivery of this Statement of Work.

FORT WORTH RESPONSIBILITIES

• Assign a Project Sponsor who:
    o Is available to Critical Start personnel throughout the life of the project.
    o Acts as an escalation point when conflicts cannot be resolved by the Project Manager.
• Assign a Project Manager who is:
    o Responsible for all Fort Worth aspects of this Project.
    o Authorized to make all decisions relative to the Project, including identification and assignment of Fort Worth resources.
    o Available to Critical Start consulting personnel throughout the Project's life.
    o Is authorized to sign Status Reports, approve consultant hours, and approve project changes.
    o Will coordinate all interviews, onsite reviews, and meeting schedules.
    o Authorized to approve Project changes.
• Complete any documentation requests associated with this statement of work in a timely fashion, and provide requested information to Critical Start project lead.
• Assign managers, process owners, and other personnel, as appropriate, to work with Critical Start throughout the project's life.

It is expected that Fort Worth will engage and participate throughout the project lifecycle phases.
Project performance is predicated on Fort Worth's staff, and response to documentation and information requests. Delays in providing this staffing or information may lead to a Change Order, and result in additional cost and/or delay in completion of the Services.

CRITICAL START RESPONSIBILITIES

In addition to the Services defined throughout this SOW, Critical Start shall:

• Provide a single point of contact to Fort Worth for the duration of the project for coordination and scheduling of project tasks, documentation and any changes to scope requiring a change order.
• Coordinate activities of all Critical Start resources and provide Fort Worth with a calling tree.
• Provide notification prior to the start of intrusive testing along with source IP addresses / ranges.
• Stop performing testing if degradation is identified on applications and networks being reviewed.
• Provide immediate notification if critical vulnerabilities are identified.
• Provide project documentation within an agreed upon timeframe, based on timelines and milestones defined at project kick-off.
• Provide retesting services for vulnerabilities identified during the project that Customer has informed Critical Start of remediation within 90 calendar days from completion of the project.

GENERAL ASSUMPTIONS

• Fort Worth will make reasonable efforts in advance of Critical Start's project activities to assemble all documentation and work papers within scope as identified by Critical Start.
• Any formal reporting of individual controls performed as part of ad-hoc testing will reference specific components which were evaluated, and will not be construed to apply universally to all controls, environments, or components which may be applicable but were not evaluated as part of individual testing.
• Fort Worth acknowledges and agrees that: (i) any outcome of the services involving compliance assessment is limited to a point-in-time examination of Fort Worth's compliance or non-compliance status with the applicable standards or industry best practices set forth in the Scope of Work and that the outcome of any audits, assessments or testing by, and the opinions, advice, recommendations and/or certification of Critical Start do not constitute any form of representation, warranty or guarantee that Fort Worth systems are 100% secure from every form of attack, and (ii) in assisting in the examination of Fort Worth's compliance or non-compliance status, Critical Start relies upon accurate, authentic and complete information provided by Fort Worth as well as use of certain sampling techniques.

ORDER AND PAYMENT INFORMATION

Critical Start proposes to provide the Services and Deliverables at a fixed price not including travel expenses.

Table 1. Combined Project Cost

Type | SKU | Description | Combined Cost
Consulting | CS-PROSRV-TA-RED-NONR | DMZ Penetration Test | $5,500
Consulting | CS-PROSRV-TA-RED-NONR-AL | Internal Penetration Test | $19,250
Consulting | CS-PROSRV-TA-RED-NONR-AL | Wireless Penetration Test | $2,750
Consulting | CS-PROSRV-TA-RED-NONR-AL | Physical Security Walkthrough | $7,700
Consulting | CS-PROSRV-TA-RED-NONR-AL | Reporting | $6,600
Project Management | CS-PROSRV-TA-RED-NONR-AL | Project Management | $1,100
Discount | CS-DISC-PSNONMDR | DIR Discount | $8,580
Estimated Expenses | | | n/a
Total Package Price USD | | | $34,320

Payment Terms

Critical Start will invoice Fort Worth for half of the assessment (50%) at the project kickoff and the remaining amount and expenses at the delivery of the engagement report. All Critical Start invoices are payable NET 30 days.

Expenses

Portions of this engagement are performed remotely, and no travel expenses or licensing fees are required. Other portions are performed on site. As staff is local, no additional travel expenses are required.
If Customer requests services that require travel, such as in-person debriefs or presentations outside of the DFW area, travel and incidentals will be billed in addition to the quoted package price.

Billing Contact: City of Fort Worth
Contact Name: Justin Grace
817.392.6671
justin.grace@fortworthtexas.gov

Critical Start
Address: 6100 Tennyson Parkway, Suite 200
City, State, Zip (Country): Plano, TX 75024
Senior Account Manager: Justin Bacon
Phone No.: 469.909.7686
E-mail:
Professional Services Project Manager: TBD
Mobile No.:
E-mail: pmo@criticalstart.com

Prepared By: Cory Mathews
SOW Number: 19988
Issuance Date: 10/26/2021
Version: 2

AUTHORIZATION

Agreement

In addition to Fort Worth's execution of this SOW, Critical Start shall require a valid acceptable purchase order referencing this SOW in order to begin to provide the Services hereunder and the signature represents that their execution of this SOW is a binding commitment to purchase the Services described herein. However, in the event that Fort Worth does not issue purchase orders as a matter of business practice, Fort Worth hereby warrants and represents that: i) its signature on this SOW authorizes Critical Start to provide the Services hereunder, and ii) that Fort Worth shall pay for Services provided to Fort Worth without the necessity of a purchase order, and iii) Fort Worth will not contest payment for the provision of Services hereunder due to the fact that no purchase order was issued.

Professional Services Terms and Conditions are located on the Critical Start website at https://www.criticalstart.com/wp-content/uploads/Critical-Start-PSA 0.0 07-06-2020 no-signature.pdf.

This SOW is valid for 60 days after issue date.

Effective Date:

City of Fort Worth              Critical Start, Inc.
Authorized Signature            Authorized Signature
Printed Name                    Printed Name
Title                           Title
Date                            Date

Please fax your documents to:
Critical Start, Inc.
ATTN: Sales Operations
Phone: 214-810-6760
Fax: 214-919-4050
Email: operations@criticalstart.com