Contract 46925
City Secretary Contract No.
RECEIVED AUG 11 2015
CITY OF FORT WORTH
CITY SECRETARY
PROFESSIONAL SERVICES AGREEMENT
(Information Technology)
This PROFESSIONAL SERVICES AGREEMENT ("Agreement") is made and entered into by and
between the CITY OF FORT WORTH (the "City" or "Client"), a Texas home-rule municipal corporation, and
Coalfire Systems, Inc. ("Consultant" or "Contractor"), a Delaware corporation. City and Consultant are each
individually referred to herein as a "party" and collectively referred to as the "parties."
CONTRACT DOCUMENTS:
The Contract documents shall include the following:
1. This Agreement for Professional Services
2. Exhibit A—Statement of Work plus any amendments to the Statement of Work
3. Exhibit B—Payment Schedule
4. Exhibit C—Milestone Acceptance Form
5. Exhibit D—Network Access Agreement
6. Exhibit E—Signature Verification Form
7. Exhibit F—DIR-SDD-1899
All Exhibits attached hereto are incorporated herein and made a part of this Agreement for all purposes. In the event
of any conflict between the documents, the terms and conditions of this Professional Services Agreement shall
control. The term "Consultant" or "Contractor" shall include the Consultant or Contractor, and its officers, agents,
employees, representatives, servants, contractors or subcontractors. The term "City" shall include its officers,
employees, agents, and representatives.
1. Scope of Services.
Consultant hereby agrees, with good faith and due diligence, to provide the City with professional consulting
services for Penetration Testing and Social Engineering Services. Specifically, Consultant will perform all duties
outlined and described in the Statement of Work, which is attached hereto as Exhibit "A" and incorporated herein for
all purposes, and further referred to herein as the "Services." Consultant shall perform the Services in accordance with
standards in the industry for the same or similar services. In addition, Consultant shall perform the Services in
accordance with all applicable federal, state, and local laws, rules, and regulations. If there is any conflict between this
Agreement and Exhibit A, the terms and conditions of this Agreement shall control.
2. Term.
This Agreement shall commence upon the last day executed by both parties ("Effective Date") and shall
expire no later than November 16, 2015 ("Expiration Date"), unless terminated earlier in accordance with the
provisions of this Agreement or otherwise extended by the parties.
OFFICIAL RECORD
CITY SECRETARY
FT. WORTH, TX
Coalfire Systems, Inc. Professional Services Agreement-Technology
Page 1 of 42 Rev. 11/2014
3. Compensation.
The City shall pay Consultant an amount not to exceed $44,900.00 in accordance with the provisions of
this Agreement and Exhibit "B," Payment Schedule, which is attached hereto and incorporated herein for all
purposes. Consultant shall not perform any additional services for the City not specified by this Agreement unless
the City requests and approves in writing the additional costs for such services. The City shall not be liable for any
additional expenses of Consultant not specified by this Agreement unless the City first approves such expenses in
writing. City agrees to pay all invoices of Consultant within thirty (30) days of receipt of such invoice. Consultant
may charge interest on late payments not to exceed one percent (1%).
4. Termination.
4.1. Convenience. Either the City or Consultant may terminate this Agreement at any time and for any reason by
providing the other party with 30 days written notice of termination.
4.2 Breach. Subject to Section 29 herein, either party may terminate this Agreement for breach of duty,
obligation or warranty upon exhaustion of all remedies set forth in Section 29.
4.3 Fiscal Funding Out. In the event no funds or insufficient funds are appropriated by the City in any fiscal
period for any payments due hereunder, the City will notify Consultant of such occurrence and this Agreement shall
terminate on the last day of the fiscal period for which appropriations were received without penalty or expense to
the City of any kind whatsoever, except as to the portions of the payments herein agreed upon for which funds have
been appropriated.
4.4 Duties and Obligations of the Parties. In the event that this Agreement is
terminated prior to the Expiration Date, the City shall pay Consultant for services actually rendered up to the
effective date of termination and Consultant shall continue to provide the City with services requested by the City
and in accordance with this Agreement up to the effective date of termination. Upon termination of this Agreement
for any reason, Consultant shall provide the City with copies of all completed or partially completed documents
prepared under this Agreement. In the event Consultant has received access to City information or data as a
requirement to perform services hereunder, Consultant shall return all City provided data to the City in a machine
readable format or other format deemed acceptable to the City.
5. Disclosure of Conflicts and Confidential Information.
5.1 Disclosure of Conflicts. Consultant hereby warrants to the City that Consultant has made full disclosure in
writing of any existing or potential conflicts of interest related to Consultant's services under this Agreement. In the
event that any conflicts of interest arise after the Effective Date of this Agreement, Consultant hereby agrees
immediately to make full disclosure to the City in writing.
5.2 Confidential Information. The City acknowledges that Consultant may use products, materials, or
methodologies proprietary to Consultant. The City agrees that Consultant's provision of services under this
Agreement shall not be grounds for the City to have or obtain any rights in such proprietary products, materials, or
methodologies unless the parties have executed a separate written agreement with respect thereto. Consultant, for
itself and its officers, agents and employees, agrees that it shall treat all information provided to it by the City
("City Information") as confidential and shall not disclose any such information to a third party without the prior
written approval of the City.
5.3 Unauthorized Access. Consultant shall store and maintain City Information in a secure manner and shall
not allow unauthorized users to access, modify, delete or otherwise corrupt City Information in any way.
Consultant shall notify the City immediately if the security or integrity of any City Information has been
compromised or is believed to have been compromised, in which event, Consultant shall, in good faith, use all
commercially reasonable efforts to cooperate with the City in identifying what information has been accessed by
unauthorized means and shall fully cooperate with the City to protect such information from further unauthorized
disclosure.
6. Right to Audit.
Consultant agrees that the City shall, until the expiration of three (3) years after final payment under this
Agreement, have access to and the right to examine at reasonable times any directly pertinent books, documents,
papers and records of the Consultant involving transactions relating to this Agreement at no additional cost to the
City. Consultant agrees that the City shall have access during normal working hours to all necessary Consultant
facilities and shall be provided adequate and appropriate work space in order to conduct audits in compliance with
the provisions of this section. The City shall give Consultant not less than 10 days written notice of any intended
audits.
Consultant further agrees to include in all its subcontractor agreements hereunder a provision to the effect
that the subcontractor agrees that the City shall, until expiration of three (3) years after final payment of the
subcontract, have access to and the right to examine at reasonable times any directly pertinent books, documents,
papers and records of such subcontractor involving transactions related to the subcontract, and further that City
shall have access during normal working hours to all subcontractor facilities and shall be provided adequate and
appropriate work space in order to conduct audits in compliance with the provisions of this paragraph. City shall
give subcontractor not less than 10 days written notice of any intended audits.
7. Independent Contractor.
It is expressly understood and agreed that Consultant shall operate as an independent contractor as to all
rights and privileges granted herein, and not as agent, representative or employee of the City. Subject to and in
accordance with the conditions and provisions of this Agreement, Consultant shall have the exclusive right to
control the details of its operations and activities and be solely responsible for the acts and omissions of its officers,
agents, servants, employees, contractors and subcontractors. Consultant acknowledges that the doctrine of
respondeat superior shall not apply as between the City, its officers, agents, servants and employees, and
Consultant, its officers, agents, employees, servants, contractors and subcontractors. Consultant further agrees that
nothing herein shall be construed as the creation of a partnership or joint enterprise between City and Consultant.
It is further understood that the City shall in no way be considered a Co-employer or a Joint employer of
Consultant or any officers, agents, servants, employees or subcontractors of Consultant. Neither Consultant, nor
any officers, agents, servants, employees or subcontractors of Consultant shall be entitled to any employment
benefits from the City. Consultant shall be responsible and liable for any and all payment and reporting of taxes on
behalf of itself, and any of its officers, agents, servants, employees or subcontractors.
8. LIABILITY AND INDEMNIFICATION.
A. LIABILITY - CONSULTANT SHALL BE LIABLE AND RESPONSIBLE FOR ANY AND ALL
PROPERTY LOSS, PROPERTY DAMAGE AND/OR PERSONAL INJURY, INCLUDING DEATH, TO
ANY AND ALL PERSONS, OF ANY KIND OR CHARACTER, WHETHER REAL OR ASSERTED, TO
THE EXTENT CAUSED BY THE NEGLIGENT ACT(S) OR OMISSION(S), MALFEASANCE OR
INTENTIONAL MISCONDUCT OF CONSULTANT, ITS OFFICERS, AGENTS, SERVANTS OR
EMPLOYEES. EXCEPT IN THE EVENT OF GROSS NEGLIGENCE OR WILLFUL MISCONDUCT,
LIABILITY OF CONSULTANT FOR CLAIMS ARISING UNDER THIS AGREEMENT SHALL NOT
EXCEED, IN THE AGGREGATE $3,000,000.
B. INDEMNIFICATION - CONSULTANT HEREBY COVENANTS AND AGREES TO INDEMNIFY,
HOLD HARMLESS AND DEFEND THE CITY, ITS OFFICERS, AGENTS, SERVANTS AND
EMPLOYEES, FROM AND AGAINST ANY AND ALL CLAIMS OR LAWSUITS OF ANY KIND OR
CHARACTER, WHETHER REAL OR ASSERTED, FOR EITHER PROPERTY DAMAGE OR LOSS
(INCLUDING ALLEGED DAMAGE OR LOSS TO CONSULTANT'S BUSINESS, AND ANY
RESULTING LOST PROFITS) PERSONAL INJURY, INCLUDING DEATH, TO ANY AND ALL
PERSONS, AND DAMAGES FOR CLAIMS OF INTELLECTUAL PROPERTY INFRINGEMENT,
ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT, TO THE EXTENT CAUSED BY
THE NEGLIGENT ACTS OR OMISSIONS OF CONSULTANT, ITS OFFICERS, AGENTS,
SUBCONTRACTORS, SERVANTS OR EMPLOYEES.
C. INTELLECTUAL PROPERTY INFRINGEMENT—(i) The Consultant warrants that all Deliverables, or
any part thereof, furnished hereunder, including but not limited to: programs, documentation, software,
analyses, applications, methods, ways, and processes (in this Section 8C each individually referred to as a
"Deliverable" and collectively as the "Deliverables,") do not infringe upon or violate any patent, copyrights,
trademarks, service marks, trade secrets, or any intellectual property rights or other third party proprietary
rights, in the performance of services under this Agreement.
(ii) Consultant shall be liable and responsible for any and all claims made against the City for infringement of
any patent, copyright, trademark, service mark, trade secret, or other intellectual property rights by the use
of or supplying of any Deliverable(s) in the course of performance or completion of, or in any way connected
with providing the services, or the City's continued use of the Deliverable(s) hereunder.
(iii) Consultant agrees to indemnify, defend, settle, or pay, at its own cost and expense, including the payment
of attorney's fees, any claim or action against the City for infringement of any patent, copyright, trade mark,
service mark, trade secret, or other intellectual property right arising from City's use of the Deliverable(s), or
any part thereof, in accordance with this Agreement, it being understood that this agreement to indemnify,
defend, settle or pay shall not apply if the City modifies or misuses the Deliverable(s). So long as Consultant
bears the cost and expense of payment for claims or actions against the City pursuant to this section 8,
Consultant shall have the right to conduct the defense of any such claim or action and all negotiations for its
settlement or compromise and to settle or compromise any such claim; however, City shall have the right to
fully participate in any and all such settlement, negotiations, or lawsuit as necessary to protect the City's
interest, and City agrees to cooperate with Consultant in doing so. In the event City, for whatever reason,
assumes the responsibility for payment of costs and expenses for any claim or action brought against the City
for infringement arising under this Agreement, the City shall have the sole right to conduct the defense of any
such claim or action and all negotiations for its settlement or compromise and to settle or compromise any
such claim; however, Consultant shall fully participate and cooperate with the City in defense of such claim
or action. City agrees to give Consultant timely written notice of any such claim or action, with copies of all
papers City may receive relating thereto. Notwithstanding the foregoing, the City's assumption of payment of
costs or expenses shall not eliminate Consultant's duty to indemnify the City under this Agreement. If the
Deliverable(s), or any part thereof, is held to infringe and the use thereof is enjoined or restrained or, if as a
result of a settlement or compromise, such use is materially adversely restricted, Consultant shall, at its own
expense and as City's sole remedy, either: (a) procure for City the right to continue to use the Deliverable(s);
or (b) modify the Deliverable(s) to make them/it non-infringing, provided that such modification does not
materially adversely affect City's authorized use of the Deliverable(s); or (c) replace the Deliverable(s)
with equally suitable, compatible, and functionally equivalent non-infringing Deliverable(s) at no additional
charge to City; or (d) if none of the foregoing alternatives is reasonably available to Consultant, terminate
this Agreement, and refund all amounts paid to Consultant by the City, subsequent to which termination City
may seek any and all remedies available to City under law. CONSULTANT'S OBLIGATIONS HEREUNDER
SHALL BE SECURED BY THE REQUISITE INSURANCE COVERAGE AND AMOUNTS SET FORTH IN
SECTION 10 OF THIS AGREEMENT.
9. Assignment and Subcontracting.
Consultant shall not assign or subcontract any of its duties, obligations or rights under this Agreement
without the prior written consent of the City. If the City grants consent to an assignment, the assignee shall execute a
written agreement with the City and the Consultant under which the assignee agrees to be bound by the duties and
obligations of Consultant under this Agreement. The Consultant and Assignee shall be jointly liable for all
obligations under this Agreement prior to the assignment. If the City grants consent to a subcontract, the
subcontractor shall execute a written agreement with the Consultant referencing this Agreement under which the
subcontractor shall agree to be bound by the duties and obligations of the Consultant under this Agreement as such
duties and obligations may apply. The Consultant shall provide the City with a fully executed copy of any such
subcontract.
10. INSURANCE.
10.1 The Consultant shall carry the following insurance coverage with a company that is licensed to do business
in Texas or otherwise approved by the City:
1. Commercial General Liability
a. Combined limit of not less than $2,000,000 per occurrence, $4 million aggregate or
b. Combined limit of not less than $1,000,000 per occurrence; $2,000,000 aggregate and Umbrella
Coverage in the amount of $4,000,000. Umbrella policy shall contain a follow-form provision and shall
include coverage for personal and advertising injury.
c. Defense costs shall be outside the limits of liability.
2. Automobile Liability Insurance covering any vehicle used in providing services under this Agreement,
including owned, non-owned, or hired vehicles, with a combined limit of not less than $1,000,000 per
occurrence.
3. Professional Liability (Errors & Omissions) in the amount of $1,000,000 per claim and $1,000,000
aggregate limit.
4. Statutory Workers' Compensation and Employers' Liability Insurance requirements per the amount required
by statute.
5. Technology Liability (Errors & Omissions)
a. Combined limit of not less than $2,000,000 per occurrence; $4 million aggregate or
b. Combined limit of not less than $1,000,000 per occurrence; $2,000,000 aggregate and Umbrella
Coverage in the amount of $4,000,000. Umbrella policy shall contain a follow-form provision and shall
include coverage for personal and advertising injury. The umbrella policy shall cover amounts for any
claims not covered by the primary Technology Liability policy. Defense costs shall be outside the limits of
liability.
(a) Coverage shall include, but not be limited to, the following:
(i) Failure to prevent unauthorized access
(ii) Unauthorized disclosure of information
(iii) Implantation of malicious code or computer virus
(iv) Fraud, Dishonest or Intentional Acts with final adjudication language
(v) Intellectual Property Infringement coverage, specifically including coverage for intellectual
property infringement claims and for indemnification and legal defense of any claims of
intellectual property infringement, including infringement of patent, copyright, trade mark or trade
secret, brought against the City for use of Deliverables, Software or Services provided by
Consultant under this Agreement.
Technology coverage may be provided through an endorsement to the Commercial General Liability (CGL)
policy, a separate policy specific to Technology E&O, or an umbrella policy that picks up coverage after
primary coverage is exhausted. Either is acceptable if coverage meets all other requirements. Technology
coverage shall be written to indicate that legal costs and fees are considered outside of the policy limits and
shall not erode limits of liability. Any deductible will be the sole responsibility of the Consultant and may
not exceed $50,000 without the written approval of the City. Coverage shall be claims-made, with a
retroactive or prior acts date that is on or before the effective date of this Agreement. Coverage shall be
maintained for the duration of the contractual agreement and for two (2) years following completion of
services provided. An annual certificate of insurance, or a full copy of the policy if requested, shall be
submitted to the City to evidence coverage.
6. Any other insurance as reasonably requested by City.
10.2 General Insurance Requirements:
1. All applicable policies shall name the City as an additional insured thereon, as its interests may appear. The
term City shall include its employees, officers, officials, agents, and volunteers in respect to the contracted
services.
2. The workers' compensation policy shall include a Waiver of Subrogation (Right of Recovery) in favor of
the City of Fort Worth.
3. A minimum of Thirty (30) days' notice of cancellation or reduction in limits of coverage shall be provided
to the City. Ten (10) days' notice shall be acceptable in the event of non-payment of premium. Notice shall
be sent to the Risk Manager, City of Fort Worth, 1000 Throckmorton, Fort Worth, Texas 76102, with
copies to the City Attorney at the same address.
4. The insurers for all policies must be licensed and/or approved to do business in the State of Texas. All
insurers must have a minimum rating of A- VII in the current A.M. Best Key Rating Guide, or have
reasonably equivalent financial strength and solvency to the satisfaction of Risk Management. If the rating
is below that required, written approval of Risk Management is required.
5. Any failure on the part of the City to request required insurance documentation shall not constitute a waiver
of the insurance requirement.
6. Certificates of Insurance evidencing that the Consultant has obtained all required insurance shall be
delivered to and approved by the City's Risk Management Division prior to execution of this Agreement.
11. Compliance with Laws, Ordinances, Rules and Regulations.
Consultant agrees to comply with all applicable federal, state and local laws, ordinances, rules and
regulations. If the City notifies Consultant of any violation of such laws, ordinances, rules or regulations,
Consultant shall immediately desist from and correct the violation.
12. Non-Discrimination Covenant.
Consultant, for itself, its personal representatives, assigns, subcontractors and successors in interest, as part
of the consideration herein, agrees that in the performance of Consultant's duties and obligations hereunder, it shall
not discriminate in the treatment or employment of any individual or group of individuals on any basis prohibited by
law. If any claim arises from an alleged violation of this non-discrimination covenant by Consultant, its personal
representatives, assigns, subcontractors or successors in interest, Consultant agrees to assume such liability and to
indemnify and defend the City and hold the City harmless from such claim.
13. Notices.
Notices required pursuant to the provisions of this Agreement shall be conclusively determined to have
been delivered when (1) hand-delivered to the other party, its agents, employees, servants or representatives, (2)
delivered by facsimile with electronic confirmation of the transmission, or (3) received by the other party by
United States Mail, registered, return receipt requested, addressed as follows:
TO THE CITY:
City of Fort Worth
Attn: Susan Alanis, ACM
1000 Throckmorton
Fort Worth TX 76102
With Copy to the City Attorney at same address
TO CONSULTANT:
Name: Coalfire Systems, Inc.
Attn: Alan Ferguson, Exec. Vice President
Address: 361 Centennial Parkway,#150
City, State, Zip: Louisville, CO 80027
Facsimile: 303-872-4151
14. Solicitation of Employees.
Neither the City nor Consultant shall, during the term of this Agreement and additionally for a period of
one year after its termination, solicit for employment or employ, whether as employee or independent contractor,
any person who is or has been employed by the other during the term of this Agreement, without the prior written
consent of the person's employer. This provision shall not apply to an employee who responds to a general
solicitation or advertisement of employment by either party.
15. Governmental Powers.
It is understood and agreed that by execution of this Agreement, the City does not waive or surrender any of
its governmental powers.
16. No Waiver.
The failure of the City or Consultant to insist upon the performance of any term or provision of this
Agreement or to exercise any right granted herein shall not constitute a waiver of the City's or Consultant's
respective right to insist upon appropriate performance or to assert any such right on any future occasion.
17. Governing Law and Venue.
This Agreement shall be construed in accordance with the laws of the State of Texas. If any action, whether
real or asserted, at law or in equity, is brought on the basis of this Agreement, venue for such action shall lie in state
courts located in Tarrant County, Texas or the United States District Court for the Northern District of Texas, Fort
Worth Division.
18. Severability.
If any provision of this Agreement is held to be invalid, illegal or unenforceable, the validity, legality and
enforceability of the remaining provisions shall not in any way be affected or impaired.
19. Force Majeure.
The City and Consultant shall exercise their best efforts to meet their respective duties and obligations as
set forth in this Agreement, but shall not be held liable for any delay or omission in performance due to force
majeure or other causes beyond their reasonable control (force majeure), including, but not limited to, compliance
with any government law, ordinance or regulation, acts of God, acts of the public enemy, fires, strikes, lockouts,
natural disasters, wars, riots, material or labor restrictions by any governmental authority, transportation problems
and/or any other similar causes.
20. Headings Not Controlling.
Headings and titles used in this Agreement are for reference purposes only and shall not be deemed a part of
this Agreement.
21. Review of Counsel.
The parties acknowledge that each party and its counsel have reviewed this Agreement and that the normal
rules of construction to the effect that any ambiguities are to be resolved against the drafting party shall not be
employed in the interpretation of this Agreement or exhibits hereto.
22. Amendments.
No amendment of this Agreement shall be binding upon a party hereto unless such amendment is set forth in
a written instrument, and duly executed by an authorized representative of each party.
23. Entirety of Agreement.
This Agreement, including any exhibits attached hereto and any documents incorporated herein by
reference, contains the entire understanding and agreement between the City and Consultant, their assigns and
successors in interest, as to the matters contained herein. Any prior or contemporaneous oral or written agreement
is hereby declared null and void to the extent in conflict with any provision of this Agreement.
24. Counterparts.
This Agreement may be executed in one or more counterparts and each counterpart shall, for all purposes,
be deemed an original, but all such counterparts shall together constitute one and the same instrument. An executed
Agreement, modification, amendment, or separate signature page shall constitute a duplicate if it is transmitted
through electronic means, such as fax or e-mail, and reflects the signing of the document by any party. Duplicates are
valid and binding even if an original paper document bearing each party's original signature is not delivered.
25. Warranty of Services.
Consultant warrants that its services will be of a professional quality and conform to generally prevailing
industry standards. City must give written notice of any breach of this warranty within thirty (30) days from the date
that the services are completed. In such event, at Consultant's option, Consultant shall either (a) use commercially
reasonable efforts to re-perform the services in a manner that conforms with the warranty, or (b) refund the fees paid
by the City to Consultant for the nonconforming services.
26. Milestone Acceptance.
Consultant shall verify the quality of each deliverable before submitting it to the City for review and
approval. The City will review all deliverables to determine their acceptability and signify acceptance by execution
of the Milestone Acceptance Form, which is attached hereto as Exhibit "C." If the City rejects the submission, it
will notify the Consultant in writing as soon as the determination is made listing the specific reasons for rejection.
The Consultant shall have ten (10) days to correct any deficiencies and resubmit the corrected deliverable. Payment
to the Consultant shall not be authorized unless the City accepts the deliverable in writing in the form attached. The
City's acceptance will not be unreasonably withheld.
27. Network Access.
27.1 City Network Access. If Consultant, and/or any of its employees, officers, agents, servants or
subcontractors (for purposes of this section "Consultant Personnel"), requires access to the City's computer network
in order to provide the services herein, Consultant shall execute and comply with the Network Access Agreement
which is attached hereto as Exhibit "D" and incorporated herein for all purposes.
27.2 Federal Law Enforcement Database Access. If Consultant, or any Consultant Personnel, requires
access to any federal law enforcement database or any federal criminal history record information system, including
but not limited to Fingerprint Identification Records System ("FIRS"), Interstate Identification Index System ("III
System"), National Crime Information Center ("NCIC") or National Fingerprint File ("NFF"), that is governed by
and/or defined in Title 28, Code of Federal Regulations Part 20 ("CFR Part 20"), for the purpose of providing
services for the administration of criminal justice as defined therein on behalf of the City under this Agreement,
Consultant shall comply with the Criminal Justice Information Services Security Policy and CFR Part 20, and shall
separately execute the Federal Bureau of Investigation Criminal Justice Information Services Security Addendum.
28. Immigration Nationality Act.
The City of Fort Worth actively supports the Immigration & Nationality Act (INA) which includes
provisions addressing employment eligibility, employment verification, and nondiscrimination. Consultant shall
verify the identity and employment eligibility of all employees who perform work under this Agreement. Consultant
shall complete the Employment Eligibility Verification Form (I-9), maintain photocopies of all supporting
employment eligibility and identity documentation for all employees, and upon request, provide City with copies of
all I-9 forms and supporting eligibility documentation for each employee who performs work under this Agreement.
Consultant shall establish appropriate procedures and controls so that no services will be performed by any employee
who is not legally eligible to perform such services. Consultant shall provide City with a certification letter that it has
complied with the verification requirements required by this Agreement. Consultant shall indemnify City from any
penalties or liabilities due to violations of this provision. City shall have the right to immediately terminate this
Agreement for violations of this provision by Consultant.
29. Informal Dispute Resolution.
Except in the event of termination pursuant to Section 4.2, if either City or Consultant has a claim, dispute, or
other matter in question for breach of duty, obligations, services rendered or any warranty that arises under this
Agreement, the parties shall first attempt to resolve the matter through this dispute resolution process. The disputing
party shall notify the other party in writing as soon as practicable after discovering the claim, dispute, or breach. The
notice shall state the nature of the dispute and list the party's specific reasons for such dispute. Within ten (10) business
days of receipt of the notice, both parties shall commence the resolution process and make a good faith effort, either
through email, mail, phone conference, in person meetings, or other reasonable means to resolve any claim, dispute,
breach or other matter in question that may arise out of, or in connection with this Agreement. If the parties fail to
resolve the dispute within sixty (60) days of the date of receipt of the notice of the dispute, then the parties may submit
the matter to non-binding mediation in Tarrant County, Texas, upon written consent of authorized representatives of
both parties in accordance with the Industry Arbitration Rules of the American Arbitration Association or other
applicable rules governing mediation then in effect. The mediator shall be agreed to by the parties. Each party shall be
liable for its own expenses, including attorney's fees; however, the parties shall share equally in the costs of the
mediation. If the parties cannot resolve the dispute through mediation, then either party shall have the right to exercise
any and all remedies available under law regarding the dispute. Notwithstanding the fact that the parties may be
attempting to resolve a dispute in accordance with this informal dispute resolution process, the parties agree to
continue without delay all of their respective duties and obligations under this Agreement not affected by the dispute.
Either party may, before or during the exercise of the informal dispute resolution process set forth herein, apply to a
court having jurisdiction for a temporary restraining order or preliminary injunction where such relief is necessary to
protect its interests.
30. Reporting Requirements.
For purposes of this section, the words below shall have the following meaning:
Child shall mean a person under the age of 18 years of age.
Child pornography means an image of a child engaging in sexual conduct or sexual performance as defined by
Section 43.25 of the Texas Penal Code.
Computer means an electronic, magnetic, optical, electrochemical, or other high-speed data processing device that
performs logical, arithmetic, or memory functions by the manipulations of electronic or magnetic impulses and
includes all input, output, processing, storage, or communication facilities that are connected or related to the device.
Computer technician means an individual who, in the course and scope of employment or business, installs, repairs,
or otherwise services a computer for a fee. This shall include installation of software, hardware, and maintenance
services.
If Consultant meets the definition of Computer Technician as defined herein, and while providing services pursuant
to this Agreement, views an image on a computer that is or appears to be child pornography, Consultant shall
immediately report the discovery of the image to the City and to a local or state law enforcement agency or the Cyber
Tip Line at the National Center for Missing and Exploited Children. The report must include the name and address
of the owner or person claiming a right to possession of the computer, if known, and as permitted by law. Failure by
Consultant to make the report required herein may result in criminal and/or civil penalties.
31. Signature Authority.
The person signing this agreement hereby warrants that he/she has the legal authority to execute this
agreement on behalf of the respective party, and that such binding authority has been granted by proper order,
resolution, ordinance or other authorization of the entity. This Agreement, and any amendment(s) hereto, may be
executed by any authorized representative of Consultant whose name, title and signature is affixed on the
Verification of Signature Authority Form, which is attached hereto as Exhibit "E" and incorporated herein by
reference. Each party is fully entitled to rely on these warranties and representations in entering into this Agreement
or any amendment hereto.
Executed in multiples this the day of ,20
AGREED:
CITY OF FORT WORTH
By: Susan Al s
Assistant City Manager
Date:
AGREED:
Coalfire Systems, Inc.
By: Alan Ferguson
Executive Vice President
Date: August 1, 2015
ATTEST:
By: M J. Kayse
City Secretary
ATTEST:
By: S S ve eitsch
APPROVED AS TO FORM AND LEGALITY:
Maleshia 131
Senior Assistant City Attorney
CONTRACT AUTHORIZATION:
M&C: None required
Date Approved:
OFFICIAL RECORD
CITY SECRETARY
FT. WORTH, TX
EXHIBIT A
STATEMENT OF WORK
Service Order for:
Application,
Submitted to:
Alan Girton
Senior Manager, Security
City of Fort Worth
275 W 13th Street
Fort Worth, Texas 76101
87;-302-t;7t37
Submitted by:
Ice Ramer
Regional Sales Director
Coalfire Systems, Inc.
14806 landmark Rhn1, Suite 770
Dallas, TX 75254
(972(763�Ol l
ice bantes@coalfire.com
June 22, 2015
Service Order: 15O(112 City of Ft Worth Pentest
Texas DIR Contract DIR-SDD-1899
Overview
Coalfire Systems, Inc. (Coalfire) is pleased to provide City of Fort Worth, Texas (City of Fort Worth) this proposal
and service order to provide network penetration testing, web application testing and social engineering services.
The primary target environment will be toward systems that contain Credit Card Data (CCD).
About Coalfire Labs
Coalfire Labs offers services that are pre-emptive and immediate. We also provide post-incident support when
needed. From start to finish, through forensic e-discovery processes, we follow a standard methodology that
promotes knowledge transfer and a thorough understanding of your needs.
Our services are delivered by the brightest minds in IT security with technical experts that are industry-certified
and well-versed in regulations, digital forensics, threat mitigation, electronic discovery, vulnerability dales, and
incident response.
Services:
• Penetration Testing
• Vulnerability Scanning & Assessments
• Social Engineering
• Application Security
• Incident Response Planning
• Electronic Discovery Support
• Forensics and Litigation Support
Lab Professional Credentials:
• AccessData Certified Examiner (ACE)
• AccessData Mobile Examiner (AME)
• CCNA Security
• Certified Disaster Recovery Planner (CDRP)
• Certified in Risk and Information Systems Control (CRISC)
• Certified Information Systems Auditor (CISA)
• Certified Information Systems Security Professional (CISSP)
• Certified VISA and ABA Encryption Auditor (TG3)
• Certified Ethical Hacker (CEH)
• Certified TACLANE Operator (General Dynamics NSA Type 1 Encryptor Certification)
• Cisco Certified Network Associate (CCNA)
• CompTIA A+, Network+, Linux+
• CompTIA Advanced Security Practitioner (CASP)
• GIAC Certified Incident Handler (GCIH)
• GIAC Certified Web Application Penetration Tester (GWAPT)
• GIAC Penetration Tester (GPEN)
• GIAC Certified Forensic Analyst (GCFA)
• GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
• Holistic Information Security Practitioner (HISP)
• ITIL Foundations v3
• Microsoft Certified System Engineer (MCSE)
• Microsoft Certified Technology Specialist (MCTS)
• Offensive Security Certified Expert (OSCE)
• Offensive Security Certified Professional (OSCP)
• Offensive Security Wireless Professional (OSWP)
• PA-QSA (P2PE)
• QSA (P2PE)
• Red Hat Certified Engineer (RHCE)
Statement of Work
The services defined in this Statement of Work constitute the extent of services Coalfire will provide to City of Fort
Worth who understands that services not specified in this Statement of Work are out of scope for this
engagement. Services listed in this document will be provided on a mutually agreeable schedule.
The purpose of this task is to align all project participants to the project objectives,tasks,deliverables and
schedules in a formal project charter meeting,supported by a formal project charter document. Key project
charter activities are shown in the table below.
Activity | Description
Introduction | Introduce project stakeholders to foster good communication and coordination among key members of the project team, including Coalfire, City of Fort Worth and third party personnel.
Roles and Responsibilities | Establish and agree on roles and responsibilities for project team members, and identify points of contact for project activities and specific subject matter expertise.
Request for Information | Request documentation and artifacts pertinent to the IT risk assessment services through use of a formal request for information (RFI), and adapt the RFI to the specific environment requirements during the Project Charter meeting.
Timelines & Milestones | Establish and agree on timeline, milestones, status meeting dates, and target deliverable timeframes.
Review and Approve Methodologies and Tools | Align stakeholders to the project management process and establish overall project management roles. Review pertinent methodologies and tools with City of Fort Worth.
Access Rights | Identify approved team members to be granted access rights to the secure project portal established to create a central place for all participants to store and retrieve working documents.
The deliverables from this task include the initial version of the Project Charter document,and subsequent
versions as amended for important changes and adjustments to the project definition.
Project Portal
A secure Project Portal is established immediately after the project charter meeting. Access is restricted on a
"need-to-know" basis and Coalfire will provide credentials to approved project team members as determined
during the Project Charter meeting. The key purpose of the Project Portal is to establish a means of exchanging
sensitive project information securely. The Project Portal maintains the project charter, project plans, status
reports, task assignments, reports and deliverables. It also incorporates alerting tools based on daily, weekly
or activity-based criteria. The Project Portal leverages Microsoft's SharePoint architecture.
Testing Tools
Standard tools Coalfire utilizes for its Penetration Tests include:
Rapid7's NeXpose—Has been named the "Best Vulnerability Assessment Solution"
by SC Magazine. Coalfire has found Rapid7's award winning NeXpose vulnerability
assessment tool to be the best available off-the-shelf tool for internal vulnerability
scans and checks for more than 30,000 vulnerabilities. Rapid7 also acquired
Metasploit in 2009, and had integrated its code into the scanning product.
Metasploit is an open-sourced project managed by Rapid7. It provides useful
information to people who perform penetration testing, IDS signature
development, and exploit research. This project was created to provide
information on exploit techniques and to create a useful resource for exploit
developers and security professionals.
Burp Suite - is an integrated platform for performing security testing of web
applications. Its various tools work seamlessly together to support the entire testing
process.
Acunetix—Is the industry's most advanced and in-depth SQL injection and Cross
Site scripting testing tool with state of the art crawler technology which includes a
client script analyzer engine, Low False Positives and detailed reports that pinpoint
security issues right down to the exact line of code.
Open Source - In addition to commercial products, Coalfire may leverage open
source tools including: Cain & Abel, L0phtcrack, Nmap, Nikto/Wikto, Superscan, SSL
Digger, Nessus, Microsoft Baseline Security Analyzer (MBSA), and Center for
Internet Security (CIS) Benchmarks.
Coalfire's Enterprise Penetration Testing attacks all parts of your attack surface-people, processes and
technology-using various threat vectors. This testing is designed to emulate how a real-world adversary
would attack your organization to gain unauthorized access to systems or data. This is comprised of two
complementary tasks: technical penetration testing and social engineering. Coalfire begins penetration
testing engagements by working with your team to establish goals of the engagement. Typically, engagement
goals include access to specific systems or types of data. These goals, combined with the types of systems
that are in scope for testing (the "attack surface") drive the specific techniques used. Coalfire performs the
two types of attacks as a blended threat scenario - leveraging technical attacks and social engineering attacks
where most appropriate to accomplish the goals of the engagement.
Technical Penetration Testing
Penetration Testing determines if system, service, network, or application vulnerabilities can be exploited to
allow unauthorized access to systems, applications, or data. Coalfire will initially attack your network from
the outside, demonstrating the impact of an Internet-based attacker attempting to compromise systems with
externally accessible interfaces. We follow the External attack with an Internal attack that emulates an
adversary that may have gained physical access to your facilities or network presence, or one that has
infiltrated your organization via employment or third party contractor. When performing an enterprise
penetration test that also includes physical access testing, we will attempt to gain this internal access through
surreptitious means.
Scope
The scope of this engagement includes all technical assets. The anticipated level of effort for this
engagement has been established based on an attack surface and attack scenarios consisting of:
Attack Surface:
Approximately 1100 external systems and applications
Approximately 6000 internal systems
Attack Scenarios consisting of:
1. Malicious Outsider
2. Malicious Insider
Specifically out of scope for this engagement are attacks against the organization's business partners
beyond those components, systems or services that the organization has management control over.
Methodology
At a high level, Coalfire takes a standardized approach to penetration testing, regardless of the type of
technologies in your environment: Reconnaissance and Vulnerability Identification, Exploiting, Pivoting, and
Pilfering. Our methodology for penetration testing is aligned with the Penetration Test Execution Standard
(PTES) and NIST 800-115 and follows the following outline:
[Figure: penetration testing methodology diagram]
Reconnaissance and Vulnerability Identification
Using a variety of automated scanning tools (both open source and commercial) Coalfire Penetration
Testers will gather and classify all systems, open ports, and running services in the target environment.
The following types of vulnerabilities are typical of those identified and exploited during a penetration
test:
Weak Network or host Configuration
Missing patches
Use of insecure services and protocols
Wireless configuration or management weaknesses
Authentication Vulnerabilities such as default or easily guessable usernames and passwords
Database Server Vulnerabilities such as insecure object permissions
Web Application vulnerabilities
Exploitation
Coalfire will exploit vulnerabilities to gain access to systems or information contained on the system.
Exploitation techniques may include buffer overflows, command injection, or other methods that are
intended to gain information. All exploitation done in this phase is intended to gain additional access to
the platform being targeted in order to allow our testers to achieve the goals set collaboratively with your
team. Unless requested by the client, our penetration testing methodology does not include denial of
service attacks.
Pivoting
After the system has been exploited and Coalfire has achieved access to the system, we will use any
information or access that system grants to further attack systems that can get us closer to achieving our
goal.
Pilfering
Once access to systems that represent our goal is gained, Coalfire will gather evidence that indicates we have
achieved this level. This information may include screenshots of systems indicating the level of access
gained, copies of databases, application access, or other information as needed.
Tools
Tools Coalfire utilizes for its Network Penetration Tests include:
Tool | Description
Nexpose | Network discovery and vulnerability assessment tool by Rapid7.
Netsparker | Web Application Vulnerability assessment tool.
Metasploit | Open Source exploitation framework to compile and execute exploit code.
NMAP | Open source utility for network exploration and security auditing.
Burp Suite Pro | Web Application proxy and exploitation utility.
Additional tools | Various other open source and commercial tools are utilized during testing according to the technology in use in the environment.
Coalfire approaches Social Engineering as your adversary would. An effective social engineering attack will
be targeted, specific, and believable. We leverage a blended approach that includes telephone, email, and
physical attacks, often in conjunction with one another to provide the greatest impact.
Spear Phishing—Coalfire carries out a blended approach of pre-text calling and phishing emails to execute a
'spear phishing' attack. The goal is to emulate a real world adversary through creative and logical social
engineering attack methods. Coalfire's specially crafted pre-text calling efforts will attempt to convince the
targets that the phishing email is real and vice-versa. Information gathered from targets via physical, phishing
emails, and pre-text calling will be leveraged in subsequent attacks on targets in an attempt to prove validity
of Coalfire's requests and gain access to sensitive information.
• Phishing—Coalfire assessors will call a sample of 100 employees under a loosely scripted scenario in
an attempt to obtain sensitive information including information such as username and password
details. Examples include impersonating legitimate employees, contractors, and customers.
• Phishing—Coalfire Social Engineers will craft emails specifically emulating internal communications
or those from business partners attempting to coerce your staff to follow links to an external
website. This external website will be configured to have a look and feel of your internet or intranet
site and will be designed to gather sensitive authentication data from your users.
Deliverable:
The result of the penetration testing task is a detailed, narrative report on vulnerabilities discovered and
exploited including risk ratings, and recommendations for remediation. Coalfire will also provide a conference
call debriefing to discuss findings and remediation with the Company stakeholders.
Task 4-Web Application Penetration Test
Vulnerable web facing applications are rapidly becoming the most popular attack vector for a hacker.
Coalfire's Basic Application Penetration test is intended to find vulnerabilities that can be exploited to
compromise the application and the data it transmits, processes, or stores. This testing emulates an
anonymous, Internet-based attacker attempting to compromise your application by identifying coding errors,
business logic flaws, or web server configuration weaknesses.
Methodology
Coalfire uses automated vulnerability scanning tools to rapidly identify technical vulnerabilities within the web
application. Based on vulnerabilities identified, Coalfire will perform 'proof-of-concept' exploits to
demonstrate the feasibility of exploitation.
Testing will begin in a Black Box manner in order to emulate a malicious attacker with no credentials to your
environment. This testing will focus on the integrity of the application's public footprint only. If your
application contains a 'self-service' user provisioning component that can be completed without
administrator intervention, our testing will create this account and attempt to escalate permissions of the
account or access data belonging to another user account.
The OWASP Top Ten provides a representative sample of the types of vulnerabilities that are identified during
this assessment:
A1—Injection
A2—Cross-Site Scripting (XSS)
A3—Broken Authentication & Session Management
A4—Insecure Direct Object Reference
A5—Cross-Site Request Forgery (CSRF)
A6—Security Misconfiguration
A7—Insecure Cryptographic Storage
A8—Failure to Restrict URL Access
A9—Insufficient Transport Layer Protection
A10—Unvalidated Redirects & Forwards
Tools
Standard tools Coalfire utilizes for its Penetration Tests include:
Tenable Nessus - The industry's most widely deployed vulnerability scanner.
Nessus Professional features high-speed asset discovery, configuration auditing,
target profiling, malware detection, sensitive data discovery, and vulnerability
analysis.
Metasploit - is an open-sourced project managed by Rapid7. It provides useful
information to people who perform penetration testing, IDS signature
development, and exploit research. This project was created to provide
information on exploit techniques and to create a useful resource for exploit
developers and security professionals.
Burp Suite - is an integrated platform for performing security testing of web
applications. Its various tools work seamlessly together to support the entire testing
process.
Netsparker - an advanced and in-depth SQL injection and Cross Site scripting
testing tool incorporating a JavaScript engine that can parse, execute and analyze
the output of JavaScript. This allows Netsparker to automatically crawl, interpret
and scan modern web 2.0 and HTML5 web applications that rely on client-side
scripting.
Open Source - In addition to commercial products, Coalfire may leverage open
source tools including: Cain & Abel, L0phtcrack, Nmap, Nikto/Wikto, Superscan, SSL
Digger, Nessus, Microsoft Baseline Security Analyzer (MBSA), and Center for
Internet Security (CIS) Benchmarks.
Deliverable:
The result of this task is a detailed report on attack scenarios used, vulnerabilities discovered including risk
ratings, proof of penetration (screenshots) and recommendations for remediation. Coalfire will also provide
a conference call debriefing to discuss findings and remediation with Client stakeholders.
Project Fees
Coalfire will provide services under this engagement as time and materials not to exceed the budget shown in the
table below without prior authorization. Services will be provided on a mutually agreeable schedule.
Description | Not to Exceed
Project Charter, Project Management, Quality Management | Included
Enterprise Penetration Testing. External: up to 1100 external systems (potentially) available across 4/24 and 3/28 networks. Internal: up to 6000 internal systems | $33,100
Social Engineering: Pretext and Phishing (200 targets) | $6,900
Web Application Penetration Test | $4,900
Not-to-Exceed budget, includes travel (two man-weeks on-site testing; one day-trip for onsite executive briefing) | $44,900
Post-Remediation Re-testing and/or Advisory Services | $200 per hour
NOTE ON AVAILABLE FORENSIC SERVICES:
In the event the tasks in this Service Order identify the presence of compromised systems in your environment,
City of Fort Worth may engage Coalfire's IT forensics team on a time and materials basis. The subsequent
forensics engagement will be scoped and priced in a separate Service Order and delivered at a reduced rate
of $300 per hour (standard rate for forensic services is $350 per hour).
Requirements and Assumptions
This project assumes certain participation and limitations as described below and as otherwise identified by the
parties during the course of this engagement.
• Coalfire anticipates on-site activities will be performed at the City of Fort Worth's Fort Worth, Texas
headquarters.
• City of Fort Worth will provide to Coalfire as appropriate and necessary to complete the project tasks:
o Access to business staff, documentation, and facilities necessary for Coalfire to perform its services,
including access to corporate and, if any, hosted computer systems and network connections;
o A single point of contact to work with Coalfire throughout each phase of the project. The resource
will have technical knowledge about the in-scope systems, devices and networks, or will have access
to additional subject-matter experts within City of Fort Worth. The resource will serve as the focal
point for immediately notifying City of Fort Worth of discovered high-risk vulnerabilities and
findings;
o Introductions to and facilitated discussion with City of Fort Worth's service providers and third-party
business partners, which may be considered within scope; and
o Timely input throughout the project and will review progress at review meetings requested by
Coalfire.
• Cooperation, input, and access are critical to this project, and City of Fort Worth will provide
representation at all review meetings.
• City of Fort Worth acknowledges and agrees that: (i) any outcome of the services involving compliance
assessment is limited to a point-in-time examination of City of Fort Worth's compliance or non-
compliance status with the applicable standards or industry best practices set forth in the Scope of Work
and that the outcome of any audits, assessments or testing by, and the opinions, advice,
recommendations and/or certification by Coalfire does not constitute any form of representation,
warranty or guarantee that City of Fort Worth's systems are 100% secure from every form of attack, and
(ii) in assisting in the examination of City of Fort Worth's compliance or non-compliance status, Coalfire
relies upon accurate, authentic and complete information provided by City of Fort Worth as well as use
of certain sampling techniques.
• Travel - NTE expenses are included in the total fee.
• Any changes to the scope and/or assumptions will require joint written approval. This may extend the
duration of the engagement and/or require additional resources, resulting in additional cost to City of
Fort Worth.
• Advisory Services, including input for control design and interim testing during remediation, is offered
on a time-and-materials basis and not covered in any fixed-price service described herein.
• All testing activities included in this service order will be performed between 8am and 6pm Central
time, Monday through Friday unless specified in this service order. If testing is required outside these
hours and has not been specified in this service order, a change order will be required which will incur a
charge of ZMA of the total of this contract.
• Work will commence no sooner than two weeks from the date of execution of this service order, or at
the earliest mutually agreeable date.
Acceptance
This Service Order is subject to the terms and conditions of the State of Texas DIR Contract DIR-SDD-1899 by
and between Coalfire Systems, Inc. (Coalfire) and the State of Texas DIR.
Service Order: 15-W#U City of Ft Worth Web App & Pentest
City of Fort Worth, Texas
Signed:
Name:
Title:
Date:
Coalfire Systems, Inc.
Signed:
Name: Alan Fergu
Title: Executive Vice President
Date:
Kindly return signed Service Order to toe.barneSftoalfire.com Fax: (303)SS4-75SS
EXHIBIT B
PAYMENT SCHEDULE
Unless otherwise agreed, Coalfire will invoice the City on a monthly basis; terms will be net 30 days.
EXHIBIT C
MILESTONE/DELIVERABLE ACCEPTANCE FORM
Services Delivered:
Milestone/Deliverable Ref.#:
Milestone/Deliverable Name:
Unit Testing Completion Date:
Milestone/Deliverable Target Completion Date:
Milestone/Deliverable Actual Completion Date:
Approval Date:
Comments(if needed):
Approved by Consultant: Approved by City Department Director:
Signature: Signature:
Printed Name: Printed Name:
Title: Title:
Date: Date:
For Director Use Only
Contracted Payment Amount:
Adjustments,including penalties:
Approved Payment Amount:
EXHIBIT D
NETWORK ACCESS AGREEMENT
1. The Network. The City owns and operates a computing environment and network (collectively the
"Network"). Contractor wishes to access the City's network in order to provide Penetration Testing Services. In
order to provide the necessary support, Contractor needs access to Systems in scope for this test.
2. Grant of Limited Access. Contractor is hereby granted a limited right of access to the City's Network for
the sole purpose of providing Network Penetration Testing Services. Such access is granted subject to the terms and
conditions set forth in this Agreement and applicable provisions of the City's Administrative Regulation D-7 (Electronic
Communications Resource Use Policy), of which such applicable provisions are hereby incorporated by reference
and made a part of this Agreement for all purposes herein and are available upon request.
3. Network Credentials. The City will provide Contractor with Network Credentials consisting of user IDs
and passwords unique to each individual requiring Network access on behalf of the Contractor. Access rights will
automatically expire one (1) year from the date of this Agreement. If this access is being granted for purposes of
completing services for the City pursuant to a separate contract, then this Agreement will expire at the completion of
the contracted services, or upon termination of the contracted services, whichever occurs first. This Agreement will
be associated with the Services designated below.
❑ Services are being provided in accordance with City Secretary Contract No.
❑ Services are being provided in accordance with City of Fort Worth Purchase Order No.
☒ Services are being provided in accordance with the Agreement to which this Access Agreement is attached.
❑ No services are being provided pursuant to this Agreement.
4. Renewal. At the end of the first year and each year thereafter, this Agreement may be renewed annually if
the following conditions are met:
4.1 Contracted services have not been completed.
4.2 Contracted services have not been terminated.
4.3 Within the thirty (30) days prior to the scheduled annual expiration of this Agreement, the
Contractor has provided the City with a current list of its officers, agents, servants, employees or
representatives requiring Network credentials.
Notwithstanding the scheduled contract expiration or the status of completion of services, Contractor shall provide
the City with a current list of officers, agents, servants, employees or representatives that require Network
credentials on an annual basis. Failure to adhere to this requirement may result in denial of access to the Network
and/or termination of this Agreement.
5. Network Restrictions. Contractor officers, agents, servants, employees or representatives may not share
the City-assigned user IDs and passwords. Contractor acknowledges, agrees and hereby gives its authorization to the
City to monitor Contractor's use of the City's Network in order to ensure Contractor's compliance with this
Agreement. A breach by Contractor, its officers, agents, servants, employees or representatives, of this Agreement
and any other written instructions or guidelines that the City provides to Contractor pursuant to this Agreement shall
be grounds for the City immediately to deny Contractor access to the Network and Contractor's Data, terminate the
Agreement, and pursue any other remedies that the City may have under this Agreement or at law or in equity.
5.1 Notice to Contractor Personnel — For purposes of this section, Contractor Personnel shall include
all officers, agents, servants, employees, or representatives of Contractor. Contractor shall be responsible for
specifically notifying all Contractor Personnel who will provide services to the City under this agreement of the
following City requirements and restrictions regarding access to the City's Network:
(a) Contractor shall be responsible for any City-owned equipment assigned to Contractor Personnel,
and will immediately report the loss or theft of such equipment to the City
(b) Contractor, and/or Contractor Personnel, shall be prohibited from connecting personally-owned
computer equipment to the City's Network
(c) Contractor Personnel shall protect City-issued passwords and shall not allow any third party to
utilize their password and/or user ID to gain access to the City's Network
(d) Contractor Personnel shall not engage in prohibited or inappropriate use of Electronic
Communications Resources as described in the City's Administrative Regulation D7
(e) Any document created by Contractor Personnel in accordance with this Agreement is considered
the property of the City and is subject to applicable state regulations regarding public information
(f) Contractor Personnel shall not copy or duplicate electronic information for use on any non-City
computer except as necessary to provide services pursuant to this Agreement
(g) All network activity may be monitored for any reason deemed necessary by the City
(h) A Network user ID may be deactivated when the responsibilities of the Contractor Personnel no
longer require Network access
6. Termination. In addition to the other rights of termination set forth herein, the City may terminate this
Agreement at any time and for any reason with or without notice, and without penalty to the City. Upon termination
of this Agreement, Contractor agrees to remove entirely any client or communications software provided by the City
from all computing equipment used and owned by the Contractor, its officers, agents, servants, employees and/or
representatives to access the City's Network.
7. Information Security. Contractor agrees to make every reasonable effort in accordance with accepted
security practices to protect the Network credentials and access methods provided by the City from unauthorized
disclosure and use. Contractor agrees to notify the City immediately upon discovery of a breach or threat of breach
which could compromise the integrity of the City's Network, including but not limited to, theft of Contractor-owned
equipment that contains City-provided access software, termination or resignation of officers, agents, servants,
employees or representatives with access to City-provided Network credentials, and unauthorized use or sharing of
Network credentials.
ACCEPTED AND AGREED:
CITY OF FORT WORTH: CONTRACTOR NAME:
By: By:
Susan Alanis Name: Alan Ferguson
Assistant City Manager Title: Executive Vice President
Date: Date: August 1, 2015
ATTEST: ATTEST:
By:
City Secretary
APPROVED AS TO FORM
Assistant City Attorney
M&C: none required
OFFICIAL RECORD
CITY SECRETARY
FT. WORTH, TX
EXHIBIT E
VERIFICATION OF SIGNATURE AUTHORITY
Full Legal Name of Company: Coalfire Systems, Inc.
Legal Address: 361 Centennial Parkway, #150, Louisville, CO 80027
Services to be provided: Network Penetration Testing Services
Execution of this Signature Verification Form ("Form") hereby certifies that the following individuals and/or
positions have the authority to legally bind the Company and to execute any agreement, amendment or change order
on behalf of Company. Such binding authority has been granted by proper order, resolution, ordinance or other
authorization of Company. The City is fully entitled to rely on the warranty and representation set forth in this Form
in entering into any agreement or amendment with Company. Company will submit an updated Form within ten (10)
business days if there are any changes to the signatory authority. The City is entitled to rely on any current executed
Form until it receives a revised Form that has been properly executed by the Company.
1. Name: Alan Ferguson
Position: Executive Vice President
Signature
2. Name:
Position:
Signature
3. Name:
Position:
Signature
Name: Steve Deitsch
Signature of President/CEO
Other Title: CFO
Date: August 1, 2015
EXHIBIT F
DIR-SDD-1899
DIR Contract No. DIR-SDD-1899
Vendor Contract No.
STATE OF TEXAS
DEPARTMENT OF INFORMATION RESOURCES
CONTRACT FOR SERVICES
COALFIRE SYSTEMS, INC.
1. Introduction
A. Parties
This Contract for Services is entered into between the State of Texas, acting by and through
the Department of Information Resources (hereinafter "DIR") with its principal place of
business at 300 West 15th Street, Suite 1300, Austin, Texas 78701, and Coalfire Systems,
Inc. (hereinafter "Vendor"), with its principal place of business at 361 Centennial Parkway,
Suite 150, Louisville, Colorado 80027.
B. Compliance with Procurement Laws
This Contract is the result of compliance with applicable procurement laws of the State of
Texas. DIR issued a solicitation on the Comptroller of Public Accounts' Electronic State
Business Daily, Request for Offer (RFO) DIR-SDD-TMP-171, on September 29, 2011, for
Information Technology Security (ITS) Hardware, Software and Services. Upon execution
of this Contract, a notice of award for RFO DIR-SDD-TMP-171 shall be posted by DIR
on the Electronic State Business Daily.
C. Order of Precedence
This Contract; Appendix A, Standard Terms and Conditions For Services Contracts;
Appendix B, Vendor's Historically Underutilized Businesses Subcontracting Plan;
Appendix C, Pricing Index; Exhibit 1, Vendor's Response to RFO DIR-SDD-TMP-171,
including all addenda; and Exhibit 2, RFO DIR-SDD-TMP-171, including all addenda; are
incorporated by reference and constitute the entire agreement between DIR and Vendor. In
the event of a conflict between the documents listed in this paragraph, the controlling
document shall be this Contract, then Appendix A, then Appendix B, then Appendix C,
then Exhibit 1, and finally Exhibit 2. In the event and to the extent any provisions contained
in multiple documents address the same or substantially the same subject matter but do not
actually conflict, the more recent provisions shall be deemed to have superseded earlier
provisions.
2. Term of Contract
The term of this Contract shall be two (2) years commencing on the last date of approval
by DIR and Vendor. Prior to expiration of the original term, DIR and Vendor may extend
this Contract, upon mutual agreement, for up to two (2) optional one-year terms. Protracted
contract negotiations may, in DIR's sole discretion, result in fewer optional terms.
3. Service Offerings
Services available under this Contract are limited to the IT Security Services as specified
in Appendix C, Pricing Index. Vendor may incorporate changes to their services offering;
however, any changes must be within the scope of services awarded based on the posting
described in Section 1.B above. Vendor may not add services which were not included in
the Vendor's response to the solicitation described in Section 1.B above.
4. Pricing
A. Manufacturer's Suggested Retail Price (MSRP)
MSRP is defined as the sales price suggested by the manufacturer or publisher of the
service.
B. Customer Discount
The minimum Customer discount for all services will be the percentage off MSRP as
specified in Appendix C, Pricing Index. Customer Discount includes the DIR
administrative fee specified in Section 5.
C. Customer Price
1) The price to the Customer shall be calculated as follows:
Customer Price = MSRP - Customer Discount
2) Customers purchasing services under this Contract may negotiate more
advantageous pricing or participate in special promotional offers. In such event, a copy
of such better offerings shall be furnished to DIR upon request.
3) If pricing for products or services available under this Contract are provided at a
lower price to: (i) an eligible Customer who is not purchasing those products or services
under this Contract or (ii) any other entity or consortia authorized by Texas law to sell
said products and services to eligible Customers, then the available Customer Price in
this Contract shall be adjusted to that lower price. This requirement applies to products
or services quoted by Vendor or its resellers for a quantity of one (1) under like terms
and conditions, and does not apply to volume or special pricing purchases. This
Contract shall be amended within ten (10) business days to reflect the lower price.
D. DIR Administrative Fee
The administrative fee specified in Section 5 below shall not be broken out as a separate
line item when pricing or invoice is provided to Customer.
Section 151.309, Texas Tax Code, Customers under this Contract are exempt
from the assessment of State sales, use and excise taxes. Further, Customers under this
Contract are exempt from Federal Excise Taxes, 26 United States Code Sections
4253(i) and (j).
F. Travel Expense Reimbursement
Pricing for services provided under this Contract are exclusive of any travel expenses
that may be incurred in the performance of those services. Travel expense
reimbursement may include personal vehicle mileage or commercial coach
transportation, hotel accommodations, parking and meals; provided, however, the
amount of reimbursement by Customers shall not exceed the amounts authorized for
state employees as adopted by each Customer; and provided, further, that all
reimbursement rates shall not exceed the maximum rates established for state
employees under the current State Travel Management Program
(hup: procurement prog stamp ). Travel time may not be
included as part of the amounts payable by Customer for any services rendered under
this Contract. The DIR administrative fee specified in Section 5 below is not applicable
to travel expense reimbursement. Anticipated travel expenses must be pre-approved in
writing by Customer.
G. Changes to Prices
Vendor may change the price of any service at any time, based upon changes to the
MSRP, but discount levels shall remain consistent with the discount levels specified in
this Contract. Price decreases shall take effect automatically during the term of this
Contract and shall be passed onto the Customer immediately.
5. DIR Administrative Fee
A) The administrative fee to be paid by the Vendor to DIR based on the dollar value of all
sales to Customers pursuant to this Contract is one half of one percent (.50%). Payment
will be calculated for all sales, net of returns and credits. For example, the administrative
fee for sales totaling $100,000 shall be $500.00.
B) All prices quoted to Customers shall include the administrative fee. DIR reserves the
right to change this fee upwards or downwards during the term of this Contract, upon
written notice to Vendor without further requirement for a formal contract amendment.
Any change in the administrative fee shall be incorporated in the price to the Customer.
6. Notification
All notices under this Contract shall be sent to a party at the respective address indicated
below.
If sent to the State:
Robin Abbott
Contract and Vendor Management
Department of Information Resources
300 W. 15th St., Suite 1300
Austin, Texas 78701
Phone: (512) 475-4700
Facsimile: (512) 475-4759
If sent to the Vendor:
Jim Fish
Coalfire Systems, Inc.
361 Centennial Parkway, Suite 150
Louisville, Colorado 80027
Phone: (977) 224-8077 Ext 7501
Facsimile: (303) 554-7555
Email: iimStshiyooalfue.com
7. Software License and Service Agreements
A. Shrink/Click-wrap License Agreement
Regardless of any other provision or other license terms which may be issued by
Vendor after the effective date of this Contract, and irrespective of whether any such
provisions have been proposed prior to or after the issuance of a Purchase Order for
products licensed under this Contract, or the fact that such other agreement may be
affixed to or accompany software upon delivery (shrink-wrap), the terms and
conditions set forth in this Contract shall supersede and govern the license terms
between Customers and Vendor. It is the Customer's responsibility to read the
Shrink/Click-wrap License Agreement and determine if the Customer accepts the
license terms as amended by this Contract. If the Customer does not agree with
the license terms, Customer shall be responsible for negotiating with the reseller
to obtain additional changes in the Shrink/Click-wrap License Agreement
language from the software publisher.
8. Intellectual Property Matters
A. Definitions
1. "Work Product" means any and all deliverables produced by Vendor for Customer
under a Statement of Work issued pursuant to this Contract, including any and all
tangible or intangible items or things that have been or will be prepared, created,
developed, invented or conceived at any time following the effective date of the
Contract, including but not limited to any (i) works of authorship (such as manuals,
instructions, printed material, graphics, artwork, images, illustrations, photographs,
computer programs, computer software, scripts, object code, source code or other
programming code, HTML code, flow charts, notes, outlines, lists, compilations,
manuscripts, writings, pictorial materials, schematics, formulae, processes, algorithms,
data, information, multimedia files, text web pages or web sites, other written or
machine readable expression of such works fixed in any tangible media, and all other
copyrightable works), (ii) trademarks, service marks, trade dress, trade names, logos,
or other indicia of source or origin, (iii) ideas, designs, concepts, personality rights,
methods, processes, techniques, apparatuses, inventions, formulas, discoveries, or
improvements, including any patents, trade secrets and know-how, (iv) domain names,
(v) any copies, and similar or derivative works to any of the foregoing, (vi) all
documentation and materials related to any of the foregoing, (vii) all other goods,
services or deliverables to be provided to Customer under the Contract or a Statement
of Work, and (viii) all Intellectual Property Rights in any of the foregoing, and which
are or were created, prepared, developed, invented or conceived for the use or benefit
of Customer in connection with this Contract or a Statement of Work, or with funds
appropriated by or for Customer or Customer's benefit: (a) by any Vendor personnel
or Customer personnel, or (b) any Customer personnel who then became personnel to
Vendor or any of its affiliates or subcontractors, where, although creation or reduction-
to-practice is completed while the person is affiliated with Vendor or its personnel, any
portion of same was created, invented or conceived by such person while affiliated with
Customer.
2. "Intellectual Property Rights" means the worldwide legal rights or interests
evidenced by or embodied in: (i) any idea, design, concept, personality right, method,
process, technique, apparatus, invention, discovery, or improvement, including any
patents, trade secrets, and know-how; (ii) any work of authorship, including any
copyrights, moral rights or neighboring rights; (iii) any trademark, service mark, trade
dress, trade name, or other indicia of source or origin; (iv) domain name registrations;
and (v) any other proprietary or similar rights. The Intellectual Property Rights of a
party include all worldwide legal rights or interests that the party may have acquired
by assignment or license with the right to grant sublicenses.
3. "Statement of Work" means a document signed by Customer and Vendor describing
a specific set of activities and/or deliverables, which may include Work Product and
Intellectual Property Rights, that Vendor is to provide Customer, issued pursuant to
the Contract.
4. "Third Party IP" means the Intellectual Property Rights of any third party not a party
to this Contract, and which is not directly or indirectly providing any goods or services
to Customer under this Contract.
5. "Vendor IP" shall mean all tangible or intangible items or things, including the
Intellectual Property Rights therein, created or developed by Vendor (a) prior to
providing any Services or Work Product to Customer and prior to receiving any
documents, materials, information or funding from or on behalf of Customer relating
to the Services or Work Product, or (b) after the Effective Date of the Contract if such
tangible or intangible items or things were independently developed by Vendor outside
Vendor's provision of Services or Work Product for Customer hereunder and were not
created, prepared, developed, invented or conceived by any Customer personnel who
then became personnel to Vendor or any of its affiliates or subcontractors, where,
although creation or reduction-to-practice is completed while the person is affiliated
with Vendor or its personnel, any portion of same was created, invented or conceived
by such person while affiliated with Customer.
B. Ownership.
As between Vendor and Customer, the Work Product and Intellectual Property Rights
therein are and shall be owned exclusively by Customer, and not Vendor. Vendor
specifically agrees that the Work Product shall be considered "works made for hire" and
that the Work Product shall, upon creation, be owned exclusively by Customer. To the
extent that the Work Product, under applicable law, may not be considered works made for
hire, Vendor hereby agrees that the Contract effectively transfers, grants, conveys, assigns,
and relinquishes exclusively to Customer all right, title and interest in and to all ownership
rights in the Work Product, and all Intellectual Property Rights in the Work Product,
without the necessity of any further consideration, and Customer shall be entitled to obtain
and hold in its own name all Intellectual Property Rights in and to the Work Product.
Vendor acknowledges that Vendor and Customer do not intend Vendor to be a joint author
of the Work Product within the meaning of the Copyright Act of 1976. Customer shall
have access, during normal business hours (Monday thru Friday, 8AM to 5PM) and upon
reasonable prior notice to Vendor, to all Vendor materials, premises and computer files
containing the Work Product. Vendor and Customer, as appropriate, will cooperate with
one another and execute such other documents as may be reasonably appropriate to achieve
the objectives herein. No license or other right is granted hereunder to any Third Party IP,
except as may be incorporated in the Work Product by Vendor.
C. Further Actions.
Vendor, upon request and without further consideration, shall perform any acts that may
be deemed reasonably necessary or desirable by Customer to evidence more fully the
transfer of ownership and/or registration of all Intellectual Property Rights in all Work
Product to Customer to the fullest extent possible, including but not limited to the
execution, acknowledgement and delivery of such further documents in a form determined
by Customer. In the event Customer shall be unable to obtain Vendor's signature due to
the dissolution of Vendor or Vendor's unreasonable failure to respond to Customer's
repeated requests for such signature on any document reasonably necessary for any purpose
set forth in the foregoing sentence, Vendor hereby irrevocably designates and appoints
Customer and its duly authorized officers and agents as Vendor's agent and Vendor's
attorney-in-fact to act for and in Vendor's behalf and stead to execute and file any such
document and to do all other lawfully permitted acts to further any such purpose with the
same force and effect as if executed and delivered by Vendor, provided however that no
such grant of right to Customer is applicable if Vendor fails to execute any document due
to a good faith dispute by Vendor with respect to such document. It is understood that such
power is coupled with an interest and is therefore irrevocable. Customer shall have the full
and sole power to prosecute such applications and to take all other action concerning the
Work Product, and Vendor shall cooperate, at Customer's sole expense, in the preparation
and prosecution of all such applications and in any legal actions and proceedings
concerning the Work Product.
D. Waiver of Moral Rights.
Vendor hereby irrevocably and forever waives, and agrees never to assert, any Moral
Rights in or to the Work Product which Vendor may now have or which may accrue to
Vendor's benefit under U.S. or foreign copyright or other laws and any and all other
residual rights and benefits which arise under any other applicable law now in force or
hereafter enacted. Vendor acknowledges the receipt of equitable compensation for its
assignment and waiver of such Moral Rights. The term "Moral Rights" shall mean any
and all rights of paternity or integrity of the Work Product and the right to object to any
modification, translation or use of the Work Product, and any similar rights existing under
the judicial or statutory law of any country in the world or under any treaty, regardless of
whether or not such right is denominated or referred to as a moral right.
E. Confidentiality.
All documents, information and materials forwarded to Vendor by Customer for use in and
preparation of the Work Product, shall be deemed the confidential information of
Customer, and subject to the license granted by Customer to Vendor under sub-paragraph
H. hereunder. Vendor shall not use, disclose, or permit any person to use or obtain the
Work Product, or any portion thereof, in any manner without the prior written approval of
Customer.
F. Injunctive Relief.
The Contract is intended to protect Customer's proprietary rights pertaining to the Work
Product, and the Intellectual Property Rights therein, and any misuse of such rights would
cause substantial and irreparable harm to Customer's business. Therefore, Vendor
acknowledges and stipulates that a court of competent jurisdiction may immediately enjoin
any material breach of the intellectual property, use, and confidentiality provisions of this
Contract, upon a request by Customer, without requiring proof of irreparable injury as same
should be presumed.
G. Return of Materials Pertaining to Work Product.
Upon the request of Customer, but in any event upon termination or expiration of this
Contract or a Statement of Work, Vendor shall surrender to Customer all documents and
things pertaining to the Work Product, including but not limited to drafts, memoranda,
notes, records, drawings, manuals, computer software, reports, data, and all other
documents or materials (and copies of same) generated or developed by Vendor or
furnished by Customer to Vendor, including all materials embodying the Work Product,
any Customer confidential information, or Intellectual Property Rights in such Work
Product, regardless of whether complete or incomplete. This section is intended to apply
to all Work Product as well as to all documents and things furnished to Vendor by Customer
or by anyone else that pertains to the Work Product.
H. Vendor License to Use.
Customer hereby grants to Vendor a non-transferable, non-exclusive, royalty-free, fully
paid-up license to use any Work Product solely as necessary to provide the Services to
Customer. Except as provided in this Section, neither Vendor nor any Subcontractor shall
have the right to use the Work Product in connection with the provision of services to its
other customers without the prior written consent of Customer, which consent may be
withheld in Customer's sole discretion.
I. Third-Party Underlying and Derivative Works.
To the extent that any Vendor IP or Third Party IP are embodied or reflected in the Work
Product, or are necessary to provide the Services, Vendor hereby grants to the Customer,
or shall obtain from the applicable third party for Customer's benefit, the irrevocable,
perpetual, non-exclusive, worldwide, royalty-free right and license, for Customer's internal
business purposes only, to (i) use, execute, reproduce, display, perform, distribute copies
of, and prepare derivative works based upon such Vendor IP or Third Party IP and any
derivative works thereof embodied in or delivered to Customer in conjunction with the
Work Product, and (ii) authorize others to do any or all of the foregoing. Vendor agrees to
notify Customer on delivery of the Work Product or Services if such materials include any
Third Party IP. On request, Vendor shall provide Customer with documentation indicating
a third party's written approval for Vendor to use any Third Party IP that may be embodied
or reflected in the Work Product.
J. Agreement with Subcontracts.
Vendor agrees that it shall have written agreement(s) that are consistent with the provisions
hereof related to Work Product and Intellectual Property Rights with any employees,
agents, consultants, contractors or subcontractors providing Services or Work Product
pursuant to the Contract, prior to their providing such Services or Work Product, and that
it shall maintain such written agreements at all times during performance of this Contract,
which are sufficient to support all performance and grants of rights by Vendor. Copies of
such agreements shall be provided to the Customer promptly upon request.
K. License to Customer.
Vendor grants to Customer, a perpetual, irrevocable, royalty free license, solely for the
Customer's internal business purposes, to use, copy, modify, display, perform (by any
means), transmit and prepare derivative works of any Vendor IP embodied in or delivered
to Customer in conjunction with the Work Product. The foregoing license includes the
right to sublicense third parties, solely for the purpose of engaging such third parties to
assist or carryout Customer's internal business use of the Work Product. Except for the
preceding license, all rights in Vendor IP remain in Vendor.
L. Vendor Development Rights.
To the extent not inconsistent with Customer's rights in the Work Product or as set forth
herein, nothing in this Contract shall preclude Vendor from developing for itself, or for
others, materials which are competitive with those produced as a result of the Services
provided hereunder, provided that no Work Product is utilized, and no Intellectual Property
Rights of Customer therein are infringed by such competitive materials. To the extent that
Vendor wishes to use the Work Product, or acquire licensed rights in certain Intellectual
Property Rights of Customer therein in order to offer competitive goods or services to third
parties, Vendor and Customer agree to negotiate in good faith regarding an appropriate
license and royalty agreement to allow for such.
9. Authorized Exceptions to Appendix A, Standard Terms and Conditions for Product
and Related Services Contracts.
No exceptions have been agreed to by DIR and Vendor.
(This space intentionally left blank.)
This Contract is executed to be effective as of the date of last signature.
Coalfire Systems, Inc.
Authorized By: Signature on file
Name: Alan Ferguson
Title: Executive Vice President
Date: W29/12
The State of Texas, acting by and through the Department of Information Resources
Authorized By: Todd Kimbriel on behalf of Carl Marsh
Name: Carl Marsh
Title: Chief Operating Officer
Date: 9/12/12
Office of General Counsel: D.R. Brown 9/6/12
AMENDMENT NUMBER 2
TO
CONTRACT NO. DIR-SDD-1899
BETWEEN
THE STATE OF TEXAS, DEPARTMENT OF INFORMATION RESOURCES
AND
COALFIRE SYSTEMS, INC.
This Amendment Number 2 to Contract Number DIR-SDD-1899 ("Contract") is between the
Department of Information Resources ("DIR") and Coalfire Systems, Inc. ("Vendor"). DIR and
Vendor agree to modify the terms and conditions of the Contract as follows:
1. Contract, Section 2. Term of Contract, is hereby amended as follows:
DIR and Vendor hereby agree to extend the term of the Contract for one (1) year through
September 14, 2015 or until terminated pursuant to the clauses contained in the Contract,
Appendix A, Section 10.B. Prior to expiration of the term, DIR and Vendor may extend the
Contract, upon mutual agreement, for one (1) additional one-year term.
2. Contract, Section 4. Pricing, is hereby restated in its entirety as follows:
4. Pricing
Pricing to the DIR Customer shall be as set forth in Appendix A, Standard Terms and
Conditions For Services Contracts, Section 7, Pricing, Purchase Orders, Invoices and
Payments, and as set forth in Appendix C, Pricing Index, and shall include the DIR
Administrative Fee.
3. Contract, Section 4. Pricing, A - G is deleted and is hereby restated in its entirety in
Appendix A, Standard Terms and Conditions For Services Contracts, Section 7, Pricing,
Purchase Orders, Invoices and Payments dated 05/02/14 as attached hereto.
4. Contract, Section 5. DIR Administrative Fee is hereby restated in its entirety as follows:
A) The administrative fee to be paid by the Vendor to DIR based on the dollar value of all
sales to Customers pursuant to this Contract is three quarters of one percent (.75%). Payment
will be calculated for all sales, net of returns and credits. For example, the administrative fee
for sales totaling $100,000 shall be $750.00. The effective date of this change will be
November 1, 2014.
B) All prices quoted to Customers shall include the administrative fee. DIR reserves the right
to change this fee upwards or downwards during the term of this Contract, upon written notice
to Vendor without further requirement for a formal contract amendment. Any change in the
administrative fee shall be incorporated by Vendor in the price to the Customer.
5. Contract, Section 6. Notification is hereby restated in its entirety as follows:
6. Notification
All notices under this Contract shall be sent to a party at the respective address indicated
below.
If sent to the State:
Dana L. Collins, CITM, CTCM
Manager, Contract and Vendor Management
Department of Information Resources
300 W. 15th St., Suite 1300
Austin, Texas 78701
Phone: (512) 936-2233
Facsimile: (512) 475-4759
Email: dana.collins@dir.texas.gov
If sent to the Vendor:
Joe Karnes
Coalfire Systems, Inc.
14800 Landmark Blvd., Suite 220
Dallas, Texas 75254
Phone: (972) 763-8012
Facsimile: (303) 872-4151
Email: Joe.Karnes@coalfire.com
6. Contract, Section 7. Software License and Service Agreements, is hereby amended by
adding B. Conflicting or Additional Terms as follows:
B. Conflicting or Additional Terms
In the event that conflicting or additional terms in Vendor Software License Agreements,
Shrink/Click Wrap License Agreements, Service Agreements or linked or supplemental
documents amend or diminish the rights of DIR Customers or the State, such conflicting or
additional terms shall not take precedence over the terms of this Contract.
7. Contract, Section 8. Intellectual Property Matters, A-L is deleted and is hereby restated
in its entirety in Appendix A, Standard Terms and Conditions For Services Contracts,
Section 4. Intellectual Property Matters A-L dated 05/02/14 as attached hereto.
8. Appendix A, Standard Terms and Conditions for Services Contracts dated 6012, is
hereby replaced in its entirety with Appendix A, Standard Terms and Conditions for
Services Contracts dated 05/02/14, as attached.
9. Authorized Exceptions to Appendix A, Standard Terms and Conditions for Services
Contracts.
A. Authorized Exceptions to Appendix A, Standard Terms and Conditions For
Services Contracts, Appendix A, Section 8, Contract Administration, B. Reporting
and Administrative Fees, 2) Detailed Monthly Reporting dated 05/02/14 is hereby
revised by adding the second paragraph below. Section 9 A) B. 2), as revised, in its
entirety reads as follows:
2) Detailed Monthly Report
Vendor shall electronically provide DIR with a detailed monthly report in the format
required by DIR showing the dollar volume of any and all sales under the Contract for
the previous month period. Reports shall be submitted to the DIR ICT Cooperative
Contracts E-Mail Box at ict.sales@dir.texas.gov. Reports are due on the fifteenth
(15th) calendar day after the close of the previous month period. The monthly report
shall include, per transaction, the detailed sales for the period, Customer name, invoice
date, invoice number, description, quantity, manufacturer's suggested retail price, unit
price, extended price, Customer Purchase Order number, contact name, Customer's
complete billing address, and other information as required by DIR. Each report must
contain all information listed above per transaction or the report will be rejected and
returned to the Vendor for correction in accordance with this section.
If Vendor submits three (3) monthly sales reports or administrative fee payments late
within a 12-month period, DIR reserves the right to suspend or terminate this Contract
for cause per Section 10.13.4.a. of Appendix A, Termination for Cause. If Vendor is
late with its monthly sales report, Vendor will pay DIR one hundred dollars ($100) per
day ("Late Payment"), for each day the monthly report is late, up to ten (10) days per
month for a maximum monthly Late Payment amount of $1000 for late monthly sales
reports. If Vendor is late with its monthly administrative fee payment, Vendor will pay
DIR one hundred dollars ($100) per day ("Late Payment"), for each day the monthly
administrative fee payment is late, up to ten (10) days per month for a maximum
monthly Late Payment amount of $1000 for late monthly administrative fee payments.
DIR does not waive any other contractual remedy pursuant to this Contract.
10. Appendix C, Pricing Index is hereby restated in its entirety and replaced with the attached
Appendix C Pricing Index.
All other terms and conditions of the Contract not specifically modified herein shall remain in
full force and effect. In the event of a conflict among provisions, the order of precedence shall
be this Amendment 2, then Amendment 1 and then the Contract.
IN WITNESS WHEREOF, the Parties hereby execute this amendment to be effective as of the
date of the last signature, but in all events, no later than September 14, 2014.
Coalfire Systems, Inc.
Authorized By: Signature on file
Name: Alan Ferguson
Title: Executive Vice President
Date: 10/22/14
The State of Texas, acting by and through the Department of Information Resources
Authorized By: Signature on file
Name: Karen Robinson
Title: Executive Director
Date: 10/30/14
General Counsel: Mark Hmranl 111/28/1.1
APPENDIX C
PRICING INDEX
DIR CONTRACT NO. DIR-SDD-1899
Amendment #2
COALFIRE SYSTEMS, INC.

SERVICE DESCRIPTION                                                                          CUSTOMER DISCOUNT

ITS SERVICES
Regulatory Compliance Assessments                                                            23.50%
Regulatory Compliance Assessments - HIPAA and HITECH Act for Healthcare                      23.50%
Regulatory Compliance Assessments - Payment Card Industry Data Security Standard (PCI DSS)   23.50%
Regulatory Compliance Assessments - North American Electric Reliability Corporation (NERC)   23.50%
General IT Security and Risk Assessments                                                     13.50%
Vulnerability Scanning                                                                       23.50%
Information Security Business Case and Security Program Development                          23.50%
Compliance Advisory                                                                          23.50%
IT Governance Advisory                                                                       23.50%
Application Validation                                                                       23.50%
Penetration Testing                                                                          23.50%
Vulnerability Scanning                                                                       23.50%
Incident Response and Computer Forensics                                                     23.50%

TECHNICAL SERVICES
Training                                                                                     23.50%