The URL can be used to link to this page

Home My WebLink AboutContract 59952-A2Second Amendment to Fort Worth City Secretary Contract No. 59952 Page 1 of 3 SECOND AMENDMENT TO FORT WORTH CITY SECRETARY CONTRACT NO. 59952 This Second Amendment to Fort Worth City Secretary Contract No. 59952 (“Second Amendment”) is made between the City of Fort Worth (“City”), a municipal corporation and ePlus Technology, Inc., a Virginia Corporation, (“Vendor”). City and Vendor are each individually referred to herein as a “party” and collectively referred to as the “parties.” WHEREAS, City and Vendor entered into an Agreement identified as City Secretary Contract No. 59952, effective August 8, 2023 (the “Agreement”); WHEREAS, it is the collective desire of both City and Vendor to amend the Agreement to include Exhibit A-1, the Statement of Work for security and internal penetration testing of the City’s external and internal networks for Vendor to identify vulnerabilities and potential attack vectors and to provide recommendations for remediation, in the amount of $11,220.00; and WHEREAS, the total annual contract amount will remain at an amount not to exceed $100,000.00. NOW THEREFORE, known by all these present, City and Vendor, acting herein by and through their duly authorized representatives, agree to the following terms, which amend the Agreement as follows: I. AMENDMENTS 1. The Agreement is hereby amended to include the Statement of Work, attached in this Second Amendment as Exhibit A-1 and incorporated herein for all purposes, for security and internal penetration testing of the City’s external and internal networks for Vendor to identify vulnerabilities and potential attack vectors and to provide recommendations for remediation, in the amount of $11,220.00. 2. The total annual amount of the Agreement will remain at an amount not to exceed $100,000.00. II. MISCELLANEOUS All other terms, provisions, conditions, covenants and recitals of the Agreement not expressly amended herein shall remain in full force and effect. [Signature Page Follows] Second Amendment to Fort Worth City Secretary Contract No. 59952 Page 2 of 3 Executed effective as of the date signed by the Assistant City Manager below. FORT WORTH: City of Fort Worth By: ___________________________ Name: Dianna Giordano Title: Assistant City Manager Date: ___________________________ Approval Recommended: By: ___________________________ Name: Kevin Gunn Title: Director, IT Solutions Department Attest: By: ___________________________ Name: Jannette S. Goodall Title: City Secretary Contract Compliance Manager: By signing I acknowledge that I am the person responsible for the monitoring and administration of this contract, including ensuring all performance and reporting requirements. By: ___________________________ Name: Sudong Lee Title: Sr. IT Solutions Manager Approved as to Form and Legality: By: ___________________________ Name: Hye Won Kim Title: Assistant City Attorney Contract Authorization: M&C: N/A Approval Date: N/A Form 1295: N/A VENDOR: ePlus Technology, Inc. By: ___________________________ Name: ___________________________ Title: ___________________________ Date: ___________________________ Second Amendment to Fort Worth City Secretary Contract No. 59952 Page 3 of 3 Exhibit A-1 Statement of Work (Attached) 6/17/2025 City of Fort Worth-Water Department Penetration Test-164601 PAGE 1 STATEMENT OF WORK City of Fort Worth Statement of Work City of Fort Worth Water Department Penetration Test SOW# City of Fort Worth-Water Department Penetration Test-164601 6/17/2025 Jason Lyssy 100 Fort Worth Trail, Fort Worth, TX 76102 817-392-2476 Jason.Lyssy@FortWorthTexas.gov ePlus Technology, inc. | www.eplus.com 6/17/2025 City of Fort Worth-Water Department Penetration Test-164601 PAGE 2 STATEMENT OF WORK City of Fort Worth 1.0 INTRODUCTION AND EXECUTIVE SUMMARY This Agreement and Statemen June 17th, 2025 City of Fort Worth . This SOW is governed by the TIPS 230105 Contract for the provision of professional or consulting 1.1 EXECUTIVE SUMMARY OF THE SERVICES Customer has engaged ePlus to provide security and internal penetration testing of their external and internal network. ePlus will attempt to identify the vulnerabilities and potential attack vectors and provide recommendations for remediation. 1.2 DEFINITIONS Deliverable: A measurable indication of progress within a given phase, documentation in hard copy or electronic form such as analyses, reports, manuals, test results, or any other items as set forth in section 2.2. Milestone: A specific goal, objective, or event pertaining to services described in this SOW. Normal Business Hours: The hours of Monday through Friday 8:00 a.m. to 5:00 p.m. local time, excluding any federal and ePlus observed holidays. A list of ePlus observed holidays will be provided upon request. Products: Third-party hardware and/or software products are sold separately and are not deliverables. 2.0 SCOPE 2.1 SERVICES The Services that ePlus and/or its subcontractor shall provide will include: External vulnerability assessment/penetration tests of one (1) PCI IP address with full open-source intelligence gathering Internal vulnerability assessment/penetration test of up to twenty (20) PCI devices (desktops, laptops, and POSs) Planning and Preparation Develop a customized testing plan that adheres to the NIST Cybersecurity Framework External Vulnerability and Penetration Testing Passively gather the information from Open-Source Intelligence (OSINT) regarding Customer from publicly available sources, including both regular internet and dark web resources o This information may include IP addresses, registered domains, employee social media profiles, email addresses, breached passwords, publicly accessible documents, DNS enumeration results, and technologies in use. Employ ethical hacking techniques to attempt attacks on Customer's external systems that are in scope o These attacks will be conducted with minimal Customer support or intervention and exclude attempts to perform DDOS attacks. Initially use blackbox methods to attempt access to Customer's systems o If unsuccessful, ePlus may coordinate with Customer to temporarily ease security controls, to conduct further ethical hacking tests using grey and white hat approaches. 6/17/2025 City of Fort Worth-Water Department Penetration Test-164601 PAGE 3 STATEMENT OF WORK City of Fort Worth Halt the testing if internal network access is obtained during this testing phase due to external factors o Customer will be informed, and further actions will be decided. Internal Vulnerability and Penetration Testing systems, open ports, running services, and vulnerabilities in the target environment o The following types of vulnerabilities are typical of those identified and exploited during a penetration test: Weak configuration Missing patches Use of insecure services and protocols Web application vulnerabilities, including the OWASP Top 10 Authentication vulnerabilities such as default or easily guessable usernames and passwords Database server vulnerabilities such as insecure object permissions o Exploitation techniques may include buffer overflows, command injection, or other methods that are intended to gain information. Exploitation done in this phase will be intended to gain additional access to the platform being targeted, Unless requested by Customer, denial of service attacks is not within the scope of Services. Attempt to pivot to other Customer devices after a device has been exploited and system access has been achieved Gather evidence such as screenshots of exploited systems, level of access gained, copies of databases, application access, or other information, as needed Project Management Standard Project Management is utilized when the management requirements for a project of mid to high complexity. The expectation is that the Project Manager will be working on tasks which may include meeting planning, resource scheduling, equipment confirmation, and issue tracking, within a project workbook. The Project Manager will also be responsible for project closeout and satisfaction surveys. 2.2 DELIVERABLES ePlus will provide Services only, and no Deliverables will be provided except as follows: Executive summary report o A high-level and non-technical overview of the methodology used for the testing and the results o A quick review of the findings summary table o Graphics representing discovered and exploited vulnerabilities Technical Report o A technical report detailing the findings of the assessment and penetration testing activities, as well as ePlus-recommendations, provided in Portable Document Format (PDF) o The results of enumeration and exploitation testing 6/17/2025 City of Fort Worth-Water Department Penetration Test-164601 PAGE 4 STATEMENT OF WORK City of Fort Worth o A summarization of findings o ePlus-recommendations for correction o Remediation activities and validation o Raw copies of the security scans 2.3 PLACE OF PERFORMANCE Unless otherwise specified elsewhere in this SOW, all on- Services will be performed remotely 3.0 CUSTOMER RESPONSIBILITIES 3.1 GENERAL RESPONSIBILITIES During the course of this project, ePlus will require the support of Customer staff and computing resources. If the required Customer resources cannot be made available, the scope of the Services, estimated schedule (see section 5.1), or both may be affected. Customer agrees to provide the following: A work area suitable for the tasks to be performed and any required software or documentation. If Customer directly procures any hardware or software required for this project, Customer agrees to provide the hardware, software, and any accompanying support documentation or instructions. Ensure sufficient rack space, power, electric, cooling, etc. for new hardware is in place prior to implementation o Note: The Customer is responsible for moving existing equipment within a rack to make sufficient space for new hardware. ePlus resources are not responsible for moving existing equipment during the physical installation of new hardware. Customer is responsible for the removal and disposal of hardware being replaced as part of this project. Provide location for disposal of packing materials. ePlus will dispose of debris (cardboard, plastic, wood skids, Styrofoam, and other miscellaneous packing materials) in customer-supplied dumpster Customer will provide patch cables related to project unless otherwise specified in this SOW. A secure storage location for all equipment delivered to the Customer Site until the scheduled ePlus installation date, if applicable. Contact personnel to escort the ePlus resource(s) through the Customer Site. Access to the Customer Site during the work hours required for this project. Current network topology Electrical power outlets to support requirements of the installed network equipment Provide a single technical point of contact, who is familiar with the IT environment and requirements, to work with ePlus engineering resource(s) throughout the project and act as a liaison between the Provide requested network diagrams/information to ePlus within two (2) days of the initial request. Customer represents and warrants that it has all right, title, and interest in and to any data furnished in connection with the Services and/or that it has obtained all necessary consents, permissions, and releases necessary for ePlus to perform its obligations under this SOW. Customer shall indemnify, defend, and hold 3.2 PROJECT SPECIFIC CUSTOMER RESPONSIBILITIES Provide remote access as needed 6/17/2025 City of Fort Worth-Water Department Penetration Test-164601 PAGE 5 STATEMENT OF WORK City of Fort Worth 3.3 SYSTEM RESPONSIBILITIES Customer is responsible for providing all software and associated licenses. request for documentation or information needed for the project. Customer shall ensure that contracts with its own vendors and third parties are fully executed and enable and the performance of, all non-ePlus entities assigned to, or working on this project. ePlus will not be responsible for data loss. Backups should be performed prior to work starting. All data is the responsibility of the Customer. Should a manufacturer provide Customer with specialized or custom software unique to Customer, ePlus will not be responsible for any delays or failures to perform related to use of such software. ePlus shall not be responsible for support and maintenance of products. Unless otherwise specified in this SOW, ePlus shall not be responsible for any customization of, or labor to install software (except operating systems or firmware pre-installed by the manufacturer). Services do not include resolution of software or hardware problems resulting from third party equipment Services exclude any hardware upgrade required to run new or updated software. 4.0 ASSUMPTIONS 4.1 GENERAL ASSUMPTIONS The following assumptions were made to create this SOW. Should any of these assumptions prove to be incorrect or incomplete then ePlus may modify the price, scope of work, or Milestones pursuant to the Change Management Procedure set forth herein. ePlus assumes: -current time and materials rates plus travel and other related expenses. Any additional costs incurred by Customer as a result of delays shall be the sole responsibility of the Customer. This SOW defines exclusively the scope of the Services. This SOW shall not apply to any purchase, support or maintenance of products, which are purchased separately. In the event ePlus is required to provide third party materials under this SOW (i.e. cables, racks, etc.), Customer shall be responsible for any costs, maintenance, and/or warranty obligations therein. Acceptance tests conducted in respect of the Services shall apply only to such Services and shall not constitute acceptance or rejection of any Product purchased or licensed separately by Customer. The schedule shall be extended up to thirty (30) days for any personnel change requests made by Customer. Customer acknowledges that at any time during the project, if progress is stalled, by no fault of ePlus, for more than twenty (20) contiguous business days, ePlus reserves the right to issue a Milestone Completion Certificate for work that has been completed. If Services include any assessments , Customer understands that no guaranty is made by ePlus or its subcontractors that such assessments will detect all security weaknesses, potential security problems, vulnerabilities, or potential breaches. ePlus does not guarantee that recommendations or actions undertaken pursuant to this SOW will completely address all issues identified or not identified. 6/17/2025 City of Fort Worth-Water Department Penetration Test-164601 PAGE 6 STATEMENT OF WORK City of Fort Worth o If an ePlus Subcontractor is used to perform the security assessment/audit services, the data will be shared with ePlus for gap analysis and recommendation purposes. If Services include the implementation of any system dealing with Emergency 911 (E911) Services, including but not limited to phone systems, the Customer is responsible for ensuring its 911 dialing is ePlus encourages customers to consult with their counsel regarding this matter. Documents are created using ePlus templates (structure and format) and delivered to Customer in softcopy only. Customization to deliverable documents (structure, format, and/or other non-standard content) must be handled via a Change Request (CR) unless explicitly stated in this SOW. ePlus Deliverable Documents include up to two (2) revisions, per document, based on Customer feedback. Subsequent revisions will require a CR or separate SOW. 4.2 PROJECT SPECIFIC ASSUMPTIONS No training is included in this SOW. Services schedule reflects work effort based on non-contiguous business days and does not include a full- time ePlus Engineer for staff augmentation during the project. This engagement is estimated to be completed within two (2) weeks of an agreed-upon start date. ePlus will not perform testing activities that could cause damage or disruption to the telephony system or other systems. ePlus will not be responsible for issues that arise during or after the testing. 5.0 PERIOD OF PERFORMANCE 5.1 ESTIMATED TIMELINE The estimated timeline for the Services will begin within thirty (30) days after execution of this SOW and continue for not more than twelve (12) months. If Services have not been scheduled at the execution of this SOW, a timeline should be developed mutually by the Parties and agreed to before each phase of the Services begins. The actual start date will depend on the following considerations: Scheduled availability of a qualified systems engineer Receipt of Product and any necessary equipment Receipt of signed SOW from Customer prior to proposed start date Receipt of purchase order from Customer 5.2 TERMINATION Either Party may terminate the SOW for any reason on thirty (30) days prior written notice to the other Party. Upon any such termination, ePlus will be paid all fees and expenses which have been incurred or earned in connection with the performance of the Services through the effective date of such termination. Additionally, in the event Customer cancels any Services with less than two (2) weeks prior notice, Customer shall reimburse ePlus for any non-refundable expenses incurred in preparation for such cancelled Services. 6/17/2025 City of Fort Worth-Water Department Penetration Test-164601 PAGE 7 STATEMENT OF WORK City of Fort Worth 6.0 PRICING AND PAYMENT TERMS For the Services performed under this SOW, Customer agrees to pay ePlus a fee of $11,220.00 (, plus any applicable taxes, as specified. Milestones are as follows: TITLE: DESCRIPTION: AMOUNT: Milestone 1 SOW Acceptance and Signature $5,610.00 Milestone 2 Project Completion $5,610.00 The Pricing in this SOW is valid for sixty (60) days from delivery to the Customer. Customer shall issue a purchase order adequate to cover the Fee prior to commencement of Services. Fees for additional services related to but not defined in this SOW will be on a time and materials basis at a rate set forth in a written amendment or Change Request. All tasks under this SOW will be completed during Normal Business Hours. Payment is due pursuant to the agreed-upon terms in the Agreement. Customer acknowledges that ePlus may participate in and retain the benefit of incentive plans or other programs with, among others, its travel providers wherein ePlus may receive benefits, such as frequent flier miles or other consideration for corporate travel volume. Fees, expenses, and other charges for the Services do not include sales, use, excise, value added, or other applicable taxes, tariffs, or duties. Payment that may be due on such amounts, and shall be the sole employment or independent contractor relationship between ePlus and its personnel). 7.0 ACCEPTANCE OF MILESTONES OR SERVICES following forms of acceptance: Signed work order or time sheet; or ; or Project completion document Customer has five (5) working days from the completion of the Services or Milestone, as applicable, to accept the work performed as being complete. Signing of the MCC, approving the time sheet respond to the approval request of the Milestone or time sheet and that Services have been performed in accordance with the SOW. In order to refuse acceptance of the Services, Customer must provide ePlus with full details that show that Services do not conform to the SOW. ePlus shall address such non-conformance in a timely manner and shall compile an action plan to correct any deficiencies. The acceptance process shall be repeated until all deficiencies have been resolved and the Services meet the requirements of the SOW. Acceptance may not be withheld due to defects in Services that do not represent a material non-conformance with the requirements of the SOW. 6/17/2025 City of Fort Worth-Water Department Penetration Test-164601 PAGE 8 STATEMENT OF WORK City of Fort Worth 8.0 CHANGE MANAGEMENT PROCEDURES Any change to the scope of Services or the obligations of the Parties under this SOW shall be set forth in a mutually Party and will describe the nature of the change, the reason for the change, and the effect of the change on the scope of work, Deliverables and/or the schedule. The Parties will negotiate in good faith the changes to the Services and the additional charges, if any, required to implement the Change Request. 9.0 SOW ACCEPTANCE This SOW # City of Fort Worth-Water Department Penetration Test-164601 is acceptable. Please sign and return to Steve Hughes at TexasServicesManagement@eplus.com. IN WITNESS WHEREOF, the duly authorized representatives of the Parties hereto have caused this SOW to be executed. ePlus Technology, inc. City of Fort Worth AUTHORIZED SIGNATURE AUTHORIZED SIGNATURE PRINTED NAME PRINTED NAME TITLE TITLE DATE DATE PO#