RFP 10225 Virtual/Fractional Chief Information Security Officer (vCISO) Services Page 1 of 40
REQUEST FOR PROPOSAL
10225 VIRTUAL/FRACTIONAL CHIEF INFORMATION SECURITY OFFICER (VCISO)
SERVICES
RFP DUE: 3:00 PM MT (Mountain Time), October 8, 2025
The City of Fort Collins is requesting proposals from qualified firms to provide Virtual/Fractional
Chief Information Security Officer (vCISO) services. This engagement will provide cybersecurity
leadership, strategic guidance, and expert advisory support to enhance the City's cybersecurity
maturity and resilience.
As part of the City’s commitment to sustainability, proposals must be submitted online through
the Rocky Mountain E-Purchasing System (RMEPS) at
http://www.bidnetdirect.com/colorado/city-of-fort-collins. Note: please ensure adequate time to
submit proposals through RMEPS. Proposals not submitted by the designated Opening Date and
Time will not be accepted by RMEPS.
All questions should be submitted, in writing via email, to Ed Bonnette, CPM, CPPB, Senior
Buyer at ebonnette@fcgov.com, with a copy to Joe King, Project Manager, at
JKing@fcgov.com, no later than 3:00 PM MT on September 24, 2025. Please format your
e-mail to include: RFP 10225 VIRTUAL/FRACTIONAL CHIEF INFORMATION SECURITY
OFFICER (VCISO) SERVICES in the subject line. Questions received after this deadline may
not be answered. Responses to all questions submitted before the deadline will be addressed in
an addendum and posted on the Rocky Mountain E-Purchasing System webpage.
Rocky Mountain E-Purchasing System hosted by BidNet
A copy of the RFP may be obtained at http://www.bidnetdirect.com/colorado/city-of-fort-collins.
This RFP has been posted utilizing the following Commodity Code(s):
91893 Security/Safety Consulting
99048 Identity Theft Protection and Data Security Services
Prohibition of Unlawful Discrimination: The City of Fort Collins, in accordance with the
provisions of Title VI of the Civil Rights Act of 1964 (78 Stat. 252, 42 U.S.C. §§ 2000d to
2000d-4) and the Regulations, hereby notifies all bidders that it will affirmatively ensure that in
any contract entered into pursuant to this advertisement, disadvantaged business enterprises will
be afforded full and fair opportunity to submit bids in response to this invitation and will not be
discriminated against on the grounds of race, color, or national origin in consideration for an award.
The City strictly prohibits unlawful discrimination based on an individual’s gender (regardless of
gender identity or gender expression), race, color, religion, creed, national origin, ancestry, age
40 years or older, marital status, disability, sexual orientation, genetic information, or other
characteristics protected by law. For the purpose of this policy “sexual orientation” means a
person’s actual or perceived orientation toward heterosexuality, homosexuality, and bisexuality.
The City also strictly prohibits unlawful harassment in the workplace, including sexual
harassment. Further, the City strictly prohibits unlawful retaliation against a person who engages
in protected activity. Protected activity includes an employee complaining that he or she has been
discriminated against in violation of the above policy or participating in an employment
discrimination proceeding.
Financial Services
Purchasing Division
215 N. Mason St. 2nd Floor
PO Box 580
Fort Collins, CO 80522
970.221.6775
fcgov.com/purchasing
The City requires its Professionals to comply with the City’s policy for equal employment
opportunity and to prohibit unlawful discrimination, harassment and retaliation. This requirement
applies to all third-party Professionals and their subcontractors/subconsultants at every tier.
Public Viewing Copy: The City is a governmental entity subject to the Colorado Open Records
Act, C.R.S. §§ 24-72-200.1 et seq. (“CORA”). Any proposals submitted hereunder are subject to
public disclosure by the City pursuant to CORA and City ordinances. Professionals may submit
one (1) additional complete proposal clearly marked “FOR PUBLIC VIEWING.” In this version of
the proposal, Professionals may redact text and/or data that it deems confidential or proprietary
pursuant to CORA. All pricing will be considered public records subject to disclosure under CORA
and as such pricing cannot be redacted from the “FOR PUBLIC VIEWING” version of the
proposal. Failure to provide a public viewing copy will be considered a waiver of any claim of
confidentiality under CORA without regard to how the applicant’s proposal or certain pages of the
proposal are marked confidential, proprietary, or similar. Such statement does not necessarily
exempt such documentation from public disclosure if required by CORA, by order of a court of
appropriate jurisdiction, or other applicable law. Generally, under CORA, trade secrets,
confidential commercial information and financial data information may not be disclosed by the
City. Proposals may not be marked “Confidential” or “Proprietary” in their entirety. By responding
to this RFP, Professional hereby waives any and all claims for damages against the City for the
City’s good faith compliance with CORA. All provisions and pricing of any contract resulting
from this request for proposal will be public information.
Professionals Registration: The City requires new Professionals receiving awards from the City
to submit IRS form W-9 and requires all Professionals to accept Direct Deposit (Electronic)
payment. If needed, the W-9 form and the Vendor Direct Deposit Authorization Form can be
found on the City’s Purchasing website at www.fcgov.com/purchasing under Vendor Reference
Documents. Please do not submit these documents with your proposal, however, if you take
exception to participating in Direct Deposit (Electronic) payments please clearly note such in your
proposal as an exception. The City may waive the requirement to participate in Direct Deposit
(Electronic) payments at its sole discretion.
Sales Prohibited/Conflict of Interest: No officer, employee, or member of City Council, shall
have a financial interest in the sale to the City of any real or personal property, equipment,
material, supplies or services where such officer or employee exercises directly or indirectly any
decision-making authority concerning such sale or any supervisory authority over the services to
be rendered. This rule also applies to subcontracts with the City. Soliciting or accepting any gift,
gratuity, favor, entertainment, kickback or any items of monetary value from any person who has
or is seeking to do business with the City of Fort Collins is prohibited.
Collusive or Sham Proposals: Any proposal deemed to be collusive or a sham proposal will be
rejected and reported to authorities as such. Your authorized signature of this proposal assures
that such proposal is genuine and is not a collusive or sham proposal.
The City of Fort Collins reserves the right to reject any and all proposals and to waive any
irregularities or informalities.
Utilization of Award by Other Agencies: The City of Fort Collins reserves the right to allow
other state and local governmental agencies, political subdivisions, and/or school districts to
utilize the resulting award under all terms and conditions specified and upon agreement by all
parties. Usage by any other entity shall not have a negative impact on the City of Fort Collins in
the current term or in any future terms.
The selected Professional shall be required to sign the City’s Agreement prior to commencing
services (see sample attached to this document).
Sincerely,
Gerry Paul
Purchasing Director
I. BACKGROUND & OBJECTIVE / OVERVIEW
A. Objective
The City of Fort Collins is requesting proposals from qualified firms to provide
Virtual/Fractional Chief Information Security Officer (vCISO) services. This engagement
will provide cybersecurity leadership, strategic guidance, and expert advisory support to
enhance the City's cybersecurity maturity and resilience.
To ensure the integrity of this engagement, all vendors must disclose any potential
conflicts of interest, including but not limited to existing relationships with security
product vendors, service providers, or other third parties that may create a perceived or
actual bias in recommending security tools, services, or policies. The City seeks an
independent and objective advisory partner and expects the Virtual/Fractional CISO
service to act solely in the best interest of the City of Fort Collins.
B. Background
As cyber threats grow in sophistication and frequency, the City of Fort Collins recognizes
the need for dedicated cybersecurity leadership. This engagement builds upon work
funded through Federal Recovery programs and other cybersecurity modernization
efforts, particularly in Endpoint Management, Patch Management, and Vulnerability
Management.
The City of Fort Collins manages a hybrid IT environment supporting public safety,
utilities, and general government operations. Core IT infrastructure includes both
cloud-hosted and on-premises systems, a centralized identity and access management
foundation, and multiple endpoint types including desktops, laptops, and mobile devices.
The City employs a suite of security tools for endpoint protection, patch management,
vulnerability scanning, and email filtering. Additionally, the City leverages a formal ITSM
platform for ticketing, change management, and asset tracking. The cybersecurity
program is evolving toward greater standardization, centralized governance, and
alignment with the NIST Cybersecurity Framework.
To protect sensitive systems and information, detailed architectural or tooling specifics
will only be shared with vendors upon execution of a mutually agreed Non-Disclosure
Agreement (NDA).
II. SCOPE OF PROPOSAL
A. Scope of Work
1. Organizational Principle:
The City of Fort Collins recognizes the importance of establishing clear lines of
accountability between security and operations functions. As part of this
engagement, the vCISO service will be expected to support and advise on the
separation of duties between security and IT operations teams. This approach will
ensure that cybersecurity oversight is independent from the implementation and
maintenance of systems, thereby enhancing transparency, reducing risk, and
aligning with best practices in governance and compliance frameworks.
2. Scope of Services:
The vCISO service will assist in evaluating, developing, and formalizing the City’s
Incident Management Program. This includes the creation or refinement of an
Incident Response Plan (IRP), definition of roles and responsibilities, escalation
procedures, and coordination mechanisms across departments. The vCISO service
will also ensure that incident response activities align with regulatory expectations
and industry best practices, including logging, forensics, and post-incident review.
Additionally, the vCISO service will support or lead the execution of tabletop
exercises and simulation drills to test and improve organizational readiness for
cybersecurity incidents.
The Virtual/Fractional CISO service will:
- Conduct cybersecurity maturity and risk assessments.
- Develop and maintain a cybersecurity roadmap aligned with NIST CSF or
equivalent frameworks.
- Provide executive-level guidance and board reporting.
- Oversee or support improvements to patch, vulnerability, and endpoint security.
- Evaluate and recommend cost-effective tools and services.
- Guide grant funding strategy and compliance efforts.
- Help develop and enforce security policies, standards, and procedures.
- Advise on cybersecurity risks in IT/business projects.
- Assist in succession planning and the potential transition to a full-time, internal
CISO by defining role requirements, evaluating candidates, and ensuring
continuity of the cybersecurity program.
3. General Information
- This contract will be a 12-month term with optional extensions.
- Services can be fulfilled either in-person/on-site or virtually. It is expected that
the vCISO representative(s) will attend 2-4 on-site meetings annually.
B. Deliverables/Milestones
1. Goals:
- Provide expert cybersecurity leadership and strategic planning.
- Identify cost-effective tools and approaches suitable for constrained public-sector
budgets.
- Help define and implement cybersecurity policies, standards, and procedures.
- Assist in meeting compliance obligations and insurance requirements.
- Identify and/or support the acquisition of State and Federal grant funding.
- Serve as an advisor to IT and business initiatives with security relevance.
2. Expected Outcomes:
1. A comprehensive cybersecurity maturity assessment and gap analysis
conducted within the first 90 to 100 days of engagement. This assessment
should leverage industry-recognized methodologies, such as the Info-Tech
Research Group's Security Strategy Framework or equivalent, to evaluate
current capabilities, identify risks, and inform strategic planning.
2. A documented cybersecurity strategy within 180 days.
3. Defined cybersecurity program policies and roadmap.
4. Improved patch/vulnerability management.
5. Identified grant funding opportunities.
6. Risk reporting and metrics to support governance and audit readiness.
7. Clear planning and support for potential transition to an in-house CISO.
C. Minimum Qualifications
1. Required certifications:
To ensure a high level of expertise and professionalism, all personnel proposed to
fulfill the vCISO responsibilities must hold one or more of the following certifications:
- CISSP (Certified Information Systems Security Professional): Demonstrates
broad-based knowledge across multiple security domains, including risk
management, asset security, and security architecture.
- CISM (Certified Information Security Manager): Focuses on governance,
program development, and risk management; ideal for candidates aligning
security with business objectives.
- GCED (GIAC Certified Enterprise Defender): Validates hands-on technical
knowledge in enterprise security operations, including incident handling, defense
strategies, and system hardening.
Personnel who possess these certifications demonstrate proficiency in both strategic
leadership and technical depth. Firm must provide proof of certification for proposed
personnel as part of their proposal submission.
a. Compliance Context
Firm MUST demonstrate experience with and knowledge of the following
compliance areas:
- NIST CSF / NIST 800-53
- CJIS
- HIPAA
- NERC CIP
Firm SHOULD demonstrate experience with and knowledge of the following
compliance areas:
- PCI-DSS
- EPA Cybersecurity Guidance
- Cyber Insurance Requirements
b. Core Competency Evaluation
Firms must respond to the following eight (8) CISO core competencies:
o Business Acumen
o Leadership
o Communication Skills
o Technical Knowledge
o Innovative Problem Solving
o Vendor Management
o Program Management
o Regulatory Knowledge
For each, provide:
o A description and example demonstrating capability.
o A self-assessed maturity rating (Foundational, Capable, Inspirational, Strategic).
D. Anticipated Schedule
The following represents the City’s target schedule for the RFP. The City reserves the
right to amend the target schedule at any time.
• RFP issuance: September 17, 2025
• Question deadline: 3:00 PM MT on September 24, 2025
• Final Addendum Issued: September 26, 2025
• Proposal due date: 3:00 PM MT on October 8, 2025
• Interviews (tentative): Week of October 20, 2025
• Award of Contract (tentative): November 3, 2025
E. Interviews
In addition to submitting a written proposal, the top-rated Firms may be interviewed by the
RFP assessment team and asked to participate in an oral presentation to provide an
overview of the company, approach to the project and to address questions. The
evaluation criteria for the oral interviews will be the same as the criteria for the written
evaluations and are included in Section IV.
Instead of traditional in-person interviews for the optional interview session, the City may
opt to use alternate methods including, but not limited to remote interviews through a
platform such as Microsoft Teams or Zoom.
F. Subcontractors/Subconsultants
Firm will be responsible for identifying any subcontractors and/or subconsultants in their
proposal. Please note that the City will contract solely with the awarded firm; therefore,
subcontractors and/or subconsultants will be the responsibility of the firm.
G. Current standards
All work and/or materials must meet current standards in force by recognized technical
and professional societies, trade and materials supply associations, institutes and
organizations, bureaus and testing laboratories, and national, federal, state, county, and
local laws, codes and ordinances.
H. Fees, Licenses, Permits
The successful firm shall be responsible for obtaining any necessary licenses, fees or
permits without additional expense to the City. All vehicles and equipment shall be
properly licensed and insured, carry the appropriate permits and be placarded as required
by law.
I. Laws and Regulations
The firm agrees to comply fully with all applicable local, State of Colorado and Federal
laws and regulations and municipal ordinances, including the Americans with Disabilities Act (ADA).
J. Invoicing and Payment
Invoices should be emailed monthly to invoices@fcgov.com with a copy to the Project
Manager. The cost of the work completed shall be paid to the firm each month following
the submittal of a correct invoice by the firm indicating the project name, Purchase Order
number, and task description.
Payments will be made using the prices stated in the Agreement. In the event a service
is requested which is not stated in the Agreement, the firm and the City will negotiate an
appropriate unit price for the service prior to the firm initiating such work.
The City pays invoices on Net 30 terms.
III. PROPOSAL SUBMITTAL
Please limit the total length of your proposal to a maximum of fifty (50) 8 ½ x 11” pages
(excluding cover pages, table of contents, dividers and Acknowledgement form). Font shall
be a minimum of 10-point Arial and margins are limited to no less than .5” for sides and top/bottom.
Extended page sizes, such as 11” x 17”, count as a single page and may be used for detailed
pricing. Links to other files or websites shall not be permitted. Proposals that do not conform
to these requirements may be rejected.
Firms are required to provide detailed written responses to the following items in the order
outlined below. The responses shall be considered technical offers of what Firms propose to
provide and shall be incorporated in the contract award as deemed appropriate by the City. A
proposal that does not include all the information required may be deemed non-responsive
and subject to rejection.
Responses must include all the items in the order listed below. It is suggested that the firm
include each of the City’s questions with their response.
The City of Fort Collins shall not reimburse any firm for costs incurred in the preparation and
presentation of their proposal.
A. Cover Letter / Executive Summary
The Executive Summary should highlight the content of the proposal and features of the
program offered, including a general description of the program and any unique aspects
or benefits provided by your firm.
Indicate your availability to participate in the interviews/demonstrations on the proposed
dates as stated in the Schedule section.
B. Professional Information
1. Describe the firm’s business and background
2. Number of years in the business
3. Details about ownership
4. An overview of services offered and qualifications
5. Size of the firm
6. Location(s) of offices. If multiple, please identify which will be the primary for our
account.
7. Primary contact information for the company including contact name(s) and title(s),
mailing address(s), phone number(s), and email address(s).
C. Scope of Proposal
1. Provide a detailed narrative of the services proposed if awarded the contract per the
scope above. The narrative should include any options that may be beneficial for the
City to consider.
2. Describe how the project would be managed and who would have primary
responsibility for its timely and professional completion.
3. Briefly describe the approach to execute the scope of work to include the methods and
assumptions used, and any exceptions and/or risks.
4. Describe the methods and timeline of communication your firm will use with the City’s
Project Manager and other parties.
5. Identify what portion of work, if any, may be subcontracted or outsourced to
subconsultants. Include all applicable information herein requested for each firm.
6. Can the work be completed in the necessary timeframe, with target start and
completion dates met?
7. Are other qualified personnel available to assist in meeting the project schedule if
required?
8. Is the project team available to attend meetings as required by the Scope of Work?
9. Provide an outline of the schedule for completing tasks.
10. Describe your firm’s experience providing Virtual/Fractional CISO services.
11. Provide examples of SLTT and utility/energy sector engagements.
12. Describe your approach to onboarding and developing an actionable cybersecurity
roadmap.
13. What cybersecurity frameworks do you use and why?
14. How do you ensure strategies are aligned with business and financial realities in
public sector environments?
15. Provide examples of cost-effective tooling or consolidation strategies you’ve
recommended.
16. Describe how you identify or support grant applications.
17. How do you approach cultural fit and communication across technical and executive
levels?
18. Describe your reporting cadence and the metrics you provide.
19. Describe your risk identification and prioritization process and how it aligns with
organizational objectives.
20. Provide a description and example demonstrating capability in each of the eight (8)
following CISO core competencies:
a. Business Acumen
b. Leadership
c. Communication Skills
d. Technical Knowledge
e. Innovative Problem Solving
f. Vendor Management
g. Program Management
h. Regulatory Knowledge
21. Provide a self-assessed maturity rating (Foundational, Capable, Inspirational,
Strategic) for each of those same eight (8) CISO core competencies.
D. Firm Capability and Assigned Personnel
Provide relevant information regarding previous experience related to this or similar
projects, to include the following:
1. Provide an Organization Chart/Proposed Project Team: An organization chart
containing the names of all key personnel and subconsultants with titles and their
specific task assignment for this Agreement shall be provided in this section.
2. Provide resumes for each professional and technical person to be assigned to the
project, including partners, subconsultants, and subcontractors. Please limit resumes
to one page. The résumés shall include at least three individual references from
previous assignments.
3. A list of qualifications for your firm and qualifications and experience of the specific
staff members proposed to perform the services described above.
4. References. Provide a minimum of three similar projects with public agencies in the
last 5 years that have involved the staff and subcontractors/subconsultants proposed
to work on this project. Include the owner’s name, title of project, beginning price,
ending price, contact name, email and phone number, subconsultants on the team
and a brief description of the work and any change orders. The Professional
authorizes the City to verify any and all information contained herein and hereby
releases all those concerned providing information as a reference from any liability in
connection with any information provided.
5. Provide any information that distinguishes the firm from its competition and any
additional information applicable to this RFP that might be valuable in assessing
Professional’s proposal.
a. Note: Grant strategy experience is considered a value-add. Responses to related
questions will be evaluated as supplemental to core operational capabilities.
E. Cost and Work Hours
In your response to this proposal, please provide the following:
1. Estimated Hours by Task: Provide estimated hours for each proposed task by job title
and employee name, including the time required for meetings, conference calls, etc.
2. Cost by Task: Provide the cost of each task identified in the Scope of Proposal section.
Provide a total not to exceed cost for the Scope of Proposal. Price all additional
services/deliverables separately.
3. Schedule of Rates: Provide a schedule of billing rates by category of employee and
job title to be used during the term of the Agreement. This fee schedule will be firm for
at least one (1) year from the date of the Agreement. The fee schedule will be used as
a basis for determining fees should additional services be necessary. Include a per
meeting rate in the event additional meetings are needed. A fee schedule for
subconsultants/subcontractors, if used, shall be included.
4. All direct costs (i.e., travel, printing, postage, etc.) specifically attributed to the project
and not included in the billing rates must be identified. Reasonable expenses may be
reimbursable as per the current rates found at www.gsa.gov. Firm will be required to
provide original receipts to the City for all travel expenses.
F. Sample Agreement
Included with this request for proposals is a sample Agreement that the City intends to
use for obtaining the services of the firm. The firm is required to review this Agreement
and indicate any objections to the terms of the contract. If revisions to the contractual
terms are requested, provide suggested revisions.
G. Acknowledgement
The Acknowledgement form is attached as Section V. Complete the attached form
indicating the firm hereby acknowledges receipt of the City of Fort Collins Request for
Proposal and acknowledges that the firm has read and agrees to be fully bound by all of
the terms, conditions and other provisions set forth in the RFP.
H. The Byrd Anti-Lobbying Certification (Section VI) must be signed, dated and
returned as part of your Proposal.
IV. REVIEW AND ASSESSMENT CRITERIA
A. Proposal and Interview Criteria
Professionals will be evaluated on the following criteria. This set of criteria will be the
basis for review and assessment of the written proposals and optional interview session.
At the discretion of the City, interviews of the top-rated Professionals may be conducted.
The rating scale shall be from 1 to 10: a rating of 1 means the category does not meet minimum
requirements, a rating of 5 means the category fulfills the minimum requirements, and a rating of
10 means the category exceeds minimum requirements.
WEIGHTING FACTOR | CATEGORY | STANDARD QUESTIONS
3.0 | Scope of Proposal | Does the proposal address all elements of the RFP? Does the proposal show an understanding of the project objectives, methodology to be used and results/outcomes required by the project? Are there any exceptions to the specifications, Scope of Work, or agreement? Can the work be completed in the necessary time? Can the target start and completion dates be met? Are other qualified personnel available to assist in meeting the project schedule if required? Is the project team available to attend meetings as required by the Scope of Work? Did the Professional provide detailed and acceptable answers to all the questions in section III.C.?
3.0 | Firm Capability & Assigned Personnel | Does the firm have the resources, financial strength, capacity and support capabilities required to successfully complete the project on-time and in-budget? Has the firm successfully completed previous projects of this type and scope? Do the persons who will be working on the project have the necessary skills and qualifications? Are sufficient people of the requisite skills and qualifications assigned to the project?
1.0 | Minimum Qualifications | Does the firm possess the required Certifications and demonstrate experience and proficiency in the required compliance areas?
3.0 | Cost & Work Hours | Does the proposal include a detailed cost breakdown for each cost element as applicable and are the line-item costs competitive? Do the proposed cost and work hours compare favorably with the Project Manager's estimate? Are the work hours presented reasonable for the effort required by each project task or phase?
V. ACKNOWLEDGEMENT
This form may not be redlined and must be submitted with your proposal. Failure to adhere to
these requirements may result in your proposal being rejected.
Firm hereby acknowledges receipt of the City of Fort Collins Request for Proposal and
acknowledges that it has read and agrees to be fully bound by all of the terms, conditions and
other provisions set forth in the RFP 10225 VIRTUAL/FRACTIONAL CHIEF INFORMATION
SECURITY OFFICER (VCISO) SERVICES and sample Agreement except as otherwise noted.
Additionally, Professional hereby makes the following representations to City:
a. All of the statements and representations made in this proposal are true to the best of the
Firm’s knowledge and belief.
b. Firm commits that it is able to meet the terms provided in this proposal.
c. This proposal is a firm and binding offer, for a period of 90 days from the date hereof.
d. Firm further agrees that the method of award is acceptable.
e. Firm also agrees to complete the proposed Agreement with the City of Fort Collins within
10 days of notice of award. If contract is not completed and signed within 10 days, City
reserves the right to cancel and award to the next highest rated firm.
f. Firm acknowledges receipt of addenda.
g. Firm acknowledges no conflict of interest.
h. Firm acknowledges that the City is a governmental entity subject to the Colorado Open
Records Act, C.R.S. §§ 24-72-200.1 et seq. (“CORA”). Any proposals submitted
hereunder are subject to public disclosure by the City pursuant to CORA and City
ordinances. Professionals may submit one (1) additional complete proposal clearly
marked “FOR PUBLIC VIEWING.” In this version of the proposal, Professionals may
redact text and/or data that it deems confidential or proprietary pursuant to CORA. All
pricing will be considered public records subject to disclosure under CORA and as such
pricing cannot be redacted from the “FOR PUBLIC VIEWING” version of the proposal.
Failure to provide a public viewing copy will be considered a waiver of any claim of
confidentiality under CORA without regard to how the applicant’s proposal or certain
pages of the proposal are marked confidential, proprietary, or similar. Such statement
does not necessarily exempt such documentation from public disclosure if required by
CORA, by order of a court of appropriate jurisdiction, or other applicable law. Generally,
under CORA, trade secrets, confidential commercial information and financial data
information may not be disclosed by the City. Proposals may not be marked “Confidential”
or “Proprietary” in their entirety. By responding to this RFP, Professionals hereby waive
any and all claims for damages against the City for the City’s good faith compliance with
CORA. All provisions and pricing of any contract resulting from this request for
proposal will be public information.
Legal Firm Name:
Physical Address:
Remit to Address:
Phone:
Name of Authorized Agent of Firm:
Signature of Authorized Agent:
Primary Contact for Project:
Title: Email Address:
Phone: Cell Phone:
NOTE: ACKNOWLEDGMENT IS TO BE SIGNED & RETURNED WITH YOUR PROPOSAL.
VI. BYRD ANTI-LOBBYING AMENDMENT (31 U.S.C. 1352) CERTIFICATION
The Contractor attests that it has filed the required certification under the Byrd Anti-Lobbying
Amendment. The Contractor attests that it has certified that it will not and has not used
Federal appropriated funds to pay any person or organization for influencing or attempting to
influence an officer or employee of any agency, a member of Congress, officer or employee
of Congress, or an employee of a member of Congress in connection with obtaining any
Federal Contract, grant or any other award covered by 31 U.S.C. 1352. The Contractor further
attests that it has disclosed, and will continue to disclose, any lobbying with non-Federal
funds that takes place in connection with obtaining any Federal award.
The undersigned certifies, to the best of his or her knowledge and belief, that:
(1) No Federal appropriated funds have been paid or will be paid, by or on behalf of the
undersigned, to any person for influencing or attempting to influence an officer or
employee of an agency, a Member of Congress, an officer or employee of Congress, or
an employee of a Member of Congress in connection with the awarding of any Federal
contract, the making of any Federal grant, the making of any Federal loan, the entering
into of any cooperative agreement, and the extension, continuation, renewal,
amendment, or modification of any Federal contract, grant, loan, or cooperative
agreement.
(2) If any funds other than Federal appropriated funds have been paid or will be paid to any
person for making lobbying contacts to an officer or employee of any agency, a Member
of Congress, an officer or employee of Congress, or an employee of a Member of
Congress in connection with this Federal contract, grant, loan, or cooperative agreement,
the undersigned shall complete and submit Standard Form-LLL, "Disclosure Form to
Report Lobbying," in accordance with its instructions [as amended by "Government wide
Guidance for New Restrictions on Lobbying," 61 Fed. Reg. 1413 (1/19/96)].
(3) The undersigned shall require that the language of this certification be included in the
award documents for all subawards at all tiers (including subcontracts, subgrants, and
contracts under grants, loans, and cooperative agreements) and that all subrecipients
shall certify and disclose accordingly.
This certification is a material representation of fact upon which reliance was placed when
this transaction was made or entered into. Submission of this certification is a prerequisite
for making or entering into this transaction imposed by 31 U.S.C. § 1352 (as amended by
the Lobbying Disclosure Act of 1995). Any person who fails to file the required certification
shall be subject to a civil penalty of not less than $10,000 and not more than $100,000 for
each such failure.
The Contractor, ________________ ___, certifies or affirms the
truthfulness and accuracy of each statement of its certification and disclosure, if any. In
addition, the Contractor understands and agrees that the provisions of 31 U.S.C. § 3801, et
seq., apply to this certification and disclosure, if any.
__________________________ Entity Name
__________________________ Signature of Authorized Official
__________________________ Name and Title of Authorized Official
__________________________ Date
Official Purchasing Document
Last updated 4/2025
Professional Services Agreement
VII. SAMPLE AGREEMENT (FOR REFERENCE ONLY – DO NOT SIGN)
PROFESSIONAL SERVICES AGREEMENT
This Professional Services Agreement (Agreement) made and entered into the day and
year set forth in the Agreement Period section below by and between the CITY OF FORT
COLLINS, COLORADO, a Colorado Municipal Corporation (City) and , a(n) [enter state]
[business type] (Professional).
WITNESSETH:
In consideration of the mutual covenants and obligations herein expressed, it is agreed by
and between the parties hereto as follows:
1. Scope of Service. The Professional agrees to provide Services in accordance with the
Scope of Services (Services) attached as Exhibit A, consisting of [# of Pages] and
incorporated herein. Irrespective of references to named third parties in this Agreement
and its Exhibits, the Professional shall be solely responsible for performance of all duties
hereunder.
2. Changes. The City may, at any time during the term of the Agreement, make changes to
the Agreement. Such changes shall be agreed upon in writing by the parties.
3. Agreement Period. Agreement shall commence , 20(Year) (the Effective Date) and
shall continue in full force and effect until , 20(Year), unless sooner terminated as
herein provided. In addition, at the option of the City, the Agreement may be extended for
additional one-year periods not to exceed [choose one] additional one-year period(s).
Renewals and pricing changes shall be negotiated by and agreed to by both parties only at
the time of renewal. Written notice of renewal shall be provided to the Professional no
later than thirty (30) days prior to Agreement end.
4. Early Termination by City. Notwithstanding the time periods contained herein, the City may
terminate this Agreement at any time without cause or penalty by providing at least ten (10)
calendar days written notice of termination to the Professional.
In the event of early termination by the City, the Professional shall be paid for Services
rendered up to the date of termination, subject to the satisfactory performance of the
Professional's obligations under this Agreement. Professional shall submit a final invoice
within ten (10) calendar days of the effective date of termination. Payment shall be the
Professional's sole right and remedy for termination.
5. Notices. All notices provided under this Agreement shall be effective immediately when
emailed or three (3) business days from the date of the notice when mailed to the following
addresses:
Professional:
Attn:
Email Address
City:
City of Fort Collins
Attn:
PO Box 580
Fort Collins, CO 80522
Email Address
Copy to:
City of Fort Collins
Attn: Purchasing Dept.
PO Box 580
Fort Collins, CO 80522
purchasing@fcgov.com
All notices under this Agreement shall be written.
6. Compensation. In consideration of the Services to be performed pursuant to this
Agreement, the City agrees to pay the Professional [on a time and reimbursable direct cost
basis] [a fixed fee in the amount of ???? ($????)] [a fixed fee in the amount of ???? ($????)
plus reimbursable direct costs. All such fees and costs shall not exceed ???? ($????)] in
accordance with Exhibit [choose one], consisting of [# of Pages], attached and incorporated
herein. Monthly partial payments based upon the Professional's billings and itemized
statements are permissible. The amounts of all such partial payments shall be based upon
the Professional's City-verified progress in completing the Services to be performed
pursuant hereto and upon the City's approval of the Professional's actual reimbursable
expenses. Final payment shall be made following acceptance of the Services by the City.
Invoices shall be emailed to invoices@fcgov.com with a copy to the City Project Manager.
The cost of the work completed shall be paid to the Professional following the submittal of
a correct itemized invoice by the Professional. The City is exempt from sales and use
tax. The City’s Certificate of Exemption license number is 09804502. A copy of the license
is available upon written request.
The City pays undisputed invoices on Net 30 days from the date of the invoice submittal to
the City or, for disputed invoices, Net 30 days from the date of City Project Manager’s
approval.
7. Design and Service Standards. The Professional warrants and shall be responsible for the
professional quality, technical accuracy, accessibility requirements under ADA and Public
Accommodations and Technology Accessibility sections below, timely completion and the
coordination of all Services rendered by the Professional, and the Project Instruments as
defined in the Project Instruments and License section below. The Professional shall,
without additional compensation, promptly remedy and correct any errors, omissions, or
other deficiencies from such standards.
8. Indemnification. The Professional shall indemnify, defend, and hold harmless the City and
its officers and employees, to the maximum extent permitted under Colorado law, against
and from any and all actions, suits, claims, demands, or liability of any character whatsoever
claimed by the Professional or third parties against the City arising out of or related to this
Agreement (including but not limited to contract, tort, intellectual property, accessibility, or
otherwise). This obligation extends to reimbursement of the City's defense costs and
reasonable attorney’s fees.
9. Insurance. The Professional shall maintain insurance in accordance with Exhibit [choose
one], consisting of [# of Pages], attached and incorporated herein.
10. Appropriation. To the extent this Agreement or any provision in it requires payment of any
nature in fiscal years subsequent to the current fiscal year and constitutes a multiple fiscal
year debt or financial obligation of the City, it shall be subject to annual appropriation by Fort
Collins City Council as required in Article V, Section 8(b) of the City Charter, City Code
Section 8-186, and Article X, Section 20 of the Colorado Constitution. The City shall have
no obligation to continue this Agreement in any fiscal year for which there are no pledged
cash reserves or supporting appropriations pledged irrevocably for purposes of payment
obligations herein. Non-appropriation by the City shall not be construed as a breach of this
Agreement.
11. Project Instruments and License.
a. Upon execution of this Agreement, the Professional grants to the City an irrevocable,
unlimited and royalty free license to use any and all sketches, drawings, as-builts,
specifications, designs, blueprints, data files, calculations, studies, analysis, renderings,
models, plans, reports, and other deliverables (Project Instruments), in any form
whatsoever and in any medium expressed, for purposes of constructing, using,
maintaining, altering and adding to the project, provided that the City substantially
performs its obligations under the Agreement. The license granted hereunder permits
the City and third parties reasonably authorized by the City to reproduce applicable
portions of the Project Instruments for use in performing the Services or construction for
the project. In addition, the license granted hereunder shall permit the City and third
parties reasonably authorized by the City to reproduce and use the Project Instruments
for similar projects, provided however, in such event the Professional shall not be held
responsible for the design to the extent the City deviates from the Project
Instruments. This license shall survive termination of the Agreement by default or
otherwise.
b. Upon payment of each invoice, associated Project Instruments rendered by the
Professional shall become the City’s property. The Professional shall provide the City
with the Project Instruments in electronic format in a mutually agreed upon file type.
12. City Project Manager. The City will designate, before commencement of the Services, the
City Project Manager who shall make, within the scope of their authority, all necessary and
proper decisions with reference to the Services provided under this Agreement. All requests
for contract interpretations, change order, and other clarification or instruction shall be
directed to the City Project Manager.
The initial City Project Manager for this Agreement is [Enter Name] and can be reached at
[Enter Email] or [Enter Phone]. The City Project Manager is subject to change by the City.
13. Project Status Report. Project status reports may be required by Exhibit A – Scope of
Services and shall be submitted to the City Project Manager. Failure to provide any
required status report may result in the suspension of the processing of any invoice.
14. Independent Contractor. The Services to be performed by the Professional are those of an
independent contractor and not of an employee of the City. The City shall not be responsible
for withholding or remitting any portion of the Professional's compensation hereunder or
any other amounts on behalf of Professional for the payment of FICA, Workers'
Compensation, unemployment insurance, other taxes or benefits or for any other purpose.
15. Personal Services. It is understood that the City enters into this Agreement based on the
special abilities of the Professional and that this Agreement shall be considered as an
Agreement for personal services. Accordingly, the Professional shall neither assign any
responsibilities nor delegate any duties arising under this Agreement without the prior
written consent of the City.
16. Subcontractors/Subconsultants. The Professional may not subcontract any of the Services
without the prior written consent of the City, which shall not be unreasonably withheld. If
any of the Services is subcontracted hereunder, with the consent of the City, then the
following provisions shall apply:
a. the subcontractor must be a reputable, qualified firm with an established record of
successful performance in its respective trade performing identical or substantially
similar work;
b. the subcontractor will be required to comply with all applicable terms of this Agreement;
c. the subcontract will not create any contractual relationship between any such
subcontractor and the City, nor will it obligate the City to pay or see to the payment of
any subcontractor; and
d. the work of the subcontractor will be subject to inspection by the City to the same extent
as the work of the Professional.
The Professional shall require all subcontractor/subconsultants performing Services
hereunder to maintain insurance coverage naming the City as an additional insured under
this Agreement and Exhibit [choose one], consisting of [# of Pages], attached and
incorporated herein. The Professional shall maintain a copy of each
subcontractor’s/subconsultant’s certificate evidencing the required insurance. Upon
request, the Professional shall promptly provide the City with a copy of the certificate(s).
The Professional shall be responsible for any liability directly or indirectly arising out of the
Services performed under this Agreement by a subcontractor/subconsultant, which liability
is not covered by the subcontractor/subconsultant's insurance.
17. Acceptance Not Waiver. The City's approval of Project Instruments furnished hereunder
shall not in any way relieve the Professional of responsibility for the quality or technical
accuracy of the Services. The City's approval or acceptance of, or payment for, any of the
Services shall not be construed to operate as a waiver of any rights or benefits provided to
the City under this Agreement.
18. Default. Each and every term and condition hereof shall be deemed to be a material element
of this Agreement. In the event either party should fail to or refuse to perform according to
the terms of this Agreement, that party may be declared in default upon notice.
19. Remedies. In the event a party has been declared in default, that defaulting party shall be
allowed a period of ten (10) calendar days from the date of notice within which to cure said
default. In the event the default remains uncorrected, the party declaring default may elect
to:
a. terminate the Agreement and seek damages;
b. treat the Agreement as continuing and require specific performance; or
c. avail themselves of any other remedy at law or equity.
In the event of a dispute between the parties regarding this Agreement, each party shall
bear its own attorney fees and costs, except as provided for in the Indemnification and
Technology Accessibility sections.
20. Entire Agreement; Binding Effect; Authority to Execute. This Agreement, along with all
Exhibits and other documents incorporated herein, shall constitute the entire Agreement of
the parties regarding this transaction and the matter recited herein. This Agreement
supersedes any prior agreements, promises, or understandings as to the matter recited
herein. The Agreement shall be binding upon the parties, their officers, employees, agents
and assigns and shall inure to the benefit of the respective survivors, heirs, personal
representatives, successors and assigns of said parties. Covenants or representations
regarding the matter recited herein, not contained in this Agreement shall not be binding on
the parties. In the event of a conflict between terms of the Agreement and any exhibit or
attachment, the terms of the Agreement shall prevail. Each person executing this
Agreement affirms that they have the necessary authority to sign on behalf of their
respective party and to bind that party to the terms of this Agreement.
21. Law/Severability. The laws of the State of Colorado and the City of Fort Collins Charter and
Municipal Code shall govern the construction, interpretation, execution and enforcement of
this Agreement, without regard to choice of law or conflict of law principles. The Parties
further agree that Larimer County District Court is the proper venue for all disputes. If the
City subsequently agrees in writing that the matter may be heard in federal court, venue will
be District Court for the District of Colorado. In the event any provision of this Agreement
shall be held invalid or unenforceable by any court of competent jurisdiction, that holding
shall not invalidate or render unenforceable any other provision of this Agreement.
22. Use by Other Agencies. The City reserves the right to allow other state and local
governmental agencies, political subdivisions, and/or school districts (collectively Agency)
to use the City’s award determination to the Professional. Use by any other Agency shall
not have a negative impact on the City in the current term or in any future terms. Nothing
herein shall be deemed to authorize or empower the Agency to act as an agent for the City
in connection with the exercise of any rights hereunder, and neither party shall have any
right or authority to assume or create any obligation or responsibility on behalf of the other.
The other Agency shall be solely responsible for any debts, liabilities, damages, claims or
expenses incurred in connection with any agreement established solely between the
Agency and the Professional. The City’s concurrence hereunder is subject to the
Professional’s commitment that this authorization shall not have a negative impact on the
Services to be completed for the City.
23. Prohibition Against Unlawful Discrimination. The Professional acknowledges that the City,
in accordance with the provisions of Title VI of the Civil Rights Act of 1964 (78 Stat. 252, 42
U.S.C. §§ 2000d to 2000d-4); C.R.S. § 24-34-401, and any associated State or Federal laws
and regulations, strictly prohibits unlawful discrimination based on an individual’s gender
(regardless of gender identity or gender expression), race, color, religion, creed, national
origin, ancestry, age forty (40) years or older, marital status, disability, sexual orientation,
genetic information, or other characteristics protected by law. Pursuant to City policy, sexual
orientation means a person’s actual or perceived orientation toward heterosexuality,
homosexuality, and bisexuality. The City also strictly prohibits unlawful harassment in the
workplace, including sexual harassment. Further, the City strictly prohibits unlawful
retaliation against a person who engages in protected activity. Protected activity includes
an employee complaining that the employee has been discriminated against in violation of
the above policy or participating in an employment discrimination proceeding.
The Professional shall comply with the City’s policy for equal employment opportunity and
prohibit unlawful discrimination, harassment and retaliation. This requirement also applies
to all third-party subcontractors/subconsultants at every tier.
24. ADA and Public Accommodations. In performing the Services required hereunder, the
Professional agrees to meet all requirements of the Americans with Disabilities Act of 1990,
C.R.S. § 24-85-101, and all applicable rules and regulations (ADA), and all applicable
Colorado public accommodation laws, which are imposed directly on the Professional or
which would be imposed on the City as a public entity.
25. Technology Accessibility. The Professional represents that the Project Instruments
hereunder, shall fully comply with all applicable provisions of C.R.S. § 24-85-101, and the
Accessibility Standards for Individuals with a Disability, as established by the State of
Colorado Governor’s Office of Information Technology (OIT) pursuant to C.R.S. § 24-85-103
(2.5), including all updates and amendments to those standards as provided by the OIT.
The Professional shall also comply with all State of Colorado technology standards related
to technology accessibility and with Level AA of the most current version of the Web Content
Accessibility Guidelines (WCAG), incorporated in the State of Colorado technology
standards.
To confirm that the Project Instruments meet these standards, the Professional may be
required to demonstrate compliance. The Professional shall indemnify, save, and hold
harmless the City against any and all costs, expenses, claims, damages, liability, court
awards and other amounts (including attorneys’ fees and related costs) incurred by the City
in relation to the Professional’s failure to comply with C.R.S. § 24-85-101, or the Accessibility
Standards for Individuals with a Disability as established by OIT pursuant to C.R.S. §
24-85-103 (2.5).
The City may require the Professional’s compliance to the State’s Accessibility Standards
to be determined by a third party selected by the City to attest to the Project Instruments
and software compliance with C.R.S. § 24-85-101, and the Accessibility Standards for
Individuals with a Disability as established by OIT pursuant to C.R.S. § 24-85-103 (2.5).
26. Data Privacy. Professional will comply with all applicable data privacy regulations and laws,
specifically including Colorado’s Privacy Act, C.R.S. § 6-1-1301 (the Privacy Act).
Professional shall ensure that each person processing any personal data connected to the
Services is subject to a duty of confidentiality with respect to the data. If applicable,
Professional shall require that any subcontractors meet the obligations of Professional with
respect to any personal data connected to this Agreement. The Parties agree that upon
termination of the Services that Professional shall, at the City’s choice, delete or return all
personal data to the City unless retention of the personal data is required by law.
Professional shall make available to the City all information necessary to demonstrate
compliance with the obligations of the Privacy Act. Professional shall allow for, and
contribute to, reasonable audits and inspections by the City or the City’s designated auditor.
27. Governmental Immunity Act. No term or condition of this Agreement shall be construed or
interpreted as a waiver, express or implied, of any of the notices, requirements, immunities,
rights, benefits, protections, limitations of liability, and other provisions of the Colorado
Governmental Immunity Act, C.R.S. § 24-10-101, and under any other applicable law.
28. Colorado Open Records Act. Professional acknowledges that the City is a governmental
entity subject to the Colorado Open Records Act, C.R.S. § 24-72-200, et seq. (CORA), and
documents in the City’s possession may be considered public records subject to disclosure
under the CORA. The parties agree that this Agreement and all incorporated Exhibits,
unless specifically marked as Confidential, are considered public records under the CORA.
29. Delay. Time is of the essence. Subject to Force Majeure, if the Professional is temporarily
delayed in whole or in part from performing its obligations, then the Professional shall
provide written notice to the City within two (2) business days defining the nature of the
delay. Provision of written notice under this Section shall not operate as a waiver of any
rights or benefits provided to the City under this Agreement.
30. Force Majeure. No party hereto shall be considered in default in the performance of an
obligation hereunder to the extent that performance of such obligation is delayed, hindered,
or prevented by force majeure. Force majeure shall be any cause beyond the control of the
party that could not reasonably have been foreseen and guarded against. Force majeure
includes, but is not limited to, acts of God, fires, riots, pandemics, incendiarism, interference
by civil or military authorities, compliance with regulations or orders of military authorities,
and acts of war (declared or undeclared), provided the cause could not have been
reasonably foreseen and guarded against by the affected party. Force majeure shall not
include increases in labor, commodity, utility, material, supply, fuel, or energy costs, or
compliance with regulations or orders of civil authorities. To the extent that the performance
is actually prevented, the Professional must provide notice to the City of such condition
within ten (10) calendar days from the onset of the condition.
31. Special Provisions. Special provisions or conditions relating to the Services to be performed
pursuant to this Agreement are set forth in Exhibit [choose one] - Confidentiality, consisting
of four (4) pages incorporated herein.
32. Order of Precedence. In the event of a conflict or inconsistency within this Agreement, the
conflict or inconsistency shall be resolved by giving preference to the documents in the
following order of priority:
a. The body of this Agreement (and any written amendment),
b. Exhibits to this Agreement, and
c. The Purchase Order document.
33. Prohibited Terms. Nothing in any Exhibit or other attachment shall be construed as a waiver
of any provision above. Any terms included in any Exhibit or other attachment that requires
the City to indemnify or hold Professional harmless; requires the City to agree to binding
arbitration; limits Professional’s liability; or that conflicts with statute, City Charter or City
Code in any way, shall be void.
[Signature Page Follows]
THE CITY OF FORT COLLINS, COLORADO
By:
Gerry Paul
Purchasing Director
Date:
ATTEST:
APPROVED AS TO FORM:
PROFESSIONAL'S NAME
By:
Printed:
Title:
Date:
EXHIBIT A
SCOPE OF SERVICES
EXHIBIT [CHOOSE ONE]
BID SCHEDULE/COMPENSATION
The following pricing shall remain fixed for the initial term of this Agreement. Any applicable price
adjustments may only be negotiated and agreed to in writing at the time of renewal.
EXHIBIT [CHOOSE ONE]
INSURANCE REQUIREMENTS
The Professional will provide, from insurance companies acceptable to the City, the insurance
coverage designated hereinafter and pay all costs. Before commencing work under this bid, the
Professional shall furnish the City with certificates of insurance showing the type, amount, class
of operations covered, effective dates and date of expiration of policies.
In case of the breach of any provision of the Insurance Requirements, the City, at its option, may
take out and maintain, at the expense of the Professional, insurance as the City may deem proper
and may deduct the cost of the insurance from any monies which may be due or become due the
Professional under this Agreement.
Insurance certificates should show the certificate holder as follows:
City of Fort Collins
Purchasing Division
PO Box 580
Fort Collins, CO 80522
The City, its officers, agents and employees shall be named as additional insureds on the
Professional's general liability and automobile liability insurance policies by marking the
appropriate box or adding a statement to this effect on the certificate, for any claims arising
out of work performed under this Agreement.
Insurance coverages shall be as follows:
A. Workers' Compensation & Employer's Liability. The Professional shall maintain Worker’s
Compensation and Employer’s Liability insurance during the life of this Agreement for all
of the Professional's employees engaged in work performed under this Agreement.
Workers' Compensation & Employer’s Liability insurance shall conform with statutory
limits of $100,000 per accident, $500,000 disease aggregate, and $100,000 disease each
employee, or as required by Colorado law.
B. General Liability. The Professional shall maintain during the life of this Agreement General
Liability insurance as will provide coverage for damage claims of personal injury, including
accidental death, as well as for claims for property damage, which may arise directly or
indirectly from the performance of work under this Agreement. Coverage for property
damage shall be on a (broad form) basis. The amount of insurance for General Liability
shall not be less than $1,000,000 combined single limits for bodily injury and property
damage.
C. Automobile Liability. The Professional shall maintain during the life of this Agreement
Automobile Liability insurance as will provide coverage for damage claims of personal
injury, including accidental death, as well as for claims for property damage, which may
arise directly or indirectly from the performance of work under this Agreement. Coverage
for property damage shall be on a (broad form) basis. The amount of insurance for
Automobile Liability shall not be less than $1,000,000 combined single limits for bodily
injury and property damage.
D. Errors and Omissions. The Professional shall maintain errors and omissions insurance in
the amount of $1,000,000.
E. Cybersecurity. The Professional shall maintain cybersecurity insurance in the amount of
$5,000,000.
Official Purchasing Document
Last updated 4/2025
Professional Services Agreement
RFP 10225 Virtual/Fractional Chief Information Security Officer (vCISO) Services Page 28 of 40
EXHIBIT [CHOOSE ONE]
CONFIDENTIALITY
IN CONNECTION WITH THE SERVICES to be provided by Professional under this
Agreement, the parties agree to comply with reasonable policies and procedures with regard to
the exchange and handling of confidential information and other sensitive materials between the
parties, as set forth below.
1. Definitions.
For purposes of this Agreement, the party who owns the referenced information and is
disclosing same shall be referenced as the “Disclosing Party.” The party receiving the
Disclosing Party’s information shall be referenced as the “Receiving Party.”
2. Confidential Information.
Confidential Information controlled by this Agreement refers to information that is not public
and/or is proprietary, including but not limited to location information, network security system,
business plans, formulae, processes, intellectual property, trade secrets, designs,
photographs, plans, drawings, schematics, methods, specifications, samples, reports,
mechanical and electronic design drawings, customer lists, financial information, studies,
findings, inventions, ideas, City customer identifiable information (including account, address,
billing, consumption, contact, and other customer data), utility metering data, service billing
records, and customer equipment information.
To the extent practical, Confidential Information shall be marked “Confidential” or
“Proprietary.” Nevertheless, Professional shall treat as Confidential Information all customer
identifiable information in any form, whether or not bearing a mark of confidentiality or
otherwise requested by the City, including but not limited to the non-exclusive list of
Confidential Information above. In the case of disclosure in non-documentary form of non-
customer identifiable information, made orally or by visual inspection, the Disclosing Party
shall have the right, or, if requested by the Receiving Party, the obligation to confirm in writing
the fact and general nature of each disclosure within a reasonable time after it is made in
order that it is treated as Confidential Information. Any information disclosed to the other party
before the execution of this Agreement and related to the services for which Professional has
been engaged shall be considered in the same manner and be subject to the same treatment
as the information disclosed after the execution of this Agreement with regard to protecting it
as Confidential Information.
3. Use of Confidential Information.
Receiving Party hereby agrees that it shall use the Confidential Information solely for the
purpose of performing its obligations under this Agreement and not in any way detrimental to
Disclosing Party. Receiving Party agrees to use the same degree of care Receiving Party
uses with respect to its own proprietary or confidential information, which in any event shall
result in a reasonable standard of care to prevent unauthorized use or disclosure of the
Confidential Information. Except as otherwise provided herein, Receiving Party shall keep
confidential and not disclose the Confidential Information. The City and Professional shall
cause each of their directors, officers, employees, agents, representatives, and
subcontractors to become familiar with, and abide by, the terms of this Exhibit, which shall
survive this Agreement as an on-going obligation of the Parties.
Professional shall not use such information to obtain any economic or other benefit for itself,
or any third party, other than in the performance of obligations under this Agreement.
4. Exclusions from Definition.
The term “Confidential Information” as used herein does not include any data or information
which is already known to the Receiving Party or which before being divulged by the
Disclosing Party: (a) was generally known to the public through no wrongful act of the
Receiving Party; (b) has been rightfully received by the Receiving Party from a third party
without restriction on disclosure and without, to the knowledge of the Receiving Party, a
breach of an obligation of confidentiality; (c) has been approved for release by a written
authorization by the other party hereto; or (d) has been disclosed pursuant to a requirement
of a governmental agency or by operation of law, subject to Paragraph 5 below.
5. Required Disclosure.
Notwithstanding Paragraph 4(d) above, if the Receiving Party receives a request (by
interrogatories, requests for information or documents, subpoena, civil investigative demand
or similar process, or by federal, state, or local law, including without limitation, the Colorado
Open Records Act) to disclose any Confidential Information, the Parties agree the Receiving
Party will provide the Disclosing Party with immediate notice of such request, so the Disclosing
Party may seek an appropriate protective order before disclosure or waive the Receiving
Party’s compliance with this Exhibit.
The Receiving Party shall furnish a copy of this Exhibit with any disclosure.
Notwithstanding this Paragraph 5, Receiving Party shall not disclose Confidential Information
to any person, directly or indirectly, nor use it in any way, except as required by law or
authorized in writing by Disclosing Party.
6. Red Flags Rules.
If applicable, Professional must implement reasonable policies and procedures to detect,
prevent and mitigate the risk of identity theft in compliance with the Identity Theft Red Flags
Rules found at 16 Code of Federal Regulations part 681. Further, Professional must take
appropriate steps to mitigate identity theft if it occurs with any of the City’s covered information
and must notify the City in writing within twenty-four (24) hours of discovery of any breaches
of security or Red Flags to the City.
7. Data Protection and Data Security.
Professional shall have in place information security safeguards designed to conform to or
exceed industry best practices regarding the protection of the confidentiality, integrity and
availability of Confidential Information and shall have written agreements requiring any
subcontractor to meet those standards. These information security safeguards (the
“Information Security Program”) shall be materially consistent with, or more stringent than, the
safeguards described in this Exhibit.
(a) Professional’s information security safeguards shall address the following elements:
• Data Storage, Backups and Disposal
• Logical Access Control (e.g., Role-Based)
• Information Classification and Handling
• Secure Data Transfer (SFTP and Data Transfer Specification)
• Secure Web Communications
• Network and Security Monitoring
• Application Development Security
• Application Security Controls and Procedures (User Authentication, Security
Controls, and Security Procedures, Policies and Logging)
• Incident Response
• Vulnerability Assessments
• Hosted Services
• Personnel Security
(b) Subcontractors. Professional may use subcontractors, though such activity shall not
release or absolve Professional from the obligation to satisfy all conditions of this
Agreement, including the data security measures described in this Exhibit, and to require
a substantially similar level of data security, appropriate to the types of services provided
and Confidential Information received, for any subcontractor Professional may use.
Accordingly, any release of data, confidential information, or failure to protect information
under this Agreement by a subcontractor or affiliated party shall be attributed to
Professional and may be considered to be a material breach of this Agreement.
8. Information Storage. Confidential Information is not to be stored on any local workstation,
laptop, or media such as CD/DVD, USB drives, external hard drives or other similar portable
devices unless the Professional can ensure security for the Confidential Information so stored.
Workstations or laptops to be used in the Services will be required to have personal firewalls
on each, as well as have current, active anti-virus definitions.
9. Continuing Obligation. The agreement not to disclose Confidential Information as set forth in
this Exhibit shall apply during the term of the Services and/or Agreement and at any time
thereafter unless specifically authorized by the City in writing.
10. Termination Remedy. If Professional breaches any of the terms of this Exhibit, in the City’s
sole discretion, the City may immediately terminate this Agreement and withdraw
Professional’s right to access Confidential Information.
11. Return of Information. Notwithstanding any other provision of this Agreement to provide
Project Instruments and work product, all material, i.e., various physical forms of media in
which Confidential Information is stored, including but not limited to writings, drawings, tapes,
diskettes, prototypes or products, shall remain the sole property of the Disclosing Party and,
upon request, shall be promptly returned, together with all copies thereof to the Disclosing
Party. Upon return of such materials, all digital and electronic data shall also be deleted in a
non-restorable way by which it is no longer available to the Receiving Party. Upon Disclosing
Party’s request, written verification of the deletion (including date of deletion) is to be provided
to the Disclosing Party within ten (10) days after completion of engagement, whether it be via
termination, completion or otherwise.
12. Injunctive Relief. Professional Receiving Party acknowledges that the Disclosing Party may,
based upon the representations made in this Agreement, disclose security information that
is critical to the continued success of the Discloser’s business. Accordingly, Receiving Party
agrees that the Disclosing Party does not have an adequate remedy at law for breach of this
Agreement and therefore, the Disclosing Party shall be entitled, as a non-exclusive remedy,
and in addition to an action for damages, to seek and obtain an injunction or decree of
specific performance or any other remedy, from a court of competent jurisdiction to enjoin or
remedy any violation of this Agreement.
ATTACHMENT A
AMERICAN RESCUE PLAN ACT (ARPA)
FEDERALLY REQUIRED CONTRACT CLAUSES
1. NO FEDERAL GOVERNMENT OBLIGATION TO THIRD PARTIES
Applies to all FTA-Assisted Third-Party Contracts and Subcontracts.
No Obligation by the Federal Government.
1. The Purchaser and Contractor acknowledge and agree that, notwithstanding any
concurrence by the Federal Government in or approval of the solicitation or award of the
underlying contract, absent the express written consent by the Federal Government, the
Federal Government is not a party to this contract and shall not be subject to any
obligations or liabilities to the Purchaser, Contractor, or any other party (whether or not
a party to that contract) pertaining to any matter resulting from the underlying contract.
2. The Contractor agrees to include the above clause in each subcontract financed in whole
or in part with Federal assistance provided by FTA. It is further agreed that the clause
shall not be modified, except to identify the sub-contractor who will be subject to its
provisions.
2. RECORDS RETENTIONS AND ACCESS TO SITES OF PERFORMANCE
Applies to all FTA-Assisted Third-Party Contracts and Subcontracts.
1. For a period of three years following Contract closing, the Contractor and its
subcontractors shall maintain, preserve and make available to the City, the FTA
Administrator, the Comptroller General of the United States, and any of their authorized
representatives, access at all reasonable times to any books, documents, papers and
records of Contractor which are directly pertinent to this Contract for the purposes of
making audits, examinations, excerpts and transcriptions. Contractor also agrees to
otherwise comply with 49 U.S.C. § 5325(g), and federal access to records requirements
as set forth in the applicable U.S. DOT Common Rule.
2. The Contractor shall maintain and the City shall have the right to examine and audit all
records and other evidence sufficient to reflect properly all prices, costs or rates
negotiated and invoiced in performance of this Contract. This right of examination shall
include inspection at all reasonable times of the Contractor’s offices engaged in
performing the Contract.
3. If this Contract is completely or partially terminated, the Contractor shall make available
the records relating to the work terminated until 3 years after any resulting final
termination settlement. The Contractor shall make available records relating to appeals
under the Disputes clause or to litigation or the settlement of claims arising under or
relating to this Contract until such appeals, litigation, or claims are finally resolved.
4. “Access to Records and Reports” applies with equal force and effect to any
subcontractors hired by the Contractor to perform Work under this Contract. The
Contractor shall insert this provision in all subcontracts under this Contract and require
subcontractor compliance therewith.
5. Access to the Sites of Performance. The Recipient agrees to permit, and to require its
Third Party Participants to permit, FTA to have access to the sites of performance of its
Award, the accompanying Underlying Agreement, and any Amendments thereto, and to
make site visits as needed in compliance with the U.S. DOT Common Rules.
6. Closeout. Closeout of the Award does not alter the record retention or access
requirements of this section of this Master Agreement.
3. FEDERAL CHANGES
Applies to all FTA-Assisted Third-Party Contracts and Subcontracts.
Federal Changes - Contractor shall at all times comply with all applicable FTA regulations,
policies, procedures and directives, including without limitation those listed directly or by
reference in the Master Agreement between Purchaser and FTA, as they may be amended
or promulgated from time to time during the term of this contract. Contractor's failure to so
comply shall constitute a material breach of this contract.
4. CIVIL RIGHTS (EEO, TITLE VI & ADA)
Applies to all FTA-Assisted Third-Party Contracts and Subcontracts.
The following requirements apply to the underlying contract:
a) The Recipient agrees that it must comply with applicable federal civil rights laws,
regulations, requirements, and guidance, and follow applicable federal guidance,
except as the Federal Government determines otherwise in writing. Therefore, unless
a Recipient or a federal program, including the Tribal Transit Program or the Indian
Tribe Recipient, is specifically exempted from a civil rights statute, FTA requires
compliance with that civil rights statute, including compliance with equity in service.
b) Nondiscrimination in Federal Public Transportation Programs. The Recipient agrees
to, and assures that it and each Third-Party Participant, will: (1) Prohibit discrimination
on the basis of race, color, religion, national origin, sex, disability, or age. (2)
Prohibit the: (a) Exclusion from participation in employment or a business opportunity
for reasons identified in 49 U.S.C. § 5332, (b) Denial of program benefits in
employment or a business opportunity identified in 49 U.S.C. § 5332, or (c)
Discrimination, including discrimination in employment or a business opportunity
identified in 49 U.S.C. § 5332. (3) Follow: (a) The most recent edition of FTA Circular
4702.1, “Title VI Requirements and Guidelines for Federal Transit Administration
Recipients,” to the extent consistent with applicable federal laws, regulations,
requirements, and guidance, and other applicable federal guidance that may be
issued, but (b) FTA does not require an Indian Tribe to comply with FTA program-
specific guidelines for Title VI when administering its Underlying Agreement supported
with federal assistance under the Tribal Transit Program.
c) Nondiscrimination – Title VI of the Civil Rights Act. The Recipient agrees to, and
assures that each Third Party Participant, will: (1) Prohibit discrimination based on
race, color, or national origin, (2) Comply with: (a) Title VI of the Civil Rights Act of
1964, as amended, 42 U.S.C. § 2000d et seq., (b) U.S. DOT regulations,
“Nondiscrimination in Federally-Assisted Programs of the Department of
Transportation – Effectuation of Title VI of the Civil Rights Act of 1964,” 49 C.F.R. part
21, and (c) Federal transit law, specifically 49 U.S.C. § 5332, and (3) Follow: (a) The
most recent edition of FTA Circular 4702.1, “Title VI Requirements and Guidelines for
Federal Transit Administration Recipients,” to the extent consistent with applicable
federal laws, regulations, requirements, and guidance, (b) U.S. DOJ, “Guidelines for
the enforcement of Title VI, Civil Rights Act of 1964,” 28 C.F.R. § 50.3, and (c) All other
applicable federal guidance that may be issued.
d) Equal Employment Opportunity. (1) Federal Requirements and Guidance. The
Recipient agrees to, and assures that each Third Party Participant will, prohibit
discrimination on the basis of race, color, religion, sex, or national origin, and: (a)
Comply with Title VII of the Civil Rights Act of 1964, as amended, 42 U.S.C. § 2000e
et seq., (b) Facilitate compliance with Executive Order No. 11246, “Equal Employment
Opportunity,” as amended by Executive Order No. 11375, “Amending Executive Order
No. 11246, Relating to Equal Employment Opportunity,” 42 U.S.C. § 2000e note, (c)
Comply with Federal transit law, specifically 49 U.S.C. § 5332, as stated in section a,
and (d) Comply with FTA Circular 4704.1 and other applicable EEO laws and regulations,
as provided in Federal guidance, including laws and regulations prohibiting
discrimination on the basis of disability, except as the Federal Government determines
otherwise in writing, (2) General. The Recipient agrees to: (a) Ensure that applicants
for employment are employed and employees are treated during employment without
discrimination on the basis of their: 1 Race, 2 Color, 3 Religion, 4 Sex, 5 Disability, 6
Age, or 7 National origin, (b) Take affirmative action that includes, but is not limited to:
1 Recruitment advertising, 2 Recruitment, 3 Employment, 4 Rates of pay, 5 Other forms
of compensation, 6 Selection for training, including apprenticeship, 7 Upgrading, 8
Transfers, 9 Demotions, 10 Layoffs, and 11 Terminations, but (b) Indian Tribe. Title
VII of the Civil Rights Act of 1964, as amended, exempts Indian Tribes under the
definition of "Employer". (3) Equal Employment Opportunity Requirements for
Construction Activities. In addition to the foregoing, when undertaking “construction”
as recognized by the U.S. Department of Labor (U.S. DOL), the Recipient agrees to
comply, and assures the compliance of each Third Party Participant, with: (a) U.S.
DOL regulations, “Office of Federal Contract Compliance Programs, September 2019
Equal Employment Opportunity, Department of Labor,” 41 C.F.R. chapter 60, and (b)
Executive Order No. 11246, “Equal Employment Opportunity,” as amended by
Executive Order No. 11375, “Amending Executive Order No. 11246, Relating to Equal
Employment Opportunity,” 42 U.S.C. § 2000e note.
e) Disadvantaged Business Enterprise. To the extent authorized by applicable federal
laws and regulations, the Recipient agrees to facilitate, and assures that each Third-
Party Participant will facilitate, participation by small business concerns owned and
controlled by socially and economically disadvantaged individuals, also referred to as
“Disadvantaged Business Enterprises” (DBEs), in the Underlying Agreement as
follows: (1) Statutory and Regulatory Requirements. The Recipient agrees to comply
with: (a) Section 1101(b) of the FAST Act, 23 U.S.C. § 101 note, (b) U.S. DOT
regulations, “Participation by Disadvantaged Business Enterprises in Department of
Transportation Financial Assistance Programs,” 49 C.F.R. part 26, and (c) Federal
transit law, specifically 49 U.S.C. § 5332, as provided in section 12a of this Master
Agreement. (2) DBE Program Requirements. A Recipient that receives planning,
capital and/or operating assistance and that will award prime third-party contracts
exceeding $250,000 in a federal fiscal year must have a DBE program meeting the
requirements of 49 C.F.R. Part 26, which is approved by FTA, and establish an annual
DBE participation goal. (3) Special Requirements for a Transit Vehicle Manufacturer
(TVM). The Recipient agrees that: (a) TVM Certification. Each TVM, as a condition of
being authorized to bid or propose on FTA-assisted transit vehicle procurements, must
certify that it has complied with the requirements of 49 C.F.R. part 26, and (b)
Reporting TVM Awards. Within 30 days of any third-party contract award for a vehicle
purchase, the Recipient must submit to FTA the name of the TVM contractor and the
total dollar value of the third-party contract and notify FTA that this information has
been attached to FTA’s electronic award and management system, the Recipient must
also submit subsequent notifications if options are exercised in subsequent years to
ensure the TVM is still in good standing. (4) Assurance. As required by 49 C.F.R. §
26.13(a): (a) Recipient Assurance. The Recipient agrees and assures that: 1 It must
not discriminate on the basis of race, color, national origin, or sex in the award and
performance of any FTA or U.S. DOT-assisted contract, or in the administration of its
DBE program or the requirements of 49 C.F.R. part 26, 2 It must take all necessary
and reasonable steps under 49 C.F.R. part 26 to ensure nondiscrimination in the
award and administration of U.S. DOT-assisted contracts, 3 Its DBE program, as
required under 49 C.F.R. part 26 and as approved by U.S. DOT, is incorporated by
reference and made part of the Underlying Agreement, and 4 Implementation of its
DBE program approved by U.S. DOT is a legal obligation and failure to carry out its
terms shall be treated as a violation of this Master Agreement. (b) Subrecipient/Third
Party Contractor/Third Party Subcontractor Assurance. The Recipient agrees and
assures that it will include the following assurance in each subagreement and third
party contract it signs with a Subrecipient or Third Party Contractor and agrees to
obtain the agreement of each of its Subrecipients, Third Party Contractors, and Third
Party Subcontractors to include the following assurance in every subagreement and
third party contract it signs: 1 The Subrecipient, each Third Party Contractor, and each
Third Party Subcontractor must not discriminate on the basis of race, color, national
origin, or sex in the award and performance of any FTA or U.S. DOT-assisted
subagreement, third party contract, and third party subcontract, as applicable, and the
administration of its DBE program or the requirements of 49 C.F.R. part 26, 2 The
Subrecipient, each Third Party Contractor, and each Third Party Subcontractor must
take all necessary and reasonable steps under 49 C.F.R. part 26 to ensure
nondiscrimination in the award and administration of U.S. DOT-assisted
subagreements, third party contracts, and third party subcontracts, as applicable, 3
Failure by the Subrecipient and any of its Third Party Contractors or Third Party
Subcontractors to carry out the requirements of this subparagraph 13.d(4)(b) is a
material breach of this subagreement, third party contract, or third party subcontract,
as applicable, and 4 The following remedies, or such other remedy as the Recipient
deems appropriate, include, but are not limited to, withholding monthly progress
payments; assessing sanctions; liquidated damages; and/or disqualifying the
Subrecipient, Third Party Contractor, or Third Party Subcontractor from future bidding
as non-responsible. (5) Remedies. Upon notification to the Recipient of its failure to
carry out its approved program, FTA or U.S. DOT may impose sanctions as provided
for under 49 C.F.R. part 26, and, in appropriate cases, refer the matter for enforcement
under either or both 18 U.S.C. § 1001, and/or the Program Fraud Civil Remedies Act
of 1986, 31 U.S.C. § 3801 et seq.
f) Nondiscrimination on the Basis of Sex. The Recipient agrees to comply with federal
prohibitions against discrimination on the basis of sex, including: (1) Title IX of the
Education Amendments of 1972, as amended, 20 U.S.C. § 1681 et seq., (2) U.S. DOT
regulations, “Nondiscrimination on the Basis of Sex in Education Programs or
Activities Receiving Federal Financial Assistance,” 49 C.F.R. part 25, and (3) Federal
transit law, specifically 49 U.S.C. § 5332.
g) Nondiscrimination on the Basis of Age. The Recipient agrees to comply with federal
prohibitions against discrimination on the basis of age, including: (1) The Age
Discrimination in Employment Act, 29 U.S.C. §§ 621 – 634, which prohibits
discrimination on the basis of age, (2) U.S. Equal Employment Opportunity
Commission (U.S. EEOC) regulations, “Age Discrimination in Employment Act,” 29
C.F.R. part 1625, (3) The Age Discrimination Act of 1975, as amended, 42 U.S.C. §
6101 et seq., which prohibits discrimination against individuals on the basis of age in
the administration of Programs, Projects, and related activities receiving federal
assistance, (4) U.S. Health and Human Services regulations, “Nondiscrimination on
the Basis of Age in Programs or Activities Receiving Federal Financial Assistance,” 45
C.F.R. part 90, and (5) Federal transit law, specifically 49 U.S.C. § 5332.
h) Nondiscrimination on the Basis of Disability. The Recipient agrees to comply with the
following federal prohibitions against discrimination on the basis of disability: (1)
Federal laws, including: (a) section 504 of the Rehabilitation Act of 1973, as amended,
29 U.S.C. § 794, which prohibits discrimination on the basis of disability in the
administration of federally assisted Programs, Projects, or activities, (b) The
Americans with Disabilities Act of 1990 (ADA), as amended, 42 U.S.C. § 12101 et
seq., which requires that accessible facilities and services be made available to
individuals with disabilities: 1 For FTA Recipients generally, Titles I, II, and III of the
ADA apply, but 2 For Indian Tribes, Titles II and III of the ADA apply, but Title I of the
ADA does not apply because it exempts Indian Tribes from the definition of “employer,”
(c) The Architectural Barriers Act of 1968, as amended, 42 U.S.C. § 4151 et seq.,
which requires that buildings and public accommodations be accessible to individuals
with disabilities, (d) Federal transit law, specifically 49 U.S.C. § 5332, which now
includes disability as a prohibited basis for discrimination, and (e) Other applicable
federal laws, regulations and requirements pertaining to access for seniors or
individuals with disabilities. (2) Federal regulations, including: (a) U.S. DOT
regulations, “Transportation Services for Individuals with Disabilities (ADA),” 49 C.F.R.
part 37, (b) U.S. DOT regulations, “Nondiscrimination on the Basis of Disability in
Programs and Activities Receiving or Benefiting from Federal Financial Assistance,”
49 C.F.R. part 27, (c) Joint U.S. Architectural and Transportation Barriers Compliance
Board (U.S. ATBCB) and U.S. DOT regulations, “Americans With Disabilities (ADA)
Accessibility Specifications for Transportation Vehicles,” 36 C.F.R. part 1192 and 49
C.F.R. part 38, (d) U.S. DOT regulations, “Transportation for Individuals with
Disabilities: Passenger Vessels,” 49 C.F.R. part 39, (e) U.S. DOJ regulations,
“Nondiscrimination on the Basis of Disability in State and Local Government Services,”
28 C.F.R. part 35, (f) U.S. DOJ regulations, “Nondiscrimination on the Basis of
Disability by Public Accommodations and in Commercial Facilities,” 28 C.F.R. part 36,
(g) U.S. EEOC, “Regulations to Implement the Equal Employment Provisions of the
Americans with Disabilities Act,” 29 C.F.R. part 1630, (h) U.S. Federal
Communications Commission regulations, “Telecommunications Relay Services and
Related Customer Premises Equipment for Persons with Disabilities,” 47 C.F.R. part
64, Subpart F, (i) U.S. ATBCB regulations, “Electronic and Information Technology
Accessibility Standards,” 36 C.F.R. part 1194, and (j) FTA regulations, “Transportation
for Elderly and Handicapped Persons,” 49 C.F.R. part 609, and (k) Other applicable
federal civil rights and nondiscrimination guidance.
(i) Drug or Alcohol Abuse - Confidentiality and Other Civil Rights Protections. The
Recipient agrees to comply with the confidentiality and civil rights protections
of: (1) The Drug Abuse Office and Treatment Act of 1972, as amended, 21 U.S.C.
§ 1101 et seq., (2) The Comprehensive Alcohol Abuse and Alcoholism
Prevention, Treatment and Rehabilitation Act of 1970, as amended, 42 U.S.C. §
4541 et seq., and (3) The Public Health Service Act, as amended, 42 U.S.C. §§
290dd – 290dd-2.
(j) Access to Services for Persons with Limited English Proficiency. The Recipient agrees
to promote accessibility of public transportation services to persons with limited
understanding of English by following: (1) Executive Order No. 13166, “Improving
Access to Services for Persons with Limited English Proficiency,” August 11, 2000, 42
U.S.C. § 2000d-1 note, and (2) U.S. DOT Notice, “DOT Policy Guidance Concerning
Recipients’ Responsibilities to Limited English Proficiency (LEP) Persons,” 70 Fed.
Reg. 74087, December 14, 2005.
(k) Other Nondiscrimination Laws, Regulations, Requirements, and Guidance. The
Recipient agrees to comply with other applicable federal nondiscrimination laws,
regulations, and requirements, and follow federal guidance prohibiting discrimination.
(l) Remedies. Remedies for failure to comply with applicable federal Civil Rights laws,
regulations, requirements, and guidance may be enforced as provided in those federal
laws, regulations, or requirements.
(m) Free Speech and Religious Liberty. The recipient shall ensure that Federal funding is
expended in full accordance with the U.S. Constitution, Federal Law, and statutory and
public policy requirements: including, but not limited to, those protecting free speech,
religious liberty, public welfare, the environment, and prohibiting discrimination.
5. INCORPORATION OF FEDERAL TRANSIT ADMINISTRATION (FTA) TERMS
(Per FTA C 4330.1F)
Applies to all FTA-Assisted Third-Party Contracts and Subcontracts.
Incorporation of Federal Transit Administration (FTA) Terms - The preceding provisions
include, in part, certain Standard Terms and Conditions required by DOT, whether or not
expressly set forth in the preceding contract provisions. All contractual provisions required
by DOT, as set forth in FTA Circular 4220.1F, are hereby incorporated by reference.
Anything to the contrary herein notwithstanding, all FTA mandated terms shall be deemed
to control in the event of a conflict with other provisions contained in this Agreement. The
Contractor shall not perform any act, fail to perform any act, or refuse to comply with any
City requests which would cause the City to be in violation of the FTA terms and conditions.
6. ENERGY CONSERVATION REQUIREMENTS
Applies to all FTA-Assisted Third-Party Contracts and Subcontracts.
Energy Conservation - The contractor agrees to comply with mandatory standards and
policies relating to energy efficiency which are contained in the state energy conservation
plans under the Energy Policy and Conservation Act, as amended, 42 U.S.C. § 6321 et
seq., and perform an energy assessment for any building constructed, reconstructed, or
modified with federal assistance required under FTA regulations, “Requirements for Energy
Assessments,” 49 CFR Part 622, subpart C.
7. PROHIBITION ON CERTAIN TELECOMMUNICATIONS AND VIDEO SURVEILLANCE
SERVICES OR EQUIPMENT (2 CFR §200.216)
Applies to all FTA-Assisted Third-Party Contracts and Subcontracts.
Contractor is prohibited from using equipment, services, or systems that use covered
telecommunications equipment or services as a substantial or essential component of any
system, or as critical technology as part of any system. As described in Public Law 115-232,
section 889, covered telecommunications equipment is telecommunications equipment
produced by Huawei Technologies Company or ZTE Corporation (or any subsidiary or
affiliate of such entities).
a. For the purpose of public safety, security of government facilities, physical security
surveillance of critical infrastructure, and other national security purposes, video
surveillance and telecommunications equipment produced by Hytera Communications
Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology
Company (or any subsidiary or affiliate of such entities).
b. Telecommunications or video surveillance services provided by such entities or using
such equipment.
c. Telecommunications or video surveillance equipment or services produced or
provided by an entity that the Secretary of Defense, in consultation with the Director
of the National Intelligence or the Director of the Federal Bureau of Investigation,
reasonably believes to be an entity owned or controlled by, or otherwise connected to,
the government of a covered foreign country.
8. TERMINATION PROVISIONS (APPENDIX II TO PART 200)
Applies to all contracts except micro-purchases.
a. Termination for Convenience. The City may terminate this Contract, in whole or
in part, for any reason, upon five (5) days written notice to the Contractor. In such
event, the City shall pay the Contractor its costs, including reasonable Contract
close-out costs, and profit on Work performed up to the time of termination. The
Contractor shall promptly submit its termination claim to the City to be paid the
Contractor. If the Contractor has any property in its possession belonging to the
City, the Contractor will account for the same, and dispose of it in a manner the
City directs.
b. Termination for Breach. Either Party’s failure to perform any of its material
obligations under this Contract, in whole or in part or in a timely or satisfactory
manner, will be a breach. The institution of proceedings under any bankruptcy,
insolvency, reorganization or similar law, by or against Contractor, or the
appointment of a receiver or similar officer for Contractor or any of its property,
which is not vacated or fully stayed within thirty (30) days after the institution of
such proceeding, will also constitute a breach. In the event of a breach, the non-
breaching Party may provide written notice of the breach to the other Party. If the
notified Party does not cure the breach, at its sole expense, within thirty (30) days
after delivery of notice, the non-breaching Party may exercise any of its remedies
provided under this Contract or at law, including immediate termination of the
Contract.
9. GOVERNMENT-WIDE DEBARMENT AND SUSPENSION
Applies to all contracts and subcontracts exceeding $25,000.
Suspension and Debarment Executive.
The contractor attests that it is not listed on the government-wide exclusions in the System
for Award Management (SAM).
The Contractor agrees to the following:
(a) It will comply with the requirements of 2 C.F.R. part 180, subpart C, as adopted and
supplemented by U.S. DOT regulations at 2 C.F.R. part 1200, which include the
following: (a) It will not enter into any arrangement to participate in the development or
implementation of the Project with any Third Party Participant that is debarred or
suspended except as authorized by: (1) U.S. DOT regulations, “Non-procurement
Suspension and Debarment,” 2 C.F.R. part 1200, (2) U.S. OMB, “Guidelines to
Agencies on Government wide Debarment and Suspension (Non-procurement),” 2
C.F.R. part 180, including any amendments thereto, and (3) Executive Orders Nos.
12549 and 12689, “Debarment and Suspension,” 31 U.S.C. § 6101 note, (b) It will
review the U.S. GSA “System for Award Management,” https://www.sam.gov, if
required by U.S. DOT regulations, 2 C.F.R. part 1200, and (c) It will include, and
require each of its Third Party Participants to include, a similar provision in each lower
tier covered transaction, ensuring that each lower tier Third Party Participant: (1) Will
comply with Federal debarment and suspension requirements, and (2) Reviews the
“System for Award Management” at https://www.sam.gov, if necessary to comply with
U.S. DOT regulations, 2 C.F.R. part 1200, and
(b) If the Recipient suspends, debars, or takes any similar action against a Third-Party
Participant or individual, the Recipient will provide immediate written notice to the: (a)
FTA Regional Counsel for the Region in which the Recipient is located or implements
the Project, (b) FTA Project Manager if the Project is administered by an FTA
Headquarters Office, or (c) FTA Chief Counsel.
10. NOTICE TO FTA AND U.S. DOT INSPECTOR GENERAL OF INFORMATION RELATED
TO FRAUD, WASTE, ABUSE OR OTHER LEGAL MATTERS
Applies to all contracts and subcontracts exceeding $25,000. The prime contractor is
required to “flow down” this requirement to subcontractors.
a. If a current or prospective legal matter that may affect the Federal Government emerges,
the Recipient must promptly notify the FTA Chief Counsel and FTA Regional Counsel
for the Region in which the Recipient is located. The Recipient must include a similar
notification requirement in its Third Party Agreements and must require each Third Party
Participant to include an equivalent provision in its subagreements at every tier, for any
agreement that is a “covered transaction” according to 2 C.F.R. §§ 180.220 and
1200.220.
1. The types of legal matters that require notification include, but are not limited to, a
major dispute, breach, default, litigation, or naming the Federal Government as a
party to litigation or a legal disagreement in any forum for any reason.
2. Matters that may affect the Federal Government include, but are not limited to, the
Federal Government’s interests in the Award, the accompanying Underlying
Agreement, and any Amendments thereto, or the Federal Government’s
administration or enforcement of federal laws, regulations, and requirements.
3. Additional Notice to U.S. DOT Inspector General. The Recipient must promptly notify
the U.S. DOT Inspector General in addition to the FTA Chief Counsel or Regional
Counsel for the Region in which the Recipient is located, if the Recipient has
knowledge of potential fraud, waste, or abuse occurring on a Project receiving
assistance from FTA. The notification provision applies if a person has or may have
submitted a false claim under the False Claims Act, 31 U.S.C. § 3729, et seq., or
has or may have committed a criminal or civil violation of law pertaining to such
matters as fraud, conflict of interest, bid rigging, misappropriation or embezzlement,
bribery, gratuity, or similar misconduct involving federal assistance. This
responsibility occurs whether the Project is subject to this Agreement or another
agreement between the Recipient and FTA, or an agreement involving a principal,
officer, employee, agent, or Third Party Participant of the Recipient. It also applies
to subcontractors at any tier. Knowledge, as used in this paragraph, includes, but is
not limited to, knowledge of a criminal or civil investigation by a Federal, state, or
local law enforcement or other investigative agency, a criminal indictment or civil
complaint, or probable cause that could support a criminal indictment, or any other
credible information in the possession of the Recipient. In this paragraph, “promptly”
means to refer information without delay and without change. This notification
provision applies to all divisions of the Recipient, including divisions tasked with law
enforcement or investigatory functions.
b. Federal Interest in Recovery. The Federal Government retains the right to a
proportionate share of any proceeds recovered from any third party, based on the
percentage of the federal share for the Underlying Agreement. Notwithstanding the
preceding sentence, the Recipient may return all liquidated damages it receives to its
Award Budget for its Underlying Agreement rather than return the federal share of those
liquidated damages to the Federal Government, provided that the Recipient receives
FTA’s prior written concurrence.
c. Enforcement. The Recipient must pursue its legal rights and remedies available under
any third party agreement or any federal, state, or local law or regulation.
11. BYRD ANTI-LOBBYING AMENDMENT (31 U.S.C. 1352)
Applies to all contracts exceeding $100,000.
Byrd Anti-Lobbying Amendment (31 U.S.C. 1352). Contractor attests that it has filed
the required certification under the Byrd Anti-Lobbying Amendment. Contractor
attests that it has certified that it will not and has not used Federal appropriated funds
to pay any person or organization for influencing or attempting to influence an officer
or employee of any agency, a member of Congress, officer or employee of Congress,
or an employee of a member of Congress in connection with obtaining any Federal
Contract, grant or any other award covered by 31 U.S.C. 1352. Contractor further
attests that it has disclosed, and will continue to disclose, any lobbying with non-
Federal funds that takes place in connection with obtaining any Federal award.
If contract exceeds $100,000 the contractor is required to sign the attached
certification.
12. 6002 OF THE SOLID WASTE DISPOSAL ACT (2 CFR 200.322)
Applies to all contracts except micro-purchases.
Recovered Materials - All parties agree to comply with all applicable requirements of
Section 6002 of the Solid Waste Disposal Act, as amended by the Resource
Conservation and Recovery Act. The requirements of Section 6002 include procuring
only items designated in guidelines of the Environmental Protection Agency (EPA) at
40 CFR part 247 that contain the highest percentage of recovered materials
practicable, consistent with maintaining a satisfactory level of competition, where the
purchase price of the item exceeds $10,000 or the value of the quantity acquired
during the preceding fiscal year exceeded $10,000; procuring solid waste
management services in a manner that maximizes energy and resource recovery; and
establishing an affirmative procurement program for procurement of recovered
materials identified in the EPA guidelines.
a. In the performance of this contract, the Contractor shall make maximum use of products
containing recovered materials that are EPA-designated items unless the product
cannot be acquired:
• Competitively within a timeframe providing for compliance with the contract
performance schedule;
• Meeting contract performance requirements; or
• At a reasonable price.
b. Information about this requirement, along with the list of EPA-designated items, is
available at EPA’s Comprehensive Procurement Guidelines web site:
https://www.epa.gov/smm/comprehensive-procurement-guideline-cpg-program
13. ASSIGNABILITY
Applies to all contracts except micro-purchases.
Neither the City nor the Contractor shall assign or transfer any of its rights or obligations
hereunder without the prior written consent of the other.
14. CITY OF FORT COLLINS BID PROTEST PROCEDURES
Applies to all contracts except micro-purchases.
The City of Fort Collins has a protest procedure, covering any phase of solicitation or award,
including but not limited to specification or award. The protest procedures are available
from the Purchasing Department, City of Fort Collins, 215 N. Mason Street, 2nd Floor,
P.O. Box 580, Fort Collins, CO 80522. You may also request a copy of the procedures by
emailing Purchasing@fcgov.com or calling 970-221-6775.
15. TITLE VI OF THE CIVIL RIGHTS ACT OF 1964
Applies to all contracts except micro-purchases.
The sub-grantee, contractor, subcontractor, successor, transferee, and assignee shall
comply with Title VI of the Civil Rights Act of 1964, which prohibits recipients of federal
financial assistance from excluding from a program or activity, denying benefits of, or
otherwise discriminating against a person on the basis of race, color, or national origin (42
U.S.C. § 2000d et seq.), as implemented by the Department of the Treasury’s Title VI
regulations, 31 CFR Part 22, which are herein incorporated by reference and made a part
of this contract (or agreement). Title VI also includes protection to persons with “Limited
English Proficiency” in any program or activity receiving federal financial assistance, 42
U.S.C. § 2000d et seq., as implemented by the Department of the Treasury’s Title VI
regulations, 31 CFR Part 22, and herein incorporated by reference and made a part of this
contract or agreement.
16. INCREASING SEAT BELT USE IN THE UNITED STATES
Applies to all contracts except micro-purchases.
Pursuant to Executive Order 13043, 62 FR 19217 (Apr. 18, 1997), the City encourages its
contractors to adopt and enforce on-the-job seat belt policies and programs for their
employees when operating company-owned, rented, or personally owned vehicles.
17. REDUCING TEXT MESSAGING WHILE DRIVING
Applies to all contracts except micro-purchases.
Pursuant to Executive Order 13513, 74 FR 51225 (Oct. 6, 2009), the City encourages its
employees, subrecipients, and contractors to adopt and enforce policies that ban text
messaging while driving, and the City has established workplace safety policies to decrease
accidents caused by distracted drivers.