The URL can be used to link to this page

Home My WebLink AboutRFP - 7408 AMFC INDEPENDENT SECURITY ASSESSMENTREQUEST FOR PROPOSAL 7408 AMFC Independent Security Assessment The City of Fort Collins is soliciting proposals from specifically qualified information security assessment firms to verify that security controls designed into the Advanced Meter Fort Collins project function as intended and that additional controls, policies, or procedures are identified to mitigate design weaknesses. Six (6) copies of written proposals and one electronic Adobe PDF copy of the proposal will be received at the City of Fort Collins' Purchasing Division, 215 North Mason St., 2nd floor, Fort Collins, Colorado 80524. Proposals will be received before 3:00 p.m. (our clock), July 17, 2012. If delivered, proposals are to be sent to 215 North Mason Street, 2nd Floor, Fort Collins, Colorado 80524. If mailed, the address is P.O. Box 580, Fort Collins, 80522-0580. The proposal shall be clearly marked “Request for Proposal for AMFC Independent Security Assessment, RFP # 7408.” This contract is partially funded by the ‘‘American Recovery and Reinvestment Act of 2009’’ (ARRA). In compliance with the ARRA contractors and subcontractor must adhere to the following provisions as outlined in Attachment A immediately following this Invitation to Bid. Questions concerning the scope of the project should be directed to Project Manager, Paul Folger, by phone at (970) 416-2777 or via e-mail at pfolger@fcgov.com with a carbon copy to odick@fcgov.com. Please format your e-mail to include: 7408 AMFC Independent Security Assessment in the subject line. Questions regarding the proposal submittal process should be directed to Opal Dick, CPPO, Senior Buyer, (970) 221- 6778. A copy of the Proposal may be obtained as follows: 1) Download the Proposal/Bid from the BuySpeed Webpage: www.fcgov.com/eprocurement 2) Come by Purchasing at 215 North Mason St., 2nd floor, Fort Collins, and request a copy of the Bid. Due to security constraints and potential impacts to the City’s network, on-site visits will be limited, scheduled, and require a prior letter of nondisclosure. The City of Fort Collins is subject to public information laws, which permit access to most records and documents. Proprietary information in your response must be clearly Financial Services Purchasing Division 215 N. Mason St. 2nd Floor PO Box 580 Fort Collins, CO 80522 970.221.6775 970.221.6707 fcgov.com/purchasing identified and will be protected to the extent legally permissible. Proposals may not be marked ‘Proprietary’ in their entirety. Information considered proprietary is limited to material treated as confidential in the normal conduct of business, trade secrets, discount information, and individual product or service pricing. Summary price information may not be designated as proprietary as such information may be carried forward into other public documents. All provisions of any contract resulting from this request for proposal will be public information. Sales Prohibited/Conflict of Interest: No officer, employee, or member of City Council, shall have a financial interest in the sale to the City of any real or personal property, equipment, material, supplies or services where such officer or employee exercises directly or indirectly any decision-making authority concerning such sale or any supervisory authority over the services to be rendered. This rule also applies to subcontracts with the City. Soliciting or accepting any gift, gratuity favor, entertainment, kickback or any items of monetary value from any person who has or is seeking to do business with the City of Fort Collins is prohibited. Collusive or sham proposals: Any proposal deemed to be collusive or a sham proposal will be rejected and reported to authorities as such. Your authorized signature of this proposal assures that such proposal is genuine and is not a collusive or sham proposal. The City of Fort Collins reserves the right to reject any and all proposals and to waive any irregularities or informalities. Sincerely, James B. O'Neill II, CPPO, FNIGP Director of Purchasing & Risk Management RFP # 7408 AMFC Independent Security Assessment I) Purpose Background The City of Fort Collins (City) is nestled against the foothills of the Colorado Rockies in northern Colorado. The 55 square mile City is home to 144,000 residents and Colorado State University. Consolidated IT Infrastructure and Application Services are provided to 76 facilities in support of Electric, Water, Water Reclamation, and Stormwater utilities, Police, Fire, Parks and Recreation, Transportation, and Public Libraries. The Department of Energy selected Fort Collins as one of 100 utilities awarded grants designed to improve the nation's electric grid. At the end of 2010, the City received a $15.7 million grant to upgrade mechanical electric and water meters in homes, schools and businesses throughout the community with electronic devices that enable two-way digital communication between the meter and the utility. The Advanced Meter Fort Collins (AMFC) project will hit an implementation milestone in June 2012. The Initial Deployment Area (IDA), consisting of 6,000 electric meters and 2,700 water meters, will demonstrate the functionality of server, data management, network, applications, and cyber security components. The functional capabilities of implemented hardware, software, and underlying operational processes will then be thoroughly evaluated to ensure performance expectations have been met. Systems architecture must prove to be scalable in preparation for citywide deployment of 90,000 additional meters, starting in September. Technology Environment The City’s WAN architecture is in the final stages of evolving from a single core star to a redundant data center topology. Two data center facilities are geographically separated along a 26 mile community-wide fiber optic ring. Each is designed for Cisco enterprise class switches, running VSS over 10Gbps dedicated fiber optic cable. Core switches support redundancy for firewalls, VPN, Internet Access, WLAN Controllers, and multiple fiber optic WAN rings. The core switches are linked via Cisco 10Gbps switch interfaces to consolidated SAN, Blade Server, and hierarchical data backup systems. Insulated within this enterprise framework are the AMFC systems and networks. Approximately 35 blade-based virtual and physical servers support 8 distinct database, application, and Enterprise Service Bus (ESB) functions. These are maintained in 4 separate computing environments (Prod, Q/A, Dev/Test, DR) and replicated in two data centers. Access to, from, and between these environments is managed by dedicated firewalls. The meter data collection network is comprised of two different wireless communication systems and isolated fiber optic infrastructure. Data is compiled in a Head End System (HES) database application then relayed directly to the Meter Data Management System (MDMS) where it is processed for interface with the Utility Billing System via the ESB. At this time, there are no other internal or external application program interfaces to the AMFC systems. Role based access to systems and components is managed through a combination of ADS, Oracle, VPN, and Application layer credentials, as well as Firewall rules for approximately 40 system users, administrators, and vendor support staff. Cyber security policies and procedures are based on NIST SP800-53 controls. General Requirements Cyber security is a major focus of the IDA implementation. It is critical to ensure meters are not usable as conduits for attacks on other meters or Smart Grid systems and components, end users, external service providers (e.g., telecommunications), or any other interconnected and interdependent device or data system. AMFC systems must protect the privacy of customer-sensitive data and the confidentiality of business- sensitive data in transit and in storage. To this end, the City will contract with a qualified information security assessment firm to verify that security controls, designed into the AMFC project, function as intended and that additional controls, policies, or procedures are identified to mitigate design weaknesses. While the scope of this RFP is limited, the City reserves the right to negotiate with the selected bidder for provision of similar vulnerability assessments of Utilities and other enterprise systems in the future. II) Scope of Work A) Risks and Vulnerabilities Activities related to this independent, objective assessment will be directed to the infrastructure and applications that define the AMFC project. There is no expectation of a broader evaluation of the City’s cyber security posture. However, there are tangent points where AMFC data and systems are exposed to enterprise infrastructure. The Utility Billing System is hosted. PCs, other end user equipment, and wireless mobile devices live on the corporate network. Data backup, DMZ, and VPN environments are shared resources. These tangent points must be considered in the assessment. The assessment will address the risks and vulnerabilities related to:  The integrity of data transmitted from meters through gatekeepers, nodes, backhaul equipment, and switches to the HES – It will be confirmed that usage data, event signals, control messages, commands, and other operational data transmitted from meters and field network equipment cannot be intercepted, interpreted, or manipulated. An assessment will be made of the environments with encryption enabled and disabled.  The integrity of Utility customer Personally Identifiable Information (PII) and any premise or usage data that could readily indicate presence or residential activities  The integrity of commands or data (including modifications of code or firmware) transmitted from the HES to network endpoints and meters – It will be confirmed that such information is actually correct and sent from an authentic source.  Unauthorized modifications made in any one endpoint affecting the operations of the network or of other endpoints  Unauthorized remote or local access to systems and components – Social Media/Engineering techniques will be exercised to acquire systems information or credentials.  Cyber security methodologies that are unaligned with recognized best practices and ineffectively applied in vendor products and services  Capabilities for timely, authorized cyber security updates in the face of a changing threat environment  System capabilities for maintaining critical functions in a secure and resilient manner during and after an attack, accident, emergency situation, subsystem failure, or in response to unexpected malicious or accidental inputs  Physical access to meters and other field network endpoints for the purposes of tampering or control  Collecting, protecting, and transmitting for analysis, sufficient forensic and tracking data to support auditing of cyber security, real-time intrusion detection, and incident response in reaction to a malicious or accidental cyber event  Cryptographic operations and key management schemes employed to ensure that compromise of one meter does not impact other deployed meters – Periodic re-keying and revocation functionality will be confirmed.  The existence of extra, installed services or undocumented remote hardware or software access  AMFC firewall configurations and rules and other cyber security boundary management provisions  The integrity of physical and virtual servers, data systems, and databases  User end-device hardware configurations and management  Unauthorized access to or from the AMFC and Electric and Water SCADA system environments – SCADA systems will not be assessed otherwise.  Physical access and to both main and co-located data centers.  Role based security mechanisms for systems and component access  ESB interfaces between the Utility Billing System and the MDMS The AMFC project is bound in its full lifecycle to a set of NIST SP800-53 cyber security control families. Policies, procedures, and compliance artifacts have been developed in the form of a Cyber Security Plan to put NIST principles into effect. To ensure the Plan is adequate in its design and application to the AMFC environment, the assessment will provide an overall evaluation and gap analysis of the Plan. B) Penetration Testing The objective of this phase of the assessment is to actively analyze the following AMFC Production environment targets for configuration and design flaws and critical vulnerabilities: 9 servers running Windows and Linux operating systems 4 application programs 1 Oracle database 1 set of High Availability firewalls 4 field-deployed meters and communications end-points 12 end-user computing devices Where discovered, flaws or vulnerabilities will be exploited without damage to data and systems components to demonstrate their validity and significance. Analysis of field based targets will be carried out from the position of a potential attacker having limited knowledge. Greater knowledge will be made available for internal targets to assess the potential of an internal attack. III) Project Schedule The start date for the assessment is contingent upon final implementation of all IDA infrastructure and processes. The week of August 27 is currently being targeted but has not been set firmly. A degree of flexibility will be required on the part of the selected bidder. IV) Deliverables The IDA assessment will consist of a written draft report, an electronic version of the draft report, a post assessment meeting on site with members of the AMFC project team and the Cyber Security Committee to discuss assessment findings, and a final report. Reports shall address the items listed under Scope of Work in the following format: A) Executive summary of assessment findings including but not limited to:  Overall evaluation of the integrity of the AMFC cyber security boundary  Evaluation of the Cyber Security Plan related to NIST requirements  Overall evaluation of the cyber security strength of vendor products  Overall evaluation of cyber security risks to the community  Overall level of complexity to implement recommendations  Overall results of Penetration Testing  A perspective on staff and resource requirements related to near-term remediation efforts and the long-term effort to maintain cyber security vigilance and adaptation to new threats and risks.  Recommendations for implementation of additional layers of security hardware and software. B) Detailed Findings And Recommendations to include but not limited to:  Identification and quantification of vulnerabilities  Categorization and rating of risks associated with each vulnerability  Technical and business risks associated with vulnerabilities  Technical details regarding each issue discovered  Prioritized set of recommended remedial actions to limit security risks and to eliminate vulnerabilities that could be exploited  Exploit attempts (both successful and unsuccessful)  Supporting documentation (e.g., scanning results, audit logs, etc.) C) Final Report  Six (6) bound printed copies of the final assessment report  One (1) electronic copy of the final assessment report  An electronic copy of data collected during the assessment (network scans, packet captures. etc.); separate from the final assessment report. V) Method of Payment The payment schedule will be driven by Delivery milestones. The assessment will be considered 80% complete at the point of delivery of the draft report and on-site discussion with members of the AMFC project team and the Cyber Security Committee. The selected bidder will be entitled to present an invoice for payment in the amount of 80% of the agreed to total cost of the assessment. Payment for the remaining 20% of the contract will be authorized upon acceptance of the Final Report and accompanying documentation. VI) Submittal Requirements A) It is recommended that you limit the total length of your proposal to a maximum of forty (40) pages (excluding covers and dividers but including resumes and project descriptions). Pages shall be 8-1/2” x 11” single-sided, with a minimum 11-point font. The proposal may include up to four (4) - 11” x 17” sheets, which will count towards the 40-page total. B) Submit a total of six paper (6) copies of your proposal, with one copy marked as the original copy. Also provide a single copy of the proposal in Adobe Acrobat PDF© format on a separate disk. The selected bidder will be required to execute a non-disclosure agreement with the City that covers this effort from start to finish and will not release any information obtained as part of this study to anyone other than the City of Fort Collins IT Department. The response to this RFP shall consist of the following sections: 1. Executive Summary 2. Corporate Background and Experience 3. Financial Statement 4. Project Staffing and Organization 5. Technical Approach 6. Cost Proposal 1. Executive Summary – This section shall consist of the proposal cover letter, highlighting the contents of this proposal, and bearing the authorized representative's signature. State your understanding of the City’s needs. Summarize your firm’s qualifications for providing these services in a timely manner. Include any material assumptions that either enhance or limit service performance. 2. Corporate Background and Experience – This section shall provide a history of your firm as relevant to the purpose and scope of this RFP. A list of references (including contact persons and telephone numbers) for which similar work has been performed shall be included. 3. Financial Statement – The section shall provide the most recently audited financial statement or similar evidence of financial stability. 4. Project Staffing and Organization – This section must include the proposed staffing, deployment, and organization of personnel to be assigned to this project. Include resumes and any recommendation or commendation letters received from recipients of your services in the past 4 years. List any applicable professional certifications. 5. Technical Approach – This section shall include, in narrative, outline, and/or graph form the proposed approach to accomplishing the tasks outlined in the Scope of Work section of this RFP. A description of each task and deliverable and the schedule for accomplishing each shall be included. Provide detailed requirements of City staff for support and any additional hardware, software, or office space needs. 6. Cost Proposal – The cost of each work activity defined in Sections A and B under the Scope of Work must be identified separately. Proposal costs must include: a. Personnel costs (including hourly rates and total hours) b. Travel and Subsistence Expenses c. Subcontractor Costs (if any) d. Other Costs (e.g., office expenses) e. TOTAL COST: A total not to exceed cost representing the maximum amount for all work to be performed must be clearly indicated under this heading. Proposals must be received no later than 3:00 p.m. (our clock), July 17, 2012 at: City of Fort Collins – Purchasing and Risk Management Division 215 North Mason Street P.O. Box 580 Fort Collins, CO 80524 (970) 221-6775 C) Contact Information 1. Questions related to RFP and procurement procedures should be directed to: City of Fort Collins Opal Dick, CPPO - Senior Buyer Purchasing Division P.O. Box 580 Fort Collins, CO 80522 (970) 221 - 6778 odick@fcgov.com 2. Questions related to the scope of work or the project in general should be directed to: Paul Folger – Infrastructure Services Director City of Fort Collins IT Department 215 N. Mason Street P.O. Box 580 Fort Collins, CO 80522 (970) 416 - 2777 pfolger@fcgov.com VII) Selection Criteria and Method Professional firms will be evaluated on the following criteria. These criteria will be the basis for review of the written proposals and optional interview session. At discretion of the City, interviews of top rated firms may be held. The rating scale shall be from 1 to 5, with 1 being a poor rating, 3 being an average rating, and 5 being an outstanding rating. WEIGHTING FACTOR QUALIFICATION STANDARD 2.0 Scope of Proposal Does the proposal show an understanding of the project objective, methodology to be used and results that are desired from the project? 2.0 Assigned Personnel Do the persons who will be working on the project have the necessary skills? Are sufficient people of the requisite skills assigned to the project? 1.0 Availability Can the work be completed in the necessary time? Can the target start and completion dates be met? Are other qualified personnel available to assist in meeting the project schedule if required? Is the project team available to attend meetings as required by the Scope of Work? 1.0 Motivation Is the firm interested and are they capable of doing the work in the required time frame? 2.0 Cost and Work Hours Do the proposed cost and work hours compare favorably with the project Manager's estimate? Are the work hours presented reasonable for the effort required in each project task or phase? 2.0 Firm Capability Does the firm have the support capabilities the assigned personnel require? Has the firm performed this type of work previously? REFERENCE EVALUATION (TOP RATED FIRM) A City IT representative will check references using the following criteria. The evaluation rankings will be labeled Satisfactory/Unsatisfactory. QUALIFICATION STANDARD Overall Performance Would you hire this Professional again? Did they show the skills required by this project? Timetable Was the original Scope of Work completed within the specified time? Were interim deadlines met in a timely manner? Completeness Was the Professional responsive to client needs; did the Professional anticipate problems? Were problems solved quickly and effectively? Budget Was the original Scope of Work completed within the project budget? Job Knowledge a) If a study, did it meet the Scope of Work? b) If Professional administered a construction contract, was the project functional upon completion and did it operate properly? Were problems corrected quickly and effectively? VIII) Schedule Written proposals will be evaluated by the City’s Selection Committee, and three (3) firms will be selected for interviews based upon the Committee’s recommendations. RFP Submittal Deadline: July, 17 2012 Review and Selection of Contractor Deadline: August, 03 2012 Contracting and Scope of Work Negotiation Deadline: August 17, 2012 Notice to Proceed: August 20, 2012 ATTACHMENT A 1.0 REQUIRED FEDERAL PROVISIONS 1.1 DOE Requirements. DOE requires specific contract terms for the purpose of making audit, examination, excerpts, and transcriptions. Contractor is required to retain all required records for three years after the City makes final payments and all other pending matters are closed. Contractor shall submit all records, data, information and reports to the City required in the Agreement, containing Confidential Information which Contractor does not want disclosed to the public or used by DOE or any other Governmental Authority for any purpose other than in connection with this Agreement and the Project, marked conspicuously with the following notice or with a notice or label of substantially the same effect: “Notice of Restriction on Disclosure and Use of Data The data contained in pages ----of this [designate material] have been submitted in confidence and contain trade secrets or proprietary information, and such data shall be used or disclosed only for evaluation purposes, provided that DOE shall have the right to use or disclose the data here to the extent provided in the DOE Grant Agreement. This restriction does not limit the Federal government’s right to use or disclose data obtained without restriction from any source, including Contractor. 1.1.2 Clean Air Act: Contractor will comply with all applicable standards, orders, or requirements issued under section 306 of the Clean Air Act (42 U.S.C. 1857(h)), section 508 of the Clean Water Act (33 U.S.C. 1368), Executive Order 11738, and Environmental Protection Agency regulations (40 CFR part 15). 1.1.3 Energy Policy and Conservation Act: Contractor will comply with mandatory standards and policies relating to energy efficiency which are contained in the state energy conservation plan issued in compliance with the Energy Policy and Conservation Act (Pub. L. 94–163, 89 Stat. 871). 1.1.4 Intellectual Property. Contractor may copyright any work that is subject to copyright and is developed by Contractor under the Agreement. To the extent specifically permitted under Applicable Law, DOE reserves a royalty-free, nonexclusive and irrevocable right to reproduce, publish or otherwise use any copyrightable work developed by Contractor under this Agreement for Federal purposes and to authorize others to do so. DOE has the right to: (1) obtain, reproduce, publish or otherwise use the data first produced under this Agreement; and (2) authorize others to receive, reproduce, publish or otherwise use such data for Federal purposes. 1.1.5 Debarment and Suspension. Contractor shall comply with requirements regarding debarment and suspension in Subpart C of 2 C.F.R. parts 180 and 901. 1.1.6 Lobbying Restrictions. Contractor shall comply with the restrictions on lobbying in 31 U.S.C. 1352, as implemented by the DOE at 10 C.F.R. Part 601, and shall submit all disclosures required by Law. In addition, Contractor shall comply with the prohibition in 18 U.S.C. 1913 on the use of Federal funds, absent express Congressional authorization, to pay directly or indirectly for any service, advertisement or other written matter, telephone communication, or other device intended to influence at any time a Member of Congress or official of any government concerning any legislation, Law, policy, appropriation, or ratification. 1.1.7 Officials Not to Benefit. Contractor shall comply with the requirement that no member of Congress shall be admitted to any share or part of this Agreement, or to any benefit arising from it, in accordance with 41 U.S.C. 22. 1.2 Civil Rights Requirements. The following requirements apply to the underlying contract: 1.2.1 Nondiscrimination. In accordance with Title VI of the Civil Rights Act, as amended, 42 U.S.C. § 2000d, section 303 of the Age Discrimination Act of 1975, as amended, 42 U.S.C. § 6102, section 202 of the Americans with Disabilities Act of 1990, 42 U.S.C. § 12132, and Federal transit law at 49 U.S.C. § 5332, the Contractor agrees that it will not discriminate against any employee or applicant for employment because of race, color, creed, national origin, sex, age, or disability. In addition, the Contractor agrees to comply with applicable Federal implementing regulations and other implementing requirements DOE may issue. 1.2.2 Equal Employment Opportunity. The following equal employment opportunity requirements apply to the underlying contract: (a) Race, Color, Creed, National Origin, Sex - In accordance with Title VII of the Civil Rights Act, as amended, 42 U.S.C. § 2000e, and Federal transit laws at 49 U.S.C. § 5332, the Contractor agrees to comply with all applicable equal employment opportunity requirements of U.S. Department of Labor (U.S. DOL) regulations, "Office of Federal Contract Compliance Programs, Equal Employment Opportunity, Department of Labor," 41 C.F.R. Parts 60 et seq., (which implement Executive Order No. 11246, "Equal Employment Opportunity," as amended by Executive Order No. 11375, "Amending Executive Order 11246 Relating to Equal Employment Opportunity," 42 U.S.C. § 2000e note), and with any applicable Federal statutes, executive orders, regulations, and Federal policies that may in the future affect construction activities undertaken in the course of the Project. The Contractor agrees to take affirmative action to ensure that applicants are employed, and that employees are treated during employment, without regard to their race, color, creed, national origin, sex, or age. Such action shall include, but not be limited to, the following: employment, upgrading, demotion or transfer, recruitment or recruitment advertising, layoff or termination; rates of pay or other forms of compensation; and selection for training, including apprenticeship. In addition, the Contractor agrees to comply with any implementing requirements DOE may issue. (b) Age. In accordance with section 4 of the Age Discrimination in Employment Act of 1967, as amended, 29 U.S.C. § § 623 and Federal transit law at 49 U.S.C. § 5332, the Contractor agrees to refrain from discrimination against present and prospective employees for reason of age. In addition, the Contractor agrees to comply with any implementing requirements DOE may issue. (c) Disabilities. In accordance with section 102 of the Americans with Disabilities Act, as amended, 42 U.S.C. § 12112, the Contractor agrees that it will comply with the requirements of U.S. Equal Employment Opportunity Commission, "Regulations to Implement the Equal Employment Provisions of the Americans with Disabilities Act," 29 C.F.R. Part 1630, pertaining to employment of persons with disabilities. In addition, the Contractor agrees to comply with any implementing requirements DOE may issue. 1.2.3(3) Subcontracts. The Contractor also agrees to include these requirements in each subcontract financed in whole or in part with Federal assistance provided by DOE, modified only if necessary to identify the affected parties. 1.3 Clean Water Act. The Contractor agrees to comply with all applicable standards, orders or regulations issued pursuant to the Federal Water Pollution Control Act, as amended, 33 U.S.C. 1251 et seq. The Contractor agrees to report each violation to the City and understands and agrees that the City will, in turn, report each violation as required to assure notification to DOE and the appropriate EPA Regional Office. 1.4 Cargo Preference Requirements. To the extent required under the ARRA or other Applicable Law for this Project, the Contractor agrees: a) to use privately owned United States-Flag commercial vessels to ship at least 50 percent of the gross tonnage (computed separately for dry bulk carriers, dry cargo liners, and tankers) involved, whenever shipping any equipment, material, or commodities pursuant to the underlying contract to the extent such vessels are available at fair and reasonable rates for United States-Flag commercial vessels; b) to furnish within 20 working days following the date of loading for shipments originating within the United States or within 30 working days following the date of leading for shipments originating outside the United States, a legible copy of a rated, "on-board" commercial ocean bill-of -lading in English for each shipment of cargo described in the preceding paragraph to the Division of National Cargo, Office of Market Development, Maritime Administration, Washington, DC 20590 and to the DOE recipient (through the contractor in the case of a subcontractor's bill-of-lading.); and c) to include these requirements in all subcontracts issued pursuant to this contract when the subcontract may involve the transport of equipment, material, or commodities by ocean vessel. 1.5 Project Reporting and Information Requirements. Contractor and its personnel shall cooperate with and provide all records, data, information and reports requested by the City, in the form and format and within the timeframes requested by the City, in order to enable the City to comply with the DOE Grant Agreement reporting and information requirements for the Project. Contractor shall also provide the City with any backup or additional documentation required by DOE or any other Governmental Authority. 1.5.1 Final Cost Audit. In accordance with Applicable Law and the Federal Assistance Reporting Checklist, DOE F 4600.2, DOE reserves the right under the DOE Grant Agreement to initiate a final incurred cost audit in connection with the City’s Project. Contractor and its personnel shall cooperate with, and make all necessary AMI System and Contractor cost data and documents available to the City and/or to any representative of DOE or any other Governmental Authority for purposes of such audit. 1.5.2 Job Creation and Retention Reporting. Contractor shall provide the City with all AMI System and Contractor information, in the format and within the timeframe, requested by the City to enable the City to complete and timely submit to DOE reports, information and data regarding the City’s Project job creation and retention, including without limitation, monthly and/or quarterly cumulative and/or current reports, as applicable, on AMI System and Contractor Services jobs created and retained at the “contractor” or “Contractor” level by Contractor, as required for the City to comply with the Federal Assistance Reporting Checklist, DOE F 4600.2 and the ARRA Section 1512 reporting requirements under the DOE Grant Agreement. 1.5.3 Final Close-Out Report. Contractor shall provide the City with all AMI System and Contractor information, in the format and within the timeframe, requested by the City to enable the City to complete and timely submit to DOE reports, information and data at the end of the DOE Grant Agreement performance period regarding Project completion. Contractor will complete a final close-out report which shall include such information and detail as the City, DOE or any other Governmental Authority shall request regarding the Project and Contractor services. If the AMI System and the Contractor services are completed or terminated prior to Project completion, Contractor shall provide the City with a final report of the AMI System and the Contractor services through the date of termination of this Agreement. 1.5.4 No Obligation by the Federal Government: The Purchaser and Contractor acknowledge and agree that, notwithstanding any concurrence by the Federal Government in or approval of the solicitation or award of the underlying contract, absent the express written consent by the Federal Government, the Federal Government is not a party to this contract and shall not be subject to any obligations or liabilities to the Purchaser, Contractor, or any other party (whether or not a party to that contract) pertaining to any matter resulting from the underlying contract. The Contractor agrees to include the above clause in each subcontract financed in whole or in part with Federal assistance provided by DOE. It is further agreed that the clause shall not be modified, except to identify the subcontractor who will be subject to its provisions. 1.5.5 Federal Changes. Subject to Pricing and Time Schedule as provided below, Contractor shall at all times comply with all applicable DOE regulations, policies, procedures and directives, including without limitation those listed directly or by reference in the Grant Agreement between City and DOE, as they may be amended or promulgated from time to time during the term of this contract. 1.5.6 Pricing and Time Schedule: The price(s) and time schedule(s) set forth herein are based on applicable laws, rules, regulations, orders or requirements of governmental authorities and other applicable codes and standards effective on the day prior to the date of Contractor’ bid, proposal, quote or other response to the City’s initial solicitation or inquiry. Any change to any law, rule, regulation, order, code, standard or requirement (including any changes in application or interpretation thereof) which requires any change or addition to the work hereunder shall entitle Contractor to an equitable adjustment in the Agreement price(s) and time schedule(s). 1.6 American Recovery and Reinvestment Act of 2009. The following provisions of ARRA shall apply: 1.6.1 Procurement Provisions: This contract is funded by the ‘‘American Recovery and Reinvestment Act of 2009’’ (ARRA). In compliance with the ARRA contractors and subcontractor must adhere to the following provisions: 1.6.2 Prohibition Against Employing Illegal Aliens. Contractor will comply with Section 8-17.5-101, C.R.S., et. seq., requiring, among other things, that Contractor will not knowingly employ or contract with an illegal alien who will perform work under the Agreement. Contractor will participate in either the e-Verify program created in Public Law 208, 104th Congress, as amended, and expanded in Public Law 156, 108th Congress, as amended, administered by the United States Department of Homeland Security (the “e-Verify Program”) or the Department Program (the “Department Program”), an employment verification program established pursuant to Section 8-17.5-102(5)(c) C.R.S. in order to confirm the employment eligibility of all newly hired employees to perform work under the Agreement. ‘‘American Recovery and Reinvestment Act of 2009’’ Procurement Provisions: This contract is funded by the ‘‘American Recovery and Reinvestment Act of 2009’’ (ARRA). In compliance with the ARRA contractors and subcontractor must adhere to the following provisions: ARRA TITLE XV—ACCOUNTABILITY AND TRANSPARENCY BUY AMERICAN SEC. 1605. USE OF AMERICAN IRON, STEEL, AND MANUFACTURED GOODS. (a) None of the funds appropriated or otherwise made available by this Act may be used for a project for the construction, alteration, maintenance, or repair of a public building or public work unless all of the iron, steel, and manufactured goods used in the project are produced in the United States. (b) Subsection (a) shall not apply in any case or category of cases in which the head of the Federal department or agency involved finds that— (1) applying subsection (a) would be inconsistent with the public interest; (2) iron, steel, and the relevant manufactured goods are not produced in the United States in sufficient and reasonably available quantities and of a satisfactory quality; or (3) inclusion of iron, steel, and manufactured goods produced in the United States will increase the cost of the overall project by more than 25 percent. (c) If the head of a Federal department or agency determines that it is necessary to waive the application of subsection (a) based on a finding under subsection (b), the head of the department or agency shall publish in the Federal Register a detailed written justification as to why the provision is being waived. (d) This section shall be applied in a manner consistent with United States obligations under international agreements. ECONOMIC STABILIZATION CONTRACTING SEC. 1611. HIRING AMERICAN WORKERS IN COMPANIES RECEIVING TARP FUNDING. (a) SHORT TITLE.—This section may be cited as the ‘‘Employ American Workers Act’’. (b) PROHIBITION.— (1) IN GENERAL.—Notwithstanding any other provision of law, it shall be unlawful for any recipient of funding under title I of the Emergency Economic Stabilization Act of 2008 (Public Law 110–343) or section 13 of the Federal Reserve Act (12 U.S.C. 342 et seq.) to hire any nonimmigrant described in section 101(a)(15)(h)(i)(b) of the Immigration and Nationality Act (8 U.S.C. 1101(a)(15)(h)(i)(b)) unless the recipient is in compliance with the requirements for an H–1B dependent employer (as defined in section 212(n)(3) of such Act (8 U.S.C.1182(n)(3))), except that the second sentence of section 212(n)(1)(E)(ii) of such Act shall not apply. (2) DEFINED TERM.—In this subsection, the term ‘‘hire’’ means to permit a new employee to commence a period of employment. PROFESSIONAL SERVICES AGREEMENT THIS AGREEMENT made and entered into the day and year set forth below, by and between THE CITY OF FORT COLLINS, COLORADO, a Municipal Corporation, hereinafter referred to as the "City" and , hereinafter referred to as "Professional". WITNESSETH: In consideration of the mutual covenants and obligations herein expressed, it is agreed by and between the parties hereto as follows: 1. Scope of Services. The Professional agrees to provide services in accordance with the scope of services attached hereto as Exhibit "A", consisting of ( ) pages, and incorporated herein by this reference. 2. The Work Schedule. [Optional] The services to be performed pursuant to this Agreement shall be performed in accordance with the Work Schedule attached hereto as Exhibit "B", consisting of ( ) pages, and incorporated herein by this reference. 3. Contract Period. The services to be performed pursuant to this Agreement shall be initiated within five (5) days following execution of this Agreement. Services shall be completed no later than , 20 . Time is of the essence. Any extensions of the time limit set forth above must be agreed upon in writing by the parties hereto. 4. Early Termination by City. Notwithstanding the time periods contained herein, the City may terminate this Agreement at any time without cause by providing written notice of termination to the Professional. Such notice shall be delivered at least fifteen (15) days prior to the termination date contained in said notice unless otherwise agreed in writing by the parties. All notices provided under this Agreement shall be effective when mailed, postage prepaid and sent to the following addresses: Professional: City: City of Fort Collins Attn: PO Box 580 Fort Collins, CO 80522 With Copy to: City of Fort Collins, Purchasing PO Box 580 Fort Collins, CO 80522 In the event of any such early termination by the City, the Professional shall be paid for services rendered prior to the date of termination, subject only to the satisfactory performance of the Professional's obligations under this Agreement. Such payment shall be the Professional's sole right and remedy for such termination. 5. Design, Project Indemnity and Insurance Responsibility. The Professional shall be responsible for the professional quality, technical accuracy, timely completion and the coordination of all services rendered by the Professional, including but not limited to designs, plans, reports, specifications, and drawings and shall, without additional compensation, promptly remedy and correct any errors, omissions, or other deficiencies. The Professional shall indemnify, save and hold harmless the City, its officers and employees in accordance with Colorado law, from all damages whatsoever claimed by third parties against the City; and for the City's costs and reasonable attorneys fees, arising directly or indirectly out of the Professional's negligent performance of any of the services furnished under this Agreement. The Professional shall maintain commercial general liability insurance in the amount of $500,000 combined single limits and errors and omissions insurance in the amount of $ . 6. Compensation. [Use this paragraph or Option 1 below.] In consideration of the services to be performed pursuant to this Agreement, the City agrees to pay Professional a fixed fee in the amount of ($ ) plus reimbursable direct costs. All such fees and costs shall not exceed ($ ). Monthly partial payments based upon the Professional's billings and itemized statements are permissible. The amounts of all such partial payments shall be based upon the Professional's City-verified progress in completing the services to be performed pursuant hereto and upon the City's approval of the Professional's actual reimbursable expenses. [Optional] Insert Subcontractor Clause Final payment shall be made following acceptance of the work by the City. Upon final payment, all designs, plans, reports, specifications, drawings, and other services rendered by the Professional shall become the sole property of the City. 6. Compensation. [Option 1] In consideration of the services to be performed pursuant to this Agreement, the City agrees to pay Professional on a time and reimbursable direct cost basis according to the following schedule: Hourly billing rates: Reimbursable direct costs: with maximum compensation (for both Professional's time and reimbursable direct costs) not to exceed ($ ). Monthly partial payments based upon the Professional's billings and itemized statements of reimbursable direct costs are permissible. The amounts of all such partial payments shall be based upon the Professional's City-verified progress in completing the services to be performed pursuant hereto and upon the City's approval of the Professional's reimbursable direct costs. Final payment shall be made following acceptance of the work by the City. Upon final payment, all designs, plans, reports, specifications, drawings and other services rendered by the Professional shall become the sole property of the City. 7. City Representative. The City will designate, prior to commencement of work, its project representative who shall make, within the scope of his or her authority, all necessary and proper decisions with reference to the project. All requests for contract interpretations, change orders, and other clarification or instruction shall be directed to the City Representative. 8. Project Drawings. [Optional] Upon conclusion of the project and before final payment, the Professional shall provide the City with reproducible drawings of the project containing accurate information on the project as constructed. Drawings shall be of archival, prepared on stable Mylar base material using a non-fading process to provide for long storage and high quality reproduction. "CD" disc of the as-built drawings shall also be submitted to the City in an AutoCAD version no older then the established city standard. 9. Monthly Report. Commencing thirty (30) days after the date of execution of this Agreement and every thirty (30) days thereafter, Professional is required to provide the City Representative with a written report of the status of the work with respect to the Scope of Services, Work Schedule, and other material information. Failure to provide any required monthly report may, at the option of the City, suspend the processing of any partial payment request. 10. Independent Contractor. The services to be performed by Professional are those of an independent contractor and not of an employee of the City of Fort Collins. The City shall not be responsible for withholding any portion of Professional's compensation hereunder for the payment of FICA, Workers' Compensation, other taxes or benefits or for any other purpose. 11. Personal Services. It is understood that the City enters into this Agreement based on the special abilities of the Professional and that this Agreement shall be considered as an agreement for personal services. Accordingly, the Professional shall neither assign any responsibilities nor delegate any duties arising under this Agreement without the prior written consent of the City. 12. Acceptance Not Waiver. The City's approval of drawings, designs, plans, specifications, reports, and incidental work or materials furnished hereunder shall not in any way relieve the Professional of responsibility for the quality or technical accuracy of the work. The City's approval or acceptance of, or payment for, any of the services shall not be construed to operate as a waiver of any rights or benefits provided to the City under this Agreement. 13. Default. Each and every term and condition hereof shall be deemed to be a material element of this Agreement. In the event either party should fail or refuse to perform according to the terms of this agreement, such party may be declared in default. 14. Remedies. In the event a party has been declared in default, such defaulting party shall be allowed a period of ten (10) days within which to cure said default. In the event the default remains uncorrected, the party declaring default may elect to (a) terminate the Agreement and seek damages; (b) treat the Agreement as continuing and require specific performance; or (c) avail himself of any other remedy at law or equity. If the non-defaulting party commences legal or equitable actions against the defaulting party, the defaulting party shall be liable to the non-defaulting party for the non-defaulting party's reasonable attorney fees and costs incurred because of the default. 15. Binding Effect. This writing, together with the exhibits hereto, constitutes the entire agreement between the parties and shall be binding upon said parties, their officers, employees, agents and assigns and shall inure to the benefit of the respective survivors, heirs, personal representatives, successors and assigns of said parties. 16. Law/Severability. The laws of the State of Colorado shall govern the construction, interpretation, execution and enforcement of this Agreement. In the event any provision of this Agreement shall be held invalid or unenforceable by any court of competent jurisdiction, such holding shall not invalidate or render unenforceable any other provision of this Agreement. 17. Prohibition Against Employing Illegal Aliens. Pursuant to Section 8-17.5-101, C.R.S., et. seq., Professional represents and agrees that: a. As of the date of this Agreement: 1. Professional does not knowingly employ or contract with an illegal alien who will perform work under this Agreement; and 2. Professional will participate in either the e-Verify program created in Public Law 208, 104th Congress, as amended, and expanded in Public Law 156, 108th Congress, as amended, administered by the United States Department of Homeland Security (the “e-Verify Program”) or the Department Program (the “Department Program”), an employment verification program established pursuant to Section 8-17.5-102(5)(c) C.R.S. in order to confirm the employment eligibility of all newly hired employees to perform work under this Agreement. b. Professional shall not knowingly employ or contract with an illegal alien to perform work under this Agreement or knowingly enter into a contract with a subcontractor that knowingly employs or contracts with an illegal alien to perform work under this Agreement. c. Professional is prohibited from using the e-Verify Program or Department Program procedures to undertake pre-employment screening of job applicants while this Agreement is being performed. d. If Professional obtains actual knowledge that a subcontractor performing work under this Agreement knowingly employs or contracts with an illegal alien, Professional shall: 1. Notify such subcontractor and the City within three days that Professional has actual knowledge that the subcontractor is employing or contracting with an illegal alien; and 2. Terminate the subcontract with the subcontractor if within three days of receiving the notice required pursuant to this section the subcontractor does not cease employing or contracting with the illegal alien; except that Professional shall not terminate the contract with the subcontractor if during such three days the subcontractor provides information to establish that the subcontractor has not knowingly employed or contracted with an illegal alien. e. Professional shall comply with any reasonable request by the Colorado Department of Labor and Employment (the “Department”) made in the course of an investigation that the Department undertakes or is undertaking pursuant to the authority established in Subsection 8-17.5-102 (5), C.R.S. f. If Professional violates any provision of this Agreement pertaining to the duties imposed by Subsection 8-17.5-102, C.R.S. the City may terminate this Agreement. If this Agreement is so terminated, Professional shall be liable for actual and consequential damages to the City arising out of Professional’s violation of Subsection 8-17.5-102, C.R.S. g. The City will notify the Office of the Secretary of State if Professional violates this provision of this Agreement and the City terminates the Agreement for such breach. 18. Red Flags Rules. Professional must implement reasonable policies and procedures to detect, prevent and mitigate the risk of identity theft in compliance with the Identity Theft Red Flags Rules found at 16 Code of Federal Regulations part 681. Further, Professional must take appropriate steps to mitigate identity theft if it occurs with one or more of the City’s covered accounts and must as expeditiously as possible notify the City in writing of significant breeches of security or Red Flags to the Utilities or the Privacy Committee. 19. Special Provisions. Special provisions or conditions relating to the services to be performed pursuant to this Agreement are set forth in Exhibit “ “ - Confidentiality, consisting of one (1) page, attached hereto and incorporated herein by this reference. THE CITY OF FORT COLLINS, COLORADO By: _________________________________ James B. O'Neill II, CPPO, FNIGP Director of Purchasing & Risk Management DATE: ______________________________ ATTEST: _________________________________ City Clerk APPROVED AS TO FORM: ________________________________ Assistant City Attorney [Insert Professional's name] or [Insert Partnership Name] or [Insert individual's name] or Doing business as [insert name of business] By: __________________________________ Title: _______________________________ CORPORATE PRESIDENT OR VICE PRESIDENT Date: _______________________________ ATTEST: _________________________________ (Corporate Seal) Corporate Secretary EXHIBIT “ ” CONFIDENTIALITY IN CONNECTION WITH SERVICES provided to the City of Fort Collins (the “City”) pursuant to this Agreement (the “Agreement”), the Professional hereby acknowledges that it has been informed that the City has established policies and procedures with regard to the handling of confidential information and other sensitive materials. In consideration of access to certain information, data and material (hereinafter individually and collectively, regardless of nature, referred to as “information”) that are the property of and/or relate to the City or its employees, customers or suppliers, which access is related to the performance of services that the Professional has agreed to perform, the Professional hereby acknowledges and agrees as follows: That information that has or will come into its possession or knowledge in connection with the performance of services for the City may be confidential and/or proprietary. The Professional agrees to treat as confidential (a) all information that is owned by the City, or that relates to the business of the City , or that is used by the City in carrying on business, and (b) all information that is proprietary to a third party (including but not limited to customers and suppliers of the City) . The Professional shall not disclose any such information to any person not having a legitimate need-to-know for purposes authorized by the City. Further, the Professional shall not use such information to obtain any economic or other benefit for itself, or any third party, except as specifically authorized by the City. The foregoing to the contrary notwithstanding, the Professional understands that it shall have no obligation under this Agreement with respect to information and material that (a) becomes generally known to the public by publication or some means other than a breach of duty of this Agreement, or (b) is required by law, regulation or court order to be disclosed, provided that the request for such disclosure is proper and the disclosure does not exceed that which is required. In the event of any disclosure under (b) above, the Professional shall furnish a copy of this Agreement to anyone to whom it is required to make such disclosure and shall promptly advise the City in writing of each such disclosure. In the event that the Professional ceases to perform services for the City, or the City so requests for any reason, the Professional shall promptly return to the City any and all information described hereinabove, including all copies, notes and/or summaries (handwritten or mechanically produced) thereof, in its possession or control or as to which it otherwise has access. The Professional understands and agrees that the City’s remedies at law for a breach of the Professional’s obligations under this Confidentiality Agreement may be inadequate and that the City shall, in the event of any such breach, be entitled to seek equitable relief (including without limitation preliminary and permanent injunctive relief and specific performance) in addition to all other remedies provided hereunder or available at law.