RFP 8155 Cybersecurity Vulnerability Assessment Page 1 of 20
REQUEST FOR PROPOSAL
8155 CYBERSECURITY VULNERABILITY ASSESSMENT
The City of Fort Collins is seeking the services of qualified consultants to assist City staff with
conducting an assessment of the effectiveness of Fort Collins Utilities Water Resources and Treatment
Industrial Control System (WR&T ICS) cybersecurity controls.
As part of the City’s commitment to Sustainable Purchasing, proposal submission via email is
preferred. Proposals shall be submitted in a single Microsoft Word or PDF file under 20MB and
e-mailed to: purchasing@fcgov.com. If electing to submit hard copy proposals instead, seven (7)
copies will be received at the City of Fort Collins' Purchasing Division, 215 North Mason St., 2nd floor,
Fort Collins, Colorado 80524. Proposals must be received before 3:00 p.m. (our clock), August
17, 2015 and referenced as Proposal No. 8155. If delivered, they are to be sent to 215 North Mason
Street, 2nd Floor, Fort Collins, Colorado 80524. If mailed, the address is P.O. Box 580, Fort Collins,
80522-0580. Please note, additional time is required for bids mailed to the PO Box to be received
at the Purchasing Office.
The City encourages all Disadvantaged Business Enterprises (DBEs) to submit proposals in response
to all requests for proposals. No individual or business will be discriminated against on the grounds of
race, color, sex, or national origin. It is the City’s policy to create a level playing field on which DBEs
can compete fairly and to ensure nondiscrimination in the award and administration of all contracts.
All questions must be submitted in writing via email to Pat Johnson no later than 5:00 PM our
clock on August 10, 2015. Questions received after this deadline will not be answered.
A copy of the RFP may be obtained at www.rockymountainbidsystem.com.
The City of Fort Collins is subject to public information laws, which permit access to most records and
documents. Proprietary information in your response must be clearly identified and will be protected to
the extent legally permissible. Proposals may not be marked ‘Proprietary’ in their entirety. All
provisions of any contract resulting from this request for proposal will be public information.
New Vendors:
The City requires new vendors receiving awards from the City to fill out and submit an IRS form W-9
and to register for Direct Deposit (Electronic) payment. If needed, the W-9 form and the Vendor Direct
Deposit Authorization Form can be found on the City’s Purchasing website at
www.fcgov.com/purchasing under Vendor Reference Documents.
Sales Prohibited/Conflict of Interest: No officer, employee, or member of City Council, shall have a
financial interest in the sale to the City of any real or personal property, equipment, material, supplies or
services where such officer or employee exercises directly or indirectly any decision-making authority
concerning such sale or any supervisory authority over the services to be rendered. This rule also
applies to subcontracts with the City. Soliciting or accepting any gift, gratuity, favor, entertainment,
kickback or any items of monetary value from any person who has or is seeking to do business with the
City of Fort Collins is prohibited.
Financial Services
Purchasing Division
215 N. Mason St. 2nd Floor
PO Box 580
Fort Collins, CO 80522
970.221.6775
970.221.6707
fcgov.com/purchasing
Collusive or sham proposals: Any proposal deemed to be collusive or a sham proposal will be rejected
and reported to authorities as such. Your authorized signature of this proposal assures that such
proposal is genuine and is not a collusive or sham proposal.
The City of Fort Collins reserves the right to reject any and all proposals and to waive any irregularities
or informalities.
Utilization of Award by Other Agencies: The City of Fort Collins reserves the right to allow other state
and local governmental agencies, political subdivisions, and/or school districts to utilize the resulting
award under all terms and conditions specified and upon agreement by all parties. Usage by any other
entity shall not have a negative impact on the City of Fort Collins in the current term or in any future
terms.
Sustainability: Consulting firms/teams participating in the proposal are to provide an overview of the
organization’s philosophy and approach to Sustainability. In no more than two (2) pages please
describe how your organization strives to be sustainable in the use of materials, equipment, vehicles,
fuel, recycling, office practices, etc. The City of Fort Collins incorporates the Triple Bottom Line into our
decision process by including economic (or financial), environmental, and social factors in our
evaluation.
The selected Service Provider shall be expected to sign the City’s standard Agreement without
revision prior to commencing Services (see sample attached to this Proposal).
Sincerely,
Gerry S. Paul
Director of Purchasing
8155 CYBERSECURITY VULNERABILITY ASSESSMENT
I. PURPOSE
The City of Fort Collins is seeking the services of qualified consultants to assist City staff with
conducting an assessment of the effectiveness of the Fort Collins Utilities Water Resources and
Treatment Industrial Control System (WR&T ICS) cybersecurity controls.
The purpose of this project is to:
1. Establish a basic baseline assessment of the general security state of the Water Resources
and Treatment ICS (Industrial Control System), including an independent 3rd party
assessment of key WR&T components and cybersecurity controls.
2. Develop a prioritized work program to phase in any appropriate WR&T ICS cybersecurity
capability maturity improvements over time.
3. Establish a clear understanding of City staff roles and responsibilities in maintaining the
WR&T ICS security state in a manner consistent with Fort Collins Utilities (FCU)
organizational goals and resources.
4. Pilot replicable methods and procedures to enable similar cybersecurity assessments for
other FCU systems in a manner that does not require significant time commitment by FCU
staff and that can be reasonably accommodated within existing staff resources and work
plan commitments.
City staff have completed an initial high level self-assessment of the WR&T ICS cybersecurity posture
as expressed by the National Institute of Standards and Technology (NIST) SP 800-53 controls by
utilizing the United States Computer Emergency Readiness Team Cybersecurity Evaluation Tool
(USCERT CSET). Staff is seeking 3rd party assistance to help interpret and prioritize the findings of
that initial self-assessment. Staff also seeks a 3rd party assessment and confirmation of the security
configuration and “hardening” of key WR&T ICS system components such as network routers,
database and application servers, and programmable logic controllers.
This assessment will focus on system components and security controls that are specific to the WR&T
ICS rather than enterprise or other FCU shared infrastructure, systems, or process controls.
The system boundary for this assessment is the ICS developed and supported by the WR&T department. This
is comprised of eight (8) facilities of various size and complexity within a ten (10) mile radius.
System components included within the assessment include at a minimum:
Major components:
• Seventy-one (71) Programmable Logic Controllers (PLC) and connected field equipment
• Six (6) Human Machine Interface (HMI) Servers
• Thirty (30) HMI Client Machines
• Four (4) Database Servers
• One (1) Web Application Server
Network components:
• Ten (10) Routers
• Switches
• Copper & Fiber mediums
• Radio Telemetry
II. SCOPE OF SERVICES
A. SCOPE OF WORK
Task 1: Assessment of Cybersecurity Controls. Review and refine staff developed self-assessment
of current cybersecurity controls. Review existing staff generated self-assessment reports created
by using NIST SP 800-53 controls, assist staff in interpreting the findings, and further refine the self-
assessment report documentation.
Task 2: Review WR&T ICS system security architecture. Review the WR&T system network
architecture and boundary protections from a cybersecurity perspective.
Task 3: Assess WR&T System Components Security Configurations. Assess the security
configurations of key WR&T ICS system components such as network routers and servers to verify
such components are appropriately patched and hardened. This task will not include penetration
testing.
Task 4: Finding and Recommendations Report. Develop a report summarizing findings and
recommendations developed from Tasks 1-3. Included shall be a characterization of any
vulnerabilities identified based on the relative probability and impact of such vulnerabilities being
exploited and a prioritized listing of any recommended cybersecurity risk mitigation measures or
actions that may be appropriate to further mature the security state of the WR&T ICS system.
Task 5: Report Presentation. Present findings of report to FCU Management.
B. PROJECT SCHEDULE
Issuance of RFP: August 3, 2015
RFP Questions Due: August 10, 2015
RFP Proposals Due: August 17, 2015
Notice of Short List (tentative): August 21, 2015
Interviews (tentative): Sept. 1-2, 2015
Contracts Signed / Notice to proceed: September 18, 2015
Tasks 1-3 Complete: October 9, 2015
Tasks 4 & 5 Complete: October 31, 2015
C. INTERVIEWS
In addition to submitting a written proposal, finalists may be interviewed by the City of Fort
Collins and asked to do an oral presentation about their company and approach to the future
projects.
D. FEES, TRAVEL & EXPENSES
Submittals shall contain a not to exceed cost for the scope of work. Consultant shall also include
a current fee schedule. A fee schedule for sub-consultants, if used, shall be included as well.
Consultants are to provide a list of fees for reimbursable expenses. Reasonable expenses will
be reimbursable as per the attached Exhibit F Fort Collins Expense Guidelines. Expenses not
identified on the Guidelines will be paid at cost. A reasonable administrative mark-up may be
included with Consultant's submittal.
E. USE OF SUB-CONSULTANTS/PARTNERS
There may be areas for use of sub-consultants or partners from the award of this RFP.
Consultants will be responsible for identifying the sub-consultants necessary during the scope of
work negotiation.
Please keep in mind that the City will contract solely with the Consultant, therefore sub-
consultants/partners remain the sole responsibility of the Consultant.
F. LENGTH OF PROPOSALS
Limit the total length of your proposal to a maximum of 35 pages (8.5 x 11” only) (excluding
covers, table of contents, dividers, sustainability response and proposal acknowledgement
form). The Director of Purchasing may reject proposals received that are longer than 35 pages
in length.
All information packages will be public record and firms shall include no confidential or
proprietary information.
G. REFERENCES
Consultant firms must provide a list of references for a minimum of three (3) municipalities for
whom the proposing firm has managed and administered the municipality’s Grease Interceptor
Inspection Program.
Included shall be the contact names and titles, name of municipality, telephone numbers, email
and mailing address of each reference.
H. AWARD
The intent of the City of Fort Collins Utilities is to award contracts to one qualified consultant for
the services. The selected consultant may be retained by the City of Fort Collins Utilities
annually for up to five years to provide services as they are required.
I. ITEMIZED MONTHLY BILLINGS
All submittals for payment shall be submitted in an itemized format on a quarterly basis with a
copy to the City Project Manager.
III. PROPOSAL SUBMITTAL
Qualified engineering service providers who are interested in performing the work described in this
request for proposals should submit relevant information about their offerings.
Responses should contain the following information at a minimum:
A. EXECUTIVE SUMMARY
The Executive Summary should highlight the content of the proposal and features of the
program offered, including a general description of the program and any unique aspects or
benefits provided by your firm.
B. CONSULTANT INFORMATION AND FIRM CAPABILITY
1. Provide contact information for the company including the primary contact name and title,
mailing address, phone number, and email address. Complete the attached Exhibit A -
Proposal Acknowledgment Form.
2. Describe the Company’s business and background, including the size, location, capacity,
type of firm, details about ownership and year established.
3. Describe the company’s structure, including an organizational chart of all management and
technical staff to be involved with the City.
4. Provide your firm’s qualifications to perform the consulting services described above.
Provide a short explanation of Consultant experiences dealing with cybersecurity
vulnerability assessment, risk management, and information assurance in the context of
municipal utilities.
5. There may be areas for use of sub-consultants in this project. If you are utilizing this
approach, your proposal must list the sub-consultant firm for this contract, their area(s) of
expertise, and include all other applicable information herein requested for each sub-
consultant. Identify what portion of work, if any, may be subcontracted. Provide examples of
at least two projects where you’ve worked with the sub-consultants.
6. List similar projects completed over the past 5 years by key members of your proposed
team, including sub-consultants. Include the owner’s name, title of project, beginning price,
ending price, sub-consultants on the team and a brief description of the work and any
change orders.
7. Provide references from at least three other projects with similar requirements that have
been completed within the past five years and that have involved the staff proposed to work
on this project. References contained in Consultant’s submittal are an intricate part of
consultant’s qualifications. References must be accurate. The Consultant authorizes City to
verify any and all information contained in the Consultant’s submittal from references
contained herein and hereby releases all those concerned providing information as a
reference from any liability in connection with any information they give.
C. SCOPE OF PROPOSAL
1. Provide a detailed narrative of the services your firm proposes to provide if awarded the
contract. The narrative should include any options that may be beneficial for Utilities to
consider.
2. Describe how the WR&T ICS Cybersecurity Controls Assessment Project would be
managed and who would have primary responsibility for its timely and professional
completion.
3. Describe the anticipated interaction with the City. Include any resources you would expect
City staff to provide.
4. Include a description of any software and other tools to be used to evaluate system
component security configurations and other vulnerability assessment activities.
5. Detail experience your proposed team has with working with organizations composed of
multiple separate operating units each with varying levels of cybersecurity management
capability maturity, risk profile, and risk tolerance.
6. Identify the firm’s approach to measuring and verifying value delivered.
D. AVAILABILITY
Tasks 1-3 of this project should be completed by October 9, 2015. Describe the availability of
project personnel to participate in this project in the context of the Consultant firm’s other
commitments.
Provide a schedule for the work, estimating the number of hours for each proposed or optional
task, including the time required for meetings, conference calls, etc.
E. SUSTAINABILITY/TBL METHODOLOGY
In no more than two (2) pages please describe how your organization strives to be Sustainable
in the use of materials, equipment, vehicles, fuel, recycling, office practices, etc. Address how
your firm incorporates Triple Bottom Line (TBL) into the workplace; see below in Section IV:
Review and Assessment for additional information.
F. COST AND WORK HOURS
Submittals shall contain a not to exceed cost for the scope of work. Fee Schedules for
Consultant and sub-consultants are to be included. A list of reimbursables, if needed (include
rates for meetings or conference calls), is to be included as well as any markups.
Travel Expenses shall be per the Fort Collins’ Expense Guidelines, attached as Exhibit F.
Additional travel expenses shall be detailed in the submittal if the City will be invoiced for them.
G. ASSIGNED PERSONNEL
1. Provide individual references for key personnel proposed to work under this agreement from
three other projects with similar requirements that have been completed within the past five
years. References contained in Consultant’s submittal are an intricate part of consultant’s
qualifications. References must be accurate. The Consultant authorizes City to verify any
and all information contained in the Consultant’s submittal from references contained herein
and hereby releases all those concerned providing information as a reference from any
liability in connection with any information they give.
2. Submit qualifications and detailed resumes of individuals proposed to fill key positions
highlighting experience in municipal design and construction. The commitment of key staff is
critical to the City of Fort Collins and the success of this project. It is the City’s expectation
that staff assigned to the project will remain throughout the project and act as the City’s key
resources. Please limit resumes to one-half page.
3. Some functions of this project may require the use of sub-consultants. Provide resumes for
sub-consultant’s key personnel. Provide examples of at least two projects where key
personnel from sub-consultants have been part of your project team. Please limit resumes
to one-half page.
H. ADDITIONAL INFORMATION
Provide any information that distinguishes Consultant from its competition and any additional
information applicable to this RFP that might be valuable in assessing Consultant’s proposal.
Explain any concerns Consultant may have in maintaining objectivity in recommending the best
solution for Utilities. All potential conflicts of interest must be disclosed.
IV. REVIEW AND ASSESSMENT
Professional firms will be evaluated on the following criteria. These criteria will be the basis for
review and assessment of the written proposals and optional interview session. At the discretion of
the City, interviews of the top rated firms may be conducted. The rating scale shall be from 1 to 5,
with 1 being a poor rating, 3 being an average rating, and 5 being an outstanding rating.
Weighting Factor: 2.0
Qualification: Scope of Proposal
Standard: Does the proposal address all elements of the RFP? Does
the proposal show an understanding of the project
objectives, methodology to be used and results/outcomes
required by the project? Are there any exceptions to the
specifications, Scope of Work, or agreement?
Weighting Factor: 2.0
Qualification: Assigned Personnel
Standard: Do the persons who will be working on the project have the
necessary skills and qualifications? Are sufficient people of
the requisite skills and qualifications assigned to the project?
Weighting Factor: 1.0
Qualification: Availability
Standard: Can the work be completed in the necessary time? Can the
target start and completion dates be met? Are other
qualified personnel available to assist in meeting the project
schedule if required? Is the project team available to attend
meetings as required by the Scope of Work?
Weighting Factor: 1.0
Qualification: Sustainability/TBL Methodology
Standard: Does the firm demonstrate a commitment to Sustainability
and incorporate Triple Bottom Line methodology in both their
Scope of Work for the project, and their day-to-day business
operating processes and procedures?
Weighting Factor: 2.0
Qualification: Cost and Work Hours
Standard: Does the proposal include a detailed cost break-down for
each cost element as applicable and are the line-item costs
competitive? Do the proposed cost and work hours compare
favorably with the Project Manager's estimate? Are the work
hours presented reasonable for the effort required by each
project task or phase?
Weighting Factor: 2.0
Qualification: Firm Capability
Standard: Does the firm have the resources, financial strength,
capacity and support capabilities required to successfully
complete the project on-time and in-budget? Has the firm
successfully completed previous projects of this type and
scope?
Definitions
Sustainable Purchasing is a process for selecting products or services that have a lesser or
reduced negative effect on human health and the environment when compared with competing
products or services that serve the same purpose. This process is also known as “Environmentally
Preferable Purchasing” (EPP), or “Green Purchasing”.
The Triple Bottom Line (TBL) is an accounting framework that incorporates three dimensions of
performance: economic (or financial), environmental, and social. The generally accepted definition of
Andrew Savitz for TBL is that it “captures the essence of sustainability by measuring the impact of
an organization’s activities on the world…including both its profitability and shareholders values and
its social, human, and environmental capital.”
REFERENCE EVALUATION (TOP RATED FIRM)
The Project Manager will check references using the following criteria. The evaluation rankings will
be labeled Satisfactory/Unsatisfactory.
Qualification: Overall Performance
Standard: Would you hire this Professional again? Did they
show the skills required by this project?
Qualification: Timetable
Standard: Was the original Scope of Work completed within the
specified time? Were interim deadlines met in a
timely manner?
Qualification: Completeness
Standard: Was the Professional responsive to client needs; did
the Professional anticipate problems? Were
problems solved quickly and effectively?
Qualification: Budget
Standard: Was the original Scope of Work completed within the
project budget?
Qualification: Job Knowledge
Standard:
a) If a study, did it meet the Scope of Work?
b) If Professional administered a construction
contract, was the project functional upon
completion and did it operate properly? Were
problems corrected quickly and effectively?
EXHIBIT A
PROPOSAL ACKNOWLEDGEMENT
Consultant hereby acknowledges receipt of the City of Fort Collins Utilities’ Request for
Proposal and acknowledges that it has read and agrees to be fully bound by all of the terms,
conditions and other provisions set forth in the RFP. Additionally, the Consultant hereby
makes the following representations to Utilities:
a. All of the statements and representations made in this proposal are true to the best of
the Consultant’s knowledge and belief.
b. The Consultant has obtained all necessary authorizations and approvals that will enable
the Consultant to commit to the terms provided in this proposal.
c. This proposal is a firm and binding offer, for a period of 180 days from the date hereof.
d. I further agree that the method of award is acceptable to my company.
e. I also agree to complete the proposed Agreements with the City of Fort Collins within 30
days of notice of award.
f. If contract is not completed and signed within 30 days, City reserves the right to cancel
and award to the next highest rated firm.
g. I acknowledge receipt of addenda.
Consultant Firm Name:
Physical Address:
Remit to Address:
Phone:
Authorized Agent of Firm Name:
Signature of Authorized Agent:
Primary Contact for Project:
Title: Email Address:
Phone: Cell Phone:
EXHIBIT B
PROFESSIONAL SERVICES AGREEMENT
WORK ORDER TYPE
THIS AGREEMENT made and entered into the day and year set forth below, by and between
THE CITY OF FORT COLLINS, COLORADO, a Municipal Corporation, hereinafter referred to as the
"City" and , hereinafter referred to as "Professional".
WITNESSETH:
In consideration of the mutual covenants and obligations herein expressed, it is agreed by and
between the parties hereto as follows:
1. Scope of Services. The Professional agrees to provide services in accordance with any project
Work Orders for RFP issued by the City. A blank sample of a work order is attached hereto as
Exhibit "A", consisting of one (1) page and is incorporated herein by this reference. No Work
Order shall exceed $ . The City reserves the right to independently bid any project rather
than issuing a Work Order to the Professional for the same pursuant to this Agreement.
Irrespective of references in Exhibit A to certain named third parties, Professional shall be solely
responsible for performance of all duties hereunder.
2. The Work Schedule. The services to be performed pursuant to this Agreement shall be
performed in accordance with the Work Schedule stated on each Work Order.
3. Time of Commencement and Completion of Services. The services to be performed pursuant to
this Agreement shall be initiated as specified on each Work Order. Time is of the essence. Any
extensions of any time limit must be agreed upon in writing by the parties hereto.
4. Contract Period. This Agreement shall commence upon the date of execution shown on the
signature page of this Agreement and shall continue in full force and effect for one (1) year,
unless sooner terminated as herein provided. In addition, at the option of the City, the Agreement
may be extended for an additional period of one (1) year at the rates provided with written notice
to the professional mailed no later than ninety (90) days prior to contract end.
5. Contract Period. [Option 1] This Agreement shall commence , 20 , and shall continue
in full force and effect until , 20 , unless sooner terminated as herein provided. In
addition, at the option of the City, the Agreement may be extended for additional one year periods
not to exceed ( ) additional one year periods. Renewals and pricing changes shall be
negotiated by and agreed to by both parties. Written notice of renewal shall be provided to the
Professional and mailed no later than thirty (30) days prior to contract end.
6. Early Termination by City. Notwithstanding the time periods contained herein, the City may
terminate this Agreement at any time without cause by providing written notice of termination to
the Professional. Such notice shall be delivered at least fifteen (15) days prior to the termination
date contained in said notice unless otherwise agreed in writing by the parties.
All notices provided under this Agreement shall be effective when mailed, postage prepaid and
sent to the following addresses:
Professional:
Attn:
City:
City of Fort Collins
Attn:
PO Box 580
Fort Collins, CO 80522
Copy to:
City of Fort Collins
Attn: Purchasing Dept.
PO Box 580
Fort Collins, CO 80522
In the event of any such early termination by the City, the Professional shall be paid for services
rendered prior to the date of termination, subject only to the satisfactory performance of the
Professional's obligations under this Agreement. Such payment shall be the Professional's sole
right and remedy for such termination.
4. Design, Project Indemnity and Insurance Responsibility. The Professional shall be responsible for
the professional quality, technical accuracy, timely completion and the coordination of all services
rendered by the Professional, including but not limited to designs, plans, reports, specifications,
and drawings and shall, without additional compensation, promptly remedy and correct any errors,
omissions, or other deficiencies. The Professional shall indemnify, save and hold harmless the
City, its officers and employees in accordance with Colorado law, from all damages whatsoever
claimed by third parties against the City; and for the City's costs and reasonable attorneys fees,
arising directly or indirectly out of the Professional's negligent performance of any of the services
furnished under this Agreement. The Professional shall maintain commercial general liability
insurance in the amount of $1,000,000 combined single limits and errors and omissions insurance
in the amount of $1,000,000, in accordance with Exhibit , consisting of one (1) page,
attached hereto and incorporated herein.
7. Compensation. [Use this paragraph or Option 1 below.] In consideration of the services to
be performed pursuant to this Agreement, the City agrees to pay Professional a fixed fee in the
amount of ($ ) plus reimbursable direct costs. All such fees and costs shall not
exceed ($ ). Monthly partial payments based upon the Professional's billings and
itemized statements are permissible. The amounts of all such partial payments shall be based
upon the Professional's City-verified progress in completing the services to be performed
pursuant hereto and upon the City's approval of the Professional's actual reimbursable expenses.
[Optional] Insert Subcontractor Clause Final payment shall be made following acceptance of the
work by the City. Upon final payment, all designs, plans, reports, specifications, drawings, and
other services rendered by the Professional shall become the sole property of the City.
8. Compensation. [Option 1] In consideration of the services to be performed pursuant to this
Agreement, the City agrees to pay Professional on a time and reimbursable direct cost basis
according to the following schedule:
Hourly billing rates:
Reimbursable direct costs:
With maximum compensation (for both Professional's time and reimbursable direct costs) not to
exceed ($ ). Monthly partial payments based upon the Professional's billings and
itemized statements of reimbursable direct costs are permissible. The amounts of all such partial
payments shall be based upon the Professional's City-verified progress in completing the services
to be performed pursuant hereto and upon the City's approval of the Professional's reimbursable
direct costs. Final payment shall be made following acceptance of the work by the City. Upon
final payment, all designs, plans, reports, specifications, drawings and other services rendered by
the Professional shall become the sole property of the City.
9. City Representative. The City will designate, prior to commencement of work, its project
representative who shall make, within the scope of his or her authority, all necessary and proper
decisions with reference to the project. All requests for contract interpretations, change orders,
and other clarification or instruction shall be directed to the City Representative.
10. Project Drawings. [Optional] Upon conclusion of the project and before final payment, the
Professional shall provide the City with reproducible drawings of the project containing accurate
information on the project as constructed. Drawings shall be of archival quality, prepared on stable Mylar
base material using a non-fading process to provide for long storage and high quality
reproduction. A "CD" disc of the as-built drawings shall also be submitted to the City in an
AutoCAD version no older than the established city standard.
11. Monthly Report. Commencing thirty (30) days after the date of execution of this Agreement and
every thirty (30) days thereafter, Professional is required to provide the City Representative with a
written report of the status of the work with respect to the Scope of Services, Work Schedule, and
other material information. Failure to provide any required monthly report may, at the option of
the City, suspend the processing of any partial payment request.
12. Independent Contractor. The services to be performed by Professional are those of an
independent contractor and not of an employee of the City of Fort Collins. The City shall not be
responsible for withholding any portion of Professional's compensation hereunder for the payment
of FICA, Workers' Compensation, other taxes or benefits or for any other purpose.
13. Personal Services. It is understood that the City enters into this Agreement based on the special
abilities of the Professional and that this Agreement shall be considered as an agreement for
personal services. Accordingly, the Professional shall neither assign any responsibilities nor
delegate any duties arising under this Agreement without the prior written consent of the City.
14. Acceptance Not Waiver. The City's approval of drawings, designs, plans, specifications, reports,
and incidental work or materials furnished hereunder shall not in any way relieve the Professional
of responsibility for the quality or technical accuracy of the work. The City's approval or
acceptance of, or payment for, any of the services shall not be construed to operate as a waiver
of any rights or benefits provided to the City under this Agreement.
15. Default. Each and every term and condition hereof shall be deemed to be a material element of
this Agreement. In the event either party should fail or refuse to perform according to the terms of
this agreement, such party may be declared in default.
16. Remedies. In the event a party has been declared in default, such defaulting party shall be
allowed a period of ten (10) days within which to cure said default. In the event the default
remains uncorrected, the party declaring default may elect to (a) terminate the Agreement and
seek damages; (b) treat the Agreement as continuing and require specific performance; or (c)
avail himself of any other remedy at law or equity. If the non-defaulting party commences legal or
equitable actions against the defaulting party, the defaulting party shall be liable to the
non-defaulting party for the non-defaulting party's reasonable attorney fees and costs incurred
because of the default.
17. Binding Effect. This writing, together with the exhibits hereto, constitutes the entire agreement
between the parties and shall be binding upon said parties, their officers, employees, agents and
assigns and shall inure to the benefit of the respective survivors, heirs, personal representatives,
successors and assigns of said parties.
18. Law/Severability. The laws of the State of Colorado shall govern the construction, interpretation,
execution and enforcement of this Agreement. In the event any provision of this Agreement shall
be held invalid or unenforceable by any court of competent jurisdiction, such holding shall not
invalidate or render unenforceable any other provision of this Agreement.
19. Prohibition Against Employing Illegal Aliens. Pursuant to Section 8-17.5-101, C.R.S., et seq.,
Professional represents and agrees that:
a. As of the date of this Agreement:
1. Professional does not knowingly employ or contract with an illegal alien who will perform
work under this Agreement; and
2. Professional will participate in either the e-Verify program created in Public Law 208, 104th
Congress, as amended, and expanded in Public Law 156, 108th Congress, as amended,
administered by the United States Department of Homeland Security (the “e-Verify
Program”) or the Department Program (the “Department Program”), an employment
verification program established pursuant to Section 8-17.5-102(5)(c) C.R.S. in order to
confirm the employment eligibility of all newly hired employees to perform work under this
Agreement.
b. Professional shall not knowingly employ or contract with an illegal alien to perform work under
this Agreement or knowingly enter into a contract with a subcontractor that knowingly employs
or contracts with an illegal alien to perform work under this Agreement.
c. Professional is prohibited from using the e-Verify Program or Department Program procedures
to undertake pre-employment screening of job applicants while this Agreement is being
performed.
d. If Professional obtains actual knowledge that a subcontractor performing work under this
Agreement knowingly employs or contracts with an illegal alien, Professional shall:
1. Notify such subcontractor and the City within three days that Professional has actual
knowledge that the subcontractor is employing or contracting with an illegal alien; and
2. Terminate the subcontract with the subcontractor if within three days of receiving the
notice required pursuant to this section the subcontractor does not cease employing or
contracting with the illegal alien; except that Professional shall not terminate the contract
with the subcontractor if during such three days the subcontractor provides information to
establish that the subcontractor has not knowingly employed or contracted with an illegal
alien.
e. Professional shall comply with any reasonable request by the Colorado Department of Labor
and Employment (the “Department”) made in the course of an investigation that the
Department undertakes or is undertaking pursuant to the authority established in Subsection
8-17.5-102 (5), C.R.S.
f. If Professional violates any provision of this Agreement pertaining to the duties imposed by
Subsection 8-17.5-102, C.R.S. the City may terminate this Agreement. If this Agreement is so
terminated, Professional shall be liable for actual and consequential damages to the City
arising out of Professional’s violation of Subsection 8-17.5-102, C.R.S.
g. The City will notify the Office of the Secretary of State if Professional violates this provision of
this Agreement and the City terminates the Agreement for such breach.
20. Red Flags Rules. Professional must implement reasonable policies and procedures to
detect, prevent and mitigate the risk of identity theft in compliance with the Identity Theft Red
Flags Rules found at 16 Code of Federal Regulations part 681. Further, Professional must take
appropriate steps to mitigate identity theft if it occurs with one or more of the City’s covered
accounts and must as expeditiously as possible notify the City in writing of significant breaches of
security or Red Flags to the Utilities or the Privacy Committee.
21. Special Provisions. Special provisions or conditions relating to the services to be performed
pursuant to this Agreement are set forth in Exhibit “ “ - Confidentiality, consisting of one (1) page,
attached hereto and incorporated herein by this reference.
THE CITY OF FORT COLLINS, COLORADO
By: _________________________________
Gerry Paul
Director of Purchasing
DATE: ______________________________
ATTEST:
_________________________________
City Clerk
APPROVED AS TO FORM:
________________________________
Assistant City Attorney
[INSERT PROFESSIONAL'S NAME] OR
[INSERT PARTNERSHIP NAME] OR
[INSERT INDIVIDUAL'S NAME] OR
By: __________________________________
Title: _______________________________
CORPORATE PRESIDENT OR VICE PRESIDENT
Date: _______________________________
ATTEST:
_________________________________ (Corporate Seal)
Corporate Secretary
EXHIBIT C
WORK ORDER FORM
PURSUANT TO AN AGREEMENT BETWEEN
THE CITY OF FORT COLLINS
AND
DATED:
Work Order Number:
Purchase Order Number:
Project Title:
Original Bid/RFP Project Number & Name:
Commencement Date:
Completion Date:
Maximum Fee: (time and reimbursable direct costs):
Project Description:
Scope of Services:
Professional agrees to perform the services
identified above and on the attached forms in
accordance with the terms and conditions
contained herein and in the Professional
Services Agreement between the parties. In
the event of a conflict between or ambiguity in
the terms of the Professional Services
Agreement and this work order (including the
attached forms) the Professional Services
Agreement shall control.
The attached forms consisting of ___ (_)
pages are hereby accepted and incorporated
herein, by this reference, and Notice to
Proceed is hereby given.
Professional
By:_______________________________
Date:_____________________________
City of Fort Collins
Submitted By: _________________________
Project Manager
Date: _________________________
Reviewed by: _________________________
Senior Utility Engineer
Date: _________________________
Approved by: _________________________
Water Engineering & Field
Services Operations Manager
Date: ________________________
Approved by: _________________________
Utilities General Manager
(over $1,000,000)
Date: ________________________
Approved by: _________________________
Director of Purchasing (if over
$60,000)
Date: _______________________
EXHIBIT D
INSURANCE REQUIREMENTS
1. The Professional will provide, from insurance companies acceptable to the City, the insurance
coverage designated hereinafter and pay all costs. Before commencing work under this bid, the
Professional shall furnish the City with certificates of insurance showing the type, amount, class
of operations covered, effective dates and date of expiration of policies, and containing
substantially the following statement:
“The insurance evidenced by this Certificate will not reduce coverage or limits and will not
be cancelled, except after thirty (30) days written notice has been received by the City of
Fort Collins.”
In case of the breach of any provision of the Insurance Requirements, the City, at its option,
may take out and maintain, at the expense of the Professional, such insurance as the City may
deem proper and may deduct the cost of such insurance from any monies which may be due or
become due the Professional under this Agreement. The City, its officers, agents and
employees shall be named as additional insureds on the Professional’s general liability and
automobile liability insurance policies for any claims arising out of work performed under this
Agreement.
2. Insurance coverages shall be as follows:
A. Workers' Compensation & Employer's Liability. The Professional shall maintain during the
life of this Agreement for all of the Professional's employees engaged in work performed
under this agreement:
1. Workers' Compensation insurance with statutory limits as required by Colorado
law.
2. Employer's Liability insurance with limits of $100,000 per accident, $500,000
disease aggregate, and $100,000 disease each employee.
B. Commercial General & Vehicle Liability. The Professional shall maintain during the life of
this Agreement such commercial general liability and automobile liability insurance as will
provide coverage for damage claims of personal injury, including accidental death, as well
as for claims for property damage, which may arise directly or indirectly from the
performance of work under this Agreement. Coverage for property damage shall be on a
"broad form" basis. The amount of insurance for each coverage, Commercial General and
Vehicle, shall not be less than $1,000,000 combined single limits for bodily injury and
property damage.
In the event any work is performed by a subcontractor, the Professional shall be
responsible for any liability directly or indirectly arising out of the work performed under
this Agreement by a subcontractor, which liability is not covered by the subcontractor's
insurance.
C. Errors & Omissions. The Professional shall maintain errors and omissions insurance in
the amount of $1,000,000.
EXHIBIT E
CONFIDENTIALITY
IN CONNECTION WITH SERVICES provided to the City of Fort Collins (the “City”) pursuant to this
Agreement (the “Agreement”), the Professional hereby acknowledges that it has been informed that the
City has established policies and procedures with regard to the handling of confidential information and
other sensitive materials.
In consideration of access to certain information, data and material (hereinafter individually and
collectively, regardless of nature, referred to as “information”) that are the property of and/or relate to
the City or its employees, customers or suppliers, which access is related to the performance of
services that the Professional has agreed to perform, the Professional hereby acknowledges and
agrees as follows:
That information that has or will come into its possession or knowledge in connection with the
performance of services for the City may be confidential and/or proprietary. The Professional agrees to
treat as confidential (a) all information that is owned by the City, or that relates to the business of the
City, or that is used by the City in carrying on business, and (b) all information that is proprietary to a
third party (including but not limited to customers and suppliers of the City). The Professional shall not
disclose any such information to any person not having a legitimate need-to-know for purposes
authorized by the City. Further, the Professional shall not use such information to obtain any economic
or other benefit for itself, or any third party, except as specifically authorized by the City.
The foregoing to the contrary notwithstanding, the Professional understands that it shall have no
obligation under this Agreement with respect to information and material that (a) becomes generally
known to the public by publication or some means other than a breach of duty of this Agreement, or (b)
is required by law, regulation or court order to be disclosed, provided that the request for such
disclosure is proper and the disclosure does not exceed that which is required. In the event of any
disclosure under (b) above, the Professional shall furnish a copy of this Agreement to anyone to whom
it is required to make such disclosure and shall promptly advise the City in writing of each such
disclosure.
In the event that the Professional ceases to perform services for the City, or the City so requests for
any reason, the Professional shall promptly return to the City any and all information described
hereinabove, including all copies, notes and/or summaries (handwritten or mechanically produced)
thereof, in its possession or control or as to which it otherwise has access.
The Professional understands and agrees that the City’s remedies at law for a breach of the
Professional’s obligations under this Confidentiality Agreement may be inadequate and that the City
shall, in the event of any such breach, be entitled to seek equitable relief (including without limitation
preliminary and permanent injunctive relief and specific performance) in addition to all other remedies
provided hereunder or available at law.
EXHIBIT F
Fort Collins Expense Guidelines:
Lodging, Per Diem Meals and Incidentals and Other expenses:
October 1, 2013
Fort Collins Policy:
Lodging:
• Hotels will be reimbursed at $91/day provided the government rate is available. If the
government rate is not available, the best available rate shall be used and a printout of the
available rates at the time of the reservation provided as documentation.
• Hotel taxes do not count to the $91 limit, i.e. the rate is $91 plus applicable taxes.
• Receipts are to be provided.
• Actual expense will apply
Meals and Incidentals:
In lieu of requiring expense receipts, Fort Collins will use Federal GSA per diem guidelines.
• Daily rate: $56
• Travel Days rate: 75% of $56 = $42
Vehicle Expenses:
• All costs related to rental vehicles (gas, parking, etc.) must be documented if they are to be
reimbursed. The standard for vehicle size is mid-size to lower.
• If a private vehicle is used, mileage will be reimbursed using the mileage rate set by the IRS.
The most direct route is the standard for determining total mileage.
Extraordinary Cost
• Prior authorization required.
Expenses Not Allowed
• Liquor, movies, or entertainment (including in-room movies);
• Sporting events;
• Laundry, dry-cleaning or shoe repair;
• Personal phone calls, including connection and long-distance fees;
• Computer connections (unless required for City business);
• Other personal expenses not directly related to City business;
• Convenience charges;
• Rescheduling Airline Charges not related to City requirements.
• Excessive meal tip amounts generally over 20%;
• Delivery fees shall not exceed 10% of the total bill, if not already included;
• Hotel Cleaning Tips;
• Extra Baggage for one day trips;
• Air Travel (when local);
• Items that are supplied by the City.
Time Frame for Reporting
• Per contract (every 30 days).
Reference:
The Federal GSA guidelines for Fort Collins are $91/day for hotel and $56 for meals and incidentals
(M&IE). (Incidentals are defined as 1) fees and tips given to porters, baggage carriers, bellhops, hotel
maids, stewards or stewardesses, and 2) transportation between places of lodging or business and
places where meals are taken). Hotel taxes (i.e. lodging taxes) are not covered by per diem and are
expensed as a separate line item.
The M&IE is further broken down by:
• Breakfast: $9
• Lunch: $13
• Dinner: $29
• Incidentals: $5
Federal guidelines further provide for the use of 75% of the M&IE rate for travel days, i.e. $42 for Fort
Collins.