557741 SECURANCE LLC - CONTRACT - RFP - 8155 CYBERSECURITY ASSESSMENT
8155 – Cybersecurity Vulnerability Assessment Professional Services Agreement Page 1 of 24
PROFESSIONAL SERVICES AGREEMENT
THIS AGREEMENT made and entered into the day and year set forth below, by and
between THE CITY OF FORT COLLINS, COLORADO, a Municipal Corporation, hereinafter
referred to as the "City" and SECURANCE LLC, hereinafter referred to as "Professional".
WITNESSETH:
In consideration of the mutual covenants and obligations herein expressed, it is agreed
by and between the parties hereto as follows:
1. Scope of Services. The Professional agrees to provide services as detailed in RFP 8155
CYBERSECURITY VULNERABILITY, in accordance with the scope of services attached
hereto as Exhibit "A", consisting of thirteen (13) pages, and incorporated herein by this
reference. Irrespective of references in Exhibit A to certain named third parties,
Professional shall be solely responsible for performance of all duties hereunder.
2. The Work Schedule. The services to be performed pursuant to this Agreement shall be
performed in accordance with the Work Schedule attached hereto as Exhibit "B",
consisting of one (1) page, and incorporated herein by this reference.
3. Contract Period. The services to be performed pursuant to this Agreement shall be
initiated within five (5) days following execution of this Agreement. Services shall be
completed no later than November 30, 2015. Time is of the essence. Any extensions of
the time limit set forth above must be agreed upon in writing by the parties hereto.
4. Early Termination by City. Notwithstanding the time periods contained herein, the City
may terminate this Agreement at any time without cause by providing written notice of
termination to the Professional. Such notice shall be delivered at least fifteen (15) days
prior to the termination date contained in said notice unless otherwise agreed in writing by
the parties.
All notices provided under this Agreement shall be effective when mailed, postage prepaid
and sent to the following addresses:
Professional:
Securance LLC
Attn: Paul Ashe
6922 W. Linebaugh Ave., Ste 101
Tampa, FL 33625
City:
City of Fort Collins
Attn: Don Mathre
PO Box 580
Fort Collins, CO 80522
Copy to:
City of Fort Collins
Attn: Purchasing Dept.
PO Box 580
Fort Collins, CO 80522
In the event of any such early termination by the City, the Professional shall be paid for
services rendered prior to the date of termination, subject only to the satisfactory
performance of the Professional's obligations under this Agreement. Such payment shall
be the Professional's sole right and remedy for such termination.
DocuSign Envelope ID: B29B8F09-39A3-4A07-AAA4-A62B292966E6
5. Design, Project Indemnity and Insurance Responsibility. The Professional shall be
responsible for the professional quality, technical accuracy, timely completion and the
coordination of all services rendered by the Professional, including but not limited to
designs, plans, reports, specifications, and drawings and shall, without additional
compensation, promptly remedy and correct any errors, omissions, or other deficiencies.
The Professional shall indemnify, save and hold harmless the City, its officers and
employees in accordance with Colorado law, from all damages whatsoever claimed by
third parties against the City; and for the City's costs and reasonable attorney’s fees,
arising directly or indirectly out of the Professional's negligent performance of any of the
services furnished under this Agreement. The Professional shall maintain insurance in
accordance with Exhibit D consisting of one (1) page, attached hereto and incorporated
herein.
6. Compensation. In consideration of the services to be performed pursuant to this
Agreement, the City agrees to pay Professional a fixed fee in the amount of fifty three
thousand, three hundred twenty eight dollars ($53,328) plus reimbursable direct costs in
accordance with Exhibit C, consisting of one (1) page, attached hereto and incorporated
herein. Monthly partial payments based upon the Professional's billings and itemized
statements are permissible. The amounts of all such partial payments shall be based
upon the Professional's City-verified progress in completing the services to be performed
pursuant hereto and upon the City's approval of the Professional's actual reimbursable
expenses. Final payment shall be made following acceptance of the work by the City.
Upon final payment, all designs, plans, reports, specifications, drawings, and other
services rendered by the Professional shall become the sole property of the City.
7. City Representative. The City will designate, prior to commencement of work, its project
representative who shall make, within the scope of his or her authority, all necessary and
proper decisions with reference to the project. All requests for contract interpretations,
change orders, and other clarification or instruction shall be directed to the City
Representative.
8. Monthly Report. Commencing thirty (30) days after the date of execution of this
Agreement and every thirty (30) days thereafter, Professional is required to provide the
City Representative with a written report of the status of the work with respect to the
Scope of Services, Work Schedule, and other material information. Failure to provide any
required monthly report may, at the option of the City, suspend the processing of any
partial payment request.
9. Independent Contractor. The services to be performed by Professional are those of an
independent contractor and not of an employee of the City of Fort Collins. The City shall
not be responsible for withholding any portion of Professional's compensation hereunder
for the payment of FICA, Workers' Compensation, other taxes or benefits or for any other
purpose.
10. Personal Services. It is understood that the City enters into this Agreement based on the
special abilities of the Professional and that this Agreement shall be considered as an
agreement for personal services. Accordingly, the Professional shall neither assign any
responsibilities nor delegate any duties arising under this Agreement without the prior
written consent of the City.
11. Subcontractors. Service Provider may not subcontract any of the Work set forth in the
Exhibit A, Statement of Work without the prior written consent of the city, which shall not
be unreasonably withheld. If any of the Work is subcontracted hereunder (with the
consent of the City), then the following provisions shall apply: (a) the subcontractor must
be a reputable, qualified firm with an established record of successful performance in its
respective trade performing identical or substantially similar work, (b) the subcontractor will
be required to comply with all applicable terms of this Agreement, (c) the subcontract will
not create any contractual relationship between any such subcontractor and the City, nor
will it obligate the City to pay or see to the payment of any subcontractor, and (d) the work
of the subcontractor will be subject to inspection by the City to the same extent as the
work of the Service Provider.
12. Acceptance Not Waiver. The City's approval of drawings, designs, plans, specifications,
reports, and incidental work or materials furnished hereunder shall not in any way relieve
the Professional of responsibility for the quality or technical accuracy of the work. The
City's approval or acceptance of, or payment for, any of the services shall not be
construed to operate as a waiver of any rights or benefits provided to the City under this
Agreement.
13. Default. Each and every term and condition hereof shall be deemed to be a material
element of this Agreement. In the event either party should fail or refuse to perform
according to the terms of this agreement, such party may be declared in default.
14. Remedies. In the event a party has been declared in default, such defaulting party shall
be allowed a period of ten (10) days within which to cure said default. In the event the
default remains uncorrected, the party declaring default may elect to (a) terminate the
Agreement and seek damages; (b) treat the Agreement as continuing and require specific
performance; or (c) avail himself of any other remedy at law or equity. If the non-
defaulting party commences legal or equitable actions against the defaulting party, the
defaulting party shall be liable to the non-defaulting party for the non-defaulting party's
reasonable attorney fees and costs incurred because of the default.
15. Binding Effect. This writing, together with the exhibits hereto, constitutes the entire
agreement between the parties and shall be binding upon said parties, their officers,
employees, agents and assigns and shall inure to the benefit of the respective survivors,
heirs, personal representatives, successors and assigns of said parties.
16. Law/Severability. The laws of the State of Colorado shall govern the construction,
interpretation, execution and enforcement of this Agreement. In the event any provision
of this Agreement shall be held invalid or unenforceable by any court of competent
jurisdiction, such holding shall not invalidate or render unenforceable any other provision
of this Agreement.
17. Prohibition Against Employing Illegal Aliens. Pursuant to Section 8-17.5-101, C.R.S., et
seq., Professional represents and agrees that:
a. As of the date of this Agreement:
1. Professional does not knowingly employ or contract with an illegal alien who will
perform work under this Agreement; and
2. Professional will participate in either the e-Verify program created in Public Law
208, 104th Congress, as amended, and expanded in Public Law 156, 108th
Congress, as amended, administered by the United States Department of
Homeland Security (the “e-Verify Program”) or the Department Program (the
“Department Program”), an employment verification program established pursuant
to Section 8-17.5-102(5)(c) C.R.S. in order to confirm the employment eligibility of
all newly hired employees to perform work under this Agreement.
b. Professional shall not knowingly employ or contract with an illegal alien to perform
work under this Agreement or knowingly enter into a contract with a subcontractor that
knowingly employs or contracts with an illegal alien to perform work under this
Agreement.
c. Professional is prohibited from using the e-Verify Program or Department Program
procedures to undertake pre-employment screening of job applicants while this
Agreement is being performed.
d. If Professional obtains actual knowledge that a subcontractor performing work under
this Agreement knowingly employs or contracts with an illegal alien, Professional shall:
1. Notify such subcontractor and the City within three days that Professional has
actual knowledge that the subcontractor is employing or contracting with an illegal
alien; and
2. Terminate the subcontract with the subcontractor if within three days of receiving
the notice required pursuant to this section the subcontractor does not cease
employing or contracting with the illegal alien; except that Professional shall not
terminate the contract with the subcontractor if during such three days the
subcontractor provides information to establish that the subcontractor has not
knowingly employed or contracted with an illegal alien.
e. Professional shall comply with any reasonable request by the Colorado Department of
Labor and Employment (the “Department”) made in the course of an investigation that
the Department undertakes or is undertaking pursuant to the authority established in
Subsection 8-17.5-102 (5), C.R.S.
f. If Professional violates any provision of this Agreement pertaining to the duties
imposed by Subsection 8-17.5-102, C.R.S. the City may terminate this Agreement. If
this Agreement is so terminated, Professional shall be liable for actual and
consequential damages to the City arising out of Professional’s violation of Subsection
8-17.5-102, C.R.S.
g. The City will notify the Office of the Secretary of State if Professional violates this
provision of this Agreement and the City terminates the Agreement for such breach.
18. Red Flags Rules. Professional must implement reasonable policies and procedures to
detect, prevent and mitigate the risk of identity theft in compliance with the Identity Theft
Red Flags Rules found at 16 Code of Federal Regulations part 681. Further, Professional
must take appropriate steps to mitigate identity theft if it occurs with one or more of the
City’s covered accounts and must as expeditiously as possible notify the City in writing of
significant breaches of security or Red Flags to the Utilities or the Privacy Committee.
19. Special Provisions. Special provisions or conditions relating to the services to be
performed pursuant to this Agreement are set forth in Exhibit E – Non-Disclosure
Agreement, consisting of two (2) pages, attached hereto and incorporated herein by this
reference.
THE CITY OF FORT COLLINS, COLORADO
By:
Gerry Paul
Purchasing Director
DATE:
ATTEST:
City Clerk
APPROVED AS TO FORM:
Assistant City Attorney
SECURANCE LLC
By:
Printed:
Title:
CORPORATE PRESIDENT OR VICE PRESIDENT
Date:
President
Paul Ashe
10/21/2015
10/29/2015
EXHIBIT A
STATEMENT OF WORK
This Statement of Work (SOW) is executed between the City of Fort Collins and Securance
LLC. This statement of work pertains directly to the request for services detailed below.
SUMMARY
The City of Fort Collins, Colorado (City) is contracting for services to assist City staff with
conducting an assessment of the effectiveness of the Fort Collins Utilities Water Resources
and Treatment Industrial Control System (WR&T ICS) cybersecurity controls.
The purpose of this project is to:
1. Establish a basic baseline assessment of the general security state of the Water
Resources and Treatment ICS (Industrial Control System), including an independent
3rd party assessment of key WR&T components and cybersecurity controls.
2. Develop a prioritized work program to phase in any appropriate WR&T ICS
cybersecurity capability maturity improvements over time.
3. Establish a clear understanding of City staff roles and responsibilities in maintaining
the WR&T ICS security state in a manner consistent with Fort Collins Utilities (FCU)
organizational goals and resources.
4. Pilot replicable methods and procedures to enable similar cybersecurity
assessments for other FCU systems in a manner that does not require significant
time commitment by FCU staff and that can be reasonably accommodated within
existing staff resources and work plan commitments.
SCOPE
General Responsibilities
1. Before access to any systems is granted, Securance will provide a background
check for each individual Securance employee who will need access to City of Ft.
Collins systems. The check will include the name of the company that performed the
background check, and the date of the most recent background check.
2. Before access to any systems is granted, Securance will sign a non-disclosure
agreement.
3. Securance will provide laptop computers for use during this project. These laptops will
be scanned by IT personnel prior to allowing them on the City network. Said laptops
will also need to each have a personal firewall software, as well as have current, active
anti-virus definitions.
4. Securance will provide the Information Sharing Security Safeguards and Standards
described in their Response to Request for Proposal RFP 8155 Cybersecurity
Vulnerability Assessment, Approach & Methodology Section as attached.
Project Scope Items
Perform a Cyber Security Assessment:
  Assessment of Cyber Security Controls
    o Conduct a gap analysis against NIST Special Publication 800-53 using Client’s self-assessment reports.
    o Help Client’s staff interpret findings.
    o Recommend improvements to the self-assessment documentation process.
  Review of Water Resources and Treatment (WR&T) System Security Architecture
    o Review system architecture and boundary protections from a cyber security perspective.
  Assessment of WR&T System Security Configurations
    o Analyze the security configurations of key WR&T control system components, including PLCs, HMI servers and client machines, databases, web application servers, routers and switches.
Prepare Deliverables
  Management and Technician’s Reports
  Report Presentation
Methodologies
The cybersecurity assessment will be performed using the methodologies described in
Securance’s Response to Request for Proposal RFP 8155 Cybersecurity Vulnerability
Assessment.
Use of Automated Tools
Fort Collins Utilities will allow use of automated tools with some caveats.
1. Prior to use of automated tools, FCU must approve a Securance-provided list of
tools to be used, their configuration settings, the systems to be tested, and a
testing schedule. Information gathered about the environment during the
cybersecurity assessment will help determine which tools will be used for testing.
2. Passive configuration settings are to be used initially. Based on results, cautious
progression to active settings may be used upon approval. It’s possible that
permission will not be granted for active scanning/testing of unstable or high risk
systems, in which case manual testing may be performed.
3. Scanning is not to go beyond the logical Water SCADA network into the business
network without explicit permission. The boundary between the Water SCADA
network and business network is within scope. Devices on the business network
that are allowed access to the SCADA network will need to be examined.
Examination of these will be added through a change order negotiated and
agreed upon by both parties.
DELIVERABLES AND ACCEPTANCE CRITERIA
1. Management Report to include
   o Executive summary
   o Introduction and scope
   o Approach and methodology
   o Current maturity level and a road map for improved maturity
   o Vulnerability findings including
     vulnerability descriptions
     associated risk rankings
     risk descriptions
     actionable recommendations to mitigate risks and achieve compliance
     remediation cost estimates
2. Technician’s Report to include raw data extracts from utilized security tools.
3. Report Presentation
4. All electronic data will be permanently deleted from Professional's workstations. Written
verification of the deletion (including date of deletion) is to be provided to City Project
Manager within ten (10) days after completion of engagement, whether it be via
termination, completion or otherwise.
SCHEDULE
The expected time for this engagement will be determined upon execution of the SOW.
Securance’s sample project plan is attached as Exhibit XX to the Agreement.
STAFF
The expected team roles anticipated over the duration of the Project consist of, but are not
limited to, one (1) Sr. IT Audit Professional and the Engagement Manager. Additions to the
team may be made as needed or requested by the Client’s Project Manager.
DEPENDENCIES AND ASSUMPTIONS
1. Securance will provide a client assistance request list to Client prior to the
commencement of the engagement.
2. Securance will have full access to all Client participants and personnel as required
through the duration of the engagement.
3. Client will hold meetings with the Securance engagement manager, as necessary, to
assess the Securance progress.
4. Each task will be performed at an agreed-upon time to minimize disruption to Client
personnel.
5. Client will provide Securance with appropriate system access to successfully complete
each project.
OTHER
The following sections from Securance’s RFP submittal shall be part of the Statement of
Work.
EXHIBIT B
PROPOSED PROJECT PLAN
EXHIBIT C
COST AND WORK HOURS
EXHIBIT D
INSURANCE REQUIREMENTS
1. The Professional will provide, from insurance companies acceptable to the City, the
insurance coverage designated hereinafter and pay all costs. Before commencing work
under this bid, the Professional shall furnish the City with certificates of insurance
showing the type, amount, class of operations covered, effective dates and date of
expiration of policies, and containing substantially the following statement:
“The insurance evidenced by this Certificate will not reduce coverage or limits and
will not be cancelled, except after thirty (30) days written notice has been received
by the City of Fort Collins.”
In case of the breach of any provision of the Insurance Requirements, the City, at its
option, may take out and maintain, at the expense of the Professional, such insurance
as the City may deem proper and may deduct the cost of such insurance from any
monies which may be due or become due the Professional under this Agreement. The
City, its officers, agents and employees shall be named as additional insureds on the
Professional's general liability and automobile liability insurance policies for any claims
arising out of work performed under this Agreement.
2. Insurance coverages shall be as follows:
A. Workers' Compensation & Employer's Liability. The Professional shall maintain
during the life of this Agreement for all of the Professional's employees engaged in
work performed under this agreement:
1. Workers' Compensation insurance with statutory limits as required by
Colorado law.
2. Employer's Liability insurance with limits of $100,000 per accident,
$500,000 disease aggregate, and $100,000 disease each employee.
B. Commercial General & Vehicle Liability. The Professional shall maintain during the
life of this Agreement such commercial general liability and automobile liability
insurance as will provide coverage for damage claims of personal injury, including
accidental death, as well as for claims for property damage, which may arise
directly or indirectly from the performance of work under this Agreement.
Coverage for property damage shall be on a "broad form" basis. The amount of
insurance for each coverage, Commercial General and Vehicle, shall not be less
than $1,000,000 combined single limits for bodily injury and property damage.
In the event any work is performed by a subcontractor, the Professional shall be
responsible for any liability directly or indirectly arising out of the work performed
under this Agreement by a subcontractor, which liability is not covered by the
subcontractor's insurance.
C. Errors & Omissions. The Professional shall maintain errors and omissions
insurance in the amount of $1,000,000.
D. Cyber Risk. The Professional shall maintain cyber risk insurance in the amount of
$2,000,000.
No new insurance required
EXHIBIT E
NON-DISCLOSURE AGREEMENT
THIS NON-DISCLOSURE AGREEMENT (Agreement) made and entered into by and between
the City of Fort Collins, a municipal corporation (“City”) and Securance LLC (Professional)
(collectively, the “Parties”).
WITNESSETH
WHEREAS, the parties desire to assure the confidential and/or proprietary status of the
information which may be disclosed to each other in connection with their discussions relating to
RFP 8155 Cybersecurity Vulnerability Assessment.
NOW, THEREFORE, in consideration of terms and covenants contained herein, the Parties
agree as follows:
1. Confidential Information.
Confidential Information controlled by this Agreement refers to information which is
confidential and/or proprietary and includes by way of example, but without limitation, City
customer information, location information, Fort Collins Utilities Water Resources and
Treatment Industrial Control System, network security system, business plans, formulae,
processes, intellectual property, trade secrets, designs, photographs, plans, drawings,
schematics, methods, specifications, samples, reports, mechanical and electronic design
drawings, customer lists, financial information, studies, findings, inventions, and ideas.
To the extent practical, Confidential Information shall be marked "Confidential" or
"Proprietary". In the case of disclosure in non-documentary form made orally or by visual
inspection, the Discloser shall have the right, or, if requested by the Recipient, the obligation
to confirm in writing the fact and general nature of each disclosure within a reasonable time
after it is made in order that it is treated as Confidential Information. Any information
disclosed to the other party prior to the execution of this Agreement shall be considered in
the same manner and be subject to the same treatment as the information disclosed after
the execution of this Agreement.
2. Use of Confidential Information. Recipient hereby agrees that it shall use the Confidential
Information solely for the purpose of performing its obligations under this Agreement and not
in any way detrimental to Discloser. Recipient agrees to use the same degree of care
Recipient uses with respect to its own proprietary or confidential information, which in any
event shall result in a reasonable standard of care to prevent unauthorized use or disclosure
of the Confidential Information. Except as otherwise provided herein, Recipient shall keep
confidential and not disclose the Confidential Information. The City and Contractor shall
cause each of their directors, officers, employees, agents, representatives, Subcontractors
to become familiar with, and abide by, the terms of this section.
3. Exclusions from Definition. The term “Confidential Information” as used herein does not
include any data or information which is already known to the receiving party or which
before being divulged by the receiving party (1) was generally known to the public through
no wrongful act of the receiving party; (2) has been rightfully received by the receiving party
from a third party without restriction on disclosure and without, to the knowledge of the
receiving party, a breach of an obligation of confidentiality; (3) has been approved for
release by a written authorization by the other party hereto; or (4) has been disclosed
pursuant to a requirement of a governmental agency or by operation of law.
4. Required Disclosure. If the receiving party is required (by oral questions, interrogatories,
requests for information or documents, subpoena, civil investigative demand or similar
process, or by federal, state, or local law, including without limitation, the Colorado Open
Records Act) to disclose any Confidential Information, the parties agree that the receiving
party will provide the disclosing party with prompt notice of such request, so that the
disclosing party may seek an appropriate protective order or waive the receiving party’s
compliance with the provisions of this Agreement. The parties further agree that if, in the
absence of a protective order or the receipt of a waiver hereunder, the receiving party is
nonetheless, in the opinion of its legal counsel, compelled by law to disclose Confidential
Information to any person, entity or tribunal, the receiving party may disclose such
Confidential Information to such person, entity or tribunal without any liability under this
Agreement.
5. Professional shall not disclose any such Confidential Information to any person, directly or
indirectly, nor use it in any way, except as required or authorized by the City.
6. Confidential Information is not to be stored on any local workstation, laptop, or media such
as CD/DVD, USB drives, external hard drives or other similar portable devices unless
Vendor can ensure security for the Confidential Information so stored. Work stations or
laptops to be used in the Work will be required to have personal firewalls on each, as well as
have current, active anti-virus definitions.
7. The agreement not to disclose Confidential Information as set forth in this document shall
apply during the term of the project and at any time thereafter unless specifically authorized
by the City in writing.
8. Professional shall make no copies of any Confidential Information obtained.
9. If Professional breaches this Agreement, the City may immediately terminate this Agreement
and withdraw Professional’s right to access Confidential Information.
10. Notwithstanding any other provision of this Agreement, all material, i.e., various physical
forms of media in which Confidential Information is contained, including but not limited to
writings, drawings, tapes, diskettes, prototypes or products, shall remain the sole property
of the Discloser and, upon request, shall be promptly returned, together with all copies
thereof to the Discloser. All digital and electronic data should be deleted in a non-restorable
way by which it is no longer available to the Recipient. Written verification of the deletion
(including date of deletion) is to be provided to the Discloser within ten (10) days after
completion of engagement, whether it be via termination, completion or otherwise.
11. Professional acknowledges that the City will, based upon the representations made in this
Agreement, disclose security information that is critical to the continued success of the City’s
business. Accordingly, Professional agrees that the City does not have an adequate remedy
at law for breach of this Agreement and therefore, the City shall be entitled, as a non-
exclusive remedy, and in addition to an action for damages, to seek and obtain an injunction
or decree of specific performance or any other remedy, from a court of competent
jurisdiction to enjoin or remedy any violation of this Agreement.
12. No act of omission or commission of either the City or Professional, including without
limitation, any failure to exercise any right, remedy, or recourse, shall be deemed to be a
waiver, release, or modification of the same. Such a waiver, release, or modification is to be
effected only through a written modification to this Agreement.
13. Neither party shall assign any of its rights, privileges or obligations under this Agreement to
any third party without prior written consent of the other party.
14. This Agreement is to be construed in accordance with the laws of the State of Colorado.
Venue and jurisdiction for any cause of action or claim asserted by either party hereto shall
be in the District Court of Larimer County, Colorado.