Loading...
HomeMy WebLinkAbout557741 SECURANCE LLC - CONTRACT - RFP - 8155 CYBERSECURITY ASSESSMENT8155 – Cybersecurity Vulnerability Assessment Professional Services Agreement Page 1 of 24 PROFESSIONAL SERVICES AGREEMENT THIS AGREEMENT made and entered into the day and year set forth below, by and between THE CITY OF FORT COLLINS, COLORADO, a Municipal Corporation, hereinafter referred to as the "City" and SECURANCE LLC, hereinafter referred to as "Professional". WITNESSETH: In consideration of the mutual covenants and obligations herein expressed, it is agreed by and between the parties hereto as follows: 1. Scope of Services. The Professional agrees to provide services as detailed in RFP 8155 CYBERSECURITY VULNERABILITY, in accordance with the scope of services attached hereto as Exhibit "A", consisting of thirteen (13) pages, and incorporated herein by this reference. Irrespective of references in Exhibit A to certain named third parties, Professional shall be solely responsible for performance of all duties hereunder. 2. The Work Schedule. The services to be performed pursuant to this Agreement shall be performed in accordance with the Work Schedule attached hereto as Exhibit "B", consisting of one (1) page, and incorporated herein by this reference. 3. Contract Period. The services to be performed pursuant to this Agreement shall be initiated within five (5) days following execution of this Agreement. Services shall be completed no later than November 30, 2015. Time is of the essence. Any extensions of the time limit set forth above must be agreed upon in writing by the parties hereto. 4. Early Termination by City. Notwithstanding the time periods contained herein, the City may terminate this Agreement at any time without cause by providing written notice of termination to the Professional. Such notice shall be delivered at least fifteen (15) days prior to the termination date contained in said notice unless otherwise agreed in writing by the parties. All notices provided under this Agreement shall be effective when mailed, postage prepaid and sent to the following addresses: Professional: City: Copy to: Securance LLC Attn: Paul Ashe 6922 W. Linebaugh Ave., Ste 101 Tampa, FL 33625 City of Fort Collins Attn: Don Mathre PO Box 580 Fort Collins, CO 80522 City of Fort Collins Attn: Purchasing Dept. PO Box 580 Fort Collins, CO 80522 In the event of any such early termination by the City, the Professional shall be paid for services rendered prior to the date of termination, subject only to the satisfactory performance of the Professional's obligations under this Agreement. Such payment shall be the Professional's sole right and remedy for such termination. 5. Design, Project Indemnity and Insurance Responsibility. The Professional shall be DocuSign Envelope ID: B29B8F09-39A3-4A07-AAA4-A62B292966E6 8155 – Cybersecurity Vulnerability Assessment Professional Services Agreement Page 2 of 24 responsible for the professional quality, technical accuracy, timely completion and the coordination of all services rendered by the Professional, including but not limited to designs, plans, reports, specifications, and drawings and shall, without additional compensation, promptly remedy and correct any errors, omissions, or other deficiencies. The Professional shall indemnify, save and hold harmless the City, its officers and employees in accordance with Colorado law, from all damages whatsoever claimed by third parties against the City; and for the City's costs and reasonable attorney’s fees, arising directly or indirectly out of the Professional's negligent performance of any of the services furnished under this Agreement. The Professional shall maintain insurance in accordance with Exhibit D consisting of one (1) page, attached hereto and incorporated herein. 6. Compensation. In consideration of the services to be performed pursuant to this Agreement, the City agrees to pay Professional a fixed fee in the amount of fifty three thousand, three hundred twenty eight dollars ($53,328) plus reimbursable direct costs in accordance with Exhibit C, consisting of one (1) page, attached hereto and incorporated herein. Monthly partial payments based upon the Professional's billings and itemized statements are permissible. The amounts of all such partial payments shall be based upon the Professional's City-verified progress in completing the services to be performed pursuant hereto and upon the City's approval of the Professional's actual reimbursable expenses. Final payment shall be made following acceptance of the work by the City. Upon final payment, all designs, plans, reports, specifications, drawings, and other services rendered by the Professional shall become the sole property of the City. 7. City Representative. The City will designate, prior to commencement of work, its project representative who shall make, within the scope of his or her authority, all necessary and proper decisions with reference to the project. All requests for contract interpretations, change orders, and other clarification or instruction shall be directed to the City Representative. 8. Monthly Report. Commencing thirty (30) days after the date of execution of this Agreement and every thirty (30) days thereafter, Professional is required to provide the City Representative with a written report of the status of the work with respect to the Scope of Services, Work Schedule, and other material information. Failure to provide any required monthly report may, at the option of the City, suspend the processing of any partial payment request. 9. Independent Contractor. The services to be performed by Professional are those of an independent contractor and not of an employee of the City of Fort Collins. The City shall not be responsible for withholding any portion of Professional's compensation hereunder for the payment of FICA, Workers' Compensation, other taxes or benefits or for any other purpose. 10. Personal Services. It is understood that the City enters into this Agreement based on the special abilities of the Professional and that this Agreement shall be considered as an DocuSign Envelope ID: B29B8F09-39A3-4A07-AAA4-A62B292966E6 8155 – Cybersecurity Vulnerability Assessment Professional Services Agreement Page 3 of 24 agreement for personal services. Accordingly, the Professional shall neither assign any responsibilities nor delegate any duties arising under this Agreement without the prior written consent of the City. 11. Subcontractors. Service Provider may not subcontract any of the Work set forth in the Exhibit A, Statement of Work without the prior written consent of the city, which shall not be unreasonably withheld. If any of the Work is subcontracted hereunder (with the consent of the City), then the following provisions shall apply: (a) the subcontractor must be a reputable, qualified firm with an established record of successful performance in its respective trade performing identical or substantially similar work, (b) the subcontractor will be required to comply with all applicable terms of this Agreement, (c) the subcontract will not create any contractual relationship between any such subcontractor and the City, nor will it obligate the City to pay or see to the payment of any subcontractor, and (d) the work of the subcontractor will be subject to inspection by the City to the same extent as the work of the Service Provider. 12. Acceptance Not Waiver. The City's approval of drawings, designs, plans, specifications, reports, and incidental work or materials furnished hereunder shall not in any way relieve the Professional of responsibility for the quality or technical accuracy of the work. The City's approval or acceptance of, or payment for, any of the services shall not be construed to operate as a waiver of any rights or benefits provided to the City under this Agreement. 13. Default. Each and every term and condition hereof shall be deemed to be a material element of this Agreement. In the event either party should fail or refuse to perform according to the terms of this agreement, such party may be declared in default. 14. Remedies. In the event a party has been declared in default, such defaulting party shall be allowed a period of ten (10) days within which to cure said default. In the event the default remains uncorrected, the party declaring default may elect to (a) terminate the Agreement and seek damages; (b) treat the Agreement as continuing and require specific performance; or (c) avail himself of any other remedy at law or equity. If the non- defaulting party commences legal or equitable actions against the defaulting party, the defaulting party shall be liable to the non-defaulting party for the non-defaulting party's reasonable attorney fees and costs incurred because of the default. 15. Binding Effect. This writing, together with the exhibits hereto, constitutes the entire agreement between the parties and shall be binding upon said parties, their officers, employees, agents and assigns and shall inure to the benefit of the respective survivors, heirs, personal representatives, successors and assigns of said parties. 16. Law/Severability. The laws of the State of Colorado shall govern the construction, interpretation, execution and enforcement of this Agreement. In the event any provision of this Agreement shall be held invalid or unenforceable by any court of competent jurisdiction, such holding shall not invalidate or render unenforceable any other provision DocuSign Envelope ID: B29B8F09-39A3-4A07-AAA4-A62B292966E6 8155 – Cybersecurity Vulnerability Assessment Professional Services Agreement Page 4 of 24 of this Agreement. 17. Prohibition Against Employing Illegal Aliens. Pursuant to Section 8-17.5-101, C.R.S., et. seq., Professional represents and agrees that: a. As of the date of this Agreement: 1. Professional does not knowingly employ or contract with an illegal alien who will perform work under this Agreement; and 2. Professional will participate in either the e-Verify program created in Public Law 208, 104th Congress, as amended, and expanded in Public Law 156, 108th Congress, as amended, administered by the United States Department of Homeland Security (the “e-Verify Program”) or the Department Program (the “Department Program”), an employment verification program established pursuant to Section 8-17.5-102(5)(c) C.R.S. in order to confirm the employment eligibility of all newly hired employees to perform work under this Agreement. b. Professional shall not knowingly employ or contract with an illegal alien to perform work under this Agreement or knowingly enter into a contract with a subcontractor that knowingly employs or contracts with an illegal alien to perform work under this Agreement. c. Professional is prohibited from using the e-Verify Program or Department Program procedures to undertake pre-employment screening of job applicants while this Agreement is being performed. d. If Professional obtains actual knowledge that a subcontractor performing work under this Agreement knowingly employs or contracts with an illegal alien, Professional shall: 1. Notify such subcontractor and the City within three days that Professional has actual knowledge that the subcontractor is employing or contracting with an illegal alien; and 2. Terminate the subcontract with the subcontractor if within three days of receiving the notice required pursuant to this section the subcontractor does not cease employing or contracting with the illegal alien; except that Professional shall not terminate the contract with the subcontractor if during such three days the subcontractor provides information to establish that the subcontractor has not knowingly employed or contracted with an illegal alien. e. Professional shall comply with any reasonable request by the Colorado Department of Labor and Employment (the “Department”) made in the course of an investigation that the Department undertakes or is undertaking pursuant to the authority established in Subsection 8-17.5-102 (5), C.R.S. f. If Professional violates any provision of this Agreement pertaining to the duties imposed by Subsection 8-17.5-102, C.R.S. the City may terminate this Agreement. If this Agreement is so terminated, Professional shall be liable for actual and consequential damages to the City arising out of Professional’s violation of Subsection DocuSign Envelope ID: B29B8F09-39A3-4A07-AAA4-A62B292966E6 8155 – Cybersecurity Vulnerability Assessment Professional Services Agreement Page 5 of 24 8-17.5-102, C.R.S. g. The City will notify the Office of the Secretary of State if Professional violates this provision of this Agreement and the City terminates the Agreement for such breach. 18. Red Flags Rules. Professional must implement reasonable policies and procedures to detect, prevent and mitigate the risk of identity theft in compliance with the Identity Theft Red Flags Rules found at 16 Code of Federal Regulations part 681. Further, Professional must take appropriate steps to mitigate identity theft if it occurs with one or more of the City’s covered accounts and must as expeditiously as possible notify the City in writing of significant breeches of security or Red Flags to the Utilities or the Privacy Committee. 19. Special Provisions. Special provisions or conditions relating to the services to be performed pursuant to this Agreement are set forth in Exhibit E – Non-Disclosure Agreement, consisting of two (2) pages, attached hereto and incorporated herein by this reference. THE CITY OF FORT COLLINS, COLORADO By: Gerry Paul Purchasing Director DATE: ATTEST: City Clerk APPROVED AS TO FORM: Assistant City Attorney SECURANCE LLC By: Printed: Title: CORPORATE PRESIDENT OR VICE PRESIDENT Date: DocuSign Envelope ID: B29B8F09-39A3-4A07-AAA4-A62B292966E6 President Paul Ashe 10/21/2015 10/29/2015 8155 – Cybersecurity Vulnerability Assessment Professional Services Agreement Page 6 of 24 EXHIBIT A STATEMENT OF WORK This Statement of Work (SOW) is executed between the City of Fort Collins and Securance LLC. This statement of work pertains directly to the request for services detailed below. SUMMARY The City of Fort Collins, Colorado (City) is contracting for services to assist City staff with conducting an assessment of the effectiveness of the Fort Collins Utilities Water Resources and Treatment Industrial Control System (WR&T ICS) cybersecurity controls. The purpose of this project is to: 1. Establish a basic baseline assessment of the general security state of the Water Resources and Treatment ICS (Industrial Control System), including an independent 3rd party assessment of key WR&T components and cybersecurity controls. 2. Develop a prioritized work program to phase in any appropriate WR&T ICS cybersecurity capability maturity improvements over time. 3. Establish a clear understanding of City staff roles and responsibilities in maintaining the WR&T ICS security state in a manner consistent with Fort Collins Utilities (FCU) organizational goals and resources. 4. Pilot replicable methods and procedures to enable similar cybersecurity assessments for other FCU systems in a manner that does not require significant time commitment by FCU staff and that can be reasonably accommodated within existing staff resources and work plan commitments. SCOPE General Responsibilities 1. Before access to any systems is granted, Securance will provide a background check for each individual Securance employee who will need access to City of Ft. Collins systems. The check will include the name of the company that performed the background check, and the date of the most recent background check. 2. Before access to any systems is granted, Securance will sign a non-disclosure agreement. 3. Securance will provide laptop computers for use during this project. These laptops will be scanned by IT personnel prior to allowing them on the City network. Said laptops will also need to each have a personal firewall software, as well as have current, active anti-virus definitions. 4. Securance will provide the Information Sharing Security Safeguards and Standards described in their Response to Request for Proposal RFP 8155 Cybersecurity Vulnerability Assessment, Approach & Methodology Section as attached. Project Scope Items Perform a Cyber Security Assessment: DocuSign Envelope ID: B29B8F09-39A3-4A07-AAA4-A62B292966E6 8155 – Cybersecurity Vulnerability Assessment Professional Services Agreement Page 7 of 24  Assessment of Cyber Security Controls o Conduct a gap analysis against NIST Special Publication 800-53 using Client’s self-assessment reports. o Help Client’s staff interpret findings. o Recommend improvements to the self-assessment documentation process.  Review of Water Resources and Treatment (WR&T) System Security Architecture o Review system architecture and boundary protections from a cyber security perspective.  Assessment of WR&T System Security Configurations o Analyze the security configurations of key WR&T control system components, including PLCs, HMI servers and client machines, databases, web application servers, routers and switches. Prepare Deliverables  Management and Technician’s Reports  Report Presentation Methodologies The cybersecurity assessment will be performed using the methodologies described in Securance’s Response to Request for Proposal RFP 8155 Cybersecurity Vulnerability Assessment. Use of Automated Tools Fort Collins Utilities will allow use of automated tools with some caveats. 1. Prior to use of automated tools, FCU must approve a Securance-provided list of tools to be used, their configuration settings, the systems to be tested, and a testing schedule. Information gathered about the environment during the cybersecurity assessment will help determine which tools will be used for testing. 2. Passive configuration settings are to be used initially. Based on results, cautious progression to active settings may be used upon approval. It’s possible that permission will not be granted for active scanning/testing of unstable or high risk systems, in which case manual testing may be performed. 3. Scanning is not to go beyond the logical Water SCADA network into the business network without explicit permission. The boundary between the Water SCADA network and business network is within scope. Devices on the business network that are allowed access to the SCADA network will be need to be examined. Examination of these will be added through a change order negotiated and agreed upon by both parties. DocuSign Envelope ID: B29B8F09-39A3-4A07-AAA4-A62B292966E6 8155 – Cybersecurity Vulnerability Assessment Professional Services Agreement Page 8 of 24 DELIVERABLES AND ACCEPTANCE CRITERIA 1. Management Report to include o Executive summary o Introduction and scope o Approach and methodology o Current maturity level and a road map for improved maturity o Vulnerability findings including  vulnerability descriptions  associated risk rankings  risk descriptions  actionable recommendations to mitigate risks and achieve compliance  remediation cost estimates 2. Technician’s Report to include raw data extracts from utilized security tools. 3. Report Presentation 4. All electronic data will be permanently deleted from Professionals workstations. Written verification of the deletion (including date of deletion) is to be provided to City Project Manager within ten (10) days after completion of engagement, whether it be via termination, completion or otherwise. SCHEDULE The expected time for this engagement will be determined upon execution of the SOW. Securance’s sample project plan is attached as Exhibit XX to the Agreement. STAFF The expected team roles anticipated over the duration of the Project consist of, but are not limited to, one (1) Sr. IT Audit Professional and the Engagement Manager. Additions to the team may be made as needed or requested by the Client’s Project Manager. DEPENDENCIES AND ASSUMPTIONS 1. Securance will provide a client assistance request list to Client prior to the commencement of the engagement. 2. Securance will have full access to all Client participants and personnel as required through the duration of the engagement. 3. Client will hold meetings with the Securance engagement manager, as necessary, to assess the Securance progress. 4. Each task will be performed at an agreed-upon time to minimize disruption to Client personnel. DocuSign Envelope ID: B29B8F09-39A3-4A07-AAA4-A62B292966E6 8155 – Cybersecurity Vulnerability Assessment Professional Services Agreement Page 9 of 24 5. Client will provide Securance with appropriate system access to successfully complete each project. OTHER The following sections from Securance’s RFP submittal shall be part of the Statement of Work. DocuSign Envelope ID: B29B8F09-39A3-4A07-AAA4-A62B292966E6 8155 – Cybersecurity Vulnerability Assessment Professional Services Agreement Page 10 of 24 DocuSign Envelope ID: B29B8F09-39A3-4A07-AAA4-A62B292966E6 8155 – Cybersecurity Vulnerability Assessment Professional Services Agreement Page 11 of 24 DocuSign Envelope ID: B29B8F09-39A3-4A07-AAA4-A62B292966E6 8155 – Cybersecurity Vulnerability Assessment Professional Services Agreement Page 12 of 24 DocuSign Envelope ID: B29B8F09-39A3-4A07-AAA4-A62B292966E6 8155 – Cybersecurity Vulnerability Assessment Professional Services Agreement Page 13 of 24 DocuSign Envelope ID: B29B8F09-39A3-4A07-AAA4-A62B292966E6 8155 – Cybersecurity Vulnerability Assessment Professional Services Agreement Page 14 of 24 DocuSign Envelope ID: B29B8F09-39A3-4A07-AAA4-A62B292966E6 8155 – Cybersecurity Vulnerability Assessment Professional Services Agreement Page 15 of 24 DocuSign Envelope ID: B29B8F09-39A3-4A07-AAA4-A62B292966E6 8155 – Cybersecurity Vulnerability Assessment Professional Services Agreement Page 16 of 24 DocuSign Envelope ID: B29B8F09-39A3-4A07-AAA4-A62B292966E6 8155 – Cybersecurity Vulnerability Assessment Professional Services Agreement Page 17 of 24 DocuSign Envelope ID: B29B8F09-39A3-4A07-AAA4-A62B292966E6 8155 – Cybersecurity Vulnerability Assessment Professional Services Agreement Page 18 of 24 DocuSign Envelope ID: B29B8F09-39A3-4A07-AAA4-A62B292966E6 8155 – Cybersecurity Vulnerability Assessment Professional Services Agreement Page 19 of 24 EXHIBIT B PROPOSED PROJECT PLAN DocuSign Envelope ID: B29B8F09-39A3-4A07-AAA4-A62B292966E6 8155 – Cybersecurity Vulnerability Assessment Professional Services Agreement Page 20 of 24 EXHIBIT C COST AND WORK HOURS DocuSign Envelope ID: B29B8F09-39A3-4A07-AAA4-A62B292966E6 8155 – Cybersecurity Vulnerability Assessment Professional Services Agreement Page 21 of 24 EXHIBIT D INSURANCE REQUIREMENTS 1. The Professional will provide, from insurance companies acceptable to the City, the insurance coverage designated hereinafter and pay all costs. Before commencing work under this bid, the Professional shall furnish the City with certificates of insurance showing the type, amount, class of operations covered, effective dates and date of expiration of policies, and containing substantially the following statement: “The insurance evidenced by this Certificate will not reduce coverage or limits and will not be cancelled, except after thirty (30) days written notice has been received by the City of Fort Collins.” In case of the breach of any provision of the Insurance Requirements, the City, at its option, may take out and maintain, at the expense of the Professional, such insurance as the City may deem proper and may deduct the cost of such insurance from any monies which may be due or become due the Professional under this Agreement. The City, its officers, agents and employees shall be named as additional insureds on the Professional 's general liability and automobile liability insurance policies for any claims arising out of work performed under this Agreement. 2. Insurance coverages shall be as follows: A. Workers' Compensation & Employer's Liability. The Professional shall maintain during the life of this Agreement for all of the Professional's employees engaged in work performed under this agreement: 1. Workers' Compensation insurance with statutory limits as required by Colorado law. 2. Employer's Liability insurance with limits of $100,000 per accident, $500,000 disease aggregate, and $100,000 disease each employee. B. Commercial General & Vehicle Liability. The Professional shall maintain during the life of this Agreement such commercial general liability and automobile liability insurance as will provide coverage for damage claims of personal injury, including accidental death, as well as for claims for property damage, which may arise directly or indirectly from the performance of work under this Agreement. Coverage for property damage shall be on a "broad form" basis. The amount of insurance for each coverage, Commercial General and Vehicle, shall not be less than $1,000,000 combined single limits for bodily injury and property damage. In the event any work is performed by a subcontractor, the Professional shall be responsible for any liability directly or indirectly arising out of the work performed under this Agreement by a subcontractor, which liability is not covered by the subcontractor's insurance. C. Errors & Omissions. The Professional shall maintain errors and omissions insurance in the amount of $1,000,000. D. Cyber Risk. The Professional shall maintain cyber risk insurance in the amount of $2,000,000. DocuSign Envelope ID: B29B8F09-39A3-4A07-AAA4-A62B292966E6 No new insurance required 8155 – Cybersecurity Vulnerability Assessment Professional Services Agreement Page 22 of 24 EXHIBIT E NON-DISCLOSURE AGREEMENT THIS NON-DISCLOSURE AGREEMENT (Agreement) made and entered into by and between the City of Fort Collins, a municipal corporation (“City”) and Securance LLC (Professional) (collectively, the “Parties”). WITNESSETH WHEREAS, the parties desire to assure the confidential and/or proprietary status of the information which may be disclosed to each other in connection with their discussions relating to RFP 8155 Cybersecurity Vulnerability Assessment. NOW, THEREFORE, in consideration of terms and covenants contained herein, the Parties agree as follows: 1. Confidential Information. Confidential Information controlled by this Agreement refers to information which is confidential and/or proprietary and includes by way of example, but without limitation, City customer information, location information, Fort Collins Utilities Water Resources and Treatment Industrial Control System, network security system, business plans, formulae, processes, intellectual property, trade secrets, designs, photographs, plans, drawings, schematics, methods, specifications, samples, reports, mechanical and electronic design drawings, customer lists, financial information, studies, findings, inventions, and ideas. To the extent practical, Confidential Information shall be marked "Confidential" or "Proprietary". In the case of disclosure in non-documentary form made orally or by visual inspection, the Discloser shall have the right, or, if requested by the Recipient, the obligation to confirm in writing the fact and general nature of each disclosure within a reasonable time after it is made in order that it is treated as Confidential Information. Any information disclosed to the other party prior to the execution of this Agreement shall be considered in the same manner and be subject to the same treatment as the information disclosed after the execution of this Agreement. 2. Use of Confidential Information. Recipient hereby agrees that it shall use the Confidential Information solely for the purpose of performing its obligations under this Agreement and not in any way detrimental to Discloser. Recipient agrees to use the same degree of care Recipient uses with respect to its own proprietary or confidential information, which in any event shall result in a reasonable standard of care to prevent unauthorized use or disclosure of the Confidential Information. Except as otherwise provided herein, Recipient shall keep confidential and not disclose the Confidential Information. The City and Contractor shall cause each of their directors, officers, employees, agents, representatives, Subcontractors to become familiar with, and abide by, the terms of this section. 3. Exclusions from Definition. The term “Confidential Information” as used herein does not include any data or information which is already known to the receiving party or which before being divulged by the receiving party (1) was generally known to the public through no wrongful act of the receiving party; (2) has been rightfully received by the receiving party from a third party without restriction on disclosure and without, to the knowledge of the receiving party, a breach of an obligation of confidentiality; (3) has been approved for release by a written authorization by the other party hereto; or (4) has been disclosed pursuant to a requirement of a governmental agency or by operation of law. DocuSign Envelope ID: B29B8F09-39A3-4A07-AAA4-A62B292966E6 8155 – Cybersecurity Vulnerability Assessment Professional Services Agreement Page 23 of 24 4. Required Disclosure. If the receiving party is required (by oral questions, interrogatories, requests for information or documents, subpoena, civil investigative demand or similar process, or by federal, state, or local law, including without limitation, the Colorado Open Records Act) to disclose any Confidential Information, the parties agree that the receiving party will provide the disclosing party with prompt notice of such request, so that the disclosing party may seek an appropriate protective order or waive the receiving party’s compliance with the provisions of this Agreement. The parties further agree that if, in the absence of a protective order or the receipt of a waiver hereunder, the receiving party is nonetheless, in the opinion of its legal counsel, compelled by law to disclose Confidential Information to any person, entity or tribunal, the receiving party may disclose such Confidential Information to such person, entity or tribunal without any liability under this Agreement. 5. Professional shall not, disclose any such Confidential Information to any person, directly or indirectly, nor use it in any way, except as required or authorized by the City. 6. Confidential Information is not to be stored on any local workstation, laptop, or media such as CD/DVD, USB drives, external hard drives or other similar portable devices unless Vendor can ensure security for the Confidential Information so stored. Work stations or laptops to be used in the Work will be required to have personal firewalls on each, as well as have current, active anti-virus definitions. 7. The agreement not to disclose Confidential Information as set forth in this document shall apply during the term of the project and at any time thereafter unless specifically authorized by the City in writing. 8. Professional shall make no copies of any Confidential Information obtained. 9. If Professional breaches this Agreement, the City may immediately terminate this Agreement and withdraw Professional’s right to access Confidential Information. 10. Notwithstanding any other provision of this Agreement, all material, i.e., various physical forms of media in which Confidential Information is contained, including but not limited to writings, drawings, tapes, diskettes, prototypes or products, shall remain the sole property of the Discloser and, upon request, shall be promptly returned, together with all copies thereof to the Discloser. All digital and electronic data should be deleted in a non-restorable way by which it is no longer available to the Recipient. Written verification of the deletion (including date of deletion) is to be provided to the Discloser within ten (10) days after completion of engagement, whether it be via termination, completion or otherwise. 11. Professional acknowledges that the City will, based upon the representations made in this Agreement, disclose security information that is critical to the continued success of the City’s business. Accordingly, Professional agrees that the City does not have an adequate remedy at law for breach of this Agreement and therefore, the City shall be entitled, as a non- exclusive remedy, and in addition to an action for damages, to seek and obtain an injunction or decree of specific performance or any other remedy, from a court of competent jurisdiction to enjoin or remedy any violation of this Agreement. 12. No act of omission or commission of either the City or Professional, including without limitation, any failure to exercise any right, remedy, or recourse, shall be deemed to be a DocuSign Envelope ID: B29B8F09-39A3-4A07-AAA4-A62B292966E6 8155 – Cybersecurity Vulnerability Assessment Professional Services Agreement Page 24 of 24 waiver, release, or modification of the same. Such a waiver, release, or modification is to be effected only through a written modification to this Agreement. 13. Neither party shall assign any of its rights, privileges or obligations under this Agreement to any third party without prior written consent of the other party. 14. This Agreement is to be construed in accordance with the laws of the State of Colorado. Venue and jurisdiction for any cause of action or claim asserted by either party hereto shall be in the District Court of Larimer County, Colorado. DocuSign Envelope ID: B29B8F09-39A3-4A07-AAA4-A62B292966E6 DocuSign Envelope ID: B29B8F09-39A3-4A07-AAA4-A62B292966E6 DocuSign Envelope ID: B29B8F09-39A3-4A07-AAA4-A62B292966E6