8359 Cybersecurity Vulnerability Assessment Page 1 of 28

REQUEST FOR PROPOSAL
8359 CYBERSECURITY VULNERABILITY ASSESSMENT

The City of Fort Collins Utilities Department is seeking a qualified firm to perform a Cybersecurity Vulnerability Assessment of the Utility’s Billing and Customer Service System and the Light & Power SCADA System. Another task will be to develop a plan to create, implement, and maintain a Cybersecurity Governance Framework for the Utility.

As part of the City’s commitment to Sustainable Purchasing, proposal submission via email is preferred. Proposals shall be submitted in a single Microsoft Word or PDF file under 20MB and e-mailed to: purchasing@fcgov.com. If electing to submit hard copy proposals instead, nine (9) copies will be received at the City of Fort Collins' Purchasing Division, 215 North Mason St., 2nd floor, Fort Collins, Colorado 80524. Proposals must be received before 3:00 p.m. (our clock), September 19, 2016 and referenced as Proposal No. 8359. If delivered, they are to be sent to 215 North Mason Street, 2nd Floor, Fort Collins, Colorado 80524. If mailed, the address is P.O. Box 580, Fort Collins, 80522-0580. Please note, additional time is required for bids mailed to the PO Box to be received at the Purchasing Office.

The City encourages all Disadvantaged Business Enterprises (DBEs) to submit proposals in response to all requests for proposals. No individual or business will be discriminated against on the grounds of race, color, sex, or national origin. It is the City’s policy to create a level playing field on which DBEs can compete fairly and to ensure nondiscrimination in the award and administration of all contracts.

Questions concerning the project should be directed to Pat Johnson, CPPB, Senior Buyer at pjohnson@fcgov.com in written format. Please format your e-mail to include: RFP 8359 CYBERSECURITY VULNERABILITY ASSESSMENT in the subject line.
The deadline for question submittal is September 8, 2016 at 5:00 pm.

A copy of the RFP may be obtained at www.rockymountainbidsystem.com.

The City of Fort Collins is subject to public information laws, which permit access to most records and documents. Proprietary information in your response must be clearly identified and will be protected to the extent legally permissible. Proposals may not be marked ‘Proprietary’ in their entirety. All provisions of any contract resulting from this request for proposal will be public information.

New Vendors: The City requires new vendors receiving awards from the City to fill out and submit an IRS form W-9 and to register for Direct Deposit (Electronic) payment. If needed, the W-9 form and the Vendor Direct Deposit Authorization Form can be found on the City’s Purchasing website at www.fcgov.com/purchasing under Vendor Reference Documents.

Financial Services
Purchasing Division
215 N. Mason St. 2nd Floor
PO Box 580
Fort Collins, CO 80522
970.221.6775
970.221.6707
fcgov.com/purchasing

Sales Prohibited/Conflict of Interest: No officer, employee, or member of City Council, shall have a financial interest in the sale to the City of any real or personal property, equipment, material, supplies or services where such officer or employee exercises directly or indirectly any decision-making authority concerning such sale or any supervisory authority over the services to be rendered. This rule also applies to subcontracts with the City. Soliciting or accepting any gift, gratuity, favor, entertainment, kickback or any items of monetary value from any person who has or is seeking to do business with the City of Fort Collins is prohibited.

Collusive or sham proposals: Any proposal deemed to be collusive or a sham proposal will be rejected and reported to authorities as such.
Your authorized signature of this proposal assures that such proposal is genuine and is not a collusive or sham proposal.

The City of Fort Collins reserves the right to reject any and all proposals and to waive any irregularities or informalities.

Utilization of Award by Other Agencies: The City of Fort Collins reserves the right to allow other state and local governmental agencies, political subdivisions, and/or school districts to utilize the resulting award under all terms and conditions specified and upon agreement by all parties. Usage by any other entity shall not have a negative impact on the City of Fort Collins in the current term or in any future terms.

Sustainability: Consulting firms/teams participating in the proposal are to provide an overview of the organization’s philosophy and approach to Sustainability. In no more than two (2) pages please describe how your organization strives to be sustainable in the use of materials, equipment, vehicles, fuel, recycling, office practices, etc. The City of Fort Collins incorporates the Triple Bottom Line into our decision process by including economic (or financial), environmental, and social factors in our evaluation.

The selected Service Provider shall be expected to sign the City’s standard Agreement without revision prior to commencing Services (see sample attached to this Proposal).

Sincerely,
Gerry S. Paul
Purchasing Director

TABLE OF CONTENTS

I. PURPOSE AND BACKGROUND
II. SCOPE OF PROPOSAL
III. PROPOSAL SUBMITTAL
IV. REVIEW AND ASSESSMENT

ATTACHMENTS

Attachment 1 - Proposal Acknowledgement
Attachment 2 – Sample Professional Services Agreement, Work Order Type
Exhibit A: Sample Work Order Form
Exhibit B: Insurance Requirements
Exhibit C: Confidentiality
Exhibit D: Fort Collins Expense Guidelines
Exhibit E: Non-Disclosure Agreement

I. PURPOSE AND BACKGROUND

A.
Purpose

The City of Fort Collins Utilities Department is seeking a qualified firm to provide services for the following three projects.

1. Perform a cybersecurity vulnerability assessment of the Utility’s billing and customer service system
2. Develop a plan to create, implement, and maintain a cybersecurity governance framework for the Utility.
3. Perform a cybersecurity vulnerability assessment of the Light & Power SCADA system

B. Background

Fort Collins is a vibrant community of approximately 151,000 located 65 miles north of Denver, at the base of the foothills of the Rocky Mountains. The City is 56 square miles in size and is the northern extension of the “Colorado Front Range” urban corridor. The City’s population includes over 24,000 college students.

City of Fort Collins Utilities (Utilities) serves more than 65,000 (both single family and multi-family) electric customers with total annual sales of approximately 1,500 gigawatt-hours. The Utility also provides water, wastewater, stormwater and financing services. More information about Fort Collins Utilities can be found at fcgov.com/utilities. Within this group of residential customers, approximately 26,000 single family homes also receive water services.

Three Projects

Project 1: Cybersecurity Vulnerability Assessment of the Utility’s Billing and Customer Service Information System (CIS)

The Customer Information System (CIS) is Fort Collins Utility’s (FCU) and the City of Longmont Utility’s (CLU) core system for managing and billing customer accounts. It is considered a business critical system because of its vital place in the revenue cycle. While security measures are in place, the Utility is aware that unknown vulnerabilities may exist within the system that could be exploited. Such exploits may result in customers’ personally identifiable information (PII) being stolen, data being corrupted resulting in loss of productivity and revenue, or the system being taken down.
Any compromise of the CIS system would damage the City’s reputations as safe and secure organizations. The purpose of this project is to identify vulnerabilities to the CIS system that can then be remediated in order to maintain confidentiality of customer information, integrity of data stored in CIS, and system availability. Platte River Power Authority (PRPA) hosts CIS for FCU and CLU; therefore, it has a vested interest in ensuring system security.

Project 2: Cybersecurity Framework and Governance Planning for the Utility

The City of Fort Collins Utility has cybersecurity processes in place, but understands that its framework and governance are immature. FCU requests assistance in using the NIST Framework for Improving Critical Infrastructure Cybersecurity to develop a cybersecurity plan and long-term maturation road map to be implemented and maintained by internal resources. The plan and road map should reflect the Utility’s unique environment, aligning cybersecurity activities with its business requirements, risk tolerance, and resources.

Project 3: Cybersecurity Vulnerability Assessment of the Light & Power SCADA system (ESCADA)

Electricity distribution is one of Fort Collins Utility’s primary services. The continuous operation of the Electric Supervisory Control and Data Acquisition (ESCADA) system is of paramount importance to the Utility’s ability to safely provide reliable service to its customers. While security measures are in place, the Utility is aware that unknown vulnerabilities may exist that could be exploited. Such exploits may result in power outages and equipment damage. The purpose of this project is to identify vulnerabilities of the ESCADA system so they can be remediated in order to maintain safe reliable electricity distribution to Fort Collins residents and businesses.

II. SCOPE OF PROPOSAL

The City intends to hire one firm for all three of the projects.
The projects will not take place all at once, but will be staggered per the suggested schedule below.

A. Scope of Work for the Projects

Project 1: Scope of Work for Cybersecurity Vulnerability Assessment of the Utility’s Billing and Customer Service Information System (CIS)

Perform a vulnerability assessment of the CIS system, including:

1. Network architecture and boundary protection
2. VPN concentrator
3. Server configuration (application, database, web)
4. Application security
5. Endpoint device security
6. Organizational security policy and processes as they relate directly to the CIS system
7. The interactive voice response system (IVR)
8. Data transmission security between the CIS system and approximately 45 third party interfaces
9. Other direct system interfaces with the CIS, such as network and server devices

The following are outside the scope of this project:

1. City internet firewalls not directly related to CIS security
2. A vulnerability assessment of the business network
3. Penetration testing
4. Risk assessment (organization-specific threat and actor assessment, which in combination with the vulnerability assessment and risk tolerance assessment, results in a risk rating of the environment)
5. Physical security (e.g., cameras) assessment
6. Payment Card Industry (PCI) assessment
7. Maturity rating analysis
8. Full vulnerability assessment of interfaced applications is outside of the scope. Focus is to be on data transmission between interfaced applications and CIS.
9. Phishing assessment

Project 1: Deliverables

1. A written report of the findings and recommendations including a prioritized list of recommendations for improvement, including estimated time and cost to remediate each item. Recommendations should be based on NIST SP 800-53 v4 and mapped to the Center for Internet Security Critical Security Controls version 6.0.
2.
An oral presentation of the findings and recommendations to management.

Project 2: Scope of Work for Cybersecurity Governance Framework for the Utility

Following the steps outlined in the NIST Framework for Improving Critical Infrastructure Cybersecurity version 1, section 3.2 Establishing or Improving a Cybersecurity Program:

1. Assist the Utility with development of a cybersecurity plan that aligns with its business requirements, risk tolerance, and resources.
2. Deliver a prioritized action plan, including estimated time and resources to complete each opportunity for improvement. This should be a long-term road map for program maturation.

A risk assessment would facilitate the above and may be included in the scope, depending on cost. Please include pricing with and without this effort.

The following is outside the scope of this project:

1. Vulnerability assessment, other than interviews

Project 2: Deliverables

1. Risk assessment report (optional, see Scope of Work)
2. Cybersecurity plan
3. Long term road map for cybersecurity program maturation, based on the Framework Profile, including time and resource estimates for each opportunity for improvement.

Project 3: Scope of Work: Cybersecurity Vulnerability Assessment of the Light & Power SCADA System (ESCADA)

Perform a vulnerability assessment of the ESCADA system, including:

1. The ESCADA network architecture and boundary protection
2. ESCADA servers (application, database)
3. Application security settings analysis
4. Endpoint devices
5. Organizational security policy and processes as they relate directly to the ESCADA system
6. 900MHz monitoring and control system
7. Field devices may be included depending on the cost (please bid with and without)

The following are outside the scope of this project:

1. Network architecture not directly related to the ESCADA network
2. A vulnerability assessment of the business network
3. Penetration testing
4.
Risk assessment (organization-specific threat and actor assessment, which in combination with the vulnerability assessment and risk tolerance assessment, results in a risk rating of the environment)
5. Physical plant security (e.g., cameras)
6. Maturity rating analysis is outside of the scope

Project 3: Deliverables

1. A written report of the findings and recommendations including a prioritized list of recommendations for improvement, including estimated time and cost to remediate each item. Recommendations should be based on NIST SP 800-53 v4 and mapped to the Center for Internet Security Critical Security Controls version 6.0.
2. An oral presentation of the findings and recommendations to management.

B. Consultant Instructions and Information

The following apply to all three projects.

1. Schedule
Utilities has established the target schedule shown below for the RFP. Utilities reserves the right to amend the target schedule at any time.

• RFP issuance: August 30, 2016
• Questions due: September 8, 2016
• Proposal due date: September 19, 2016
• Interviews (tentative): Week of October 3, 2016
• Completion of CIS project: December 23, 2016
• Start of Governance Framework project (estimated): January 9, 2017
• Completion of Governance Framework project (estimated): April 30, 2017
• Start of ESCADA project (estimate): October 10, 2017
• Completion of ESCADA project: December 30, 2017

2. Budget
The budget for these projects has a maximum of $187,000, therefore firms are invited to submit proposals with the tasks prioritized to aid the City in working together with the selected firm to identify and implement core tasks within the budget available for this project.

3. Interviews
In addition to submitting a written proposal, finalists may be interviewed by the City of Fort Collins and asked to do an oral presentation about their company and approach to the project.

4.
Travel & Expenses
Submittals shall contain a not to exceed cost for the scope of work. Consultant shall also include a current fee schedule. A fee schedule for sub-consultants, if used, shall be included as well. Consultants are to provide a list of fees for reimbursable expenses. Reasonable expenses will be reimbursable as per the attached Exhibit F Fort Collins Expense Guidelines. Expenses not identified on the Guidelines will be paid at cost. A reasonable administrative mark-up may be included with Consultant’s submittal.

5. Use of Sub-consultants/Partners
There may be areas for use of sub-consultants or partners from the award of this RFP. Consultants will be responsible for identifying the sub-consultants necessary during the scope of work negotiation. Please keep in mind that the City will contract solely with your company, therefore sub-consultants/partners remain your sole responsibility.

6. Length of Proposal
Limit the total length of your proposal to a maximum of twenty five (25) 8 ½ x 11” pages (excluding covers, table of contents, dividers, 11” x 17” fee spreadsheet (if used), sustainability response and proposal acknowledgement form). The Director of Purchasing may reject proposals received that are longer than 25 pages in length. Font shall be a minimum of 10 Arial and margins are limited to no less than .75 for sides and top/bottom.

7. Award
The intent of the City of Fort Collins Utilities is to award contracts to one qualified consultant for the services. The selected consultant may be retained by the City of Fort Collins Utilities annually for up to five years to provide additional similar services if required.

8. Itemized Monthly Billings
All submittals for payment shall be submitted in an itemized format on a monthly basis with a copy to the City Project Manager.

9. Non-Disclosure Agreement
A sample copy of the Non-Disclosure Agreement the City will use for the services specified in this RFP is included for your review.
The attached contract is only a sample and is not to be completed as part of the proposal submittal.

III. PROPOSAL SUBMITTAL

For this section, consultants are required to provide detailed written responses to the following items in the order outlined below FOR EACH SCOPE OF WORK. The responses shall be considered technical offers of what consultants propose to provide and shall be incorporated in the contract award as deemed appropriate by Utilities. A proposal that does not include all of the information required may be deemed incomplete and may be subject to rejection.

Responses must include all of the sections in the order listed below. It is suggested that the Consultants include each of the City’s questions with their response immediately following the question.

The City of Fort Collins shall not reimburse any firm for costs incurred in the preparation and presentation of their proposal.

A. Executive Summary

The Executive Summary should highlight the content of the proposal and features of the program offered, including a general description of the program and any unique aspects or benefits provided by your firm. Any exceptions to the agreement shall be made in the executive summary as well.

Indicate your availability to participate in the interviews/demonstrations on the proposed dates as stated in the Schedule section.

B. Scope of Proposal

1. Provide a detailed narrative of the services proposed if awarded the contract. The narrative should include any options that may be beneficial for Utilities to consider.
2. Describe how the project would be managed and who would have primary responsibility for its timely and professional completion. Include a description regarding how the analysis will be performed for the various identified areas, the methods and assumptions used, and the limitations of the analysis.
3.
Describe the methods and timeline of communication your firm will use with the City’s Project Manager and other parties.
4. Include a description of the software and other analysis tools to be used.
5. Identify what portion of work, if any, may be subcontracted.
6. Provide a written outline of the consultant’s schedule and milestones for completing tasks.

C. Assigned Personnel

The Consultant should provide the following information:

1. Primary contact information for the company including contact name(s) and title(s), mailing address(es), phone number(s), and email address(es). Complete Exhibit A, Proposal Acknowledgement. Describe the Company’s business and background, including the size, location, capacity, type of firm, details about ownership and year established. Describe the company’s structure, including an organizational chart, which illustrates leadership and roles.
2. List of Project Personnel: This list should include the identification of the contact person with primary responsibility for this Agreement, the personnel proposed for this Agreement, and any supervisory personnel, including partners and/or sub consultants, and their individual areas of responsibility.
3. A resume for each professional and technical person assigned to the Agreement, including partners and/or sub consultants, shall be submitted. The résumés shall include at least three individual references from previous assignments. Please limit resumes to one page.
4. Some functions of this project may require the use of sub-consultants. If you intend to utilize sub-consultants you must list each and provide resumes for their key personnel. Provide examples of at least two projects where you’ve worked with your sub-consultants. List the sub-consultant firm(s) for this Agreement, their area(s) of expertise, and include all other applicable information herein requested for each sub-consultant.
Identify what portion of work, if any, may be sub-contracted.
5. A list of qualifications for your firm and qualifications and experience of the specific staff members proposed to perform the consulting services described above.
6. Describe the availability of project personnel to participate in this project in the context of the consultant firm’s other commitments.
7. Provide a list of similar projects completed in the last five (5) years by the key members of the proposed team.
8. References (current contact name, current telephone number and email address) from at least three similar projects with similar requirements that have been completed within the past five (5) years and that have involved the staff proposed to work on this project. Provide a description of the work performed.

D. Sustainability/TBL Methodology

In no more than two (2) pages please describe how your organization strives to be Sustainable in the use of materials, equipment, vehicles, fuel, recycling, office practices, etc. Address how your firm incorporates Triple Bottom Line (TBL) into the workplace; see below in Section IV: Review and Assessment for additional information.

E. Cost and Work Hours

Reasonable expenses will be reimbursable as per the attached Exhibit E Fort Collins Expense guidelines. Consultant will be required to provide original receipts to the City for all reimbursable expenses.

In your response to this proposal, please provide the following:

1. Estimated Hours by Task: Provide estimated hours for each proposed task by job title and employee name, including the time required for meetings, conference calls, etc.
2. Cost by Task: Provide the cost of each task identified in the Scope of Proposal section. Provide a total not to exceed figure for the Scope of Proposal. Price all additional services/deliverables separately.
3. Schedule of Rates: Provide a schedule of billing rates by category of employee and job title to be used during the term of the Agreement.
This fee schedule will be firm for at least one (1) year from the date of the Agreement. The fee schedule will be used as a basis for determining fees should additional services be necessary. Include a per meeting rate in the event additional meetings are needed. A fee schedule for sub-consultants, if used, including mark-up if applicable shall be included.
4. All direct costs (i.e., travel, printing, postage, etc.) specifically attributed to the project and not included in the billing rates must be identified. Travel expenses will be reimbursable as per the attached Fort Collins Expense Guidelines. Consultant will be required to provide original receipts to the City for all travel expenses.
5. Consultant shall include a current fee schedule. Fee schedule will be used as a basis for determining fees should additional services be necessary. Include a per meeting rate in the event additional meetings are needed. A fee schedule for sub-consultants, if used, shall be included.

F. Firm Capability

Provide relevant information regarding previous experience related to this or similar Projects, to include the following:

1. Brief Company History including number of years in business.
2. Detail information regarding a minimum of five years of experience in providing similar services.
3. Describe the Company’s business and background, including the size, location, capacity, type of firm, details about ownership and year established.
4. Provide an Organization Chart/Proposed Project Team: An organization chart containing the names of all key personnel and sub consultants with titles and their specific task assignment for this Agreement shall be provided in this section.
5. Provide a minimum of three similar projects with governmental utilities in the last 5 years that have involved the staff proposed to work on this project.
Include the owner’s name, title of project, beginning price, ending price, contact name, email and phone number, sub-consultants on the team and a brief description of the work and any change orders.

G. Additional Information

Provide any information that distinguishes Consultant from its competition and any additional information applicable to this RFP that might be valuable in assessing Consultant’s proposal.

Explain any concerns Consultant may have in maintaining objectivity in recommending the best solution for Utilities. All potential conflicts of interest must be disclosed.

IV. REVIEW AND ASSESSMENT

Professional firms will be evaluated on the following criteria. These criteria will be the basis for review and assessment of the written proposals and optional interview session. At the discretion of the City, interviews of the top rated firms may be conducted.

The rating scale shall be from 1 to 5, with 1 being a poor rating, 3 being an average rating, and 5 being an outstanding rating.

WEIGHTING FACTOR | QUALIFICATION | STANDARD
2.0 | Scope of Proposal | Does the proposal address all elements of the RFP? Does the proposal show an understanding of the project objectives, methodology to be used and results/outcomes required by the project? Are there any exceptions to the specifications, Scope of Work, or agreement? Can the work be completed in the necessary time? Can the target start and completion dates be met?
2.0 | Assigned Personnel | Do the persons who will be working on the project have the necessary skills and qualifications? Are sufficient people of the requisite skills and qualifications assigned to the project? Is the project team available to attend meetings as required by the Scope of Work?
1.0 | Sustainability/TBL Methodology | Does the firm demonstrate a commitment to Sustainability and incorporate Triple Bottom Line methodology in both their Scope of Work for the project, and their day-to-day business operating processes and procedures?
2.0 | Cost and Work Hours | Does the proposal include detailed cost break-down for each cost element as applicable and are the line-item costs competitive? Do the proposed cost and work hours compare favorably with the Project Manager's estimate? Are the work hours presented reasonable for the effort required by each project task or phase?
2.0 | Firm Capability | Does the firm have the resources, financial strength, capacity and support capabilities required to successfully complete the project on-time and in-budget? Has the firm successfully completed previous projects of this type and scope?

Definitions

Sustainable Purchasing is a process for selecting products or services that have a lesser or reduced negative effect on human health and the environment when compared with competing products or services that serve the same purpose. This process is also known as “Environmentally Preferable Purchasing” (EPP), or “Green Purchasing”.

The Triple Bottom Line (TBL) is an accounting framework that incorporates three dimensions of performance: economic, or financial; environmental, and social. The generally accepted definition of Andrew Savitz for TBL is that it “captures the essence of sustainability by measuring the impact of an organization’s activities on the world…including both its profitability and shareholders values and its social, human, and environmental capital.”

REFERENCE EVALUATION (TOP RATED FIRM)

The Project Manager will check references using the following criteria. The evaluation rankings will be labeled Satisfactory/Unsatisfactory.

QUALIFICATION | STANDARD
Overall Performance | Would you hire this Professional again?
Did they show the skills required by this project?
Timetable | Was the original Scope of Work completed within the specified time? Were interim deadlines met in a timely manner?
Completeness | Was the Professional responsive to client needs; did the Professional anticipate problems? Were problems solved quickly and effectively?
Budget | Was the original Scope of Work completed within the project budget?
Job Knowledge | a) If a study, did it meet the Scope of Work? b) If Professional administered a construction contract, was the project functional upon completion and did it operate properly? Were problems corrected quickly and effectively?

ATTACHMENT 1
PROPOSAL ACKNOWLEDGEMENT

Consultant hereby acknowledges receipt of the City of Fort Collins Utilities’ Request for Proposal and acknowledges that it has read and agrees to be fully bound by all of the terms, conditions and other provisions set forth in the RFP. Additionally, the Consultant hereby makes the following representations to Utilities:

a. All of the statements and representations made in this proposal are true to the best of the Consultant’s knowledge and belief.
b. The Consultant has obtained all necessary authorizations and approvals that will enable the Consultant to commit to the terms provided in this proposal.
c. This proposal is a firm and binding offer, for a period of 180 days from the date hereof.
d. I further agree that the method of award is acceptable to my company.
e. I also agree to complete the proposed Agreements with the City of Fort Collins within 30 days of notice of award.
f. If contract is not completed and signed within 30 days, City reserves the right to cancel and award to the next highest rated firm.
g. I acknowledge receipt of addenda.
Consultant Firm Name:
Physical Address:
Remit to Address:
Phone:
Authorized Agent of Firm Name:
Signature of Authorized Agent:
Primary Contact for Project:
Title:
Email Address:
Phone:
Cell Phone:

ATTACHMENT 2
SAMPLE PROFESSIONAL SERVICES AGREEMENT
WORK ORDER

THIS AGREEMENT made and entered into the day and year set forth below, by and between THE CITY OF FORT COLLINS, COLORADO, a Municipal Corporation, hereinafter referred to as the "City" and , hereinafter referred to as "Professional".

WITNESSETH:

In consideration of the mutual covenants and obligations herein expressed, it is agreed by and between the parties hereto as follows:

1. Scope of Services. The Professional agrees to provide services in accordance with any project Work Orders for RFP issued by the City. A blank sample of a work order is attached hereto as Exhibit "A", consisting of one (1) page and is incorporated herein by this reference. No Work Order shall exceed $ . The City reserves the right to independently bid any project rather than issuing a Work Order to the Professional for the same pursuant to this Agreement. Irrespective of references in Exhibit A to certain named third parties, Professional shall be solely responsible for performance of all duties hereunder. A general scope of services is attached hereto as Exhibit “B”, consisting of ( ) page and is incorporated herein by this reference.

2. The Work Schedule. The services to be performed pursuant to this Agreement shall be performed in accordance with the Work Schedule stated on each Work Order.

3. Time of Commencement and Completion of Services. The services to be performed pursuant to this Agreement shall be initiated as specified on each Work Order. Time is of the essence. Any extensions of any time limit must be agreed upon in writing by the parties hereto.

4. Contract Period.
This Agreement shall commence , 20 , and shall continue in full force and effect until , 20 , unless sooner terminated as herein provided. In addition, at the option of the City, the Agreement may be extended for additional one year periods not to exceed ( ) additional one year periods. Renewals and pricing changes shall be negotiated by and agreed to by both parties. Written notice of renewal shall be provided to the Professional and mailed no later than thirty (30) days prior to contract end.

5. Early Termination by City. Notwithstanding the time periods contained herein, the City may terminate this Agreement at any time without cause by providing written notice of termination to the Professional. Such notice shall be delivered at least fifteen (15) days prior to the termination date contained in said notice unless otherwise agreed in writing by the parties. All notices provided under this Agreement shall be effective when mailed, postage prepaid and sent to the following addresses:

Professional: Attn:
City: City of Fort Collins, Attn: , PO Box 580, Fort Collins, CO 80522
Copy to: City of Fort Collins, Attn: Purchasing Dept., PO Box 580, Fort Collins, CO 80522

In the event of any such early termination by the City, the Professional shall be paid for services rendered prior to the date of termination, subject only to the satisfactory performance of the Professional's obligations under this Agreement. Such payment shall be the Professional's sole right and remedy for such termination.

4. Design, Project Indemnity and Insurance Responsibility. The Professional shall be responsible for the professional quality, technical accuracy, timely completion and the coordination of all services rendered by the Professional, including but not limited to designs, plans, reports, specifications, and drawings and shall, without additional compensation, promptly remedy and correct any errors, omissions, or other deficiencies.
The Professional shall indemnify, save and hold harmless the City, its officers and employees in accordance with Colorado law, from all damages whatsoever claimed by third parties against the City; and for the City's costs and reasonable attorney’s fees, arising directly or indirectly out of the Professional's negligent performance of any of the services furnished under this Agreement. The Professional shall maintain insurance in accordance with Exhibit , consisting of one (1) page, attached hereto and incorporated herein. 6. Compensation. [Use this paragraph or Option 1 below.] In consideration of the services to be performed pursuant to this Agreement, the City agrees to pay Professional a fixed fee in the amount of ($ ) plus reimbursable direct costs. All such fees and costs shall not exceed ($ ), in accordance with Exhibit “ ”, consisting of ( ) page , attached hereto and incorporated herein. Monthly partial payments based upon the Professional's billings and itemized statements are permissible. The amounts of all such partial payments shall be based upon the Professional's City-verified progress in completing the services to be performed pursuant hereto and upon the City's approval of the Professional's actual reimbursable expenses. [Optional] Insert Subcontractor Clause Final payment shall be made following acceptance of the work by the City. Upon final payment, all designs, plans, reports, specifications, drawings, and other services rendered by the Professional shall become the sole property of the City. 7. Compensation. [Option 1] In consideration of the services to be performed pursuant to this Agreement, the City agrees to pay Professional on a time and reimbursable direct cost basis in accordance with Exhibit “ ”, consisting of ( ) page , attached hereto and incorporated herein, with maximum compensation (for both Professional's time and reimbursable direct costs) not to exceed ($ ). 
Monthly partial payments based upon the Professional's billings and itemized statements of reimbursable direct costs are permissible. The amounts of all such partial payments shall be based upon the Professional's City-verified progress in completing the services to be performed pursuant hereto and upon the City's approval of the Professional's reimbursable direct costs. Final payment shall be made following acceptance of the work by the City. Upon final payment, all designs, plans, reports, specifications, drawings and other services rendered by the Professional shall become the sole property of the City.

8. City Representative. The City will designate, prior to commencement of work, its project representative who shall make, within the scope of his or her authority, all necessary and proper decisions with reference to the project. All requests for contract interpretations, change orders, and other clarification or instruction shall be directed to the City Representative.

9. Project Drawings. [Optional] Upon conclusion of the project and before final payment, the Professional shall provide the City with reproducible drawings of the project containing accurate information on the project as constructed. Drawings shall be of archival quality, prepared on stable Mylar base material using a non-fading process to provide for long storage and high quality reproduction. A "CD" disc of the as-built drawings shall also be submitted to the City in an AutoCAD version no older than the established city standard.

10. Monthly Report. Commencing thirty (30) days after the date of execution of this Agreement and every thirty (30) days thereafter, Professional is required to provide the City Representative with a written report of the status of the work with respect to the Scope of Services, Work Schedule, and other material information.
Failure to provide any required monthly report may, at the option of the City, suspend the processing of any partial payment request.

11. Independent Contractor. The services to be performed by Professional are those of an independent contractor and not of an employee of the City of Fort Collins. The City shall not be responsible for withholding any portion of Professional's compensation hereunder for the payment of FICA, Workers' Compensation, other taxes or benefits or for any other purpose.

12. Personal Services. It is understood that the City enters into this Agreement based on the special abilities of the Professional and that this Agreement shall be considered as an agreement for personal services. Accordingly, the Professional shall neither assign any responsibilities nor delegate any duties arising under this Agreement without the prior written consent of the City.

13. Acceptance Not Waiver. The City's approval of drawings, designs, plans, specifications, reports, and incidental work or materials furnished hereunder shall not in any way relieve the Professional of responsibility for the quality or technical accuracy of the work. The City's approval or acceptance of, or payment for, any of the services shall not be construed to operate as a waiver of any rights or benefits provided to the City under this Agreement.

14. Default. Each and every term and condition hereof shall be deemed to be a material element of this Agreement. In the event either party should fail or refuse to perform according to the terms of this Agreement, such party may be declared in default.

15. Remedies. In the event a party has been declared in default, such defaulting party shall be allowed a period of ten (10) days within which to cure said default.
In the event the default remains uncorrected, the party declaring default may elect to (a) terminate the Agreement and seek damages; (b) treat the Agreement as continuing and require specific performance; or (c) avail himself of any other remedy at law or equity. If the non-defaulting party commences legal or equitable actions against the defaulting party, the defaulting party shall be liable to the non-defaulting party for the non-defaulting party's reasonable attorney fees and costs incurred because of the default.

16. Binding Effect. This writing, together with the exhibits hereto, constitutes the entire Agreement between the parties and shall be binding upon said parties, their officers, employees, agents and assigns and shall inure to the benefit of the respective survivors, heirs, personal representatives, successors and assigns of said parties.

17. Law/Severability. The laws of the State of Colorado shall govern the construction, interpretation, execution and enforcement of this Agreement. In the event any provision of this Agreement shall be held invalid or unenforceable by any court of competent jurisdiction, such holding shall not invalidate or render unenforceable any other provision of this Agreement.

18. Prohibition Against Employing Illegal Aliens. Pursuant to Section 8-17.5-101, C.R.S., et seq., Professional represents and agrees that:
a. As of the date of this Agreement:
1. Professional does not knowingly employ or contract with an illegal alien who will perform work under this Agreement; and
2. Professional will participate in either the e-Verify program created in Public Law 208, 104th Congress, as amended, and expanded in Public Law 156, 108th Congress, as amended, administered by the United States Department of Homeland Security (the “e-Verify Program”) or the Department Program (the “Department Program”), an employment verification program established pursuant to Section 8-17.5-102(5)(c) C.R.S.
in order to confirm the employment eligibility of all newly hired employees to perform work under this Agreement.
b. Professional shall not knowingly employ or contract with an illegal alien to perform work under this Agreement or knowingly enter into a contract with a subcontractor that knowingly employs or contracts with an illegal alien to perform work under this Agreement.
c. Professional is prohibited from using the e-Verify Program or Department Program procedures to undertake pre-employment screening of job applicants while this Agreement is being performed.
d. If Professional obtains actual knowledge that a subcontractor performing work under this Agreement knowingly employs or contracts with an illegal alien, Professional shall:
1. Notify such subcontractor and the City within three days that Professional has actual knowledge that the subcontractor is employing or contracting with an illegal alien; and
2. Terminate the subcontract with the subcontractor if within three days of receiving the notice required pursuant to this section the subcontractor does not cease employing or contracting with the illegal alien; except that Professional shall not terminate the contract with the subcontractor if during such three days the subcontractor provides information to establish that the subcontractor has not knowingly employed or contracted with an illegal alien.
e. Professional shall comply with any reasonable request by the Colorado Department of Labor and Employment (the “Department”) made in the course of an investigation that the Department undertakes or is undertaking pursuant to the authority established in Subsection 8-17.5-102 (5), C.R.S.
f. If Professional violates any provision of this Agreement pertaining to the duties imposed by Subsection 8-17.5-102, C.R.S. the City may terminate this Agreement.
If this Agreement is so terminated, Professional shall be liable for actual and consequential damages to the City arising out of Professional’s violation of Subsection 8-17.5-102, C.R.S.
g. The City will notify the Office of the Secretary of State if Professional violates this provision of this Agreement and the City terminates the Agreement for such breach.

19. Red Flags Rules. Professional must implement reasonable policies and procedures to detect, prevent and mitigate the risk of identity theft in compliance with the Identity Theft Red Flags Rules found at 16 Code of Federal Regulations part 681. Further, Professional must take appropriate steps to mitigate identity theft if it occurs with one or more of the City’s covered accounts and must as expeditiously as possible notify the City in writing of significant breaches of security or Red Flags to the Utilities or the Privacy Committee.

20. Special Provisions. Special provisions or conditions relating to the services to be performed pursuant to this Agreement are set forth in Exhibit “ “ - Confidentiality, consisting of one (1) page, attached hereto and incorporated herein by this reference.
THE CITY OF FORT COLLINS, COLORADO
By: Gerry Paul, Purchasing Director
DATE:
ATTEST: City Clerk
APPROVED AS TO FORM: Senior Assistant City Attorney

PROFESSIONAL'S NAME
By:
Printed:
Title: CORPORATE PRESIDENT OR VICE PRESIDENT
Date:

EXHIBIT A
WORK ORDER FORM
PURSUANT TO AN AGREEMENT BETWEEN THE CITY OF FORT COLLINS AND
DATED:

Work Order Number:
Purchase Order Number:
Project Title:
Original Bid/RFP Project Number & Name:
Commencement Date:
Completion Date:
Maximum Fee: (time and reimbursable direct costs):
Project Description:
Scope of Services:

Professional agrees to perform the services identified above and on the attached forms in accordance with the terms and conditions contained herein and in the Professional Services Agreement between the parties. In the event of a conflict between or ambiguity in the terms of the Professional Services Agreement and this Work Order (including the attached forms) the Professional Services Agreement shall control. The attached forms consisting of ( ) page(s) are hereby accepted and incorporated herein, by this reference, and Notice to Proceed is hereby given.

PROFESSIONAL
By:_______________________________
Date:_____________________________

CITY OF FORT COLLINS
Submitted By: _________________________
Project Manager
Date: _________________________
Reviewed by: _________________________
Senior Utility Engineer
Date: _________________________
Approved by: _________________________
Water Engineering & Field Services Operations Manager
Date: ________________________
Approved by: _________________________
Utilities General Manager (over $1,000,000)
Date: ________________________
Approved by: _________________________
Purchasing Director (if over $60,000)
Date: _______________________

EXHIBIT B
INSURANCE REQUIREMENTS

1.
The Professional will provide, from insurance companies acceptable to the City, the insurance coverage designated hereinafter and pay all costs. Before commencing work under this bid, the Professional shall furnish the City with certificates of insurance showing the type, amount, class of operations covered, effective dates and date of expiration of policies, and containing substantially the following statement: “The insurance evidenced by this Certificate will not reduce coverage or limits and will not be cancelled, except after thirty (30) days written notice has been received by the City of Fort Collins.” In case of the breach of any provision of the Insurance Requirements, the City, at its option, may take out and maintain, at the expense of the Professional, such insurance as the City may deem proper and may deduct the cost of such insurance from any monies which may be due or become due the Professional under this Agreement. The City, its officers, agents and employees shall be named as additional insureds on the Professional's general liability and automobile liability insurance policies for any claims arising out of work performed under this Agreement.

2. Insurance coverages shall be as follows:

A. Workers' Compensation & Employer's Liability. The Professional shall maintain during the life of this Agreement for all of the Professional's employees engaged in work performed under this Agreement:
1. Workers' Compensation insurance with statutory limits as required by Colorado law.
2. Employer's Liability insurance with limits of $100,000 per accident, $500,000 disease aggregate, and $100,000 disease each employee.

B. Commercial General & Vehicle Liability.
The Professional shall maintain during the life of this Agreement such commercial general liability and automobile liability insurance as will provide coverage for damage claims of personal injury, including accidental death, as well as for claims for property damage, which may arise directly or indirectly from the performance of work under this Agreement. Coverage for property damage shall be on a "broad form" basis. The amount of insurance for each coverage, Commercial General and Vehicle, shall not be less than $1,000,000 combined single limits for bodily injury and property damage. In the event any work is performed by a subcontractor, the Professional shall be responsible for any liability directly or indirectly arising out of the work performed under this Agreement by a subcontractor, which liability is not covered by the subcontractor's insurance.

C. Errors & Omissions. The Professional shall maintain errors and omissions insurance in the amount of $1,000,000.

EXHIBIT C
CONFIDENTIALITY

IN CONNECTION WITH SERVICES provided to the City of Fort Collins (the “City”) pursuant to this Agreement (the “Agreement”), the Professional hereby acknowledges that it has been informed that the City has established policies and procedures with regard to the handling of confidential information and other sensitive materials. In consideration of access to certain information, data and material (hereinafter individually and collectively, regardless of nature, referred to as “information”) that are the property of and/or relate to the City or its employees, customers or suppliers, which access is related to the performance of services that the Professional has agreed to perform, the Professional hereby acknowledges and agrees as follows: That information that has or will come into its possession or knowledge in connection with the performance of services for the City may be confidential and/or proprietary.
The Professional agrees to treat as confidential (a) all information that is owned by the City, or that relates to the business of the City, or that is used by the City in carrying on business, and (b) all information that is proprietary to a third party (including but not limited to customers and suppliers of the City). The Professional shall not disclose any such information to any person not having a legitimate need-to-know for purposes authorized by the City. Further, the Professional shall not use such information to obtain any economic or other benefit for itself, or any third party, except as specifically authorized by the City. The foregoing to the contrary notwithstanding, the Professional understands that it shall have no obligation under this Agreement with respect to information and material that (a) becomes generally known to the public by publication or some means other than a breach of duty of this Agreement, or (b) is required by law, regulation or court order to be disclosed, provided that the request for such disclosure is proper and the disclosure does not exceed that which is required. In the event of any disclosure under (b) above, the Professional shall furnish a copy of this Agreement to anyone to whom it is required to make such disclosure and shall promptly advise the City in writing of each such disclosure. In the event that the Professional ceases to perform services for the City, or the City so requests for any reason, the Professional shall promptly return to the City any and all information described hereinabove, including all copies, notes and/or summaries (handwritten or mechanically produced) thereof, in its possession or control or as to which it otherwise has access. 
The Professional understands and agrees that the City’s remedies at law for a breach of the Professional’s obligations under this Confidentiality Agreement may be inadequate and that the City shall, in the event of any such breach, be entitled to seek equitable relief (including without limitation preliminary and permanent injunctive relief and specific performance) in addition to all other remedies provided hereunder or available at law.

EXHIBIT D
Fort Collins Expense Guidelines: Lodging, Per Diem Meals and Incidentals and Other expenses: January 1, 2016

Fort Collins Policy:

Lodging:
• Hotels will be reimbursed at $109/day provided the government rate is available. If the government rate is not available, the best available rate shall be used and a printout of the available rates at the time of the reservation provided as documentation.
• Hotel taxes do not count to the $109 limit, i.e. the rate is $109 plus applicable taxes.
• Receipts are to be provided.
• Actual expense will apply

Meals and Incidentals: In lieu of requiring expense receipts, Fort Collins will use Federal GSA per diem guidelines.
• Daily rate: $59
• Travel Days rate: 75% of $59 = $44.25

Vehicle Expenses:
• All costs related to rental vehicles (gas, parking, etc.) must be documented if they are to be reimbursed. The standard for vehicle size is mid-size to lower.
• If a private vehicle is used, mileage will be reimbursed using the mileage rate set by the IRS. The most direct route is the standard for determining total mileage.
• Mileage for 2 wheel drive vehicles will be at the current rate found at www.gsa.gov. The rate for 2016 is $0.54.
• Mileage for 4 wheel drive vehicles will be $0.78 when required by the City of Fort Collins.

Extraordinary Cost
• Prior authorization required.
Expenses Not Allowed
• Liquor, movies, or entertainment (including in-room movies);
• Sporting events;
• Laundry, dry-cleaning or shoe repair;
• Personal phone calls, including connection and long-distance fees;
• Computer connections (unless required for City business);
• Other personal expenses not directly related to City business;
• Convenience charges;
• Rescheduling Airline Charges not related to City requirements.
• Excessive meal tip amounts generally over 20%;
• Delivery fees shall not exceed 10% of the total bill, if not already included;
• Hotel Cleaning Tips;
• Extra Baggage for one day trips;
• Air Travel (when local);
• Items that are supplied by the City.

Time Frame for Reporting
• Per contract (every 30 days).

Reference: The Federal GSA guidelines for Fort Collins are $109/day for hotel and $59 for meals and incidentals (M&IE). (Incidentals are defined as 1) fees and tips given to porters, baggage carriers, bellhops, hotel maids, stewards or stewardesses, and 2) transportation between places of lodging or business and places where meals are taken). Hotel taxes (i.e. lodging taxes) are not covered by per diem and are expensed as a separate line item. The M&IE is further broken down by:
• Breakfast: $13
• Lunch: $15
• Dinner: $26
• Incidentals: $5
Federal guidelines further provide for the use of 75% of the M&IE rate for travel days, i.e. $44.25 for Fort Collins.

EXHIBIT E
NON-DISCLOSURE AGREEMENT

THIS NON-DISCLOSURE AGREEMENT (“Agreement”) made and entered into by and between the City of Fort Collins, a municipal corporation (“City”) and (“Professional”) (collectively, the “Parties”).

WITNESSETH

WHEREAS, the Parties desire to assure the confidential and/or proprietary status of the information which may be disclosed to each other in connection with their discussions relating to the RFP/Project/Scope of Work .
NOW, THEREFORE, in consideration of terms and covenants contained herein, the Parties agree as follows:

1. Definitions. For purposes of this Agreement, the party who owns the confidential information and is disclosing same shall be referenced as the “Disclosing Party.” The party receiving the Disclosing Party’s confidential information shall be referenced as the “Receiving Party.”

2. Confidential Information. Confidential Information controlled by this Agreement refers to information which is not public and/or is proprietary and includes by way of example, but without limitation, City customer information, utility data, service billing records, customer equipment information, location information, network security system, business plans, formulae, processes, intellectual property, trade secrets, designs, photographs, plans, drawings, schematics, methods, specifications, samples, reports, mechanical and electronic design drawings, customer lists, financial information, studies, findings, inventions, and ideas. To the extent practical, Confidential Information shall be marked “Confidential” or “Proprietary.” Nevertheless, Professional shall treat as Confidential Information all customer identifiable information in any form, whether or not bearing a mark of confidentiality or otherwise requested by the City, including but not limited to account, address, billing, consumption, contact and other customer data. In the case of disclosure in non-documentary form of non-customer identifiable information, made orally or by visual inspection, the Disclosing Party shall have the right, or, if requested by the Receiving Party, the obligation to confirm in writing the fact and general nature of each disclosure within a reasonable time after it is made in order that it is treated as Confidential Information.
Any information disclosed to the other party prior to the execution of this Agreement and related to the services for which Professional has been engaged shall be considered in the same manner and be subject to the same treatment as the information disclosed after the execution of this Agreement with regard to protecting it as Confidential Information.

3. Use of Confidential Information. Receiving Party hereby agrees that it shall use the Confidential Information solely for the purpose of performing its obligations under this Agreement and not in any way detrimental to Disclosing Party. Receiving Party agrees to use the same degree of care Receiving Party uses with respect to its own proprietary or confidential information, which in any event shall result in a reasonable standard of care to prevent unauthorized use or disclosure of the Confidential Information. Except as otherwise provided herein, Receiving Party shall keep confidential and not disclose the Confidential Information. The City and Professional shall cause each of their directors, officers, employees, agents, representatives, and subcontractors to become familiar with, and abide by, the terms of this section, which shall survive this Agreement as an on-going obligation of the Parties. The Professional shall not use such information to obtain any economic or other benefit for itself, or any third party.

4. Exclusions from Definition.
The term “Confidential Information” as used herein does not include any data or information which is already known to the Receiving Party or which before being divulged by the Disclosing Party (1) was generally known to the public through no wrongful act of the Receiving Party; (2) has been rightfully received by the Receiving Party from a third party without restriction on disclosure and without, to the knowledge of the Receiving Party, a breach of an obligation of confidentiality; (3) has been approved for release by a written authorization by the other party hereto; or (4) has been disclosed pursuant to a requirement of a governmental agency or by operation of law. 5. Required Disclosure. If the Receiving Party is required (by interrogatories, requests for information or documents, subpoena, civil investigative demand or similar process, or by federal, state, or local law, including without limitation, the Colorado Open Records Act) to disclose any Confidential Information, the Parties agree the Receiving Party will provide the Disclosing Party with prompt notice of such request, so the Disclosing Party may seek an appropriate protective order or waive the Receiving Party’s compliance with this Agreement. The Receiving Party shall furnish a copy of this Agreement with any disclosure. 6. Notwithstanding paragraph 5, Professional shall not disclose any such Confidential Information to any person, directly or indirectly, nor use it in any way, except as required or authorized in writing by the City. 7. Confidential Information is not to be stored on any local workstation, laptop, or media such as CD/DVD, USB drives, external hard drives or other similar portable devices unless the Professional can ensure security for the Confidential Information so stored. Work stations or laptops to be used in the Work will be required to have personal firewalls on each, as well as have current, active anti-virus definitions. 8. 
The Agreement not to disclose Confidential Information as set forth in this document shall apply during the term of the project and at any time thereafter unless specifically authorized by the City in writing.

9. If Professional breaches this Agreement, in the City’s sole discretion, the City may immediately terminate this Agreement and withdraw Professional’s right to access Confidential Information.

10. Notwithstanding any other provision of this Agreement, all material, i.e., various physical forms of media in which Confidential Information is contained, including but not limited to writings, drawings, tapes, diskettes, prototypes or products, shall remain the sole property of the Disclosing Party and, upon request, shall be promptly returned, together with all copies thereof to the Disclosing Party. Upon such return of physical records, all digital and electronic data shall also be deleted in a non-restorable way by which it is no longer available to the Receiving Party. Written verification of the deletion (including date of deletion) is to be provided to the Disclosing Party within ten (10) days after completion of engagement, whether it be via termination, completion or otherwise.

11. Professional acknowledges that the City may, based upon the representations made in this Agreement, disclose security information that is critical to the continued success of the City’s business. Accordingly, Professional agrees that the City does not have an adequate remedy at law for breach of this Agreement and therefore, the City shall be entitled, as a non-exclusive remedy, and in addition to an action for damages, to seek and obtain an injunction or decree of specific performance or any other remedy, from a court of competent jurisdiction to enjoin or remedy any violation of this Agreement.

12.
No act of omission or commission of either the City or Professional, including without limitation, any failure to exercise any right, remedy, or recourse, shall be deemed to be a waiver, release, or modification of the same. Such a waiver, release, or modification is to be effected only through a written modification to this Agreement. 13. Neither party shall assign any of its rights, privileges or obligations under this Agreement to any third party without prior written consent of the other party. 14. This Agreement is to be construed in accordance with the laws of the State of Colorado. Venue and jurisdiction for any cause of action or claim asserted by either party hereto shall be in the District Court of Larimer County, Colorado.