Solutions Simplified; 2021-11-09
City Attorney Approved Version 6/12/18
AGREEMENT FOR MANDIANT CONSULTING SERVICES SOLUTIONS SIMPLIFIED
THIS AGREEMENT is made and entered into as of the ______________ day of _________________________, 2021, by and between the CITY OF CARLSBAD, a municipal corporation, ("City"), and Solutions Simplified, a California corporation, ("Contractor").
RECITALS A. City requires the professional services of a consultant that is experienced in FireEye (Mandiant) external penetration testing. B. Contractor has the necessary experience in providing professional services and advice related to external penetration testing. C. Contractor has submitted a proposal to City and has affirmed its willingness and ability to perform such work.
NOW, THEREFORE, in consideration of these recitals and the mutual covenants contained herein, City and Contractor agree as follows: 1. SCOPE OF WORK City retains Contractor to perform, and Contractor agrees to render, those services (the "Services") that are defined in attached Exhibit "A", which is incorporated by this reference in
accordance with this Agreement’s terms and conditions. 2. STANDARD OF PERFORMANCE While performing the Services, Contractor will exercise the reasonable professional care and skill customarily exercised by reputable members of Contractor's profession practicing in the Metropolitan Southern California Area, and will use reasonable diligence and best judgment while exercising its professional skill and expertise. 3. TERM The term of this Agreement will be effective for a period of one (1) year from the date first above written. The Assistant City Manager may amend the Agreement to extend it for one (1) additional one (1) year period or parts thereof. Extensions will be based upon a satisfactory review of Contractor's performance, City needs, and appropriation of funds by the City Council. The parties will prepare a written amendment indicating the effective date and length of the extended
Agreement. 4. TIME IS OF THE ESSENCE
Time is of the essence for each and every provision of this Agreement. 5. COMPENSATION
The total fee payable for the Services to be performed during the initial Agreement term will be forty thousand eight hundred thirty-seven dollars and fifty cents ($40,837.50). No other compensation for the Services will be allowed except for items covered by subsequent amendments to this Agreement. If the City elects to extend the Agreement, the amount shall not exceed forty thousand eight hundred thirty-seven dollars and fifty cents ($40,837.50) per Agreement year. The City reserves the right to withhold a ten percent (10%) retention until City
has accepted the work and/or Services specified in Exhibit "A". Incremental payments, if applicable, should be made as outlined in attached Exhibit "A".
DocuSign Envelope ID: FC37846A-F33C-4D70-9F17-8BAC2AFA83A8
9th
November
6. STATUS OF CONTRACTOR Contractor will perform the Services in Contractor's own way as an independent contractor and
in pursuit of Contractor's independent calling, and not as an employee of City. Contractor will be under control of City only as to the result to be accomplished, but will consult with City as necessary. The persons used by Contractor to provide services under this Agreement will not be considered employees of City for any purposes. The payment made to Contractor pursuant to the Agreement will be the full and complete compensation to which Contractor is entitled. City will not make any federal or state tax withholdings on behalf of Contractor or its agents, employees or subcontractors. City will not be required to pay any workers' compensation insurance or unemployment contributions on behalf of Contractor or its employees or subcontractors. Contractor agrees to indemnify City within thirty (30) days for any tax, retirement contribution, social security, overtime payment, unemployment payment or workers' compensation payment which City may be required to make on behalf of Contractor or any agent, employee, or subcontractor of Contractor for work done under this Agreement. At the City’s election, City may deduct the indemnification amount from any balance
owing to Contractor. 7. SUBCONTRACTING
Contractor will not subcontract any portion of the Services without prior written approval of City. If Contractor subcontracts any of the Services, Contractor will be fully responsible to City for the acts and omissions of Contractor's subcontractor and of the persons either directly or indirectly
employed by the subcontractor, as Contractor is for the acts and omissions of persons directly employed by Contractor. Nothing contained in this Agreement will create any contractual relationship between any subcontractor of Contractor and City. Contractor will be responsible for payment of subcontractors. Contractor will bind every subcontractor and every subcontractor of a subcontractor by the terms of this Agreement applicable to Contractor's work unless specifically noted to the contrary in the subcontract and approved in writing by City. Solutions Simplified is approved to subcontract with FireEye, Inc dba Mandiant. 8. CONFIDENTIALITY The Contractor agrees to the terms defined in the confidentiality provisions in attached Exhibit “B”. 9. OTHER CONTRACTORS The City reserves the right to employ other Contractors in connection with the Services.
10. INDEMNIFICATION Contractor agrees to indemnify and hold harmless the City and its officers, officials, employees
and volunteers from and against all claims, damages, losses and expenses including attorneys' fees arising out of the performance of the work described herein caused by any negligence, recklessness, or willful misconduct of the Contractor, any subcontractor, anyone directly or
indirectly employed by any of them or anyone for whose acts any of them may be liable. The parties expressly agree that any payment, attorney’s fee, costs or expense City incurs or makes to or on behalf of an injured employee under the City’s self-administered workers’ compensation is included as a loss, expense or cost for the purposes of this section, and that this section will survive the expiration or early termination of this Agreement.
11. INSURANCE
Contractor will obtain and maintain for the duration of the Agreement and any and all amendments, insurance against claims for injuries to persons or damage to property which may
arise out of or in connection with performance of the services by Contractor or Contractor’s agents, representatives, employees or subcontractors. The insurance will be obtained from an
insurance carrier admitted and authorized to do business in the State of California. The insurance carrier is required to have a current Best's Key Rating of not less than "A-:VII"; OR with a surplus line insurer on the State of California’s List of Approved Surplus Line Insurers (LASLI) with a rating in the latest Best’s Key Rating Guide of at least “A:X”; OR an alien non-admitted insurer listed by the National Association of Insurance Commissioners (NAIC) latest quarterly listings report. 11.1 Coverage and Limits. Contractor will maintain the types of coverage and minimum limits indicated below, unless the Risk Manager or City Manager approves a lower amount. These minimum amounts of coverage will not constitute any limitations or cap on Contractor's indemnification obligations under this Agreement. City, its officers, agents and employees make no representation that the limits of the insurance specified to be carried by Contractor pursuant to this Agreement are adequate to protect Contractor. If Contractor believes that any required insurance coverage is inadequate, Contractor will obtain such additional insurance coverage, as Contractor deems adequate, at
Contractor's sole expense. The full limits available to the named insured shall also be available and applicable to the City as an additional insured.
11.1.1 Commercial General Liability (CGL) Insurance. Insurance written on an “occurrence” basis, including personal & advertising injury, with limits no less than $2,000,000 per occurrence. If a general aggregate limit applies, either the general aggregate limit shall apply
separately to this project/location or the general aggregate limit shall be twice the required occurrence limit. 11.1.2 Automobile Liability. (if the use of an automobile is involved for Contractor's work for City). $2,000,000 combined single-limit per accident for bodily injury and property damage. 11.1.3 Workers' Compensation and Employer's Liability. Workers' Compensation limits as required by the California Labor Code. Workers' Compensation will not be required if Contractor has no employees and provides, to City's satisfaction, a declaration stating this. 11.1.4 Professional Liability. Errors and omissions liability appropriate to Contractor’s profession with limits of not less than $1,000,000 per claim. Coverage must be maintained for a period of five years following the date of completion of the work. 11.2 Additional Provisions. Contractor will ensure that the policies of insurance required under
this Agreement contain, or are endorsed to contain, the following provisions: 11.2.1 The City will be named as an additional insured on Commercial General Liability
which shall provide primary coverage to the City. 11.2.2 Contractor will obtain occurrence coverage, excluding Professional Liability, which
will be written as claims-made coverage. 11.2.3 This insurance will be in force during the life of the Agreement and any extensions of it and will not be canceled without thirty (30) days prior written notice to City sent by certified mail pursuant to the Notice provisions of this Agreement.
11.3 Providing Certificates of Insurance and Endorsements. Prior to City's execution of this Agreement, Contractor will furnish certificates of insurance and endorsements to City.
11.4 Failure to Maintain Coverage. If Contractor fails to maintain any of these insurance coverages, then City will have the option to declare Contractor in breach, or may purchase
replacement insurance or pay the premiums that are due on existing policies in order to maintain the required coverages. Contractor is responsible for any payments made by City to obtain or maintain insurance and City may collect these payments from Contractor or deduct the amount paid from any sums due Contractor under this Agreement. 11.5 Submission of Insurance Policies. City reserves the right to require, at any time, complete and certified copies of any or all required insurance policies and endorsements. 12. BUSINESS LICENSE Contractor will obtain and maintain a City of Carlsbad Business License for the term of the Agreement, as may be amended from time-to-time. 13. ACCOUNTING RECORDS Contractor will maintain complete and accurate records with respect to costs incurred under this
Agreement. All records will be clearly identifiable. Contractor will allow a representative of City during normal business hours to examine, audit, and make transcripts or copies of records and any other documents created pursuant to this Agreement. Contractor will allow inspection of all
work, data, documents, proceedings, and activities related to the Agreement for a period of three (3) years from the date of final payment under this Agreement. 14. OWNERSHIP OF DOCUMENTS All work product produced by Contractor or its agents, employees, and subcontractors pursuant to this Agreement is the property of City. In the event this Agreement is terminated, all work product produced by Contractor or its agents, employees and subcontractors pursuant to this Agreement will be delivered at once to City. Contractor will have the right to make one (1) copy of the work product for Contractor’s records. 15. COPYRIGHTS
Contractor agrees that all copyrights that arise from the services will be vested in City and Contractor relinquishes all claims to the copyrights in favor of City.
16. NOTICES The name of the persons who are authorized to give written notice or to receive written notice on
behalf of City and on behalf of Contractor under this Agreement.
For City
Name: Maria Callander
Title: IT Director
Department: Information Technology
City of Carlsbad
Address: 1635 Faraday Ave, Carlsbad, CA 92008
Phone No.: 760.602.2454
For Contractor
Name: Rachel DaValle
Title: President
Address: 3626 Fair Oaks Blvd. Suite 100, Sacramento, CA 95864
Phone No.: 530.21.0576
Email: Rachel.davalle@solutionssimplified.net
Each party will notify the other immediately of any changes of address that would require any notice or delivery to be directed to another address.
17. CONFLICT OF INTEREST
Contractor shall file a Conflict of Interest Statement with the City Clerk in accordance with the requirements of the City of Carlsbad Conflict of Interest Code. The Contractor shall report investments or interests in all categories. Yes No 18. GENERAL COMPLIANCE WITH LAWS Contractor will keep fully informed of federal, state and local laws and ordinances and regulations which in any manner affect those employed by Contractor, or in any way affect the performance
of the Services by Contractor. Contractor will at all times observe and comply with these laws, ordinances, and regulations and will be responsible for the compliance of Contractor's services with all applicable laws, ordinances and regulations.
Contractor will be aware of the requirements of the Immigration Reform and Control Act of 1986 and will comply with those requirements, including, but not limited to, verifying the eligibility for
employment of all agents, employees, subcontractors and consultants whose services are required by this Agreement. 19. DISCRIMINATION AND HARASSMENT PROHIBITED Contractor will comply with all applicable local, state and federal laws and regulations prohibiting discrimination and harassment. 20. DISPUTE RESOLUTION If a dispute should arise regarding the performance of the Services the following procedure will be used to resolve any questions of fact or interpretation not otherwise settled by agreement between the parties. Representatives of Contractor or City will reduce such questions, and their respective views, to writing. A copy of such documented dispute will be forwarded to both parties involved along with recommended methods of resolution, which would be of benefit to both parties. The representative receiving the letter will reply to the letter along with a recommended
method of resolution within ten (10) business days. If the resolution thus obtained is unsatisfactory to the aggrieved party, a letter outlining the disputes will be forwarded to the City Manager. The
City Manager will consider the facts and solutions recommended by each party and may then opt to direct a solution to the problem. In such cases, the action of the City Manager will be binding
upon the parties involved, although nothing in this procedure will prohibit the parties from seeking remedies available to them at law. 21. TERMINATION In the event of the Contractor's failure to prosecute, deliver, or perform the Services, City may terminate this Agreement for nonperformance by notifying Contractor by certified mail of the termination. If City decides to abandon or indefinitely postpone the work or services contemplated by this Agreement, City may terminate this Agreement upon written notice to Contractor. Upon notification of termination, Contractor has five (5) business days to deliver any documents owned by City and all work in progress to City address contained in this Agreement. City will make a determination of fact based upon the work product delivered to City and of the percentage of work that Contractor has performed which is usable and of worth to City in having the Agreement completed. Based upon that finding City will determine the final payment of the Agreement.
Either party upon tendering thirty (30) days written notice to the other party may terminate this Agreement. In this event and upon request of City, Contractor will assemble the work product and put it in order for proper filing and closing and deliver it to City. Contractor will be paid for work
performed to the termination date; however, the total will not exceed the lump sum fee payable under this Agreement. City will make the final determination as to the portions of tasks completed and the compensation to be made.
22. COVENANTS AGAINST CONTINGENT FEES Contractor warrants that Contractor has not employed or retained any company or person, other than a bona fide employee working for Contractor, to solicit or secure this Agreement, and that Contractor has not paid or agreed to pay any company or person, other than a bona fide employee, any fee, commission, percentage, brokerage fee, gift, or any other consideration contingent upon, or resulting from, the award or making of this Agreement. For breach or violation of this warranty, City will have the right to annul this Agreement without liability, or, in its discretion, to deduct from the Agreement price or consideration, or otherwise recover, the full amount of the fee, commission, percentage, brokerage fees, gift, or contingent fee. 23. CLAIMS AND LAWSUITS By signing this Agreement, Contractor agrees that any Agreement claim submitted to City must be asserted as part of the Agreement process as set forth in this Agreement and not in anticipation
of litigation or in conjunction with litigation. Contractor acknowledges that if a false claim is submitted to City, it may be considered fraud and Contractor may be subject to criminal prosecution. Contractor acknowledges that California Government Code sections 12650 et seq.,
the False Claims Act, applies to this Agreement and provides for civil penalties where a person knowingly submits a false claim to a public entity. These provisions include false claims made with deliberate ignorance of the false information or in reckless disregard of the truth or falsity of
information. If City seeks to recover penalties pursuant to the False Claims Act, it is entitled to recover its litigation costs, including attorney's fees. Contractor acknowledges that the filing of a false claim may subject Contractor to an administrative debarment proceeding as the result of which Contractor may be prevented from acting as a Contractor on any public work or improvement for a period of up to five (5) years. Contractor acknowledges debarment by another jurisdiction is grounds for City to terminate this Agreement. 24. JURISDICTION AND VENUE
Any action at law or in equity brought by either of the parties for the purpose of enforcing a right or rights provided for by this Agreement will be tried in a court of competent jurisdiction in the
County of San Diego, State of California, and the parties waive all provisions of law providing for a change of venue in these proceedings to any other county.
25. SUCCESSORS AND ASSIGNS It is mutually understood and agreed that this Agreement will be binding upon City and Contractor and their respective successors. Neither this Agreement nor any part of it nor any monies due or to become due under it may be assigned by Contractor without the prior consent of City, which shall not be unreasonably withheld. 26. ENTIRE AGREEMENT
This Agreement, together with any other written document referred to or contemplated by it, along with the purchase order for this Agreement and its provisions, embody the entire Agreement and understanding between the parties relating to the subject matter of it. In case of conflict, the terms of the Agreement supersede the purchase order. Neither this Agreement nor any of its provisions may be amended, modified, waived or discharged except in a writing signed by both parties.
27. AUTHORITY The individuals executing this Agreement and the instruments referenced in it on behalf of
Contractor each represent and warrant that they have the legal power, right and actual authority to bind Contractor to the terms and conditions of this Agreement. CONTRACTOR CITY OF CARLSBAD, a municipal corporation of the State of California
By: By:
(sign here) Assistant City Manager
(print name/title)
ATTEST:
By:
(sign here) FAVIOLA MEDINA
City Clerk Services Manager
(print name/title)
If required by City, proper notarial acknowledgment of execution by contractor must be attached. If a corporation, Agreement must be signed by one corporate officer from each of the following two groups.
Group A: Chairman, President, or Vice-President
Group B: Secretary, Assistant Secretary, CFO or Assistant Treasurer
Otherwise, the corporation must attach a resolution certified by the secretary or assistant secretary under corporate seal empowering the officer(s) signing to bind the corporation.
APPROVED AS TO FORM:
CELIA A. BREWER, City Attorney
BY: _____________________________ Assistant City Attorney
President Rachel DeValle
Financial Controller Lauren Koegel
for
EXHIBIT “A”
SCOPE OF SERVICES
This Statement of Work is valid when the order from the applicable reseller is received before November 15, 2021.
Description of Services
Mandiant agrees to provide services (“Services”) as set forth below.
External Penetration Test
The External Penetration Test aims to assess the security strength of Internet accessible systems, services, and applications as defined in the scope of work. Mandiant will enumerate all accessible systems and services, which may include significant, publicly accessible cloud infrastructure like Office 365 or G Suite, within the
defined scope parameters. Mandiant will then proceed to identify and validate vulnerable or misconfigured systems, services, and applications. Mandiant will perform limited testing against exposed applications, which may include hosted web applications, but they will not be comprehensively assessed for all possible
vulnerabilities, focusing instead on critical vulnerabilities.
Mandiant will then attempt to gain remote access to the Customer environment or an externally accessible, authenticated Customer service by any in-scope means not explicitly stated as off limits or potentially harmful to the environment. Mandiant will also
attempt to authenticate to any significant, publicly accessible cloud infrastructure or
other publicly accessible authentication portals using password guessing and password stuffing attacks. Mandiant will make note of any changes made to the environment (such as account
creation or modification) and inform Customer. Mandiant will use a combination of
internally developed tools and scripts in addition to open source and commercial tools.
Internal Penetration Test
The Internal Penetration Test aims to assess the ability of an unprivileged user, or an attacker, that gained initial access to Customer’s environment, to operate unhindered
throughout the environment. Mandiant follows a standard methodology that consists of environmental reconnaissance, privilege escalation, lateral movement, and, in some cases, vulnerability exploitation in order to accomplish the pre-defined objectives. Mandiant will attempt to use compromised systems and services to exploit other systems in Customer’s environment in order to test the depth of network defenses.
Mandiant will then attempt to accomplish the pre-defined objectives by any in-scope means not explicitly stated as off limits or potentially harmful to the environment. These objectives could include, but are not limited to, compromise of the domain, theft of email, or proof of access to sensitive data, such as payroll, intellectual property,
Personally Identifiable Information (PII), or Personal Health Information (PHI).
Mandiant will make note of any changes made to the environment (such as account
creation or modification) and inform Customer. Mandiant will use a combination of
internally developed tools and scripts in addition to open source and commercial tools.
Deliverables
Proactive Services Deliverables
The following Deliverables will be produced for these Services:
• Regular Status Reporting - Mandiant will provide regular status reporting that summarizes activities completed, significant findings, issues requiring attention and plans for the next reporting period.
• Penetration Test Report - Mandiant will provide a detailed written summary for each phase of the assessment. This typically includes an executive summary, key findings, the methodologies followed, and detailed findings. Each finding includes an explanation of the systemic cause, risk rating, and detailed remediation steps.
Any other reports (including intelligence reports), presentations, materials or other
written information provided by Mandiant as a result of the Services are Mandiant IP and will not be considered “Deliverables” as defined in the Agreement.
Schedule and Staffing
The scheduling of Services under this SOW will be as mutually agreed to by all parties.
The Services under this SOW will be provided within the twelve (12) month period from the SOW Effective Date.
TASK / EXPECTED TIMING

0 External Penetration Test (Expected timing: 1 Week)
• Security assessment of Customer Internet accessible systems
• Includes discovery of live hosts within IP address ranges of up to 265 possible IP addresses
• Includes penetration testing activities on up to 50 live, Internet accessible systems as provided by Customer
• Does not include a comprehensive vulnerability assessment of every system, reassessment, or remediation validation
• All External Penetration Testing activities are estimated/anticipated to take a total of 5 consultant-days of work
• Performed without restrictions on the days and times when testing can occur
• Performed remotely

1.2 Internal Penetration Test (Expected timing: 1 Week)
• Security assessment of the Customer internal corporate network by simulating an attack by an internal user or a compromised user workstation
• Includes targeting of up to 3 objectives provided by Customer at the start of the test
• Does not include a comprehensive security assessment of custom web applications identified on assessed systems
• Does not include a comprehensive vulnerability assessment of customer systems, reassessment, or remediation validation
• Testing is not intended to avoid detection by Customer network defenses
• All Internal Penetration Test activities are anticipated to take a total of 10 consultant-days of work
• Performed without restrictions on the days and times when testing can occur
• Performed remotely from Mandiant’s offices
  o Security exercise is performed on the Customer’s corporate network through a laptop/VM deployed onsite, with Customer providing VPN access to the internal environment, or by a Customer employee executing a Mandiant payload on a Customer corporate workstation

Total Services Fees: 2 Week
Report Development: 1 Week
Total: 3 Weeks
Services Fees
Customer agrees to pay the services fees as quoted to Customer by the applicable reseller. All fees are non-cancelable and non-refundable. Customer agrees that this SOW and the Agreement represent the complete, final, and exclusive terms and conditions governing the Services.
Technology Fees
Technology Fees are not anticipated for this engagement.
Assumptions
1. All work activities will be performed without day and time restrictions.
2. If compromised computer systems are identified during the engagement, incident response activities may be conducted pursuant to a separate SOW.
3. If any factor outside Mandiant’s control, including those caused by Customer or Customer requirements (such as requirements to refrain from operating technology during specific times), causes delays in implementing technology needed for Mandiant to perform the Services or cause Services to take longer than expected, then notwithstanding any fixed fees, Customer will be invoiced for technology fees for the period of any such delays.
4. Estimated professional fees do not include any hardware, software, licensing, maintenance, or support costs of any Mandiant or other third-party product or service suggested by Mandiant as we conduct the activities outlined within this SOW.
5. Mandiant will provide Deliverables to Customer throughout this engagement. Draft Deliverables are considered final upon confirmation from Customer (written or oral) or ten business days after their submission date from Mandiant to Customer, whichever is earlier.
6. When Mandiant’s personnel are performing Services on site at Customer’s premises, Customer will allocate appropriate working space and physical access for all Mandiant assigned personnel.
7. Customer represents that all information provided is true and accurate and that Customer owns or is authorized to represent the owners of the systems, facilities, and/or devices described in connection with the services. Customer represents that it has obtained all permissions necessary for Mandiant to perform the services described herein. Customer will hold Mandiant harmless against any claims, disputes, or issues arising or related to foregoing representations.
8. Customer will make available key individuals that can best help plan operations around security event monitoring, analysis, threat intelligence, and incident response.
9. Any changes to the scope of Services or this SOW must be mutually agreed upon in writing by all parties.
Additional Security Testing Terms and Conditions
1. As a part of the testing, Mandiant may, among other things, (a) scan Customer’s network and systems for ports, services and other entry points that can be exploited; and (b) probe those entry points in an effort to gain access to Customer’s network and systems in an effort to determine the severity of the vulnerability.
2. CUSTOMER UNDERSTANDS THAT, ALTHOUGH MANDIANT TAKES PRECAUTIONS TO AVOID DAMAGE TO CUSTOMER’S NETWORK AND SYSTEMS, DISRUPTIONS, OUTAGES AND/OR DATA LOSS MAY OCCUR AS A RESULT OF THE TESTING. Customer represents and warrants that all systems on its network or otherwise accessible during the test have been backed up, and that any data loss or other damage caused by the penetration testing can be easily and quickly reversed.
3. Customer will provide to Mandiant certain information required for performing its tests, including a description and location (e.g., an IP address) of the systems and networks to be tested. Customer represents and warrants that all information provided is true and accurate and that Customer owns or is authorized to represent the owners of the systems and networks described in connection with the penetration testing.
4. Customer may inform all or a selected group of its employees, contractors, and other third parties about the testing to be undertaken by Mandiant. If Customer decides not to inform anyone of the testing, Customer understands that people may spend time and money on behalf of Customer in detecting, blocking, investigating or responding to activities of Mandiant. IN LIGHT OF THE POSSIBILITY THAT SUCH ACTIONS MAY BE TAKEN AND EXPENDITURES MAY OCCUR, CUSTOMER SHOULD CONSULT WITH CUSTOMER’S LEGAL COUNSEL AND/OR A MEMBER OF EXECUTIVE MANAGEMENT PRIOR TO ANY SUCH ZERO KNOWLEDGE ENGAGEMENTS. Customer may also want to consider contacting such third-party service providers as Customer’s telecommunications carrier to alert them to the testing.
5. User data contained on systems that are being tested may be accessible to Mandiant and Mandiant may download portions of such data (e.g., as proof of access).
6. At any point during the testing, either party may pause or stop the test. Should the testing be terminated, a rationale for such termination shall be provided by the party requesting such termination and such rationale shall be clearly documented.
Contact Information
Customer will provide Mandiant with points of contact information in the following table:
Business Line Contact
Name: Hendra Gunawan
Title: IT Dept Security Manager
Email: Hendra.Gunawan@carlsbadca.gov
Phone: 760.331.9847
Street: 1635 Faraday Ave
City: Carlsbad
State: CA
Zip: 92008
Payables Contact
Name: Brent Gerber
Title: IT Dept Senior Management Analyst
Email: Brent.Gerber@Carlsbadca.gov
Phone: 760.602.2498
Street: 1635 Faraday Ave
City: Carlsbad
State: CA
Zip: 92008
EXHIBIT “B”
CONFIDENTIALITY
1. In connection with the work to be performed under this Agreement (the "Purpose"), City may disclose to Contractor, or Contractor may otherwise receive access to, Confidential Information (as defined below). Contractor shall use the Confidential Information solely for the Purpose and, subject to Section 3, shall not disclose or permit access to Confidential Information other than to its officers, employees, or agents, including approved subcontractors (collectively, "Representatives") who: (a) need to know such Confidential Information for the Purpose; (b) know of the existence and terms of this Agreement; and (c) are bound by confidentiality obligations no less protective of the Confidential Information than the terms contained in the Agreement. Contractor shall safeguard the Confidential Information from unauthorized use, access, or disclosure using at least the degree of care it uses to protect its most sensitive information and no less than a reasonable degree of care. Contractor shall promptly notify City of any unauthorized use or disclosure of Confidential Information and take all reasonable steps to prevent further use or disclosure. Contractor will be responsible for any breach of this Agreement caused by its Representatives.
2. "Confidential Information" means all non-public, proprietary, or confidential information, including, but not limited to, any trade secrets of City, in oral, visual, written, electronic, or other tangible or intangible form, whether or not marked or designated as "confidential," and all notes, analyses, summaries, and other materials prepared by Contractor or any of its Representatives that contain, are based on, or otherwise reflect, to any degree, any of the foregoing ("Notes"); provided, however, that Confidential Information does not include any information that: (a) is or becomes generally available to the public other than as a result of Contractor's or its Representatives' act or omission; (b) is obtained by Contractor or its Representatives on a non-confidential basis from a third party that was not legally or contractually restricted from disclosing such information; (c) was in Contractor's or its Representatives' possession, as established by documentary evidence, before City's disclosure under the Agreement; or (d) was or is independently developed by Contractor or its Representatives, as established by documentary evidence, without using any Confidential Information.
3. If Contractor or any of its Representatives is required by applicable law or a valid legal order to disclose any Confidential Information, Contractor shall, before such disclosure, notify City of such requirements so that City may seek a protective order or other remedy, and Contractor shall reasonably assist City in such effort. If Contractor remains legally compelled to make such disclosure, it shall: (a) only disclose that portion of the Confidential Information that, in the written opinion of its legal counsel, Contractor is required to disclose; and (b) use reasonable efforts to ensure that such Confidential Information is afforded confidential treatment.
4. On the expiration of this Agreement or otherwise at City's request, Contractor shall promptly, at City's option, either return to City or destroy all Confidential Information in its and its Representatives' possession other than Notes, and destroy all Notes, and certify in writing to City the destruction of such Confidential Information.
5. City provides all Confidential Information without any representation or warranty, expressed or implied, as to the accuracy or completeness of it, and City will have no liability to Contractor or any other person relating to Contractor's use of any of the Confidential Information or any errors in it or omissions from it.
6. City retains its entire right, title, and interest in and to all Confidential Information, and no disclosure of Confidential Information under this Agreement will be construed as a license, assignment, or other transfer of any such right, title, and interest to Contractor or any other person.
7. The rights and obligations of the parties under this Agreement expire 5 years after the Effective Date of the Agreement or the completion of the Purpose, whichever is later; provided that with respect to Confidential Information that is a trade secret under the laws of any jurisdiction, such rights and obligations will survive such expiration until, if ever, such Confidential Information loses its trade secret protection other than due to an act or omission of Contractor or its Representatives.
8. Contractor acknowledges and agrees that any breach of the confidentiality provisions of
this Agreement will cause irreparable harm and injury to City for which money damages would be an inadequate remedy and that, in addition to remedies at law, City is entitled to equitable relief as a remedy
for any such breach.
CONFIDENTIALITY AGREEMENT
This CONFIDENTIALITY AGREEMENT ("Agreement"), dated as of the latest signature date below
("Effective Date"), is between the City of Carlsbad, a municipal corporation, and Mandiant, Inc.
(formerly FireEye, Inc.), a Delaware corporation (each a “party” and collectively the “parties”).
1. In connection with external and internal penetration testing of internet accessible
systems, services and applications (the "Purpose"), either party (“Disclosing Party”) may
disclose to the other party (“Recipient”) Confidential Information (as defined below). Recipient
shall use the Confidential Information solely for the Purpose and, subject to Section 3, shall not
disclose or permit access to Confidential Information other than to its officers or employees
(collectively, "Representatives") who: (a) need access to the Confidential Information for the
Purpose; (b) are informed of its confidential nature; and (c) are bound in writing by
confidentiality obligations no less protective of the Confidential Information than the terms
contained in the Agreement. Recipient shall safeguard the Confidential Information from
unauthorized use, access, or disclosure using at least the same degree of care it uses to protect
its most sensitive information and no less than a reasonable degree of care. Recipient shall
promptly notify Disclosing Party of any unauthorized use or disclosure of Confidential
Information and take all reasonable steps to prevent further use or disclosure. Recipient will be
responsible for any breach of this Agreement caused by its Representatives. Recipient agrees
to promptly notify Disclosing Party of any misuse, misappropriation, or unauthorized disclosure
of Disclosing Party’s confidential information that may come to Recipient’s attention.
2. "Confidential Information" means all non-public, proprietary, or confidential
information, including, but not limited to, any trade secrets of Disclosing Party, in oral, visual,
written, electronic, or other tangible or intangible form, whether or not marked or designated
as "confidential," and all notes, analyses, summaries, and other materials prepared by Recipient
or any of its Representatives that contain, are based on, or otherwise reflect, to any degree, any
of the foregoing ("Notes"); provided, however, that Confidential Information does not include
any information that: (a) is or becomes generally available to the public other than as a result of
Recipient's or its Representatives' act or omission; (b) is obtained by Recipient or its
Representatives on a non-confidential basis from a third party that was not legally or
contractually restricted from disclosing the information; (c) was in Recipient's or its
Representatives' possession, as established by documentary evidence, before Disclosing Party's
disclosure under the Agreement; or (d) was or is independently developed by Recipient or its
Representatives, as established by documentary evidence, without using any Confidential
Information.
3. If Recipient or any of its Representatives is required by applicable law or a valid
legal order to disclose any Confidential Information, Recipient shall, before such disclosure,
notify Disclosing Party of such requirements so that Disclosing Party may seek a protective
order or other remedy, and Recipient shall reasonably assist Disclosing Party in such effort. If
Recipient remains legally compelled to make such disclosure, it shall: (a) only disclose that
portion of the Confidential Information that, in the written opinion of its legal counsel,
Recipient is required to disclose; and (b) use reasonable efforts to ensure that such Confidential
Information is afforded confidential treatment.
4. On the expiration of this Agreement or otherwise at Disclosing Party's request,
Recipient shall promptly, at Disclosing Party's option, either return to Disclosing Party or
destroy all Confidential Information in its and its Representatives' possession, and destroy all
Notes, and certify in writing to Disclosing Party the destruction of such Confidential
Information. Recipient may retain copies of Confidential Information that are stored on
Recipient’s IT backup and disaster recovery systems until the ordinary course of deletion for the
stored information.
5. Disclosing Party has no obligation under this Agreement to (a) disclose any
Confidential Information or (b) negotiate for, enter into, or otherwise pursue the Purpose.
Disclosing Party provides all Confidential Information without any representation or warranty,
expressed or implied, as to the accuracy or completeness of it, and Disclosing Party will have no
liability to Recipient or any other person relating to Recipient's use of any of the Confidential
Information or any errors in it or omissions from it.
6. Disclosing Party retains its entire right, title, and interest in and to all
Confidential Information, and no disclosure of Confidential Information under the Agreement
will be construed as a license, assignment, or other transfer of any such right, title, and interest
to Recipient or any other person.
7. This Agreement shall govern disclosures between the parties for five years after
the Effective Date. Recipient shall protect Confidential Information under this Agreement for
five years after the receipt of it, provided that with respect to Confidential Information that is a
trade secret or otherwise required to be kept confidential under the laws of any jurisdiction,
such rights and obligations will survive such expiration until, if ever, such Confidential
Information loses its trade secret or other protection except due to an act or omission of
Recipient or its Representatives.
8. Recipient acknowledges and agrees that any breach of this Agreement will cause
irreparable harm and injury to Disclosing Party for which money damages would be an
inadequate remedy and that, in addition to remedies at law, Disclosing Party is entitled to seek
equitable relief as a remedy for any such breach. Recipient waives any claim or defense that
Disclosing Party has an adequate remedy at law in any such proceeding. Nothing in this
paragraph limits Disclosing Party’s available equitable or legal remedies.
9. This Agreement and all matters arising out of or relating to this Agreement,
whether sounding in contract, tort, or statute are governed by, and construed in accordance
with, the laws of the State of California. Venue for any action, litigation or proceeding arising
from or related to this Agreement shall be in the state courts in San Diego County.
10. The name of the persons who are authorized to give written notice or to receive
written notice on behalf of Disclosing Party and on behalf of the Recipient under this
Agreement are:
For Recipient For Disclosing Party
Name ________________________________ Name ___ Maria Callander _______________
Title __ VP Commercial, Legal _ Title __ IT Director _____________________
Department __ IT Department ____________
City of Carlsbad
Address 601 McCarthy Blvd
Milpitas, CA 95035
Address __1635 Faraday Ave _____________
__ Carlsbad, CA 92008 ___________
Phone _______________________________ Phone 760.602.2454___________________
Email ________________________________ Email __maria.callander@carlsbadca.gov _
11. This Agreement is the entire agreement of the parties regarding its subject
matter, and supersedes all prior and contemporaneous understandings, agreements,
representations, and warranties, whether written or oral, regarding such subject matter. This
Agreement may only be amended, modified, waived, or supplemented by an agreement in
writing signed by both parties.
(Remainder of page intentionally left blank)
408-321-4941
Joe Zuccaro
joe.zuccaro@mandiant.com
12. The individuals executing this Agreement on behalf of the Recipient represent
and warrant they have the legal power, right and actual authority to bind Recipient to the
terms and conditions of this Agreement.
Mandiant, Inc. CITY OF CARLSBAD
By: By:
(sign here) Assistant City Manager
(print name/title)
DATE:______________________________ ATTEST:
By:
(sign here) FAVIOLA MEDINA
City Clerk Services Manager
(print name/title)
DATE: DATE:
If required by City, proper notarial acknowledgment of execution by contractor must be
attached. If a corporation, Agreement must be signed by one corporate officer from each of the
following two groups.
Group A: Chairman, President, or Vice-President
Group B: Secretary, Assistant Secretary, CFO or Assistant Treasurer
Otherwise, the corporation must attach a resolution certified by the secretary or assistant
secretary under corporate seal empowering the officer(s) signing to bind the corporation.
APPROVED AS TO FORM:
CELIA A. BREWER, City Attorney
BY: _____________________________
Assistant City Attorney
Joe Zuccaro V.P. Commercial Legal, Americas
10/28/2021
for