Solutions Simplified; 2023-02-07

City Attorney Approved Version 6/12/18

AGREEMENT FOR CONSULTING SERVICES WITH SOLUTIONS SIMPLIFIED

THIS AGREEMENT is made and entered into as of the 7th day of February, 2023, by and between the CITY OF CARLSBAD, a municipal corporation, ("City"), and Solutions Simplified, a California corporation ("Contractor").

RECITALS

A. City requires the professional services of a consultant that is experienced in FireEye (Mandiant) external penetration testing.

B. Contractor has the necessary experience in providing professional services and advice related to external penetration testing.

C. Contractor has submitted a proposal to City and has affirmed its willingness and ability to perform such work.

NOW, THEREFORE, in consideration of these recitals and the mutual covenants contained herein, City and Contractor agree as follows:

1. SCOPE OF WORK

City retains Contractor to perform, and Contractor agrees to render, those services (the "Services") that are defined in attached Exhibit "A", which is incorporated by this reference in accordance with this Agreement's terms and conditions. In the event that there is a conflict between the terms of this Agreement and Exhibit "A", the terms of this Agreement will control.

2. STANDARD OF PERFORMANCE

While performing the Services, Contractor will exercise the reasonable professional care and skill customarily exercised by reputable members of Contractor's profession practicing in the Metropolitan Southern California Area, and will use reasonable diligence and best judgment while exercising its professional skill and expertise.

3. TERM

The term of this Agreement will be effective for a period of one (1) year from the date first above written. The City Manager or designee may amend the Agreement to extend it for one (1) additional one (1) year period or parts thereof.
Extensions will be based upon a satisfactory review of Contractor's performance, City needs, and appropriation of funds by the City Council. The parties will prepare a written amendment indicating the effective date and length of the extended Agreement.

4. TIME IS OF THE ESSENCE

Time is of the essence for each and every provision of this Agreement.

5. COMPENSATION

The total fee payable for the Services to be performed during the initial Agreement term will be Forty-Four Thousand Six Hundred Thirty Dollars ($44,630.00). No other compensation for the Services will be allowed except for items covered by subsequent amendments to this Agreement. If the City elects to extend the Agreement, the amount will be negotiated at the time of extension. The City reserves the right to withhold a ten percent (10%) retention until City has accepted the work and/or Services specified in Exhibit "A". Incremental payments, if applicable, should be made as outlined in attached Exhibit "A".

DocuSign Envelope ID: 02883EB9-9B5E-4BA3-BD3E-B2B89F6CA253

6. STATUS OF CONTRACTOR

Contractor will perform the Services in Contractor's own way as an independent contractor and in pursuit of Contractor's independent calling, and not as an employee of City. Contractor will be under control of City only as to the result to be accomplished, but will consult with City as necessary. The persons used by Contractor to provide services under this Agreement will not be considered employees of City for any purposes. The payment made to Contractor pursuant to the Agreement will be the full and complete compensation to which Contractor is entitled. City will not make any federal or state tax withholdings on behalf of Contractor or its agents, employees or subcontractors. City will not be required to pay any workers' compensation insurance or unemployment contributions on behalf of Contractor or its employees or subcontractors.
Contractor agrees to indemnify City within thirty (30) days for any tax, retirement contribution, social security, overtime payment, unemployment payment or workers' compensation payment which City may be required to make on behalf of Contractor or any agent, employee, or subcontractor of Contractor for work done under this Agreement. At the City's election, City may deduct the indemnification amount from any balance owing to Contractor.

7. SUBCONTRACTING

Contractor will not subcontract any portion of the Services without prior written approval of City. If Contractor subcontracts any of the Services, Contractor will be fully responsible to City for the acts and omissions of Contractor's subcontractor and of the persons either directly or indirectly employed by the subcontractor, as Contractor is for the acts and omissions of persons directly employed by Contractor. Nothing contained in this Agreement will create any contractual relationship between any subcontractor of Contractor and City. Contractor will be responsible for payment of subcontractors. Contractor will bind every subcontractor and every subcontractor of a subcontractor by the terms of this Agreement applicable to Contractor's work unless specifically noted to the contrary in the subcontract and approved in writing by City. Solutions Simplified is approved to subcontract with FireEye, Inc dba Mandiant.

8. CONFIDENTIALITY

The Contractor agrees to the terms defined in the Confidentiality Provisions in attached Exhibit "B", which is incorporated by this reference in accordance with this Agreement's terms and conditions.

9. OTHER CONTRACTORS

The City reserves the right to employ other Contractors in connection with the Services.

10. INDEMNIFICATION

Contractor agrees to indemnify and hold harmless the City and its officers, officials, employees and volunteers from and against all claims, damages, losses and expenses including attorneys' fees arising out of the performance of the work described herein caused by any negligence, recklessness, or willful misconduct of the Contractor, any subcontractor, anyone directly or indirectly employed by any of them or anyone for whose acts any of them may be liable. The parties expressly agree that any payment, attorney's fee, costs or expense City incurs or makes to or on behalf of an injured employee under the City's self-administered workers' compensation is included as a loss, expense or cost for the purposes of this section, and that this section will survive the expiration or early termination of this Agreement.

11. INSURANCE

Contractor will obtain and maintain for the duration of the Agreement and any and all amendments, insurance against claims for injuries to persons or damage to property which may arise out of or in connection with performance of the services by Contractor or Contractor's agents, representatives, employees or subcontractors. The insurance will be obtained from an insurance carrier admitted and authorized to do business in the State of California. The insurance carrier is required to have a current Best's Key Rating of not less than "A-:VII"; OR with a surplus line insurer on the State of California's List of Approved Surplus Line Insurers (LASLI) with a rating in the latest Best's Key Rating Guide of at least "A:X"; OR an alien non-admitted insurer listed by the National Association of Insurance Commissioners (NAIC) latest quarterly listings report.

11.1 Coverage and Limits. Contractor will maintain the types of coverage and minimum limits indicated below, unless the Risk Manager or City Manager approves a lower amount.
These minimum amounts of coverage will not constitute any limitations or cap on Contractor's indemnification obligations under this Agreement. City, its officers, agents and employees make no representation that the limits of the insurance specified to be carried by Contractor pursuant to this Agreement are adequate to protect Contractor. If Contractor believes that any required insurance coverage is inadequate, Contractor will obtain such additional insurance coverage, as Contractor deems adequate, at Contractor's sole expense. The full limits available to the named insured shall also be available and applicable to the City as an additional insured.

11.1.1 Commercial General Liability (CGL) Insurance. Insurance written on an "occurrence" basis, including personal & advertising injury, with limits no less than $2,000,000 per occurrence. If a general aggregate limit applies, either the general aggregate limit shall apply separately to this project/location or the general aggregate limit shall be twice the required occurrence limit.

11.1.2 Automobile Liability. (if the use of an automobile is involved for Contractor's work for City). $2,000,000 combined single-limit per accident for bodily injury and property damage.

11.1.3 Workers' Compensation and Employer's Liability. Workers' Compensation limits as required by the California Labor Code. Workers' Compensation will not be required if Contractor has no employees and provides, to City's satisfaction, a declaration stating this.

11.1.4 Professional Liability. Errors and omissions liability appropriate to Contractor's profession with limits of not less than $1,000,000 per claim. Coverage must be maintained for a period of five years following the date of completion of the work.

11.2 Additional Provisions. Contractor will ensure that the policies of insurance required under this Agreement contain, or are endorsed to contain, the following provisions:

11.2.1 The City will be named as an additional insured on Commercial General Liability which shall provide primary coverage to the City.

11.2.2 Contractor will obtain occurrence coverage, excluding Professional Liability, which will be written as claims-made coverage.

11.2.3 This insurance will be in force during the life of the Agreement and any extensions of it and will not be canceled without thirty (30) days prior written notice to City sent by certified mail pursuant to the Notice provisions of this Agreement.

11.3 Providing Certificates of Insurance and Endorsements. Prior to City's execution of this Agreement, Contractor will furnish certificates of insurance and endorsements to City.

11.4 Failure to Maintain Coverage. If Contractor fails to maintain any of these insurance coverages, then City will have the option to declare Contractor in breach, or may purchase replacement insurance or pay the premiums that are due on existing policies in order to maintain the required coverages. Contractor is responsible for any payments made by City to obtain or maintain insurance and City may collect these payments from Contractor or deduct the amount paid from any sums due Contractor under this Agreement.

11.5 Submission of Insurance Policies. City reserves the right to require, at any time, complete and certified copies of any or all required insurance policies and endorsements.

12. BUSINESS LICENSE

Contractor will obtain and maintain a City of Carlsbad Business License for the term of the Agreement, as may be amended from time-to-time.

13. ACCOUNTING RECORDS

Contractor will maintain complete and accurate records with respect to costs incurred under this Agreement. All records will be clearly identifiable.
Contractor will allow a representative of City during normal business hours to examine, audit, and make transcripts or copies of records and any other documents created pursuant to this Agreement. Contractor will allow inspection of all work, data, documents, proceedings, and activities related to the Agreement for a period of three (3) years from the date of final payment under this Agreement.

14. OWNERSHIP OF DOCUMENTS

All work product produced by Contractor or its agents, employees, and subcontractors pursuant to this Agreement is the property of City. In the event this Agreement is terminated, all work product produced by Contractor or its agents, employees and subcontractors pursuant to this Agreement will be delivered at once to City. Contractor will have the right to make one (1) copy of the work product for Contractor's records.

15. COPYRIGHTS

Contractor agrees that all copyrights that arise from the services will be vested in City and Contractor relinquishes all claims to the copyrights in favor of City.

16. NOTICES

The names of the persons who are authorized to give written notice or to receive written notice on behalf of City and on behalf of Contractor under this Agreement are as follows:

For City:
Name: Maria Callander
Title: IT Director
Department: Information Technology, City of Carlsbad
Address: 1635 Faraday Ave, Carlsbad, CA 92008
Phone No.: 760.602.2454

For Contractor:
Name: Rachel DaValle
Title: President
Address: 3626 Fair Oaks Blvd. Suite 100, Sacramento, CA 95864
Phone No.: 530.21.0576
Email: Rachel.davalle@solutionssimplified.net

Each party will notify the other immediately of any changes of address that would require any notice or delivery to be directed to another address.

17. CONFLICT OF INTEREST

Contractor shall file a Conflict of Interest Statement with the City Clerk in accordance with the requirements of the City of Carlsbad Conflict of Interest Code. The Contractor shall report investments or interests in all categories. Yes ☐ No ☐

18. GENERAL COMPLIANCE WITH LAWS

Contractor will keep fully informed of federal, state and local laws and ordinances and regulations which in any manner affect those employed by Contractor, or in any way affect the performance of the Services by Contractor. Contractor will at all times observe and comply with these laws, ordinances, and regulations and will be responsible for the compliance of Contractor's services with all applicable laws, ordinances and regulations. Contractor will be aware of the requirements of the Immigration Reform and Control Act of 1986 and will comply with those requirements, including, but not limited to, verifying the eligibility for employment of all agents, employees, subcontractors and consultants whose services are required by this Agreement.

19. DISCRIMINATION AND HARASSMENT PROHIBITED

Contractor will comply with all applicable local, state and federal laws and regulations prohibiting discrimination and harassment.

20. DISPUTE RESOLUTION

If a dispute should arise regarding the performance of the Services, the following procedure will be used to resolve any questions of fact or interpretation not otherwise settled by agreement between the parties. Representatives of Contractor or City will reduce such questions, and their respective views, to writing. A copy of such documented dispute will be forwarded to both parties involved along with recommended methods of resolution, which would be of benefit to both parties. The representative receiving the letter will reply to the letter along with a recommended method of resolution within ten (10) business days. If the resolution thus obtained is unsatisfactory to the aggrieved party, a letter outlining the disputes will be forwarded to the City Manager. The City Manager will consider the facts and solutions recommended by each party and may then opt to direct a solution to the problem. In such cases, the action of the City Manager will be binding upon the parties involved, although nothing in this procedure will prohibit the parties from seeking remedies available to them at law.

21. TERMINATION

In the event of the Contractor's failure to prosecute, deliver, or perform the Services, City may terminate this Agreement for nonperformance by notifying Contractor by certified mail of the termination. If City decides to abandon or indefinitely postpone the work or services contemplated by this Agreement, City may terminate this Agreement upon written notice to Contractor. Upon notification of termination, Contractor has five (5) business days to deliver any documents owned by City and all work in progress to the City address contained in this Agreement. City will make a determination of fact based upon the work product delivered to City and of the percentage of work that Contractor has performed which is usable and of worth to City in having the Agreement completed. Based upon that finding City will determine the final payment of the Agreement.

Either party upon tendering thirty (30) days written notice to the other party may terminate this Agreement. In this event and upon request of City, Contractor will assemble the work product and put it in order for proper filing and closing and deliver it to City. Contractor will be paid for work performed to the termination date; however, the total will not exceed the lump sum fee payable under this Agreement. City will make the final determination as to the portions of tasks completed and the compensation to be made.

22.
COVENANTS AGAINST CONTINGENT FEES

Contractor warrants that Contractor has not employed or retained any company or person, other than a bona fide employee working for Contractor, to solicit or secure this Agreement, and that Contractor has not paid or agreed to pay any company or person, other than a bona fide employee, any fee, commission, percentage, brokerage fee, gift, or any other consideration contingent upon, or resulting from, the award or making of this Agreement. For breach or violation of this warranty, City will have the right to annul this Agreement without liability, or, in its discretion, to deduct from the Agreement price or consideration, or otherwise recover, the full amount of the fee, commission, percentage, brokerage fees, gift, or contingent fee.

23. CLAIMS AND LAWSUITS

By signing this Agreement, Contractor agrees that any Agreement claim submitted to City must be asserted as part of the Agreement process as set forth in this Agreement and not in anticipation of litigation or in conjunction with litigation. Contractor acknowledges that if a false claim is submitted to City, it may be considered fraud and Contractor may be subject to criminal prosecution. Contractor acknowledges that California Government Code sections 12650 et seq., the False Claims Act, applies to this Agreement and provides for civil penalties where a person knowingly submits a false claim to a public entity. These provisions include false claims made with deliberate ignorance of the false information or in reckless disregard of the truth or falsity of information. If City seeks to recover penalties pursuant to the False Claims Act, it is entitled to recover its litigation costs, including attorney's fees. Contractor acknowledges that the filing of a false claim may subject Contractor to an administrative debarment proceeding as the result of which Contractor may be prevented from acting as a Contractor on any public work or improvement for a period of up to five (5) years. Contractor acknowledges debarment by another jurisdiction is grounds for City to terminate this Agreement.

24. JURISDICTION AND VENUE

Any action at law or in equity brought by either of the parties for the purpose of enforcing a right or rights provided for by this Agreement will be tried in a court of competent jurisdiction in the County of San Diego, State of California, and the parties waive all provisions of law providing for a change of venue in these proceedings to any other county.

25. SUCCESSORS AND ASSIGNS

It is mutually understood and agreed that this Agreement will be binding upon City and Contractor and their respective successors. Neither this Agreement nor any part of it nor any monies due or to become due under it may be assigned by Contractor without the prior consent of City, which shall not be unreasonably withheld.

26. ENTIRE AGREEMENT

This Agreement, together with any other written document referred to or contemplated by it, along with the purchase order for this Agreement and its provisions, embody the entire Agreement and understanding between the parties relating to the subject matter of it. In case of conflict, the terms of the Agreement supersede the purchase order. Neither this Agreement nor any of its provisions may be amended, modified, waived or discharged except in a writing signed by both parties.

27. AUTHORITY

The individuals executing this Agreement and the instruments referenced in it on behalf of Contractor each represent and warrant that they have the legal power, right and actual authority to bind Contractor to the terms and conditions of this Agreement.
CONTRACTOR

By: Rachel DeValle, President (print name/title)

By: Lauren Koegel, Financial Controller (print name/title)

CITY OF CARLSBAD, a municipal corporation of the State of California

By: Assistant City Manager

ATTEST: SHERRY FREISINGER, City Clerk

If required by City, proper notarial acknowledgment of execution by contractor must be attached. If a corporation, Agreement must be signed by one corporate officer from each of the following two groups.

Group A: Chairman, President, or Vice-President
Group B: Secretary, Assistant Secretary, CFO or Assistant Treasurer

Otherwise, the corporation must attach a resolution certified by the secretary or assistant secretary under corporate seal empowering the officer(s) signing to bind the corporation.

APPROVED AS TO FORM:
CINDIE K. McMAHON, City Attorney
BY: Deputy City Attorney

EXHIBIT "A"
SCOPE OF SERVICES

Contractor agrees to provide services ("Services") as set forth below.

Red Team Assessment

The goal of the Red Team Assessment is to assess the effectiveness of City's information security prevention, detection, and response capabilities by leveraging real-world adversarial techniques to establish a foothold on the internal environment and accomplish specific attack objectives mutually defined by City and Contractor. Example objectives may include gaining access to City data, compromising internal domain administrator credentials, or demonstrating access to email or critical business systems. In order to present a realistic attack scenario, the test will be conducted with no prior knowledge of or access to City's IT environment. Additionally, Contractor will use techniques specifically designed to evade detection by IT Security teams and controls.
The specific methodology used during this testing may be customized during the engagement based on results and findings, but will generally follow the following steps:

1. Assumed Breach – Upon gaining access to the internal environment, Contractor will attempt to move laterally throughout the intranet and ultimately accomplish the defined objectives. The Post-Exploitation phase may involve the following:

a. Privilege Escalation – Upon gaining access to a system, Contractor may leverage various attacks to escalate the privileges of the current user to the highest levels. This escalated privilege allows Contractor to perform a variety of malicious activities, including establishing persistence, installing additional malware (e.g., key loggers), and capturing credentials.

b. Internal Exploitation – By leveraging the same techniques used during the Identification phase, Contractor may search for internal data repositories, portals, collaboration forums, and other internal sources that provide access to sensitive data and assist in locating high-value targets within the intranet. Additionally, Contractor may identify internal systems that can be compromised via technical exploits in order to gain further access to the environment or capture additional credentials.

c. Credential Harvesting – Once access to internal systems has been obtained, Contractor may begin collecting account credentials for valid internal users. Specific focus will be given to identifying and extracting privileged domain credentials, as these provide extensive access to the environment. Typical credential harvesting attacks include dumping hashes, Kerberos tickets, and clear text credentials from local system memory or accessible virtual machine files and identifying accessible scripts and configuration files with hard-coded credentials.

In most attacks, post-exploitation is an iterative process that involves multiple cycles of identifying internal targets, compromising those targets, and extracting additional information and credentials for further lateral movement within the intranet. As noted above, the ultimate goal of this phase is to accomplish the predefined attack objectives. In order to accomplish the objectives, Contractor often obtains full administrative access to critical systems (e.g., financial application servers, key databases, executive email and file shares), the internal authentication and authorization systems (e.g., Active Directory, LDAP, two-factor authentication), or the core network infrastructure (e.g., RADIUS, TACACS).

A secondary objective of this assessment is to measure the detection and response capabilities of the information security team. Therefore, Contractor will use testing and attack techniques that are designed to bypass or evade security controls. Contractor will leverage custom malware that may not be detected by commercial anti-virus products, and avoid using any scanning or exploitation techniques that are likely to be observed by system users or detected by network sensors and endpoint controls. In the event that the City information security team detects the test in progress, the Contractor and City project managers will select an appropriate course of action for the continuation of testing.

Red Team activities will be discussed and agreed upon by both Contractor and the City during the project kickoff meeting. The activities may include the specific scope of the engagement (e.g., whitelisted targets, blacklisted targets), coordination and approval necessary prior to exploitation of targets, schedules and timeframes, data handling and communications plan, and escalation policy.
Additional Services details:

• Simulation of an advanced attacker attempting to gain access to specific sensitive systems and information within the City's environment
• Includes targeting of up to 3 objectives provided by City at the start of the assessment
• Includes exploitation of discovered vulnerabilities, lateral movement between City's systems and networks, and escalation of privileges within accessed systems
• Testing will be designed to be stealthy and will aim to avoid detection by City's network defenses and security personnel
• Includes a simulation of data exfiltration from select City systems and networks
• Does not include a comprehensive vulnerability assessment of City systems, reassessment, or remediation validation
• All Red Team Assessment activities are time-bound to a total of 15 consultant-days of work
• Performed without restrictions on the days and times when testing can occur
• Testing will not be performed on a full-time basis and Contractor may pause testing for several days at a time during this phase to assist with avoiding detection by City's network defenses and/or security personnel.
• Contractor will be provided with internal access via a Contractor-controlled Command and Control (C2) payload or via other means agreed upon between Contractor and City.
• Services will be performed remotely from Contractor's offices

Deliverables

Proactive Services Deliverables

The following Deliverables will be produced for these Services:

• Regular Status Reporting - Contractor will provide regular status reporting that summarizes activities completed, significant findings, issues requiring attention and plans for the next reporting period.
• Penetration Test Report - Contractor will provide a detailed written summary for each phase of the assessment. This typically includes an executive summary, key findings, the methodologies followed, and detailed findings. Each finding includes an explanation of the systemic cause, risk rating, and detailed remediation steps.
• Red Team Assessment Report – Contractor will provide a detailed written summary of the Red Team Assessment. This typically includes an executive summary, key findings, a risk rating based on the objectives, the methodology followed, and detailed findings that include reproducible technical results and associated recommendations.

Contractor's independent work product reports such as intelligence reports, presentations, materials or other written information provided by Contractor to City in connection with the Services provided hereunder but having been developed independently by Contractor are Contractor's materials and will not be considered "Deliverables" as defined in this Agreement.

Schedule and Staffing

The scheduling of Services under this SOW will be as mutually agreed to by all parties.

Technology Fees

Technology Fees are not anticipated for this engagement. Contractor will request written (emailed) authorization from City for any charges related to the use of technologies.

Expenses

Assumptions

1. All work activities will be performed without day and time restrictions.
2. If compromised computer systems are identified during the engagement, incident response activities may be conducted pursuant to a separate SOW.
3.
If any factor outside Contractor's control, including those caused by City or City requirements (such as requirements to refrain from operating technology during specific times), causes delays in implementing technology needed for Contractor to perform the Services or causes Services to take longer than expected, then notwithstanding any fixed fees, City may be invoiced for technology fees for the period of any such delays, upon approval by the City.
4. Estimated professional fees do not include any hardware, software, licensing, maintenance, or support costs of any Contractor or other third-party product or service suggested by Contractor as we conduct the activities outlined within this SOW.
5. Contractor will provide Deliverables to City throughout this engagement. Draft Deliverables are considered final upon written confirmation from City.
6. City represents that all information provided is true and accurate and that City owns or is authorized to represent the owners of the systems, facilities, and/or devices described in connection with the services. City represents that it has obtained all permissions necessary for Contractor to perform the services described herein.
7. City will make available key individuals that can best help plan operations around security event monitoring, analysis, threat intelligence, and incident response.
8. Any changes to the scope of Services or this SOW must be mutually agreed upon in writing by all parties.

Additional Security Testing Terms and Conditions

1. As a part of the testing, Contractor may, among other things, (a) scan City's network and systems for ports, services and other entry points that can be exploited; and (b) probe those entry points in an effort to gain access to City's network and systems in an effort to determine the severity of the vulnerability.
2. CITY UNDERSTANDS THAT, ALTHOUGH CONTRACTOR TAKES PRECAUTIONS TO AVOID DAMAGE TO CITY'S NETWORK AND SYSTEMS, DISRUPTIONS, OUTAGES AND/OR DATA LOSS MAY OCCUR AS A RESULT OF THE TESTING. City represents and warrants that all systems on its network or otherwise accessible during the test have been backed up, and that any data loss or other damage caused by the penetration testing can be easily and quickly reversed.
3. City will provide to Contractor certain information required for performing its tests, including a description and location (e.g., an IP address) of the systems and networks to be tested. City represents and warrants that all information provided is true and accurate and that City owns or is authorized to use the systems and networks described in connection with the penetration testing.
4. City may inform all or a selected group of its employees, contractors, and other third parties about the testing to be undertaken by Contractor. If City decides not to inform anyone of the testing, City understands that people may spend time and money on behalf of City in detecting, blocking, investigating or responding to activities of Contractor. IN LIGHT OF THE POSSIBILITY THAT SUCH ACTIONS MAY BE TAKEN AND EXPENDITURES MAY OCCUR, CITY SHOULD CONSULT WITH CITY'S LEGAL COUNSEL AND/OR A MEMBER OF EXECUTIVE MANAGEMENT PRIOR TO ANY SUCH ZERO KNOWLEDGE ENGAGEMENTS. City may also want to consider contacting such third-party service providers as City's telecommunications carrier to alert them to the testing.
5. User data contained on systems that are being tested may be accessible to Contractor and Contractor may download portions of such data (e.g., as proof of access).
6. At any point during the testing, either party may pause or stop the test.
Should the testing be terminated, a rationale for such termination shall be provided by the party requesting such termination and such rationale shall be clearly documented.

Contact Information

City’s points of contact information are as follows:

Business Line Contact
Name: Hendra Gunawan
Title: IT Security Manager
Email: Hendra.Gunawan@carlsbadca.gov
Phone: (442) 339-2750
Street: 1635 Faraday Ave
City: Carlsbad
State: California
Zip: 92008

Payables Contact
Name: Brent Gerber
Title: IT Dept Senior Financial Analyst
Email: Brent.gerber@carlsbadca.gov & renewals@carlsbadca.gov
Phone: 442.339.2498
Street: 1635 Faraday Ave
City: Carlsbad
State: CA
Zip: 92008

Exhibit "A"

SOLUTIONS SIMPLIFIED
A Certified Women-Owned Business
3626 Fair Oaks Blvd. Suite 100
Sacramento, CA 95864
www.solutionssimplified.net

Prepared By: Rachel DaValle
Phone: 530-521-0576
Fax: 916-244-0351
Email: rachel.davalle@solutionssimplified.net

CUSTOMER
Hendra Gunawan
CISO
City of Carlsbad
1635 Faraday Ave
Carlsbad, CA 92008
hendra.gunawan@carlsbadca.gov
(442) 339-2549

QUOTE
Date: 12/8/2022
Quote #: 11708
Valid Until: 1/31/2023
FEIN: 47-5088841
Seller's Permit: 102-806808
DUNS: 80004788
CAGE: 7GNNO
Delivery: Electronic
FOB: Destination, Freight PPD
Payment Terms: Net 45
Contract #: NASPO 7-17-70-40-05 Master Agreement No. AR2472

ITEM#  PART#     DESCRIPTION                                                      QTY  UNIT PRICE   EXT PRICE    TAXED
1      CS-FIXED  Red Team Assessment. See SOW for details.                        1    $44,630.00   $44,630.00   N
                 CS Fixed Price Term: (12) month period from the Effective Date

Subtotal:  $44,630.00
Tax Rate:  8.75%
Tax:       $0.00
Total:     $44,630.00

1. This quote is valid for 30 days from original quote date unless otherwise specified above.
2. We accept Purchase Order, Visa, Mastercard, & AMEX.
3. Orders placed on a credit card are subject to a 3% fee.
4. Our product return window is 30 days from receipt of order.

Please contact us if you have any questions or need further information. THANK YOU FOR YOUR BUSINESS!

EXHIBIT “B”
CONFIDENTIALITY

1. In connection with the work to be performed under this Agreement (the "Purpose"), City may disclose to Contractor, or Contractor may otherwise receive access to, Confidential Information (as defined below). Contractor shall use the Confidential Information solely for the Purpose and, subject to Section 3, shall not disclose or permit access to Confidential Information other than to its officers, employees, or agents, including approved subcontractors (collectively, "Representatives") who: (a) need to know such Confidential Information for the Purpose; (b) know of the existence and terms of this Agreement; and (c) are bound by confidentiality obligations no less protective of the Confidential Information than the terms contained in the Agreement. Contractor shall safeguard the Confidential Information from unauthorized use, access, or disclosure using at least the degree of care it uses to protect its most sensitive information and no less than a reasonable degree of care. Contractor shall promptly notify City of any unauthorized use or disclosure of Confidential Information and take all reasonable steps to prevent further use or disclosure. Contractor will be responsible for any breach of this Agreement caused by its Representatives.

2. "Confidential Information" means all non-public, proprietary, or confidential information, including, but not limited to, any trade secrets of City, in oral, visual, written, electronic, or other tangible or intangible form, whether or not marked or designated as "confidential," and all notes, analyses, summaries, and other materials prepared by Contractor or any of its Representatives that contain, are based on, or otherwise reflect, to any degree, any of the foregoing ("Notes"); provided, however, that Confidential Information does not include any information that: (a) is or becomes generally available to the public other than as a result of Contractor's or its Representatives' act or omission; (b) is obtained by Contractor or its Representatives on a non-confidential basis from a third party that was not legally or contractually restricted from disclosing such information; (c) was in Contractor's or its Representatives' possession, as established by documentary evidence, before City's disclosure under the Agreement; or (d) was or is independently developed by Contractor or its Representatives, as established by documentary evidence, without using any Confidential Information.

3. If Contractor or any of its Representatives is required by applicable law or a valid legal order to disclose any Confidential Information, Contractor shall, before such disclosure, notify City of such requirements so that City may seek a protective order or other remedy, and Contractor shall reasonably assist City in such effort. If Contractor remains legally compelled to make such disclosure, it shall: (a) only disclose that portion of the Confidential Information that, in the written opinion of its legal counsel, Contractor is required to disclose; and (b) use reasonable efforts to ensure that such Confidential Information is afforded confidential treatment.

4. On the expiration of this Agreement or otherwise at City's request, Contractor shall promptly, at City's option, either return to City or destroy all Confidential Information in its and its Representatives' possession other than Notes, and destroy all Notes, and certify in writing to City the destruction of such Confidential Information.

5. City provides all Confidential Information without any representation or warranty, expressed or implied, as to the accuracy or completeness of it, and City will have no liability to Contractor or any other person relating to Contractor's use of any of the Confidential Information or any errors in it or omissions from it.

6. City retains its entire right, title, and interest in and to all Confidential Information, and no disclosure of Confidential Information under this Agreement will be construed as a license, assignment, or other transfer of any such right, title, and interest to Contractor or any other person.

7. The rights and obligations of the parties under this Agreement expire 5 years after the Effective Date of the Agreement or the completion of the Purpose, whichever is later; provided that with respect to Confidential Information that is a trade secret under the laws of any jurisdiction, such rights and obligations will survive such expiration until, if ever, such Confidential Information loses its trade secret protection other than due to an act or omission of Contractor or its Representatives.

8. Contractor acknowledges and agrees that any breach of the confidentiality provisions of this Agreement will cause irreparable harm and injury to City for which money damages would be an inadequate remedy and that, in addition to remedies at law, City is entitled to equitable relief as a remedy for any such breach.

Information Technology
IT Operations
1635 Faraday Ave.
Carlsbad, CA 92008 | 760-602-2789

Memorandum

February 6, 2023

To: Geoff Patnoe, Assistant City Manager
From: Hendra Gunawan – Information Technology Security Manager
Via: Maria Callander, Director of IT
     Laura Rocha, Deputy City Manager Administrative Services
Re: Agreement for Mandiant Consulting Services with Solutions Simplified

This memorandum provides an explanation of the Agreement for Mandiant Consulting Services with Solutions Simplified for cyber-attack penetration testing.

Purpose of Agreement

The purpose of this agreement is to conduct cyber-attack penetration testing. With today's technological advances that make it easier than ever for bad actors to find an organization's most vulnerable access points, it is critical to be proactive with our testing. The purpose of penetration testing is to help identify where we are most likely to face an attack and proactively shore up those weaknesses before exploitation by hackers. The high cost of a successful cyber-attack means we should not wait for an actual scenario to play out; we need to be ahead of the curve. While the City does have robust cyber security protocols in place, a real-world test will help identify possible shortfalls in the protocols. With the help from our penetration testing provider, we are looking to expose holes, if any, in our City’s security layer and address any shortcomings before they become critical liabilities.

What we gain from penetration testing:

• Test Security Controls — Gain insights into the overall health of our application, network, and physical security layers.
• Find Real-World Vulnerabilities — Expose endpoints in our computer systems most susceptible to attacks from adversaries.
• Ensure Compliance — We can maintain information security compliance with industry standards for penetration testing.
• Reinforce Security Posture — Penetration testing assists us in prioritizing and addressing our vulnerabilities with a security program.
Next Steps

Approve the Agreement for Mandiant Consulting Services with Solutions Simplified and the Confidentiality Agreement with FireEye, Inc. dba Mandiant, an approved subcontractor.

Fiscal Impact

The cost for the testing is $44,630.00 and was included in the Information Technology’s Fiscal Year 2022-23 Operating Budget.

Attachments: Agreement for Mandiant Consulting Services with Solutions Simplified

CC: Brent Gerber

CERTIFICATE OF LIABILITY INSURANCE
DATE (MM/DD/YYYY): 01/18/2023

THIS CERTIFICATE IS ISSUED AS A MATTER OF INFORMATION ONLY AND CONFERS NO RIGHTS UPON THE CERTIFICATE HOLDER. THIS CERTIFICATE DOES NOT AFFIRMATIVELY OR NEGATIVELY AMEND, EXTEND OR ALTER THE COVERAGE AFFORDED BY THE POLICIES BELOW. THIS CERTIFICATE OF INSURANCE DOES NOT CONSTITUTE A CONTRACT BETWEEN THE ISSUING INSURER(S), AUTHORIZED REPRESENTATIVE OR PRODUCER, AND THE CERTIFICATE HOLDER.

IMPORTANT: If the certificate holder is an ADDITIONAL INSURED, the policy(ies) must have ADDITIONAL INSURED provisions or be endorsed. If SUBROGATION IS WAIVED, subject to the terms and conditions of the policy, certain policies may require an endorsement. A statement on this certificate does not confer rights to the certificate holder in lieu of such endorsement(s).

PRODUCER
K T L Business Insurance Services, Inc.
322 8th Street Suite # 101
Del Mar CA 92014
Contact Name: K T L Business Insurance Services, Inc.
Phone (A/C, No. Ext): (858) 350-0555
Fax (A/C, No): (858) 350-0556
E-mail Address: kevin@ktlinsurance.com
Agency Lic#: CA # 0D86601

INSURED
SOLUTIONS SIMPLIFIED, INC.
3626 FAIR OAKS BLVD. SUITE 100
SACRAMENTO CA 95864

INSURER(S) AFFORDING COVERAGE / NAIC #
Insurer A: Travelers Property Casualty Co of America / 25674
Insurer B: Valley Forge Insurance Company / 20508
Insurer C:
Insurer D:
Insurer E:
Insurer F:

COVERAGES
Certificate Number: 94606
Revision Number:

THIS IS TO CERTIFY THAT THE POLICIES OF INSURANCE LISTED BELOW HAVE BEEN ISSUED TO THE INSURED NAMED ABOVE FOR THE POLICY PERIOD INDICATED, NOTWITHSTANDING ANY REQUIREMENT, TERM OR CONDITION OF ANY CONTRACT OR OTHER DOCUMENT WITH RESPECT TO WHICH THIS CERTIFICATE MAY BE ISSUED OR MAY PERTAIN, THE INSURANCE AFFORDED BY THE POLICIES DESCRIBED HEREIN IS SUBJECT TO ALL THE TERMS, EXCLUSIONS AND CONDITIONS OF SUCH POLICIES. LIMITS SHOWN MAY HAVE BEEN REDUCED BY PAID CLAIMS.

Insurer Letter A: COMMERCIAL GENERAL LIABILITY
  Claims Made / Occur: OCCUR
  Policy Number: 6025579134
  Policy Eff Date (MM/DD/YY): 04/08/22
  Policy Exp Date (MM/DD/YY): 04/08/23
  Limits:
    Each Occurrence: $2,000,000
    Damage to Rented Premises (Ea occurrence): $1,000,000
    Med Exp (Any one person): $10,000
    Personal & Adv Injury: $2,000,000
    General Aggregate: $4,000,000
    Products-Comp/Op Agg: $4,000,000
    Other:
  Gen'l Aggregate Limit Applies Per: Policy / Project / Loc

Insurer Letter A: AUTOMOBILE LIABILITY
  Coverage: Hired Autos Only (X), Non-Owned Autos Only (X)
  Policy Number: 6025579134
  Policy Eff Date (MM/DD/YY): 04/08/22
  Policy Exp Date (MM/DD/YY): 04/08/23
  Limits:
    Combined Single Limit (Ea accident): $1,000,000
    Bodily Injury (Per person): $
    Bodily Injury (Per accident): $
    Property Damage (Per accident): $

UMBRELLA LIAB / EXCESS LIAB: (none listed)
  Each Occurrence: $
  Aggregate: $
  Ded / Retention: $

Insurer Letter B: WORKERS COMPENSATION AND EMPLOYERS' LIABILITY
  Per Statute (X) / Other
  Any Proprietor/Partner/Executive Officer/Member Excluded? (Mandatory in NH): N/A
  If yes, describe under DESCRIPTION OF OPERATIONS below
  Policy Number: UB9P251651
  Policy Eff Date (MM/DD/YY): 06/19/22
  Policy Exp Date (MM/DD/YY): 06/19/23
  Limits:
    E.L. Each Accident: $1,000,000
    E.L. Disease - Ea Employee: $1,000,000
    E.L. Disease - Policy Limit: $1,000,000

Insurer Letter A: Technology Errors and Omissions Liability
  Policy Number: 6025579134
  Policy Eff Date (MM/DD/YY): 04/08/22
  Policy Exp Date (MM/DD/YY): 04/08/23
  Limits:
    Per Claim Limit: 1,000,000
    Aggregate: 2,000,000

DESCRIPTION OF OPERATIONS / LOCATIONS / VEHICLES (ACORD 101, Additional Remarks Schedule, may be attached if more space is required)
CERTIFICATE HOLDER NAMED AS ADDITIONAL INSURED WITH RESPECTS TO GENERAL LIABILITY AS PER ATTACHED ENDORSEMENT AND POLICY FORM. 10-DAY NOTICE OF CANCELLATION GIVEN FOR NON-PAYMENT OF PREMIUM.

CERTIFICATE HOLDER
City of Carlsbad
1635 Fairwary Drive
Carlsbad, CA 92008

CANCELLATION
SHOULD ANY OF THE ABOVE DESCRIBED POLICIES BE CANCELLED BEFORE THE EXPIRATION DATE THEREOF, NOTICE WILL BE DELIVERED IN ACCORDANCE WITH THE POLICY PROVISIONS.

Authorized Representative: Attention: Kevin Levine, Lic # 0834847

ACORD 25 (2016/03) Certificate #94606
© 1988-2015 ACORD CORPORATION. All rights reserved. The ACORD name and logo are registered marks of ACORD