Nth Generation Computing Inc; 2024-05-28

City Attorney Approved Version 12/22/2023
DocuSign Envelope ID: 3EB93DC5-358D-463B-8DF5-F5F4E7E186AF

AGREEMENT FOR RED TEAMING ENGAGEMENT SERVICES
Nth GENERATION COMPUTING, INC.

THIS AGREEMENT is made and entered into as of the 28th day of May, 2024, by and between the City of Carlsbad, California, a municipal corporation ("City") and Nth Generation Computing, Inc., a California corporation ("Contractor").

RECITALS

A. City requires the professional services of a consultant that is experienced in Red Teaming Engagement services for pen testing, social engineering, and physical breach of the City's information technology applications.

B. Contractor has the necessary experience in providing professional services and advice related to Red Teaming Engagement services.

C. Contractor has submitted a proposal to City and has affirmed its willingness and ability to perform such work.

NOW, THEREFORE, in consideration of these recitals and the mutual covenants contained herein, City and Contractor agree as follows:

1. SCOPE OF WORK
City retains Contractor to perform, and Contractor agrees to render, those services (the "Services") that are defined in attached Exhibit "A," which is incorporated by this reference in accordance with this Agreement's terms and conditions.

2. STANDARD OF PERFORMANCE
While performing the Services, Contractor will exercise the reasonable professional care and skill customarily exercised by reputable members of Contractor's profession practicing in the Metropolitan Southern California area, and will use reasonable diligence and best judgment while exercising its professional skill and expertise.

3. TERM
The term of this Agreement will be effective for a period of one (1) year from the date first above written. The parties will prepare a written amendment indicating changes to the original agreement if determined necessary.

4. TIME IS OF THE ESSENCE
Time is of the essence for each and every provision of this Agreement.

5. COMPENSATION AND LATE FEES
The total fee payable for the Services to be performed during the Agreement term shall not exceed thirty-five thousand four hundred seventy-five dollars ($35,475.00). No other compensation for the Services will be allowed except for items covered by subsequent amendments to this Agreement. The City reserves the right to withhold a ten percent (10%) retention until City has accepted the work and/or Services specified in Exhibit "A." Incremental payments, if applicable, should be made as outlined in attached Exhibit "A."

Upon the City's failure to remit payment within thirty (30) days of receiving a payment invoice, Contractor shall issue a written late payment notice providing City with an additional thirty (30) days to remit payment before assessing a late payment fee of 1.5% of the outstanding balance per month for each month, or partial month, on any undisputed invoice that remains unpaid beyond the late payment notice period. Payment by Visa, MasterCard and American Express are accepted only on orders under $5,000. Invoices paid by credit card are subject to a 2.9% convenience fee surcharge.

6. STATUS OF CONTRACTOR
Contractor will perform the Services in Contractor's own way as an independent contractor and in pursuit of Contractor's independent calling, and not as an employee of City. Contractor will be under control of City only as to the result to be accomplished, but will consult with City as necessary. The persons used by Contractor to provide services under this Agreement will not be considered employees of City for any purposes.

The payment made to Contractor pursuant to the Agreement will be the full and complete compensation to which Contractor is entitled. City will not make any federal or state tax withholdings on behalf of Contractor or its agents, employees or subcontractors. City will not be required to pay any workers' compensation insurance or unemployment contributions on behalf of Contractor or its employees or subcontractors. Contractor agrees to indemnify City within thirty (30) days for any tax, retirement contribution, social security, overtime payment, unemployment payment or workers' compensation payment which City may be required to make on behalf of Contractor or any agent, employee, or subcontractor of Contractor for work done under this Agreement.

7. SUBCONTRACTING
Contractor will not subcontract any portion of the Services without prior written approval of City. If Contractor subcontracts any of the Services, Contractor will be fully responsible to City for the acts and omissions of Contractor's subcontractor and of the persons either directly or indirectly employed by the subcontractor, as Contractor is for the acts and omissions of persons directly employed by Contractor. Nothing contained in this Agreement will create any contractual relationship between any subcontractor of Contractor and City. Contractor will be responsible for payment of subcontractors. Contractor will bind every subcontractor and every subcontractor of a subcontractor by the terms of this Agreement applicable to Contractor's work unless specifically noted to the contrary in the subcontract and approved in writing by City.

8. OTHER CONTRACTORS
The City reserves the right to employ other Contractors in connection with the Services.

9. MUTUAL INDEMNIFICATION
Contractor agrees to defend (with counsel approved by the City), indemnify, and hold harmless the City and its officers, elected and appointed officials, employees and volunteers from and against all claims, damages, losses and expenses including attorneys' fees arising out of the performance of the work described herein caused by any negligence, recklessness, or willful misconduct of the Contractor, any subcontractor, anyone directly or indirectly employed by any of them or anyone for whose acts any of them may be liable.

The parties expressly agree that any payment, attorney's fee, costs or expense City incurs or makes to or on behalf of an injured employee under the City's self-administered workers' compensation is included as a loss, expense or cost for the purposes of this section, and that this section will survive the expiration or early termination of this Agreement.

City agrees to defend (with counsel approved by the Contractor), indemnify, and hold harmless the Contractor and its officers, employees and volunteers from and against all claims, damages, losses and expenses including attorneys' fees arising out of the performance of the work described herein caused by any negligence, recklessness, or willful misconduct of the City or its employees. City will not defend, indemnify, and hold harmless Contractor from any claims, damages, losses and expenses including attorneys' fees arising out of the performance of the work described herein caused by any negligence, recklessness, or willful misconduct of the City's contractors or their subcontractors or anyone directly or indirectly employed by any of them or anyone for whose acts any of them may be liable.

10. INSURANCE
Contractor will obtain and maintain for the duration of the Agreement and any and all amendments, insurance against claims for injuries to persons or damage to property which may arise out of or in connection with performance of the services by Contractor or Contractor's agents, representatives, employees or subcontractors. The insurance will be obtained from an insurance carrier admitted and authorized to do business in the State of California. The insurance carrier is required to have a current Best's Key Rating of not less than "A-:VII"; OR with a surplus line insurer on the State of California's List of Approved Surplus Line Insurers (LASLI) with a rating in the latest Best's Key Rating Guide of at least "A:X"; OR an alien non-admitted insurer listed by the National Association of Insurance Commissioners (NAIC) latest quarterly listings report.

10.1 Coverages and Limits. Contractor will maintain the types of coverages and minimum limits indicated below, unless Risk Manager or City Manager approves a lower amount. These minimum amounts of coverage will not constitute any limitations or cap on Contractor's indemnification obligations under this Agreement. City, its officers, agents and employees make no representation that the limits of the insurance specified to be carried by Contractor pursuant to this Agreement are adequate to protect Contractor. If Contractor believes that any required insurance coverage is inadequate, Contractor will obtain such additional insurance coverage, as Contractor deems adequate, at Contractor's sole expense. The full limits available to the named insured shall also be available and applicable to the City as an additional insured.

10.1.1 Commercial General Liability (CGL) Insurance. Insurance written on an "occurrence" basis, including personal & advertising injury, with limits no less than $2,000,000 per occurrence. If a general aggregate limit applies, either the general aggregate limit shall apply separately to this project/location or the general aggregate limit shall be twice the required occurrence limit.

10.1.2 Automobile Liability. If the use of an automobile is involved for Contractor's work for City, insurance coverage shall be no less than $2,000,000 combined single-limit per accident for bodily injury and property damage.

10.1.3 Workers' Compensation and Employer's Liability. Workers' Compensation limits as required by the California Labor Code. Workers' Compensation will not be required if Contractor has no employees and provides, to City's satisfaction, a declaration stating this.

10.1.4 Professional Liability. Errors and omissions liability appropriate to Contractor's profession with limits of not less than $1,000,000 per claim. Coverage must be maintained for a period of five years following the date of completion of the work.

10.1.5 Cyber Insurance. Coverage limit in the amount of $2,000,000 per occurrence with a $2,000,000 aggregate.

10.2 Additional Provisions. Contractor will ensure that the policies of insurance required under this Agreement contain, or are endorsed to contain, the following provisions:

10.2.1 The City will be named as an additional insured on Commercial General Liability which shall provide primary coverage to the City.

10.2.2 Contractor will obtain occurrence coverage, excluding Professional Liability, which will be written as claims-made coverage.

10.2.3 This insurance will be in force during the life of the Agreement and any extensions of it and will not be canceled without thirty (30) days prior written notice to City sent by certified mail pursuant to the Notice provisions of this Agreement.

10.3 Providing Certificates of Insurance and Endorsements. Prior to City's execution of this Agreement, Contractor will furnish certificates of insurance and endorsements to City.

10.4 Failure to Maintain Coverage. If Contractor fails to maintain any of these insurance coverages, then City will have the option to declare Contractor in breach, or may purchase replacement insurance or pay the premiums that are due on existing policies in order to maintain the required coverages. Contractor is responsible for any payments made by City to obtain or maintain insurance and City may collect these payments from Contractor or deduct the amount paid from any sums due Contractor under this Agreement.

10.5 Submission of Insurance Policies. City reserves the right to require, at any time, complete and certified copies of any or all required insurance policies and endorsements.

11. BUSINESS LICENSE
Contractor will obtain and maintain a City of Carlsbad Business License for the term of the Agreement, as may be amended from time-to-time.

12. ACCOUNTING RECORDS
Contractor will maintain complete and accurate records with respect to costs incurred under this Agreement in accordance with Generally Accepted Accounting Principles. All records will be clearly identifiable. Contractor will allow a representative of City during normal business hours to examine, audit, and make transcripts or copies of records and any other documents created pursuant to this Agreement. Contractor will allow inspection of all work, data, documents, proceedings, and activities related to the Agreement for a period of three (3) years from the date of final payment under this Agreement.

13. OWNERSHIP OF DOCUMENTS
All work product produced by Contractor or its agents, employees, and subcontractors pursuant to this Agreement is the property of City. In the event this Agreement is terminated, all work product produced by Contractor or its agents, employees and subcontractors pursuant to this Agreement will be delivered at once to City.
Contractor will have the right to make one (1) copy of the work product for Contractor's records.

14. NOTICES
The name of the persons who are authorized to give written notice or to receive written notice on behalf of City and on behalf of Contractor under this Agreement are:

For City:
Name: Maria Callander
Title: IT Director
Dept: Information Technology, CITY OF CARLSBAD
Address: 1635 Faraday Ave, Carlsbad, CA 92008
Phone: 442-339-2454

For Contractor:
Name: Joyce Russell
Title: EVP/CFO
Address: 17055 Camino San Bernardo, SAN DIEGO, CA 92127
Phone: 858-451-2383
Email: Joyce.Russell@nth.com

Each party will notify the other immediately of any changes of address that would require any notice or delivery to be directed to another address.

15. CONFLICT OF INTEREST
Contractor shall file a Conflict of Interest Statement with the City Clerk in accordance with the requirements of the City of Carlsbad Conflict of Interest Code. The Contractor shall report investments or interests as required in the City of Carlsbad Conflict of Interest Code.

Yes    No

If yes, list the contact information below for all individuals required to file:
Name    Email    Phone Number

16. GENERAL COMPLIANCE WITH LAWS
Contractor will keep fully informed of federal, state and local laws and ordinances and regulations which in any manner affect those employed by Contractor, or in any way affect the performance of the Services by Contractor. Contractor will at all times observe and comply with these laws, ordinances, and regulations and will be responsible for the compliance of Contractor's services with all applicable laws, ordinances and regulations.

Contractor will be aware of the requirements of the Immigration Reform and Control Act of 1986 and will comply with those requirements, including, but not limited to, verifying the eligibility for employment of all agents, employees, subcontractors and consultants whose services are required by this Agreement.

17. CALIFORNIA AIR RESOURCES BOARD (CARB) ADVANCED CLEAN FLEETS REGULATIONS
Contractor's vehicles with a gross vehicle weight rating greater than 8,500 lbs. and light-duty package delivery vehicles operated in California may be subject to the California Air Resources Board (CARB) Advanced Clean Fleets regulations. Such vehicles may therefore be subject to requirements to reduce emissions of air pollutants. For more information, please visit the CARB Advanced Clean Fleets webpage at https://ww2.arb.ca.gov/our-work/programs/advanced-clean-fleets.

18. DISCRIMINATION AND HARASSMENT PROHIBITED
Contractor will comply with all applicable local, state and federal laws and regulations prohibiting discrimination and harassment.

19. DISPUTE RESOLUTION
If a dispute should arise regarding the performance of the Services the following procedure will be used to resolve any questions of fact or interpretation not otherwise settled by agreement between the parties. Representatives of Contractor or City will reduce such questions, and their respective views, to writing. A copy of such documented dispute will be forwarded to both parties involved along with recommended methods of resolution, which would be of benefit to both parties. The representative receiving the letter will reply to the letter along with a recommended method of resolution within ten (10) business days. If the resolution thus obtained is unsatisfactory to the aggrieved party, a letter outlining the disputes will be forwarded to the City Manager. The City Manager will consider the facts and solutions recommended by each party and may then opt to direct a solution to the problem. In such cases, the action of the City Manager will be binding upon the parties involved, although nothing in this procedure will prohibit the parties from seeking remedies available to them at law.

20. TERMINATION
In the event of the Contractor's failure to prosecute, deliver, or perform the Services, City may terminate this Agreement for nonperformance by notifying Contractor by certified mail of the termination. If City decides to abandon or indefinitely postpone the work or services contemplated by this Agreement, City may terminate this Agreement upon written notice to Contractor. Upon notification of termination, Contractor has five (5) business days to deliver any documents owned by City and all work in progress to City address contained in this Agreement. City will make a determination of fact based upon the work product delivered to City and of the percentage of work that Contractor has performed which is usable and of worth to City in having the Agreement completed. Based upon that finding, City will determine the final payment of the Agreement.

City may terminate this Agreement by tendering thirty (30) days written notice to Contractor. Contractor may terminate this Agreement by tendering thirty (30) days written notice to City. In the event of termination of this Agreement by either party and upon request of City, Contractor will assemble the work product and put it in order for proper filing and closing and deliver it to City. Contractor will be paid for work performed to the termination date; however, the total will not exceed the lump sum fee payable under this Agreement. City will make the final determination as to the portions of tasks completed and the compensation to be made.

In the event that the Contractor disagrees with the City's findings as described in this section 20, Contractor retains the right to seek remedies available to them at law.

21. COVENANTS AGAINST CONTINGENT FEES
Contractor warrants that Contractor has not employed or retained any company or person, other than a bona fide employee working for Contractor, to solicit or secure this Agreement, and that Contractor has not paid or agreed to pay any company or person, other than a bona fide employee, any fee, commission, percentage, brokerage fee, gift, or any other consideration contingent upon, or resulting from, the award or making of this Agreement. For breach or violation of this warranty, City will have the right to annul this Agreement without liability, or, in its discretion, to deduct from the Agreement price or consideration, or otherwise recover, the full amount of the fee, commission, percentage, brokerage fees, gift, or contingent fee.

22. CLAIMS AND LAWSUITS
By signing this Agreement, Contractor agrees that any Agreement claim submitted to City must be asserted as part of the Agreement process as set forth in this Agreement and not in anticipation of litigation or in conjunction with litigation. Contractor acknowledges that if a false claim is submitted to City, it may be considered fraud and Contractor may be subject to criminal prosecution. Contractor acknowledges that California Government Code sections 12650 et seq., the False Claims Act applies to this Agreement and, provides for civil penalties where a person knowingly submits a false claim to a public entity. These provisions include false claims made with deliberate ignorance of the false information or in reckless disregard of the truth or falsity of information. If City seeks to recover penalties pursuant to the False Claims Act, it is entitled to recover its litigation costs, including attorney's fees. Contractor acknowledges that the filing of a false claim may subject Contractor to an administrative debarment proceeding as the result of which Contractor may be prevented to act as a Contractor on any public work or improvement for a period of up to five (5) years. Contractor acknowledges debarment by another jurisdiction is grounds for City to terminate this Agreement.

23. JURISDICTION AND VENUE
Any action at law or in equity brought by either of the parties for the purpose of enforcing a right or rights provided for by this Agreement will be tried in a court of competent jurisdiction in the County of San Diego, State of California, and the parties waive all provisions of law providing for a change of venue in these proceedings to any other county.

24. SUCCESSORS AND ASSIGNS
It is mutually understood and agreed that this Agreement will be binding upon City and Contractor and their respective successors. Neither this Agreement nor any part of it nor any monies due or to become due under it may be assigned by Contractor without the prior consent of City, which shall not be unreasonably withheld.

25. ENTIRE AGREEMENT
This Agreement, together with any other written document referred to or contemplated by it, along with the purchase order for this Agreement and its provisions, embody the entire Agreement and understanding between the parties relating to the subject matter of it. In case of conflict, the terms of the Agreement supersede the purchase order. Neither this Agreement nor any of its provisions may be amended, modified, waived or discharged except in a writing signed by both parties. This Agreement may be executed in counterparts.

26. AUTHORITY
The individuals executing this Agreement and the instruments referenced in it on behalf of Contractor each represent and warrant that they have the legal power, right and actual authority to bind Contractor to the terms and conditions of this Agreement.

Executed by Contractor this 16th day of May, 2024.

CONTRACTOR
Nth Generation Computing, Inc., a California corporation
By: (sign here) Todd Burkhardt, Co-President (print name/title)
By: (sign here) Joyce Russell, EVP/CFO (print name/title)

CITY OF CARLSBAD, a municipal corporation of the State of California
By: IT Director
ATTEST: SHERRY FREISINGER, City Clerk
By: Senior Deputy City Clerk

If required by City, proper notarial acknowledgment of execution by contractor must be attached. If a corporation, Agreement must be signed by one corporate officer from each of the following two groups.

Group A: Chairman, President, or Vice-President
Group B: Secretary, Assistant Secretary, CFO or Assistant Treasurer

Otherwise, the corporation must attach a resolution certified by the secretary or assistant secretary under corporate seal empowering the officer(s) signing to bind the corporation.

APPROVED AS TO FORM:
CINDIE K. McMAHON, City Attorney
BY: _____________________________ Assistant City Attorney

EXHIBIT A
SCOPE OF SERVICES AND FEE

Scope of Work
Contractor will provide Internal Red Team Engagement using the MITRE ATT&CK Framework (defined below) and other tactics, techniques, and procedures. These comprehensive tests involve blending multiple attack vectors, just like a real attacker would, to attempt to gain a foothold in the environment and/or access sensitive data. This service includes Smishing, Vishing and Phishing utilizing Deepfakes, Internal and External Penetration Testing, Wi-Fi Assessment, and a Physical Security Walkthrough of 2 locations. Unlike other penetration tests where results are delivered per phase, during the Internal Red Team engagement, results from one phase may be used to make progress in different phases. Contractor will use every possible avenue to penetrate and exploit the City's internal network and systems and gain access to data. No penetration tests shall be conducted on any third party hosted system(s). Contractor shall work with City to determine whether a particular internal network and system has a third-party hosting component.

The MITRE ATT&CK Framework
MITRE ATT&CK® is a taxonomy of adversary tactics and techniques based on real-world observations. Contractor uses the same Techniques, Tactics, and Procedures (TTP) malicious attackers use, allowing City to ascertain their risk to such threats. This framework provides a roadmap for an attacker or penetration tester to move from reconnaissance through data exfiltration. Contractor's Scope of Work (SOW) and engagement operating procedures align with this framework.

[Figure: attack phases: Recon, Weaponization, Delivery, Exploitation, Installation, Command & Control, Exfiltration]

Kickoff Meeting
A kickoff meeting will be held to introduce the Contractor's team, discuss details, dependencies, constraints, and identified risks, and solidify the timeline. City should attempt to include their sponsor(s), stakeholders, and team members in the kickoff to ensure everyone understands the services and their roles. It is an opportunity for all team members to share data specific to the services. It provides a richer understanding and insight into business triggers, corporate objectives, and keys to success. The kickoff meeting also defines roles, responsibilities, governance, communication, and reporting. A well-executed kickoff meeting is critical to success.

Reconnaissance & Resource Requirements Identified
Upon initial internal system access, the Contractor will seek to gain visibility into what is accessible on the network. Identification of operating systems, applications, file shares, web applications, and accessible services will be conducted. This information provides valuable information as many organizations run outdated operating systems or applications with known weaknesses. Systems allowing remote desktop capabilities, Telnet services, and other significant attack vectors will be identified.

Initial Access
Initial access will be attempted via several methods including Smishing, Vishing and Phishing as well as technical attacks on the Internet-Facing systems. The goal of this phase is to gain initial access into the environment from which the Contractor can then attempt further penetration.
Privilege Escalation
If the Contractor successfully gains initial access and administrative access is not achieved, a variety of privilege escalation techniques will be utilized. The methods used are to gain higher-level permissions on a system or network. A few examples of techniques utilized include abuse of access tokens, password hashes, SSH keys, DLL side-loading, capabilities to escape to a host operating system, process injection, and scheduling of tasks.

Defense Evasion
Defense evasion techniques are used to avoid detection. Methods for defense evasion often include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Shell escapes may be utilized to manipulate SetUID/SetGID bits. Token impersonation may be used to pose as another account. Installation and utilization of virtual machines and containers may also be used to circumvent the controls. Custom malicious payloads may be loaded by side-loading DLLs, which often bypass even today's advanced endpoint security solutions.

Credential Access
During this phase, the Contractor will seek to acquire credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can provide access to systems, make the Contractor harder to detect, and provide the opportunity to create more accounts.

Lateral Movement
During the Lateral Movement phase, the Contractor's primary objective is to explore the network to find targets and gain access to them. This often involves pivoting through multiple systems and accounts to gain the access sought. The Contractor may utilize custom remote access tools or use legitimate credentials with native network and operating system tools, which is sometimes stealthier and often referred to as "Living off the Land" (LoL) attacks.
Collection
During Collection, the Contractor will scour the environment to acquire sensitive information. Man-in-the-Middle attacks, such as network sniffing and ARP cache poisoning, may enable the Contractor to gain visibility into network traffic. Resources such as browser history, passwords, etc., will be assessed. Data repositories such as SharePoint, Confluence, and Jira may be evaluated as they often contain helpful information for an attacker. Access and Collection of emails often provide valuable information. Keylogging, screen captures, and video captures are other potential techniques used during this phase. Due to this data's potentially sensitive nature, a comprehensive exfiltration of the information is not executed. The Contractor will take screenshots and artifacts demonstrating the exposure level without compromising the dataset. Equally, the Contractor will intentionally not attempt to manipulate, interrupt, or destroy systems or data.

Reporting
Upon completing the above phases, the data will coalesce into a final deliverable with applicable artifacts from the automated scans and manual discovery phases. The Contractor will author an executive summary that includes a prioritized list of recommendations and a technical report. The executive summary and technical report will be shared with the City before the debriefing phase.

Debriefing
Red team account techniques and durations vary greatly. Some organizations have a specific timeline to be met, while others are focused on outcomes and the comprehensiveness of the test. Contractor can accommodate either approach. As this is a covert operation, Contractor will only work with the few individuals listed on the Documentation Request forms. Once the covert operations are completed, if necessary, Contractor will deploy a physical security appliance to allow the Contractor to complete comprehensive penetration testing against the internal network.
After report delivery, a debriefing meeting will be held to address findings and recommendations, confirm contract terms and conditions have been met, and formally conclude services. The debriefing meeting provides an opportunity to discuss any items or tasks set aside or deemed out of scope, ensures that all work is complete, and offers a forum for feedback. Contractor will make every effort to hold the debriefing meeting within thirty (30) business days of delivering the executive summary and technical report. If the Client is unable to meet within 10 business days of receipt of final report an invoice and an email acknowledging that work has been completed will be sent to the Client.

Invoicing
If this project is completed within thirty (30) days, Contractor will submit an invoice at the conclusion of the project. If the services extend beyond thirty (30) days, Contractor will submit invoices at the end of each month for the services performed during the month. In either instance, payment is due within thirty (30) days of receiving Contractor's invoice. No invoices will be submitted for complimentary assessments, and such assessments are independent from the billable services described herein.

Fees
Contractor is offering this service as a fixed price engagement.

Service: Red Team Engagement
Price: $35,475.00

General Provisions
• The ability of Contractor to deliver this service is dependent upon City's full and timely cooperation, as well as the accuracy and completeness of any information and data the City may provide to Contractor.
• Contractor will schedule the delivery of the service at a time mutually agreed upon with the City, but which shall be during standard business hours and excluding holidays defined under U.S. Code 5.III.E.61.1§6103 unless otherwise agreed in writing, in advance, by Contractor.

ACORD CERTIFICATE OF LIABILITY INSURANCE
DATE (MM/DD/YYYY): 06/20/2023

THIS CERTIFICATE IS ISSUED AS A MATTER OF INFORMATION ONLY AND CONFERS NO RIGHTS UPON THE CERTIFICATE HOLDER. THIS CERTIFICATE DOES NOT AFFIRMATIVELY OR NEGATIVELY AMEND, EXTEND OR ALTER THE COVERAGE AFFORDED BY THE POLICIES BELOW. THIS CERTIFICATE OF INSURANCE DOES NOT CONSTITUTE A CONTRACT BETWEEN THE ISSUING INSURER(S), AUTHORIZED REPRESENTATIVE OR PRODUCER, AND THE CERTIFICATE HOLDER.

IMPORTANT: If the certificate holder is an ADDITIONAL INSURED, the policy(ies) must have ADDITIONAL INSURED provisions or be endorsed. If SUBROGATION IS WAIVED, subject to the terms and conditions of the policy, certain policies may require an endorsement. A statement on this certificate does not confer rights to the certificate holder in lieu of such endorsement(s).

PRODUCER: Springbrook Insurance Agency, 10650 Treena Street Suite 101, San Diego, CA 92131-2435; Russell Lail; 858-391-3001
CONTACT NAME: Leigh Shelton
PHONE (A/C, No, Ext): 858-391-3001
FAX (A/C, No): 858-391-3010
E-MAIL ADDRESS: leigh@springbrookins.com

INSURED: NTH Generation Computing Inc, 17055 Camino San Bernardo, San Diego, CA 92127-5709

INSURER(S) AFFORDING COVERAGE (NAIC #)
INSURER A: Hartford Ins Co of MidWest (37478)
INSURER B: Trumball Ins Co (27120)
INSURER C: Hartford Casualty Ins Co (29424)
INSURER D: Hartford Fire Insurance Co. (19682)

COVERAGES
THIS IS TO CERTIFY THAT THE POLICIES OF INSURANCE LISTED BELOW HAVE BEEN ISSUED TO THE INSURED NAMED ABOVE FOR THE POLICY PERIOD INDICATED. NOTWITHSTANDING ANY REQUIREMENT, TERM OR CONDITION OF ANY CONTRACT OR OTHER DOCUMENT WITH RESPECT TO WHICH THIS CERTIFICATE MAY BE ISSUED OR MAY PERTAIN, THE INSURANCE AFFORDED BY THE POLICIES DESCRIBED HEREIN IS SUBJECT TO ALL THE TERMS, EXCLUSIONS AND CONDITIONS OF SUCH POLICIES. LIMITS SHOWN MAY HAVE BEEN REDUCED BY PAID CLAIMS.

Insurer A: COMMERCIAL GENERAL LIABILITY (occurrence form; general aggregate limit applies per project)
  Additional insured: Y
  Policy number: 72UUNCK3777
  Policy period: 07/01/2023 to 07/01/2024
  Each occurrence: $1,000,000
  Damage to rented premises (ea occurrence): $1,000,000
  Med exp (any one person): $10,000
  Personal & adv injury: $1,000,000
  General aggregate: $2,000,000
  Products - comp/op agg: $2,000,000

Insurer B: AUTOMOBILE LIABILITY (any auto; hired autos only; non-owned autos only)
  Additional insured: Y
  Policy number: 72UENCK3752
  Policy period: 07/01/2023 to 07/01/2024
  Combined single limit: $1,000,000
  Comp / coll deductible: $1,000

Insurer C: UMBRELLA LIAB (occurrence form)
  Additional insured: Y
  Policy number: 72XHUCK2415-FOLLOWS FORM
  Policy period: 07/01/2023 to 07/01/2024
  Each occurrence: $5,000,000
  Aggregate: $5,000,000
  Retention: $10,000

Insurer A: WORKERS COMPENSATION AND EMPLOYERS' LIABILITY
  Any proprietor/partner/executive officer/member excluded: Y
  Policy number: 72WERT0498
  Policy period: 07/01/2023 to 07/01/2024
  E.L. each accident: $1,000,000
  E.L. disease - ea employee: $1,000,000
  E.L. disease - policy limit: $1,000,000

Insurer D: Professional Liability
  Policy number: 72TE0294863
  Policy period: 07/01/2023 to 07/01/2024
  Occ: 5,000,000

Insurer D: Cyber Liability
  Policy number: 72TE0294863
  Policy period: 07/01/2023 to 07/01/2024
  Occ: 5,000,000

DESCRIPTION OF OPERATIONS / LOCATIONS / VEHICLES (ACORD 101, Additional Remarks Schedule, may be attached if more space is required)
City of Carlsbad is named as additional insured.
CERTIFICATE HOLDER CANCELLATION CARLS01 SHOULD ANY OF THE ABOVE DESCRIBED POLICIES BE CANCELLED BEFORE THE EXPIRATION DATE THEREOF, NOTICE WILL BE DELIVERED IN City of Carlsbad ACCORDANCE WITH THE POLICY PROVISIONS. €t Management Analyst AUTHORl2ED REPRESENTATIVE 1200 Carlsbad Village Drive ~~ Carlsbad, CA 92008 I ACORD 25 (2016/03) © 1988-2015 ACORD CORPORATION. All rights reserved. The ACORD name and logo are registered marks of ACORD