045-17 - Critical Informatics - Contract

RECEIVED, PORT ORCHARD CITY CLERKS OFFICE

CITY OF PORT ORCHARD PERSONAL SERVICES AGREEMENT
Contract No. 045-17

THIS Agreement is made effective as of the 13th day of June 2017, by and between the City of Port Orchard, a municipal corporation, organized under the laws of the State of Washington, whose address is:

CITY OF PORT ORCHARD, WASHINGTON (hereinafter the "CITY")
216 Prospect Street
Port Orchard, Washington 98366
Contact: Mayor Robert Putaansuu
Phone: 360.876.4407
Fax: 360.895.9029

And Critical Informatics, a corporation, organized under the laws of the State of Washington, doing business at:

245 4th Street Suite 405
Bremerton, WA 98337 (hereinafter the "CONSULTANT")
Contact: Fred Langston, CISSP CCSK
Phone: 206-973-2098
Email: fred.langston@criticalinformatics.com

for personal services in connection with the following Project: Security Assessment Services

TERMS AND CONDITIONS

1. Services by Consultant.
A. The Consultant shall perform the services described in the Scope of Work attached to this Agreement as Exhibit "A." The services performed by the Consultant shall not exceed the Scope of Work without prior written authorization from the City.
B. The City may from time to time require changes or modifications in the Scope of Work. Such changes, including any decrease or increase in the amount of compensation, shall be agreed to by the parties and incorporated in written amendments to the Agreement.

2. Schedule of Work.
A. The Consultant shall perform the services described in the Scope of Work in accordance with the tasks identified within Exhibit "A" and the terms of this Agreement. If delays beyond the Consultant's reasonable control occur, the parties will negotiate in good faith to determine whether an extension is appropriate.
B. The Consultant is authorized to proceed with services upon receipt of a written Notice to Proceed.
City of Port Orchard and Critical Informatics Personal Services Agreement Contract No. 045-17 1 of 38

3. Terms. This Agreement shall commence on July 3, 2017 ("Commencement Date") and shall terminate December 31, 2017 unless extended or terminated in writing as provided herein. The City reserves the right to offer two (2) one-year extensions prior to contract expiration to retain the selected company's services.

4. Compensation.
X LUMP SUM. Compensation for these services shall be a Lump Sum of $11,440.00.
❑ TIME AND MATERIALS NOT TO EXCEED. Compensation for these services shall not exceed $______ without written authorization and will be based on the list of billing rates and reimbursable expenses attached hereto as Exhibit "___".
❑ TIME AND MATERIALS. Compensation for these services shall be on a time and material basis according to the list of billing rates and reimbursable expenses attached hereto as Exhibit "___".
❑ OTHER.

5. Payment.
A. The Consultant shall maintain time and expense records and provide them to the City monthly after services have been performed, along with monthly invoices in a format acceptable to the City for work performed to the date of the invoice.
B. All invoices shall be paid by City warrant within thirty (30) days of receipt of a proper invoice. If the City objects to all or any portion of any invoice, it shall so notify the Consultant of the same within fifteen (15) days from the date of receipt and shall pay that portion of the invoice not in dispute, and the parties shall immediately make every effort to settle the disputed portion.
C. The Consultant shall keep cost records and accounts pertaining to this Agreement available for inspection by City representatives for three (3) years after final payment unless a longer period is required by a third-party agreement. Copies shall be made available on request.
D.
On the effective date of this Agreement (or shortly thereafter), the Consultant shall comply with all federal and state laws applicable to independent contractors, including, but not limited to, the maintenance of a separate set of books and records that reflect all items of income and expenses of the Consultant's business, pursuant to Revised Code of Washington (RCW) 51.08.195, as required by law, to show that the services performed by the Consultant under this Agreement shall not give rise to an employer-employee relationship between the parties, which is subject to Title 51 RCW, Industrial Insurance.
E. If the services rendered do not meet the requirements of the Agreement, the Consultant will correct or modify the work to comply with the Agreement. The City may withhold payment for such work until the work meets the requirements of the Agreement.

6. Discrimination and Compliance with Laws
A. The Consultant agrees not to discriminate against any employee or applicant for employment or any other person in the performance of this Agreement because of race, creed, color, national origin, marital status, sex, age, disability, or other circumstance prohibited by federal, state, or local law or ordinance, except for a bona fide occupational qualification.
B. Even though the Consultant is an independent contractor with the authority to control and direct the performance and details of the work authorized under this Agreement, the work must meet the approval of the City and shall be subject to the City's general right of inspection to secure the satisfactory completion thereof.
The Consultant agrees to comply with all federal, state and municipal laws, rules and regulations that are now effective or become applicable within the terms of this Agreement to the Consultant's business, equipment and personnel engaged in operations covered by this Agreement or accruing out of the performance of such operations.
C. The Consultant shall obtain a City of Port Orchard business license prior to receipt of written Notice to Proceed.
D. Violation of this Paragraph 6 shall be a material breach of this Agreement and grounds for cancellation, termination, or suspension of the Agreement by the City, in whole or in part, and may result in ineligibility for further work for the City.

7. Relationship of Parties. The parties intend that an independent contractor-client relationship will be created by this Agreement. As the Consultant is customarily engaged in an independently established trade which encompasses the specific service provided to the City hereunder, no agent, employee, representative or sub-consultant of the Consultant shall be or shall be deemed to be the employee, agent, representative or sub-consultant of the City. In the performance of the work, the Consultant is an independent contractor with the ability to control and direct the performance and details of the work, the City being interested only in the results obtained under this Agreement. None of the benefits provided by the City to its employees, including but not limited to compensation, insurance, and unemployment insurance, are available from the City to the employees, agents, representatives or sub-consultants of the Consultant. The Consultant will be solely and entirely responsible for its acts and for the acts of its agents, employees, representatives and sub-consultants during the performance of this Agreement. The City may, during the term of this Agreement, engage other independent contractors to perform the same or similar work that the Consultant performs hereunder.

8.
Suspension and Termination of Agreement
A. Termination without cause. This Agreement may be terminated by the City at any time for public convenience, for the Consultant's insolvency or bankruptcy, or the Consultant's assignment for the benefit of creditors.
B. Termination with cause. This Agreement may be terminated upon the default of the Consultant and the failure of the Consultant to cure such default within a reasonable time after receiving written notice of the default.
C. Rights Upon Termination.
1. With or Without Cause. Upon termination for any reason, all finished or unfinished documents, reports, or other material or work of the Consultant pursuant to this Agreement shall be submitted to the City, and the Consultant shall be entitled to just and equitable compensation for any satisfactory work completed prior to the date of termination, not to exceed the total compensation set forth herein. The Consultant shall not be entitled to any reallocation of cost, profit or overhead. The Consultant shall not in any event be entitled to anticipated profit on work not performed because of such termination. The Consultant shall use its best efforts to minimize the compensation payable under this Agreement in the event of such termination. Upon termination, the City may take over the work and prosecute the same to completion, by contract or otherwise.
2. Default. If the Agreement is terminated for default, the Consultant shall not be entitled to receive any further payments under the Agreement until all work called for has been fully performed. Any extra cost or damage to the City resulting from such default(s) shall be deducted from any money due or coming due to the Consultant.
The Consultant shall bear any extra expenses incurred by the City in completing the work, including all increased costs for completing the work, and all damage sustained, or which may be sustained, by the City by reason of such default. D. Suspension. The City may suspend this Agreement, at its sole discretion. Any reimbursement for expenses incurred due to the suspension shall be limited to the Consultant's reasonable expenses, and shall be subject to verification. The Consultant shall resume performance of services under this Agreement without delay when the suspension period ends. E. Notice of Termination or Suspension. If delivered to the Consultant in person, termination shall be effective immediately upon the Consultant's receipt of the City's written notice or such date as stated in the City's notice of termination, whichever is later. Notice of suspension shall be given to the Consultant in writing upon one week's advance notice to the Consultant. Such notice shall indicate the anticipated period of suspension. Notice may also be delivered to the Consultant at the address set forth in Section 15 herein. 9. Standard of Care. The Consultant represents and warrants that it has the requisite training, skill and experience necessary to provide the services under this Agreement and is appropriately accredited and licensed by all applicable agencies and governmental entities. Services provided by the Consultant under this Agreement will be performed in a manner consistent with that degree of care and skill ordinarily exercised by members of the same profession currently practicing in similar circumstances. 10. Ownership of Work Product. A. All data, materials, reports, memoranda, and other documents developed under this Agreement whether finished or not shall become the property of the City, shall be forwarded to the City at its request and may be used by the City as it sees fit. 
Upon termination of this Agreement pursuant to paragraph 8 above, all finished or unfinished documents, reports, or other material or work of the Consultant pursuant to this Agreement shall be submitted to City. Any reuse or modification of such documents, reports or other material or work of the Consultant for purposes other than those intended by the Consultant in its scope of services under this Agreement shall be at the City's risk.
B. All written information submitted by the City to the Consultant in connection with the services performed by the Consultant under this Agreement will be safeguarded by the Consultant to at least the same extent as the Consultant safeguards like information relating to its own business. If such information is publicly available or is already in the Consultant's possession or known to it, or is rightfully obtained by the Consultant from third parties, the Consultant shall bear no responsibility for its disclosure, inadvertent or otherwise. The Consultant is permitted to disclose any such information only to the extent required by law, subpoena or other court order.

11. Work Performed at the Consultant's Risk. The Consultant shall take all precautions necessary and shall be responsible for the safety of its employees, agents and sub-consultants in the performance of the work hereunder, and shall utilize all protection necessary for that purpose. All work shall be done at the Consultant's own risk, and the Consultant shall be responsible for any loss of or damage to materials, tools, or other articles used or held by the Consultant for use in connection with the work.

12. Indemnification.
The Consultant shall defend, indemnify and hold the City, its officers, officials, employees, agents and volunteers harmless from any and all claims, injuries, damages, losses or suits, including all legal costs and attorneys' fees, arising out of or resulting from the negligent acts, errors or omissions of the Consultant in performance of this Agreement, except for injuries or damages caused by the sole negligence of the City. Should a court of competent jurisdiction determine that this Agreement is subject to RCW 4.24.115, then, in the event of liability for damages arising out of bodily injury to persons or damages to property caused by or resulting from the concurrent negligence of the Consultant and the City, its officers, officials, employees, agents and volunteers, the Consultant's liability hereunder shall be only to the extent of the Consultant's negligence. The provisions of this section shall survive the expiration or termination of this Agreement. IT IS FURTHER SPECIFICALLY AND EXPRESSLY UNDERSTOOD THAT THE INDEMNIFICATION PROVIDED HEREIN CONSTITUTES THE CONSULTANT'S WAIVER OF IMMUNITY UNDER INDUSTRIAL INSURANCE, TITLE 51 RCW, SOLELY FOR THE PURPOSES OF THIS INDEMNIFICATION. THE PARTIES FURTHER ACKNOWLEDGE THAT THEY HAVE MUTUALLY NEGOTIATED THIS WAIVER.

13. Insurance. The Consultant shall procure and maintain for the duration of this Agreement, insurance against claims for injuries to persons or damage to property which may arise from or in connection with the performance of the work hereunder by the Consultant, its agents, representatives, or employees.
A. Minimum Scope of Insurance
Consultant shall obtain insurance of the types described below:
1. Automobile Liability insurance covering all owned, non-owned, hired and leased vehicles. Coverage shall be written on Insurance Services Office (ISO) form CA 00 01 or a substitute form providing equivalent liability coverage.
If necessary, the policy shall be endorsed to provide contractual liability coverage.
2. Commercial General Liability insurance shall be written on ISO occurrence form CG 00 01 or a substitute form providing equivalent liability coverage and shall cover liability arising from premises, operations, independent contractors and personal injury and advertising injury. The City shall be named by endorsement as an additional insured under the Consultant's Commercial General Liability insurance policy with respect to the work performed for the City.
3. Workers' Compensation coverage as required by the Industrial Insurance laws of the State of Washington.
4. Professional Liability insurance appropriate to the Consultant's profession.
B. Minimum Amounts of Insurance
Consultant shall maintain the following insurance limits:
1. Automobile Liability insurance with a minimum combined single limit for bodily injury and property damage of $1,000,000 per accident.
2. Commercial General Liability insurance shall be written with limits no less than $1,000,000 each occurrence, $2,000,000 general aggregate.
3. Workers' Compensation Employer's Liability each accident $1,000,000, Employer's Liability Disease each employee $1,000,000, and Employer's Liability Disease — Policy Limit $1,000,000.
4. Professional Liability insurance shall be written with limits no less than $1,000,000 per claim and $1,000,000 policy aggregate limit.
C. Other Insurance Provisions
The insurance policies are to contain, or be endorsed to contain, the following provisions for Automobile Liability, Professional Liability and Commercial General Liability insurance:
1. The Consultant's insurance coverage shall be primary insurance as respect the City. Any insurance, self-insurance, or insurance pool coverage maintained by the City shall be excess of the Consultant's insurance and shall not contribute with it.
2.
The Consultant's insurance shall be endorsed to state that coverage shall not be cancelled by either party, except after thirty (30) days prior written notice by certified mail, return receipt requested, has been given to the City.
3. The City will not waive its right to subrogation against the Consultant. The Consultant's insurance shall be endorsed acknowledging that the City will not waive their right to subrogation. The Consultant's insurance shall be endorsed to waive the right of subrogation against the City, or any self-insurance, or insurance pool coverage maintained by the City.
4. If any coverage is written on a "claims made" basis, then a minimum of a three (3) year extended reporting period shall be included with the claims made policy, and proof of this extended reporting period provided to the City.
D. Acceptability of Insurers
Insurance is to be placed with insurers with a current A.M. Best rating of not less than A:VII.
E. Verification of Coverage
The Consultant shall furnish the City with original certificates and a copy of the amendatory endorsements, including but not necessarily limited to the additional insured endorsement, evidencing the insurance requirements of the Consultant before commencement of the work.

14. Assigning or Subcontracting. The Consultant shall not assign, transfer, subcontract or encumber any rights, duties, or interests accruing from this Agreement without the express prior written consent of the City, which consent may be withheld in the sole discretion of the City.

15. Notice. Any notices required to be given by the City to the Consultant or by the Consultant to the City shall be in writing and delivered to the parties at the following addresses:
Robert Putaansuu
Mayor
216 Prospect Street
Port Orchard, WA 98366
Phone: 360.876.4407
Fax: 360.895.9029
CONSULTANT= CK I i) CO L- .rN c .
U—nn F a, od A - J p3,7,-4- Phone: Z,06 ' 617 " q 100 Fax: !12s - 6-4/ - D-02-f

16. Resolution of Disputes and Governing Law.
A. Should any dispute, misunderstanding or conflict arise as to the terms and conditions contained in this Agreement, the matter shall first be referred to the Mayor, who shall determine the term or provision's true intent or meaning. The Mayor shall also decide all questions which may arise between the parties relative to the actual services provided or to the sufficiency of the performance hereunder.
B. If any dispute arises between the City and the Consultant under any of the provisions of this Agreement which cannot be resolved by the Mayor's determination in a reasonable time, or if the Consultant does not agree with the Mayor's decision on a disputed matter, jurisdiction of any resulting litigation shall be filed in Kitsap County Superior Court, Kitsap County, Washington.
C. This Agreement shall be governed by and construed in accordance with the laws of the State of Washington. In any suit or action instituted to enforce any right granted in this Agreement, the substantially prevailing party shall be entitled to recover its costs, disbursements, and reasonable attorneys' fees from the other party.

17. General Provisions.
A. Non-waiver of Breach. The failure of either party to insist upon strict performance of any of the covenants and agreements contained herein, or to exercise any option herein contained in one or more instances, shall not be construed to be a waiver or relinquishment of said covenants, agreements, or options, and the same shall be in full force and effect.
B. Modification. No waiver, alteration, modification of any of the provisions of this Agreement shall be binding unless in writing and signed by a duly authorized representative of the City and the Consultant.
C. Severability. The provisions of this Agreement are declared to be severable.
If any provision of this Agreement is for any reason held by a court of competent jurisdiction to be invalid or unconstitutional, such invalidity or unconstitutionality shall not affect the validity or constitutionality of any other provision.
D. Entire Agreement. The written provisions of this Agreement, together with any Exhibits attached hereto, shall supersede all prior verbal statements of any officer or other representative of the City, and such statements shall not be effective or be construed as entering into or forming a part of or altering in any manner whatsoever, the Agreement or the Agreement documents. The entire agreement between the parties with respect to the subject matter hereunder is contained in this Agreement and the Exhibits attached hereto, which may or may not have been dated prior to the execution of this Agreement. All of the above documents are hereby made a part of this Agreement and form the Agreement document as fully as if the same were set forth herein. Should any language in any of the Exhibits to this Agreement conflict with any language contained in this Agreement, then this Agreement shall prevail.

IN WITNESS WHEREOF, the parties have executed this Agreement on the day and year set forth above.

CITY OF PORT ORCHARD, WASHINGTON
By: Robert Putaansuu, Mayor
ATTEST/AUTHENTICATE:
By: Brdh—dne son, CMC City Clerk
APPROVED AS TO FORM:
Attorney

CONSULTANT
By:
Name:
Title:

Contract No. 045-17
Exhibit A

May 10, 2017
CRITICAL INFORMATICS
Presented To:
Allan Martin
City Treasurer
City of Port Orchard
216 Prospect St.
Port Orchard, WA 98366
Telephone: (360) 876-7023
Email: amartin@cityofportorchard.us

PORT ORCHARD, WA
SECURITY ASSESSMENT SERVICES
STATEMENT OF WORK
SOW-2017-017

Submitted By:
Fred Langston CISSP CCSK
Executive Vice President, Professional Services
Critical Informatics Inc.
245 4th Street, Suite 405
Bremerton WA. 98337
Telephone: (206) 973-2098
Email: Fred.Langston@CriticalInformatics.com

May 10, 2017

Table of Contents
GENERAL INFORMATION
KEY BUSINESS AND TECHNICAL CONTACTS
Customer Business Contact Information
Critical Informatics Business Contact & Technical Contact Information
SERVICE DESCRIPTION AND SCOPE
GENERAL DESCRIPTION
Authenticated Vulnerability Scan
Focused Security Assessment
VULNERABILITY ASSESSMENT SCOPE OF ACTIVITY
APPROACH AND METHODOLOGY
Coordination, Planning, & Project Initiation
The City's Resource Requirements
Project Initiation Meeting
VULNERABILITY ASSESSMENT METHODOLOGY
VULNERABILITY ASSESSMENT INITIATION MEETING
Intelligence Gathering
Vulnerability Scanning
Manual Verification
Analysis and Reporting
FOCUSED SECURITY ASSESSMENT
APPROACH AND METHODOLOGY
Coordination, Planning, & Project Initiation
The City Resource Requirements
Project Initiation Meeting
Approach
SCHEDULE
PERIOD OF PERFORMANCE
PROJECT CHANGE CONTROL
SERVICE DELIVERABLES
DESCRIPTION
ACCEPTANCE OF DELIVERABLES
ASSUMPTIONS
COST
FIRM FIXED PRICE COST FOR SERVICES
TRAVEL AND EXPENSE REIMBURSEMENT
SIGNATURES

Notice
Critical Informatics has made every reasonable attempt to ensure that the information contained within this statement of work is correct, current and properly sets forth the requirements as have been determined to date. The parties acknowledge and agree that the other party assumes no responsibility for errors that may be contained in or for misinterpretations that readers may infer from this document.

Non-Disclosure Statement
The information in this document is Critical Informatics Confidential, and cannot be reproduced or redistributed in any way, shape, or form without prior written consent from Critical Informatics Inc.

Trademark Notice
2017 Critical Informatics Inc.
All Rights Reserved, Critical Informatics, the Critical Informatics logo and other trademarks, service marks, and designs are registered or unregistered trademarks of Critical Informatics in the United States and in foreign countries. © Copyright 2017 Critical Informatics Inc.

City of Port Orchard Statement of Work Security Assessment Services May 10, 2017

General Information
This Statement of Work ("SOW"), effective as of the date of the last signature on the signature page to this Statement of Work ("Effective Date"), is by and between Critical Informatics Inc. ("Critical Informatics", "CI") and the City of Port Orchard, WA ("The City", "Customer"). The parties hereby agree as follows:

This Statement of Work is governed by the terms and conditions set forth in the Terms and Conditions as shown in Appendix B: CRITICAL INFORMATICS INC. TERMS AND CONDITIONS.

The information in this document is Critical Informatics Confidential, and cannot be reproduced or redistributed in any way, shape, or form without prior written consent from Critical Informatics Inc.

For the avoidance of doubt, Customer hereby acknowledges and agrees that the offer of pricing and other terms set forth in this Statement of Work shall be valid for 45 days after the date set forth on the cover sheet of this Statement of Work. The offer of pricing and other terms set forth in this Statement of Work shall become effective and binding on Critical Informatics and Customer only upon the execution of this Statement of Work by the parties on the Effective Date.

Key Business and Technical Contacts

Customer Business Contact Information
Name: Allan Martin, Treasurer
Mailing Address: Port Orchard City Hall 216 Prospect St.
Port Orchard, WA 98366
E-Mail Address: amartin@cityofportorchard.us
Phone Number: (360) 876-7023

Critical Informatics Business Contact & Technical Contact Information
Name: Fred Langston, Executive Vice President, Professional Services
Mailing Address: Critical Informatics Inc. 245 4th Street, Suite 405 Bremerton WA. 98337
E-Mail Address: Fred.Langston@CriticalInformatics.com
Phone Number: (206) 973-2098
Fax Number: (425) 671-0928

Service Description and Scope
This section provides a description of services, scope of activity, and support requirements associated with the services.

General Description
Critical Informatics will provide to The City two key services:
■ An authenticated vulnerability assessment against up to 75 IP addresses
■ A focused security assessment of The City's security policies and practices

Authenticated Vulnerability Scan
The authenticated vulnerability assessment (VA) is designed to provide a point in time assessment of known technical vulnerabilities. By performing an authenticated scan, the results include not only discoverable network ports, but also software inventories and patch levels. A VA can be used to not only inform on existing vulnerabilities, but also as a prioritized project list with critical and high vulnerabilities targeted for remediation.

Focused Security Assessment
Our Focused Security Assessment approach may be summarized as a computer and network security assessment intended to provide a point-in-time snapshot of The City's security posture, coupled with a set of prioritized recommendations for increasing the security throughout the organization. The Focused Security Assessment will focus on The City's Enterprise environment and the security management practices supporting that environment.
The assessment methodology is based on standards of practice drawn from multiple sources that include the National Institute of Standards and Technology (NIST) Cyber Security Framework, and possibly the Payment Card Industry Data Security Standard (PCI), and the Health Insurance Portability and Accountability Act (HIPAA).

Vulnerability Assessment

Scope of Activity

Table 1 depicts the scope of activity associated with this engagement.

Table 1: Scope of The City Vulnerability Assessment

Kickoff Meetings: One (1) hour Kick-off/Review conference call. Rules of Engagement, Schedule, target identification plus Architecture Interview, Documentation and Diagram reviews.

Assessment Scope:
■ Reconnaissance and vulnerability scanning of vulnerabilities of up to:
  o 75 network accessible IP addresses
■ Authenticated Vulnerability Assessment
  o 75 network accessible IP addresses
■ Manual Verification of Findings
  o 75 network accessible IP addresses

Approach and Methodology

This section presents Critical Informatics' approach to providing Vulnerability Assessment Services:

Figure 1: Vulnerability Assessment Services Workflow
[Figure: workflow stages. Rules of Engagement (project testing window, communications during testing); Information Gathering (review architecture, functionality provided); Vulnerability Scanning; Manual Verification; Report (written report of findings & recommendations).]

Coordination, Planning, & Project Initiation

Critical Informatics will assign a Lead Consultant to be the primary point of contact for all project work. The Lead Consultant will coordinate, plan, manage, and report all project activities and findings to The City's designated Project Sponsor and/or Project Manager.
Critical Informatics will provide project management for all aspects of this project, including tracking and resolution of project related issues, progress tracking, project reporting, and communication. A key component of Critical Informatics' project management approach is timely reporting of project progress and findings. This enables a proactive approach to addressing security risks discovered during the course of the project, and ensures that all project stakeholders are completely informed at all times. To support this, Critical Informatics will conduct a weekly status report teleconference with The City's project team. Follow-up discussions and deliverables will occur on a case-by-case basis to ensure clear and timely communication of all issues.

The City's Resource Requirements

Achieving The City's objectives will require active participation from both the Critical Informatics Project Lead Consultant as well as The City's own personnel. To ensure the timely and successful completion of this project, The City should expect at least the following resource time commitments from its own personnel:
■ A Project Sponsor should be assigned to provide resolution of issues, escalation of issues, clarification of requirements, sign-off of deliverables, and access to resources as required by the project team. This role will require only 2-3 hours per week of commitment to the project.
■ Additionally, the following activities and estimated time allocations will be performed as part of the project in which The City-identified staff will participate:
  Kick-off meeting: 1 hour

Project Initiation Meeting

Critical Informatics recognizes the value of communication and ongoing collaboration with our customers. As such, we include an up to two hour project initiation meeting (kick-off meeting) with all of our Lead Consultant engagements.
During the meeting, Critical Informatics will address the following topics:
■ Introduce key people at The City and Critical Informatics
■ Exchange contact information (for regular reporting and emergencies)
■ Review communication, notification, and issue escalation procedures
■ Discuss other specific The City requests and rules of engagement
■ Provide detailed description of application architecture and functionality
■ Critical Informatics will discuss the nature and time requirements for specific deliverable types that might be requested by The City during the project, the designated recipient, and the manner in which Critical Informatics will forward those deliverables

Vulnerability Assessment Methodology

Critical Informatics will provide an internal Vulnerability Assessment against the external The City networks. The Technical assessment will be based around vulnerability assessment of up to 75 hosts from an internal access standpoint. An internal Vulnerability Assessment simulates what an attacker with access on the internal network could use to gain access to systems. The following describes the approach and methodology for delivery of a Vulnerability Assessment for this engagement:

Vulnerability Assessment Objectives

Against a provided target IP space or DNS name range:
■ Map out accessible resources
■ Identify vulnerabilities
■ Identify which of those vulnerabilities are exploitable with published tools and techniques

Vulnerability Assessment Initiation Meeting

Critical Informatics recognizes the value of communication and ongoing collaboration with our customers.
During the meeting, Critical Informatics will address the following topics:
■ Introduce key people at The City and Critical Informatics
■ Exchange contact information (for regular reporting and emergencies)
■ Review communication, notification, and issue escalation procedures
■ Discuss other specific The City requests and rules of engagement
■ Provide detailed description of application architecture and functionality
■ Critical Informatics will discuss the nature and time requirements for specific deliverable types that might be requested by The City during the project, the designated recipient, and the manner in which Critical Informatics will forward those deliverables

Figure 2. Vulnerability Assessment Process
[Figure: testing phases and the activity in each.
Information Gathering: information provided by the client or derived from public domain searches.
Vulnerability Scanning: execution of scans using automated tools; enumeration of hosts, services, applications, & vulnerabilities.
Manual Verification: verification of scan results, additional discovery, & elimination of false positives.
Analysis of risks & business impact; development of deliverables.]

Intelligence Gathering

The objective of this first phase is to gain as much knowledge as possible about the target environment through a combination of non-intrusive and somewhat intrusive activities. Equipped with the results of these Intelligence Gathering activities, the team determines its execution plans for the subsequent phases.
■ Project Based Information Gathering
■ Public-domain Information Gathering
■ Network Mapping

Vulnerability Scanning

The objective of this phase is to identify hosts, services and vulnerabilities in the target environment using a suite of customized tools. Critical Informatics performs two
distinct steps during this phase: Host & Service Identification and Vulnerability Identification.
■ Host & Service Identification
■ Vulnerability Identification

Manual Verification

During this phase, Critical Informatics manually confirms the results from the automated tools. This activity serves to filter the data to improve the accuracy and relevance of our technical findings report as it eliminates false positives yielded by the tools. While the scans effectively identify a large portion of the vulnerabilities present, Critical Informatics also executes manual testing to identify certain complex, emerging, or obscure vulnerabilities.

This phase does not generally include exploitation of the identified vulnerabilities to penetrate systems. However, 'inadvertent' exploitation may occur when the vulnerability, by its very nature, is exploited in the process of identifying its presence or when exploitation will identify additional and/or dependent vulnerabilities.

The activities Critical Informatics performs during this phase offer significant value over the sole use of automated tools. Often, vulnerabilities identified using automated tools only are later determined to be false positives with the use of these advanced techniques. Furthermore, such techniques allow Critical Informatics to identify previously undetected vulnerabilities as they can detect counter-security and attack techniques that obscure vulnerabilities from automated tools. For example, a common application running on a non-standard port may exhibit vulnerabilities not discovered by an automated scanner, but detectable using manual testing methods.

At the conclusion of this phase, Critical Informatics will enumerate and validate vulnerabilities discovered through both automated and manual means.
Within the final deliverable report, Critical Informatics will note any particular vulnerability whose presence could neither be validated nor eliminated.

Analysis and Reporting

During the Analysis and Reporting phase, Critical Informatics analyzes the information gathered and documents the findings. Critical Informatics then assigns a rating to each risk identified, based on standards of good practice and Critical Informatics' extensive practical assessment experience. "Risk" is defined as the intersection between Likelihood and Impact. Vulnerabilities are to be given risk scores and sorted in priority order (highest to lowest). Each security vulnerability finding must contain at least the following elements:
■ Vulnerability name and description of vulnerability
■ Risk rating (Likelihood and Impact) with summary of reasoning
■ Remediation recommendations
■ Relevant NIST Cybersecurity Framework subcategory references (e.g. PR.DS-2, DE.CM-7, etc.)

Specifically, Critical Informatics categorizes the risk each finding poses to your enterprise as "Critical", "High," "Medium," or "Low."

Focused Security Assessment

Approach and Methodology

Critical Informatics will then create and conduct up to four (4) focused information-gathering facilitation sessions in one (1) day at The City. The sessions will articulate the required controls, while adding context from the current threat landscape that is relevant. Each of the presentations will focus on the areas that are germane to the audience.
For example: The groups will be interviewed as follows:
■ Two (2) hours — Network Ops / Telecomm / Infrastructure
■ Two (2) hours — Policy / Procedures / Management Issues

The sessions will address the control standards as components that are relevant to each of the audiences (with some overlap), and conduct the delivery of information, as well as its solicitation. As the requirements are presented, a conversational narrative will be used to interview the audience as to how effectively each requirement is being currently met. This conversation will include ideas on how gaps in compliance may be met using open-source, managed services, and other methods that fit local government networks with respect to cost and management requirements.

Critical Informatics will review the results of the interviews and develop a presentation described in the Deliverables section below. A draft of the deliverable will be provided to the Client lead stakeholder for approval prior to delivery in the de-brief sessions listed below.

Coordination, Planning, & Project Initiation

Critical Informatics will provide day-to-day project management for all aspects of this project, including tracking and resolution of project related issues, progress tracking, project reporting, and communication. A key component of Critical Informatics' project management approach is timely reporting of project progress and findings. This enables a proactive approach to addressing security risks discovered during the course of the project, and ensures that all project stakeholders are completely informed at all times.

The City Resource Requirements

Achieving The City's objectives will require active participation from both the Critical Informatics Project Team as well as The City's own personnel.
To ensure the timely and successful completion of this project, The City should expect at least the following resource time commitments from its own personnel:
■ A Project Manager should be assigned to the project to serve as the single point of contact for the Critical Informatics Project Team (The City may choose to assign the Project Sponsor and Project Manager role to the same person). This role will require a commitment of approximately 4 hours during the course of the project.

Project Initiation Meeting

Critical Informatics recognizes the value of communication and ongoing collaboration with our customers. As such, we include a project initiation meeting (kick-off meeting) with all of our engagements. During the meeting, Critical Informatics will address the following topics:
■ Introduce key people at The City and Critical Informatics
■ Exchange contact information (for regular reporting and emergencies)
■ Review scope of services.
■ Review communication, notification, and issue escalation procedures
■ Discuss other specific The City requests and rules of engagement
■ Discuss the involvement of The City staff in the project for the purpose of knowledge transfer and security
■ Critical Informatics will discuss the deliverables required at completion of the project, the designated recipient, and the manner in which Critical Informatics will forward those deliverables

Approach

Step 1 — Information Gathering

Critical Informatics will collect all relevant information from document reviews and staff interviews, and review and verify gathered data. This project will include a combination of onsite and remote work.
During this time, Critical Informatics focuses on information gathering to gain a better understanding of the information security program, policy and procedural implementation, and the environment including:
■ Identification of the organizational structure and essential stakeholders in security management activities
■ The information risk environment
■ Governance, policy management, acceptable risk tolerance
■ Information security planning activities
■ Additional functional components of the security program and the key practices supporting the security program components
■ Operational risk and compliance activities
■ Critical issues confronting The City
■ Prior information security-related assessments
■ The general technical architecture

The City may consider focusing on the following elements:
■ Security training needs for staff
■ Encryption — especially on mobile devices
■ Limit information being passed (especially student or health data)
■ Strengthen passwords with apps, VOW, voicemail PINS
■ Incident response
■ Specific SSL vulnerabilities
■ Physical security of switches

As stated, Critical Informatics will derive most of the information necessary to assess the environment and supporting key practices through documentation reviews, such as policies, procedures, and plans related to information security, and interviews and subsequent discussions with knowledgeable staff responsible for various aspects of information security management including:
■ Executive Management
■ Key business unit leaders
■ Information Security staff
■ Staff focused on Privacy
■ CIO / IT Management / Administrators / Developers
■ Staff focused on Business Continuity and Disaster Recovery
■ Support Functions (HR, Legal, Facilities)
■ Others, as applicable

Step 2 — Review and Analysis

During remote work activities, Critical
Informatics professionals will analyze the information gleaned from documents provided by The City and our interviews with various staff. The objective is to identify critical issues and develop the prioritized recommendations for improvement.

Critical Informatics will assess the current environment and security management practices against standards of practice such as the NIST Cybersecurity Framework, with specifics that may draw on various regulatory requirements, for example the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI-DSS), or the Criminal Justice Information Standard (CJIS), depending on how data housed by the City may be within the purview of those requirements. Critical Informatics will provide prioritized recommendations, based upon risk, so that The City can meet the compliance objectives and strengthen its overall security program.

Step 3 — Reporting

Using the results from Steps 1 & 2, Critical Informatics will develop prioritized recommendations to improve The City's information security program. The recommendations to improve the environment will be based on aforementioned standards of practice, business requirements, internal security-related requirements, and practices used by local government peers. As part of this activity, Critical Informatics will ensure that our recommendations and supporting rationale are clearly understood and appropriate for The City's environment.

Critical Informatics will present any documentation detailing our findings and recommendations in draft form so that The City has an opportunity to review, comment, correct, and approve the format and content prior to finalizing the deliverable documentation. This iterative process helps to ensure that The City can make informed, incremental decisions regarding specific courses of action throughout this review.
Schedule

Period of Performance

The City requests the following project dates. Critical Informatics will make every reasonable attempt to meet the dates requested. The City understands and agrees that changes in critical factors (such as those listed below in Project Change Control, or a delay in signature of this document) may impact Critical Informatics' ability to meet certain dates.

Project Change Control

Critical Informatics has made every attempt to accurately estimate time required to successfully complete the project. The City acknowledges and agrees that if impediments, complications, or The City requested changes in scope arise, these factors are out of the control of Critical Informatics, and the length of the project and associated price could be impacted.

Examples of valid impediments, complications, and changes in scope consist of (but are not limited to):
■ The City initiated delay where Customer is not prepared to allow Critical Informatics to begin work on the agreed upon start date thus resulting in additional cost to Critical Informatics for resources that have been sent to The City's site but cannot begin the Services
■ The City provided information necessary for timely delivery by Critical Informatics is not accurate
■ Delays or problems associated with third party telecommunication equipment.
(This includes, but is not limited to, cabling, servers, routers, hubs, and switches managed or installed by third parties)
■ Malfunctioning hardware
■ Inability to access equipment or personnel that are required to complete the project
■ Conflicts or incompatibilities associated with the installation of hardware or software installed by Critical Informatics
■ The City increases the scope of services requiring additional labor, hardware, software, materials, travel, lodging, meals, or other direct costs

If any change(s) from impediments, complications, or The City changes in the scope of services cause an increase or decrease in the price or level of effort of the SOW, or the time required for the performance of any part of the work to be accomplished hereunder, whether or not such work is specifically identified in the written change, then the price, delivery schedules and other affected provision(s), if any, as applicable, shall be equitably adjusted and this SOW shall be modified in writing by the mutual agreement of the parties in accordance with this Section.

Service Deliverables

Description

Critical Informatics will provide the following deliverables as part of this project:

Table 2: Deliverable Description

Internal Vulnerability Assessment Report: A report detailing the technical testing methodology, findings and recommendations for remediation identified during the testing.
Focused Security Assessment Report: A report describing the activities performed, the findings and risk identified along with a set of prioritized recommendations and next steps to mitigate the risks and increase the security posture of The City

Acceptance of Deliverables

The City has five (5) business days to inspect and acknowledge full delivery of the Services to be provided by Critical Informatics hereunder upon completion and delivery of the Services by Critical Informatics. The City will indicate such acknowledgement by signing Critical Informatics' Project Completion Form, a sample of which is attached as Appendix A: Project Completion Form.

If The City believes that Critical Informatics has not fully delivered the Services to be provided hereunder and refuses to sign the Project Completion Form on that basis, The City shall identify in reasonable detail the specific Services or deliverables which The City believes were not delivered, with specific reference to the corresponding sections of this SOW, via written notice to Critical Informatics within such five (5) business day period. Following Critical Informatics' receipt of any such notification, the parties shall cooperate in good faith to promptly address and resolve any remaining Service delivery requirements. Upon Critical Informatics' delivery of the remaining Services, if any, The City's right to inspect and acknowledge full delivery shall be as stated above.

If The City fails to provide such acknowledgement or notice within the five (5) business days of receiving final deliverables, The City agrees that the services shall be deemed fully delivered to The City, even if The City has not signed the Critical Informatics Project Completion Form.

Assumptions

Critical Informatics used the following assumptions during development of this SOW.
Any changes to these assumptions may affect the price and schedule commitment
■ The City will provide Critical Informatics access to the business, customer, and technical information, and facilities necessary to execute the solution
■ The City will provide Critical Informatics on-site and off-site access to documents necessary for this assessment
■ The City will ensure that appropriate personnel are available to meet with Critical Informatics, as necessary
■ The Critical Informatics professional working day is eight hours, including reasonable time for meals. Critical Informatics understands that occasions arise during customer engagements that require a longer or shorter working day. Critical Informatics will not be obligated to extend engagements when delays result from The City's inability to meet stated prerequisites prior to an engagement, nor when delays result from The City personnel not being available to provide required support.
■ During this effort, Critical Informatics will not be responsible for negotiations with hardware, software, or other vendors, or any other contractual relationship between The City and third parties. Critical Informatics, at the request of The City, will provide input to The City regarding optimal product or vendor selection
■ Any application code, documentation, and/or presentations developed under this SOW will be in English
■ Critical Informatics will perform the work between 8:30am and 5:00pm (local time). After-hour and weekend work (when required), must be explicitly identified below or as otherwise agreed to in writing by the parties:

After-hours required? Yes ❑ No
Weekend hours required? Yes ❑ No
Location of onsite services? Port Orchard City Hall, 216 Prospect St., Port Orchard, WA 98366

Cost

Firm Fixed Price Cost for Services

Critical Informatics will provide the services for a Firm Fixed Price (FFP) for labor as of $11,440.
Travel and Expense Reimbursement

Travel, meals, lodging, and other direct costs for the described effort are not expected in the execution of the body of work above and shall not be billed to The City.

Signatures

IN WITNESS WHEREOF, the parties have caused this Statement of Work to be executed and do each hereby warrant and represent that their respective signatory whose signature appears below has been and is on the date of this Statement of Work duly authorized by all necessary and appropriate corporate action to execute this Statement of Work.

PAYMENT (Must check one)
❑ A purchase order has been approved and a copy is attached to this SOW.
❑ My company does not issue purchase orders for these product and/or services ordered. In order to ensure correct and timely invoicing, I have provided a reference number and billing information to be identified on the invoice.

Reference #:
Billing Contact Name:
Billing Address:
Billing Contact Phone:
Billing Contact Email:

Critical Informatics Inc.
Signature:
Printed Name:
Title:
Date:

City of Port Orchard, WA
Signature:
Printed Name:
Title:
Date:

Critical Informatics Inc. has completed all of the agreed upon tasks outlined in the Statement of Work titled "Security Assessment Services" and dated May 10, 2017.

City of Port Orchard, WA
Signature:
Printed Name:
Title:
Date:

Please email the signed lt3i m to %xe Ward at tt inee.Ward@Critkallnfcormattes,com.

1. PAYMENTS.

Customer shall pay Critical Informatics Inc. the fees specified without deduction, setoff or delay for any reason. Such payment shall be made: (i) in U.S. Dollars, (ii) within thirty (30) days from the invoice date, and (iii) in accordance with the terms of the invoice. All fees paid are non-refundable.
Beginning the day after the due date of the invoice, interest shall be due and payable by Customer at the rate of one and one-half percent (1.5%) per month or the highest rate allowed by law, whichever is less, on any portion of the invoice which has not been paid. Customer is responsible for payment of all taxes applicable to this Statement of Work, except for any tax on Critical Informatics Inc.'s net income.

2. CONFIDENTIAL INFORMATION

The Parties acknowledge that by reason of their relationship under this Statement of Work, they may have access to and acquire Confidential Information of the other Party. Each Party receiving Confidential Information (the "Receiving Party") agrees to maintain all such Confidential Information received from the other Party (the "Disclosing Party"), both orally and in writing, in confidence and agrees not to disclose or otherwise make available such Confidential Information to any third party without the prior written consent of the Disclosing Party; provided, however, that the Receiving Party may disclose the terms of this Statement of Work to its legal and business advisors if such third parties agree to maintain the confidentiality of such Confidential Information under terms no less restrictive than those set forth herein. The Receiving Party further agrees to use the Confidential Information only for the purpose of performing this Statement of Work.
Notwithstanding the foregoing, the obligations set forth herein shall not apply to Confidential Information which: (i) is or becomes a matter of public knowledge through no fault of or action by the Receiving Party; (ii) was lawfully in the Receiving Party's possession prior to disclosure by the Disclosing Party; (iii) subsequent to disclosure, is rightfully obtained by the Receiving Party from a third party who is lawfully in possession of such Confidential Information without restriction; (iv) is independently developed by the Receiving Party without resort to the Confidential Information; or (v) is required by law or judicial order, provided that the Receiving Party shall give the Disclosing Party prompt written notice of such required disclosure in order to afford the Disclosing Party an opportunity to seek a protective order or other legal remedy to prevent the disclosure, and shall reasonably cooperate with the Disclosing Party's efforts to secure such a protective order or other legal remedy to prevent the disclosure.

3. RELATIONSHIP BETWEEN CRITICAL INFORMATICS INC. AND CUSTOMER.

The parties to this Statement of Work are independent contractors. Neither party is an agent, representative, or partner of the other party. Neither party shall have any right, power, or authority to enter into any agreement for or on behalf of, or incur any obligation or liability of, or to otherwise bind, the other party. Each party shall bear its own costs and expenses in performing this Statement of Work.

4. INTELLECTUAL PROPERTY OWNERSHIP

A. Customer will own all right, title and interest in and to the Deliverables. For purposes of this Statement of Work, the term "Deliverables" shall mean any deliverables created by Critical Informatics Inc.
during the performance of the Services that are specifically identified in this Statement of Work, whether published or unpublished, Deliverables excludes any Critical Informatics Inc. Intellectual Property. All Deliverables shall be considered a work made for hire, to the fullest extent permitted by law and all right, title and interest therein, including the intellectual property rights, shall be the property of Customer. In the event that any said Deliverables or portion thereof shall not be legally qualified as a work made for hire, or shall subsequently be so held to not be a work made for hire, Critical Informatics Inc. agrees to assign, and does hereby so assign to Customer, all right, title and interest in and to said work or portion thereof, including, but not limited to, the intellectual property rights, extensions of such rights and renewal rights therein. Critical Informatics Inc., without charge to Customer, shall duly execute, acknowledge and deliver to Customer all such further papers, including assignments and applications for intellectual property registration or renewal, as may be necessary to enable Customer to publish or protect said works by copyright, patent or otherwise in any and all countries and to vest title to said works in Customer, or its nominees, their successors or assigns, and shall render all such assistance as Customer may require in any proceeding or litigation involving the rights in said works.

B. Critical Informatics Inc. will own right, title, and interest in all Critical Informatics Inc. Intellectual Property. To the extent the Deliverables contain or include any Critical Informatics Inc. Intellectual Property, Critical Informatics Inc. hereby grants to Customer and its Affiliates (defined below), a perpetual, revocable, worldwide, royalty-free, non-exclusive, limited, right and license to use, execute or copy, the Critical Informatics Inc.
Intellectual Property solely for its internal business purposes and solely in connection with Customer's use of the Services or Deliverables. For purposes of this Statement of Work, the term "Critical Informatics Inc. Intellectual Property" means, collectively, (i) all Pre-Existing Works, which shall mean all work product created, conceived, developed or first reduced to practice by Critical Informatics Inc., either solely or in collaboration with others, prior to Critical Informatics Inc.'s delivery of the Services including, without limitation, designs, inventions, improvements, processes, computer programs, software, source code, object code, graphics, pictorial representations, user interfaces, functional specifications, reports, spreadsheets, presentations and analyses, (ii) all Derivative Works, which shall mean a work which is based upon or related to one or more Pre-Existing Works such as a revision, modification, translation, abridgement, condensation, expansion or any other form in which such Pre-Existing works may be recast, transformed, or adapted, whether that work stands alone or is combined with other works and which may include processes, methods and procedures, (iii) methodologies, concepts, know-how and techniques utilized to produce the Deliverables (and any improvements or modifications thereto developed in the course of providing the Services) and any ideas, concepts, text, formats and industry best practices which are of a generally applicable nature and do not include or reference the Confidential Information of Customer, and (iv) all Documentation, which shall mean user manuals and other written materials that relate to the Intellectual Property or to the Services provided hereunder. 5. 
REPRESENTATIONS AND WARRANTIES; DISCLAIMERS Customer represents and warrants that it (i) has the corporate power and authority to enter into this Statement of Work and to fully perform its obligations under this Statement of Work; and (ii) will not make any unauthorized representation or warranty to any third party relating to any Services. Critical Informatics Inc. represents and warrants that (i) it has the corporate power and authority to enter into this Statement of Work and to fully perform its obligations under this Statement of Work (ii) the Services performed under this Statement of Work shall be performed or provided by competent personnel in a professional and workmanlike manner. EXCEPT AS SPECIFICALLY SET FORTH IN THIS STATEMENT OF WORK, THE SERVICES PERFORMED AND ANY ITEMS FURNISHED UNDER THIS STATEMENT OF WORK, INCLUDING BUT NOT LIMITED TO DATA, REPORTS, DOCUMENTATION, DELIVERABLES, HARDWARE AND SOFTWARE OF ANY KIND, AND ANY RECOMMENDATIONS OR CONCLUSIONS CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS WITH NO WARRANTIES OR REPRESENTATIONS OF ANY KIND. CRITICAL INFORMATICS INC. MAKES NO WARRANTY, EXPRESS OR IMPLIED, THAT THE SERVICES WILL RENDER CUSTOMER'S NETWORK AND SYSTEMS SAFE FROM MALICIOUS CODE, INTRUSIONS, OR OTHER SECURITY BREACHES. CRITICAL INFORMATICS INC. SPECIFICALLY DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE OR NON-INFRINGEMENT, AS WELL AS ANY WARRANTIES ALLEGED TO HAVE ARISEN FROM CUSTOM, USAGE, OR PAST DEALINGS BETWEEN THE PARTIES. 6. LIMITATION OF LIABILITY A. 
EXCEPT WITH RESPECT TO FEES DUE UNDER SECTION 1, A BREACH OF SECTION 2 OR 4, OR INDEMNIFICATION OBLIGATIONS UNDER SECTION 7, (i) EACH PARTY'S LIABILITY TO THE OTHER PARTY, INCLUDING ALL LIABILITIES ARISING OUT OF OR RELATED TO THIS STATEMENT OF WORK, FROM ANY CAUSE OR CAUSES, AND REGARDLESS OF THE LEGAL THEORY, INCLUDING BREACH OF CONTRACT, WARRANTY, NEGLIGENCE, STRICT LIABILITY, OR STATUTORY LIABILITY, SHALL NOT IN THE AGGREGATE EXCEED THE AMOUNTS PAID OR PAYABLE TO CRITICAL INFORMATICS INC. UNDER THIS STATEMENT OF WORK, AND (ii) IN NO EVENT SHALL CRITICAL INFORMATICS INC. OR CUSTOMER BE LIABLE TO THE OTHER FOR ANY SPECIAL, INDIRECT, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR ECONOMIC DAMAGES (INCLUDING, BUT NOT LIMITED TO LOST PROFITS, LOSS OF USE OF DATA AND LOST BUSINESS OPPORTUNITY), REGARDLESS OF THE LEGAL THEORY UNDER WHICH DAMAGES ARE SOUGHT, AND EVEN IF THE PARTIES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 7. INDEMNIFICATION. A. Each party (the "Indemnitor") shall indemnify, defend and hold harmless the other party (the "Indemnitee") and its officers, directors, employees, agents, subsidiaries and Affiliates (as defined below) from and against any and all third party claims, demands, lawsuits, causes of action, losses, damages, liabilities, costs and expenses, including reasonable attorney's fees, related to or arising out of (i) Indemnitor's material breach of a specific representation or warranty hereunder; (ii) Indemnitor's willful misconduct or grossly negligent acts or omissions of the Indemnitor; and (iii) solely with respect to Critical Informatics Inc.'s indemnification of Customer, and subject to Critical Informatics Inc.'s rights below, any alleged infringement of any United States patent, copyright or trade secret by the unmodified Services, Deliverables or Critical Informatics Inc. Intellectual Property as delivered by Critical Informatics Inc. 
(excluding any open source components or third party specifications). In the event of any claim, suit, or proceeding relating to intellectual property infringement, Critical Informatics Inc. shall have the right, at its sole option, to obtain the right to continue use of the affected Services, Deliverables or Critical Informatics Inc. Intellectual Property, or to replace or modify the affected Services, Deliverables or Critical Informatics Inc. Intellectual Property so that they may be used without infringement of a third party's United States patent, copyright or trade secret rights. If neither of the foregoing options is available to Critical Informatics Inc. on a commercially reasonable basis, Critical Informatics Inc. may terminate this Statement of Work immediately upon written notice to Customer, and within thirty (30) days after such termination shall pay Customer a termination fee equal to fees paid for the infringing Services or Deliverables. Upon such termination, Customer will have no further right to use the infringing Services, Deliverables or Critical Informatics Inc. Intellectual Property and shall promptly return any such Deliverables of Critical Informatics Inc. Intellectual Property to Critical Informatics Inc. NOTWITHSTANDING ANY OTHER PROVISION OF THIS STATEMENT OF WORK, THE RIGHTS AND REMEDIES SET FORTH IN SECTION CONSTITUTE THE ENTIRE OBLIGATION OF CRITICAL INFORMATICS INC. AND THE EXCLUSIVE REMEDIES OF CUSTOMER WITH RESPECT TO ANY THIRD PARTY INTELLECTUAL PROPERTY INFRINGEMENT CLAIM. B. The Indemnitor agrees to promptly notify the Indemnitee of any such claims, to permit the Indemnitee to control any resulting litigation or settlements and to reasonably cooperate with the defense of any such claims at the Indemnitor's expense. 
The Indemnitor shall not have any right, without the other party's consent, (which will not be unreasonably withheld), to settle any such claim if such settlement arises for or is part of any criminal action, suit or proceeding or contains a stipulation to or an admission or acknowledgement of, any liability or wrongdoing (whether in contract, tort, or otherwise) on the part of the other party). As used herein, "Affiliate" means any entity controlling, controlled by, or under common control with Critical Informatics Inc. or Customer. The term "control" and its correlative meanings, "controlling," "controlled by," and "under common control with," means the legal, beneficial or equitable ownership, directly or indirectly, of more than fifty percent (50%) of the aggregate of all voting equity interests in an entity. 8. A. Term. This Statement of Work will remain in force until the Services and Deliverables have been delivered ("Term"), unless terminated sooner as set forth below. B. Termination for Cause. In the event of a material breach of this Statement of Work, the non-breaching party may terminate this Statement of Work if such breach is not cured within thirty (30) days after written notice thereof. C. Termination for Bankruptcy. A party may terminate this Statement of Work by giving written notice to the other party if that other party makes an assignment for the benefit of creditors, becomes unable to pay its debts as they become due, dissolves or liquidates or files a voluntary petition in bankruptcy or a similar proceeding; if an involuntary petition in bankruptcy or a similar proceeding is filed against that other party and is not stayed or dismissed within thirty (30) days; if a receiver is appointed for all or substantially all of that other party's assets; or if execution is made on all or substantially all of that other party's assets. D. 
Effect of Termination. Upon the effective date of a termination, Critical Informatics Inc. shall inform Customer of the extent to which Critical Informatics Inc.'s performance is completed through such date. At the same time, Critical Informatics Inc. shall collect and deliver to Customer whatever portion of the Deliverables have been completed, provided, however, that Critical Informatics Inc. has received all payments in full. Critical Informatics Inc. shall be entitled, in the event of any termination, to be paid for all Services performed through the effective date of termination. E. Survival. In addition to the terms of this Section, Sections 1, 2, 4, 5, 6, 7, and 9 shall survive any termination or expiration of this Statement of Work. 9. MISCELLANEOUS A. Entire Agreement. This Statement of Work and any amendments thereto, constitutes the entire agreement between the parties hereto relating to the subject matter hereof and supersedes all prior oral and written and all contemporaneous oral negotiations, commitments and understandings of the parties. This Statement of Work shall not be modified or amended in any respect, nor shall any of its terms or conditions be waived, except by a subsequent writing, mutually agreed upon and executed by the authorized representatives of both parties. B. Third Party Beneficiaries. No provisions of this Statement of Work are intended nor shall be interpreted to provide or create any third party beneficiary rights or any other rights of any kind in any other party. C. Publicity. Any press release or other public announcement relating to the existence or terms of this Statement of Work, or any relationship between the parties, must be approved in advance in writing by the parties. D. Legal Effect. 
If any provision of this Statement of Work shall be held illegal, invalid or unenforceable, the remaining provisions shall continue in full force and effect, and the parties shall substitute for the invalid provision a valid provision which most closely approximates the economic effect and the intent of the invalid provision. E. Waiver. No delay or failure by either party to exercise or enforce at any time any right or provision of this Statement of Work shall be considered a waiver thereof or of such party's right thereafter to exercise or enforce each and every right and provision of this Statement of Work. A waiver to be valid shall be in writing, but need not be supported by consideration. No single waiver shall constitute a continuing or subsequent waiver. F. No Hire. During the Term of the Statement of Work and for a period of one year thereafter, neither Critical Informatics Inc. nor Customer shall knowingly recruit, or solicit for hire any of the other party's employees assigned to this effort. Notwithstanding the foregoing, former employees of Critical Informatics Inc. who have left the employ of Critical Informatics Inc. for a period of six months after last performing hereunder are not subject to this provision. G. Force Majeure. 
Neither party shall be deemed in default hereunder, nor shall it hold the other party responsible for, any cessation, interruption or delay in the performance of its obligations hereunder due to earthquake, flood, fire, storm, natural disaster, act of God, war, armed conflict, terrorism, labor strike, lockout, boycott, or other similar events beyond the reasonable control of a party, provided that the party relying upon this Section shall have given the other party written notice thereof promptly and, in any event, within five (5) days of discovery thereof and (ii) shall take all steps reasonably necessary under the circumstances to mitigate the effects of the force majeure event upon which such notice is based; provided further, that in the event a force majeure event described in this Section extends for a period in excess of thirty (30) days in the aggregate, either party may immediately terminate this Statement of Work. H. Governing Law. This Statement of Work shall be governed and construed in all respects in accordance with the laws of the State of Washington, without giving effect to conflict of laws principles thereof. The parties hereby consent to the jurisdiction of the state courts of the State of Washington and the United States Federal District Court for the Western District of the State of Washington for any action or proceeding brought by either of them on or in connection with this Statement of Work or any alleged breach thereof. I. Assignment. Neither Customer nor Critical Informatics Inc. may assign or transfer this Statement of Work without the prior written approval of the other party; provided, however, that the sale of any portion of the assets of one party, or any of its subsidiaries, or its acquisition by or merger into another company, shall not be deemed an assignment of this Statement of Work. Any assignment in violation of this Section shall be void. 
Subject to the foregoing, this Statement of Work shall be binding upon and inure to the benefit of the successors and assigns of Customer and Critical Informatics Inc.