BPM, LLP ~ C210101 ~ Information Security Assessment Services
CITY OF TIGARD, OREGON - CONTRACT SUMMARY FORM
THIS FORM MUST ACCOMPANY EVERY CONTRACT
Contract Title: Information Security Assessment Services Number: C210101
Contractor: BPM, LLP Contract Total: $34,300
Contract Overview: Cybersecurity risk assessment. Assist with developing and implementing appropriate
safeguards.
Initial Risk Level: ❑ Extreme ❑ High ☒ Moderate ❑ Low
Risk Reduction Steps:
Risk Comments:
Risk Signature:
Contract Manager: Kelly Johnson Ext: 2771 Department: IT
Type: ❑ Personal Svc ❑ Professional Svc ❑ Public Imp ❑ General Svc ☒ Coop Purchase
❑ Other: Start Date: End Date:
Quotes/Bids/Proposal: FIRM AMOUNT/SCORE
N/A
Account String: Fund-Division-Account Work Order-Activity Type Amount
FY
FY
FY
FY
FY
Approvals - LCRB Date:
Department Comments:
Department Signature:
Purchasing Comments:
Purchasing Signature:
City Manager Comments:
City Manager Signature:
After securing all required approvals, forward original copy to the Contracting and Purchasing Office along with a
completed Contract Checklist.
CITY OF TIGARD PARTICIPATING AGREEMENT #C210101
STATE OF OREGON AND THE OREGON COOPERATIVE PURCHASING PROGRAM (ORCPP)
through
ORCPP AGREEMENT #8263
BPM, LLP
184 East 11th Avenue, Suite 210
Eugene, OR 97401
RE: Information Security Services
SPECIFICATIONS FOR SERVICES: Contractor provides services for the City of Tigard as described in the State of Oregon Master
Services Agreement #8263 and as described in Attachment 1, City of Tigard Proposal.
EFFECTIVE DATE AND DURATION: The initial term of this Agreement shall begin on February 16, 2021 and expires on June 30, 2021
unless terminated sooner as provided herein.
CONSIDERATION: The City agrees to pay Contractor a sum not to exceed $34,300.00 for provision of and completion of the work in
accordance with the schedule identified in Attachment 1 herein attached. Interim payments shall be made to the Contractor with the
Contractor billing the City on a monthly basis for the total amount worked. Tax exemption certificates can be furnished to Contractor upon
request.
INSURANCE: Contractor and its subcontractors must maintain insurance acceptable to the City in full force and effect through the term
of this Agreement. Such insurance must cover risks arising directly or indirectly out of Contractor's activities or work hereunder, including
the operations of its subcontractors of any tier.
Additional Insured Provisions: All required insurance policies other than Workers' Compensation and Professional Liability must name the
City, its officers, employees, agents and representatives as additional insureds with respect to this Agreement.
Certificates of Insurance: Prior to full execution of this Agreement, Contractor will furnish the City with the required Certificate of Insurance
referencing this Agreement by number, if known, coverage dates, amount, and type of insurance required by this Agreement.
BUSINESS LICENSE: Prior to execution of any performance under this Agreement, Contractor must obtain a City of Tigard Business
License.
HOURS OF LABOR, PAY EQUITY: In accordance with ORS 279B.235, the following are hereby incorporated in full by this reference:
Contractor may not employ an individual for more than 10 hours in any one day, or 40 hours in any one week, except as provided by law. For
contracts for personal services, as defined in ORS 279A.055, Contractor must pay employees at least time and a half pay for all overtime the
employees work in excess of 40 hours in any one week, except for employees who are excluded under ORS 653.010 to 653.261 or under 29
U.S.C. 201 to 209 from receiving overtime.
Contractor must give notice in writing to employees who work on a public contract, either at the time of hire or before commencement of
work on the contract, or by posting a notice in a location frequented by employees, of the number of hours per day and days per week that
the employees may be required to work.
Contractor may not prohibit any of Contractor's employees from discussing the employee's rate of wage, salary, benefits or other
compensation with another employee or another person and may not retaliate against an employee who discusses the employee's rate of
wage, salary, benefits or other compensation with another employee or another person.
Contractor must comply with the pay equity provisions in ORS 652.220. Compliance is a material element of this Agreement and failure to
comply will be deemed a breach that entitles the City to terminate this Agreement for cause.
Attached: State of Oregon Master Services Agreement
City of Tigard Participating Agreement #C210101 Page 1 of 2
CONTRACT NUMBER: C210101
CONTRACT TITLE: Information Security Assessment Services
CITY OF TIGARD
Signature / Printed Name: Steve Rymer
Date: 02/22/2021
BPM, LLP
Signature / Printed Name: David Trepp, Partner in Charge, BPM LLP
Date: February 2, 2021
Master Services Agreement #8263
This Master Services Agreement ("MSA") is between the State of Oregon ("State")
acting by and through its Department of Administrative Services ("DAS") on behalf
of state agencies and members of the Oregon Cooperative Purchasing Program
("Authorized Purchasers") and BPM, LLP ("Consultant").
Recitals
A. DAS desires to engage Consultant through this MSA to make available to
DAS and other Authorized Purchasers certain Information Security Services, as
described on Exhibit B ("Services").
B. On January , 2018, DAS issued RFP #DASPS-1410-18 to provide authority to
award contracts to Consultant and other providers of the Services. This is not an
exclusive agreement.
C. Consultant desires to perform the Services for DAS, agencies of the State of
Oregon that are subject to DAS procurement authority according to ORS
279A.050 and 279A.140 and that are authorized to use this MSA through a
delegation of authority according to OAR 125-246-0170 ("Authorized Agencies"),
and any non-Authorized Agency participant in the Oregon Cooperative
Purchasing Program operated by DAS ("ORCPP Member"), pursuant to the
terms of this MSA. DAS, Authorized Agencies and ORCPP Members are
collectively referred to as "Authorized Purchasers."
Agreement
DAS and Consultant agree as follows :
1. Purpose of MSA. This MSA establishes terms and conditions applicable to
Consultant and DAS in connection with the Services, including but not limited to:
1.1. the form of the ordering instruments to be used by Authorized Agencies
and Consultant to enter contracts for Services, including Work Order Contracts
("WOCs") or other ordering instruments (collectively, "Contracts");
1.2. the terms and conditions applicable to Contracts;
1.3. the process through which Contracts will be created; and
1.4. the pricing applicable to Contracts.
This MSA is a Basecamp agreement and is subject to the provisions of the Vendor
Management Program. Consultant shall comply with all requirements of the
Vendor Management Program.
Authorized Agencies and Consultant may enter into binding and enforceable
contracts for Services only by execution of Contracts, substantially in the forms
attached hereto as Exhibits C-1 and C-2.
Page 1 of 60
Other Authorized Purchasers may enter into Contracts substantially in the form of
Exhibits C-1 and C-2, but are not required to do so and may use forms or other
ordering instruments as agreed upon by the Authorized Purchaser and Consultant.
Each Contract will specify the Services to be performed, the associated
deliverables to be delivered, and will incorporate the terms and conditions in
Exhibit A as applicable to the Contract.
2. Effective Date and Term. This MSA is effective on the later of (i) August 1, 2018
or (ii) the date that it has been executed by DAS and Consultant, and has been
approved as required by applicable law ("Effective Date"). Unless terminated or
extended, this MSA expires on July 31, 2020 ("MSA term"). DAS and Consultant
may extend this MSA by written agreement, provided, however, that the MSA term
including the initial term and any renewals will not extend longer than 10 years
from the Effective Date. MSA expiration or termination does not extinguish or
prejudice DAS' right to enforce this MSA with respect to any Consultant breach or
any default or defect in Consultant performance that has not been cured.
3. MSA Documents. This MSA includes the MSA and its exhibits which are
attached and incorporated by reference. If a conflict, inconsistency or ambiguity
exists among any portion of this MSA and any other documents, then the issue
must be interpreted in the following order of precedence, starting with the MSA
less all exhibits:
3.1. This MSA less all exhibits;
3.2. Exhibit A, Contract Terms;
3.3. Exhibit E, Performance Standards and Metrics;
3.4. Exhibit B, Description of Services; Pricing;
3.5. Exhibit F, Insurance;
3.6. Exhibit D, Volume Sales Report and Vendor Collected Administrative
Fee; and
3.7. Exhibit C-1, Work Order Contract Form.
4. Firm Offer Established; Pricing Changes.
4.1. Firm Offer Established. This MSA constitutes a firm offer by Consultant
regardless of whether any Contract for Services is executed. This MSA is
enforceable as a firm offer pursuant to ORS 279B.140 for the MSA term
specified in section 2, and all pricing in Exhibit B is valid until the MSA expires
or is terminated, unless the pricing is changed according to subsection 4.2.
Notwithstanding ORS 72.2050, obligations under this MSA are not revocable
by Consultant.
4.2. Pricing Changes. Consultant shall keep pricing specified in Exhibit B
fixed for at least the first twelve (12) full months of this MSA. Thereafter, DAS
and Consultant may adjust pricing no more than once annually by MSA
amendment. Consultant shall submit all pricing increase requests to DAS in
writing and provide substantiating evidence that each request is based on
demonstrable market changes impacting the cost of the Services. Pricing
changes will apply to Contracts and amendments to Contracts entered on and
after the effective date of the pricing change.
5. Non-exclusive MSA; Consultant Selection.
5.1. Non-exclusivity. This MSA is not exclusive. Each Authorized Purchaser
retains the right to contract for Services through any selection process
authorized by law, or to perform the Services itself. Neither DAS nor any other
Authorized Purchaser guarantees that any specific number of Contracts will be
entered or that any specific amount of Services will be required.
5.2. Consultant Selection. In the event DAS awards more than one Master
Services Agreement, Authorized Purchaser must conduct a best value analysis
process to select the Consultant. Authorized Purchaser shall issue a request
for quote to all Master Services Agreement holders detailing the Service need
and evaluation criteria, including: Service availability, time for delivery or
performance, costs, and any other factors. If Authorized Purchaser elects to
award a Contract, Authorized Purchaser shall award the Contract to the
Consultant with the offer that is in the best interest of Authorized Purchaser.
Authorized Purchaser's determination is final.
5.3. Successors and Assigns. Consultant may not assign or transfer any of
its interest in this MSA without DAS' prior written consent. Except that,
Consultant may assign or transfer the MSA without DAS' prior written consent
in the event of merger or sale of substantially all its assets, provided Consultant
sends DAS written notice of the assignment or transfer within thirty (30)
Calendar Days of the effective date of the merger or sale. The MSA and all
Contracts are binding upon and shall inure to the benefit of DAS and
Authorized Purchaser and Consultant and their respective successors and
permitted assigns.
6. Signed Contract Required for Services.
6.1. Contract Form. DAS and Authorized Agencies must use a WOC or PO
form substantially similar to the forms attached as Exhibits C-1 or C-2. ORCPP
Members may use their own forms of WOC or PO as agreed upon with
Consultant.
6.2. Contract Negotiation. Prior to signing a Contract, Authorized Purchaser
and Consultant may negotiate the specific Services to be included in the
Contract from the Description of Services set forth in Exhibit B, including but
not limited to the cost of the Services. Authorized Purchaser and Consultant
may negotiate a fixed price or maximum amount payable for the Services
under the Contract based on the pricing specified in Exhibit B. Consultant's
pricing under any resulting Contract shall not exceed the pricing specified in
Exhibit B.
6.3. Contract Content. To order Services, Authorized Purchasers complete
the best value selection process set forth in section 5.2 above and must submit
a Contract to the selected Consultant that specifies all of the following:
6.3.1. Language stating that the Contract is submitted under this MSA and
the MSA number;
6.3.2. Language incorporating all Contract terms and conditions of Exhibit
A into the Contract, which may be modified by ORCPP Members only for
consistency with applicable law;
6.3.3. Clear description of the required Services and associated
deliverables;
6.3.4. Rates and maximum amount payable for the Services (including
travel and other expenses);
6.3.5. Required delivery schedule for the Services;
6.3.6. Invoicing address; and
6.3.7. Name of Authorized Purchaser's authorized representative and
contact information for that individual, including telephone number and
e-mail address.
6.4. Contract Rejection. Consultant shall reject Contracts that do not comply
with this section 6. Consultant also shall reject Contracts that are not from
Authorized Purchasers. Consultant may verify ORCPP Members at:
http://www.oregon.gov/DAS/SSD/SPO/index.shtml.
6.5. Contract Creation. Each fully executed Contract creates a separate
contract between Authorized Purchaser and Consultant that is enforceable
according to its terms and is independent of all other executed Contracts.
Each Contract consists only of the terms specified for Contracts in this MSA
and no other terms, regardless of source. DAS is an intended beneficiary
under each Contract between Authorized Purchasers and Consultant. DAS is
not obligated or liable to Consultant under any Contract unless DAS is
purchasing the Services as the Authorized Purchaser.
6.6. Authorized Purchasers' Liability under Contracts. Consultant shall
look solely to the Authorized Purchaser for any rights and remedies
Consultant may have at law or in equity arising under any Contract between
Consultant and the Authorized Purchaser. Consultant acknowledges and
agrees that DAS is not liable to Consultant under any Contract entered into
between Consultant and an Authorized Agency or an ORCPP Member unless
DAS is purchasing the Services as the Authorized Purchaser.
7. Payment. Authorized Purchasers will pay Consultant for Services and
associated deliverables according to the payment methodology specified in the
applicable Contract. Authorized Purchasers will pay Consultant only for Services
that Consultant has delivered or completed and Authorized Purchaser has
accepted.
8. Services; Pricing. Attached hereto as Exhibit B is a list of the Services and
applicable price available pursuant to this MSA.
Consultant shall perform the Services as set forth in the Statement of Work, in
accordance with the standards and methodologies set forth in the Contract,
Statement of Work, the Performance Standards and Metrics set forth in Exhibit E
attached hereto and as set forth elsewhere in this MSA or applicable Contract.
Consultant may use various software products, applications or tools ("Products") to
perform the Services, provided, however, Consultant may not sell the Products
to Authorized Purchaser pursuant to the provisions of this MSA. Consultant
agrees to perform the Services:
• Employing a methodology that conforms to the standards established by
the Project Management Institute (PMI) as described in the Project
Management Body of Knowledge (PMBOK), current edition, supplemented
by standards set forth in ISO 12207; and
• In compliance with the applicable requirements set forth in DAS/OSCIO
Oregon Statewide IT and Information Security Policies, found at
http://www.oregon.gov/DAS/op/Pages/policies.aspx as those policies are
amended from time to time.
Consultant shall cooperate with Authorized Purchaser and its other contractors or
designated third parties, including its Quality Assurance contractor.
9. Volume Sales Report and Vendor Collected Administrative Fee.
As set forth in Exhibit D, Consultant shall submit Volume Sales Reports and
Vendor Collected Administrative Fees to DAS.
10. Representations and Warranties: Consultant represents and warrants to
DAS that:
10.1. Consultant is not an "officer," "employee," or "agent" of DAS, as those
terms are used in ORS 30.265;
10.2. Consultant fully understands and will perform its obligations under this
MSA;
10.3. Consultant is qualified to do business in the State of Oregon and will
remain qualified throughout the MSA term;
10.4. Consultant is not in arrears in the payment of any monies due and
owing the State of Oregon, or any department or agency or political
subdivision thereof, including but not limited to the payment of taxes and
employee benefits, and will not become so during the MSA;
10.5. Consultant shall comply with the federal, state, and local laws,
ordinances, rules, and regulations applicable to Consultant and to its
performance under this MSA;
10.6. Nondiscrimination in Employment. Consultant certifies, in
accordance with ORS 279A.112, that it has in place a policy and practice of
preventing sexual harassment, sexual assault, and discrimination against
employees who are members of a protected class¹, as defined by subsection
2(1)(b) of ORS 279A.112. As a material condition of this MSA, Consultant
must maintain, throughout the duration of this MSA, a policy and practice that
comply with ORS 279A.112, including giving employees written notice of the
Consultant's policy and practice.
10.7. Consultant shall comply with the standards established by the Project
Management Institute (PMI) as described in the Project Management Body of
Knowledge (PMBOK), current edition, the Software Engineering Institute and
the Control Objectives for Information and related Technology (COBIT®)
objectives, as well as standards established by DAS for quality assurance
services;
10.8. Consultant shall comply with the applicable requirements set forth in
DAS/OSCIO Oregon Statewide Information Technology and Information
Security Policies, found at
http://www.oregon.gov/das/OSCIO/Documents/2017%20ISO%20Standards%20Oregon.pdf
and the requirements and policies set forth in the Vendor
Management Onboarding Guide, found at:
http://www.oregon.gov/basecamp/Documents/New Vendor Onboarding Guide V.1.pdf,
as those policies and requirements may be amended from time
to time;
¹ Subsection 2(1)(b) of ORS 279A.112 contains an expansive definition of the term "protected class":
(b) "Protected class" means a group of people that state or federal law protects from
employment discrimination including, but not limited to, a group in which membership depends on an ascribed association or
identification, or an individual's voluntary association or identification with other individuals, on the basis of one or more of these
characteristics:
(A) Race, color or ethnicity;
(B) National origin;
(C) Sex;
(D) Gender, including actual or perceived gender identity;
(E) Sexual orientation;
(F) Disability;
(G) Age;
(H) Marital status; or
(I) Religion.
10.9. Consultant is not in violation of, charged with nor, to the best of
Consultant's knowledge, under any investigation with respect to violation of,
any provision of any federal, state or local law, ordinance or regulation or any
other requirement or order of any governmental or regulatory body or court or
arbitrator applicable to provision of the Services, and Consultant's provision of
the Services shall not violate any such law, ordinance, regulation or order;
10.10. Consultant's performance under this MSA to the best of Consultant's
knowledge creates no potential or actual conflict of interest, as defined by
ORS 244, for either Consultant or any Consultant personnel that will perform
the Services under this MSA;
10.11. Consultant represents and warrants that the personnel providing
Services under this MSA are employees of Consultant; that Consultant
withholds applicable income taxes from the pay of its employees; that
Consultant pays workers' compensation insurance premiums arising from the
employment of its employees under this MSA; that Consultant makes all other
applicable tax and related payments arising from that employment (including
without limitation social security tax payments); and that Consultant provides
employee benefits to its employees, including without limitation health
insurance benefits, vacation benefits, and retirement benefits;
10.12. Consultant (to the best of Consultant's knowledge), for a period of no
fewer than six (6) Calendar years preceding the Effective Date, faithfully has
complied with:
10.12.1. All tax laws of this state and any political subdivision, including
but not limited to ORS 305.620 and ORS chapters 316, 317, and 318;
10.12.2. Any tax provisions imposed by a political subdivision of this state
that applied to Consultant, to Consultant's property, operations, receipts,
or income, or to Consultant's performance of or compensation for any
work performed by Consultant;
10.12.3. Any tax provisions imposed by a political subdivision of this state
that applied to Consultant, or to goods, services, or property, whether
tangible or intangible, provided by Consultant; and
10.12.4. Any rules, regulations, charter provisions, or ordinances that
implemented or enforced any of the foregoing tax laws or provisions.
10.13. Consultant possesses and will maintain at its own expense all
required licenses, certifications and permits necessary to deliver Services
under this MSA and all Contracts;
10.14. Consultant has the power and authority to enter into and perform this
MSA and all Contracts;
10.15. This MSA, when executed and delivered, is a valid and binding
obligation of Consultant enforceable according to its terms;
10.16. Consultant has the skill and knowledge possessed by well-informed
members of its trade or profession and Consultant will apply that skill and
knowledge with care and diligence so that Consultant and Consultant's employees
and any authorized subcontractors perform the Services according to the specifications and
acceptance criteria in this MSA and the Contract; the performance of the
Services will meet or exceed the Performance Standards and Metrics and
service level guarantees set forth in Exhibit E attached hereto; and
Consultant shall, at all times during the term of this MSA and any Contract, be
qualified, professionally competent, and duly licensed to perform the
Services;
10.17. If Consultant uses any Products to perform the Services, the Products
will materially conform to acceptance criteria set forth in the MSA and the
Contract, including the Statement of Work and any Documentation provided
by Consultant, will be free from any error or defect that materially impairs their
use, and will be free from material defects in materials, workmanship, or design;
10.18. Except as otherwise provided in this MSA or a Contract and to the
extent necessary, Consultant shall provide Authorized Purchaser a license or
right to use the Products, free and clear of any and all restrictions on or
conditions of transfer, modification, licensing, sublicensing, direct or indirect
distribution, or assignment, and free and clear of any and all liens, claims,
mortgages, security interests, liabilities, and encumbrances of any kind;
10.19. The Services and Products, if any, are free of what are commonly
defined as viruses, backdoors, worms, spyware, malware and other malicious
code that will hamper performance of the software, collect unlawful personally
identifiable information on users, or prevent the software from performing as
required under the terms and conditions of this MSA or a Contract.
Notwithstanding the foregoing, this representation and warranty does not
include a disabling device that limits, suspends or ends use of the Products or
Services as expressly permitted by the terms and conditions of the license
under which it was provided; and
10.20. When used as authorized by this MSA, no Work Product infringes nor
will Authorized Purchaser's use, duplication or transfer of the Work Product
infringe any copyright, patent, trade secret or other proprietary right of any
third party.
DISCLAIMER OF WARRANTIES: THE WARRANTIES SET FORTH IN THIS
SECTION 10 ARE IN LIEU OF ALL OTHER WARRANTIES, EXPRESS OR
IMPLIED, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES
OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
INTEGRATION, PERFORMANCE AND ACCURACY AND ANY IMPLIED
WARRANTIES ARISING FROM STATUTE, COURSE OF DEALING, COURSE
OF PERFORMANCE OR USAGE OF TRADE.
11. MSA Default. Consultant is in default of this MSA if:
11.1. Consultant fails to honor pricing at least at or lower than the pricing
specified in Exhibit B; or
11.2. Consultant violates or fails to perform any material covenant,
representation, warranty, obligation or certification under this MSA.
Before Consultant can be found in default of this MSA, DAS shall first deliver a
notice of default to Consultant. The notice must describe the specific nature of the
default, cite the specific provisions of this MSA that have been violated and specify
the time period in which the default must be cured, which in no event will be less
than thirty (30) Calendar Days. In the notice, DAS, in its sole discretion, may
include an opportunity for Consultant to cure any default in its performance of this
MSA through a Performance Improvement Plan. Consultant shall be required to
successfully complete the Performance Improvement Plan in order to be found to
have cured the specified default(s).
12. Remedies for Default. If Consultant is in default under section 11 or has
failed to meet the requirements of the Vendor Management Performance
Improvement Plan or otherwise failed to cure the default within the time period set
forth in the notice or Plan, DAS may, at its option, pursue any or all remedies
available to it under this MSA and at law or in equity, including without limitation,
termination of this MSA pursuant to section 13 or pursuing a claim for damages,
or both.
13. Termination.
13.1. Mutual Termination. The parties may terminate this MSA upon the
date specified in a written agreement.
13.2. DAS' Right to Terminate. DAS may, at its sole discretion, terminate
this MSA as follows:
13.2.1. DAS may terminate this MSA upon thirty (30) Calendar Days' prior
written notice to Consultant or any later date as specified in the written
notice; or
13.2.2. DAS may terminate this MSA immediately if federal or state laws,
regulations or guidelines are modified in such a way that would prohibit
any party's performance under this MSA.
13.3. DAS' Right to Terminate for Cause. In addition to any other rights
and remedies DAS may have under this MSA, DAS may terminate this MSA,
in whole or in part, immediately upon written notice to Consultant of
Consultant's default and failure to cure under sections 11 and 12.
13.4. Effect of MSA Termination or Expiration on Contracts. Upon
termination or expiration of this MSA, Consultant shall continue to provide the
Services and access to the Products, as necessary, and meet its obligations
under all effective Contracts issued prior to MSA termination or expiration,
unless such Contract is otherwise terminated pursuant to its terms. The
termination or expiration of this MSA will be without prejudice to the rights of
the parties accrued up to the date of such termination or expiration.
14. Consultant's Compliance with Tax Laws.
14.1. Consultant must, throughout the term of this MSA and any extensions,
comply with all tax laws of this State and all applicable tax laws of any political
subdivision of this State. For the purposes of this section, "tax laws" includes
all the provisions described in subsection 10.12 of this MSA.
14.2. Any violation of subsection 14.1 constitutes a material breach of
this MSA. Further, any violation of Consultant's warranty in subsection 10.12
of this MSA, that Consultant has complied with the tax laws of this State and
the applicable tax laws of any political subdivision of this State, also
constitutes a material breach of this MSA. Any violation shall entitle DAS to
terminate this MSA, to pursue and recover any and all damages that arise
from the breach and the termination of this MSA, and to pursue any or all of
the remedies available under this MSA, at law, or in equity, including but not
limited to:
14.2.1. Termination of this MSA, in whole or in part;
14.2.2. Exercise of the right of setoff, and withholding of amounts otherwise
due and owing to Consultant, in an amount equal to State's setoff right,
without penalty; and
14.2.3. Initiation of an action or proceeding for damages, specific
performance, declaratory or injunctive relief. DAS shall be entitled to
recover any and all damages suffered as the result of Consultant's breach
of this MSA, including but not limited to direct, indirect, incidental and
consequential damages, costs of cure, and costs incurred in securing
replacement Services, replacement Consultant, or any of the above.
These remedies are cumulative to the extent the remedies are not
inconsistent, and DAS may pursue any remedy or remedies singly,
collectively, successively, or in any order whatsoever.
15. Indemnity. Consultant shall defend, save, hold harmless, and
indemnify the State of Oregon and DAS, and their officers, employees and
agents from and against all third party claims, suits, actions, losses,
damages, liabilities, statutory penalties, costs and expenses of any nature
whatsoever, including personal injury, death, damage to real property and
damage to tangible or intangible personal property resulting from, arising
out of, or relating to the intentional, reckless or negligent acts or omissions
of Consultant or its officers, employees, subcontractors, or agents under
this MSA or any Contract, including:
15.1. Any claim that Consultant, a subcontractor, or Consultant's staff
or a subcontractor's staff are employees of the State or Authorized
Purchaser for any reason; and
15.2. Any claim against the State or Authorized Purchaser, which, if true,
would constitute a breach by Consultant of any of the duties,
obligations, representations, warranties, or covenants set forth in this
MSA.
Without limiting the generality of the foregoing, Consultant will have no
obligation to indemnify the State of Oregon or DAS from and against any
claims, suits, actions, losses, damages, liabilities, costs and expenses
attributable solely to the acts or omissions of DAS or its officers,
employees or agents.
16. Insurance. Consultant, at its sole cost, shall obtain and maintain the
minimum insurance coverages set forth on Exhibit F or as otherwise required by
DAS. Authorized Purchaser may request additional or other coverage under a
Contract, as Authorized Purchaser deems necessary.
17. Governing Law. This MSA is governed by and construed according to the
laws of the State of Oregon without regard to principles of conflict of laws.
18. Venue and Consent to Jurisdiction. Any claim, action, suit, or proceeding
(collectively, "Claim") between DAS and Consultant that arises from or relates to
this MSA must be brought and conducted solely and exclusively within the Circuit
Court of Marion County for the State of Oregon; provided, however, if a Claim
must be brought in a federal forum, then it must be brought and conducted solely
and exclusively within the United States District Court for the District of Oregon.
CONSULTANT BY EXECUTION OF THIS MSA HEREBY CONSENTS TO THE
IN PERSONAM JURISDICTION OF THE COURTS REFERENCED IN THIS
SECTION 18. In no event may this section be construed as (i) a waiver by the
State of Oregon of any form of defense or immunity, whether sovereign
immunity, governmental immunity, immunity based on the eleventh amendment
to the Constitution of the United States or otherwise, from any claim, or (ii)
consent by the State of Oregon to the jurisdiction of any court.
19. MSA Contract Administrators. The MSA Contract Administrators for DAS
and for Consultant are the individuals identified in this section 19 or any other
individual identified in writing as the MSA Administrator to the other party.
DAS MSA Contract Administrator:
Debbie Davis
1225 Ferry St. SE, Salem OR 97301
(503) 378-5345
Debbie.m.davis@oregon.gov

Consultant MSA Contract Administrator:
David Trepp, Partner IT Assurance
PO Box 22303 Eugene, OR 97402
(877) 328-7475
davidt@infoatrisk.com
20. Amendment. This MSA may be amended, modified, or supplemented only by a written amendment signed by DAS and Consultant. Any amendment that provides for additional Services or other services may only provide for Services or other services directly related to the scope of Services, goods and services described in the solicitation, and no amendment will be effective until all requisite signatures and approvals are obtained. Either DAS or Consultant may request a change to this MSA, including all Exhibits hereto, by submitting a written proposal describing the desired change to the other party.

21. Integration. This MSA and attached Exhibits constitute the entire agreement between the parties on the subject matter hereof. There are no understandings, agreements or representations, oral or written, not specified herein regarding this MSA.

Authorized Signatures:

Consultant: [signature]
Title: Partner, IT Assurance   Date: June 25, 2018

The State of Oregon acting by and through its Department of Administrative Services
By: [signature]
Title: [illegible]   Date:

Approved pursuant to ORS 291.047
Oregon Department of Justice
By: [signature]   Date:
Assistant Attorney General

Approved by the Office of the State CIO as per email dated 7/27/18
EXHIBIT A
to Master Agreement #8263
CONTRACT TERMS AND CONDITIONS

These Contract Terms and Conditions apply to all Contracts issued under this MSA, including Work Order Contracts or other agreed upon ordering instruments.

1. Definitions. In addition to any other terms defined elsewhere in this Contract, the following defined terms apply:

1.1. "Authorized Purchaser Intellectual Property" means any background information, data or intellectual property that is owned by Authorized Purchaser. Authorized Purchaser Intellectual Property includes any derivative works and compilations of any Authorized Purchaser Intellectual Property.

1.2. "Business Day" means any day Monday through Friday, 8:00 a.m. to 5:00 p.m., Pacific Time, excluding State of Oregon holidays and business closure days.

1.3. "Calendar Day" means any day on the Western calendar.

1.4. "Consultant Intellectual Property" means any intellectual property that is owned by Consultant and contained in or necessary for the use of the Deliverables, and may include any software owned by Consultant and derivative works and compilations of any Consultant Intellectual Property.

1.5. "Contract" means any Work Order Contract or other agreed upon ordering instrument issued under this MSA.

1.6. "Deliverables" means all items that Consultant is required to provide to Authorized Purchaser under a Contract as part of the Services, including Work Product.

1.7. "Third Party Intellectual Property" means any intellectual property owned by parties other than Authorized Purchaser or Consultant. Third Party Intellectual Property includes software owned by Third Parties, and derivative works and compilations of any Third Party Intellectual Property.

1.8. "Work Product" means everything that is specifically made, conceived, discovered, or reduced to practice by Consultant or Consultant's subcontractors or agents (either alone or with others) pursuant to the Contract, including every invention, modification, discovery, design, development, customization, configuration, improvement, process, software program, work of authorship, documentation, formula, datum, technique, know how, secret, or intellectual property right whatsoever or any interest therein (whether patentable or not patentable or registerable under copyright
or similar statutes or subject to analogous protection). Notwithstanding anything in the immediately preceding sentence to the contrary, Work Product is not Authorized Purchaser Intellectual Property, Consultant Intellectual Property, or Third Party Intellectual Property.

2. Non-Exclusive Contract. Consultant acknowledges and agrees that by executing this Contract, Authorized Purchaser is not granting to Consultant the exclusive right to perform the Services or to perform any other services for Authorized Purchaser. Authorized Purchaser may contract with other entities to provide Authorized Purchaser with services or products that are the same or similar to those provided by Consultant under this Contract, or Authorized Purchaser may perform any or all of the Services itself.

3. Compensation. Following Consultant's delivery or completion, and Authorized Purchaser's acceptance of the Services, Authorized Purchaser will pay Consultant as specified in this Contract, based on the pricing established in MSA Exhibit B. Consultant represents that all pricing for Services under this Contract is equal to or better than the pricing specified in the MSA.

4. Funds Available and Authorized. Consultant will not be compensated for Services performed under this Contract by any other agency or department of the State of Oregon other than Authorized Purchaser. Authorized Purchaser believes it has sufficient funds currently available and authorized for expenditure to make payments under this Contract within Authorized Purchaser's biennial appropriation or limitation. Consultant understands and agrees that Authorized Purchaser's payments under this Contract are contingent on Authorized Purchaser receiving appropriations, limitations, or other expenditure authority sufficient to allow Authorized Purchaser, in the exercise of its reasonable administrative discretion, to continue to make payments under this Contract.

5. Invoicing and Payment

5.1. Invoices. Consultant shall submit invoices for completed and accepted Services or Deliverables according to the payment schedule as set forth in this Contract. Consultant shall submit invoices to Authorized Purchaser as designated in this Contract. Consultant shall include the MSA number and applicable Contract number on all invoices. Consultant also shall include a description of all Services performed or Deliverables delivered, applicable pricing, total amount invoiced and the address for payment.

5.2. Payment. Authorized Purchaser shall pay all undisputed amounts within thirty (30) Calendar Days from receipt of each invoice determined to be correct following Authorized Purchaser's review under section 5.3. Consultant may assess late payment charges only to the extent permitted by ORS 293.462.

5.3. Invoice Review / Dispute Process. Authorized Purchaser will review each invoice and will either approve payment of the amount invoiced or notify
Consultant of any errors or disputed charges. Authorized Purchaser may withhold payment of any amounts that are disputed.

If an error or dispute arises concerning the amount charged in an invoice, Authorized Purchaser will notify Consultant of the disputed charge. Upon notification of dispute, Consultant shall submit to Authorized Purchaser all documentation Authorized Purchaser requires to substantiate the amount charged.

Authorized Purchaser, in its sole discretion, will determine if the supporting documentation provides sufficient substantiation for the disputed charges. If Authorized Purchaser determines that the supporting documentation is sufficient, Authorized Purchaser will notify Consultant and pay Consultant the amount charged in the invoice. If Authorized Purchaser determines the supporting documentation supports payment of an amount less than originally invoiced, Authorized Purchaser will notify Consultant of the amount Authorized Purchaser believes is due under the invoice, and if Consultant agrees, Authorized Purchaser will pay the invoice in that lesser amount. If Consultant does not agree, the matter will be handled in accordance with section 20.

6. Performance, Delivery and Acceptance.

6.1. Responsibilities of Consultant. Consultant shall comply with the requirements of the Vendor Management Program and shall perform the Services in accordance with the standards and methodologies set forth in the MSA including the Performance Standards and Metrics set forth in MSA Exhibit E, and the Statement of Work, attached hereto as Exhibit No. 1, and as otherwise set forth in this Contract. Consultant shall cooperate with Authorized Purchaser and its designated third parties, including providing access and information on the Services provided and the Products' architecture, design, operating environment, interfaces and operating parameters as necessary.

6.2. Delivery and Review of Deliverables. Unless otherwise agreed, within ten (10) Business Days following Consultant's delivery of Services or Deliverables, or both, Authorized Purchaser will review the Services and Deliverables to determine whether the Services and Deliverables meet the Contract requirements. If Authorized Purchaser determines that the Services and Deliverables meet the Contract requirements, Authorized Purchaser will notify Consultant of Authorized Purchaser's acceptance. If Consultant receives no response from Authorized Purchaser within ten (10) Business Days, then the Services or Deliverable will be deemed accepted.

If Authorized Purchaser determines that the Services or Deliverables, or both, do not meet the Contract requirements, Authorized Purchaser will notify Consultant of Authorized Purchaser's rejection. Within ten (10) Business
Days, or as otherwise agreed, following Consultant's receipt of Authorized Purchaser's rejection notice, Consultant shall revise and redeliver to Authorized Purchaser the rejected Services or Deliverables at Consultant's sole expense to confirm that the Services or Deliverables meet the Contract requirements as determined by Authorized Purchaser. Authorized Purchaser will thereafter review the revised Services or Deliverables and notify Consultant of Authorized Purchaser's acceptance or rejection in writing within ten (10) Business Days following Authorized Purchaser's receipt of Consultant's revised Services or Deliverables. This process is an iterative process.

Consultant's failure to deliver Services or Deliverables that meet the specifications and performance standards after Authorized Purchaser's second review may constitute a default by Consultant, if Authorized Purchaser chooses not to allow Consultant any further attempts to revise and redeliver the Services or Deliverables, or both. Upon such default, Consultant shall refund to Authorized Purchaser all amounts paid by Authorized Purchaser for the Deliverables or the Services related to such Deliverables. All such refunds are in addition to, and not in lieu of, any other remedies Authorized Purchaser may have for Consultant's default.

6.3. Business Continuity Management and Disaster Recovery. Consultant shall deliver, maintain, and upgrade as necessary, Business Continuity Management and Disaster Recovery Plan and Procedures for the Services and Products, acceptable to Authorized Purchaser. In the event of a disaster, Consultant shall comply with the provisions of and deliver the Service or access to the Products according to the Business Continuity Management and Disaster Recovery Plan and Procedures.

6.4. Performance Standards and Metrics. In its provision of the Services, Consultant shall meet the performance standards and metrics as set forth in MSA Exhibit E.

6.5. Responsibilities of Authorized Purchaser. If this Contract requires Authorized Purchaser to provide any information or resources, and Authorized Purchaser fails to provide the requisite quality or quantity of such resources, or fails to provide such resources in a timely manner for a period that does not exceed ten (10) Calendar Days, Consultant's sole remedy is an extension of the applicable delivery dates corresponding to the delay. If Authorized Purchaser's failure to provide such resources exceeds ten (10) Calendar Days, and Consultant can show to the reasonable satisfaction of Authorized Purchaser that Authorized Purchaser's failure has resulted in an unavoidable increase in the cost of the Services required for the Statement of Work, then Consultant will be entitled to recover from Authorized Purchaser the reasonable amount of such increased costs. Consultant's right to delay applicable delivery dates or recover for increased costs may be exercised only if Consultant provides Authorized Purchaser with reasonable notice of
Authorized Purchaser's failure and Consultant uses commercially reasonable efforts to perform notwithstanding Authorized Purchaser's failure to perform.

7. Consultant's Personnel.

7.1. Key Persons. Consultant's Key Persons are identified on MSA Exhibit B or Contract, Exhibit No. 1. The hourly rates applicable to each Key Person are specified in MSA Exhibit B. Consultant acknowledges and agrees that a significant reason Authorized Purchaser selected Consultant and is entering into this Contract is because of the special qualifications of each Key Person. Authorized Purchaser is engaging the expertise, experience, judgment, and personal attention of such Key Persons under this Contract. Neither Consultant nor any Key Person shall delegate performance of the duties and obligations of such Key Person under this Contract to any other employee, agent or subcontractor of Consultant unless Authorized Purchaser provides prior written consent to such delegation. Consultant shall not reassign or transfer a Key Person to other duties or positions so that the Key Person is no longer available to provide Authorized Purchaser with that Key Person's services unless Authorized Purchaser provides prior written consent to the reassignment or transfer, or the reassignment or transfer is required based on the termination of employment, illness, death, disability or other similar cause. If Consultant requests Authorized Purchaser's consent to a delegation, reassignment, transfer or other replacement of a Key Person, Authorized Purchaser may meet with the Key Person and review the qualifications of the proposed substitute personnel before providing its consent or rejecting such replacement. Any such replacement shall have substantially equivalent or better qualifications than the Key Person being replaced. Consultant shall not charge Authorized Purchaser, and Authorized Purchaser will not pay, for any replacement Key Person while that Key Person acquires the necessary skills and knowledge to continue the Services. Such period of non-charge will be agreed upon by the parties, but not extend for more than twenty-eight (28) Calendar Days. All replacement personnel approved by Authorized Purchaser are deemed Key Persons for purposes of this Contract, and this Contract is deemed amended to include those Key Persons.

7.2. Subcontracts. Consultant shall not enter into any subcontracts for any of the Services required by this Contract without Authorized Purchaser's prior written consent. In addition to any other provisions Authorized Purchaser may require, Consultant shall include in any permitted subcontracts under this Contract a requirement that the subcontractor be bound by sections 5, 6, 8, 9, 11, 12, 14, 17, 20, 28, and 30 of this Contract as if the subcontractor were the Consultant. Authorized Purchaser's consent to any subcontractor shall not relieve Consultant of any of its duties or obligations under this Contract.

7.3. Successors and Assigns. Neither Party may assign or transfer any of its interest in this Contract without the other Party's prior written consent. This Contract is binding upon and shall inure to the benefit of Authorized Purchaser
and Consultant, and their respective successors and permitted assigns. Consultant may assign or transfer the Contract without Authorized Purchaser's prior consent in the event of merger or sale of substantially all its assets, provided Consultant sends Authorized Purchaser written notice of the assignment or transfer within thirty (30) Calendar Days of the effective date of the merger or sale.

7.4. Cooperation. Consultant understands and agrees that, as part of this Contract, Consultant may be required to work with other contractors of Authorized Purchaser who may be working on this or similar projects subject to the provisions related to confidentiality and ownership of intellectual property herein. Authorized Purchaser and Consultant acknowledge and agree that this cooperation is essential to the mutual goal of both parties for accurate and valuable use by Authorized Purchaser. Consultant shall create and maintain a cooperative working relationship between and among Authorized Purchaser and other entities and their respective representatives involved in representing Authorized Purchaser's priorities at the federal and statewide levels, to further the interests of Authorized Purchaser to result in the Services being successfully completed on time and within budget.

In the event of a conflict between contractors who must cooperate, contractors shall notify the Authorized Purchaser's contract administrator and abide by Authorized Purchaser's direction(s). Authorized Purchaser will use its best efforts to encourage its other entities and their respective representatives to do likewise.

7.5. Authorized Purchaser Facilities and Networks; Access and Security. Authorized Purchaser shall permit Consultant and Consultant personnel access to Authorized Purchaser facilities and networks, provided Consultant and Consultant personnel comply with all Authorized Purchaser security and access policies, rules, procedures, and regulations for access to Authorized Purchaser's facilities and networks. Authorized Purchaser shall make its security and access policies, rules, procedures, and regulations available to Consultant prior to the commencement of Services for Authorized Purchaser under this Contract.

8. Confidentiality / Non-Disclosure.

8.1. Confidential Information. Each party acknowledges that it and its employees or agents may, in the course of performing its responsibilities under this Contract, be exposed to or acquire information that is confidential to the other party or the other party's clients. Any and all information of any form obtained by one party or its employees or agents in the performance of this Contract is confidential information of the other party ("Confidential Information"). The parties shall treat any reports or other documents or items (including software) which result from the use of the Confidential Information by the recipient of such information with respect to confidentiality in the same manner as the Confidential Information.
Confidential Information does not include information that (i) is or becomes (other than by disclosure by the party acquiring such information) publicly known or is contained in a publicly available document; (ii) is furnished by the party disclosing such information to others without restrictions similar to those imposed by this Contract; (iii) is rightfully in the receiving party's possession without the obligation of nondisclosure prior to the time of its disclosure under this Contract; (iv) is obtained from a source other than the discloser without the obligation of confidentiality; (v) is disclosed with the written consent of the disclosing party; or (vi) is independently developed by employees or agents of the receiving party who can be shown to have had no access to the Confidential Information.

8.2. Duties of Care. The Recipient shall use the same care and discretion to avoid disclosure, publication or dissemination of Confidential Information as it uses with its own similar information that it does not wish to disclose, publish or disseminate. The Recipient may use Confidential Information only for the purposes of this Contract. The Recipient may disclose Confidential Information to: a) its officers, employees, subcontractors and affiliates or other agencies who have a need to know; and b) any other party with the Discloser's prior written consent. Before disclosure to any of the above parties, the Recipient will have a written agreement with such party sufficient to require that party to treat Confidential Information in accordance with this section 8.

8.3. Prevention of Unauthorized Use or Disclosure. Each party shall use commercially reasonable efforts to assist the other in identifying and preventing any unauthorized use or disclosure of any Confidential Information. Without limitation of the foregoing, each party shall advise the other immediately in the event it learns or has reason to believe that any person who has had access to Confidential Information has violated or intends to violate the terms of this Contract, and each party will at its expense cooperate with the other in seeking injunctive or other equitable relief in the name of the other against any such person.

8.4. Identity Theft. In the performance of this Contract, Consultant may have possession or access to documents, records or items that contain "Personal Information," as that term is used in ORS 646A.602(11). Personal Information is a type of Confidential Information that is highly sensitive and subject to additional protection. Prior to the receipt of, and during the period in which Consultant has possession of or access to, any Personal Information, Consultant shall have and maintain a formal written information security program that provides safeguards to protect Personal Information from loss, theft, and disclosure to unauthorized persons, consistent with the Oregon Consumer Identity Theft Protection Act, ORS 646A.600-646A.628.

Consultant shall not breach or permit breach of the security of any Personal Information that is contained in any document, record,
compilation of information or other item to which Consultant receives access, possession, custody or control under this Contract. Consultant shall not disclose, or otherwise permit access of any nature, to any unauthorized person, of any such Personal Information. Consultant shall not use, distribute or dispose of any Personal Information other than expressly permitted by Authorized Purchaser, required by applicable law, or required by an order of a tribunal having competent jurisdiction.

• Consultant shall promptly report to the Authorized Purchaser any breach of security, use, disclosure, theft, loss, or other unauthorized access of any document, record, compilation of information or other item that contains Personal Information to which the Consultant receives access, possession, custody or control in the performance of this Contract.

• Consultant shall require the compliance of its employees, agents, and subcontractors with this section 8.

8.5. Non-disclosure; Disclosure Required by Law. Each party agrees that, except as provided in this Contract or directed by the other, it will not at any time during or after the term of this Contract disclose, directly or indirectly, any Confidential Information to any person, and that upon termination of this Contract each party will turn over to the other all documents, papers and other matter in its possession which embody Confidential Information.

If, however, a party receives any request under the Oregon Public Records Law, the Freedom of Information Act, administrative or court order, or any other legal request for disclosure of Confidential Information, the party receiving the request will immediately notify the other party and provide the other party with the opportunity to protect its information from disclosure, including by redaction. Each party is exclusively responsible for defending its position concerning the confidentiality of its own information; neither party assumes liability for the disclosure of information required by law.

8.6. NDAs and Background Checks. Consultant agrees to comply with all reasonable requests by Authorized Purchaser to ensure the confidentiality and nondisclosure of Authorized Purchaser's Confidential Information, including without limitation (i) obtaining nondisclosure agreements from Consultant's employees and agents who are performing Services and providing copies of such agreements to Authorized Purchaser, (ii) performing criminal background checks on each of Consultant's employees and agents who are performing Services, and providing a copy of the results to Authorized Purchaser, and (iii) complying with Authorized Purchaser's access and security policies and procedures.

8.7. Public Records Laws. Authorized Purchaser's obligations of confidentiality, if any, are subject to the Oregon Public Records Laws, ORS
192.311 through ORS 192.478 and the Oregon Custody and Maintenance of Records Laws, ORS 192.005 through 192.170.

8.8. Injunctive Relief and Other Remedies. Each party acknowledges that breach of this section 8, including disclosure of any Confidential Information, may give rise to irreparable injury which may be inadequately compensable in damages. Accordingly, each party may seek injunctive relief against the breach or threatened breach of the foregoing undertakings, in addition to any other legal remedies that may be available. Each party acknowledges and agrees that the covenants contained herein are necessary for the protection of the legitimate business interests of the other and are reasonable in scope and content.

8.9. Breach Notification. In the event Consultant or its subcontractors or agents discovers or is notified of a breach or potential breach of security relating to Confidential Information, including a failure to comply with Consultant's confidentiality obligations under this Contract, Consultant shall promptly notify Authorized Purchaser's Authorized Representative of the breach or potential breach. If Authorized Purchaser determines that the breach or potential breach requires notification of Authorized Purchaser clients or employees, or other notification required by law, Authorized Purchaser will have sole control over the notification content, timing, and method, subject to Consultant's obligations under applicable law. Consultant will not notify any individual or any third party other than law enforcement of any breach or potential breach involving Authorized Purchaser Confidential Information without first consulting with, and obtaining written permission of, Authorized Purchaser.

8.10. Publicity. Consultant agrees that it will not disclose the form, content or existence of this Contract or any Deliverable in any advertising, press releases or other materials distributed to prospective customers, or otherwise attempt to obtain publicity from its association with Authorized Purchaser or the State of Oregon, whether or not such disclosure, publicity or association implies an endorsement by Authorized Purchaser or the State of Oregon of Consultant's services, without the prior written consent of Authorized Purchaser.

8.11. Confidentiality Obligations. The obligations of confidentiality under this Contract extend for two (2) years beyond either the disclosure of the Confidential Information or the termination of this Contract, whichever is later.

9. Independent Contractor; Taxes and Withholding.

9.1. Consultant shall perform all Services as an independent contractor. Although Authorized Purchaser reserves the right to determine the delivery schedule for the Services to be performed and evaluate the quality of the completed performance, Authorized Purchaser cannot and will not control the
means or manner of Consultant's performance. Consultant is responsible for determining the appropriate means and manner of performing the Services.

9.2. If Consultant is currently performing services for the State of Oregon or the federal government, Consultant, by signing this Contract, declares and certifies that:

9.2.1. Consultant's delivery of Services creates no potential or actual conflict of interest as defined by ORS 244;

9.2.2. No rules or regulations of Consultant's employing agency (state or federal) would prohibit Consultant's Services under this Contract;

9.2.3. If applicable, Consultant meets the specific independent contractor standards of ORS 670.600; and

9.2.4. Consultant is not an "officer," "employee," or "agent" of Authorized Purchaser as those terms are used in ORS 30.265.

9.3. Consultant is responsible for all federal or state taxes applicable to compensation or payments to Consultant under this Contract and, unless Consultant is subject to backup withholding, Authorized Purchaser will not withhold from such compensation or payments any amounts to cover Consultant's federal or state tax obligations. Consultant is not eligible for any Social Security, unemployment insurance or workers' compensation benefits from compensation or payments to Consultant under this Contract, except as a self-employed individual.

10. Representations and Warranties.

10.1. Consultant's General Representations and Warranties. Consultant represents and warrants to Authorized Purchaser that:

10.1.1. Consultant is not an "officer," "employee," or "agent" of DAS or Authorized Purchaser, as those terms are used in ORS 30.265;

10.1.2. Consultant fully understands and will perform its obligations under this Contract and will not make any claims for, or have any rights to relief based on its claim that it misunderstood the terms of this Contract, or lacked information related to its required performance under this Contract;

10.1.3. Consultant is qualified to do business in the State of Oregon and will remain qualified throughout the Contract term;

10.1.4. Consultant is not in arrears in the payment of any monies due and owing the State of Oregon, or any department or agency thereof, including but not limited to the payment of taxes and employee benefits, and will not become so during the Contract term;
10.1.5. Consultant will comply with the federal, state, and local laws, ordinances, rules, and regulations applicable to Consultant and its performance under this Contract;
10.1.6. Consultant is not in violation of, charged with nor, to the best of Consultant's knowledge, under any investigation with respect to violation of, any provision of any federal, state or local law, ordinance or regulation or any other requirement or order of any governmental or regulatory body or court or arbitrator applicable to provision of the Services, and Consultant's provision of the Services shall not violate any such law, ordinance, regulation or order;
10.1.7. Consultant's performance under this Contract to the best of Consultant's knowledge creates no potential or actual conflict of interest, as defined by ORS 244, for either Consultant or any Consultant personnel that will perform the Services under this Contract;
10.1.8. Consultant represents and warrants that the personnel providing services under this Contract are employees of Consultant; that Consultant withholds applicable income taxes from the pay of its employees; that Consultant pays workers' compensation insurance premiums arising from the employment of its employees under this Contract; that Consultant makes all other applicable tax and related payments arising from that employment (including without limitation social security tax payments); and that Consultant provides employee benefits to its employees, including without limitation health insurance benefits, vacation benefits, and retirement benefits;
10.1.9. Consultant (to the best of Consultant's knowledge, after due inquiry), for a period of no fewer than six (6) Calendar years preceding the Effective Date of this Contract, faithfully has complied with:
• All tax laws of this state, including but not limited to ORS 305.620 and ORS chapters 316, 317, and 318;
• Any tax provisions imposed by a political subdivision of this state that applied to Consultant, to Consultant's property, operations, receipts, or income, or to Consultant's performance of or compensation for any work performed by Consultant;
• Any tax provisions imposed by a political subdivision of this state that applied to Consultant, or to goods, services, or property, whether tangible or intangible, provided by Consultant; and
• Any rules, regulations, charter provisions, or ordinances that implemented or enforced any of the foregoing tax laws or provisions;
10.1.10. Consultant possesses and will maintain at its own expense all required licenses, certifications and permits necessary to deliver Services under this Contract;
10.1.11. Consultant has the power and authority to enter into and perform this Contract;
10.1.12. This Contract, when executed and delivered, is a valid and binding obligation of Consultant enforceable in accordance with its terms;
10.1.13. Consultant has the skill and knowledge possessed by well-informed members of its trade or profession and Consultant will apply that skill and knowledge with care and diligence so Consultant and Consultant's employees and any authorized subcontractors perform the Services described in this Contract according to the highest standards prevalent in the industry or business most closely involved in providing the Services that Consultant is providing to Authorized Purchaser pursuant to this Contract;
10.1.14. The Services and each Deliverable delivered by Consultant pursuant to the Services will materially comply with any service descriptions, specifications, standards or requirements set forth in this Contract; and
10.1.15. Consultant shall, at all times during the term of this Contract, be qualified, professionally competent, and duly licensed to perform the Services.
10.2. DISCLAIMER OF WARRANTIES: THE FOREGOING WARRANTIES ARE IN LIEU OF ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, INTEGRATION, PERFORMANCE AND ACCURACY AND ANY IMPLIED WARRANTIES ARISING FROM STATUTE, COURSE OF DEALING, COURSE OF PERFORMANCE OR USAGE OF TRADE.
11. Ownership and Licenses.
11.1. Consultant Intellectual Property. Consultant retains ownership of all Consultant Intellectual Property that Consultant delivers to Authorized Purchaser pursuant to the Services performed under this Contract. Consultant grants Authorized Purchaser a perpetual non-exclusive, irrevocable, royalty-free, world-wide license to use, copy, display, distribute, transmit and prepare derivative works of Consultant Intellectual Property employed in the Deliverables or Work Product, and to authorize others to do the same on Authorized Purchaser's behalf, in connection with use of such Deliverables.
11.2. Work Product. Unless otherwise agreed, upon payment for the Services or Deliverables Authorized Purchaser owns all Work Product and the entire right, title and interest therein shall be exclusively vested in Authorized Purchaser as Work Product made for hire and made in the course of the Services rendered. If title to any Work Product may not by operation of law vest in Authorized Purchaser, Consultant hereby irrevocably assigns the sole right, title and interest in such Works and its proprietary rights therein to Authorized Purchaser. Consultant agrees to execute papers which Consultant reasonably may require to secure and maintain Authorized Purchaser's rights related to the Work Product. Notwithstanding the foregoing, Consultant retains exclusive and unrestricted ownership of any Consultant Intellectual Property relating to the Services and/or supplied with any Work Product, and Consultant grants Authorized Purchaser a worldwide, perpetual, royalty-free, and non-exclusive right and license to use such Consultant Intellectual Property as part of the Work Product.
11.3. Authorized Purchaser Intellectual Property. Authorized Purchaser owns all Authorized Purchaser Intellectual Property, including all background information, data and all of its clients' data and information, provided to or collected by Consultant pursuant to this Contract. Authorized Purchaser grants Consultant a non-exclusive, royalty-free license to use, copy, display, distribute, transmit and prepare derivative works of Authorized Purchaser Intellectual Property, including Authorized Purchaser data, and Work Product only to fulfill the purposes of this Contract. Authorized Purchaser's license to Consultant is limited by the term of the Contract and the confidentiality obligations of this Contract.
11.4. Third Party Intellectual Property. Unless otherwise specified in a Contract, Authorized Purchaser will acquire and obtain a license to Third Party Intellectual Property that is a part of a Deliverable. In the event that Work Product is Third Party Intellectual Property, a derivative work based on Third Party Intellectual Property, or a compilation that includes Third Party Intellectual Property, in each case as expressly authorized by Authorized Purchaser, Authorized Purchaser shall secure on its own behalf and in its name an irrevocable, non-exclusive, perpetual, royalty-free license to use, reproduce, prepare derivative works based upon, distribute copies of, perform and display the Third Party Intellectual Property provided to Authorized Purchaser by Consultant during the term of the Contract necessary for Consultant to deliver the Services, and to authorize others to do the same on Authorized Purchaser's behalf.
11.5. No Rights. Except as expressly set forth in this Contract, nothing in this Contract grants or confers upon Consultant any right, title, or interest in any intellectual property that is now owned or subsequently owned by Authorized Purchaser. Except as expressly set forth in this Contract, nothing in this Contract grants or confers upon Authorized Purchaser any right, title, or interest in any Consultant Intellectual Property that is now owned or subsequently owned by Consultant.
11.6. No Rights in Marks. Neither party grants the other the right to use its trademarks, trade names, service marks or other designations in any promotion or publication without prior written consent. Each party grants only the licenses and rights specified in this Contract.
11.7. Prohibition on Data Mining. Consultant shall not capture, maintain, scan, index, share or use Authorized Purchaser Data stored or transmitted by the Products or Services, or otherwise use any data-mining technology, for any non-authorized activity, and shall not permit its agents or subcontractors to do so. For purposes of this requirement, "non-authorized activity" means the data mining or processing of data, stored or transmitted by the service, for unrelated commercial purposes, advertising or advertising-related purposes, or for any other purpose other than security analysis that is not explicitly authorized in this Contract.
11.8. Federal Funds. If a Work Product is software and has been developed and delivered by Consultant as a Deliverable to an Authorized Purchaser under this Contract, and such Deliverable has been funded by Authorized Purchaser, to any extent, with federal funds, then Authorized Purchaser will have all right, title, and interest (including ownership of copyright and trademark) to such Deliverable, and, if the software Deliverable has been funded with federal funds, the federal agency reserves a royalty-free, nonexclusive, and irrevocable license to reproduce, publish, or otherwise use, and to authorize others to use for federal government purposes, such Deliverable, in each case in accordance with 45 CFR 95.617(b).
12. Indemnity.
12.1. CONSULTANT SHALL DEFEND, SAVE, HOLD HARMLESS AND INDEMNIFY AUTHORIZED PURCHASER AND THE STATE OF OREGON AND THEIR AGENCIES, SUBDIVISIONS, OFFICERS, DIRECTORS, AGENTS, AND EMPLOYEES FROM AND AGAINST ALL THIRD PARTY CLAIMS, SUITS, ACTIONS, LOSSES, DAMAGES, LIABILITIES, STATUTORY PENALTIES, COSTS AND EXPENSES OF ANY NATURE WHATSOEVER INCLUDING (I) ANY CLAIM THAT CONSULTANT, A SUBCONTRACTOR, OR A CONSULTANT EMPLOYEE OR A SUBCONTRACTOR'S EMPLOYEE ARE EMPLOYEES OF THE STATE OR AUTHORIZED PURCHASER FOR ANY REASON, AND (II) ANY CLAIM AGAINST THE STATE OR AUTHORIZED PURCHASER, WHICH, IF TRUE, WOULD CONSTITUTE A BREACH BY CONSULTANT OF ANY OF THE REPRESENTATIONS, WARRANTIES, OR COVENANTS SET FORTH IN THIS CONTRACT, AND (III) ANY CLAIMS THAT THE DELIVERABLES OR USE THEREOF OR USE OF ANY PRODUCT INFRINGE OR VIOLATE ANY PATENT, COPYRIGHT, TRADE SECRET, TRADEMARK, TRADE DRESS, MASK WORK, UTILITY DESIGN, OR OTHER PROPRIETARY RIGHT (COLLECTIVELY, "INTELLECTUAL PROPERTY RIGHTS") OF ANY THIRD PARTY, RESULTING FROM, ARISING OUT OF, OR RELATING TO THE ACTS OR OMISSIONS OF CONSULTANT OR ITS OFFICERS, EMPLOYEES, SUBCONTRACTORS, OR AGENTS UNDER THIS CONTRACT.
12.2. THE OREGON ATTORNEY GENERAL MUST GIVE WRITTEN AUTHORIZATION TO ANY LEGAL COUNSEL PURPORTING TO ACT IN THE NAME OF, OR REPRESENT THE INTEREST OF, THE STATE OR ITS OFFICERS, EMPLOYEES AND AGENTS PRIOR TO SUCH ACTION OR REPRESENTATION. FURTHER, THE STATE, ACTING BY AND THROUGH ITS DEPARTMENT OF JUSTICE, MAY ASSUME ITS OWN DEFENSE, INCLUDING THAT OF ITS OFFICERS, EMPLOYEES AND AGENTS, AT ANY TIME WHEN IN THE STATE'S SOLE DISCRETION IT DETERMINES THAT:
12.2.1. PROPOSED COUNSEL IS PROHIBITED FROM THE PARTICULAR REPRESENTATION CONTEMPLATED;
12.2.2. COUNSEL IS NOT ADEQUATELY DEFENDING OR ABLE TO DEFEND THE INTERESTS OF THE STATE, ITS OFFICERS, EMPLOYEES AND AGENTS;
12.2.3. IMPORTANT GOVERNMENTAL INTERESTS ARE AT STAKE; OR
12.2.4. THE BEST INTERESTS OF THE STATE ARE SERVED THEREBY.
CONSULTANT'S OBLIGATION TO PAY FOR ALL COSTS AND EXPENSES INCLUDES THOSE INCURRED BY THE STATE IN ASSUMING ITS OWN DEFENSE AND THAT OF ITS OFFICERS, EMPLOYEES, OR AGENTS.
12.3. Data and Network Services. Except to the extent that a claim or loss results from the negligent, reckless or intentional acts or omissions of Authorized Purchaser, Consultant shall assume liability for all claims or losses related to data loss or breach of security caused directly or indirectly by or resulting from the Deliverables or Services provided by Consultant.
12.4. LIMITATION OF LIABILITY.
12.4.1. EXCEPT FOR LIABILITY ARISING OUT OF OR RELATED TO (i) SECTION 12.1, (ii) SECTION 12.3, DATA AND NETWORK SERVICES, (iii) SECTION 8, CONSULTANT'S DUTIES OF CONFIDENTIALITY AND NON-DISCLOSURE, (iv) SERVICE CREDITS OR LIQUIDATED DAMAGES ASSESSED UNDER THIS CONTRACT, OR (v) CLAIMS FOR PERSONAL INJURY, INCLUDING DEATH, OR DAMAGE TO REAL PROPERTY OR TANGIBLE OR INTANGIBLE PERSONAL PROPERTY ARISING FROM THE NEGLIGENCE, RECKLESS CONDUCT OR INTENTIONAL ACTS OF CONSULTANT, ITS OFFICERS, EMPLOYEES OR AGENTS, CONSULTANT'S LIABILITY FOR DAMAGES TO THE STATE FOR ANY CAUSE WHATSOEVER IS LIMITED TO ONE AND ONE-HALF TIMES THE TOTAL NOT TO EXCEED AMOUNT UNDER THIS CONTRACT.
12.4.2. EXCEPT FOR LIABILITY TO THIRD PERSONS ARISING OUT OF OR RELATED TO (i) SECTION 12.1, (ii) SECTION 12.3, (iii) SECTION 8, OR (iv) CLAIMS FOR PERSONAL INJURY, INCLUDING DEATH, OR DAMAGE TO REAL PROPERTY OR TANGIBLE OR INTANGIBLE PERSONAL PROPERTY ARISING FROM THE NEGLIGENCE, RECKLESS CONDUCT OR INTENTIONAL ACTS OF CONSULTANT, ITS OFFICERS, EMPLOYEES OR AGENTS, NEITHER PARTY WILL BE LIABLE TO THE OTHER FOR ANY LOST PROFITS, LOST SAVINGS, OR PUNITIVE, INDIRECT, EXEMPLARY, CONSEQUENTIAL, OR INCIDENTAL DAMAGES.
13. ASSIGNMENT OF ANTITRUST RIGHTS. CONSULTANT IRREVOCABLY ASSIGNS TO AUTHORIZED PURCHASER ANY CLAIM FOR RELIEF OR CAUSE OF ACTION WHICH THE CONSULTANT NOW HAS OR WHICH MAY ACCRUE TO THE CONSULTANT IN THE FUTURE BY REASON OF ANY VIOLATION OF 15 U.S.C. § 1-15 OR ORS 646.725 OR ORS 646.730 IN CONNECTION WITH ANY GOODS OR SERVICES PROVIDED TO THE CONSULTANT FOR THE PURPOSE OF CARRYING OUT THE CONSULTANT'S OBLIGATIONS UNDER THIS CONTRACT, INCLUDING, AT AUTHORIZED PURCHASER'S OPTION, THE RIGHT TO CONTROL ANY SUCH LITIGATION ON SUCH CLAIM OR RELIEF OR CAUSE OF ACTION. CONSULTANT SHALL REQUIRE ANY SUBCONTRACTORS HIRED TO PERFORM ANY OF CONSULTANT'S DUTIES UNDER THIS AGREEMENT TO IRREVOCABLY ASSIGN TO AUTHORIZED PURCHASER, AS THIRD PARTY BENEFICIARY, ANY RIGHT, TITLE OR INTEREST THAT HAS ACCRUED OR WHICH MAY ACCRUE IN THE FUTURE BY REASON OF ANY VIOLATION OF 15 U.S.C. § 1-15 OR ORS 646.725 OR ORS 646.730, IN CONNECTION WITH ANY GOODS OR SERVICES PROVIDED TO THE SUBCONTRACTOR FOR THE PURPOSE OF CARRYING OUT THE SUBCONTRACTOR'S OBLIGATIONS TO THE CONSULTANT IN PURSUANCE OF THIS CONTRACT, INCLUDING, AT AUTHORIZED PURCHASER'S OPTION, THE RIGHT TO CONTROL ANY SUCH LITIGATION ON SUCH CLAIM OR RELIEF OR CAUSE OF ACTION.
14. Suspension; Termination.
14.1. Authorized Purchaser's Right to Suspend Performance. Authorized Purchaser may, at its sole discretion, suspend Consultant's Services under this Contract, upon written notice by Authorized Purchaser to Consultant, setting forth the length of the proposed suspension.
14.1.1. Stop-Work Notice. Authorized Purchaser may, at any time, by written notice to Consultant, require Consultant to stop all or any part of the work required by this Contract for a period of up to ninety (90) Calendar Days after the date of the notice, or for any further period to which the parties may agree through a duly executed amendment. Upon receipt of the notice, Consultant shall immediately comply with the Stop-Work Notice terms and take all necessary steps to minimize the incurrence of costs allocable to the work affected by the Stop-Work Notice. Within a period of ninety (90) Calendar Days after issuance of the written notice, or within any extension of that period to which the parties have agreed, Authorized Purchaser will either:
• Cancel or modify the Stop-Work Notice by a supplementary written notice; or
• Terminate the work as permitted by either the Default or the Convenience provisions of section 14, Termination, including, as applicable and as set forth in this Contract, payment for Services completed and accepted and Deliverables delivered and accepted prior to the suspension and termination, reimbursable expenses or reimbursable third party costs.
If the Stop-Work Notice is canceled, Authorized Purchaser may, after receiving and evaluating a request from Consultant, make an adjustment in the time required to complete this Contract and the Contract price by a duly executed amendment, inclusive of any ramp-up time required for Consultant to resume Services.
14.2. Parties' Right to Terminate for Mutual Consent. This Contract may be terminated at any time by mutual written consent of the parties.
14.3. Authorized Purchaser's Right to Terminate for Convenience. Authorized Purchaser may, at its sole discretion, terminate this Contract, in whole or in part, upon thirty (30) Calendar Days written notice to Consultant.
14.4. Authorized Purchaser's Right to Terminate for Cause. Authorized Purchaser may terminate this Contract, immediately upon notice to Consultant, or at such later date as Authorized Purchaser may establish in such notice, upon the occurrence of any of the following events:
14.4.1. If Authorized Purchaser's funding from revenue sources is not obtained and continued at levels sufficient to allow for compensation for the Services or both, in Authorized Purchaser's sole administrative discretion, this Contract may be terminated or modified to accommodate a reduction in funds;
14.4.2. If federal or state regulations or guidelines are modified, changed, or interpreted in such a way that the Services are no longer allowable or appropriate for purchase under this Contract;
14.4.3. If any license or certificate required by law or regulations to be held by the Consultant to provide the Services required by this Contract is for any reason denied, revoked, or not renewed;
14.4.4. If the Authorized Purchaser discovers that Consultant is in default for the payment of taxes or any other amount owed to a government entity; or
14.4.5. Consultant fails to perform the Services under this Contract within the time specified herein or any extension thereof, or so fails to pursue the Services as to endanger Consultant's performance under this Contract according to its terms, and such breach, default or failure is not cured within thirty (30) Calendar Days after delivery of Authorized Purchaser's notice, or such longer period as Authorized Purchaser may specify in such notice.
14.5. Consultant's Right to Terminate for Cause. Consultant may terminate this Contract if Authorized Purchaser commits any material breach or default of any covenant, obligation or agreement under this Contract and Authorized Purchaser fails to cure the breach or default within thirty (30) Calendar Days after receipt of Consultant's written notice or such longer period of cure as Consultant may specify in such notice. Consultant shall state in the written notice of breach or default the termination date for Authorized Purchaser's failure to cure, which must not be less than thirty (30) Calendar Days following Authorized Purchaser's failure to cure.
14.6. Transition. If requested by Authorized Purchaser, Consultant shall provide transition services to support a responsible and secure transition of Services and Authorized Purchaser data to another service provider or to Authorized Purchaser ("Transition Services"), subject to the terms and conditions of the Contract as modified by the Transition Plan and provided Authorized Purchaser is up-to-date with its undisputed payment obligations at the commencement of the Transition Period, and continues to pay all undisputed invoices during the Transition Period. Following receipt of the request for Transition Services, Consultant shall not, without Authorized Purchaser's prior written consent, which will not be unreasonably withheld, transfer, reassign, or otherwise redeploy any of Consultant's personnel from providing Services under this Contract.
Consultant and Authorized Purchaser will outline a plan ("Transition Plan") setting forth the following:
• The respective Tasks and Deliverables to be completed by each party under the Transition Plan,
• A schedule pursuant to which such Tasks and Deliverables will be completed,
• A schedule identifying which party is responsible for paying the cost (if any) related to each Task and Deliverable. This schedule may include Transition Services that will not exceed the current Contract NTE. If the parties agree Transition Services require new or additional Services that cause an increase in the Contract NTE, the Transition Plan will be in the form of a Contract amendment, and
• Addressing other outstanding issues.
Consultant shall complete the transition of Services from Consultant and its subcontractors to Authorized Purchaser and to any providers that Authorized Purchaser designates, without causing any unnecessary interruption of or adverse impact on the Services.
Without limiting the generality of the aforementioned obligations, Consultant shall:
• Cooperate with Authorized Purchaser and any Authorized Purchaser-designated provider by promptly taking all steps required to assist Authorized Purchaser in completing the Transition Plan.
• Provide Authorized Purchaser and any Authorized Purchaser-designated provider with all information regarding the Services and Deliverables that these parties will need to complete the Transition Period.
• Promptly and orderly conclude all Services as Authorized Purchaser may direct. This includes the documentation of work in progress, return of property, and other measures to provide an orderly transition to Authorized Purchaser and any Authorized Purchaser-designated provider.
14.7. Consultant's Tender Upon Termination. Upon receiving a notice of termination of this Contract, Consultant shall promptly cease all activities under this Contract unless Authorized Purchaser expressly directs otherwise in the notice of termination or Authorized Purchaser has requested Transition Services. Consultant shall immediately deliver to Authorized Purchaser or anyone Authorized Purchaser designates all documents, information, works-in-progress, and other property that are or would be deliverables had this Contract been completed.
15. Contract Breach. Before a party can be found in breach of this Contract, the other party shall first deliver a notice of default to the other party. The notice must describe the specific nature of the default, cite the specific provisions of this Contract that have been defaulted, indicate whether the default can be cured, and specify the time period in which the default must be cured, if cure is permitted.
15.1. Default by Consultant. Consultant violates or is in default of this Contract if:
15.1.1. Consultant institutes or has instituted against it insolvency, receivership or bankruptcy proceedings, makes an assignment for the benefit of creditors, or ceases doing business on a regular basis;
15.1.2. Consultant no longer holds a license or certificate that is required for Consultant to perform Consultant's obligations under this Contract; or
15.1.3. Consultant fails to perform or defaults any material covenant, warranty, obligation or certification under this Contract, provided however that Consultant may cure the defaults within the period specified in Authorized Purchaser's notice of default when Authorized Purchaser determines the default is curable by Consultant.
15.2. Default by Authorized Purchaser. Authorized Purchaser violates or is in default of this Contract if:
15.2.1. Authorized Purchaser fails to pay Consultant any amount as required under this Contract, and Authorized Purchaser does not cure such failure to pay within thirty (30) Calendar Days after delivery of Consultant's notice of default or such longer period as Consultant may specify in such notice; or
15.2.2. Authorized Purchaser defaults any material covenant, warranty, or obligation under this Contract and such default is not cured within thirty (30) Calendar Days after delivery of Consultant's notice of breach or such longer period as Consultant may specify in such notice.
16. Remedies for Default.
16.1. Consultant Remedies. If a Contract is terminated pursuant to section 14.2, 14.3, 14.4.1, 14.4.2, 14.4.3 or 14.5, Consultant's sole remedy shall be a claim for accomplishing the Services multiplied by the percentage of Services completed and accepted by Authorized Purchaser, less previous amounts paid and any claims which Authorized Purchaser has against Consultant. If previous amounts paid to Consultant exceed the amount due to Consultant under this Subsection, Consultant shall immediately pay any excess to Authorized Purchaser upon demand.
16.2. Authorized Purchaser Remedies. If a Contract is terminated pursuant to section 14.4.4 or 14.4.5, Authorized Purchaser shall have any remedy available to it in law or equity. If it is determined for any reason that Consultant was not in default under section 14.4.4 or 14.4.5, the rights and obligations of the parties shall be the same as if this Contract was terminated pursuant to section 14.3.
17. Compliance with Applicable Law.
17.1. Consultant shall comply with the federal, state and local laws, regulations, executive orders and ordinances applicable to Consultant and its performance under this Contract and the Services provided hereunder.
17.2. Consultant at all times shall comply with all Authorized Purchaser's security and access policies and procedures, including without limitation (i) obtaining nondisclosure agreements from Consultant's employees and agents who are performing Services and providing copies of such agreements to Authorized Purchaser, and (ii) performing criminal background checks on each of Consultant's employees and agents who are performing Services, and providing a copy of the results to Authorized Purchaser.
17.3. Authorized Purchaser's performance under this Contract is conditioned upon Consultant's compliance with the obligations intended for contractors under ORS 279B.220, 279B.225 (if applicable to this Contract), 279B.230 and 279B.235 (if applicable to this Contract), which are incorporated into this Contract by reference. Consultant shall, to the maximum extent economically feasible in the performance of this Contract, use recycled paper (as defined in ORS 279A.010(1)(gg)), recycled PETE products (as defined in ORS 279A.010(1)(hh)), and other recycled plastic resin products and recycled products (as "recycled product" is defined in ORS 279A.010(1)(ii)).
17.4. Nondiscrimination in Employment. Consultant certifies, in accordance with ORS 279A.112, that it has in place a policy and practice of preventing sexual harassment, sexual assault, and discrimination against employees who are members of a protected class,² as defined by subsection 2(1)(b) of ORS 279A.112. As a material condition of this Contract, Consultant shall maintain, throughout the duration of this Contract, a policy and practice that comply with ORS 279A.112, including giving employees written notice of the Consultant's policy and practice.
18. Consultant's Compliance with Tax Laws.
18.1. Consultant shall, throughout the term of this Contract and any extensions, comply with all tax laws of this state and all applicable tax laws of any political subdivision of this state. For the purposes of this section, "tax laws" includes all the provisions described in subsection 10.1.9 of this Contract.
² ORS 279A.112, subsection 2(1)(b) contains an expansive definition of the term "protected class":
(b) "Protected class" means a group of people that state or federal law protects from employment discrimination including, but not limited to, a group in which membership depends on an ascribed association or identification, or an individual's voluntary association or identification with other individuals, on the basis of one or more of these characteristics:
(A) Race, color or ethnicity;
(B) National origin;
(C) Sex;
(D) Gender, including actual or perceived gender identity;
(E) Sexual orientation;
(F) Disability;
(G) Age;
(H) Marital status; or
(I) Religion.
18.2. Any violation of subsection 18.1 of this section shall constitute a material breach of this Contract. Further, any violation of Consultant's warranty, in subsection 10.1.6 of this Contract that Consultant has complied with the tax laws of this state and the applicable tax laws of any political subdivision of this state also shall constitute a material breach of this Contract. Any violation shall entitle Authorized Purchaser to terminate this Contract, to pursue and recover any and all damages that arise from the breach and the termination of this Contract, and to pursue any or all of the remedies available under this Contract, at law, or in equity, including but not limited to:
18.2.1. Termination of this Contract, in whole or in part;
18.2.2. Exercise of the right of setoff, and withholding of amounts otherwise due and owing to Consultant, in an amount equal to State's setoff right, without penalty; and
18.2.3. Initiation of an action or proceeding for damages, specific performance, declaratory or injunctive relief. Authorized Purchaser shall be entitled to recover any and all damages suffered as the result of Consultant's breach of this Contract, including but not limited to direct, indirect, incidental and consequential damages, costs of cure, and costs incurred in securing replacement Services, a replacement contractor, or any of the above.
These remedies are cumulative to the extent the remedies are not inconsistent, and Authorized Purchaser may pursue any remedy or remedies singly, collectively, successively, or in any order whatsoever.
19. Governing Law. This Contract shall be governed by and construed according to the internal laws of the State of Oregon without regard to principles of conflicts of law.
20. Dispute Resolution; Litigation; Claim Venue and Consent to Jurisdiction
20.1. Dispute Resolution. In the event that the Parties have any disagreement, dispute, breach or claim of breach, non-performance, or repudiation arising from, related to or in connection with the Contract or any of the terms or conditions thereof, or any transaction hereunder including but not limited to either Party's failure or alleged failure to comply with any of the provisions of the Contract (hereinafter collectively the "Dispute"), other than one related to the release of Confidential Information, the Parties shall first conduct the following procedure in an attempt to resolve the Dispute:
• The Parties shall make every effort to settle any Dispute through their respective managers, within five (5) Calendar Days of one Party notifying the other Party of a Dispute.
• If the Dispute is not resolved between the managers, then either Party may initiate formal dispute resolution discussions by advising the other party in writing. The contact point for these discussions shall be the Parties' Authorized Representatives. The Parties shall attempt to resolve the Dispute within five (5) Calendar Days of the notice from a Party that they are initiating this second level of Dispute resolution discussions. If the Parties mutually agree in writing that there has been substantial progress toward resolution of the Dispute, this second level may be extended for an additional five (5) Business Day period which shall commence at the conclusion of the first five (5) day period.
• If the Parties are unable to resolve the Dispute, the Parties may file suit as set forth below, provided, however, that neither party will bring a legal action arising out of or related to this Contract more than two (2) years after the Party has actual knowledge of the Claim.
Nothing in this section: (a) shall in any way limit a Party's rights to seek injunctive relief of any kind, at any time, with respect to any matter; (b) in any way limit Authorized Purchaser's or Consultant's right to suspend or terminate the Contract or pursue other remedies available under the Contract, by law or otherwise; (c) remove the requirement to provide notices or filings to meet deadlines otherwise required by law; or (d) constitute a waiver of the sovereign immunity of the State of Oregon.
20.2. State Agency Venue and Consent to Jurisdiction. Any claim, action, suit or proceeding (collectively, "Claim") between DAS, Authorized Agency or any other agency or department of the State of Oregon that is an ORCPP Member, and Consultant that arises from or relates to this Contract shall be brought and conducted solely and exclusively within the Circuit Court of Marion County for the State of Oregon; provided, however, that if a Claim must be brought in a federal forum, then it shall be brought and adjudicated solely and exclusively within the United States District Court for the District of Oregon. CONSULTANT, BY EXECUTION OF THIS CONTRACT, HEREBY CONSENTS TO THE IN PERSONAM JURISDICTION OF SAID COURT(S) AND WAIVES ANY CLAIM THAT SUCH FORUM IS AN INCONVENIENT FORUM. In no event may this section be construed as (i) a waiver by the State of Oregon of any form of defense or immunity, whether sovereign immunity, governmental immunity, immunity based on the eleventh amendment to the Constitution of the United States or otherwise, from any claim, or (ii) consent by the State of Oregon to the jurisdiction of any court.
20.3. ORCPP Member Venue and Consent to Jurisdiction. Any Claims between Consultant and an ORCPP Member other than an agency of the State of Oregon that arise from or relate to this Contract order shall be brought and conducted solely and exclusively within the Circuit Court of the county in which such ORCPP Authorized Purchaser resides, or at the ORCPP Authorized Purchaser's option, within such other county as the ORCPP Authorized Purchaser is entitled under the laws of the relevant jurisdiction to bring or defend Claims. If any such Claim must be brought in a federal forum, then unless otherwise prohibited by law it shall be brought and conducted solely and exclusively within the United States District Court for the District in which such ORCPP Authorized Purchaser resides. CONSULTANT HEREBY CONSENTS TO THE IN PERSONAM JURISDICTION OF SAID COURTS AND WAIVES ANY OBJECTION TO VENUE IN SUCH COURTS, AND WAIVES ANY CLAIM THAT SUCH FORUM IS AN INCONVENIENT FORUM. Nothing herein shall be construed as a waiver of ORCPP Authorized Purchaser's sovereign or governmental immunity, if any, whether derived from the Eleventh Amendment to the United States Constitution or otherwise, or of any defenses to Claims or consent to jurisdiction based thereon.
21. Records Maintenance; Access. Consultant shall maintain all fiscal records relating to this Contract and Consultant's performance hereunder, according to Generally Accepted Accounting Principles. In addition, Consultant shall maintain all other records relating to this Contract in such a manner as to clearly document Consultant's performance of its duties under this Contract. Consultant acknowledges and agrees that Authorized Purchaser and the federal government (if federal funds are used), the Oregon Secretary of State's Office, the Oregon Department of Revenue, the Oregon Department of Justice and their duly authorized representatives shall have access to such records and other books, documents, papers, plans and writings of Consultant relating to this Contract to perform examinations and audits and make excerpts and transcripts. Consultant shall retain and keep accessible all fiscal and other records relating to this Contract, including books, documents, papers, plans, and writings, for a minimum of six (6) years, or such longer period as may be required by applicable law, following final payment and termination or expiration of this Contract, or until the conclusion of any audit, controversy or litigation arising out of or related to this Contract, whichever date is later.
22. Intended Beneficiaries. Authorized Purchaser and Consultant are the only parties to this Contract and are the only parties entitled to enforce its terms. Nothing in this Contract gives, is intended to give, or will be construed to give or provide, any benefit or right, whether directly, indirectly, or otherwise, to third persons unless such third persons are individually identified by name herein and expressly described as intended beneficiaries of the terms of this Contract. DAS is an intended beneficiary of the terms of this Contract.
23. Foreign Contractor. If Consultant is not domiciled in or registered to do business in the State of Oregon, Consultant shall promptly provide to the Oregon Department of Revenue and the Secretary of State, Corporation Division, all information required by those agencies related to this Contract.
24. Force Majeure. Neither Authorized Purchaser nor Consultant will be responsible for delay or default caused by fire, riot, acts of God, terrorism, war or any other like cause which is beyond the party's reasonable control. Consultant shall, however, make all reasonable efforts to remove or eliminate such a cause of delay or default and shall, upon the cessation of the cause, diligently pursue performance of its obligations under this Contract. Authorized Purchaser may terminate this Contract upon written notice to Consultant after it determines that such delay or default will likely prevent successful performance of this Contract.
25. Survival. All Contract terms, which by their context are intended to survive contract termination or expiration, shall survive, as well as sections 5, 6, 8, 9, 11, 12, 13, 16, 19, 28 and 30 of this Exhibit B.
26. Time is of the Essence. Consultant agrees that time is of the essence for delivering Services under this Contract.
27. Notice. Except as otherwise expressly provided in this Contract, any communications between the parties hereto or notices to be given hereunder must be given in writing by email, personal delivery, facsimile, or mailing the same, postage prepaid, to Consultant or Authorized Purchaser at the email address, postal address or telephone number set forth in this Contract, or to such other addresses or numbers as either party may indicate pursuant to this section 27. Any communication or notice so addressed and mailed is effective five (5) Business Days after mailing. Any communication or notice delivered by facsimile is effective on the day the transmitting machine generates a receipt of the successful transmission, if transmission was during normal business hours, or on the next business day, if transmission was outside normal business hours of the recipient. To be effective against Authorized Purchaser, any notice transmitted by facsimile must be confirmed by telephone notice to Authorized Purchaser's Contract Administrator. Any communication or notice given by personal delivery is effective when actually delivered. Any notice given by email is effective when the sender receives confirmation of delivery, either by return email, or by demonstrating through other technological means that the email has been delivered to the intended email address.
28. Severability. The parties agree that if any term of this Contract is declared by a court of competent jurisdiction to be illegal or in conflict with any law, the validity of the remaining terms is not affected, and the rights and obligations of the parties are construed and enforced as if this Contract did not contain the particular term held to be invalid.
29. Counterparts. This Contract may be executed in several counterparts, all of which when taken together shall constitute one agreement binding on all parties, notwithstanding that all parties are not signatories to the same counterpart. Each copy of this Contract so executed shall constitute an original.
30. Amendment; Change Orders.
30.1. Amendments. This Contract may be amended, modified, or supplemented only by a written amendment signed by Authorized Purchaser and Consultant. Any amendment that provides for additional Services or other services may only provide for Services or other services directly related to the scope of Services in the solicitation, and no amendment will be effective until all requisite signatures and approvals are obtained.
30.2. Change Orders and Change Control Process. Subject to the conditions above, modifications to time of performance, quantity, or deliverables in a Statement of Work attached as Exhibit No. 1, and the related costs may be managed through an Authorized Purchaser-authorized change control process that reflects at least the processes described in this section. Either Authorized Purchaser or Consultant may request a change by submitting a written proposal describing the requested change to the other party. Authorized Purchaser's and Consultant's Authorized Representatives will review the written change request and either mutually approve it for further analysis or reject it. If the change request is mutually approved, the requesting party will prepare a written change order, detailing all modifications to the Services and related costs (the "Change Order"). A Change Order at a minimum must contain:
• The effective date of the Change Order;
• A detailed description of the Services to be performed under the Change Order;
• The particular specification or matter in the Statement of Work which will be altered, and the precise scope of that alteration;
• Whether the Change Order modifies critical path Deliverables;
• Any change in the cost of the Services to be performed pursuant to the Change Order; and
• The cumulative cost changes of all Change Orders previously issued.
A Change Order may alter only time of performance, quantity, or deliverables in a Statement of Work and the related costs to which it expressly relates and must not otherwise affect the terms and conditions of this Contract. Both parties must sign the Change Order to authorize the Services described therein and incorporate the changes into this Contract.
30.3. Payments. No Services may be performed pursuant to an Amendment or Change Order and no payment may be made on account of the Amendment or Change Order until the Amendment or Change Order is fully executed and all required State of Oregon approvals are received. Authorized Purchaser will pay for Services performed pursuant to an Amendment or Change Order according to the acceptance and payment procedures set forth in this Contract.
31. Integration; Waiver. This Contract, including incorporated exhibits, constitutes the entire agreement between the parties on the subject matter hereof. There are no understandings, agreements, or representations, oral or written, not specified herein regarding this Contract. No waiver, consent, modification or change to the terms of this Contract shall bind either party unless in writing and signed by all parties and all approvals required by law have been obtained. Such waiver, consent, modification or change, if made, shall be effective only in the specific instance and for the specific purpose given. The failure of Authorized Purchaser or Consultant to enforce any provision of this Contract shall not constitute a waiver by Authorized Purchaser or Consultant of that or any other provision.
32. Reporting. Authorized Purchasers who are state agencies are responsible for reporting this Contract to the Oregon Department of Revenue. The Department of Revenue may take any and all actions permitted by law relative to the collection of taxes due to the State of Oregon or a political subdivision, including (i) garnishing the Consultant's compensation under this Contract or (ii) exercising a right of setoff against Consultant's compensation under this Contract for any amounts that may be due and unpaid to the State of Oregon or its political subdivisions for which the Department of Revenue collects debts.
EXHIBIT B
to Master Agreement #8263
Description of Services; Pricing

Services:
Category 1 - Identify:
Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
Category 2 - Protect:
Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.

Consultant Key Persons and Key Person Rates.
POSITION TITLE/SERVICES DESCRIPTION               HOURLY RATE
Project Manager                                   $175
Social Engineering Subject Matter Expert          $110
Physical Security Subject Matter Expert           $135
Technical Security Subject Matter Expert          $185
Senior Technical Security Subject Matter Expert   $225
Executive Manager                                 $225
Editing / Quality Assurance Specialist            $110
EXHIBIT E
to Master Agreement #8263
PERFORMANCE STANDARDS AND METRICS
Consultant shall, at all times, comply with all performance requirements and expectations specified in the Vendor Management Program's Contractor Onboarding Guide, found at:
http://www.oregon.gov/basecamp/Documents/New_Vendor_Onboarding_Guide_V.1.pdf
Consultant warrants that its performance will meet all requirements of the MSA, Contract, and all federal agency requirements, if any.
Subject to the provisions and procedures set forth in the Onboarding Guide, below are the general and specific performance standards and metrics applicable to Consultant's performance under this MSA:
GENERAL PERFORMANCE STANDARDS AND METRICS:
(Each entry lists the Performance Objective, Performance Standard, Performance Levels, and Method of Measurement.)

PM#3301
Performance Objective: The State of Oregon desires to work with consultants who support the State's and Authorized Purchaser's data initiatives and operational practices.
Performance Standard: Consultant submissions are made without need for revision and in the format established by the VSR template on time.
Performance Levels: Exceeds Expectations: On-time and without revision for last 4 VSR submissions. Satisfactory: On-time and without revision for last quarter. Unsatisfactory: Not on time, or required revision last quarter.
Method of Measurement: Consultant management reviews submissions with DAS - Procurement Services. If report is submitted on-time and using template format and does not require resubmission then status is Satisfactory, if not then status is Unsatisfactory. If Consultant receives four concurrent Satisfactory statuses Consultant is upgraded to Exceeds Expectations.

PM#4101
Performance Objective: The State of Oregon desires its Authorized Purchasers to have positive experiences when working with Basecamp Consultants.
Performance Standard: Consultants maintain a Net Promoter Score of 40 or higher.
Performance Levels: Exceeds Expectations: x ≥ 55. Satisfactory: 40 ≤ x < 55. Unsatisfactory: x < 40.
Method of Measurement: Figures are rounded to the nearest integer. Calculated as Percentage of Promoters minus Percentage of Detractors, where a Promoter is a respondent who responded with a score of 9 or 10, and a Detractor is a respondent who responded with a score between 1 and 6. Sample Survey Question: "How likely would you recommend the products/services of [CONSULTANT] to a colleague or a public organization?" on a scale of 1-10.

PM#4102
Performance Objective: The State of Oregon desires Authorized Purchasers to see the Basecamp Catalog and its price agreements are of the highest quality.
Performance Standard: Consultants maintain a mean score of 3 out of 5.
Performance Levels: Exceeds Expectations: x ≥ 4.0. Satisfactory: 3.0 ≤ x < 4.0. Unsatisfactory: x < 3.0.
Method of Measurement: Figures are rounded to the nearest single decimal place. Calculated as Mean response value over a rolling 4 periods. Sample Survey Question: "In thinking about your most recent purchase with [CONSULTANT], how was the quality of the product or service you received?" using a 5 point semantic differential scale (1: Bad through 5: Good).

PM#1303
Performance Objective: The State of Oregon desires an agreement in which Authorized Purchasers are given upfront and transparent prices, both before the engagement begins and on the invoice before they make payment.
Performance Standard: All (100%) reviewed invoices detail prices, quantities, and total by line-item. For services this includes rates, positions, and hours as applicable.
Performance Levels: Exceeds Expectations: x = 100%. Satisfactory: 95% ≤ x < 100%. Unsatisfactory: x < 95%.
Method of Measurement: Figures are rounded to the nearest whole percentage point. Percent of quotes with corresponding invoices that detail costs broken down by item or service including all deliverables.

PM#4103
Performance Objective: The State of Oregon desires consultants to price their products and services competitively and show they provide value.
Performance Standard: Consultants maintain a mean score of 3.5 out of 5.
Performance Levels: Exceeds Expectations: x ≥ 4.5. Satisfactory: 3.5 ≤ x < 4.5. Unsatisfactory: x < 3.5.
Method of Measurement: Figures are rounded to the nearest single decimal place. Calculated as Mean response value over a rolling 4 periods. Sample Survey Question: "Please rate your level of agreement when thinking about your most recent purchase with [CONSULTANT]: Our organization received value for the money." (1: Strongly Disagree, 2: Disagree, 3: Neither Agree nor Disagree, 4: Agree, 5: Strongly Agree).

PM#4104
Performance Objective: The State of Oregon desires its consultants to provide high quality, skilled, and customer service oriented key persons to participate on Authorized Purchasers' contracts.
Performance Standard: Consultants maintain a mean score of 3 out of 5.
Performance Levels: Exceeds Expectations: x ≥ 4.0. Satisfactory: 3.0 ≤ x < 4.0. Unsatisfactory: x < 3.0.
Method of Measurement: Figures are rounded to the nearest single decimal place. Calculated as Mean response value over rolling 4 periods. Sample Survey Question: "In thinking about your most recent purchase with [CONSULTANT], please rate the satisfaction with the persons employed by [CONSULTANT]?" (1: Unsatisfied through 5: Satisfied).

PM#4302
Performance Objective: The State of Oregon desires to work with consultants who provide timely response to Authorized Purchasers' requests.
Performance Standard: Purchasing Partners generally receive a response within 2 business days of a request as indicated by a response of greater than 3 out of 5.
Performance Levels: Exceeds Expectations: x ≥ 4.0. Satisfactory: 3.0 ≤ x < 4.0. Unsatisfactory: x < 3.0.
Method of Measurement: Figures are rounded to the nearest single decimal place. Calculated as Mean response value over a rolling 4 periods. Sample Survey Question: "When making a request about project related work, submitting a ticket, or reporting a problem, staff from [CONSULTANT] generally respond within 2 business days" (99: Too Early to Measure, 1: Never, 5: Always).
SPECIFIC PERFORMANCE STANDARDS AND METRICS FOR THIS MSA:
(Each entry lists the Performance Objective, Performance Standard, Performance Levels, and Method of Measurement.)

PM#3304
Performance Objective: The State of Oregon desires an agreement in which Authorized Purchasers have confidence in the quality of work they receive from our consultants. The State wants to reduce the need for Authorized Purchasers to micro-manage or reproduce work that should be completed by the Consultant.
Performance Standard: Less than or equal to 10% of deliverables submitted receive a rejection.
Performance Levels: Exceeds Expectations: x < 5.0%. Satisfactory: 5.0% ≤ x ≤ 10.0%. Unsatisfactory: x > 10.0%.
Method of Measurement: Figures are rounded to the nearest single decimal place. Calculated as the total number of rejected deliverables within the reporting period divided by the number of deliverables that were submitted for acceptance in that reporting period.

PM#3303
Performance Objective: The State of Oregon desires to work with consultants who provide quality work when they estimate work will be completed.
Performance Standard: On average, deliverables are submitted when they are due.
Performance Levels: Exceeds Expectations: x ≤ -1.0. Satisfactory: -1.0 < x ≤ 0.0. Unsatisfactory: x > 0.0.
Method of Measurement: Figures are rounded to the nearest single decimal place. Survey Question: "The Basecamp program is reviewing orders placed on MSA #[ ] for [TITLE] to monitor vendor delivery times. Your order and deliverable number [ORDER #: Deliverable #] has been selected for review. In reviewing this order deliverable, was the deliverable received by the due date?"
a. Please indicate the date of order:
b. Please indicate the expected delivery date:
c. Please indicate the date of delivery:

PM#3601
Performance Objective: The State of Oregon desires to work with consultants who utilize appropriate methods of conducting work that are clear and demonstrable.
Performance Standard: Consultants maintain a mean score of 3 out of 5.
Performance Levels: Exceeds Expectations: x ≥ 4.5. Satisfactory: 3.0 ≤ x < 4.5. Unsatisfactory: x < 3.0.
Method of Measurement: Figures are rounded to the nearest single decimal place. Customer Satisfaction Survey that asks: "Did the Consultant use the methods it proposed in its contract to complete its work?" (0: Too Early to Measure, 1: Strongly Disagree, 2: Disagree, 3: Neither Agree nor Disagree, 4: Agree, 5: Strongly Agree).
NON-CORE MEASUREMENTS RECORDED BY VENDOR MANAGEMENT PROGRAM:
(Each entry lists the Performance Objective, Performance Standard, Performance Levels, and Method of Measurement.)

PM#1304
Performance Objective: The State of Oregon desires an agreement in which the total cost of support services to the total project cost is kept at a reasonable level.
Performance Standard: NON-CORE: No Defined Standard.
Method of Measurement: Percentages are rounded to the nearest single decimal place. Calculated as the sum of quoted cost of proposal to an opportunity divided by the project estimated budget at time of opportunity notice.

PM#9901
Performance Objective: The State wants visibility into the utilization of its price agreements or master agreements.
Performance Standard: NON-CORE: No Defined Standard.
Method of Measurement: Calculated as the count of agencies and authorized purchasers over the life of the MSA.

PM#9902
Performance Objective: The State wants visibility into the utilization of its price agreements or master agreements.
Performance Standard: NON-CORE: No Defined Standard.
Method of Measurement: Calculated as the count of engagements over the life of the MSA.

PM#9903
Performance Objective: The State of Oregon wants visibility on the utilization of its price agreements or master agreements.
Performance Standard: NON-CORE: No Defined Standard.
Method of Measurement: Calculated as the total dollars expended over the life of the MSA.

PM#9904
Performance Objective: The State of Oregon desires to contract with and promote firms who hold Certification from the Office of Business Inclusion and Diversity (http://www.oregon4biz.com/How-We-Can-Help/COBID/). Basecamp also wishes to extend opportunities to firms who are certified in other states or by a federal entity in certifications of Minority, Women, Emerging/Small, and/or Disadvantaged Business enterprises. (Noted with an asterisk.)
Performance Standard: NON-CORE: No Defined Standard.
Method of Measurement: Flag: Oregon Certified: Certified in the State of Oregon; Other Certified: [Listed certifications]; Not Certified.
EXHIBIT F
to Master Agreement #8263
Insurance Requirements
Consultant shall obtain at Consultant's expense the insurance specified in this Exhibit F prior to performing under this MSA or any Contract, and shall maintain it in full force and at its own expense throughout the duration of this MSA and all Contracts, and as required by any extended reporting period or tail coverage requirements, and all warranty periods that apply.
Consultant shall obtain the following insurance from insurance companies or entities that are authorized to transact the business of insurance and issue coverage in the State of Oregon and that are acceptable to DAS. Authorized Purchasers may request additional insurance coverages under a Contract, as deemed necessary.
Coverage must be primary and non-contributory with any other insurance and self-insurance. Consultant shall pay for all deductibles, self-insured retention and self-insurance, if any.
Consultant shall obtain at Consultant's expense the insurance specified in this Exhibit F prior to performing under this MSA or any Contract, and shall maintain it in full force and at its own expense throughout the duration of this MSA and any Contract, and as required by any extended reporting period or tail coverage requirements, and all warranty periods that apply. Consultant shall obtain the following insurance from insurance companies or entities that are authorized to transact the business of insurance and issue coverage in the State of Oregon and that are acceptable to DAS and Authorized Purchaser. Authorized Purchaser may request additional insurance coverages. Coverage must be primary and non-contributory with any other insurance and self-insurance. Consultant shall pay for all deductibles, self-insured retention and self-insurance, if any.
1. INSURANCE REQUIRED.
1.1 Workers' Compensation & Employers' Liability. All employers, including Consultant, that employ subject workers, as defined in ORS 656.027, shall comply with ORS 656.017 and provide workers' compensation insurance coverage for those workers, unless they meet the requirement for an exemption under ORS 656.126(2). Consultant shall require and ensure that each of its subcontractors complies with these requirements. If Consultant is a subject employer, as defined in ORS 656.023, Consultant shall also obtain employers' liability insurance coverage with limits not less than $500,000.00 each accident. If Consultant is an employer subject to any other state's workers' compensation law, Consultant shall provide workers' compensation insurance coverage for its employees as required by applicable workers' compensation laws including employers' liability insurance coverage with limits not less than $500,000.00 and require and ensure that each of its out-of-state subcontractors complies with these requirements.
1.2 Professional Liability. Consultant shall provide Professional Liability insurance including the following:
A combined single limit of no less than $1,000,000.00 per occurrence covering:
1. Technology Errors and Omissions related to the professional services and products provided under this MSA or any Contract;
2. Network Security/Privacy Breach of agency data;
3. Coverage for regulatory fines and fees imposed against Agency due to failures in products and Services provided under this MSA or any Contract, including defense cost.
Coverage must include errors, omissions, negligent acts, denial of service, media liability (including software copyright), dishonesty, fraudulent or criminal acts by a person or persons whether identified or not, intellectual property infringement, computer system attacks, unauthorized access and use of computer system, regulatory actions, and contractual liability. Coverage must extend to business associates and independent contractors providing professional services on behalf of or at the direction of Consultant. A primary policy or combination of a primary policy and excess policy is acceptable in order to meet the limits requirement.
1.3 Commercial General Liability. Consultant shall provide Commercial General Liability Insurance covering bodily injury, and property damage in a form and with coverage that are satisfactory to DAS or Authorized Purchaser. This insurance must include personal and advertising injury liability, products and completed operations, contractual liability coverage, in each case arising out of Consultant's negligence, and have no limitation of coverage to designated premises, project, or operation. Coverage must be written on an occurrence basis in an amount of not less than $500,000.00 per occurrence and $500,000.00 aggregate.
1.4 Automobile Liability. Consultant shall provide Automobile Liability Insurance covering Consultant's business use including for all owned, non-owned, or hired vehicles with a combined single limit of not less than $1,000,000.00 for bodily injury and property damage. This coverage may be written in combination with the Commercial General Liability Insurance (with separate limits for Commercial General Liability and Automobile Liability). Use of personal automobile liability insurance coverage may be acceptable if evidence that the policy includes a business use endorsement is provided.
2. ADDITIONAL INSURED. The Commercial General Liability, and Automobile Liability insurance required under this MSA and any Contract must include an additional insured endorsement specifying the State of Oregon, its officers, employees and agents as Additional Insureds, including additional insured status with respect to liability arising out of ongoing operations and completed operations but only with respect to Consultant's activities to be performed under this MSA or any Contract. The Additional Insured endorsement with respect to liability arising out of your ongoing operations must be on ISO Form CG 20 10 07 04 or equivalent and the Additional Insured endorsement with respect to completed operations must be on ISO form CG 20 37 04 13 or equivalent.
3. TAIL COVERAGE. If any of the required insurance is on a claims-made basis and does not include an extended reporting period of at least twenty-four (24) months, Consultant shall maintain either tail coverage or continuous claims made liability coverage, provided the effective date of the continuous claims made coverage is on or before the Effective Date of this MSA and any Contract, for a minimum of twenty-four (24) months following the later of (i) Consultant's completion and Authorized Purchaser's acceptance of all Services required under this MSA and any Contract, or, (ii) the expiration of all Warranty Periods provided under this MSA and any Contract.
4. CERTIFICATE(S) AND PROOF OF INSURANCE. Consultant shall provide to DAS and Authorized Purchaser Certificate(s) of Insurance for all required insurance before delivering any goods or performing any Services required under this MSA or a Contract. The Certificate(s) must list the State of Oregon, its officers, employees and agents as a Certificate holder and as an endorsed Additional Insured. If excess/umbrella insurance is used to meet the minimum insurance requirement, the Certificate of Insurance must include a list of all policies that fall under the excess/umbrella insurance. As proof of insurance DAS or Authorized Purchaser has the right to request copies of insurance policies and endorsements relating to the insurance requirements in this MSA or a Contract.
5. NOTICE OF CHANGE OR CANCELLATION. Consultant or its insurer must endeavor to provide at least thirty (30) Calendar Days' written notice to DAS or Authorized Purchaser before cancellation of, material change to, potential exhaustion of aggregate limits of, or non-renewal of the required insurance coverage(s).
6. INSURANCE REQUIREMENT REVIEW. Consultant agrees to periodic review of insurance requirements by DAS or Authorized Purchaser under this Contract and to meet updated requirements as mutually agreed upon by Consultant and DAS or Authorized Purchaser.
Attachment 1
PROPOSAL FOR
INFORMATION SECURITY ASSESSMENT SERVICES
Prepared for
City of Tigard
Prepared by:
David J. Meyer
Account Manager
davidm@infoatrisk.com
Submitted: November 19, 2020
BPM Information Security Assessment Team
184 East 11th Avenue, Suite 210, Eugene, OR, 97401
toll free 877.328.7475 | local 541.687.5222
www.bpmcpa.com
City of Tigard Infosec Assessment Proposal RESTRICTED
TABLE OF CONTENTS
EXECUTIVE SUMMARY ............ 3
SERVICE DETAILS: COMPREHENSIVE PENETRATION TEST ............ 4
   OVERVIEW ............ 4
   KEY BENEFITS ............ 4
   EXTERNAL TESTING PROCESS ............ 5
   INTERNAL TESTING PROCESS ............ 9
   PROJECT TIMELINE AND DELIVERABLES ............ 10
SERVICE DETAILS: INFORMATION SECURITY CONTROLS REVIEW ............ 12
   OVERVIEW ............ 12
   KEY BENEFITS ............ 12
   INFORMATION SECURITY CONTROLS REVIEW PROCESS ............ 12
   PROJECT TIMELINE ............ 15
   DELIVERABLES ............ 15
WORK APPROACH AND PROJECT PROCESS ............ 16
   PROJECT MANAGEMENT ............ 16
   TESTING METHODS ............ 16
   PROJECT MEETINGS ............ 17
SECURITY STATEMENT ............ 19
BPM INFORMATION SECURITY ASSESSMENT TEAM QUALIFICATIONS ............ 21
   REFERENCES ............ 21
   COMPANY PROFILE AND EXPERIENCE ............ 22
STAFFING ROLES AND RESPONSIBILITIES ............ 24
   RESUMES OF KEY STAFF ............ 24
COST PROPOSAL ............ 27
ASSERTION OF COMPLIANCE WITH ALL PROJECT REQUIREMENTS, TERMS & CONDITIONS ............ 28
November 19, 2020 2 BPM LLP
EXECUTIVE SUMMARY
The Information Security Assessment team of BPM, LLP (formerly Info@Risk) is an assessment-only
information security firm that offers our clients an extensive suite of risk-based information security
assessment services. Because of our single-focus, assessment-only business model, our clients can be
assured of a thorough, unbiased and comprehensive assessment of their information security controls.
The Information Security Assessment team has performed information security assessments since 1998
for organizations seeking effective risk mitigation and regulatory compliance.
Why BPM? In today's market, many companies profess expertise in information security but also sell
solutions to address the security deficiencies their assessments reveal. When clients engage the BPM
Information Security Assessment team, they are assured of an honest, independent assessment that will
guide the development of their information security risk management program in a cost effective, best
practices approach. All clients receive impartial recommendations for remediation, information security
plans of action and informal ad-hoc discussions on relevant risk concerns. It is because of our
assessment-only business model that our clients rely on our opinions and expertise long after we deliver
a project final report.
The Information Security Assessment team's staff and services are specifically designed and developed
to address the needs expressed by City of Tigard. Based on statements made by City of Tigard
stakeholders, it is apparent City of Tigard has made a commitment to improving their security
environment and we believe we can offer a unique and impartial assessment solution.
To meet the needs specified by City of Tigard, BPM proposes the following services:
• Comprehensive Penetration Test
Please Note: The following reduced-scope/reduced-cost options to the Comprehensive
Penetration Test are included for City of Tigard's consideration.
o Penetration Test without in-person Social Engineering or Physical Testing
o Technical Penetration Test (No social engineering, no phishing)
• Information Security Controls Review/Program Assessment
Detailed descriptions of the services are in the next sections. All proposed services are based on scoping
information provided by City of Tigard and all are aligned with NIST framework solutions. In reviewing
this proposal, we are confident City of Tigard stakeholders will readily recognize how BPM's NIST based
solutions—testing, review, methodology guidance and delivery of working documents for remediation
and program development—all support and transfer into a NIST based Information Security Program
standard.
SERVICE DETAILS: COMPREHENSIVE PENETRATION TEST
OVERVIEW
The Comprehensive Penetration Test thoroughly assesses the real-world effectiveness of information
security controls. Executed from all typical physical, human and technological attack vectors, the testing
provides a comprehensive baseline assessment of information security control effectiveness. The
proposed Comprehensive Penetration Test entails a carefully developed testing process to enable
decision makers to make effective risk-based decisions.
The assessment evaluates the logical and physical controls securing sensitive information and
demonstrates the scope and severity of discovered vulnerabilities by manually probing them with the
most up-to-date exploits. Attempts are made to leverage vulnerabilities that at first glance may seem
unrelated and insignificant into larger exploits of greater severity. Within the defined scope, the
Information Security Assessment team's testing parallels steps that might be taken by a real-world
attacker attempting to defeat the controls.
Assessors document the success of each exploit by providing evidence, typically screen shots, in the
report findings. Test results are compiled and subjected to rigorous peer review and contextual
feedback from appropriate client personnel to ensure the accuracy of the findings. With the scope and
accuracy confirmed, the assessment results are then published in a report and presented in an Executive
Summary, both designed to clearly present the nature of the risk to sensitive information and provide
clear recommendations for remediation and informed risk-based decision making.
The assessment includes remediation verification. Verification will be performed for most high-risk
technical vulnerabilities remediated within sixty days of the project completion and submitted as a
complete group for remediation verification. Remediation verification will only be done once and the
assessors will update the project Vulnerability Remediation Matrix with the results of the remediation
verification.
KEY BENEFITS
• Provides a baseline of physical, human, and technical controls that fail to operate as expected
and ones that appear to operate as intended
• Provides remediation recommendations for making information security controls more effective
• Prioritizes remediation recommendations for efficient, importance-based remediation
• Enables accurate measurement of controls improvements
EXTERNAL TESTING PROCESS
INFORMATION GATHERING
Potential Risks
Having credible information about a target organization and network improves the chances of
attackers successfully social engineering employees and enhances their ability to identify
exploitable vulnerabilities. Information about an organization is typically obtained through the
Internet but can be obtained by other means, such as voicemail directories.
Test Activities
There are three main components to information gathering:
• Digital foot-printing to inventory the organization's digital perimeter
   o Review for any embedded malicious links
   o Run scripts that change top-level domains and perform slight misspellings of domain
     names to reveal potential domain squatters
• Harvest information to determine systems or applications in use that might allow an attacker
  to craft more targeted attacks. Information is harvested via vendor press releases, tech
  support discussion threads, plus the organization's website
• Harvest employee names, titles, phone numbers and email addresses for social engineering
  attacks
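The second foot-printing sub-item above (swapping top-level domains and misspelling the name) is a mechanical step, so here is a worked illustration of it. This is an added example, not BPM's tooling and not part of the proposal: it generates the look-alike candidates an assessor would then resolve with DNS/WHOIS to reveal registered squatters. The seed domain, the alternate-TLD list and the homoglyph map are constructed sample input.

```python
"""Domain-permutation generator for the digital foot-printing step above.

Added example, not BPM's tooling: it generates the look-alike names an
assessor would then resolve (DNS/WHOIS) to reveal potential squatters.
The seed domain and the TLD list are constructed sample input.
"""
from __future__ import annotations

import string

SEED_DOMAIN = "example-city.gov"                      # hypothetical target
ALT_TLDS = ("com", "net", "org", "us", "info", "co")  # sample alternate TLDs
HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "e": "3", "a": "4", "s": "5", "m": "rn"}
LDH = set(string.ascii_lowercase + string.digits + "-")


def split_domain(fqdn: str) -> tuple[str, str]:
    """Split 'label.tld'; only the last label is treated as the TLD (no public-suffix list)."""
    label, _, tld = fqdn.lower().rpartition(".")
    if not label or not tld:
        raise ValueError(f"not a registrable domain: {fqdn!r}")
    return label, tld


def is_valid_label(label: str) -> bool:
    """Letters, digits and hyphens only, 1-63 chars, no leading/trailing hyphen."""
    return (0 < len(label) <= 63 and set(label) <= LDH
            and not label.startswith("-") and not label.endswith("-"))


def omissions(label: str) -> set[str]:
    """Drop one character (also removes a hyphen: example-city -> examplecity)."""
    return {label[:i] + label[i + 1:] for i in range(len(label))}


def transpositions(label: str) -> set[str]:
    """Swap two adjacent characters (example -> exmaple)."""
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(len(label) - 1) if label[i] != label[i + 1]}


def repetitions(label: str) -> set[str]:
    """Double one character (example -> exaample)."""
    return {label[:i] + label[i] + label[i:] for i in range(len(label))}


def homoglyphs(label: str) -> set[str]:
    """Replace one character with a visually similar one (l -> 1, m -> rn)."""
    return {label[:i] + HOMOGLYPHS[ch] + label[i + 1:]
            for i, ch in enumerate(label) if ch in HOMOGLYPHS}


def permutations(fqdn: str) -> dict[str, set[str]]:
    """Candidate squat domains grouped by technique; the legitimate name is never included."""
    label, tld = split_domain(fqdn)
    groups = {
        "tld-swap": {f"{label}.{alt}" for alt in ALT_TLDS if alt != tld},
        "omission": {f"{v}.{tld}" for v in omissions(label)},
        "transposition": {f"{v}.{tld}" for v in transpositions(label)},
        "repetition": {f"{v}.{tld}" for v in repetitions(label)},
        "homoglyph": {f"{v}.{tld}" for v in homoglyphs(label)},
    }
    seed = f"{label}.{tld}"
    return {k: {d for d in v if is_valid_label(d.rpartition(".")[0]) and d != seed}
            for k, v in groups.items()}


if __name__ == "__main__":
    for technique, names in permutations(SEED_DOMAIN).items():
        print(f"{technique:14s} {len(names):3d}  e.g. {sorted(names)[:3]}")
```

The generator deliberately stops at candidate names: which of them are registered, and by whom, is the DNS/WHOIS step that follows, and a candidate that resolves to a mail server (MX record) deserves the most attention because it can receive misaddressed mail.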
VOICE SYSTEMS
Potential Risks
Telephone voice mail can be a source of penetration when used to exchange stolen credit card
numbers or forward local calls to long distance numbers. Stored messages in poorly protected
mailboxes can also provide defrauders with sensitive information. Voice mail systems can also be
targeted by hacker organizations simply seeking to demonstrate technical prowess.
Test Activities
To protect the voice mail system, the following items are examined:
• Voicemail account passcodes are tested for strength, and saved messages are examined for
  sensitive information
• The voicemail system is tested for fuzzing, call forwarding, and call relay vulnerabilities that
  may be used in toll fraud attacks
MODEM ACCESS SERVICES
Potential Risks
Modems associated with public telephone numbers can be identified using common war dialing
applications. Sanctioned modems are often subject to guessing or brute force attacks. Also,
attackers still use modems as backdoor access/egress points to/from a network, so that typical
network security measures, e.g. IDS/IPS, may be bypassed.
Test Activities
To protect against these threats, the following areas are assessed:
• War dialing of all phone numbers
   o Known modems are attacked
   o Unknown modems are identified and attacked
PHONE-BASED SOCIAL ENGINEERING
Potential Risks
Social engineering, as it relates to hacking, uses misrepresentation to influence an employee to
import malicious payloads and/or divulge their password or any other information that would be
useful in the attempt to gain access to sensitive information. BPM utilizes information gathered
from public sources to develop exploits specifically tailored to the client's organization.
Information such as personnel names and positions is used to craft attacks designed to test
employee awareness and training.
BPM will harvest and document phone-based social engineering targets using methods that
replicate the actions of an actual attacker. Targets may be added or deleted at the client's
discretion.
Test Activities
Employees are attacked via phone-based social engineering methods, testing the following
controls:
• Willingness to execute commands and relay network information to an unverified caller
• Willingness to navigate to an external site and download a malware payload at the behest of
  an unverified caller
• Willingness to disclose credentials to an unverified caller
EMAIL SERVICES AND MALICIOUS ATTACHMENTS
Potential Risks
Mail servers that are not configured properly can be victimized in many ways. One common attack
vector is to use the organization's mail system as a SPAM relay, i.e. a launch point for emails
destined for people/organizations outside the client's organization. Enumerating email addresses
that can then be used by social engineers is also common. Additionally, criminal hackers exploiting
published or known weaknesses, e.g. email address spoofing, can greatly enhance a phishing attack
(see below).
Malicious attachments are generally considered the most common means of delivering malware
onto an organization's network. Malicious attachments range from nuisance attacks to
ransomware, to full-scale Denial of Service (DoS) attacks against network infrastructure, to launch
points for Advanced Persistent Threat (APT) campaigns.
Test Activities
The following email safeguards are assessed:
• Platform-related vulnerabilities
• Email address enumeration
• SMTP relay vulnerabilities
• Email address spoofing
• Malicious email attachment controls
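The "email address spoofing" item above is decided largely by two DNS records, the domain's SPF TXT record and its `_dmarc` DMARC record, and an assessor reads them before sending a single test message. The following is an added example of that review, not BPM's tooling and not part of the proposal: it evaluates already-retrieved record text offline. The sample records are constructed for a hypothetical domain; on an engagement they would come from `dig TXT <domain>` and `dig TXT _dmarc.<domain>`.

```python
"""Offline check of the DNS records that decide whether a domain can be spoofed.

Added example, not BPM's tooling: it evaluates already-retrieved SPF and DMARC
TXT records. The records below are constructed; on an engagement they would
come from `dig TXT <domain>` and `dig TXT _dmarc.<domain>`.
"""
from __future__ import annotations

import re

# RFC 7208 terms that cost a DNS lookup; more than 10 per evaluation is a permerror.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed sample records for a hypothetical domain.
WEAK = {
    "spf": "v=spf1 include:_spf.example.net a mx ptr +all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.gov",
}
HARDENED = {
    "spf": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.gov",
}


def parse_spf(txt: str) -> dict | None:
    """Return {'all': qualifier or None, 'lookups': n, 'terms': [names]}, or None if not SPF."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    all_q, lookups, names = None, 0, []
    for term in parts[1:]:
        qualifier = "+"                         # RFC 7208: a missing qualifier means "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name == "all":
            all_q = qualifier
        elif name in LOOKUP_TERMS:
            lookups += 1
        names.append(name)
    return {"all": all_q, "lookups": lookups, "terms": names}


def parse_dmarc(txt: str) -> dict[str, str] | None:
    """Return DMARC tag/value pairs, or None if the record is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess_spoofing_controls(spf_txt: str | None, dmarc_txt: str | None) -> list[str]:
    """Findings an assessor would report; an empty list means nothing to flag."""
    findings = []
    spf = parse_spf(spf_txt) if spf_txt else None
    if spf is None:
        findings.append("no SPF record: any host may send mail as this domain")
    else:
        if spf["all"] is None:
            findings.append("SPF has no 'all' term: unlisted senders evaluate as neutral")
        elif spf["all"] == "+":
            findings.append("SPF ends in +all: every sender on the Internet is authorized")
        elif spf["all"] == "?":
            findings.append("SPF ends in ?all: neutral result, receivers will not reject")
        elif spf["all"] == "~":
            findings.append("SPF ends in ~all: softfail only; rely on DMARC for enforcement")
        if "ptr" in spf["terms"]:
            findings.append("SPF uses the ptr mechanism, which RFC 7208 says SHOULD NOT be used")
        if spf["lookups"] > 10:
            findings.append(f"SPF needs {spf['lookups']} DNS lookups (>10): receivers return permerror")
    dmarc = parse_dmarc(dmarc_txt) if dmarc_txt else None
    if dmarc is None:
        findings.append("no DMARC record: SPF/DKIM failures carry no policy")
    else:
        if dmarc.get("p", "none") == "none":
            findings.append("DMARC p=none: spoofed mail is reported but still delivered")
        if int(dmarc.get("pct", "100")) < 100:
            findings.append(f"DMARC pct={dmarc['pct']}: policy applied to only part of the mail flow")
        if "rua" not in dmarc:
            findings.append("DMARC has no rua= address: no aggregate reports on abuse")
    return findings
```

A record that passes this check is not proof that spoofing fails: SPF is evaluated against the envelope sender, so a header-From that differs from the envelope domain is only caught when DMARC alignment is enforced, which is why the hardened sample pairs `-all` with `p=reject`.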
PHISHING
Potential Risks
Social engineering, as it relates to hacking, uses misrepresentation to influence an employee to
divulge their password or any other information that would be useful in an attempt to gain access
to sensitive information. BPM utilizes information gathered from public sources to develop exploits
specifically tailored to the client's organization. Information such as personnel names and
positions is used to craft attacks designed to test employee awareness and training.
Test Activities
In the Phishing test, employees are attacked via email-based social engineering methods, testing
the following controls:
• Willingness to follow directions in an email from an unverified sender
• Willingness to navigate to an external site and/or disclose credentials
BPM will harvest and document phishing targets using methods that replicate the actions of an
actual attacker. Targets may be added or deleted at the client's discretion to include up to 100% of
the organization's employees in the assessment.
WEB SERVICES
Potential Risks
The Internet not only brings anonymity to hackers, but also a certain degree of impunity from legal
consequences. Web services are among the most commonly attacked systems on the Internet.
Test Activities
To evaluate controls against web-based attacks the following areas are examined:
• Vulnerabilities created by unnecessary services running on the web servers
• Commonly documented system security holes
• Evaluate if the means of authentication is consistent with levels of information sensitivity
• Evaluate privilege escalation, i.e. can authenticated users gain access to unauthorized
  information?
• Sensitive web directory protections from unauthorized access
• Injection, scripting, and traversal controls
FIREWALL
Potential Risks
Unauthorized access by external and/or internal users. Other risks include IP spoofing, denial of
service attacks, reconnaissance using programs such as finger, whois, tracert and nslookup, and
failure to limit services such as talk, Internet Relay Chat (IRC) and similar programs (WINAMP,
NetMeeting, Instant Messenger) to only designated ports.
Test Activities
BPM assesses the susceptibility of the client firewall to known vulnerabilities and exploits that
circumvent its protection features.
• Attempt to access the firewall from outside the trusted network; determine if make and model
  can be identified and if unauthorized connections are allowed
• Identify and attack any management login dialogs
• Harvest and attack pre-shared keys
EXTERNAL NETWORK DEVICES
Potential Risks
When an Internet connection is made, every hacker in the world gains potential access to any
machine using a public IP address. BPM assesses the perimeter network devices' susceptibility to
compromise.
Test Activities
• Determine if routers are configured to be hidden from public observation
• Test to see if routers refuse all unauthorized connections
• Test for patch-related vulnerabilities, extraneous services or weak configurations
MISCELLANEOUS SERVICES
Potential Risks
This section includes Domain Name Services (DNS), FTP servers, Terminal Services and other
external systems/components not fitting within the categories listed above. By exploiting
vulnerabilities in these systems, a hacker could reduce system productivity and access sensitive
hosts and/or proprietary information.
Test Activities
The following services are tested where applicable:
• DNS server allowing unauthorized servers to perform DNS zone transfers
• Test FTP (File Transfer Protocol) servers for risks from published vulnerabilities, including
  denial of service (DoS), buffer overflow, and directory traversal
• Examine RDP and Terminal Services for vulnerabilities related to unauthorized system account
  access
INTERNAL TESTING PROCESS
ONSITE SOCIAL ENGINEERING
Potential Risks
Onsite social engineering consists primarily of tests of visitor controls. Combined with physical
security weaknesses, on-site social engineering vulnerabilities raise the likelihood of successful
exploits against vulnerabilities discovered in the testing elements outlined below.
Test Activities
The following controls are tested where applicable:
• Challenging visitors on entry
• Vetting visitors' identification
• Verifying visitors' authority to visit
• Escorting visitors
PHYSICAL SECURITY
Potential Risks
Physical security poses challenges to the protection of information assets. Many physical
weaknesses can be exploited to provide access, even of short duration, to computing resources,
and strong physical controls can limit data leakage. Without adequate data center security, even
the most complex security solutions can be bypassed with physical access to the server, network
hardware, or in some cases, workstations.
Test Activities
BPM assesses the following physical security controls:
• Ingress controls, e.g. door locks, alarm systems, surveillance systems
• Externally visible monitors
• Unlocked, unattended workstations
• Unsecured trash receptacles, shred bins, and dumpsters
• Fire suppression controls
• Publicly accessible information assets, e.g. lobby kiosk PCs
NETWORK DEVICES
Potential Risks
BPM probes for weaknesses in network devices that could be exploited by attackers who have
penetrated the physical security perimeter, or by internal threats such as unprivileged or
unauthorized users.
Test Activities
BPM assesses the following:
• Internal network device ARP spoofing to harvest and compromise data and services
• Vulnerabilities in device software versions
• Easily guessed credentials
WORKSTATIONS
Potential Risks
Often the first internal systems compromised are user workstations. Once access is granted to a
networked workstation, a hacker can ascertain other possible access points. In many Windows
networks, domain passwords are resident in memory.
Test Activities
The following are assessed:
• WPAD-related vulnerabilities
• Patch-related operating system vulnerabilities
• Known application vulnerabilities
• Easily guessed passwords
• Insecure configuration settings
NETWORK SERVERS
Potential Risks
Servers typically hold the most critical data, including user databases, confidential business
information, public or private web pages, and mail services. Exploitation of application
vulnerabilities could result in compromise of data confidentiality, integrity (corrupted data), and
availability (files deleted).
Test Activities
This section assesses the following items:
• Patch-related operating system vulnerabilities
• Known application vulnerabilities
• Easily guessed passwords
• Insecure configuration settings
• Extraneous services running on the servers
• Unauthenticated/unauthorized access to data and services
MISCELLANEOUS SERVICES
Potential Risks
Miscellaneous security covers devices that do not fit into other categories. Commonly cited
devices include storage devices, multi-function printer/scanner/fax/copiers and uninterruptible
power supplies. Through security weaknesses in any of these, attackers on the inside can reduce
system productivity, access sensitive and/or proprietary information, and create the conditions for
leveraging other weaknesses, possibly leading to the ability to steal, corrupt, delete, or
compromise an organization's information systems.
Test Activities
Miscellaneous testing includes:
• Patch-related operating system vulnerabilities
• Known application vulnerabilities
• Easily guessed passwords
• Insecure configuration settings
• Extraneous services
• Unauthenticated/unauthorized access to data and services
EGRESS
Potential Risks
In the event an attacker or malware payload is successful in gaining access to the organization's
network, determining the impact can be difficult.
Test Activities
BPM assesses egress security from an internal perspective, including:
• Test limits on egress
• Test limits on data exfiltration, e.g. data loss prevention
PROJECT TIMELINE AND DELIVERABLES
Depending upon project scope, the Comprehensive Penetration Test typically requires approximately
four to six weeks as described below:
• Testing phase: 3 weeks.
• Report/Deliverables preparation: 1 week.
• Technical presentations: 1-2 hour presentation is typically delivered during the week following
Report/Deliverables preparation.
• Executive presentation.
The deliverables for the Comprehensive Penetration Test include:
EXECUTIVE SUMMARY REPORT AND PRESENTATION DOCUMENT
The Executive Summary Report is a brief overview of the assessment and results. It is written in non-
technical language and includes areas of strength as well as recommended areas for improvement.
The Executive Presentation document contains copies of the slides shown during the results
presentation to the Executive Committee, executive management and/or other concerned parties. This
is designed to provide management with a clear, non-technical overview of the results of the full
assessment.
NARRATIVE REPORT
The Narrative Report contains detailed and summarized written findings of vulnerabilities and
descriptions of leveraged exploits, suggested risk ratings associated with each, and recommendations
for remedial action.This includes screenshots and other appropriate visual documentation, a rating of
the severity of the risk, and recommendations for remediation. The report is designed to make clear the
nature of the risk to sensitive information for each specific vulnerability to assist in prioritizing
remediation efforts and ensure effective risk mitigation.
VULNERABILITY REMEDIATION MATRIX
The Vulnerability Remediation Matrix shows all vulnerabilities found in a concise spreadsheet format.
BPM includes an electronic copy of the Vulnerability Remediation Matrix as an editable document to
record remediation. When completed, the Vulnerability Remediation Matrix can be shown to auditors to
demonstrate City of Tigard's remediation effort.
LETTER OF ATTESTATION
The auditor's cover letter of attestation provides a brief summary of project scope and results. This
document may be used to provide evidence of due care and due diligence, without revealing any result
details.
SERVICE DETAILS: INFORMATION SECURITY CONTROLS REVIEW
OVERVIEW
The Information Security Controls Review evaluates the organization's documentation of controls
required by regulations as well as standards and additional controls informed by best practices. In
addition, the Controls Review provides detailed recommendations for Information Security Program
improvement.
BPM reviews the Information Security Program control implementation as guided by NIST SP 800-53
Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations.
In order to ensure the review includes controls appropriate for the organization, BPM incorporates
guidance from the NIST SP 800-53 Rev. 4 Low Baseline.
KEY BENEFITS
• Provides guidance for improving the Program's effectiveness in fulfilling regulations and
standards and appropriate best practices
• Provides detailed, long-term recommendations on how to improve the Program
• Guided by NIST SP 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems
and Organizations
INFORMATION SECURITY CONTROLS REVIEW PROCESS
BPM will conduct the Information Security Controls Review through examination of Information Security
Program documentation and interviews with organization stakeholders.
The Information Security Controls Review will:
• Determine applicable information security controls
• Examine documentation and interview organization stakeholders
• Evaluate sufficiency of information security controls documentation
• Provide prioritized recommendations for Program improvement
DETERMINE APPLICABLE INFORMATION SECURITY CONTROLS
BPM will determine a reasonable set of applicable information security controls for the organization.
An organization's applicable information security controls are informed by:
• Controls required for compliance with regulations and standards
• Controls appropriate for the organization informed by best practices
Below is an example set of regulations, standards, and best practices that might be used to establish the
applicable controls for an organization.
APPLICABLE CONTROL SET
BPM and Organization have determined that the following regulations, standards, and best practices
comprise a reasonable set of applicable information security controls with regard to its business practices
and the sensitivity of information it protects.
• PCI Data Security Standard (PCI DSS) 3.0
• NIST SP 800-53 r4 Low Baseline
The Information Security Controls Review will supply the organization with an authoritative Catalog of
Applicable Controls, based on guidance from NIST SP 800-53 Rev. 4.
Below is an example control from NIST SP 800-53 Rev. 4 Appendix D.
AC-7 UNSUCCESSFUL LOGON ATTEMPTS
Control: The information system:
a. Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon
attempts by a user during a [Assignment: organization-defined time period]; and
b. Automatically [Selection: locks the account/node for an [Assignment: organization-defined
time period]; locks the account/node until released by an administrator; delays next logon
prompt according to [Assignment: organization-defined delay algorithm]] when the
maximum number of unsuccessful attempts is exceeded.
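The control above leaves three values to the organization (the attempt limit, the time period, and which of the three responses to select), and a controls review checks that each is defined and that the system actually behaves that way. As an added illustration, not text from the proposal and not from NIST SP 800-53, the following Python shows one way a logon service could enforce AC-7 with those values as parameters. The policy values are hypothetical defaults and the clock is injected so the behaviour can be exercised deterministically.

```python
"""One way to enforce NIST SP 800-53 AC-7 as quoted above.

Added example, not part of the proposal and not NIST text. The three
organization-defined values are constructor parameters; the clock is
injected so behaviour is deterministic. Policy values below are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Literal


@dataclass
class Ac7Policy:
    # AC-7(a): [Assignment: organization-defined number] of consecutive failures
    max_attempts: int = 5
    # AC-7(a): [Assignment: organization-defined time period], in seconds
    window_seconds: float = 900.0
    # AC-7(b): [Selection] of the response once the maximum is reached
    action: Literal["lock_for_period", "lock_until_admin", "delay"] = "lock_for_period"
    lockout_seconds: float = 1800.0      # for lock_for_period
    delay_base_seconds: float = 2.0      # for delay: base * 2**excess, capped
    delay_cap_seconds: float = 60.0


@dataclass
class _AccountState:
    failures: list[float] = field(default_factory=list)  # failure timestamps inside the window
    locked_until: float | None = None  # None = unlocked; inf = until administrator release
    delay_until: float = 0.0


class LogonGuard:
    """Call check() before verifying a credential, then record_failure()/record_success()."""

    def __init__(self, policy: Ac7Policy, now: Callable[[], float]):
        self.policy = policy
        self.now = now
        self._accounts: dict[str, _AccountState] = {}

    def _state(self, user: str) -> _AccountState:
        return self._accounts.setdefault(user, _AccountState())

    def check(self, user: str) -> str:
        """Return 'ok', 'locked' or 'delayed' for the next logon prompt."""
        st, t = self._state(user), self.now()
        if st.locked_until is not None:
            if t < st.locked_until:
                return "locked"
            st.locked_until = None          # temporary lock has expired
            st.failures.clear()
        if t < st.delay_until:
            return "delayed"
        return "ok"

    def retry_after(self, user: str) -> float:
        """Seconds until the account may try again (0 if it may try now)."""
        st, t = self._state(user), self.now()
        until = max(st.locked_until or 0.0, st.delay_until)
        return max(0.0, until - t)

    def record_failure(self, user: str) -> str:
        """Count an invalid attempt; apply the AC-7(b) action once the limit is reached."""
        st, t, p = self._state(user), self.now(), self.policy
        # Only failures inside the organization-defined window count as consecutive.
        st.failures = [f for f in st.failures if f > t - p.window_seconds]
        st.failures.append(t)
        if len(st.failures) < p.max_attempts:
            return "counted"
        # The limit is exhausted: any further attempt would exceed it, so respond now.
        if p.action == "lock_for_period":
            st.locked_until = t + p.lockout_seconds
            return "locked"
        if p.action == "lock_until_admin":
            st.locked_until = float("inf")
            return "locked"
        excess = len(st.failures) - p.max_attempts
        st.delay_until = t + min(p.delay_base_seconds * 2 ** excess, p.delay_cap_seconds)
        return "delayed"

    def record_success(self, user: str) -> None:
        self._state(user).failures.clear()   # a valid logon breaks the consecutive run

    def admin_release(self, user: str) -> None:
        self._accounts[user] = _AccountState()  # administrator unlock per AC-7(b)
```

Two review points follow from the code rather than from the control text: the counter must live server-side and per account (a client-held counter is trivially reset), and a lockout that never expires makes AC-7 a denial-of-service primitive against any account whose name an attacker can guess, which is why the timed lock or the delay algorithm is usually selected for user accounts and the administrator-release option reserved for privileged ones.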
EXAMINE DOCUMENTATION AND INTERVIEW ORGANIZATION STAKEHOLDERS
BPM will review the organization's complete Information Security Program, including examining all
Program documentation and interviewing organization stakeholders to account for undocumented
Program practices identified during examination.
The structure and schedule of examination and interviews is detailed in the Project Timeline section
below.
EVALUATE SUFFICIENCY OF INFORMATION SECURITY CONTROLS DOCUMENTATION
BPM will evaluate the sufficiency of the organization's information security controls documentation in
fulfilling applicable compliance regulations and standards and appropriate best practices.
Evaluation of sufficiency will be both general and control-specific. Control-specific evaluation will be
organized by control families defined in NIST SP 800-53 Rev. 4.
Below is the list of control families defined in NIST SP 800-53 Rev. 4 Appendix D.
TABLE 1: SECURITY CONTROL IDENTIFIERS AND FAMILY NAMES
ID FAMILY ID FAMILY
AC Access Control MP Media Protection
AT Awareness and Training PE Physical and Environmental Protection
AU Audit and Accountability PL Planning
CA Security Assessment and Authorization PS Personnel Security
CM Configuration Management RA Risk Assessment
CP Contingency Planning SA System and Services Acquisition
IA Identification and Authentication SC System and Communications Protection
IR Incident Response SI System and Information Integrity
MA Maintenance PM Program Management
PROVIDE PRIORITIZED RECOMMENDATIONS FOR PROGRAM IMPROVEMENT
BPM will provide a prioritized set of recommendations for general improvements to the Information
Security Program.
These recommendations highlight Program concerns that are more extensive than control-specific
insufficiencies, and detail long-term steps on how to achieve the recommended improvement.
Below is an example Recommendation Summary from a Controls Review Report.
RECOMMENDATION SUMMARY
BPM recommends the following general improvements to Organization's Information Security Program.
Each recommendation includes detailed, long-term steps on how to achieve the improvement.
1. Establish Information Security Steering Committee
2. Develop Information Security Program Plan
3. Develop Information Asset Inventory
4. Develop and document baseline configuration for systems subject to change management
5. Expand Business Continuity Plan to include information security system and process
contingencies
6. Expand Disaster Recovery Plan to include quantifiable Recovery Time Objectives and
Recovery Point Objectives
These recommendations will take time and resources to address. BPM attempts to limit its
recommendations set to one which might be reasonably completed in two years.
PROJECT TIMELINE
The Information Security Controls Review is performed through examination of Information Security
Program documentation and interviews with organization stakeholders, which consist of a series of
remote meetings.
The meeting schedule is detailed in the following table.
Timeline            Meeting Topic                                   Client Time Requirement
Prior to project    Meeting - Kick-off                              30 minutes
                    Client provides documentation                   Varies
Week 1              BPM reviews documentation                       None
Week 2              BPM reviews documentation                       None
Week 3              Stakeholder interviews:
                    Meeting - Undocumented Practices (part 1)       60 minutes
                    Meeting - Undocumented Practices (part 2)       60 minutes
Week 4              Meeting - Draft Report                          60 minutes
If the availability of stakeholders causes delays in scheduling, an additional fee may be incurred.
DELIVERABLES
CONTROLS REVIEW REPORT: Provides the client with a detailed report of the controls review,
including an executive summary, prioritized recommendations, and narrative of controls
implementation.
CATALOG OF APPLICABLE CONTROLS: Provides the client with an authoritative catalog that includes
a reasonable set of applicable controls informed by regulations, standards, and best practices relevant
to the organization.
CONTROLS REVIEW WORKBOOK: Provides the client with the workbook used for tracking
examination and interview notes, which will serve as an exhibit of Information Security Program review.
WORK APPROACH AND PROJECT PROCESS
The Information Security Assessment team's approach for every project is to partner with the client to
strengthen the client's security posture. With each of our services, the initial step is to identify
weaknesses, gaps, and vulnerabilities in the client's organization. We follow this with guidance to use
the assessment information to improve the organization's risk mitigation processes. Each service has a
clear outcome and set of deliverables designed to assist City of Tigard in moving their Information
Security Program forward.
All assessment activities are performed remotely from the Information Security Assessment Team's
offices unless the activity requires an onsite presence (Onsite Social Engineering, Physical Security
Assessment, Onsite Firewall Review, etc.) or as otherwise specifically noted. Throughout the project,
frequent communication with all stakeholders will be a primary aspect of our work.
The assessment services described in this proposal will follow the Information Security Assessment
team's project process.This process has been refined over nineteen years of assessment experience and
is specifically designed to ensure clear communication of test results and thorough understanding of the
risks posed by any specific finding.
PROJECT MANAGEMENT
To ensure timely and complete performance of tasks and delivery of reports and other associated
materials, BPM assigns a dedicated Project Manager. In addition to setting schedule and meeting times,
the Project Manager serves as the primary interface for all project communications. When necessary for
the completion of specific assessment duties, assessors are available for direct communication with City
of Tigard stakeholders.
TESTING METHODS
BPM has dedicated a team of specialists to perform the work proposed to City of Tigard. While each
team member has areas of specialization and particular expertise, the Information Security Assessment
team's methodology requires rigorous peer review of all findings. Modeled on academic peer review,
assessors review and challenge other team members' test results to ensure thoroughness and accuracy.
This process is developed to also ensure that information gathered from a specific testing area can be
utilized to enhance the tests performed on other assets. This will fully reveal the nature of the risks
posed by a specific vulnerability and better reflect the actions of an actual attacker who might utilize a
cascading sequence of exploits to compromise sensitive information and assets.
PROJECT MEETINGS
The meetings detailed below pertain to the Comprehensive Penetration Test service; please see the
Service Details sections for the Information Security Controls Review for a detailed list of anticipated
meetings for those services. If the Information Security Controls Review is performed in conjunction
with the Comprehensive Penetration Test, the Executive Presentation described below will also
incorporate results from those services.
PROJECT KICK-OFF MEETING
A conference call between BPM assessment personnel and appropriate City of Tigard stakeholders to:
• Explain project elements and testing methods
• Review and finalize project calendar
• Review personnel assignments (for both BPM and City of Tigard) for each task
• Coordinate appropriate communication protocols for project tasks
• Clarify any testing restrictions, exclusions or concerns, to avoid adverse impacts to City of Tigard
personnel or production systems and best ensure meeting of all project goals
DRAFT CONFERENCE CALL
After performing assessments and compiling an initial report, a conference call between BPM
Assessment personnel and appropriate City of Tigard stakeholders will be conducted to preview the
findings.
The preview conference call meeting will:
• Present draft report in a line-by-line preview of every finding to ensure City of Tigard personnel
understand all details of the issues found
• Provide the opportunity for City of Tigard personnel to present additional information that may
impact the risk posed to the organization and/or accuracy of the finding
• Receive feedback from City of Tigard stakeholders on changes/modifications for the final reports
The primary goals of the Draft Conference Call are to ensure the accuracy of each finding, and for City of
Tigard personnel to have a clear understanding of the risks posed and the appropriate steps to mitigate
such risks. Following the Draft Conference Call, and after all parties are in agreement as to the findings,
their severity, and remediation steps and priorities, BPM will prepare the Final Report for the Executive
Presentation.
EXECUTIVE PRESENTATION
To ensure the appropriate communication of test results to organizational decision-makers, BPM will
coordinate a secure, live video conference presentation of the report results to Executive Management
and/or other appropriate personnel. This will be a high-level overview designed for these stakeholders
to understand the nature of the tests performed, the effectiveness of existing controls in managing risks,
and the responses and improvements made by City of Tigard personnel in response to the test results.
The goal will be to provide Executive Management with the information needed for them to make well-
informed, risk-based decisions. Opportunity for questions and discussion will be included in the
presentation.
SECURITY STATEMENT
Information security is our business and the Information Security Assessment team considers the
management and securing of client sensitive information a matter of utmost priority. City of Tigard can
be assured their sensitive information will be protected.
Policies and procedures are in place to ensure the highest level of protection for all sensitive data. BPM
documents that address this issue include: Security Policy Manual, Incident Response Policy, Business
Continuity Plan, Privacy Policy, Information Classification Guide, Employee Manual, and Data Handling
Procedures. BPM has a third-party conduct periodic penetration testing to assess information security.
For all engagements, BPM's secure document management website is used to send and receive all client
sensitive information, from project schedule through delivery of final reports. All information is
encrypted both at rest and in transit. The physical and electronic safeguarding of data is described in the
Data Handling Procedure and includes specifics for encryption, storage, and deletion of sensitive data.
The Information Security Assessment team's terms of employment specify the security responsibilities
required of our employees and all personnel must adhere to applicable policies. Employee Security
Awareness training occurs upon hire and at least annually thereafter. In addition, BPM requires
background checks for every employee when they are hired. All project employees receive annual
Information Security training from industry leading organizations including the International
Organization for Standardization, the International Information System Security Certification
Consortium, the SANS Institute, ISACA, and others.
The Information Security Assessment team does not use sub-contractors or third-party IT vendors.
Other vendors, such as electricians, who may have access to the team's office suite are escorted and
monitored at all times.
The Information Security Assessment team's technical security controls are designed to meet or exceed
the risk management requirements of all our customers, e.g. HIPAA, GLB, CAS, etc. The Information
Security Assessment team prohibits potentially insecure remote access protocols, such as RDP sessions,
and requires fixed, known-good source addresses (at the network layer), and multi-factor authentication
for remote access. Technical security controls include, but are not limited to, the following:
• Intrusion prevention and detection systems (IPS/IDS) in place on administrative networks
• Positive security model at the network edge to prevent unauthorized access
• Multi-layered email filtering mechanisms that include malware detection
• Encrypted communications and file exchange for customer Internet-based interactions involving
sensitive data
• Multiple redundant encrypted tunnels used for interfacing in and out of client networks
• Multi-factor controls for all workstations and client test hosts
• Full disk encryption of all workstations, applicable servers, and all test hosts
• Two-factor authentication is required to access the firewall management console, and is only
accessible from specific internal VLANs
• Automatic domain account lockout for repeated failed authentication attempts
• Comprehensive NGFW traffic logging
The Information Security Assessment team's Information Security Policy dictates that all project-related
data must be securely destroyed within six months of project completion, unless otherwise instructed
by the client. We utilize data destruction methods in accordance with protocols used by the U.S.
Department of Defense.
The most compelling attestation to the Information Security Assessment team's technical security
controls is that, in over two decades of providing highly sensitive security assessment services for
hundreds of institutions, we have not had an insurance claim, threatened or actual litigation claim, or
known security breach. We work hard every day to maintain this status and sustain our business by
being passionately focused on securing data before, during, and after engagements, and then securely
deleting all engagement data from our hosts.
REFERENCES
City of Gresham
133 NW Eastman Parkway
Gresham, OR 97030
Contact: Pat Hartley, IT Director
Phone: (503) 618-2520
Email: pat.hartley@greshamoregon.gov
City of Sherwood
22560 SW Pine Street
Sherwood, OR 97140
Contact: Brad Crawford, IT Director
Phone: (503) 625-4203
Email: crawfordb@sherwoodoregon.gov
SAIF Corporation
400 High St. SE
Salem, OR 97312
Contact: Bill Donaldson, Information Security Officer
Phone: (503) 373-8725
Email: bildon@saif.com
PacificSource Health Plans
PO Box 7068
Springfield, OR 97475
Contact: David Mohr, Information Security Manager
Phone: (541) 684-5488 x5488
Email: david.mohr@pacificsource.com
Additional references are available on request.
COMPANY PROFILE AND EXPERIENCE
BPM LLP
Information Security Assessment Team
184 East 11th Avenue, Suite 210
Eugene, OR, 97401
877-328-7475 (Toll Free)
541.687.5222 (Local)
541-485-7372 (Fax)
http://www.bpmcpa.com
BPM DUNS: 18-123-9468 BPM FEIN: 81-4234542
Mission Statement: Our mission is to provide the most expert, unbiased and comprehensive
information security risk analysis services available today, while maintaining the highest levels of
integrity and ethical conduct.
QUALIFICATIONS AND CERTIFICATIONS
• CISSP: Certified Information System Security Professional
• CISA: Certified Information Systems Auditor
• CWAPT: Certified Web Application Penetration Tester
• CEH: Certified Ethical Hacker
• CPT: Certified Penetration Tester
• CSSA: Certified SCADA Security Architect
• GAWN: GIAC Assessing and Auditing Wireless Networks
BRIEF HISTORY
The Information Security Assessment team of BPM, LLP (formerly Info@Risk) was founded when the
Gramm-Leach-Bliley Act (GLBA) was still a bill in Congress and we have been performing risk analysis
services since January 1998. Originally started as a small team within a regional systems integration firm,
the potential for conflict-of-interest was soon recognized. Info@Risk was spun off into a stand-alone
corporation with no shared ownership with any other information technology firm. Since January 1998
the Information Security Assessment team has performed over 1,200 comprehensive penetration tests
and over 600 information security program reviews, configuration reviews and risk assessments. In
2017, Info@Risk joined BPM, an accounting firm that provides assurance, tax, and audit services.
LIST OF PRODUCTS AND SERVICES
• Comprehensive Information Security Penetration Test
• Application Penetration Test
• Wireless Penetration Test
• Device/System Configuration Review
• Black Box Testing / Gray Box Testing / Credentialed Testing
• Social Engineering Awareness Testing
• Information Security Risk Assessment
• Information Security Program Review
• Online Banking Review
• General IT Controls Audit
• Information Security Controls Audit
• Security Awareness Training
• Periodic Active Directory Password Audit
• Periodic Scanning
STATEMENT OF KEY DIFFERENTIATORS
BPM offers our clients an extensive suite of risk-based information security assessments services, but we
do not plan, build or manage IT systems. Because of our assessment-only business model, our clients
can be assured of a thorough and unbiased comprehensive assessment of their information security
controls. No additional security products, services, vendor or partner alliances, or other potential
conflicts of interest will ever impact the complete objectivity of the Information Security Assessment
team's assessments. In addition, with no financial stake in any information security related products or
solutions, remediation recommendations will always be the most cost-effective possible, keeping only
our client's best interests in mind.
Located in Eugene, Oregon, the Information Security Assessment team has worked with entities
throughout the United States. A large percentage of the Information Security Assessment team's clients
are repeat customers, with many of our relationships stretching back nearly to our beginning in 1998.
We attribute these enduring relationships to three facts:
• our clients value the depth and comprehensive quality of our work
• our clients recognize that to truly manage risk, an unbiased assessment and remediation plan
are a priority when choosing a vendor
• our clients seek a partnership with their impartial assessment vendor to guide them in making
informed, risk-based decisions for their organization
BPM's Information Security Assessment team provides our clients with thorough and comprehensive
information security assessments so they can be confident in making risk-based decisions best suited for
their organization. We are proud of the work we have done and are confident our references will
support this pride. In today's market, many companies profess expertise in information security but also
sell solutions to address the security deficiencies their assessments reveal. We strongly encourage you
to contact our references to find out more about the quality of our services, processes, and personnel.
STAFFING
ROLES AND RESPONSIBILITIES
BPM will staff this project exclusively with Information Security Assessment team employees who have
performed similar assessments for a number of years. The Information Security Assessment team does
not use independent contractors or third-party vendors to perform assessments.
• Key BPM staff proposed for this project are included below in the resume section
• All Information Security Assessment team staff are US citizens
• BPM attests that all project personnel have passed thorough background checks and that no
employees working on the engagement have ever been convicted of a felony or excluded from
participation in a governmental program
• BPM attests that no client data will be disclosed
• BPM will provide all tools necessary to conduct its assessments
RESUMES OF KEY STAFF
David T.—Partner, IT Assurance
U.S. Army Achievement Medal
B.A., Magna Cum Laude and Phi Beta Kappa: University of New Hampshire
M.S., University of Oregon
A technology entrepreneur since 1989, David first led the growth of InfoGroup Northwest (now
Presidio) from four employees to the largest independent information systems integrator in the
Pacific Northwest. Leveraging his unique experience building information systems, David
launched Info@Risk in January 1998, with the single purpose of assessing clients' information
system security. Since then, he has led over 1200 information security assessment engagements
for satisfied customers across all major industries throughout the United States.
David has worked in Information Security with governments, financial institutions, utilities, and
healthcare since 1998.
Jeannie R.—Project Manager
B.S., Ithaca College
Since 2011, Jeannie has led the team to consistently deliver on-time, in-budget, completed work.
Prior to taking on project management responsibilities, Jeannie worked for seven years as
Info@Risk's operations manager, providing her with an intimate understanding of how projects
get done. Previously, Jeannie was a Physical Therapist for 22 years, providing her with key
insights into the clinic workflow challenges facing our healthcare clients.
Jeannie has worked in Information Security since 2004.
Joshua S.—Lead Technical Assessor
University of Oregon
CJIS Certification, Level 4
Certified Ethical Hacker (CEH)
Certified Penetration Tester (CPT)
Joshua also started his career as a systems administrator for a university in 2009. Since then,
Joshua has used his education specialized track in information security as a systems specialist and
assessor. Joshua is a dual-threat assessor, with skills in both networking and application
development. Joshua's excellent work ethic and superior attention to detail make him a valued
member of the Information Security Assessment team.
Joshua has worked in Information Security with governments and education since 2009.
Alex B.—Lead Program Assessor
B.A., University of Oregon
Certified Information Systems Auditor (CISA)
Utilizing his academic background in public speaking and critical reasoning, Alex brings the verbal
skills and critical thinking necessary to effectively assess our clients' Information Security
programs and communicate areas for improvement. With an eager enthusiasm and strong
attention to detail, Alex has the skills to provide clients with the most accurate insights into
security processes and procedures.
Alex has worked in Information Security with governments, financial institutions, utilities, and
healthcare since 2012.
Chris S.—Senior Technical Assessor
B.S., University of Oregon
CJIS Certification, Level 4
Certified Information Systems Security Professional (CISSP)
Certified Ethical Hacker (CEH)
Certified Penetration Tester (CPT)
Certified Web Application Penetration Tester (CWAPT)
Chris' six years of experience managing a non-profit's diverse network and support personnel
provide a wealth of experience in managing the confidentiality, integrity, and availability of
networked resources within a limited budget. Through his experience, Chris has developed a
profound interest and understanding of the information security necessary to maintain an
institution's mission and integrity. With more than twelve years of professional experience in the
technology field and a broad range of networking expertise, Chris brings to the Information
Security Assessment team a deep commitment to the effective management of our clients' risks.
Chris has worked in Information Security with governments, financial institutions, utilities, and
healthcare since 2009.
Ryan F.—Technical Assessor
B.S. Mathematics, University of Oregon
B.S. Computer Science, University of California Santa Cruz
Certified Ethical Hacker (CEH)
Certified SCADA Security Architect (CSSA)
Ryan began his career in 2005 as an IT Help Desk employee at UC Santa Cruz, while working on an
undergraduate degree in Computer Science. Ryan continued to work as a developer and analyst
through his work on a B.S. in Mathematics at the University of Oregon in 2012. Since then, Ryan
has worked in positions of increasing complexity and authority, from System Administrator to
security management. Ryan brings his keen eye and commitment to excellence that inspires both
clients and co-workers.
Ryan has worked in Information Technology with higher education, governments, financial
institutions, utilities, commercial organizations and healthcare since 2005.
Nick A.—Technical Assessor
B.S. University of Minnesota, Duluth
Certified Information Systems Security Professional (CISSP)
Certified Ethical Hacker (CEH)
Nick's ten years of experience performing IT support and administration prepared him for a
successful career as a penetration tester. With experiences ranging from troubleshooting, to
authoring policies and procedures, to implementing secure networks and VPNs, Nick's skills and
experience are both deep and broad. The successful application of that experience makes Nick a
key member of the Information Security Assessment team.
Nick has worked in Information Security with governments, financial institutions, utilities,
commercial organizations and healthcare since 2007.
Derek B.—Senior Program Assessor
B.A. University of New Hampshire
M.A. University of New Hampshire
Derek has been with BPM's Information Security Assessment Team since its inception in 1998.
Over those 20+ years, Derek has filled numerous roles as account manager, technical writer, and
even onsite assessor. Consequently, Derek's understanding of information security issues is both
broad and deep. Derek now focuses his attention solely on client program assessment activities,
where his wealth of knowledge is optimally applied.
Derek has worked in Information Security with governments, financial institutions, utilities, and
healthcare since 1998.
COST PROPOSAL
Proposed services listed below will be performed with specific reference to, and within the limits of, the
services as proposed in this document. The cost figure quoted below is all-inclusive, fixed and final
unless the project scope is changed at the request of the client. If applicable, State, County or Municipal
taxes will be added to the invoice.
Project scope and cost have been determined based upon the information below that was provided by
City of Tigard:
➢ 60 Public IPs
➢ 1800 Internal Hosts
➢ 7 Locations
The services proposed by BPM for City of Tigard are as follows:
• Comprehensive Penetration Test
$22,900
Please Note: The following are offered as reduced-scope/reduced cost options to the
Comprehensive Penetration Test:
o Penetration Test without in-person Social Engineering or Physical Testing
(no field work/travel)
$18,800
o Technical Penetration Test (No social engineering, no phishing)
$14,200
• Information Security Controls Review/Program Assessment
$11,400
Please note: All quoted prices include all travel and related expenses. Absolutely no other costs,other
than applicable taxes, will be incurred for the performance of the services described in this document.
Quoted prices are valid for 90 days.
ASSERTION OF COMPLIANCE WITH ALL PROJECT REQUIREMENTS
Primary Contact Information
The account manager for this proposal is:
David J. Meyer
Account Manager
BPM
877-328-7475
davidm@infoatrisk.com
The project manager for this project is:
Jeannie Reinhardt
Project Manager
BPM
877-328-7475
ieannier@infoatrisk.com
Person authorized to contractually bind BPM LLP for any accepted proposal is:
David Trepp, M.S.
Partner, IT Assurance
BPM
877-328-7475
davidt@infoatrisk.com
All of the information contained in this proposal is true and accurate to the best of my knowledge.
David Trepp
Partner, IT Assurance
BPM
November 19, 2020
Notice: This document contains confidential information intended only for the use of the individual or
entity to which it is addressed. Any disclosure, copying, distribution, or action in reliance on the contents
of this document is strictly prohibited by anyone except the party to whom it is addressed.