CM-06-09-182
CITY OF ROUND ROCK AGREEMENT FOR
PROFESSIONAL CONSULTING SERVICES FOR
A FULL SPECTRUM INTEGRATED VULNERABILITY ASSESSMENT (FSIVA)
WITH CYBERDEFENSES, INC
THIS AGREEMENT for professional consulting services relating to the City of Round
Rock's (the "Agreement") is made by and between the City of Round Rock, a Texas home-rule
municipal corporation, with offices located at 221 East Main Street, Round Rock, Texas 78664-
5299, (the "City") and CyberDefenses, Inc (the "Consultant"), with offices located at 1205 Sam
Bass Road, Round Rock.
RECITALS:
WHEREAS, City has determined that there is a need for the delineated services; and
WHEREAS, City desires to contract for such professional services; and
WHEREAS, the parties desire to enter into this Agreement to set forth in writing their
respective rights, duties and obligations hereunder;
NOW, THEREFORE, WITNESSETH:
That for and in consideration of the mutual promises contained herein and other good and
valuable consideration, the sufficiency and receipt of which are hereby acknowledged, it is
mutually agreed between the parties as follows:
1.01 EFFECTIVE DATE, DURATION, AND TERM
This Agreement shall be effective on the date this Agreement has been signed by each
party hereto, and shall remain in full force and effect unless and until it expires by operation of
the term indicated herein, or is terminated or extended as provided herein.
The term of this Agreement shall be until full and satisfactory completion of the work
specified herein is achieved, but in no event later than 20 October 2006.
City reserves the right to review the Agreement at any time, including at the end of any
deliverable or phase or task, and may elect to terminate the Agreement with or without cause or
may elect to continue.
1.02 CONTRACT AMOUNT (All Fees are waived under the existing FSIVA Proof of
Concept period.)
1.03 SCOPE OF SERVICES
For purposes of this Agreement, Consultant has issued its Scope of Services for the
assignments delineated herein, and such Scope of Services is delineated in the attached Scope of
Services Document and incorporated herein for all purposes.
This Agreement shall evidence the entire understanding and agreement between the
parties and shall supersede any prior proposals, correspondence or discussions.
Consultant shall satisfactorily provide all services and deliverables described under the
referenced Scope of Services within the contract term specified in Section 1.01. Consultant's
undertakings shall be limited to performing services for the City and/or advising the City
concerning those matters on which Consultant has been specifically engaged. Consultant shall
perform its services in accordance with this Agreement and with the referenced Scope of
Services. Consultant shall perform its services in a professional and workmanlike manner.
Consultant shall not undertake work that is beyond the Scope of Services set forth in
Exhibit "A." However, either party may make written requests for changes to the Scope of
Services. To be effective, a change to the Scope of Services must be negotiated and agreed to in
all relevant details, and must be embodied in a valid Supplemental Agreement as described in
Section 1.05 hereof.
1.07 REQUIRED REPORTS
Consultant agrees to provide the City with a Technical Outbrief upon conclusion of the
week of technical assessment. The Consultant agrees to provide a detailed final written report,
together with all information gathered and materials developed during the course of the project.
The final documentation will be provided as a Residual Risk document along with a data
compact disk of all source materials collected during the assessment. Additionally, Consultant
agrees to provide the City any necessary oral presentations of such written reports, at the City's
designation and at no additional cost to the City.
1.08 LIMITATION TO SCOPE OF WORK
Consultant and the City agree that the Scope of Services to be performed is enumerated
in Exhibit "A" herein, and may not be changed without the express written agreement of the
parties. Notwithstanding anything herein to the contrary, the parties agree that the City retains
absolute discretion and authority for all funding decisions, such to be based solely on criteria
accepted by the City which may be influenced by but not be dependent on Consultant's work.
1.11 TERMINATION; DEFAULT
Termination: It is agreed and understood by Consultant that the City may terminate this
Agreement for the convenience of the City, upon fifteen (15) days' written notice to Consultant,
with the understanding that immediately upon receipt of said notice all work being performed
under this Agreement shall cease. Consultant shall not be entitled to any lost or anticipated
profits for work terminated under this Agreement. Unless otherwise specified in this Agreement,
all data, information, and work product related to this project shall become the property of the
City upon termination of this Agreement, and shall be promptly delivered to the City in a
reasonably organized form without restriction on future use. Should the City subsequently
contract with a new consultant for continuation of service on the project, Consultant shall
cooperate in providing information.
Termination of this Agreement shall extinguish all rights, duties, and obligations of the
parties to fulfill contractual obligations. Termination under this section shall not relieve the
terminated party of any obligations or liabilities which occurred prior to termination.
Default: The City may terminate this Agreement, in whole or in part, for default if the
City provides Consultant with written notice of such default and Consultant fails to cure such
default to the satisfaction of the City within ten (10) business days of receipt of such notice (or a
greater time if permitted by the City).
1.12 INDEPENDENT CONTRACTOR STATUS
Consultant is an independent contractor, and is not the City's employee. Consultant's
employees or subcontractors are not the City's employees. This Agreement does not create a
partnership, employer-employee, or joint venture relationship. No party has authority to enter
into contracts as an agent for the other party. Consultant and the City agree to the following
rights consistent with an independent contractor relationship:
(1) Consultant has the right to perform services for others during the term hereof.
(2) Consultant has the sole right to control and direct the means, manner and method
by which services required by this Agreement will be performed in accordance
with the agreed upon Scope of Services.
(3) Consultant has the right to hire assistants as subcontractors, or to use its
employees to provide the services required by this Agreement.
(4) Consultant or its employees or subcontractors shall perform services required
hereunder, and the City shall not hire, supervise, or pay assistants to help
Consultant.
(5) Neither Consultant nor its employees or subcontractors shall receive training from
the City in skills necessary to perform services required by this Agreement.
(6) City shall not require Consultant or its employees or subcontractors to devote full
time to performing the services required by this Agreement.
(7) Neither Consultant nor its employees or subcontractors are eligible to participate
in any employee pension, health, vacation pay, sick pay, or other fringe benefit
plan of the City.
1.13 NON-SOLICITATION
Except as may be otherwise agreed in writing, during the term of this Agreement and for
twelve (12) months thereafter, neither the City nor Consultant shall offer employment to or shall
employ any person employed then or within the preceding twelve (12) months by the other or
any affiliate of the other if such person was involved, directly or indirectly, in the performance of
this Agreement. This provision shall not prohibit the hiring of any person who was solicited
solely through a newspaper advertisement or other general solicitation.
1.14 CITY'S RESPONSIBILITIES
Full information: The City shall provide full information regarding project
requirements. The City shall have the responsibility of providing Consultant with such
documentation and information as is reasonably required to enable Consultant to provide the
services called for. The City shall cause its employees and any third parties who are otherwise
assisting, advising or representing the City to cooperate on a timely basis with Consultant in the
provision of its services. Consultant may rely upon written information provided by the City and
its employees and agents as accurate and complete. Consultant may rely upon any written
directives provided by the City or its designated representative concerning provision of services.
Required materials: Consultant's performance requires receipt of all requested
information reasonably necessary to provision of services. The City shall furnish information
which includes but is not limited to access to the property, preliminary information and/or data
regarding the site and surrounding property (if applicable), pertinent correspondence with other
local municipal and planning officials, previous market analyses or feasibility studies, and other
pertinent information. Consultant agrees, within ten (10) days of the effective date of this
Agreement, to provide the City with a comprehensive and detailed information request list as
contained in the Schedule of Services.
1.15 CONFIDENTIALITY; AND MATERIALS OWNERSHIP
Any and all programs, data, or other materials furnished by the City for use by Consultant
in connection with services to be performed under this Agreement, and any and all data and
information gathered by Consultant, shall be held in confidence by Consultant as set forth
hereunder. Each party agrees to take reasonable measures to preserve the confidentiality of any
proprietary or confidential information relative to this Agreement, and to not make any use
thereof other than for the performance of this Agreement, provided that no claim may be made
for any failure to protect information that occurs more than three (3) years after the end of this
Agreement.
The parties recognize and understand that the City is subject to the Texas Public
Information Act and its duties run in accordance therewith.
All data relating specifically to the City's business and any other information which
reasonably should be understood to be confidential to City is confidential information of City.
Consultant's proprietary software, tools, methodologies, techniques, ideas, discoveries,
inventions, know-how, and any other information which reasonably should be understood to be
confidential to Consultant is confidential information of Consultant. The City's confidential
information and Consultant's confidential information is collectively referred to as "Confidential
Information." Each party shall use Confidential Information of the other party only in
furtherance of the purposes of this Agreement and shall not disclose such Confidential
Information to any third party without the other party's prior written consent, which consent
shall not be unreasonably withheld. Each party agrees to take reasonable measures to protect the
confidentiality of the other party's Confidential Information and to advise their employees of the
confidential nature of the Confidential Information and of the prohibitions herein.
Notwithstanding anything to the contrary contained herein, neither party shall be
obligated to treat as confidential any information disclosed by the other party (the "Disclosing
Party") which: (1) is rightfully known to the recipient prior to its disclosure by the Disclosing
Party; (2) is released by the Disclosing Party to any other person or entity (including
governmental agencies) without restriction; (3) is independently developed by the recipient
without any reliance on Confidential Information; or (4) is or later becomes publicly available
without violation of this Agreement or may be lawfully obtained by a party from any non-party.
Notwithstanding the foregoing, either party will be entitled to disclose Confidential Information
of the other to a third party as may be required by law, statute, rule or regulation, including a
subpoena or other similar form of process, provided that (without breaching any legal or
regulatory requirement) the party to whom the request is made provides the other party with
prompt written notice and allows the other party to seek a restraining order or other appropriate
relief.
Subject to Consultant's confidentiality obligations under this Agreement, nothing herein
shall preclude or limit Consultant from providing similar services for other clients.
Neither the City nor Consultant will be liable to the other for inadvertent or accidental
disclosure of Confidential Information if the disclosure occurs notwithstanding the party's
exercise of the same level of protection and care that such party customarily uses in safeguarding
its own proprietary and confidential information.
Notwithstanding anything to the contrary in this Agreement, the City will own as its sole
property all written materials created, developed, gathered, or originally prepared expressly for
the City and delivered to the City under the terms of this Agreement (the "Deliverables"); and
Consultant shall own any general skills, know-how, expertise, ideas, concepts, methods,
techniques, processes, software, or other similar information which may have been discovered,
created, developed or derived by Consultant either prior to or as a result of its provision of
services under this Agreement (other than the Deliverables). Consultant's working papers and
Consultant's Confidential Information (as described herein) shall belong exclusively to
Consultant. The City shall have a non-exclusive, non-transferable license to use Consultant's
Confidential Information for the City's own internal use and only for the purposes for which they
are delivered to the extent that they form part of the Deliverables.
1.16 WARRANTIES
Consultant warrants that all services performed hereunder shall be performed consistent
with generally prevailing professional or industry standards, and shall be performed in a
professional and workmanlike manner. Consultant shall re-perform any work not in compliance
with this warranty during the specified period of activity.
1.17 LIMITATION OF LIABILITY
Should any of Consultant's services not conform to the requirements of this Agreement,
then and in that event the City shall give written notification to Consultant; thereafter, (a)
Consultant shall either promptly re-perform such services to the City's satisfaction at no charge,
or (b) if such deficient services cannot be cured within the cure period set forth herein in Section
1.11, then this Agreement may be terminated for default.
In no event will Consultant be liable for any loss, damage, cost or expense attributable to
negligence, willful misconduct or misrepresentations by the City, its directors, employees or
agents.
In no event shall Consultant be liable to the City, by reason of any act or omission
relating to the services provided under this Agreement (including the negligence of Consultant),
whether a claim be in tort, contract or otherwise, (a) for any consequential, indirect, lost profit,
punitive, special or similar damages relating to or arising from the services, or (b) in any event,
in the aggregate, for any amount in excess of the total professional fees paid by the City to
Consultant under this Agreement, except to the extent determined to have resulted from
Consultant's gross negligence, willful misconduct or fraudulent acts relating to the service
provided hereunder.
1.18 INDEMNIFICATION
Consultant and the City each agree to indemnify, defend and hold harmless the other
from and against any and all amounts payable under any judgment, verdict, court order or
settlement for death or bodily injury or the damage to or loss or destruction of any real or
tangible personal property to the extent arising out of the indemnitor's negligence in the
performance of this Agreement.
Consultant agrees to indemnify, defend and hold harmless the City from and against any
and all amounts payable under any judgment, verdict, court order or settlement for Third Party
claims of infringement of any trade secrets, copyrights, trademarks or trade names alleged to
have occurred and arising from the deliverables provided by Consultant to the City in connection
with the performance of this Agreement. Should the City's use of such deliverables be
determined to have infringed, Consultant may, at its option: (i) procure for the City the right to
continue using such deliverables provided or (ii) replace or modify them to make their use
non-infringing while yielding substantially equivalent results. If neither of the above options is or
would be available on a basis that is commercially reasonable, then Consultant may terminate
this Agreement, the City shall return such deliverables provided, and Consultant will refund to
the City the fees paid for the deliverables provided. This infringement indemnity does not cover
claims arising from the combination of such deliverables with products or services not provided
by Consultant; the modification of such deliverables by any person other than Consultant;
deliverables complying with or based upon (1) designs provided by or at the direction of the City
or (2) specifications or other information provided by or at the direction of the City; or use of
systems, materials or work performed in a manner not permitted hereunder or by another
obligation of the City to Consultant.
The indemnities in this section are contingent upon: (1) the indemnified party promptly
notifying the indemnifying party in writing of any claim which gives rise to a claim for
indemnification hereunder; (2) the indemnifying party being allowed to participate in the defense
and settlement of such claim; and (3) the indemnified party cooperating with all reasonable
requests of the indemnifying party (at the indemnifying party's expense) in defending or settling
a claim. The indemnified party shall have the right, at its option and expense, to participate in
the defense of any suit or proceeding through counsel of its own choosing.
1.19 ASSIGNMENT AND DELEGATION
The parties each hereby bind themselves, their successors, assigns and legal
representatives to each other with respect to the terms of this Agreement. Neither party may
assign any rights or delegate any duties under this Agreement without the other party's prior
written approval, which approval shall not be unreasonably withheld.
1.20 LOCAL, STATE AND FEDERAL TAXES
Consultant shall pay all income taxes, and FICA (Social Security and Medicare taxes)
incurred while performing services under this Agreement. The City will not do the following:
(1) Make FICA payments on its behalf;
(2) Make state and/or federal unemployment compensation contributions on
Consultant's behalf.
1.21 INSURANCE
Insurance. Consultant, at Consultant's sole cost, shall have and maintain during the
term of this Agreement professional liability insurance coverage in the minimum amount of One
Million Dollars from a company authorized to do insurance business in Texas and otherwise
acceptable to the City.
Subconsultant Insurance. Without limiting any of the other obligations or liabilities of
Consultant, Consultant shall require each subconsultant performing work under this Agreement
to maintain during the term of the Agreement, at the subconsultant's own expense, the same
stipulated minimum insurance required in the immediately preceding paragraph, including the
required provisions and additional policy conditions as shown below. As an alternative,
Consultant may include its subconsultants as additional insureds on its own coverages as
prescribed under these requirements. Consultant's certificate of insurance shall note in such
event that the subconsultants are included as additional insureds.
Consultant shall obtain and monitor the certificates of insurance from each subconsultant
in order to assure compliance with the insurance requirements. Consultant must retain the
certificates of insurance for the duration of this Agreement, and shall have the responsibility of
enforcing these insurance requirements among its subconsultants. The City shall be entitled,
upon request and without expense, to receive copies of these certificates of insurance.
Insurance Policy Endorsements. Each insurance policy hereunder shall include the
following conditions by endorsement to the policy:
(1) Each policy shall require that thirty (30) days prior to the expiration, cancellation,
non-renewal or any material change in coverage, a notice thereof shall be given to
the City by certified mail to:
City Manager, City of Round Rock
221 East Main Street
Round Rock, Texas 78664
Consultant shall also notify the City, within twenty-four (24) hours of receipt, of
any notices of expiration, cancellation, non-renewal, or material change in coverage
it receives from its insurer.
(2) Companies issuing the insurance policies shall have no recourse against the City for
payment of any premiums or assessments for any deductibles which all are at the
sole responsibility and risk of Consultant.
(3) Terms "the City" or "the City of Round Rock" shall include all authorities, boards,
commissions, departments, and officers of the City and individual members,
employees and agents in their official capacities, or while acting on behalf of the
City of Round Rock.
(4) The policy clause "Other Insurance" shall not apply to any insurance coverage
currently held by the City, to any future coverage, or to the City's Self-Insured
Retentions of whatever nature.
(5) Consultant and the City mutually waive subrogation rights each may have against
the other for loss or damage, to the extent same is covered by the proceeds of
insurance.
Cost of Insurance. The cost of all insurance required herein to be secured and
maintained by Consultant shall be borne solely by Consultant, with certificates of insurance
evidencing such minimum coverage in force to be filed with the City.
1.22 COMPLIANCE WITH LAWS, CHARTER AND ORDINANCES
Consultant, its consultants, agents, employees and subcontractors shall use best efforts to
comply with all applicable federal and state laws, the Charter and Ordinances of the City of
Round Rock, as amended, and with all applicable rules and regulations promulgated by local,
state and national boards, bureaus and agencies. Consultant shall further obtain all permits,
licenses, trademarks, or copyrights required in the performance of the services contracted for
herein, and same shall belong solely to the City at the expiration of the term of this Agreement.
1.23 FINANCIAL INTEREST PROHIBITED
Consultant covenants and represents that Consultant, its officers, employees, agents,
consultants and subcontractors will have no financial interest, direct or indirect, in the purchase
or sale of any product, materials or equipment that will be recommended or required under this
Agreement.
1.24 DESIGNATION OF REPRESENTATIVES
The City hereby designates the following representative authorized to act in its behalf
with regard to this Agreement:
Director, Department
City of Round Rock
221 East Main Street
Round Rock, Texas 78664
(512) 218- 540
Email:
Consultant hereby designates the following representative authorized to act in its behalf
with regard to this Agreement:
1.25 NOTICES
All notices and other communications in connection with this Agreement shall be in
writing and shall be considered given as follows:
(1) When delivered personally to recipient's address as stated herein; or
(2) Three (3) days after being deposited in the United States mail, with postage
prepaid to the recipient's address as stated in this Agreement.
Notice to Consultant:
Notice to City:
City Manager, City of Round Rock
221 East Main Street
Round Rock, TX 78664
AND TO:
Stephan L. Sheets, City Attorney
309 East Main Street
Round Rock, TX 78664
Nothing contained in this section shall be construed to restrict the transmission of routine
communications between representatives of the City and Consultant.
1.26 APPLICABLE LAW; ENFORCEMENT AND VENUE
This Agreement shall be enforceable in Round Rock, Texas, and if legal action is
necessary by either party with respect to the enforcement of any or all of the terms or conditions
herein, exclusive venue for same shall lie in Williamson County, Texas. This Agreement shall
be governed by and construed in accordance with the laws and court decisions of Texas.
1.27 EXCLUSIVE AGREEMENT
The terms and conditions of this Agreement, including exhibits, constitute the entire
agreement between the parties and supersede all previous communications, representations, and
agreements, either written or oral, with respect to the subject matter hereof. The parties
understand and expressly agree that, in the event of any conflict between the terms of this
Agreement and any other writing, this Agreement shall prevail. No modifications of this
Agreement will be binding on any of the parties unless acknowledged in writing by the duly
authorized governing body or representative for each party.
1.28 DISPUTE RESOLUTION
If a dispute arises under this Agreement, the parties agree to first try to resolve the
dispute with the help of a mutually selected mediator. If the parties cannot agree on a mediator,
the City shall select one mediator and Consultant shall select one mediator and those two
mediators shall agree upon a third mediator. Any costs and fees, other than attorney fees,
associated with the mediation shall be shared equally by the parties.
The City and Consultant hereby expressly agree that no claims or disputes between the
parties arising out of or relating to this Agreement or a breach thereof shall be decided by any
arbitration proceeding, including without limitation, any proceeding under the Federal
Arbitration Act (9 USC Section 1-14) or any applicable state arbitration statute.
1.29 FORCE MAJEURE
Notwithstanding any other provisions of this Agreement to the contrary, no failure, delay
or default in performance of any obligation hereunder shall constitute an event of default or a
breach of this Agreement, only to the extent that such failure to perform, delay or default arises
out of causes beyond control and without the fault or negligence of the party otherwise
chargeable with failure, delay or default; including but not limited to acts of God, acts of public
enemy, civil war, insurrection, riots, fires, floods, explosion, theft, earthquakes, natural disasters
or other casualties, strikes or other labor troubles, which in any way restrict the performance
under this Agreement by the parties.
Consultant shall not be deemed to be in default of its obligations to the City if its failure
to perform or its substantial delay in performance is due to the City's failure to timely provide
requested information, data, documentation, or other material necessary for Consultant to
perform its obligations hereunder.
1.30 SEVERABILITY
The invalidity, illegality, or unenforceability of any provision of this Agreement or the
occurrence of any event rendering any portion or provision of this Agreement void shall in no
way affect the validity or enforceability of any other portion or provision of this Agreement. Any
void provision shall be deemed severed from this Agreement, and the balance of this Agreement
shall be construed and enforced as if this Agreement did not contain the particular portion of
provision held to be void. The parties further agree to amend this Agreement to replace any
stricken provision with a valid provision that comes as close as possible to the intent of the
stricken provision. The provisions of this Article shall not prevent this entire Agreement from
being void should a provision which is of the essence of this Agreement be determined void.
1.31 STANDARD OF CARE
Consultant represents that it is specially trained, experienced and competent to perform
all of the services, responsibilities and duties specified herein and that such services,
responsibilities and duties shall be performed, whether by Consultant or designated
subconsultants, in a manner according to generally accepted business/industry practices.
1.32 GENERAL AND MISCELLANEOUS
The section numbers and headings contained herein are provided for convenience only
and shall have no substantive effect on construction of this Agreement.
No delay or omission by either party in exercising any right or power shall impair such
right or power or be construed to be a waiver. A waiver by either party of any of the covenants
to be performed by the other or any breach thereof shall not be construed to be a waiver of any
succeeding breach or of any other covenant. No waiver or discharge shall be valid unless in
writing and signed by an authorized representative of the party against whom such waiver or
discharge is sought to be enforced.
This Agreement may be executed in multiple counterparts, which taken together shall be
considered one original. The City agrees to provide Consultant with one fully executed original.
IN WITNESS WHEREOF, the parties have executed this Agreement on the dates
hereafter indicated.
City of Round Rock, Texas
Title:
Date Signed:
Date Signed:
Christine R. Martinez, City Secretary
For City, Approved as to Form:
Stephan L. Sheets, City Attorney
PROPRIETARY — CyberDefenses, Inc.
2006
Scope of Services for the City of Round Rock
Full Spectrum Integrated Vulnerability Assessment (FSIVA)
This Scope of Services contains confidential and proprietary information belonging to CyberDefenses,
Inc, (hereafter called the contractor). For any purpose other than to evaluate this Scope of Services, the
data and information herein shall not be disclosed to outside organizations; this includes other
Government organizations or commercial contractors that may tender the same, or similar, services.
Furthermore, information contained in this Scope of Services shall not be duplicated, used, or disclosed, in
whole or in part. This restriction does not limit the Government's right to use information contained in
this Scope of Services if it is obtained from another source without restriction. Pages of this Scope of
Services subject to this restriction are marked with the word "PROPRIETARY" on the top and bottom of
each page.
CyberDefenses, Inc. wishes to thank the City of Round Rock for the opportunity to perform a
Full Spectrum Integrated Vulnerability Assessment (FSIVA) which will include a vulnerability
assessment, countermeasure recommendation, and risk analysis, and result in an FSIVA Residual Risk
document for the City of Round Rock network. The CyberDefenses team understands the City
of Round Rock's vision of information management and goal of providing an uninterrupted flow
of information to its customers and citizens. This effort will identify potential vulnerabilities
within Round Rock's infrastructure that pose a significant risk of exploitation by a malicious attacker
or an unintentional internal threat. Any high risk vulnerabilities discovered will be reported to the
security manager so that corrective action can be taken immediately. CyberDefenses, Inc. will
perform a vulnerability review and risk assessment in order to develop cost-effective and
sensible countermeasures for potential implementation and complete the FSIVA documentation
listed in this Scope of Services (SOS).
CyberDefenses, Inc. is comprised of a team of prior service military and specialized IT
personnel geared to provide technical expertise in IT security and electronic forensics. Team
members hold NSA, Microsoft, Cisco, Linux, and other technical certifications.
They offer subject matter expertise in all areas of information operations. Team members come
from the high tech industry with a proud military background. They have conducted
accreditations and vulnerability assessments for the last 15 years, focusing on the Certification
and Accreditation process. Our team consists of highly skilled members with a broad leadership
background in the State Infrastructure Protection Committee and many other national boards for
IT security development. Members of the staff include a previous state Chief Information
Officer, Director of Information Management, Network Control Center Chief, IT Security Chief,
and Systems Engineer. This knowledge lends insight to the processes and complexities of the
government and private industry missions and the need to focus on the salient issues that directly
impact service delivery and security. CyberDefenses, Inc. has the talents, tools, experiences and
the specific knowledge to provide quality service and recommendations based on real world,
relevant security expertise.
This Scope of Services is valid for 30 days from the date of submission, unless an extension is
authorized by a CyberDefenses representative.
Scope of Services for the City of Round Rock
PROPRIETARY — CyberDefenses, Inc.
1
EXHIBIT
PROPRIETARY — CyberDefenses, Inc.
2006
SECTION 1 — PROPOSED SCOPE OF SERVICES WORK (SOS)
In accordance with Homeland Security Presidential Directive 7 (HSPD-7), applicable
DoD Policies and Directives, including AR 25-2, DoD 8510.1-M and the Full Spectrum
Integrated Vulnerability Assessment (FSIVA) process, CyberDefenses, Inc. (hereafter referenced
as Contractor) has prepared the following task areas and formatted them for ease of
implementation into a Government-provided SOS.
The result of completing the tasks delineated within this specified SOS will be to provide
the City of Round Rock, hereafter called the customer, with an independent security assessment
of the customer's network using state-of-the-art security tools and proven Information Assurance
techniques and processes.
CyberDefenses, Inc. will conduct the proposed work in direct coordination with the City
of Round Rock technical staff and network operations personnel. Each element will be reviewed
in advance and potential risks will be discussed, mitigated to the fullest extent possible and
agreed to before procedures are initiated.
CyberDefenses is fully insured and bonded for the work performed in the conduct of any IT
assessment or managed services, including FSIVA, DITSCAP and DIACAP operations.
CyberDefenses will ensure that all operations are fully monitored, that all processes can be
immediately ceased upon notice, and that all systems remain in full operational configuration.
The overall goal of the FSIVA is to provide the City of Round Rock with a full understanding of
any vulnerabilities and residual risk on the existing network and systems infrastructure and to
leave the City in a more secure operating posture.
All documentation, data and site specific information will be the property of the City of Round
Rock and will remain in the possession of Round Rock personnel at the conclusion of the
FSIVA. The Contractor will produce 1 final copy of the summary document and the CD of
applicable data. The FSIVA Summary Document will use sanitized and typified data to represent
the FSIVA/CIP reporting requirements.
Task Area 1: FSIVA Technical Support Services
Develop a FSIVA Residual Risk Analysis covering the following items:
• Patch Management
• Business Recovery Plan
• Configuration Management
• External Connections
• Training
• Human Security
• Physical Security
• Documentation Security
• Access Control Lists Security
• Auditing Security
• Modems Security
• Computers Security
• Servers Security
• Workstations Security
• Network Security
• Firewalls Security
• Policy Security
• Password Security
• Services Security
• Accounts Security
• IDS/IPS Security
• Network Devices Security
• Wireless Security
• Operational Security
Subtask 1: Security Documentation Review — The contractor shall review a representative
sample of the applicable system and security documentation for completeness and currency with
respect to the current system configuration. The technical and non-technical documentation that
could be selected for review may include:
• Prior network testing and accreditation documentation
• Configuration Management (CM) Plan
• Physical and Personnel Security Plans
• Standing Operating Procedures (SOPs)
• Trusted Facility Manual (TFM)
• Security Features Users Guide (SFUG)
• Security Education, Training & Awareness Plan (SETAP)
• System and/or Security Concept of Operations (CONOPS)
• Contingency Plan (COOP)
• Incident Response Plan (IRP)
• Memorandums of Agreement/Understanding (MOA/MOU)
• Network Diagrams
• Hardware/Software Specification Documents
• Rules of Behavior
• Security Policy
Recommendations resulting from this review will be included in the Residual Risk Report.
Subtask 2: Site Survey and Automated Scanning — The contractor shall conduct interviews and a site
survey, including review of the initial FSIVA Minimum Security Requirements checklist in
concert with the City of Round Rock Information Technology leadership. The contractor shall
also conduct automated network scans of a representative sample of the site's network backbone,
servers, equipment and management. Automated scanning and network-related testing
techniques which may be used in support of Subtask 2 are listed below.
Research Scanning Network — The Contractor shall research and discover all objects producing a
signature on the network and sub-networks as designated in the request for service. An edited
map of the current picture of the network and sub-networks will be delivered as a product of this
task.
Hardware and Software Configuration — The Contractor shall test and verify the current
configuration of servers and workstations. This task will produce a description of the baseline
systems to include the operating systems they are running along with the software versions
(patches and service releases).
Vulnerability Scan — The Contractor shall research and test for vulnerabilities to existing
network and workstations using an industry standard vulnerability scanning tool, which currently
tests for approximately 1,000 distinct vulnerabilities.
Vulnerability Discovery — The Contractor shall research and test for vulnerabilities to existing
network and workstations using port scanning software to determine the existence of open shares
and ports for connections.
Vulnerability Sniffer — The Contractor shall research and test for vulnerabilities related to
network usage to determine traffic load, both high and low. This test will also provide metrics of
the categories of traffic on the network.
Vulnerability Telephony Connections — The Contractor shall research and test for vulnerabilities
to existing network and workstations using an automated dialer to determine the existence of
unauthorized telephony connections to the network. This test will provide a list of all potential
data transmission connections (both fax and data) that are accessible from external dial-in.
Vulnerability Anti-Virus — The Contractor shall research and test for vulnerabilities to existing
network and workstations using Symantec's Norton Anti-Virus Corporate Edition software to
assess the effectiveness of the current virus protection and methodology of deployment.
Vulnerability Logon Scripts — The Contractor shall research and test for vulnerabilities to
existing network and workstations by reviewing the current logon scripts being used for
authorized users and applications.
Vulnerability Physical Observation — The Contractor shall observe and test for potential security
breaches using known social engineering practices. This includes the observation of password
resets and escalation of privileges on the network.
Vulnerability Compliance Checks — The Contractor shall research and test for vulnerabilities to
existing network and workstations by reviewing the deployment of the fixes required by current
Vulnerability Alerts, including recommended solutions.
A product of this analysis will include editing existing maps of the current picture of the network
and subnets.
Subtask 3: Security Survey Report, Risk Assessment and Manual Testing — The contractor shall
prepare a Security Survey Report and initial Risk Assessment (CUSTOMER input required).
The contractor shall test and research the current configuration of servers and workstations and
produce a baseline systems description, to include operating systems and software versions (patches
and service releases) that are on the network. The contractor shall also identify and document network,
workstation and server vulnerabilities for those segments representative of the entire
CUSTOMER network, to include but not limited to identifying modems, external network
connections, remote access and remote control capabilities, virus vulnerabilities and security
compliance.
Subtask 4: Countermeasure Recommendations — The contractor shall analyze information
gathered in Subtasks 1 — 3 in order to develop cost-effective countermeasure recommendations
that the City of Round Rock Technical Support Staff may consider for implementation.
Countermeasure recommendations developed under this task will seek to reduce and/or mitigate
identified vulnerabilities to an acceptable level of risk, as established by the Customer.
Subtask 5: Preparation of Security Test & Evaluation Report and Risk Assessment Documents —
Using the analysis results and countermeasure recommendations from Subtask 4, the contractor
shall prepare the Residual Risk Analysis document outlining the non-technical and technical
vulnerabilities, their severity levels and associated countermeasure recommendations as
identified during the course of ST&E execution.
Task Area 2: Specialized Information Assurance (IA) Consultation
Contractor shall provide specialized information assurance and/or security engineering services
in the areas of security-related documentation preparation (i.e., Security Features User's Guides,
Trusted Facility Manuals, etc.), and/or providing technical assistance toward the implementation
of countermeasures during the course of the FSIVA engagement for no fee. Support and
execution is limited to the time the CDI FSIVA team is engaged in work on the customer's site.
SECTION 2 — PROPOSED SCHEDULE & DELIVERABLES
The following Task Schedule and Deliverable Schedule have been provided as a
guideline. This schedule is a proposed baseline only and is flexible depending on the dates
required by the City of Round Rock, the availability of Government security personnel for
the required testing activities, and when a resulting contract is issued.
Proposed Task and Deliverable Schedule
Week 0: System Information Gathering
Week 1: FSIVA Execution, 18-22 September
Week 1: FSIVA Technical Out Brief, 22 September
Week 3: FSIVA Residual Risk Analysis
Week 4: FSIVA Executive Out Brief, scheduled and coordinated with the City of Round Rock Assistant City Manager
SECTION 3 — PRICING & CONTRACT OPTIONS
A summary of the proposed pricing is listed below.
Price Summary
Total Price:
$0.00 - This FSIVA engagement is being
provided as part of U.S. Government contract
administered via the Texas Army National
Guard as part of a proof of concept on the cyber
preparedness of the national Critical
Infrastructure Program (CIP) locations.
Estimated Travel Requirements
None.
BLUE SHEET FORMAT
DATE: September 13, 2006
SUBJECT: City Manager - September 15, 2006
ITEM: Consider approval of an agreement with CyberDefenses,
Inc. for professional consulting services for the
assessment of the City's network.
Department: Administration
Staff Person: David Kautz, Assistant City Manager
Justification: CyberDefenses, Inc. will perform a Full Spectrum
Integrated Vulnerability Assessment (FSIVA) which
includes a vulnerability assessment, countermeasure
recommendation, risk analysis, and results in FSIVA
Residual Risk document for the City's network.
CyberDefenses, Inc. will work around the City's vision of
information management and goal of providing an
uninterrupted flow of information to its customers and
citizens. This assessment will identify potential
vulnerabilities within the City's infrastructure that pose
significant risk of exploitation, malicious attackers or
unintentional internal threats. CyberDefenses, Inc. will also
perform a vulnerability review and risk assessment in
order to develop cost-effective and sensible
countermeasures for potential implementation.
Funding:
Cost: $0
Source of funds: None
Outside Resources: CyberDefenses, Inc.
Background Information: None
Public Comment: None
Blue Sheet Format
Updated 01/20/04