AG 22-126 - CRITICAL INSIGHT, INC.

RETURN TO: Terry Smith EXT: 2550

CITY OF FEDERAL WAY LAW DEPARTMENT ROUTING FORM

1. ORIGINATING DEPT./DIV: Information Technology
2. ORIGINATING STAFF PERSON: Thomas Fichtner EXT: 2547
3. DATE REQ. BY: ASAP
4. TYPE OF DOCUMENT (CHECK ONE): ❑ CONTRACTOR SELECTION DOCUMENT (E.G., RFB, RFP, RFQ) ❑ PUBLIC WORKS CONTRACT ❑ SMALL OR LIMITED PUBLIC WORKS CONTRACT ☒ PROFESSIONAL SERVICE AGREEMENT ❑ MAINTENANCE AGREEMENT ❑ GOODS AND SERVICE AGREEMENT ❑ HUMAN SERVICES / CDBG ❑ REAL ESTATE DOCUMENT ❑ SECURITY DOCUMENT (E.G. BOND RELATED DOCUMENTS) ❑ ORDINANCE ❑ RESOLUTION ❑ CONTRACT AMENDMENT (AG#): ❑ INTERLOCAL ❑ OTHER
5. PROJECT NAME: Subject Matter Expert (SME) Advisor, Security Policy Development, and Incident Response Procedures
6. NAME OF CONTRACTOR: Critical Insight, Inc. ADDRESS: 2454th Street, Suite 405, Bremerton, WA, 98337 TELEPHONE: (630)346-3525 E-MAIL: randy.oppenborn@criticelinsight.com FAX: SIGNATURE NAME: Randy Oppenborn TITLE: Consulting Practice Director
7. EXHIBITS AND ATTACHMENTS: ☒ SCOPE, WORK OR SERVICES ❑ COMPENSATION ❑ INSURANCE REQUIREMENTS/CERTIFICATE ❑ ALL OTHER REFERENCED EXHIBITS ❑ PROOF OF AUTHORITY TO SIGN ❑ REQUIRED LICENSES ❑ PRIOR CONTRACT/AMENDMENTS
8. TERM: COMMENCEMENT DATE: TBD COMPLETION DATE: 1 Year
9. TOTAL COMPENSATION $ 60,654.09 (INCLUDE EXPENSES AND SALES TAX, IF ANY) (IF CALCULATED ON HOURLY LABOR CHARGE - ATTACH SCHEDULES OF EMPLOYEES TITLES AND HOLIDAY RATES)
REIMBURSABLE EXPENSE: YES / NO IF YES, MAXIMUM DOLLAR AMOUNT: $ _____
IS SALES TAX OWED: ❑ YES ☒ NO IF YES, $ PAID BY: ❑ CONTRACTOR ☒ CITY
RETAINAGE: RETAINAGE AMOUNT: ❑ RETAINAGE AGREEMENT (SEE CONTRACT) OR ❑ RETAINAGE BOND PROVIDED
PURCHASING: PLEASE CHARGE TO: 502-1100-046-518-88-414
10. DOCUMENT/CONTRACT REVIEW (INITIAL/DATE REVIEWED, INITIAL/DATE APPROVED): ❑ PROJECT MANAGER ☒ DIRECTOR ❑ RISK MANAGEMENT (IF APPLICABLE) ❑ LAW JRC 10/7/2022
11.
COUNCIL APPROVAL (IF APPLICABLE) COMMITTEE APPROVAL DATE: COUNCIL APPROVAL DATE:
12. CONTRACT SIGNATURE ROUTING
SENT TO VENDOR/CONTRACTOR DATE SENT: DATE REC'D:
❑ ATTACH: SIGNATURE AUTHORITY, INSURANCE CERTIFICATE, LICENSES, EXHIBITS
❑ CREATE ELECTRONIC REMINDER/NOTIFICATION FOR 1 MONTH PRIOR TO EXPIRATION DATE (Include dept. support staff if necessary and feel free to set notification more than a month in advance if council approval is needed.)
INITIAL / DATE SIGNED: ❑ LAW DEPARTMENT ☒ SIGNATORY (MAYOR OR DIRECTOR) ❑ CITY CLERK ❑ ASSIGNED AG# AG
COMMENTS:

DocuSign Envelope ID: 8D5DCCAE-OEE7-4A88-8FE1-9EC42C87528B

Critical Insight

CRITICAL INSIGHT MASTER SERVICES AGREEMENT

THIS MASTER SERVICES AGREEMENT ("MSA"), together with any then-current Statement of Service ("SOS") between Customer and Critical Insight, Inc. ("CI") and the related exhibits, documentation and specifications CI may from time to time deliver or make available to Customer, govern and control the Services described in the ordering SOS. Capitalized terms not otherwise defined below shall have the meaning assigned to them in the SOS. Unless otherwise stated in a SOS, the terms of this MSA shall control any conflicting or inconsistent term in such SOS.

1. Definitions. Capitalized terms in this Agreement not otherwise defined have the meaning described below, for both singular and plural form:
a. "Agreement" means this MSA, each SOS, and each exhibit that supplements the MSA and/or a SOS, as each such document may be amended from time to time.
b. "Appliance" means the computer hardware unit integrated in Customer's Internet server stack as part of CI's provisioning process and included in, and required to enable activation and performance of, the CI Products.
c. "CI Assets" means all computer hardware, software, networking tools and equipment, appliances and devices owned and operated by CI that are deployed or engaged in performance, in whole or part, of the Services, including any Appliance(s) provided to Customer in connection with the Services.
d. "CI Products" means the CI programs, Appliances, monitoring and response services, action plans, Reports, graphics, pictorial and functional representations, spreadsheets, presentations, analyses, processes, methods, procedures, concepts, know-how, techniques, practices, and all related manuals and Documentation, and modifications and improvements in respect to any of the foregoing, provided, delivered or made available to Customer by CI pursuant to a mutually executed SOS.
e. "CI Programs" means the Critical Insight™ monitoring software programs and applications, designs, inventions, source code, tools, patches, updates and new versions in any of the foregoing, user ID's, user interfaces, tokens, passwords and portals licensed to Customer by CI as part of the CI Products but excludes third-party software and custom programs, if any, developed by CI for Customer.
f. "CI Services" means the consulting services described in the ordering SOS and any other professional services that CI provides to Customer at Customer's request.
g. "Customer Data" means the in-bound and out-bound Internet borne data hosted on Customer's proprietary servers that is accessed and monitored by the CI Programs.
h. "Customer Infringement Exclusion" means (i) Customer's use of the CI Programs except as permitted under this Agreement or Customer's combination of the CI Programs with other hardware, software or other materials either that are not provided by CI, or that could not reasonably have been anticipated to be used in combination with the CI Programs, in each case where absent such combination the CI Programs would be non-infringing, (ii) Customer's use of other than the most current release of the CI Programs that results in a claim or action for infringement that could have been avoided by use of the current release, provided that CI has supplied Customer with the most current release at no additional fee, or (iii) the provision by Customer to CI of materials, designs, know-how, software or other intellectual property with instructions to CI to use the same in connection with the CI Programs.
i. "Confidential Information" means all information, data, and material one party hereto (the receiving party) obtains from the other party (the disclosing party) in connection with this Agreement; provided, that Confidential Information does not include information that (i) was known to the receiving party without restriction before receipt from the disclosing party; (ii) is publicly available through no fault of the receiving party; (iii) is rightfully received by the receiving party from a third party without a duty of confidentiality; or (iv) is independently developed by the receiving party without reference to any Confidential Information of the disclosing party. Confidential Information also includes the terms of this Agreement, non-public personal or financial information relating to a party's employees, customers or contractors, all trade secrets, processes, proprietary data, information or documentation and any pricing or product information the disclosing party provides to the receiving party.
j. "Documentation" means the Service descriptions,
playbooks, instructions and protocols set forth in digital or hard copy format and provided or made available to Customer by CI.
k. "Effective Date" means the date set forth in the signature block of this Agreement.
l. "Excused Downtime" means any of the following: (i) force majeure events as defined in Section 16.a. hereof; (ii) data transmission failures outside the control of CI; and (iii) scheduled and emergency maintenance outages. Scheduled maintenance is generally conducted between the hours of 8 p.m. Saturday and 8 a.m. Sunday, U.S. Pacific Time. Maintenance outages include, without limitation, installation of software updates and patches, service packs and routine server and application configuration changes. CI may schedule a non-routine maintenance outage on an as needed basis in its sole discretion and, except in instances of emergency maintenance, will use commercially reasonable efforts to notify Customer forty-eight (48) hours in advance of any such outage.
m. "Report" means any written summary, analysis, finding, schedule or other, similar document prepared for Customer by CI as part of the Services specified in the ordering SOS.
n. "Security Breach" means the actual or suspected unauthorized third-party access to or use of the CI Assets that compromises the security or functionality of such assets or the confidentiality or integrity of any Customer Confidential Information stored thereon.
o. "Services" means the CI Products and CI Services together.
03152021
p. "Services Term" shall have the meaning set forth in Section 11.a. hereof.
q. "Termination Event" means with respect to either party, that party becomes the subject of a proceeding under the Bankruptcy Code, (i) seeking the appointment of a trustee, receiver or custodian or (ii) seeking the liquidation, winding-up,
dissolution, reorganisation or the like of such party, and the proceeding is not dismissed within 30 days of its commencement. If a party is subject to a Termination Event, such party shall promptly use commercially reasonable efforts to seek court authorization to pay all post-petition fees as an administrative expense.
r. "Termination Fee" means the pro-rated portion of the total Service fee specified in the ordering SOS applicable to the period remaining in the then current Services Term as of the effective date of termination.

2. Services. CI will provide Customer the Services set forth in one or more SOS's, which the parties may enter into from time to time, for the term of such SOS. Each SOS, and any related exhibits, will provide additional terms and conditions specific to the Services described in such SOS.

3. Implementation & Performance. At all times during the term of the SOS, Customer will provide to CI such access to Customer's technology infrastructure, including proprietary and licensed software and service programs and applications, and authorized personnel as specified in the SOS, the Documentation, and as CI may otherwise reasonably require to configure, integrate, enable, deliver and perform the Services set forth in the SOS. Customer will promptly obtain and provide to CI any required licenses, approvals, consents, permissions and credentials to Customer's facilities, systems, hardware, devices, software and services, as necessary for CI's timely access, performance and delivery of the Services. Customer acknowledges and agrees (a) that CI's performance and delivery of the Services are at all times conditioned upon (i) Customer providing timely, secure and unencumbered access to Customer's authorized personnel, facilities, equipment, systems, hardware, software, devices, network and data, and (ii) Customer's timely decision-making and granting of approvals or permissions; and
(b) that CI shall not be in breach of its Services obligations hereunder, or liable for any resulting loss, damage or injury, arising from or in any way related to Customer's failure to timely satisfy and perform the conditions to CI's performance herein specified.

4. CI Program License. Upon mutual execution of an SOS for delivery of CI Program support, payment of the fees set forth in such SOS and for the duration of the term of such SOS, Customer will have a nonexclusive, non-assignable (except as provided in Section 16.), non-sublicensable, royalty-free, worldwide limited right to access and use the CI Programs solely for Customer's internal business operations and subject to the terms of this Agreement. Only Customer's authorized personnel may access and use the CI Programs, and Customer is solely responsible for compliance with this Agreement by users accessing the CI Programs with Customer's credentials.

5. Ownership and Restrictions. Customer retains all ownership and intellectual property rights in and to Customer Data and, subject to payment of applicable Service fees, any Reports prepared by CI for Customer. CI irrevocably assigns and transfers to Customer all of its worldwide right and title to, and interest in, the Reports, including all associated copyright, patent, trade secret, trademark and any other intellectual property or proprietary rights ("Intellectual Property Rights"). Additionally, CI grants to Customer a non-exclusive, worldwide, royalty-free, irrevocable, perpetual, non-terminable, transferable, sublicensable license to all Intellectual Property Rights used in the creation of the Reports in order for Customer to exercise its rights in the Reports as contemplated by the applicable SOS.
Without limiting the foregoing, (i) the Reports are "works made for hire" to the extent permitted by law, and (ii) CI will not assert, and otherwise waives, any "moral rights" in the Reports and CI hereby assigns all right, title and interest in such materials to Customer and agrees to reasonably assist Customer at Customer's expense, to perfect such interest. Except for Reports provided to Customer as part of the Services, CI retains all ownership and Intellectual Property Rights in and to the Services, and in furtherance thereof, Customer may not:
a. Remove or modify any proprietary marking or notice of CI's proprietary rights;
b. Make any aspect of the Services available in any manner to any third party for commercial use by such party, unless such access is expressly permitted in a SOS;
c. Modify, make derivative works from, disassemble, reverse engineer or reverse compile any part of the Services (the foregoing prohibition includes, without limitation, review of data structures, signatures or similar materials produced by the Services), or access or use the Services in order to build or support, and/or assist a third party in building or supporting, products or services competitive to CI;
d. Except for Reports and as required by applicable law, disclose to any third party the results of any Service without CI's prior written consent;
e. License, sell, rent, lease, transfer, assign, distribute, display, host, outsource, disclose, permit timeshare or service bureau use, or otherwise commercially exploit or make the Services available to any third party other than as expressly authorized under this Agreement.

6. Exclusions. Customer is solely responsible for any hardware, software and networking tools, devices and appliances that are not provided by CI pursuant to this Agreement. Customer's responsibilities include, without limitation, Customer systems installation,
maintenance and administrator activities, software and application licensing requirements, conditions and related financial commitments. Customer is solely responsible, at Customer's expense, for establishing, maintaining, operating and regulating Customer's access to the Internet, including without limitation, all computer hardware and software and properly configured and installed systems, browsers, modems, access lines and distributed networks necessary to enable, maintain, monitor and control Customer's Internet access.

7. CI Assets. During the term of this Agreement, CI shall observe and maintain data, technical and physical systems and asset security, personnel practices, and continuous monitoring and maintenance protocols in respect to each of the foregoing, all in design, manner and practice consistent with then prevailing industry standards, to: (a) protect and maintain the integrity of (i) all Customer Data and Customer Confidential Information in CI's possession, and (ii) CI Assets, from unauthorized use, alteration, access, disclosure, damage or destruction; (b) detect, protect against and prevent a Security Breach; and (c) provide CI employees and agents the appropriate training necessary to maintain the confidentiality, security and physical integrity of (i) Customer Data and Customer Confidential Information in CI's possession, (ii) Critical Insight's Confidential Information, and (iii) the CI Assets. CI shall promptly notify Customer upon discovery of a confirmed Security Breach.

8. CI Programs Service Levels. CI will use commercially reasonable efforts to achieve the minimum availability of the CI Programs set forth in the Documentation, not including the Excused Downtime, and CI will monitor the availability of its systems on a 24/7 basis.

9. Warranties, Disclaimers and Exclusive Remedies.
CI warrants (i) that the CI Products will be performed in all material respects in accordance with the Service Documentation referenced in the ordering SOS, (ii) that the CI Programs shall be maintained and available at the service levels specified in Section 8 hereof, and (iii) that the CI Services will be performed in a good and workmanlike manner substantially in accordance with industry standards. If the Services provided to Customer for any given calendar month during the Services Term are not performed as warranted, Customer must provide written notice to CI no later than five (5) business days after the last calendar day of such month or, if different, as provided in the ordering SOS.

CI DOES NOT GUARANTEE THAT THE SERVICES WILL BE PERFORMED ERROR-FREE OR UNINTERRUPTED, OR THAT CI WILL CORRECT ALL SERVICE ERRORS. CUSTOMER ACKNOWLEDGES THAT CI DOES NOT CONTROL THE TRANSFER OF DATA OVER COMMUNICATIONS FACILITIES, INCLUDING WITHOUT LIMITATION, THE INTERNET, AND THAT THE SERVICES MAY BE SUBJECT TO THE LIMITATION, DELAYS, AND OTHER PROBLEMS INHERENT IN THE USE OF SUCH COMMUNICATIONS FACILITIES. IN ADDITION, DELIVERY OF THE CI SERVICES MAY BE CONTINGENT UPON THE ACCESS, SUPPORT AND COOPERATION OF CUSTOMER, WITHOUT WHICH SUCH SERVICES CANNOT BE PERFORMED. CI IS NOT RESPONSIBLE FOR, AND SPECIFICALLY DISCLAIMS LIABILITY FOR, ANY DELAYS, DELIVERY OR SERVICE FAILURES OR OTHER DAMAGE RESULTING FROM SUCH PROBLEMS AND CONDITIONS.

FOR ANY BREACH OF THE ABOVE WARRANTIES, CI WILL REMIT A SERVICE FEE CREDIT TO CUSTOMER EQUAL TO TEN PERCENT (10%) OF (A), IF FOR CI PRODUCTS, THE NET MONTHLY FEES FOR THE APPLICABLE CI PRODUCTS FOR THE MONTH IN WHICH THE BREACH OCCURRED; AND (B), IF FOR CI SERVICES, THE NET SERVICE FEE SET FORTH IN THE ORDERING SOS. THE CREDIT WILL BE APPLIED AS FOLLOWS: (X) FOR CI PRODUCTS, AT CUSTOMER'S SOLE ELECTION, (i) AS AN OFFSET AGAINST ACCRUED BUT UNPAID FEES THEN OWED TO CI, IF ANY, (ii) AS A CREDIT TOWARD RENEWAL TERM FEES, IF ANY,
NEXT COMING DUE; OR (iii) AS A REFUND PAYMENT BY CI; AND (Y) FOR CI SERVICES, ONLY AS AN OFFSET TOWARD ANY ACCRUED BUT UNPAID FEES OWED TO CI FOR THE RELATED SERVICES, AND APPLICATION OR REMITTANCE, AS THE CASE MAY BE, OF SUCH CREDIT WILL REPRESENT CUSTOMER'S EXCLUSIVE REMEDY, AND FULL SATISFACTION OF CI'S SOLE LIABILITY, FOR ALL WARRANTIES SPECIFIED IN THIS AGREEMENT.

EXCEPT AS SPECIFICALLY SET FORTH HEREIN, THE SERVICES, INCLUDING ANY REPORTS OR OTHER TANGIBLE OR INTANGIBLE ITEMS FURNISHED BY CI TO CUSTOMER, ARE PROVIDED ON AN "AS IS" BASIS WITH NO WARRANTIES OR REPRESENTATIONS OF ANY KIND. CI MAKES NO WARRANTY, EXPRESS OR IMPLIED, THAT THE SERVICES WILL RENDER CUSTOMER'S NETWORK AND SYSTEMS SAFE FROM MALICIOUS CODE, INTRUSIONS, OR OTHER SECURITY RISKS OR BREACHES OR THAT THE SERVICES WILL DETECT, REPORT OR NEUTRALIZE ALL SUCH MALICIOUS CODE, INTRUSIONS, SECURITY RISKS OR BREACHES. TO THE EXTENT NOT PROHIBITED BY LAW, THE FOREGOING WARRANTIES ARE EXCLUSIVE AND THERE ARE NO OTHER EXPRESS OR IMPLIED WARRANTIES OR CONDITIONS OF ANY KIND, INCLUDING FOR HARDWARE, SOFTWARE, SYSTEMS, NETWORKS, ENVIRONMENTS OR SERVICES OR FOR MERCHANTABILITY, NONINFRINGEMENT, SATISFACTORY QUALITY AND FITNESS FOR A PARTICULAR PURPOSE.

10. Indemnity.
a. CI Infringement Indemnity. Subject to Section 10.c., CI will defend Customer in any suit or cause of action, and indemnify and hold Customer harmless against, and pay on behalf of Customer,
any damages awarded to third parties in any such suit or cause of action (including reasonable attorneys' fees awarded to such third parties and settlement amounts) alleging that the CI Programs as provided by CI and used in accordance with the terms of this Agreement infringe upon any United States patent, copyright, trade secret or other proprietary right of a third party, provided that, the foregoing infringement indemnity will not apply and CI will not be liable for any damages assessed in any suit or cause of action to the extent resulting from a Customer Infringement Exclusion. If any CI Program is held or believed to infringe on any third party's intellectual property rights, CI may, in its sole discretion, (i) modify the CI Program to be non-infringing, (ii) obtain for Customer a license to continue using such CI Program, or (iii) if neither (i) nor (ii) are commercially practical, terminate this Agreement as to the infringing CI Program and return to Customer any unearned fees paid by Customer to CI in advance. This Section 10.a. states CI's entire liability and Customer's exclusive remedies for infringement of intellectual property rights of any kind.
b. Customer Infringement Indemnity. Subject to Section 10.c., Customer will defend CI in any suit or cause of action, and indemnify and hold CI harmless against, and pay on behalf of CI, any damages awarded to third parties in any such suit or cause of action (including reasonable attorneys' fees awarded to such third parties and settlement amounts) alleging infringement upon any United States patent, copyright, trade secret, or other proprietary right of a third party, to the extent that any such suit or cause of action results from an allegation of a Customer Infringement Exclusion. This Section 10.b.
states Customer's entire liability and CI's exclusive remedies for infringement arising from a Customer Infringement Exclusion.
c. Indemnity Conditions. The indemnities set forth in this Agreement are conditioned upon the following: (i) the indemnitee ("Indemnitee") promptly notifies the indemnitor ("Indemnitor") in writing of such suit or cause of action, provided, that, any failure by Indemnitee to so promptly notify Indemnitor will not serve to reduce or forfeit an Indemnitee's rights hereunder unless and only to the extent such failure prejudices the rights and remedies of Indemnitor in respect to such suit or proceeding, (ii) the Indemnitor controls any negotiations or defense and the Indemnitee assists the Indemnitor as reasonably required by the Indemnitor, and (iii) the Indemnitee takes all reasonable steps to mitigate any potential damages that may result.

11. Term and Termination.
a. Services under this Agreement shall be provided for the initial Services Term set forth in the ordering SOS. Unless CI receives written notice from Customer at least sixty (60) days prior to the expiration of the then current Services Term, the SOS and related Services shall automatically renew for successive renewal Services Terms of one (1) year each. The initial term of the Services and any renewal term thereof are, herein, the "Services Term". Upon expiration or earlier termination of the Services Term, (i) if CI Services, all obligations of CI to perform and deliver, and all rights of Customer to receive, the CI Services, including the CI Services listed on the ordering SOS, shall end, (ii) if CI Products, all rights of Customer to access and use, and all obligations of CI to enable and provide, the CI Products, including the CI Products listed in the ordering SOS, shall end, and (iii) if no ordering SOS is then in effect, the term of this Agreement shall contemporaneously terminate or expire, as applicable.
b.
If either party breaches a material term of the Agreement and fails to cure the breach within thirty (30) calendar days of delivery by the non-breaching party of written notice of breach and demand for cure thereof, then the breaching party is in default and the non-breaching party may without further notice to the breaching party immediately terminate the then current SOS. If CI terminates the SOS and related Services Term as specified in the immediately preceding sentence, Customer shall pay to CI all accrued but unpaid fees, if any, for the period prior to the effective date of termination, plus, as a non-exclusive remedy, an amount equal to the fees payable for the balance of the then current Services Term following the termination date as liquidated damages. In addition to the foregoing, any then current SOS will automatically terminate in the event of a Termination Event.
c. In addition, CI may immediately suspend the Services under the ordering SOS, including without limitation and if applicable, Customer's passwords, account and access to and use of the CI Products (i) if Customer fails to pay CI as required under this Agreement and fails to cure the non-payment within the first ten (10) calendar days of the above-noted 30-day cure period, or (ii) if Customer violates any provision of Sections a, 5 or 13 hereof. Any suspension by CI of the Services under this Section 11.c. shall not excuse Customer from its continuing obligation to make payment(s) under the ordering SOS.
d. Sections 1, 5, 6, 9, 10 and 12 - 16 shall survive termination or expiration of this Agreement.

12. Fees, Expenses, Taxes and Invoicing.
a. Customer shall pay the fees for the Services ordered as set forth in the ordering SOS. All fees due under this Agreement are non-cancelable and payments thereof are non-refundable. Customer shall reimburse CI for actual and reasonable expenses incurred by CI in performing the Services (i) only on a pass-through basis without markup,
and (ii) only if preapproved by Customer in the ordering SOS or similar writing. Fees and expenses, if any, listed in a SOS are exclusive of taxes. Customer is responsible for payment of any sales, value-added or similar taxes imposed by applicable law for the Services ordered by Customer, except for taxes based on CI's income.
b. Commencing the initial renewal Services Term (if any) and on an annual basis thereafter, all fees shall be subject to adjustment, in CI's sole reasonable discretion, in an amount not to exceed the greater of (i) the change in the U.S. Department of Labor CPI-All Urban Consumers for the immediately preceding annual period, and (ii) 5%.
c. Unless otherwise specified in the ordering SOS, (i) fees for CI Products are payable in advance on an annual basis, and (ii) fees for CI Services are payable in arrears on a monthly basis. In each instance payment is due within thirty (30) calendar days from the invoice date. Late payments shall accrue interest at the lesser of (i) 12% per annum, and (ii) the highest statutory rate, from the payment due date until paid in full. In the event of Customer's termination of a SOS for any reason prior to expiration of its stated Services Term, CI shall be entitled to receive, and Customer shall pay on demand, as an early termination fee and not a penalty, the Termination Fee. In the event Customer's past due account is submitted to an attorney or collections service for recovery, CI shall be entitled to recover the cost of collection, including reasonable attorneys' fees, in addition to all past due amounts. The rights and remedies set forth in this Section 12 are in addition to any other legal, equitable and contractual rights and remedies available to CI.

13. Confidentiality; Security.
a.
The receiving party will use Confidential Information of the disclosing party solely for the purposes of performing its obligations under the Agreement. The receiving party will not disclose or make Confidential Information of the disclosing party available to any third party, except as specifically authorized by the disclosing party in writing. Upon the disclosing party's written request, the receiving party will promptly return to the disclosing party all of its Confidential Information, or certify in writing signed by an authorized representative that it has destroyed all such materials, provided that, in no event will the receiving party be obligated or required to amend, modify or destroy back up media and systems maintained in the ordinary course of business and designed in a manner to prevent the unauthorized access to or use of the data stored on such media and systems. Neither party will disclose to the other party or use in performance of its obligations hereunder any information, data, materials, or documents of a third party considered confidential or proprietary without the written authorization of such third party. Each party may disclose Confidential Information of the other party when compelled to do so by law if it provides, where legally permissible, reasonable prior notice to such other party. In furtherance of the foregoing, CI shall require each of its employees and agents providing any aspect of the Services hereunder to execute a confidentiality agreement incorporating confidentiality and non-use provisions consistent with, and no less restrictive than, the requirements of this Section 13.a.
b.
At all times during the Services Term, CI shall maintain reasonable and appropriate safeguards, security measures and protocols, which in no event shall be less effective than industry-standard safeguards, security measures and protocols, designed to (i) reasonably protect Customer's Confidential Information in CI's possession or control from unauthorized use, alteration, access or disclosure; and (ii) detect and prevent a breach of such safeguards, security measures and protocols by any unauthorized party.
c. Notwithstanding the foregoing, CI may use the Customer's information for purposes other than the performance of the Services but only in an aggregated, anonymized form, such that Customer is not identified, and Customer will have no ownership interest in such aggregated, anonymized data.

14. Limitation of Liability. WITHOUT LIMITING ANY INDEMNIFICATION OBLIGATIONS OF A PARTY UNDER SECTION 14 OF THIS AGREEMENT OR (EXCEPT AS EXPRESSLY PROVIDED OTHERWISE BELOW) THE LIABILITY OF A PARTY FOR ANY BREACH OF ITS OBLIGATIONS UNDER SECTION 13 OF THIS AGREEMENT, TO THE MAXIMUM EXTENT PERMITTED BY LAW, IN NO EVENT WILL (A) EITHER PARTY BE LIABLE TO THE OTHER PARTY FOR ANY INDIRECT, INCIDENTAL, OR CONSEQUENTIAL LOSSES OR DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, SPECIAL, PUNITIVE OR EXEMPLARY DAMAGES), WHETHER OR NOT SUCH PARTY WAS ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE AND (B) A PARTY'S TOTAL LIABILITY FOR ALL CLAIMS ARISING FROM OR RELATING TO THIS AGREEMENT, REGARDLESS OF THE NATURE OF THE CLAIM, EXCEED THE AMOUNT OF FEES PAID OR PAYABLE BY CUSTOMER UNDER THIS AGREEMENT FOR THE SERVICES DURING THE TWELVE (12)-MONTH PERIOD IMMEDIATELY PRIOR TO THE EVENT, ACT OR OMISSION GIVING RISE TO SUCH LIABILITY, EXCEPT THAT WITH REGARD TO LIABILITY OF A PARTY FOR BREACH OF ITS OBLIGATIONS UNDER SECTION 13 OF THIS AGREEMENT, IN NO EVENT SHALL EITHER PARTY'S CUMULATIVE LIABILITY EXCEED THE LESSER OF (X) THE TOTAL CONTRACT PRICE OF THE
APPLICABLE SOS, OR (Y) TWO HUNDRED AND FIFTY THOUSAND DOLLARS ($250,000). THIS LIMITATION OF LIABILITY IS INTENDED TO APPLY WITHOUT REGARD TO WHETHER OTHER PROVISIONS OF THIS AGREEMENT HAVE BEEN BREACHED OR HAVE PROVEN INEFFECTIVE.

15. Export. Export laws of the United States and any other related local laws and regulations may apply to the Services. Such laws govern Customer's use of the Services and any data provided by CI to Customer under this Agreement, and Customer shall comply with all such laws and regulations. No data, information, software programs and/or other materials resulting from the Services will be exported, directly or indirectly, in violation of these laws, or will be used for any purpose prohibited by these laws.

16. General.
a. Force Majeure. Neither party shall be liable to the other party or deemed to be in default for any delay or failure in performance of any obligation under the Agreement or interruption of any Service resulting, directly or indirectly, from acts of God, civil or military authority, acts of the public enemy, acts of terrorism, acts of third parties over whom the party has no control, war, riots, civil disturbances, insurrections, accidents, fire, explosions, earthquakes, floods, epidemics, pandemics, the elements or any other similar cause beyond the reasonable control of such party.
b. Audit. CI may audit, at its own expense, Customer's user logs and related data for the purpose of determining Customer's compliance with the terms of this Agreement, including any then operative SOS. Audits shall be conducted by CI or its designee and shall be limited to records from the Effective Date of the ordering SOS to the month of the audit. CI shall be limited to one (1) audit per twelve (12) consecutive calendar month period. CI shall give ten (10) business days prior written notice of its intention to perform an audit.
If any audit reveals non-compliance by Customer of any material term of the Agreement, then (i) Customer shall promptly initiate and prosecute to completion any remedial action required to cure such non-compliance, provided such non-compliance is reasonably subject to cure, and (ii) if the non-compliance is a variance of 5% or more in the total count of network users upon which Customer's then-current annual subscription fee is based, then CI may adjust the annual subscription fee specified in the ordering SOS for the period then remaining in the Services. In addition, if any audit reveals actual network users exceeding contracted network users by 5% or more, then Customer shall pay CI for all underpayments, plus interest, and shall reimburse CI for the reasonable cost of the audit.
c. Notice. Except as provided herein, any notice, approval or consent required or permitted hereunder shall be: (i) in writing, (ii) delivered by (A) hand or by overnight courier service, or (B) electronic mail to the respective addresses of the parties as set forth in the ordering SOS (or such other address a party may designate in writing), and (iii) effective upon actual delivery if by hand or courier service (or upon attempted delivery if receipt is refused), or upon electronic confirmation of successful delivery if by email.
d. Integration; Waiver. This Agreement, including any SOS, Documentation, exhibit, document or information or policy accessed by referenced URL, is the complete agreement for the Services ordered by Customer, and supersedes all prior or contemporaneous agreements, representations and understandings, written or oral, regarding such Services.
If any provision of this Agreement shall be judicially determined to be unenforceable or invalid, that provision shall be limited or eliminated to the minimum extent necessary so that the Agreement shall otherwise remain in full force and effect and enforceable. A party's rights, obligations and restrictions hereunder may not be waived except in a writing signed or digitally accepted by an authorized representative of each party.
e. Assignment. No right or obligation under the Agreement (including the obligation to pay or right to receive monies due) may be assigned, delegated or subcontracted by a party without the prior written consent of the other party, and any purported assignment without such consent shall be void.
f. Controlling Law. This Agreement shall be construed in accordance with the laws of the State of Washington without regard to its principles of conflict of laws. The exclusive jurisdiction and venue of any action relating to this Agreement shall be the Superior Court of Washington for the County of King or the United States District Court for the Western District of Washington and each party hereto submits itself to the exclusive jurisdiction of such courts and waives any argument relating to the convenience of forum. The rights and remedies herein provided are in addition to those available to either party at law or in equity.
g. Customer Reference. CI may use Customer's name and logo to identify Customer as a CI customer on CI's website and in other marketing materials so long as Customer's name and logo do not appear with greater prominence than CI's other customers.
h. Counterparts. This Agreement may be executed in any number of counterparts, each of which shall be deemed to be an original as against any party whose signature appears thereon, and all of which shall together constitute one and the same instrument. A faxed, .pdf or electronic signature shall have the same legally binding effect as an original signature.
i. Modification.
This Agreement and any SOS may not be changed, altered or modified except in a writing signed by an authorized representative of each of the parties hereto.
IN WITNESS WHEREOF, the parties have executed this Agreement effective as of ____ (the "Effective Date").
CRITICAL INSIGHT, INC. By: [signature] Title: CEO 10/12/2022
CITY OF FEDERAL WAY, WASHINGTON By: [signature] Print: [illegible] Title: [illegible]
STATEMENT OF SERVICE
Quote Date: 9/27/2022
Quote Expiration: 10/26/2022
Name: Kevin Rolnick
Email: Kevin.Rolnick@criticalinsight.com
Phone: 206-307-80335
Bill To:
Name: Thomas Fichtner
Company: City of Federal Way, WA
Street Address: 33325 8th Ave. South
City, State, Zip: Federal Way, WA 98003
Phone: 425-452-3500
Ship To:
Name: Thomas Fichtner
Company: City of Federal Way, WA
Street Address: 33325 8th Ave. South
City, State, Zip: Federal Way, WA 98003
Phone: 425-452-3500
Professional Services
Service Code | Description | Unit | Type | Extended MSRP | Extended Discount Sub-total
CI-PS-SME | SME Advisor (24 minimum) | 24 | hour(s) | $6,000.00 | $6,000.00
CI-PS-CUSTOM | CVIPRO Vulnerability Management SME | 17 | hours | $4,250.00 | $4,250.00
Initial Invoice Subtotal | $10,250.00 | $10,250.00
PerB*W Period | 12 months | $10,250.00 | $10,250.00
Estimated Sales Tax | 0.00% estimated rate | $0.00 | $0.00
Invoice | $10,250.00 | $10,250.00
Critical Insight and the Critical Insight logo are the trademarks of Critical Insight, Inc. ©2022 Critical Insight, Inc. All rights reserved.
Terms and Conditions
This Statement of Service ("SOS"), effective as of the date of the signature of the last party to sign (the "Effective Date") is subject to the Critical Insight Master Services Agreement, dated as of 10/1T/2 22 and any other Exhibits, Attachments or Amendments hereto, which are each incorporated herein by reference, and which together with this SOS constitute the "Agreement".
Unless otherwise provided in this SOS, capitalized terms herein shall be as defined elsewhere in the Agreement. The terms of this Agreement constitute the final expression of the parties' binding understanding in respect to the subject matter hereof and supersede all prior or contemporaneous agreements, representations and understandings, written and oral, in respect to same. Customer acknowledges that it has read the Agreement and agrees to be bound by its terms.
• Contract term is one (1) year, commencing the Effective Date hereof.
• Billing shall be based on Critical Insight reporting. Critical Insight and Customer shall reconcile in good faith any discrepancies in their respective tracking records, provided Critical Insight's reporting shall control in the event of an irreconcilable discrepancy.
• Time & Materials (T&M) services will be invoiced on a monthly basis in arrears for hours expended and authorized expenses incurred in the billing period, subject to the Not-To-Exceed amount specified in this SOS.
• Payment of invoiced amounts due no later than thirty (30) calendar days from date of invoice.
Check one of the following: ❑ Purchase Order Required Purchase Order Not Required
Customer: Signature, Name, Title, Date, Billing Contact Name, Billing Street Address, State, Zip, Billing Contact Phone, Billing Email (handwritten entries not legible in the scan)
Critical Insight, Inc.: Signature: [DocuSigned] Name: Garrett Silver Title: CEO Date: 10/12/2022
EXHIBIT A
The City of Federal Way, Washington
SME Advisor
Presented To: Thomas Fichtner, IT Manager, The City of Federal Way, Washington, 33325 8th Ave South, Federal Way, WA 98003, (425) 452-3500, Thomas.Fichtner@cityoffederaway.com
SCOPE OF WORK
SOW 2022-744
SEPTEMBER 27, 2022
Submitted By: Randy Oppenborn, Consulting Practice Director, Critical Insight, Inc., 245 4th Street, Suite 405, Bremerton, WA 98337, (630) 346-3525, Randy.oppenborn@criticalinsight.com
CRITICAL INSIGHT, INC.
Scope of Work SME Advisor The City of Federal Way, Washington September 27, 2022
Table of Contents
KEY BUSINESS AND TECHNICAL CONTACTS
  THE CITY OF FEDERAL WAY, WASHINGTON CONTACT INFORMATION
  CRITICAL INSIGHT CONTACT INFORMATION
SERVICE DESCRIPTION AND SCOPE
  GENERAL DESCRIPTION
  SCOPE OF ACTIVITY
  COORDINATION, PLANNING, & PROJECT INITIATION
  THE CITY OF FEDERAL WAY RESOURCE REQUIREMENTS
  PROJECT INITIATION MEETING
  INITIATION OF SERVICE REQUESTS
SCHEDULE
  PERIOD OF PERFORMANCE
  PROJECT CHANGE CONTROL
SERVICE DELIVERABLES
  DESCRIPTION
ASSUMPTIONS
COST
  TRAVEL AND EXPENSE REIMBURSEMENT
NOTICE
Critical Insight has made every reasonable attempt to ensure that the information contained within this Scope of Work is correct, current and properly sets forth the requirements as have been determined to date. The parties acknowledge and agree that the other party assumes no responsibility for errors that may be contained in or for misinterpretations that readers may infer from this document.
TRADEMARK NOTICE
© 2022 Critical Insight, Inc. All Rights Reserved. Critical Insight®, the Critical Insight and Kraken logos and other trademarks, service marks, and designs are registered or unregistered trademarks of Critical Insight in the United States and in foreign countries.
© Copyright 2022 Critical Insight, Inc.
Key Business and Technical Contacts
The City of Federal Way, Washington Contact Information
Name: Thomas Fichtner, IT Manager
Mailing Address: The City of Federal Way, Washington, 33325 8th Ave South, Federal Way, WA 98003
E-Mail Address: Thomas.Fichtner@cityoffederaway.com
Phone Number: (425) 452-3500
Critical Insight Contact Information
Name: Randy Oppenborn, Consulting Practice Director
Mailing Address: Critical Insight, Inc., 245 4th Street, Suite 405, Bremerton WA 98337
E-Mail Address: Randy.Oppenborn@criticalinsight.com
Phone Number: (630) 346-3525
Service Description and Scope
This section provides a description of services, scope of activity, and support requirements associated with the services.
General Description
The scope of work to be performed includes advisory and consulting services from a Critical Insight subject matter expert (SME) and other Critical Insight resources as necessary. Notably, this scope of work excludes:
■ Emergency and/or Incident Response Services, which can be requested in a separate Scope of Work
■ Implementation or remediation of technical controls
Scope of Activity
The scope outlined below depicts the scope of activity associated with this engagement.
Table 1 - SOW Scope Statement
Consulting Services:
■ Up to 24 hours of general information security, cyber security, and GRC consulting and advisory services, provided onsite or by phone and/or email
■ Hours are available to be used as-needed by the City of Federal Way within 1 year/365 days of the execution of this SOW
■ Hours can be extended or replenished when depleted through either extensions/renewals to this SOW or under a new engagement
Coordination, Planning, & Project Initiation
Critical Insight will assign a Principal Consultant to be the primary point of contact for all project work. The Lead Consultant will coordinate, plan, manage, and report all project activities and findings to the City of Federal Way's designated Project Sponsor and/or Project Manager. Critical Insight will provide project management for all aspects of this project, including tracking and resolution of project related issues, progress tracking, project reporting, and communication. A key component of Critical Insight's project management approach is timely reporting of project progress and findings. This enables a proactive approach to addressing security risks discovered during the course of the project, and ensures that all project stakeholders are completely informed at all times. To support this, Critical Insight will conduct a monthly status report or check-in teleconference with the City of Federal Way's project team. Follow-up discussions and deliverables will occur on a case-by-case basis to ensure clear and timely communication of all issues.
The City of Federal Way Resource Requirements
Achieving the City of Federal Way's objectives will require active participation from both the Critical Insight Project Lead Consultant as well as the City of Federal Way's own personnel.
To ensure the timely and successful completion of this project, the City of Federal Way should expect at least the following resource time commitments from its own personnel:
■ A Project Sponsor should be assigned to provide resolution of issues, escalation of issues, clarification of requirements, sign-off on deliverables, and access to resources as required by the project team
■ This role will require a commitment of only 2-3 hours per week to the project
Additionally, the following activities and estimated time allocations will be performed as part of the project in which the City of Federal Way-identified staff will participate:
■ Kick-off meeting: 1 hour
■ Additional calls, meetings, or projects as needed
Project Initiation Meeting
Critical Insight recognizes the value of communication and ongoing collaboration with our customers. As such, we include a project initiation meeting (kick-off meeting) with all our engagements. During the meeting, Critical Insight will address the following topics:
■ Introduce key people at the City of Federal Way and Critical Insight
■ Exchange contact information (for regular reporting and emergencies)
■ Review communication, notification, and issue escalation procedures
■ Discuss other specific City of Federal Way requests and rules of engagement
Critical Insight will discuss the nature and time requirements for specific deliverable types that might be requested by the City of Federal Way during the project, the designated recipient, and the method by which Critical Insight will forward those deliverables. The project activities will be performed both onsite and remotely.
Initiation of Service Requests
To initiate the use of hours on this contract, an email or phone request must be made to Critical Insight.
Critical Insight will respond with an expected effort required to achieve the objective. Upon approval from the City of Federal Way, Critical Insight will complete the work and deliver any work product.
Schedule
Period of Performance
Critical Insight will make every reasonable attempt to meet the dates requested. The City of Federal Way understands and agrees that changes in critical factors (such as those listed below in Project Change Control, or a delay in signature of this document) may impact Critical Insight's ability to meet certain dates.
Project Change Control
Critical Insight has made every attempt to accurately estimate time required to successfully complete the project. The City of Federal Way acknowledges and agrees that if impediments, complications, or the City of Federal Way requested changes in scope arise, these factors are out of the control of Critical Insight, and the length of the project and associated price could be impacted.
Examples of valid impediments, complications, and changes in scope consist of (but are not limited to):
■ The City of Federal Way initiated delay where the City of Federal Way is not prepared to allow Critical Insight to begin work on the agreed upon start date thus resulting in additional cost to Critical Insight for resources that have been sent to the City of Federal Way's site but cannot begin the Services
■ The City of Federal Way provided information necessary for timely delivery by Critical Insight is not accurate
■ Delays or problems associated with third party telecommunication equipment
■ This includes, but is not limited to, cabling, servers, routers, hubs, and switches managed or installed by third parties
■ Malfunctioning hardware
■ Inability to access equipment or personnel that are required to complete the project
■ Conflicts or incompatibilities associated with the installation of hardware or software installed by Critical Insight
■ The City of Federal Way increases the scope of services requiring additional labor, hardware, software, materials, travel, lodging, meals, or other direct costs
If any change(s) from impediments, complications, or the City of Federal Way changes in the scope of services cause an increase or decrease in the price or level of effort of the SOW, or the time required for the performance of any part of the work to be accomplished hereunder, whether or not such work is specifically identified in the written change, then the price, delivery schedules and other affected provision(s), if any, as applicable, shall be equitably adjusted and this SOW shall be modified in writing by the mutual agreement of the parties in accordance with this Section.
Service Deliverables
Description
There are no predefined deliverables for this project.
Assumptions
Critical Insight used the following assumptions during development of this SOW. Any changes to these assumptions may affect the price and schedule commitments.
■ The City of Federal Way will provide Critical Insight access to the business, customer, and technical information, and facilities necessary to execute the solution
■ The City of Federal Way will provide Critical Insight on-site and off-site access to documents necessary for this assessment
■ The City of Federal Way will ensure that appropriate personnel are available to meet with Critical Insight, as necessary
■ The Critical Insight professional working day is eight hours, including reasonable time for meals
■ Critical Insight understands that occasions arise during customer engagements that require a longer or shorter working day
■ Critical Insight will not be obligated to extend engagements when delays result from the City of Federal Way's inability to meet stated prerequisites prior to an engagement, nor when delays result from the City of Federal Way personnel not being available to provide required support
■ During this effort, Critical Insight will not be responsible for negotiations with hardware, software, or other vendors, or any other contractual relationship between the City of Federal Way and third parties
■ Critical Insight, at the request of the City of Federal Way, will provide input to the City of Federal Way regarding optimal product or vendor selection
■ Any application code, documentation, and/or presentations developed under this SOW will be in English.
■ Critical Insight will perform the work between 8:30 a.m. and 5:00 p.m. (local time)
■ After-hour and weekend work (when required), must be explicitly identified below or as otherwise agreed to in writing by the parties:
After-hours required? Yes ❑ No
Weekend hours required? Yes ❑ No
Location of onsite services? The City of Federal Way, 33325 8th Ave South, Federal Way, WA 98003 And/Or Remotely
Cost
Travel and Expense Reimbursement
If travel, meals, lodging, and other direct costs for the described effort are incurred at the request of and after obtaining prior authorization from the City of Federal Way, those expenses shall be reimbursed by the City of Federal Way at actual cost. No travel is expected on this engagement.
EXHIBIT B
THE CITY OF FEDERAL WAY, WASHINGTON
CVIPRO VULNERABILITY MANAGEMENT SME ADVISOR
Presented To: Thomas Fichtner, IT Manager, The City of Federal Way, Washington, 33325 8th Ave South, Federal Way, WA 98003, (425) 452-3500, Thomas.Fichtner@cityoffederaway.com
Scope of Work
SOW 2022-745
September 27, 2022
Submitted By: Wes Hardcastle, Consulting Practice Director, Critical Insight, Inc., 245 4th Street, Suite 405, Bremerton, WA 98337, (206) 923-8748, Wes.Hardcastle@criticalinsight.com
CRITICAL INSIGHT, INC.
CONFIDENTIAL
Scope of Work Vulnerability Management SME The City of Federal Way September 27, 2022
Table of Contents
GENERAL INFORMATION
  BACKGROUND & OBJECTIVES
KEY BUSINESS AND TECHNICAL CONTACTS
CVIPRO - VULNERABILITY MANAGEMENT SME ADVISOR SERVICE DESCRIPTION AND SCOPE
  PROJECT MANAGEMENT, COORDINATION, AND PLANNING
SCHEDULE
  PERIOD OF PERFORMANCE
  PROJECT CHANGE CONTROL
SERVICE DELIVERABLES
  DESCRIPTION
  ACCEPTANCE OF DELIVERABLES
ASSUMPTIONS
COST
  TRAVEL AND EXPENSE REIMBURSEMENT
APPENDIX A: PROJECT COMPLETION FORM
NOTICE
Critical Insight has made every reasonable attempt to ensure that the information contained within this Scope of Work is correct, current and properly sets forth the requirements as have been determined to date. The parties acknowledge and agree that the other party assumes no responsibility for errors that may be contained in or for misinterpretations that readers may infer from this document.
NON-DISCLOSURE STATEMENT
The information in this document is Critical Insight Confidential, and cannot be reproduced or redistributed in any way, shape, or form without prior written consent from Critical Insight, Inc.
TRADEMARK NOTICE
© 2022 Critical Insight, Inc. All Rights Reserved. Critical Insight®, the Critical Insight and Kraken logos and other trademarks, service marks, and designs are registered or unregistered trademarks of Critical Insight, Inc. in the United States and in foreign countries.
© Copyright 2022 Critical Insight, Inc.
General Information
Background & Objectives
Purpose
This SOW describes the activities, scope, and deliverables for:
■ CVIPro — Continuous Vulnerability Identification (CVI) Vulnerability Management Subject Matter Expert (SME)
■ Scanning for vulnerabilities in your environment is a critical step in a robust vulnerability management process but should be part of a larger program to ensure you're reducing the number one risk to cyber-security — unpatched or inadequately configured systems and devices
■ CVI Pro provides a subject matter expert to perform the following tasks:
  o Kick-off call (up to 2 hours) to discuss the vulnerability management program, provide recommendations to increase the effectiveness of the program, and set baseline vulnerability scanning approach
  o Monthly 1-hour teleconference to discuss recent activity and scan results
  o Phone assistance during normal business hours (8:00 AM-5:00 PM Pacific time) for:
    ■ Tuning vulnerability scans
    ■ Using advanced vulnerability scan policies
    ■ Scan scope refinement
    ■ Scan scheduling
  o Assistance with the CVI Portal or Vendor Vulnerability Portal, if in use
This SOW includes:
■ Scope of Work — Critical Insight's methodology for conducting assessments and the scope of work which will be performed.
■ Deliverables — Description of the deliverables for this project.
■ Project Assumptions — any assumptions that were used to derive the scope of work or pricing for this engagement.
Key Business and Technical Contacts
The City of Federal Way, Washington Business Contact Information
Name: Thomas Fichtner, IT Manager
Mailing Address: The City of Federal Way, Washington, 33325 8th Ave South, Federal Way, WA 98003
E-Mail Address: Thomas.Fichtner@cityoffederaway.com
Phone Number: (425) 452-3500
Critical Insight Business Contact Information
Name: Wes Hardcastle, Consulting Practice Director
Mailing Address: Critical Insight, Inc., 245 4th Street, Suite 405, Bremerton WA 98337
E-Mail Address: Wes.Hardcastle@criticalinsight.com
Phone Number: (206) 923-8748
CVIPro — Vulnerability Management SME Advisor Service Description and Scope
Project Management, Coordination, and Planning
A key component of Critical Insight's project management approach is timely reporting of project progress and findings. This enables a proactive approach to addressing security risks discovered during the course of the project and ensures that all project stakeholders are completely informed at all times. Critical Insight will provide a qualified resource as Lead Consultant on the project and the Point of Contact (PoC) for the life of the contract; additional resources may address specific areas of this body of work. The Lead Consultant has experience in incident management, regulatory compliance and information security, managing enterprise-level projects, and communicating with Executives, Steering Committees, Regulators, and Auditors as well as IT and operational staff.
The City of Federal Way Resource Requirements
Achieving the City of Federal Way's objectives will require active participation from both the Critical Insight Project Team as well as the City of Federal Way's own personnel. To ensure the timely and successful completion of this project, the City of Federal Way should expect at least the following resource time commitments from its own personnel:
■ A Project Manager should be assigned to the project to serve as the single point of contact for the Critical Insight Project Team (The City of Federal Way may choose to assign the Project Sponsor and Project Manager role to the same person)
■ This role will require a commitment of approximately 8-12 hours during the course of the project
■ Additionally, the following activities and estimated time allocations will be performed as part of the project in which the City of Federal Way-identified staff will participate:
■ Kick-off meeting: 2 hours
■ Monthly Review: 1 hour
Vulnerability Management Program Review Kick-off Call (Up to 2 hours)
Our approach for the annual program review executes the following tasks:
■ Assess the Vulnerability Management program for the following components:
  ■ Monitoring of —
    o Security alert and vulnerability lists and notifications
    o Release of security patches
    o End-of-Life notifications
    o Vendor security bulletins
  ■ Process to address critical and high-risk vulnerabilities in a timely manner
  ■ Vulnerability Scanning
    o Scan policies
    o Credentialed scans
    o Scan targets
    o Vulnerability remediation process
    o Verification of remediation
    o Triggers and frequency of scanning
    o Record keeping, audit artifacts, and compliance
Monthly Teleconference (1-hour)
The SME will hold a monthly call to discuss:
■ That month's findings and interpretation of those findings
■ Remediation prioritization
■ Remediation approaches
■ Compensating controls to mitigate vulnerabilities
■ Validation of recent remediation
Once a quarter, we will focus on providing recommendations on the following:
■ Target lists
■ Scan configurations
■ Add or modify credentialed scans
■ For use of additional scanning policies to provide deeper insights and assess regulatory compliance
Schedule
Period of Performance
The City of Federal Way understands and agrees that changes in critical factors (such as those listed below in Project Change Control, or a delay in signature of this document) may impact Critical Insight's ability to meet certain dates.
Project Change Control

Critical Insight has made every attempt to accurately estimate time required to successfully complete the project. The City of Federal Way acknowledges and agrees that if impediments, complications, or the City of Federal Way requested changes in scope arise, these factors are out of the control of Critical Insight, and the length of the project and associated price could be impacted. Examples of valid impediments, complications, and changes in scope consist of (but are not limited to):

■ The City of Federal Way initiated delay where the City of Federal Way is not prepared to allow Critical Insight to begin work on the agreed upon start date thus resulting in additional cost to Critical Insight for resources that have been sent to the City of Federal Way's site but cannot begin the Services
■ The City of Federal Way provided information necessary for timely delivery by Critical Insight is not accurate
■ Delays or problems associated with third party telecommunication equipment
  ■ This includes, but is not limited to, cabling, servers, routers, hubs, and switches managed or installed by third parties
■ Malfunctioning hardware
■ Inability to access equipment or personnel that are required to complete the project
■ Conflicts or incompatibilities associated with the installation of hardware or software installed by Critical Insight
■ The City of Federal Way increases the scope of services requiring additional labor, hardware, software, materials, travel, lodging, meals, or other direct costs

If any change(s) from impediments, complications, or the City of Federal Way changes in the scope of services cause an increase or decrease in the price or level of effort of the SOW, or the time required for the performance of any part of the work to be accomplished hereunder, whether or not such work is specifically identified in the written change, then the price, delivery schedules and other affected provision(s), if any, as applicable, shall be equitably adjusted and this SOW shall be modified in writing by the mutual agreement of the parties in accordance with this Section.

Service Deliverables

Description

Critical Insight will provide the following deliverables as part of this project:

Table 3: Deliverable Description

Deliverable: SME Advisor Meeting Notes
Description: For each meeting, an email synopsis will be provided that identifies the subjects discussed and any recommendations, interpretations of findings and risks relevant to the City of Federal Way.

Acceptance of Deliverables

The City of Federal Way has five (5) business days to inspect and acknowledge full delivery of the Services to be provided by Critical Insight hereunder upon completion and delivery of the Services by Critical Insight. The City of Federal Way will indicate such acknowledgement by signing Critical Insight's Project Completion Form, a sample of which is attached as Appendix B.
If the City of Federal Way believes that Critical Insight has not fully delivered the Services to be provided hereunder and refuses to sign the Project Completion Form on that basis, the City of Federal Way shall identify in reasonable detail the specific Services or deliverables which the City of Federal Way believes were not delivered, with specific reference to the corresponding sections of this SOW, via written notice to Critical Insight within such five (5) business day period. Following Critical Insight's receipt of any such notification, the parties shall cooperate in good faith to promptly address and resolve any remaining Service delivery requirements. Upon Critical Insight's delivery of the remaining Services, if any, the City of Federal Way's right to inspect and acknowledge full delivery shall be as stated above. If the City of Federal Way fails to provide such acknowledgement or notice within the five (5) business days of receiving final deliverables, the City of Federal Way agrees that the Services shall be deemed fully delivered to the City of Federal Way, even if the City of Federal Way has not signed the Critical Insight Project Completion Form.

Assumptions

Critical Insight used the following assumptions during development of this SOW. Any changes to these assumptions may affect the price and schedule commitments.
■ The City of Federal Way will provide Critical Insight access to the business, customer, and technical information, and facilities necessary to execute the solution
■ The City of Federal Way will provide Critical Insight on-site and off-site access to documents necessary for this assessment
■ The City of Federal Way will ensure that appropriate personnel are available to meet with Critical Insight, as necessary
■ Layer-3 devices will allow the protocols needed to discover and identify network services
■ Critical Insight will have approved access to vendors, for the purpose of obtaining device configurations, network diagrams, and details on monitoring or other processes that are performed on behalf of the City of Federal Way
  • If required, the City of Federal Way will assist with obtaining this access
■ During this engagement, any vulnerabilities, sensitive data, or configuration data found will not be disclosed except to specified City of Federal Way staff
■ Critical Insight will not be obligated to extend engagements when delays result from the City of Federal Way's inability to meet stated prerequisites prior to an engagement, nor when delays result from the City of Federal Way personnel not being available to provide required support
■ During this effort, Critical Insight will not be responsible for negotiations with hardware, software, or other vendors, or any other contractual relationship between the City of Federal Way and third parties
■ Critical Insight, at the request of the City of Federal Way, will provide input to the City of Federal Way regarding optimal product or vendor selection
■ Critical Insight will perform the work between 8:30 a.m. and 5:00 p.m. (local time)
■ After-hour and weekend work (when required) must be explicitly identified below or as otherwise agreed to in writing by the parties:

After-hours required? Yes ❑ No
Weekend hours required? Yes ❑ No
Location of onsite services? The City of Federal Way, Washington, 33325 8th Ave South, Federal Way, WA 98003 OR Remotely, if pandemic restrictions remain in place

Cost

Travel and Expense Reimbursement

All work can be conducted remotely, if desired or requested. Travel and expenses are not required on this engagement, especially if pandemic restrictions are in place. If travel, meals, lodging, and other direct costs for the described effort are incurred after obtaining approval from the City of Federal Way, those expenses shall be invoiced to and reimbursed by the City of Federal Way at actual cost.

Appendix A: Project Completion Form

Critical Insight has completed all of the agreed upon tasks outlined in the Scope of Work titled "CVIPro Vulnerability Management SME Advisor" and dated September 27, 2022.

Accepted and Agreed By: The City of Federal Way, Washington

Signature: ________
Printed Name: ________
Date: ________

Please email the signed form to Consulting@criticalinsight.com
STATEMENT OF SERVICE

Name: Kevin Rolnick
Email: Kevin.Rolnick@criticalinsight.com
Phone: 206-307-8035
Quote Date: 9/27/2022
Quote Expiration: 10/26/2022

Bill To:
Name: Thomas Fichtner
Company: City of Federal Way, WA
Street Address: 33325 8th Ave. South
City, State, Zip: Federal Way, WA 98003
Phone: 425-452-3500

Ship To:
Name: Thomas Fichtner
Company: City of Federal Way, WA
Street Address: 33325 8th Ave. South
City, State, Zip: Federal Way, WA 98003
Phone: 425-452-3500

Professional Services

Service Code | Description | Quantity | Unit | Type | Extended MSRP | Discount | Extended Subscription
CI-PSDEV | Policy Development | 1 | flat | | $11,400.00 | | $11,400.00
CI-PS-IRP | Incident Response Preparedness | 1 | flat | | $14,675.00 | | $14,675.00
Subtotal | | | | | $26,075.00 | | $26,075.00
Initial Invoice (Per Billing Period: 12 months) | | | | | $26,075.00 | | $26,075.00
Estimated Sales Tax (0.00% estimated rate) | | | | | $0.00 | | $0.00
Invoice | | | | | $26,075.00 | | $26,075.00

Critical Insight and the Critical Insight logo are the trademarks of Critical Insight, Inc. ©2022 Critical Insight, Inc. All rights reserved.

Terms and Conditions

This Statement of Service ("SOS"), effective as of the date of the signature of the last party to sign (the "Effective Date"), is subject to the Critical Insight Master Services Agreement, dated as of 10/1/2022, and any other Exhibits, Attachments or Amendments hereto, which are each incorporated herein by reference, and which together with this SOS constitute the "Agreement". Unless otherwise provided in this SOS, capitalized terms herein shall be as defined elsewhere in the Agreement. The terms of this Agreement constitute the final expression of the parties' binding understanding in respect to the subject matter hereof and supersede all prior or contemporaneous agreements, representations and understandings, written and oral, in respect to same.
Customer acknowledges that it has read the Agreement and agrees to be bound by its terms.

• Contract term is one (1) year, commencing the Effective Date hereof.
• Billing shall be based on Critical Insight reporting. Critical Insight and Customer shall reconcile in good faith any discrepancies in their respective tracking records, provided Critical Insight's reporting shall control in the event of an irreconcilable discrepancy.
• Customer shall be invoiced on an annual basis in advance.
• The first year invoice shall be issued thirty (30) days following the Effective Date, and each subsequent annual invoice shall be issued on the anniversary of the Effective Date or the next following business day if such date falls on a weekend or national holiday.
• Payment of invoiced amounts due no later than thirty (30) calendar days from date of invoice.

Check one of the following:
❑ Purchase Order Required
☒ Purchase Order Not Required

Customer
Signature: [illegible]
Name: [illegible]
Title: [illegible]
Date: [illegible]
Billing Contact Name: [illegible]
Billing Street Address: [illegible]
City, State, Zip: [illegible]
Billing Contact Phone: [illegible]
Billing Email:

Critical Insight, Inc.
Signature: [DocuSigned]
Name: Garrett Silver
Title: CEO
Date: 10/12/2022
EXHIBIT A

THE CITY OF FEDERAL WAY, WASHINGTON
POLICY DEVELOPMENT SERVICES

Presented To:
Thomas Fichtner
IT Manager
The City of Federal Way, Washington
33325 8th Ave South
Federal Way, WA 98003
(425) 452-3500
Thomas.Fichtner@cityoffederaway.com

Scope of Work
SOW 2022-748
September 27, 2022

Submitted By:
Randy Oppenborn
Consulting Practice Director
Critical Insight, Inc.
245 4th Street, Suite 405
Bremerton, WA 98337
(630) 346-3525
Randy.Oppenborn@criticalinsight.com

Table of Contents

GENERAL INFORMATION
  BACKGROUND & OBJECTIVES
  KEY BUSINESS AND TECHNICAL CONTACTS
POLICY DEVELOPMENT SERVICE DESCRIPTION AND SCOPE
  SCOPE OF ACTIVITY
  COORDINATION, PLANNING, & PROJECT INITIATION
SECURITY POLICY GAP ANALYSIS
  METHODOLOGY
  REVIEW & ANALYSIS
  TARGET PLAN/POLICY DEVELOPMENT, GAP ANALYSIS AND PLAN/POLICY ROADMAP
SCHEDULE
  PERIOD OF PERFORMANCE
  PROJECT CHANGE CONTROL
SERVICE DELIVERABLES
  DESCRIPTION
  ACCEPTANCE OF DELIVERABLES
ASSUMPTIONS
COST
  TRAVEL AND EXPENSE REIMBURSEMENT
APPENDIX A: PROJECT COMPLETION FORM

NOTICE

Critical Insight has made every reasonable attempt to ensure that the information contained within this Scope of Work is correct, current and properly sets forth the requirements as have been determined to date. The parties acknowledge and agree that the other party assumes no responsibility for errors that may be contained in or for misinterpretations that readers may infer from this document.

TRADEMARK NOTICE

© 2022 Critical Insight, Inc. All Rights Reserved. Critical Insight®, the Critical Insight and Kraken logos and other trademarks, service marks, and designs are registered or unregistered trademarks of Critical Insight, Inc. in the United States and in foreign countries.

© Copyright 2022 Critical Insight, Inc.

General Information

Background & Objectives

Purpose

This SOW describes the activities, scope, and deliverables for:

■ Information Security Policy Development
  ■ Review any existing information security policies
  ■ Draft a set of information security policies and procedures to address compliance and risk management objectives
  ■ Conduct a gap analysis against internal risk management requirements, regulatory requirements and standards of good practice which as a whole represent a target policy set for the City of Federal Way
  ■ Assess the City of Federal Way's capabilities to demonstrate policy adherence to the target policy set
  ■ Document any gaps by removing policy statements that the City of Federal Way cannot currently demonstrate compliance with and placing them in one of two "parking lots"
    o Statements that need to be added or restored into the policy once the capability to demonstrate compliance has been implemented
    o Statements that do not need to be added or restored into the policy
      ■ Each policy statement in this parking lot will have a documented justification such as "Not Applicable to the City of Federal Way" or "Risk Managed by Compensating Controls"

This SOW includes:

■ Scope of Work - Critical Insight's methodology for conducting assessments and the scope of work which will be performed.
■ Deliverables - Description of the deliverables for this project.
■ Project Assumptions - Any assumptions that were used to derive the scope of work or pricing for this engagement.
Key Business and Technical Contacts

The City of Federal Way, Washington Business Contact Information
Name: Thomas Fichtner, IT Manager
Mailing Address: The City of Federal Way, Washington, 33325 8th Ave South, Federal Way, WA 98003
E-Mail Address: Thomas.Fichtner@cityoffederaway.com
Phone Number: (425) 452-3500

Critical Insight Business Contact Information
Name: Randy Oppenborn, Consulting Practice Director
Mailing Address: Critical Insight, Inc., 245 4th Street, Suite 405, Bremerton, WA 98337
E-Mail Address: Randy.Oppenborn@criticalinsight.com
Phone Number: (630) 346-3525

Policy Development Service Description and Scope

This section provides a description of services, scope of activity, and support requirements associated with the services.

Scope of Activity

The scope outlined below depicts the scope of activity associated with this engagement.

Table 1 - SOW Scope Statement

Interviews:
■ Up to 4 interviews of the City of Federal Way staff knowledgeable in operations, risk management, compliance, procurement, HR, and others having a role in Vendor, Risk, Information Security, technology management, or technical administration of externally accessible infrastructure

Policy Review and Analysis Process:
■ Review of existing policies and the policy maintenance process
■ Identify policies and practices to be developed
■ Document specific internal risk management objectives and regulatory requirements driving policy objectives

Information Security Policy Update and Enhancement:
■ Conduct a gap analysis against internal risk management requirements, regulatory requirements and standards of good practice which as a whole represent a target policy for the City of Federal Way
■ Assess the City of Federal Way's capabilities to demonstrate policy adherence to the target policy
■ Document any gaps by removing policy statements that the City of Federal Way cannot currently demonstrate compliance with and placing them in one of two "parking lots"
  ■ Statements that need to be added or restored into the policy once the capability to demonstrate compliance has been implemented
    o Gaps resulting from new acquisitions will also be noted
  ■ Statements that do not need to be added or restored into the policy
    ■ Each policy statement in this parking lot will have a documented justification such as "Not Applicable to the City of Federal Way" or "Risk Managed by Compensating Controls"

Coordination, Planning, & Project Initiation

Critical Insight will assign a Lead Consultant to be the primary point of contact for all project work. The Lead Consultant will coordinate, plan, manage, and report all project activities and requirements to the City of Federal Way's designated Project Sponsor and/or Project Manager. A key component of Critical Insight's project management approach is timely reporting of project progress and findings.
This enables a proactive approach to addressing security risks discovered during the course of the project and ensures that all project stakeholders are completely informed at all times. To support this, Critical Insight will conduct a weekly status report teleconference with the City of Federal Way project team. Follow-up discussions and deliverables will occur on a case-by-case basis to ensure clear and timely communication of all issues.

The City of Federal Way Resource Requirements

Achieving the City of Federal Way's objectives will require active participation from both the Critical Insight Project Lead Consultant and the City of Federal Way's own personnel. To ensure the timely and successful completion of this project, the City of Federal Way should expect at least the following resource time commitments from its own personnel:

■ A Project Sponsor should be assigned to provide resolution of issues, escalation of issues, clarification of requirements, sign-off of deliverables, and access to resources as required by the project team. This role will require only a 2-3 hour per week commitment to the project.
■ Additionally, the following activities and estimated time allocations will be performed as part of the project in which the City of Federal Way-identified staff will participate:
  ■ Kick-off meeting: 1 hour
  ■ Interviews - Up to 1 1/2 hours each

Project Initiation Meeting

Critical Insight recognizes the value of communication and ongoing collaboration with our customers. As such, we include a project initiation meeting (kick-off meeting) with all our engagements.
During the meeting, Critical Insight will address the following topics:

■ Introduce key people at the City of Federal Way and Critical Insight
■ Exchange contact information (for regular reporting and emergencies)
■ Review communication, notification, and issue escalation procedures
■ Discuss other specific City of Federal Way requests and rules of engagement

Critical Insight will discuss the nature and time requirements for specific deliverable types that might be requested by the City of Federal Way during the project, the designated recipient, and the method by which Critical Insight will forward those deliverables.

Security Policy Gap Analysis

This section presents Critical Insight's approach to providing the Policy gap analysis element of this SOW:

Table 2 - Policy Development Workflow

■ Kickoff meeting
■ Review existing policies
■ Determine compliance and risk management drivers
■ Gap analysis against existing policies/plan
■ Policy/plan addition development & alignment
■ Creation & population of "Parking Lots"
■ Draft Policies/Plan
■ Policy/Plan Development
■ Agile Review cycles
■ Final current Policies
■ Roadmap to Target Policies/Plan

Methodology

Critical Insight will address plan/policy focus areas as a basis for the plan/policy structure and content. Critical Insight bases its approach on business drivers, ensuring that it addresses key risk areas within the policy and provides clear linkage to standards of good practice and regulatory requirements.
Kickoff Meeting and Interviews

The kickoff meeting will accomplish multiple objectives:

■ Describe history and current policies
■ Policy governance and ownership
■ Identify drivers - compliance, legal, strategic, and risk management

Representatives from the City of Federal Way stakeholders which may include Executives, Legal, IT, HR, Compliance, Procurement, Facilities, and Information Security. This same group will be included in the capabilities review interviews.

Key attributes of an effective plan/policy include:

■ Defining ownership of information security policy, standards, guidelines, and procedures
■ Providing central oversight, but flexible enough for business areas to implement successfully and appropriately
■ Developing a process to support ongoing policy management activities (for example, plan/policy updates and deviations)
■ Information Security Policy aligned with selected standards of practice and regulatory requirements
■ Completing and expanding current approved information security policies

Review & Analysis

Critical Insight will review and analyze information gathered during the interviews, as well as other material that may support or parallel the information, to identify the most effective policy structures and appropriate guidelines. Existing plan/policies will be reviewed for any areas where security may be enhanced, or where plan/policies need to address compliance requirements that are not in the current City of Federal Way plan/policies. Critical Insight will provide edits, amendments or replacement policies that will address all the required elements and that support a robust security program.
Roadmap items are things you do not do now and therefore cannot include in this plan/policy version, i.e., these are things that the organization will do as soon as it is capable of meeting that policy's requirements but cannot currently do. These plan/policy elements either are needed to meet regulatory compliance requirements or enable the City of Federal Way to meet risk management objectives.

Target Plan/Policy Development, Gap Analysis and Plan/Policy Roadmap

In this phase, Critical Insight will conduct these major activities:

■ Identify the policy set CCL needs to cover compliance and risk management objectives
■ Gap Analysis of Target plan/policy against existing plan/policies
■ Ensuring easy-to-understand and easy-to-apply plan/policies
■ Clearly defining terminology and responsibilities
■ Documenting a process to support the maintenance and ongoing management of the plan, policies, standards, guidelines, or processes delivered
■ Addition of new policies
■ Population of plan/policy statement parking lots
■ Finalize current practice plan/policy for approval and publication which reflects current capabilities
■ Develop a plan/policy roadmap to add elements in the target plan/policy parking lot into the approved plan/policies

Schedule

Period of Performance

The City of Federal Way understands and agrees that changes in critical factors (such as those listed below in Project Change Control, or a delay in signature of this document) may impact Critical Insight's ability to meet certain dates.
Project Change Control

Critical Insight has made every attempt to accurately estimate time required to successfully complete the project. The City of Federal Way acknowledges and agrees that if impediments, complications, or the City of Federal Way requested changes in scope arise, these factors are out of the control of Critical Insight, and the length of the project and associated price could be impacted. Examples of valid impediments, complications, and changes in scope consist of (but are not limited to):

■ The City of Federal Way initiated delay where the City of Federal Way is not prepared to allow Critical Insight to begin work on the agreed upon start date thus resulting in additional cost to Critical Insight for resources that have been sent to the City of Federal Way's site but cannot begin the Services
■ The City of Federal Way provided information necessary for timely delivery by Critical Insight is not accurate
■ Delays or problems associated with third party telecommunication equipment
  ■ This includes, but is not limited to, cabling, servers, routers, hubs, and switches managed or installed by third parties
■ Malfunctioning hardware
■ Inability to access equipment or personnel that are required to complete the project
■ Conflicts or incompatibilities associated with the installation of hardware or software installed by Critical Insight
■ The City of Federal Way increases the scope of services requiring additional labor, hardware, software, materials, travel, lodging, meals, or other direct costs

If any change(s) from impediments, complications, or the City of Federal Way changes in the scope of services cause an increase or decrease in the price or level of effort of the SOW, or the time required for the performance of any part of the work to be accomplished hereunder, whether or not such work is specifically identified in the written change, then the price, delivery schedules and other affected provision(s), if any, as applicable, shall be equitably adjusted and this SOW shall be modified in writing by the mutual agreement of the parties in accordance with this Section.

Service Deliverables

Description

Critical Insight will provide the following deliverables as part of this project:

Table 3: Deliverable Description

Deliverable: Information Security Policy Review Report and Updated Policy Set
Description: A document detailing all findings and recommendations identified during the review. Findings will include all identified gaps, policy statement elements that have been placed into the two parking lots, and a roadmap with prioritized recommended strategies to support the target policy:
■ Target Policy to be achieved after remediation
■ Updated policy that represents current practices ready for approval and publication
■ 2 policy statement/objective parking lots
  ■ Statements that need to be added or restored into the policy once the capability to demonstrate compliance has been implemented
  ■ Statements that do not need to be added or restored into the policy

Acceptance of Deliverables

The City of Federal Way has five (5) business days to inspect and acknowledge full delivery of the Services to be provided by Critical Insight hereunder upon completion and delivery of the Services by Critical Insight. The City of Federal Way will indicate such acknowledgement by signing Critical Insight's Project Completion Form, a sample of which is attached as Appendix B. If the City of Federal Way believes that Critical Insight has not fully delivered the Services to be provided hereunder and refuses to sign the Project Completion Form on that basis, the City of Federal Way shall identify in reasonable detail the specific Services or deliverables which the City of Federal Way believes were not delivered, with specific reference to the corresponding sections of this SOW, via written notice to Critical Insight within such five (5) business day period. Following Critical Insight's receipt of any such notification, the parties shall cooperate in good faith to promptly address and resolve any remaining Service delivery requirements.
Upon Critical Insight's delivery of the remaining Services, if any, the City of Federal Way's right to inspect and acknowledge full delivery shall be as stated above. If the City of Federal Way fails to provide such acknowledgement or notice within the five (5) business days of receiving final deliverables, the City of Federal Way agrees that the Services shall be deemed fully delivered to the City of Federal Way, even if the City of Federal Way has not signed the Critical Insight Project Completion Form.

Assumptions

Critical Insight used the following assumptions during development of this SOW. Any changes to these assumptions may affect the price and schedule commitments.

■ The City of Federal Way will provide Critical Insight access to the business, customer, and technical information, and facilities necessary to execute the solution
■ The City of Federal Way will provide Critical Insight on-site and off-site access to documents necessary for this assessment
■ The City of Federal Way will ensure that appropriate personnel are available to meet with Critical Insight, as necessary
■ Layer-3 devices will allow the protocols needed to discover and identify network services
■ Critical Insight will have approved access to vendors, for the purpose of obtaining device configurations, network diagrams, and details on monitoring or other processes that are performed on behalf of the City of Federal Way
    ■ If required, the City of Federal Way will assist with obtaining this access
■ During this engagement, any vulnerabilities, sensitive data, or configuration data found will not be disclosed except to specified City of Federal Way staff
■ Critical Insight will not be obligated to extend engagements when delays result from the City of Federal Way's inability to meet stated prerequisites prior to an engagement, nor when delays result from the City of Federal Way personnel not being available to provide required support
■ During this effort, Critical Insight will not be responsible for negotiations with hardware, software, or other vendors, or any other contractual relationship between the City of Federal Way and third parties
■ Critical Insight, at the request of the City of Federal Way, will provide input to the City of Federal Way regarding optimal product or vendor selection
■ Critical Insight will perform the work between 8:30 a.m. and 5:00 p.m. (local time)

After-hour and weekend work (when required) must be explicitly identified below or as otherwise agreed to in writing by the parties:

After-hours required? Yes ❑ No
Weekend hours required? Yes ❑ No
Location of onsite services? The City of Federal Way, Washington, 33325 8th Ave South, Federal Way, WA 98003 OR Remotely, if pandemic restrictions remain in place

Cost

Travel and Expense Reimbursement

All work can be conducted remotely, if desired or requested. Travel and expenses are not required on this engagement, especially if pandemic restrictions are in place. If travel, meals, lodging, and other direct costs for the described effort are incurred after obtaining approval from the City of Federal Way, those expenses shall be invoiced to and reimbursed by the City of Federal Way at actual cost.
Appendix A: Project Completion Form

Critical Insight has completed all of the agreed upon tasks outlined in the Scope of Work titled "Policy Development Services" and dated September 27, 2022.

Accepted and Agreed By: The City of Federal Way, Washington
Signature:
Printed Name: [illegible]
Title: [illegible]
Date:

Please email the signed form to Consulting@criticalinsight.com.

EXHIBIT B

Critical Insight
Federal Way Centered on Opportunity

THE CITY OF FEDERAL WAY, WASHINGTON
INCIDENT RESPONSE PREPAREDNESS

Presented To:
Thomas Fichtner
IT Manager
The City of Federal Way, Washington
33325 8th Ave South
Federal Way, WA 98003
Thomas.Fichtner@cityoffederaway.com
(425) 452-3500

SCOPE OF WORK SOW-2022-146
SEPTEMBER 27, 2022

Submitted By:
John-Luke Peck
Consulting Practice Director & Critical Insight dCISO
Critical Insight, Inc.
245 4th Street, Suite 405
Bremerton, WA 98337
jlp@CriticalInsight.com
(425) 508-5150

CRITICAL INSIGHT, INC. CONFIDENTIAL

Table of Contents

GENERAL INFORMATION
    BACKGROUND & OBJECTIVES
        Purpose
    KEY BUSINESS AND TECHNICAL CONTACTS
        The City of Federal Way Business Contact Information
        Critical Insight Business Contact Information
SERVICE DESCRIPTION AND SCOPE
    SCOPE OF ACTIVITY
    IR PLAN DEVELOPMENT
    IR PLAN TABLETOP EXERCISE
    PROJECT MANAGEMENT, COORDINATION, AND PLANNING
    THE CITY OF FEDERAL WAY RESOURCE REQUIREMENTS
        Project Initiation Meeting
        TTE
        Prepare and Plan
        Conduct Exercise
        Lessons Learned
        Improve Cybersecurity Program
        Repeat Prepare and Plan
SCHEDULE
    PERIOD OF PERFORMANCE
    PROJECT CHANGE CONTROL
SERVICE DELIVERABLES
    DESCRIPTION
    ACCEPTANCE OF DELIVERABLES
ASSUMPTIONS
COST
    TRAVEL AND EXPENSE REIMBURSEMENT
APPENDIX A: PROJECT COMPLETION FORM
NOTICE

Critical Insight has made every reasonable attempt to ensure that the information contained within this Scope of Work is correct, current and properly sets forth the requirements as have been determined to date. The parties acknowledge and agree that the other party assumes no responsibility for errors that may be contained in or for misinterpretations that readers may infer from this document.

NON-DISCLOSURE STATEMENT

The information in this document is Critical Insight Confidential, and cannot be reproduced or redistributed in any way, shape, or form without prior written consent from Critical Insight, Inc.

TRADEMARK NOTICE

2022 Critical Insight, Inc. All Rights Reserved. Critical Insight®, the Critical Insight, and Kraken logos and other trademarks, service marks, and designs are registered or unregistered trademarks of Critical Insight, in the United States and in foreign countries.

© Copyright 2022 Critical Insight, Inc.

General Information

Background & Objectives

Purpose

This SOW presents Critical Insight's approach and methodology for development of an Incident Response Plan (IR Plan) for the City of Federal Way.
We will create an Incident Response Plan and process which includes:

■ Review of current Incident Management practices, processes and documentation currently in use at the City of Federal Way
■ Conducting a Gap Analysis of these incident management practices against Standards of Good Practice and compliance with regulations
■ Based on the Gap Analysis, development of programmatic components not already in place and harmonization of existing incident management structures, plans, and guidance documents with the overall Incident Management program objectives resulting in an IR Plan
■ Conduct a Tabletop Exercise (TTE) or 'dry run' using the new IR Plan
■ Ensure the City of Federal Way staff understand the roles, responsibilities and activities they will be required to perform when the IR Plan is activated
■ Provide recommendations for subsequent TTEs that will include scenarios designed to validate the remediation of weaknesses identified in the first TTE

This SOW includes:

■ Scope of Work - Critical Insight's methodology for assisting and supporting the City of Federal Way's technology & executive teams, and the scope of work that will be performed
■ Deliverables - Description of the deliverables for this project
■ Project Assumptions - any assumptions that were used to derive the scope of work or pricing for this engagement
Key Business and Technical Contacts

The City of Federal Way Business Contact Information

Name: Thomas Fichtner, IT Manager
Mailing Address: The City of Federal Way, Washington, 33325 8th Ave South, Federal Way, WA 98003
E-Mail Address: Thomas.Fichtner@cityoffederaway.com
Phone Number: (425) 452-3500

Critical Insight Business Contact Information

Name: John-Luke Peck, Consulting Practice Director & Critical Insight dCISO
Mailing Address: Critical Insight, Inc., 245 4th Street, Suite 405, Bremerton WA 98337
E-Mail Address: jlp@CriticalInsight.com
Phone Number: (425) 508-5150

Service Description and Scope

This section provides a description of services, scope of activity, and required support requirements associated with the services.

Scope of Activity

The scope outlined below depicts the scope of activity associated with this engagement.
Table 1: Scope of the Security Services

IR Plan Development:
■ Up to 4 meetings to establish a comprehensive and formal incident management framework based on defined and managed processes for incident notification, communications, documentation, lessons learned, training, testing and auditing

IR Plan Tabletop Exercise:
■ An up to 4 1/2 hour exercise of the IR Plan, conducted either onsite or virtually

IR Plan Development

Our approach will execute the following tasks:

■ Review of current Incident Management practices, processes and documentation
■ Conduct a Gap Analysis against Standards of Good Practice and compliance with regulations
■ Develop new programmatic components with the establishment and implementation of comprehensive, defined, managed, and measurable incident management processes
■ Develop/Amend/Enhance (existing) security policies and practices for incident monitoring and management
■ Develop a customized incident response plan and methodology guide (based on industry-leading policies, guidelines, and processes) to provide a step-by-step process for detecting and responding to incidents occurring within your organization. Serving as a roadmap for effective incident response, the methodology guide includes decision matrices for establishing incident severity, escalation areas, and management decision points
■ Develop documentation tools, operational procedures, and incident handling guides for consistent and repeatable guidance for the response team
■ Harmonize existing incident management structures, plans, and guidance documents with the refined Incident Management program objectives

The result is an IR Plan ready for use and for a Tabletop Exercise (TTE) to ensure readiness to deliver on the plan.
IR Plan Tabletop Exercise

Our approach for the TTE program executes the following tasks:

■ Review of current incident management and incident response practices, processes and documentation against applicable standards of practice
■ Document a formal incident response testing program for periodic evaluation of the effectiveness and applicability of the program
■ Develop testing criteria, requirements and procedures for the periodic evaluation of the Incident Response Plan and its critical components
■ Conduct the first TTE according to one of the following IR frameworks
    ■ HITRUST CyberRX 2.0 Playbook Level 1 (Basic), a scenario-based exercise program to assess the cyber security response preparedness of healthcare organizations but is fully applicable to any organization
        ○ We recommend the CyberRX approach as the NIST methodology is not part of an integrated TTE approach
    ■ A combination of the NIST 800-61r2 Computer Security Incident Handling Guide (NIST.SP.800-61r2), NIST 800-84 Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities (NIST.SP.800-84) and NIST 800-184 Guide for Cybersecurity Event Recovery (NIST.SP.800-184)
■ Provide an after-action report that includes a Table of Findings and Recommendations for increasing the effectiveness of the IR process and plans

Table 2: IR Roles Description
Management (Oversight): Make decisions on issues not outlined in procedures
Information Security (Lead): Investigations
Information Technology (Support): Provide technical support as required
Physical Security (Primary):
    ■ Assess Physical Damage
    ■ Business Continuity
    ■ Physical Property Investigation
    ■ Safeguarding Evidence
Legal (Secondary): Provide legal advice when requested
Human Resources (Consultation): Provide information with regards to situations involving employees
Communications (Secondary): Communicate with:
    ■ Internal: shareholders/owner, management, staff
    ■ External: press, public, vendors, law enforcement

Project Management, Coordination, and Planning

A key component of Critical Insight's project management approach is timely reporting of project progress and findings. This enables a proactive approach to addressing security risks discovered during the course of the project and ensures that all project stakeholders are completely informed at all times.

Critical Insight will provide a highly qualified resource as Lead Consultant on the project and the Point of Contact (PoC) for the life of the contract; additional resources may address specific areas of this body of work. The Lead Consultant has experience in incident management, regulatory compliance and information security, managing enterprise-level projects, and communicating with Executives, Steering Committees, Regulators, and Auditors as well as IT and operational staff.
The City of Federal Way Resource Requirements

Achieving the City of Federal Way's objectives will require active participation from both the Critical Insight Project Team as well as the City of Federal Way's own personnel. To ensure the timely and successful completion of this project, the City of Federal Way should expect at least the following resource time commitments from its own personnel:

■ A Project Manager should be assigned to the project to serve as the single point of contact for the Critical Insight Project Team (the City of Federal Way may choose to assign the Project Sponsor and Project Manager role to the same person). This role will require a commitment of approximately 4-6 hours during the course of the project.
■ Additionally, the following activities and estimated time allocations will be performed as part of the project in which the City of Federal Way-identified staff will participate:
    ■ Kick-off meeting — Interview on IR processes and document collection: 1-2 hours
    ■ TTE Preparation: 1-2 hours

Project Initiation Meeting

Critical Insight recognizes the value of communication and ongoing collaboration with our customers. As such, we include a project initiation meeting (kick-off meeting) with all of our engagements. During the meeting, Critical Insight will address the following topics:

■ Introduce key people at the City of Federal Way and Critical Insight
■ Exchange contact information (for regular reporting and emergencies)
■ Review scope of services
■ Review communication, notification, and issue escalation procedures
■ Discuss other specific City of Federal Way requests and rules of engagement
■ Discuss the involvement of the City of Federal Way staff in the project for the purpose of knowledge transfer and security
■ Critical Insight will discuss the deliverables required at completion of the project, the designated recipient, and the manner in which Critical Insight will forward those deliverables
■ Describe/provide the City of Federal Way IR Plan, processes and policies
■ Plan the TTE and identify participants
■ Discuss pre-TTE communications from management to participants

TTE

Our preferred methodology is modeled on the CyberRX, a scenario-based exercise program to assess the cyber security response preparedness of healthcare organizations. CyberRX 2.0 is the next iteration following the successful introduction of CyberRX 1.0 in 2013. The CyberRX program is overseen by a steering committee comprised of representatives from the healthcare industry, HITRUST, and Department of Health and Human Services (DHHS).

■ htt s. hi r s is nets171!?I1t c er in I b r e R 2P1 !k LVLI pd.f

The CyberRX cycle includes the following phases and who is responsible for each phase:

■ Prepare and Plan — Critical Insight and the City of Federal Way
■ Conduct Exercise — Critical Insight and the City of Federal Way
■ Identify Lessons Learned — Critical Insight
■ Improve Cybersecurity Program — the City of Federal Way

The NIST-based methodology has the following components:

■ Design. The design phase and planning for exercises typically starts at least one month in advance. The major steps in the event design process are as follows:
    ■ Determine the exercise topic based on the focus of the plan being exercised
    ■ Determine the exercise scope based on the target audience
    ■ Identify the objectives of the exercise
    ■ Identify the individuals that should participate in the exercise and invite them to the event
    ■ Identify the staff for the exercise, including a facilitator and a data collector
    ■ Coordinate the logistics for the exercise event.
■ Development. Typical documentation includes a briefing, a facilitator guide, a participant guide, and an after-action report.
■ Conduct. In this phase, the IR plan is actually exercised. Tabletop exercises are usually conducted in a classroom-type setting. The facilitator provides a briefing to the participants, then walks them through the scenario and initiates a group discussion using a question from the facilitator guide. As the discussion continues, the facilitator may inject additional questions periodically. The data collector documents issues to be included in the after-action report. Immediately following the facilitated discussion, the facilitator and data collector conduct an exercise debrief, in which they ask the participants in which areas they excel, in which areas they could use additional training, and which areas of the IT plan should be updated.
■ Evaluation. The comments from the debrief, along with lessons learned during the exercise, are captured in an after-action report. The report should include background information about the exercise, documented observations made by the facilitator and data collector, and recommendations for enhancing the IR plan that was exercised. Outcomes of the evaluation could include updating the IR plan or other security-related documents, briefing managers on the results, and performing other actions.
Prepare and Plan

The Kickoff Meeting will serve as the forum for initial TTE planning and exchange of information. Fourteen example scenarios are presented in the CyberRX ranging in complexity from one to three stars (levels of complexity, 3 being the most complex) and a subset of those chosen to be used in the first TTE. After review of the collected information and documentation, the Lead Consultant will adjust the plan and communicate those adjustments back to the City of Federal Way. Approximately 48 hours prior to the TTE, a short, final pre-TTE conference call will be conducted to ensure any final details have been addressed.

Conduct Exercise

The Lead Consultant will conduct the formal onsite TTE and document the strengths and weaknesses of the City of Federal Way IR plan, process and policy. The areas measured in a TTE are referred to in the CyberRX as the 10 Markers. The following ten markers are typical industry practices and are key activities, policies, or products to strengthen an organization's cybersecurity capabilities:

1. Governance/People
2. Incident Response Policy and/or Guidelines
3. Internal Communications and Escalation
4. Training
5. Information Sharing
6. Vulnerability & Threat Management
7. Asset Management and
8. Vendor assessment
9. Lessons Learned
10. Updating plans and policies

Lessons Learned

Critical Insight will create a TTE report with a Table of Findings and Recommendations built around the Ten Markers and will form the basis of the Lessons Learned phase and will include the remediation activities for the City of Federal Way to consider for the Improve Cybersecurity Program phase.

Improve Cybersecurity Program

The City of Federal Way addresses prioritized list of items for remediation.
Repeat Prepare and Plan

Each CyberRX cycle will include a Prepare and Plan stage that integrates scenarios designed to provide validation of remediation and incorporation of lessons learned into the City of Federal Way IR plan, processes and policies.

Schedule

Period of Performance

The City of Federal Way understands and agrees that changes in critical factors (such as those listed below in Project Change Control, or a delay in signature of this document) may impact Critical Insight's ability to meet certain dates.

Project Change Control

Critical Insight has made every attempt to accurately estimate time required to successfully complete the project. The City of Federal Way acknowledges and agrees that if impediments, complications, or the City of Federal Way requested changes in scope arise, these factors are out of the control of Critical Insight, and the length of the project and associated price could be impacted.
Examples of valid impediments, complications, and changes in scope consist of (but are not limited to):

■ The City of Federal Way initiated delay where the City of Federal Way is not prepared to allow Critical Insight to begin work on the agreed upon start date thus resulting in additional cost to Critical Insight for resources that have been sent to the City of Federal Way's site but cannot begin the services
■ The City of Federal Way provided information necessary for timely delivery by Critical Insight is not accurate
■ Delays or problems associated with third party telecommunication equipment
    ■ This includes, but is not limited to, cabling, servers, routers, hubs, and switches managed or installed by third parties
■ Malfunctioning hardware
■ Inability to access equipment or personnel that are required to complete the project
■ Conflicts or incompatibilities associated with the installation of hardware or software installed by Critical Insight
■ The City of Federal Way increases the scope of services requiring additional labor, hardware, software, materials, travel, lodging, meals, or other direct costs

If any change(s) from impediments, complications, or the City of Federal Way changes in the scope of services cause an increase or decrease in the price or level of effort of the SOW, or the time required for the performance of any part of the work to be accomplished hereunder, whether or not such work is specifically identified in the written change, then the price, delivery schedules and other affected provision(s), if any, as applicable, shall be equitably adjusted and this SOW shall be modified in writing by the mutual agreement of the parties in accordance with this section.
Service Deliverables

Description

Critical Insight will provide the following deliverables as part of this project:

Table 3: Deliverable Description

Name of Deliverable: Incident Response Plan
Description of Deliverable: Incident Response Plan & up to 4 playbooks (scenario-based response guides). A plan that provides a step-by-step process for detecting and responding to incidents occurring within your organization and can serve as a roadmap for effective incident response

Name of Deliverable: Tabletop Exercise
Description of Deliverable: One (1) day onsite exercise designed to identify any weaknesses in the IR Program and to familiarize the staff with their responsibilities in the event of an incident

Name of Deliverable: TTE Report with Table of Findings and Recommendations
Description of Deliverable: A written report summarizing the results of the TTE that will include a Table of Findings and Recommendations for improving the City of Federal Way Incident Management Program

Acceptance of Deliverables

The City of Federal Way has thirty (30) business days to inspect and acknowledge full delivery of the services to be provided by Critical Insight hereunder upon completion and delivery of the Services by Critical Insight. The City of Federal Way will indicate such acknowledgement by signing Critical Insight's Project Completion Form, a sample of which is attached as Appendix A: Project Completion Form. If the City of Federal Way is not able to inspect and acknowledge deliverables within 30 business days, the City of Federal Way will notify Critical Insight in writing and work together to define a mutually agreed date.
If the City of Federal Way believes that Critical Insight has not fully delivered the services to be provided hereunder and refuses to sign the Project Completion Form on that basis, the City of Federal Way shall identify in reasonable detail the specific services or deliverables which the City of Federal Way believes were not delivered, with specific reference to the corresponding sections of this SOW, via written notice to Critical Insight within such thirty (30) business day period. Following Critical Insight's receipt of any such notification, the parties shall cooperate in good faith to promptly address and resolve any remaining service delivery requirements. Upon Critical Insight's delivery of the remaining services, if any, the City of Federal Way's right to inspect and acknowledge full delivery shall be as stated above. If the City of Federal Way fails to provide such acknowledgement or notice within the thirty (30) business days of receiving final deliverables, the City of Federal Way agrees that the services shall be deemed fully delivered to the City of Federal Way, even if the City of Federal Way has not signed the Critical Insight Project Completion Form.

Assumptions

Critical Insight used the following assumptions during development of this SOW. Any changes to these assumptions may affect the price and schedule commitments.
■ The City of Federal Way will provide Critical Insight access to the business, customer, and technical information and facilities necessary to execute the solution
■ The City of Federal Way will provide Critical Insight on-site and off-site access to documents necessary for this assessment
■ The City of Federal Way will ensure that appropriate personnel are available to meet with Critical Insight, as necessary
■ Layer-3 devices will allow the protocols needed to discover and identify network services
■ Critical Insight will have approved access to vendors, for the purpose of obtaining device configurations, network diagrams, and details on monitoring or other processes that are performed on behalf of the City of Federal Way
    ■ If required, the City of Federal Way will assist with obtaining this access
■ During this engagement, any vulnerabilities, sensitive data, or configuration data found will not be exploited or disclosed except to specified City of Federal Way staff
■ Discovery and investigation processes should not interrupt any processes or services or cause any impact to the availability of operations
■ Critical Insight will not be obligated to extend engagements when delays result from the City of Federal Way's inability to meet stated prerequisites prior to an engagement, nor when delays result from client personnel not being available to provide required support
■ During this effort, Critical Insight will not be responsible for negotiations with hardware, software, or other vendors, or any other contractual relationship between the City of Federal Way and third parties
■ Critical Insight, at the request of the City of Federal Way, will provide input to the City of Federal Way regarding optimal product or vendor selection
Critical Insight will perform the work between 8:30 a.m. and 5:00 p.m. (local time).

As technical testing is included in the SOW which could require after-hour and weekend work, Critical Insight agrees to provide services as indicated below:

After-hours upon request? Yes No
Weekend upon request? Yes No
Location of onsite services? All work can be conducted remotely
Or the City of Federal Way
33325 8th Ave South
Federal Way, WA 98003

Cost

Travel and Expense Reimbursement

Travel and expense costs may be expected on this engagement though all work can be conducted remotely. If travel, meals, lodging, and other direct costs for the described effort are incurred, with prior approval from the City of Federal Way, those expenses shall be reimbursed by the City of Federal Way at actual cost.

Appendix A: Project Completion Form

Critical Insight has completed all of the agreed upon tasks outlined in the Scope of Work titled "Incident Response Preparedness" and dated September 27, 2022.

Accepted and Agreed By:
The City of Federal Way, Washington
Signature:
Printed Name:
Title:
Date:

Please email the signed form to Consulting@criticalinsight.com.
STATEMENT OF SERVICE

Name: Kevin Rolnick
Email: Kevin.Rolnick@criticalinsight.com
Phone: 206-307-8035
Quote Date: 9/27/2022
Quote Expiration: 10/26/2022

Bill To:
Name: Thomas Fichtner
Company: City of Federal Way, WA
Street Address: 33325 8th Ave. South
City, State, Zip: Federal Way, WA 98003
Phone: 425-452-3500

Ship To:
Name: Thomas Fichtner
Company: City of Federal Way, WA
Street Address: 33325 8th Ave. South
City, State, Zip: Federal Way, WA 98003
Phone: 425-452-3500

Professional Services (Extended, Extended, Service Code):
■ Security Awareness Training Program Development: 1 flat, $12,785.00, $12,785.00, CI-PS-SAT
■ Retention Compliance Review: 1 flat, $5,980.00, $5,980.00, CI-PS-LR

Subtotal: $18,765.00, $18,765.00
Initial Invoice Per Billing Period (12 months): $18,765.00, $18,765.00
Estimated Sales Tax (0.00% estimated rate): $0.00, $0.00
Invoice: $18,765.00, $18,765.00

Critical Insight and the Critical Insight logo are the trademarks of Critical Insight, Inc. ©2022 Critical Insight, Inc. All rights reserved.

STATEMENT OF SERVICE

Terms and Conditions

This Statement of Service ("SOS"), effective as of the date of the signature of the last party to sign (the "Effective Date") is subject to the Critical Insight Master Services Agreement, dated as of 10/1/2022 and any other Exhibits, Attachments or Amendments hereto, which are each incorporated herein by reference, and which together with this SOS constitute the "Agreement". Unless otherwise provided in this SOS, capitalized terms herein shall be as defined elsewhere in the Agreement. The terms of this Agreement constitute the final expression of the parties' binding understanding in respect to the subject matter hereof and supersede all prior or contemporaneous agreements, representations and understandings, written and oral, in respect to same.
Customer acknowledges that it has read the Agreement and agrees to be bound by its terms.

• Contract term is one (1) year, commencing the Effective Date hereof.
• Billing shall be based on Critical Insight reporting. Critical Insight and Customer shall reconcile in good faith any discrepancies in their respective tracking records, provided Critical Insight's reporting shall control in the event of an irreconcilable discrepancy.
• Customer shall be invoiced on an annual basis in advance.
• The first year invoice shall be issued thirty (30) days following the Effective Date, and each subsequent annual invoice shall be issued on the anniversary of the Effective Date or the next following business day if such date falls on a weekend or national holiday.
• Payment of invoiced amounts due no later than thirty (30) calendar days from date of invoice.

STATEMENT OF SERVICE

Check one of the following:
❑ Purchase Order Required
Purchase Order Not Required

Customer
Signature:
Name:
Title:
Date:
Billing Contact:
Billing Street Address:
State, Zip:
Phone:
Billing Email:

Critical Insight, Inc.
Signature: DocuSigned by:
Name: Garrett Silver
Title: CEO
Date: 10/12/2022

EXHIBIT A

THE CITY OF FEDERAL WAY, WASHINGTON
SECURITY AWARENESS TRAINING PROGRAM DEVELOPMENT
Scope of Work
SOW 2022-749
September 27, 2022

Presented To:
Thomas Fichtner
IT Manager
The City of Federal Way, Washington
33325 8th Ave South
Federal Way, WA 98003
(425) 452-3500
Thomas.Fichtner@cityoffederaway.com

Submitted By:
Randy Oppenborn
Consulting Practice Director
Critical Insight, Inc.
245 4th Street, Suite 405
Bremerton, WA 98337
(630) 346-3525
Randy.Oppenborn@criticalinsight.com

Table of Contents

GENERAL INFORMATION
BACKGROUND & OBJECTIVES
KEY BUSINESS AND TECHNICAL CONTACTS
SECURITY AWARENESS TRAINING PROGRAM DEVELOPMENT SERVICE DESCRIPTION AND SCOPE
SECURITY AWARENESS TRAINING PROGRAM DEVELOPMENT & DELIVERY
SECURITY AWARENESS TRAINING
SECURITY AWARENESS TRAINING PROGRAM DEVELOPMENT
SAT METHODOLOGY
COMPONENTS OF THE SAT FRAMEWORK
AUDIENCE
DELIVERY MECHANISMS
MESSAGE THEMES
METRICS
TRAIN-THE-TRAINER AND SAT PROGRAM ROADMAP
BENEFITS OF APPROACH
SCHEDULE
PERIOD OF PERFORMANCE
PROJECT CHANGE CONTROL
SERVICE DELIVERABLES
DESCRIPTION
ACCEPTANCE OF DELIVERABLES
ASSUMPTIONS
COST
TRAVEL AND EXPENSE REIMBURSEMENT
APPENDIX A: PROJECT COMPLETION FORM

NOTICE

Critical Insight has made every reasonable attempt to ensure that the information contained within this Scope of Work is correct, current and properly sets forth the requirements as have been determined to date.
The parties acknowledge and agree that the other party assumes no responsibility for errors that may be contained in or for misinterpretations that readers may infer from this document.

NON-DISCLOSURE STATEMENT

The information in this document is Critical Insight Confidential, and cannot be reproduced or redistributed in any way, shape, or form without prior written consent from Critical Insight, Inc.

TRADEMARK NOTICE

© 2022 Critical Insight, Inc. All Rights Reserved. Critical Insight®, the Critical Insight and Kraken logos and other trademarks, service marks, and designs are registered or unregistered trademarks of Critical Insight, Inc. in the United States and in foreign countries.

© Copyright 2022 Critical Insight, Inc.

General Information

Background & Objectives

Purpose

This SOW describes the activities, scope, and deliverables for:
■ Security Awareness Training Program Development
■ SAT Materials which may include:
  o Videotaped (by the City of Federal Way) delivery of training sessions
  o PowerPoint presentation with narration
  o Phishing and awareness materials
  o SAT Program - Train-the-trainer
  o SAT Delivery - up to two sessions

This SOW includes:
■ Scope of Work - Critical Insight's methodology for conducting assessments and the scope of work which will be performed.
■ Deliverables - Description of the deliverables for this project.
■ Project Assumptions - any assumptions that were used to derive the scope of work or pricing for this engagement.
Key Business and Technical Contacts

The City of Federal Way, Washington Business Contact Information
Name: Thomas Fichtner, IT Manager
Mailing Address: The City of Federal Way, Washington, 33325 8th Ave South, Federal Way, WA 98003
E-Mail Address: Thomas.Fichtner@cityoffederaway.com
Phone Number: (425) 452-3500

Critical Insight Business Contact Information
Name: Randy Oppenborn, Consulting Practice Director
Mailing Address: Critical Insight, Inc., 245 4th Street, Suite 405, Bremerton WA 98337
E-Mail Address: Randy.Oppenborn@criticalinsight.com
Phone Number: (630) 346-3525

Security Awareness Training Program Development Service Description and Scope

Security Awareness Training Program Development & Delivery

Critical Insight's approach to Security Awareness Training (SAT) is to design a high-impact, maintainable Security Training and Awareness curriculum for employees which can be cost-effectively delivered to targeted audiences throughout the City of Federal Way.

Critical Insight recommends building an understanding of the security awareness requirements by investigating the business, the role of information technology and future plans. This step is not intended to undertake a detailed investigation; it will simply form an outline view of the current state and culture of the organization.

Understanding the baseline environment is an important component of building an appropriate SAT program. For example, any Security Awareness initiatives undertaken in the past may be critical later to ensure that no conflicts or overlaps occur.
Security Awareness Training

Coordination, Planning, & Project Initiation

Critical Insight will provide day-to-day project management for all aspects of this project, including tracking and resolution of project related issues, progress tracking, project reporting, and communication.

A key component of Critical Insight's project management approach is timely reporting of project progress and findings. This enables a proactive approach to addressing security risks discovered during the course of the project and ensures that all project stakeholders are completely informed at all times.

The City of Federal Way Resource Requirements

Achieving the City of Federal Way's objectives will require active participation from both the Critical Insight Project Team as well as the City of Federal Way's own personnel. To ensure the timely and successful completion of this project, the City of Federal Way should expect at least the following resource time commitments from its own personnel:
■ A Project Manager should be assigned to the project to serve as the single point of contact for the Critical Insight Project Team (the City of Federal Way may choose to assign the Project Sponsor and Project Manager role to the same person)
■ This role will require a commitment of approximately 12 hours during the course of the project

Security Awareness Training Program Development

Security Education Training & Awareness Methodology and Approach

Critical Insight's approach to Security Awareness Training (SAT) is to design a high-impact, maintainable Security Training and Awareness Curriculum for employees which can be cost-effectively delivered to targeted audiences throughout the City of Federal Way. Critical Insight SAT methodology is illustrated below.
Figure 1 - Security Awareness Training (SAT) Methodology

SAT Methodology

Critical Insight recommends building an understanding of the security awareness requirements by investigating the business, the role of information technology and future plans. This step is not intended to undertake a detailed investigation; it will simply form an outline view of the current state and culture of the organization.

Understanding the baseline environment is an important component of building an appropriate SAT program. For example, any Security Awareness initiatives undertaken in the past may be critical later to ensure that no conflicts or overlaps occur. In order to accomplish this with minimal use of resources and impact to operations, Critical Insight will complete the tasks in the following sections.

Phase 1 - Understand Current Environment

In order to determine the state of preparedness for implementing an Information Security Awareness Program, begin by determining the following:
■ Existence of Corporate Information Security Policy and Standards documents
■ Existence of other employee policies, guidelines, or handbooks that may include security activities
■ Extent to which these have been communicated internally
■ Current process in use for promulgation of policy and standards

Phase 2 - Determine Desired SAT Framework

The second step in developing the SAT Program Plan is to determine the preferred framework and customize that framework to fit the culture. This process will establish the SAT Program goals and scope.
To accomplish this, Critical Insight will complete the following tasks:
■ Review of documentation gathered, and interview notes to identify common concerns throughout the enterprise
■ Review of business and security processes to determine necessary content to achieve the highest benefit through the implementation of a SAT program
■ Identify existing business and security processes that could be expanded to include SAT activities
■ Examine SAT program options and identify SAT Program goals and scope. Once the desired goals and scope are defined, develop and customize a framework for the SAT Program and for the environment

Phase 3 - Develop SAT Program Roadmap

The final step in developing the SAT Program plan is to identify the disparity between current SAT activities and map out the path that the City of Federal Way must take to reach their preferred SAT Program. Using the results gained from the review of existing documentation, assessing current business and security processes, interviewing appropriate staff and taking into consideration the identified goals, scope, and desired SAT framework, Critical Insight will:
■ Adjust the SAT framework based upon Customer recommendations
■ Prioritize tasks/activities to achieve the preferred SAT Program
■ Determine efforts required to complete tasks/activities
■ Develop detailed plan or roadmap to complete tasks/activities

Phase 4 - Creation of Awareness Content

Based on the input from the previous three phases, Critical Insight will create customized awareness content. The content may contain awareness messages regarding the following information security topics:
■ PCI requirements
  o 12.6 Make all employees aware of the importance of cardholder information security.
  o 12.6.1 Educate employees (e.g., through posters, letters, memos, meetings, and promotions).
  o 12.6.2 Require employees to acknowledge in writing they have read and understood the company's security policy and procedures.
■ HIPAA requirement 164.308(a)(5) Implement a security awareness and training program for all members of its workforce (including management).
  o Security Reminders - Periodic security updates
  o Protection from Malicious Software - Procedures for guarding against, detecting, and reporting malicious software
  o Log-in Monitoring - Procedures for monitoring log-in attempts and reporting discrepancies
  o Password Management - Procedures for creating, changing, and safeguarding passwords.
■ Industry best practice security awareness on
  o Passwords
  o Computer Viruses
  o Malicious Code
  o Data Backup and Storage
  o Incident Response
  o Personal Use and Gain
  o Environmental
  o Inventory Control
  o Physical Security
  o Social Engineering

In order to create the appropriate messaging, Critical Insight will consider the following foundational components while creating the SAT framework. These essential components are described in detail in the following section "Components of the SAT Framework":
■ Audience
■ Delivery Mechanisms
■ Message Themes
■ Metrics

Components of the SAT Framework

Using the above approach, Critical Insight will create a SAT Program framework tailored to the City of Federal Way's needs, culture, and budget. Although the exact structure of the program has yet to be determined, this section seeks to describe the key components that comprise a SAT Program: audience, delivery mechanism, message themes, and performance metrics.
Critical Insight will establish these components through significant security experience combined with industry standards of good practice.

Audience

There are many different types of roles and individuals in an organization. In creating a SAT Program, it is important to recognize that different audience types may require different methods to provide the intended message. During the planning stages of a SAT program, it is important to identify which audience segments will be targeted.

Critical Insight promotes the philosophy that the development of a security awareness and training program must be based on the roles and responsibilities of individuals and geared towards different levels of understanding of information security issues. Roles and responsibilities provide the basis for the differing audiences for all awareness, training, and education activities. With this in mind, Critical Insight will identify additional potential target audiences within the organization and identify key groups at this time. Once identification is complete, Critical Insight will create a cohesive SAT strategy that addresses each audience.
The following audiences should be addressed:
■ General users
■ ITS users
■ Managers
■ Executives with governance responsibilities

The following groups are examples of additional potential audiences to include during the SAT activities:
■ Executives
■ Business Owners
■ Supervisors
■ Senior Management
■ Corporate Office Personnel and End Users
■ Line of Business Executives
■ Line of Business Project Managers
■ Branch Personnel
■ Help Desk Personnel
■ IT Managers
■ Systems Development Personnel
■ Project Managers
■ IT Architects
■ IT Developers
■ Operations Personnel
■ Business Partners

Delivery Mechanisms

The purpose of this component is to identify program communication and delivery mechanisms appropriate for the environment. Critical Insight will review and evaluate the communication mechanisms currently available in the environment for potential use by the SAT program, while considering any other mechanisms that have been utilized in similar engagements.

Critical Insight recommends as a best practice to incorporate security awareness and training into the existing corporate training programs and methods. In order to make this approach effective, the SAT strategy must identify broader communications/training initiatives that may be appropriate for delivery of Information Security content. This will not only provide economies of scale in the use of resources and personnel, but also encourage acceptance of security awareness messages as being integral to the business of informing and training management and staff.

Critical Insight expects different levels of response from varying audiences based on the use of different media. As such, SAT program developers must present key messages in as many ways as the available resources allow.
Program delivery staff should consider the most effective means of using media to communicate messages with maximum impact. This is particularly applicable to the design and delivery of security awareness programs. These principles may apply to the following examples of various delivery mechanisms:
■ Security discourses
■ Employee seminars
■ Employee training and workshops
■ Instructional videos
■ Awareness posters
■ Mouse pads, pens or stickers
■ Corporate Intranet web site
■ Paper distribution (Newsletters, Pamphlets/inserts)
■ Security awareness calendars
■ Employee orientation programs
■ Security Awareness day events
■ Webinars

Message Themes

The SAT Program Plan must identify and incorporate the program themes and messages communicated during awareness and training activities. SAT program content needs to be both opportunistic in terms of the immediate objectives of the corporate security program, and appropriate to the level of the audience and the medium in which that content is to be delivered.

The content development process should consider opportunities for including elements of security risk analysis (as reflected in corporate policy and standards) in the training process. Critical Insight has found that presenting these in creative ways that involve the participants in becoming familiar with corporate policy on particular risk areas provides the maximum benefit to staff, and the maximum retention of the information provided. In addition, the following approaches proactively involve participants and may provide valuable feedback for the Information Security Program.
■ Allowance for discussion on weakness and shortcomings of existing solutions and suggestion of alternatives
■ Identification of "what can go wrong" threat scenarios, with suggested approaches and appropriate responses
■ Actively seek feedback on the appropriateness and success of programs

The following are examples of the general areas and themes that the SAT Program may focus on:
■ Relevance of Information Security to the employee
■ Management commitment to Information Security (Management audience)
■ General threat awareness
■ Maintaining a high standard of security on a day-to-day basis
■ General awareness of applicable Information Security practices, guidelines and standards
■ Understanding and accepting the need for information security
■ The security organization and its role and activities
■ Skills development for staff responsible for specific Information Security-related actions
■ Specific content areas related to areas of particular concern (past vulnerabilities, emerging threats, etc.)
■ Specific content areas relevant in terms of immediate and prioritized business risk
■ Special content for management staff that address areas related to security such as Privacy, Legal liability, Fiduciary responsibility, and so on.

Metrics

Like any significant activity that consumes business resources, suitable metrics should be used to measure the effectiveness of the SAT program over time. Working with key personnel, Critical Insight will identify existing and suggested metrics appropriate to the environment. These metrics can be used to help determine the quality and effectiveness of the SAT program at any given point in time.
Given this information, appropriate corrections can be made to the content, audience targeting, and delivery mechanisms, providing a means for ensuring that the SAT program is continuously improved. In addition, metrics can help determine the appropriateness of resource allocations supporting the SAT program.

The City of Federal Way can use two distinct sets of metrics: metrics that measure specific SAT activities, and metrics measuring the overall information security program of which SAT is an integral component.

Metrics specific to SAT activities typically measure in terms of the quality, clarity, and usefulness of the content provided as well as the effectiveness of the delivery mechanism. In addition, more general surveys can also provide insight into the audience's perceived value of SAT initiatives and various assessment/audit findings can serve to validate the effectiveness of SAT. Examples include:
■ Pre-training surveys to determine baseline security awareness metrics
■ Post-training surveys of attendees to determine the quality, clarity, and usefulness of the information presented in the training and education session
■ Periodic surveys of various audience groups to determine their level of knowledge and appreciation of SAT activities
■ Results of quizzes and tests completed at the conclusion of computer-based or manual training
■ Audit and assessment findings that clearly point to insufficient awareness and training
■ Number of 'help' calls and inquiries to the information security staff.
In addition to metrics specifically focused on SAT activities, measuring the quality and effectiveness of the overall information security program may help determine, in a general sense, the relative impact SAT activities have on the overall information security efforts. These metrics are often difficult to tie directly back to SAT activities, but serve a useful purpose, nonetheless. An effective SAT program should have a positive, measurable effect on the information security program as a whole. Effectiveness can be measured by:
■ The number of information security-related audit findings
■ The number and severity of information security related intrusion and incidents

Train-the-Trainer and SAT Program Roadmap

Working with the internal training group at the City of Federal Way, Critical Insight will develop a SAT Program Roadmap that provides a detailed SAT Program framework that assists in successfully implementing the awareness content in the corporate environment. The City of Federal Way should base this roadmap upon existing awareness, training and education activities, review of documentation, interviews with staff, and standards of good practice. The roadmap should include the following:
■ A detailed description of each audience segment, including a summary of estimated SAT requirements
■ A summary of existing documents to be included in the SAT Program
■ A summary of SAT Program activities
■ Content development recommendations including a description of all documentation, processes, and deliverables that will form the SAT Program
■ A detailed description of all recommended delivery mechanisms for the SAT Program, targeted to each audience segment
■ The recommended delivery mechanisms will leverage any existing applications and tools
■ Identification of existing business processes in which SAT activities can be integrated
■ Annual Update processes which include:
  o Incorporation of new threat information and methods to avoid these threats
  o Incorporation of new Policy elements
  o Incorporation of new compliance requirements

Benefits of Approach

The general benefits of the SAT approach are that it:
■ Distinguishes between levels of learning
■ Focuses the content on specific roles and responsibilities
■ Delivers the content in a clear and concise manner
■ Measures and evaluates the effectiveness of the program
■ Integrates security awareness and training activities into established business processes, where possible, to ensure cost-effectiveness
■ Conveys the corporate mission and objectives

Specific roles and responsibilities determine the appropriate learning approach for staff, which, in turn, determines delivery mechanisms, the message content, and the metrics used to evaluate the effectiveness of the program. Each of these four components is dependent upon the other and cannot be developed without considering one or the other.

Schedule

Period of Performance

The City of Federal Way understands and agrees that changes in critical factors (such as those listed below in Project Change Control, or a delay in signature of this document) may impact Critical Insight's ability to meet certain dates.

Project Change Control

Critical Insight has made every attempt to accurately estimate time required to successfully complete the project.
The City of Federal Way acknowledges and agrees that if impediments, complications, or the City of Federal Way requested changes in scope arise, these factors are out of the control of Critical Insight, and the length of the project and associated price could be impacted. Examples of valid impediments, complications, and changes in scope consist of (but are not limited to):

■ The City of Federal Way initiated delay where the City of Federal Way is not prepared to allow Critical Insight to begin work on the agreed upon start date thus resulting in additional cost to Critical Insight for resources that have been sent to the City of Federal Way's site but cannot begin the Services
■ The City of Federal Way provided information necessary for timely delivery by Critical Insight is not accurate
■ Delays or problems associated with third party telecommunication equipment
    ■ This includes, but is not limited to, cabling, servers, routers, hubs, and switches managed or installed by third parties
■ Malfunctioning hardware
■ Inability to access equipment or personnel that are required to complete the project
■ Conflicts or incompatibilities associated with the installation of hardware or software installed by Critical Insight
■ The City of Federal Way increases the scope of services requiring additional labor, hardware, software, materials, travel, lodging, meals, or other direct costs

If any change(s) from impediments, complications, or the City of Federal Way changes in the scope of services cause an increase or decrease in the price or level of effort of the SOW, or the time required for the performance of any part of the work to be accomplished hereunder, whether or not such work is specifically identified in the written change, then the price, delivery schedules and other affected provision(s), if any, as applicable, shall be equitably adjusted and this SOW shall be modified in writing by the mutual agreement of the parties in accordance with this Section.

Service Deliverables

Description

Critical Insight will provide the following deliverables as part of this project:

Table 3: Deliverable Description

Deliverable: Security Awareness Training Program Development
Description: A set of Security Awareness Training Materials specifically tailored to threats facing NHI that include:
■ Up to 2 different SAT presentation decks tailored for specific audiences
■ One delivered session
■ Videotaped delivery of training sessions, if desired, or PowerPoint presentation with recorded narration
■ Phishing and awareness materials
■ SAT Program: Train-the-trainer

Acceptance of Deliverables

The City of Federal Way has five (5) business days to inspect and acknowledge full delivery of the Services to be provided by Critical Insight hereunder upon completion and delivery of the Services by Critical Insight.
The City of Federal Way will indicate such acknowledgement by signing Critical Insight's Project Completion Form, a sample of which is attached as Appendix B. If the City of Federal Way believes that Critical Insight has not fully delivered the Services to be provided hereunder and refuses to sign the Project Completion Form on that basis, the City of Federal Way shall identify in reasonable detail the specific Services or deliverables which the City of Federal Way believes were not delivered, with specific reference to the corresponding sections of this SOW, via written notice to Critical Insight within such five (5) business day period. Following Critical Insight's receipt of any such notification, the parties shall cooperate in good faith to promptly address and resolve any remaining Service delivery requirements. Upon Critical Insight's delivery of the remaining Services, if any, the City of Federal Way's right to inspect and acknowledge full delivery shall be as stated above. If the City of Federal Way fails to provide such acknowledgement or notice within the five (5) business days of receiving final deliverables, the City of Federal Way agrees that the Services shall be deemed fully delivered to the City of Federal Way, even if the City of Federal Way has not signed the Critical Insight Project Completion Form.

Assumptions

Critical Insight used the following assumptions during development of this SOW. Any changes to these assumptions may affect the price and schedule commitments.
■ The City of Federal Way will provide Critical Insight access to the business, customer, and technical information, and facilities necessary to execute the solution
■ The City of Federal Way will provide Critical Insight on-site and off-site access to documents necessary for this assessment
■ The City of Federal Way will ensure that appropriate personnel are available to meet with Critical Insight, as necessary
■ Layer-3 devices will allow the protocols needed to discover and identify network services
■ Critical Insight will have approved access to vendors, for the purpose of obtaining device configurations, network diagrams, and details on monitoring or other processes that are performed on behalf of the City of Federal Way
    ■ If required, the City of Federal Way will assist with obtaining this access
■ During this engagement, any vulnerabilities, sensitive data, or configuration data found will not be disclosed except to specified City of Federal Way staff
■ Critical Insight will not be obligated to extend engagements when delays result from the City of Federal Way's inability to meet stated prerequisites prior to an engagement, nor when delays result from the City of Federal Way personnel not being available to provide required support
■ During this effort, Critical Insight will not be responsible for negotiations with hardware, software, or other vendors, or any other contractual relationship between the City of Federal Way and third parties
■ Critical Insight, at the request of the City of Federal Way, will provide input to the City of Federal Way regarding optimal product or vendor selection
■ Critical Insight will perform the work between 8:30 a.m. and 5:00 p.m. (local time)
■ After-hour and weekend work (when required) must be explicitly identified below or as otherwise agreed to in writing by the parties:
After-hours required? Yes ❑ No
Weekend hours required? Yes F No 19
Location of onsite services? The City of Federal Way, Washington, 33325 8th Ave South, Federal Way, WA 98003 OR Remotely, if pandemic restrictions remain in place

Cost

Travel and Expense Reimbursement

All work can be conducted remotely, if desired or requested. Travel and expenses are not required on this engagement, especially if pandemic restrictions are in place. If travel, meals, lodging, and other direct costs for the described effort are incurred after obtaining approval from the City of Federal Way, those expenses shall be invoiced to and reimbursed by the City of Federal Way at actual cost.

Appendix A: Project Completion Form

Critical Insight has completed all of the agreed upon tasks outlined in the Scope of Work titled "Security Awareness Training Program Development" and dated September 27, 2022.

Accepted and Agreed By: The City of Federal Way, Washington
Signature:
Printed Name:
Title:
Date:

Please email the signed form to Consulting@criticalinsight.com.
EXHIBIT B

THE CITY OF FEDERAL WAY, WASHINGTON
LOG RETENTION COMPLIANCE REVIEW

Presented To:
Thomas Fichtner, IT Manager
The City of Federal Way, Washington
33325 8th Ave South, Federal Way, WA 98003
(425) 452-3500
Thomas.Fichtner@cityoffederaway.com

Scope of Work
SOW 2022-747
September 27, 2022

Submitted By:
Randy Oppenborn, Consulting Practice Director
Critical Insight, Inc.
245 4th Street, Suite 405, Bremerton, WA 98337
(630) 346-3525
Randy.Oppenborn@criticalinsight.com

CRITICAL INSIGHT, INC. CONFIDENTIAL

Table of Contents

GENERAL INFORMATION
BACKGROUND & OBJECTIVES
KEY BUSINESS AND TECHNICAL CONTACTS
LOG RETENTION COMPLIANCE REVIEW SERVICE DESCRIPTION AND SCOPE
PROJECT MANAGEMENT, COORDINATION, AND PLANNING
SCHEDULE
PERIOD OF PERFORMANCE
PROJECT CHANGE CONTROL
SERVICE DELIVERABLES
DESCRIPTION
ACCEPTANCE OF DELIVERABLES
ASSUMPTIONS
COST
TRAVEL AND EXPENSE REIMBURSEMENT
APPENDIX A: PROJECT COMPLETION FORM

NOTICE

Critical Insight has made every reasonable attempt to ensure that the information contained within this Scope of Work is correct, current and properly sets forth the requirements as have been determined to date. The parties acknowledge and agree that the other party assumes no responsibility for errors that may be contained in or for misinterpretations that readers may infer from this document.
NON-DISCLOSURE STATEMENT

The information in this document is Critical Insight Confidential, and cannot be reproduced or redistributed in any way, shape, or form without prior written consent from Critical Insight, Inc.

TRADEMARK NOTICE

2022 Critical Insight, Inc. All Rights Reserved. Critical Insight®, the Critical Insight and Kraken logos and other trademarks, service marks, and designs are registered or unregistered trademarks of Critical Insight, Inc. in the United States and in foreign countries.

© Copyright 2022 Critical Insight, Inc.

General Information

Background & Objectives

Purpose

This SOW describes the activities, scope, and deliverables for:

■ Log Retention Compliance Review

■ Organizations with regulatory or standards compliance requirements often struggle to identify the systems that should be in scope for log collection, aggregation and retention, and misconfigure system and application log settings, resulting in incomplete, non-compliant log management programs and audit trails. Without a complete, defensible audit trail, investigations, forensics and breach identification are all compromised, and the organization is out of compliance with regulations and standards.

■ Critical Insight's Log Retention Service Compliance Review assesses your logging, auditing and monitoring policy, program, configuration and regulatory scope, identifies gaps in meeting the standards or requirements, and provides recommendations and regular processes required to maintain logging and auditing compliance, monitor logs for unauthorized activity and review logs for appropriate access.

This SOW includes:

■ Scope of Work — Critical Insight's methodology for conducting assessments and the scope of work which will be performed.
■ Deliverables — Description of the deliverables for this project.
■ Project Assumptions — any assumptions that were used to derive the scope of work or pricing for this engagement.

Key Business and Technical Contacts

The City of Federal Way, Washington Business Contact Information
Name: Thomas Fichtner, IT Manager
Mailing Address: The City of Federal Way, Washington, 33325 8th Ave South, Federal Way, WA 98003
E-Mail Address: Thomas.Fichtner@cityoffederaway.com
Phone Number: (425) 452-3500

Critical Insight Business Contact Information
Name: Randy Oppenborn, Consulting Practice Director
Mailing Address: Critical Insight, Inc., 245 4th Street, Suite 405, Bremerton, WA 98337
E-Mail Address: Randy.Oppenborn@criticalinsight.com
Phone Number: (630) 346-3525

Log Retention Compliance Review Service Description and Scope

Critical Insight will identify the activities that the City of Federal Way must complete and the processes the City of Federal Way must operate after implementation of a Log Retention program so that the City of Federal Way can work to ensure that compliance with standards is achieved and maintained.

Project Management, Coordination, and Planning

A key component of Critical Insight's project management approach is timely reporting of project progress and findings. This enables a proactive approach to addressing security risks discovered during the course of the project and ensures that all project stakeholders are completely informed at all times.
Critical Insight will provide a qualified resource as Lead Consultant on the project and the Point of Contact (PoC) for the life of the contract; additional resources may address specific areas of this body of work. The Lead Consultant has experience in incident management, regulatory compliance and information security, managing enterprise-level projects, and communicating with Executives, Steering Committees, Regulators, and Auditors as well as IT and operational staff.

The City of Federal Way Resource Requirements

Achieving the City of Federal Way's objectives will require active participation from both the Critical Insight Project Team as well as the City of Federal Way's own personnel. To ensure the timely and successful completion of this project, the City of Federal Way should expect at least the following resource time commitments from its own personnel:

■ A Project Manager should be assigned to the project to serve as the single point of contact for the Critical Insight Project Team (the City of Federal Way may choose to assign the Project Sponsor and Project Manager role to the same person). This role will require a commitment of approximately 8-12 hours during the course of the project.
■ Additionally, the following activities and estimated time allocations will be performed as part of the project in which the City of Federal Way-identified staff will participate:
    ■ Kick-off meeting: 2 hours
    ■ Interviews: up to four 1- to 2-hour meetings
To assist the City of Federal Way in creating, implementing and maintaining a robust logging and auditing system and program that will meet or exceed all regulatory requirements or industry standards, Critical Insight will:

■ Conduct interviews to determine:
    ■ The scope of the environment that the logging and auditing program will cover
    ■ The regulations or industry standards that the City of Federal Way needs or wants to comply with
    ■ The subset of the overall enterprise environment that the requirements and standards apply to
■ For each regulatory/standards-defined subset of the environment, document or collect from the City of Federal Way an inventory of systems that are required to be included in the logging and auditing program and any other systems that the City of Federal Way believes would benefit from the same requirements and standards
    ■ It is not uncommon to apply the standards and requirements enterprise wide for risk management purposes
■ For each regulatory/standards-defined subset of the environment, identify and map the logging requirements and retention periods to each system in the inventory and each log in the system, if applicable
    ■ Estimate the change in storage requirements, architecture or technology, if significant
■ Conduct a gap analysis on the current logging and auditing configuration against the desired configuration, and identify remediation actions needed to bring the systems or program into compliance
■ Create a description of each defined regular/periodic process that must be conducted along with the frequency that the City of Federal Way will need to conduct the process
    ■ Commonly, human-conducted or automated log, access, maintenance, fault and security alert reviews
Schedule

Period of Performance

The City of Federal Way understands and agrees that changes in critical factors (such as those listed below in Project Change Control, or a delay in signature of this document) may impact Critical Insight's ability to meet certain dates.

Project Change Control

Critical Insight has made every attempt to accurately estimate time required to successfully complete the project. The City of Federal Way acknowledges and agrees that if impediments, complications, or the City of Federal Way requested changes in scope arise, these factors are out of the control of Critical Insight, and the length of the project and associated price could be impacted. Examples of valid impediments, complications, and changes in scope consist of (but are not limited to):

■ The City of Federal Way initiated delay where the City of Federal Way is not prepared to allow Critical Insight to begin work on the agreed upon start date thus resulting in additional cost to Critical Insight for resources that have been sent to the City of Federal Way's site but cannot begin the Services
■ The City of Federal Way provided information necessary for timely delivery by Critical Insight is not accurate
■ Delays or problems associated with third party telecommunication equipment
    ■ This includes, but is not limited to, cabling, servers, routers, hubs, and switches managed or installed by third parties
■ Malfunctioning hardware
■ Inability to access equipment or personnel that are required to complete the project
■ Conflicts or incompatibilities associated with the installation of hardware or software installed by Critical Insight
■ The City of Federal Way increases the scope of services requiring additional labor, hardware, software, materials, travel, lodging, meals, or other direct costs

If any change(s) from impediments, complications, or the City of Federal Way changes in the scope of services cause an increase or decrease in the price or level of effort of the SOW, or the time required for the performance of any part of the work to be accomplished hereunder, whether or not such work is specifically identified in the written change, then the price, delivery schedules and other affected provision(s), if any, as applicable, shall be equitably adjusted and this SOW shall be modified in writing by the mutual agreement of the parties in accordance with this Section.

Service Deliverables

Description

Critical Insight will provide the following deliverables as part of this project:

Table 3: Deliverable Description

Deliverable: Log Retention Service Compliance Review Report
Description: The report will contain:
■ Logging and auditing regulatory/Standards the City of Federal Way must comply with
■ Definition of Regulatory/Standards Environment Scope
■ Identify any subset environments with differing standards
■ Inventory of systems and their associated standards/regulatory requirements and retention periods
■ Identification of periodic/regular processes the City of Federal Way must conduct to maintain compliance
■ Logging and auditing configuration Gap Analysis with recommendations per system/application to achieve and maintain compliance

Acceptance of Deliverables

The City of Federal Way has five (5) business days to inspect and acknowledge full delivery of the Services to be provided by Critical Insight hereunder upon completion and delivery of the Services by Critical Insight. The City of Federal Way will indicate such acknowledgement by signing Critical Insight's Project Completion Form, a sample of which is attached as Appendix B. If the City of Federal Way believes that Critical Insight has not fully delivered the Services to be provided hereunder and refuses to sign the Project Completion Form on that basis, the City of Federal Way shall identify in reasonable detail the specific Services or deliverables which the City of Federal Way believes were not delivered, with specific reference to the corresponding sections of this SOW, via written notice to Critical Insight within such five (5) business day period. Following Critical Insight's receipt of any such notification, the parties shall cooperate in good faith to promptly address and resolve any remaining Service delivery requirements. Upon Critical Insight's delivery of the remaining Services, if any, the City of Federal Way's right to inspect and acknowledge full delivery shall be as stated above. If the City of Federal Way fails to provide such acknowledgement or notice within the five (5) business days of receiving final deliverables, the City of Federal Way agrees that the Services shall be deemed fully delivered to the City of Federal Way, even if the City of Federal Way has not signed the Critical Insight Project Completion Form.

Assumptions

Critical Insight used the following assumptions during development of this SOW.
Any changes to these assumptions may affect the price and schedule commitments.

■ The City of Federal Way will provide Critical Insight access to the business, customer, and technical information, and facilities necessary to execute the solution
■ The City of Federal Way will provide Critical Insight on-site and off-site access to documents necessary for this assessment
■ The City of Federal Way will ensure that appropriate personnel are available to meet with Critical Insight, as necessary
■ Layer-3 devices will allow the protocols needed to discover and identify network services
■ Critical Insight will have approved access to vendors, for the purpose of obtaining device configurations, network diagrams, and details on monitoring or other processes that are performed on behalf of the City of Federal Way
    ■ If required, the City of Federal Way will assist with obtaining this access
■ During this engagement, any vulnerabilities, sensitive data, or configuration data found will not be disclosed except to specified City of Federal Way staff
■ Critical Insight will not be obligated to extend engagements when delays result from the City of Federal Way's inability to meet stated prerequisites prior to an engagement, nor when delays result from the City of Federal Way personnel not being available to provide required support
■ During this effort, Critical Insight will not be responsible for negotiations with hardware, software, or other vendors, or any other contractual relationship between the City of Federal Way and third parties
■ Critical Insight, at the request of the City of Federal Way, will provide input to the City of Federal Way regarding optimal product or vendor selection
■ Critical Insight will perform the work between 8:30 a.m. and 5:00 p.m. (local time)
■ After-hour and weekend work (when required) must be explicitly identified below or as otherwise agreed to in writing by the parties:
After-hours required? Yes No
Weekend hours required? Yes ❑ No
Location of onsite services? The City of Federal Way, Washington, 33325 8th Ave South, Federal Way, WA 98003 OR Remotely, if pandemic restrictions remain in place

Cost

Travel and Expense Reimbursement

All work can be conducted remotely, if desired or requested. Travel and expenses are not required on this engagement, especially if pandemic restrictions are in place. If travel, meals, lodging, and other direct costs for the described effort are incurred after obtaining approval from the City of Federal Way, those expenses shall be invoiced to and reimbursed by the City of Federal Way at actual cost.

Appendix A: Project Completion Form

Critical Insight has completed all of the agreed upon tasks outlined in the Scope of Work titled "Log Retention Compliance Review" and dated September 27, 2022.

Accepted and Agreed By: The City of Federal Way, Washington
Signature:
Printed Name:
Title:
Date:

Please email the signed form to Consulting@criticalinsight.com.
DocuSign Certificate Of Completion

Envelope Id: 8D5DCCAEOEE74A888FE19EC42C87528B
Status: Completed
Subject: Please DocuSign: Critical Insight MSA_SOS (CVIPRO_SME)_City of Federal Way signed 10122022.pdf
Source Envelope:
Document Pages: 122
Signatures: 4
Certificate Pages: 5
Initials: 0
AutoNav: Enabled
EnvelopeId Stamping: Enabled
Time Zone: (UTC-08:00) Pacific Time (US & Canada)
Envelope Originator: Lori Nguyen, 245 4th Street, Suite 405, Bremerton, WA 98337, Lori.Nguyen@criticalinsight.com
IP Address: 64.207.219.7

Record Tracking
Status: Original, 10/12/2022 7:22:38 AM
Holder: Lori Nguyen, Lori.Nguyen@criticalinsight.com
Location: DocuSign

Signer Events
Garrett Silver, garrett.silver@criticalinsight.com, CEO, Critical Insight, Inc.
Security Level: Email, Account Authentication (None)
Signature Adoption: Drawn on Device
Using IP Address: 65.132.158.114
Sent: 10/12/2022 7:27:59 AM
Resent: 10/12/2022 7:31:26 AM
Resent: 10/12/2022 12:27:27 PM
Resent: 10/12/2022 3:12:24 PM
Viewed: 10/12/2022 3:33:21 PM
Signed: 10/12/2022 3:33:44 PM
Electronic Record and Signature Disclosure: Accepted: 10/12/2022 3:33:21 PM, ID: 390dbe5a-e4f6-4d40-a84f-d6b206309532

In Person Signer Events, Editor Delivery Events, Agent Delivery Events, Intermediary Delivery Events, Certified Delivery Events: no entries shown

Carbon Copy Events
CI Operations, operations@criticalinsight.com: COPIED, Sent: 10/12/2022 3:33:45 PM
Security Level: Email, Account Authentication (None)
Electronic Record and Signature Disclosure: Not Offered via DocuSign
Kevin Rolnick, kevin.rolnick@criticalinsight.com: COPIED, Sent: 10/12/2022 3:33:45 PM
Security Level: Email, Account Authentication (None)
Electronic Record and Signature Disclosure: Not Offered via DocuSign

Witness Events, Notary Events: no entries shown

Envelope Summary Events
Envelope Sent: Hashed/Encrypted, 10/12/2022 7:27:59 AM
Certified Delivered: Security Checked, 10/12/2022 3:33:21 PM
Signing Complete: Security Checked, 10/12/2022 3:33:44 PM
Completed: Security Checked, 10/12/2022 3:33:45 PM

Payment Events: no entries shown

Electronic Record and Signature Disclosure
Electronic Record and Signature Disclosure created on: 8/3/2020 8:24:16 AM
Parties agreed to: Garrett Silver

ELECTRONIC RECORD AND SIGNATURE DISCLOSURE

From time to time, Critical Informatics Inc. dba CI Security (we, us or Company) may be required by law to provide to you certain written notices or disclosures. Described below are the terms and conditions for providing to you such notices and disclosures electronically through the DocuSign system. Please read the information below carefully and thoroughly, and if you can access this information electronically to your satisfaction and agree to this Electronic Record and Signature Disclosure (ERSD), please confirm your agreement by selecting the check-box next to 'I agree to use electronic records and signatures' before clicking 'CONTINUE' within the DocuSign system.

Getting paper copies

At any time, you may request from us a paper copy of any record provided or made available electronically to you by us. You will have the ability to download and print documents we send to you through the DocuSign system during and immediately after the signing session and, if you elect to create a DocuSign account, you may access the documents for a limited period of time (usually 30 days) after such documents are first sent to you. After such time, if you wish for us to send you paper copies of any such documents from our office to you, you will be charged a $0.00 per-page fee. You may request delivery of such paper copies from us by following the procedure described below.
Withdrawing your consent
If you decide to receive notices and disclosures from us electronically, you may at any time change your mind and tell us that thereafter you want to receive required notices and disclosures only in paper format. How you must inform us of your decision to receive future notices and disclosure in paper format and withdraw your consent to receive notices and disclosures electronically is described below.

Consequences of changing your mind
If you elect to receive required notices and disclosures only in paper format, it will slow the speed at which we can complete certain steps in transactions with you and delivering services to you because we will need first to send the required notices or disclosures to you in paper format, and then wait until we receive back from you your acknowledgment of your receipt of such paper notices or disclosures. Further, you will no longer be able to use the DocuSign system to receive required notices and consents electronically from us or to sign electronically documents from us.

All notices and disclosures will be sent to you electronically
Unless you tell us otherwise in accordance with the procedures described herein, we will provide electronically to you through the DocuSign system all required notices, disclosures, authorizations, acknowledgements, and other documents that are required to be provided or made available to you during the course of our relationship with you. To reduce the chance of you inadvertently not receiving any notice or disclosure, we prefer to provide all of the required notices and disclosures to you by the same method and to the same address that you have given us. Thus, you can receive all the disclosures and notices electronically or in paper format through the paper mail delivery system. If you do not agree with this process, please let us know as described below.
Please also see the paragraph immediately above that describes the consequences of your electing not to receive delivery of the notices and disclosures electronically from us.

How to contact Critical Informatics Inc. dba CI Security:
You may contact us to let us know of your changes as to how we may contact you electronically, to request paper copies of certain information from us, and to withdraw your prior consent to receive notices and disclosures electronically as follows:
To contact us by email send messages to: lori.nguyen@ci.security

To advise Critical Informatics Inc. dba CI Security of your new email address
To let us know of a change in your email address where we should send notices and disclosures electronically to you, you must send an email message to us at lori.nguyen@ci.security and in the body of such request you must state: your previous email address, your new email address. We do not require any other information from you to change your email address. If you created a DocuSign account, you may update it with your new email address through your account preferences.

To request paper copies from Critical Informatics Inc. dba CI Security
To request delivery from us of paper copies of the notices and disclosures previously provided by us to you electronically, you must send us an email to lori.nguyen@ci.security and in the body of such request you must state your email address, full name, mailing address, and telephone number. We will bill you for any fees at that time, if any.

To withdraw your consent with Critical Informatics Inc. dba CI Security
To inform us that you no longer wish to receive future notices and disclosures in electronic format you may:
i. decline to sign a document from within your signing session, and on the subsequent page, select the check-box indicating you wish to withdraw your consent, or you may;
ii. send us an email to lori.nguyen@ci.security and in the body of such request you must state your email, full name, mailing address, and telephone number. We do not need any other information from you to withdraw consent. The consequences of your withdrawing consent for online documents will be that transactions may take a longer time to process.

Required hardware and software
The minimum system requirements for using the DocuSign system may change over time. The current system requirements are found here: https://support.docusign.com/guides/signer-guide-signing-system-requirements.

Acknowledging your access and consent to receive and sign documents electronically
To confirm to us that you can access this information electronically, which will be similar to other electronic notices and disclosures that we will provide to you, please confirm that you have read this ERSD, and (i) that you are able to print on paper or electronically save this ERSD for your future reference and access; or (ii) that you are able to email this ERSD to an email address where you will be able to print on paper or save it for your future reference and access. Further, if you consent to receiving notices and disclosures exclusively in electronic format as described herein, then select the check-box next to 'I agree to use electronic records and signatures' before clicking 'CONTINUE' within the DocuSign system.

By selecting the check-box next to 'I agree to use electronic records and signatures', you confirm that:
You can access and read this Electronic Record and Signature Disclosure; and
You can print on paper this Electronic Record and Signature Disclosure, or save or send this Electronic Record and Disclosure to a location where you can print it, for future reference and access; and
Until or unless you notify Critical Informatics Inc. dba CI Security as described above, you consent to receive exclusively through electronic means all notices, disclosures, authorizations, acknowledgements, and other documents that are required to be provided or made available to you by Critical Informatics Inc. dba CI Security during the course of your relationship with Critical Informatics Inc. dba CI Security.