06.b.01.f CA- Quadrant PSA Renewal
EXECUTIVE SUMMARY
AGENDA ITEM:
Proposed Professional Service Agreement Renewal with Quadrant Security, LLC. (Quadrant)
Date: November 13, 2024
BACKGROUND:
The Professional Service Agreement with Quadrant for Security Event and Incident Monitoring
(SIEM) is scheduled to expire on December 30, 2024, with no terms for renewal. CCUA Staff is
requesting a three (3) year Professional Service Agreement with Quadrant for the continuation of SIEM
services.
SIEM is a critical part of CCUA's security protection strategy. Quadrant provides CCUA with
24/7/365 monitoring, notification, and remediation assistance. Quadrant continually enhances their
solution and develops technologies to identify, validate and report threats. Quadrant has sensors
deployed at CCUA's primary office and wastewater treatment plants to provide real-time threat
detection, analysis and notification.
Successful replacement of the SIEM solution would require extensive planning and time by staff to
deploy sensors then monitor during and after the changeover. The time and cost associated with
changing providers is significant and would distract from priorities like critical infrastructure lifecycles in
the current fiscal year.
A three (3) year Agreement will be sufficient for the department to evaluate security vendors, plan a
deliberate changeover process that does not put CCUA at risk, and implement a changeover if
necessary.
BUDGET IMPACT:
Staff has budgeted for the annual amount of $51,000.00. The fee for this service has increased to
$51,352.70. The increase will be covered by funds in the approved subcontractors cost center.
RECOMMENDATION:
Staff respectfully recommends the Board of Supervisors' approval of the Professional Service
Agreement Renewal for three (3) years with Quadrant Security, LLC (Quadrant) to provide Security
Event and Incident Monitoring (SIEM).
ATTACHMENTS:
Professional Service Agreement
PROFESSIONAL SERVICES AGREEMENT
BETWEEN
CLAY COUNTY UTILITY AUTHORITY
AND
QUADRANT SECURITY, LLC.
This PROFESSIONAL SERVICES AGREEMENT (the "Agreement"), made and entered into
as of this day of , 2024, between CLAY COUNTY UTILITY AUTHORITY, an
independent special district established and created pursuant to Chapter 94-491, Laws of Florida, by
Special Act of 1994, 3176 Old Jennings Road, Middleburg, FL 32068 (hereinafter "CCUA"), and
QUADRANT SECURITY, LLC. (hereinafter "Consultant" or "Quadrant"), whose principal business
address is 4651 Salisbury Road, Suite 315, Jacksonville, Florida 32256. The CCUA and Consultant may
hereinafter be individually referred to as a "Party" and collectively referred to as the "Parties".
WITNESSETH
WHEREAS, CCUA desires to engage a consultant to provide managed detection and response
and enterprise security consulting services; and
WHEREAS, Consultant has experience and success in providing such services for similar
government entities; and
WHEREAS, CCUA and the Consultant desire by mutual agreement, to enter into this
Agreement as set forth herein.
NOW THEREFORE, for good and valuable consideration, the receipt and sufficiency of which
is hereby acknowledged, the Parties do hereby agree as follows:
1. RECITALS
The Parties agree that all the foregoing recitals are true and correct and are hereby incorporated
by reference herein.
2. SERVICES BY THE CONSULTANT
Consultant shall be responsible for providing on-going managed detection and response and
enterprise security consulting services to CCUA.
A. Quadrant Security, LLC. will deploy, monitor, and manage Quadrant's SIEM solution
(Sagan) and provide 24/7/365 alerting on all log traffic deemed malicious by the Quadrant
Security Operations team. This deployment will provide Client IT staff with around-the-
clock monitoring of the internal environment and external points-of-presence, allowing
internal team members to concentrate their efforts on other IT-related priorities. The Client
is seeking an Information Security Firm that can provide 24/7/365 eyes-on-target, report on
unusual network activity and compromise attempts, as well as provide assessment services.
B. The scope of work is further defined in Exhibit 'A', and which is hereby made part of this
Agreement.
3. COMPENSATION
A. Compensation will be as outlined in Exhibit 'A'. Any additional expenses incurred will
require pre-approval from the designated CCUA staff member.
B. CCUA shall make payments to the Consultant based upon the approved invoices and
supporting documentation and deliverables within thirty (30) days of the receipt by CCUA
of a complete invoice. All invoices shall be sent to the attention of the Accounts Payable
Office at accountspayable@clayutility.org, and shall include back-up documentation as
required by CCUA. Invoice payment requirements do not start until a properly completed
invoice is provided to CCUA. If an invoice is not approved, in whole or in part, CCUA will
inform the Consultant of the issue and Consultant will not be paid until the issue has been
resolved to the satisfaction of CCUA.
4. LIMITATION OF LIABILITY
A. Limitation of Liability. In no event will either party or its affiliates or suppliers, or
any of their respective officers, directors, employees, or agents, be liable to the other party or its
affiliates, whether in contract or in tort or under any other legal theory (including, without
limitation, strict liability and negligence), for lost profits or revenues, loss of use or loss or
corruption of data, for equipment or systems outages or downtime, or for any indirect, special,
exemplary, punitive, multiple, incidental, consequential or similar damages, arising out of or in
connection with this Agreement or any Statement of Work (SOW or Exhibit) or otherwise, even
if advised of the possibility of such damages. In no event will Quadrant's, their supplier's, or
their respective members', managers', officers', directors', employees' or agents' aggregate
liability for all claims arising out of or in connection with the Services, Deliverables, this
Agreement, the SOWs, the Exhibits, or otherwise exceed the amount of fees actually paid by
Client to Quadrant under the applicable SOW or Exhibit describing services in an active term.
No action regarding the Services or Deliverables, other than with respect to payments hereunder,
may be brought more than one (1) year after the first to occur of either (a) the conclusion of
Services and delivery of any Deliverables under the applicable SOW or Exhibit, or (b) the
claimant party's knowledge of the event giving rise to such cause of action.
B. Exclusive Remedy. The parties' sole and exclusive remedy for any breach of this
Agreement, any misrepresentation or any other claim or cause of action arising out of or relating
to this Agreement shall be limited to claims for monetary damages, arising from the breach of
the terms set forth herein and that no party shall have a separate cause of action under tort, statute,
theory of "rescission" or otherwise; provided, however, that the foregoing limitation shall not
apply to a party's right to request equitable relief for a breach of a party's obligations with respect
to Confidentiality provisions of this Agreement.
5. TERM OF AGREEMENT AND TERMINATION
A. This Agreement shall be effective on the date first written above and shall be effective until
December 31, 2027.
B. If either party believes that the other party has failed in any material respect to perform its
obligations under this Agreement ("Cause"), then that party may provide written notice to
the other party within sixty (60) days of the Cause describing the alleged failure in reasonable
detail. If the alleged failure relates to a failure to pay any sum due and owing under this
Agreement, the breaching party shall have fifteen (15) business days after notice of such
failure to cure the breach. If the breaching party fails to cure within fifteen (15) business
days, then the non-breaching party may immediately terminate this Agreement, in whole or
part, for cause by providing written notice to the breaching party. With respect to all other
defaults, if the breaching party does not, within thirty (30) calendar days after receiving such
written notice cure the material failure, or if the breach is not one that can reasonably be
cured within thirty (30) calendar days, then the non-breaching party may terminate this
Agreement, in whole or in part, for cause by providing written notice to the breaching party.
C. Either party shall have the immediate right to terminate this Agreement, by providing written
notice to the other party, in the event that (i) the other party becomes insolvent, enters into
receivership, is the subject of a voluntary or involuntary bankruptcy proceeding, or makes an
assignment for the benefit of creditors; or (ii) a substantial part of the other party's property
becomes subject to any levy, seizure, assignment, or sale for or by any creditor or government
agency.
D. These termination provisions shall be made a part of all subcontracts under this Agreement.
E. After the effective date of the Notice of Termination, CCUA will only pay for work/services
already performed and goods already delivered and accepted in accordance with the terms of
the Agreement. At the discretion of CCUA, CCUA may make an equitable adjustment to the
compensation due to the Consultant, but under no circumstances shall the Consultant be
entitled to payment for any anticipatory profit, for work/services not yet performed, or for
goods not accepted by CCUA.
6. STATUS AND ACTIVITIES OF CONSULTANT
Consultant (and all of its employees and subconsultants) is associated with CCUA as an
independent contractor and not as an employee.
A. It is understood that Consultant is an independent contractor and is not an employee, agent,
partner, or representative of CCUA. As such, Consultant is responsible, where necessary, to
obtain, at Consultant's sole cost, workers' compensation insurance, disability benefits
insurance, and any other insurances that may be required by law. CCUA will not provide,
nor will it be responsible to pay for, benefits for Consultant. Any such benefits, if provided
for Consultant, including, but not limited to health insurance, paid vacation, paid holidays,
sick leave, or disability coverage of whatever nature, must be obtained and paid for by
Consultant or by other means but in no event will they be obtained and paid for by CCUA.
B. Consultant, and not CCUA, will be responsible for the manner and scope in which Consultant
performs the Scope of Work, but agrees that all manner and methods employed by it will be
subject to approval by CCUA. Notwithstanding that, Consultant agrees that it will at all
times conduct itself in an ethical and honest manner and in full compliance with all applicable
laws and regulations.
C. Consultant may use materials prepared by CCUA for purposes of carrying out its obligations
under this Agreement. Consultant may use such materials only upon the terms and conditions
stated by CCUA from time to time. Consultant may not modify or amend any materials that
it is authorized to use without the prior written consent of CCUA. Except as expressly
authorized in this Agreement, Consultant shall not have any right to use any name, trademark,
copyright, or other designation of CCUA in advertising, publicity or marketing materials. In
the event that Consultant desires to produce its own materials referring to CCUA's business,
using CCUA's intellectual property, and suggesting any relationship, whatsoever, between it
and CCUA, except as otherwise authorized in this Agreement ("Consultant Produced
Materials"), Consultant shall submit the Consultant Produced Materials to and obtain
advance written approval from an authorized representative of CCUA prior to printing and
the dissemination of any such Consultant Produced Materials to any third party. CCUA shall
have sole discretion to approve or disapprove of all Consultant Produced Materials. All
materials furnished to Consultant by CCUA are the property of CCUA and shall be used only
in the manner intended and for the furtherance of CCUA's business. Any materials,
including Consultant Produced Materials, in Consultant's possession or control at the
termination of this Agreement shall be promptly returned to CCUA.
D. Consultant shall not be subject to the provisions of any handbook or the rules and regulations
applicable to employees of CCUA, since it shall fulfill its responsibilities independent of
and without supervisory control by CCUA.
E. Consultant agrees to pay all employment taxes and other applicable taxes, including sales
taxes and income taxes.
F. Consultant agrees that it is not a joint employer with CCUA and further agrees that neither
Party possesses control over the essential terms and conditions of employment of the other
Party's employees.
7. CONFIDENTIALITY
A. For purposes of this Agreement, "Confidential Information" shall include all information or
material that has or could have commercial value or other utility in the business or industry
in which Disclosing Party is engaged. Additionally, "Confidential Information" shall also
include any and all personal, protected or otherwise sensitive information which the
Receiving Party might be exposed to during the day-to-day operations of the Disclosing
Party.
B. Receiving Party's obligations under this Agreement do not extend to information that is: (a)
publicly known at the time of disclosure or subsequently becomes publicly known through
no fault of the Receiving Party; (b) discovered or created by the Receiving Party before
disclosure by Disclosing Party; (c) learned by the Receiving Party through legitimate means
other than from the Disclosing Party or Disclosing Party's representatives; or (d) is disclosed
by Receiving Party with Disclosing Party's prior written approval.
C. Receiving Party shall hold and maintain the Confidential Information in strictest confidence
for the sole and exclusive benefit of the Disclosing Party. Receiving Party shall carefully
restrict access to Confidential Information to employees, contractors and third parties as is
reasonably required and shall require those persons to sign nondisclosure restrictions at least
as protective as those in this Agreement. Receiving Party shall not, without prior written
approval of Disclosing Party, use for Receiving Party's own benefit, publish, copy, or
otherwise disclose to others, or permit the use by others for their benefit or to the detriment
of Disclosing Party, any Confidential Information. Receiving Party shall return to Disclosing
Party any and all records, notes, and other written, printed, or tangible materials in its
possession pertaining to Confidential Information immediately, if Disclosing Party requests
it in writing.
D. The nondisclosure provisions of this Agreement shall survive the termination of this
Agreement by a period of five (5) years.
E. Nothing contained in this Agreement shall be deemed to constitute either Party a partner,
joint venture or employee of the other Party for any purpose.
F. If a court finds any provision of this Agreement invalid or unenforceable, the remainder of
this Agreement shall be interpreted so as best to effect the intent of the parties.
G. This Agreement expresses the complete understanding of the Parties with respect to the
subject matter and supersedes all prior proposals, agreements, representations and
understandings. This Agreement may not be amended except in a writing signed by both
Parties.
H. The failure to exercise any right provided in this Agreement shall not be a waiver of prior or
subsequent rights.
8. PUBLIC RECORDS AND RELATED INQUIRIES
A. Notwithstanding anything contained in this Agreement to the contrary, the Consultant
acknowledges that CCUA is subject to the Florida Public Records Law, and that in
compliance therewith, at the sole discretion of CCUA, CCUA may disseminate or make
available to any person, without the consent of the Consultant, information regarding this
Agreement, including but not limited to information in the: responses; requirements;
specifications; drawings; sketches; schematics; models; samples; tools; computer or other
apparatus programs; or technical information or data, whether electronic, written, or oral,
furnished by the Consultant to CCUA under this Agreement, and that copies of work products
and related materials prepared or received by the Consultant under this Agreement are public
records.
B. Notwithstanding anything contained in this Agreement to the contrary, the
Consultant shall allow public access to all documents, papers, letters, or
other material subject to the provisions of Chapter 119, Florida Statutes,
made or received by the Consultant in conjunction with this Agreement.
Specifically, if the Consultant is acting on behalf of CCUA, the Consultant
shall:
1. Keep and maintain public records that ordinarily and necessarily
would be required by CCUA in order to perform the services being
performed by the Consultant;
2. Provide the public with access to public records on the same terms and
conditions that CCUA would provide the records and at a cost that
does not exceed the cost provided in chapter 119 Florida Statutes, or
as otherwise provided by law;
3. Ensure that public records that are exempt or confidential and exempt
from public records disclosure requirements are not disclosed except
as authorized by law; and
4. Meet all requirements for retaining public records; transfer, at no cost
to CCUA, all public records in possession of the Consultant upon
termination of this Agreement; and destroy any duplicate public
records that are exempt or confidential and exempt from public
records disclosure requirements. All records stored electronically
must be provided to CCUA in a format that is compatible with the
information technology systems of CCUA.
C. The Consultant shall immediately provide CCUA with a copy of any Request to Inspect or
Copy Public Records in possession of the Consultant and the Consultant shall also promptly
provide CCUA with a copy of the proposed response to each such request. No release of any
such records by the Consultant shall be made without approval of CCUA. The Consultant's
failure to grant approved public access will be grounds for immediate termination of this
Agreement by CCUA.
D. All media and other inquiries concerning the Agreement and/or the Consultant's Scope of
Work shall be directed to CCUA's Executive Officer. The Consultant shall not make any
statements, press releases, or publicity releases concerning this Agreement or its subject
matter or otherwise disclose or permit to be disclosed any of the data or other information
obtained or furnished in compliance with this Agreement, or any particulars thereof, without
CCUA's written consent. However, the Consultant may communicate directly with public
agencies when required to do so as part of the Scope to be performed hereunder.
9. CONFLICT OF INTEREST
A. The Consultant shall not promise any employee of CCUA, whose duties include matters
relating to or affecting the subject matter of this Agreement, compensation of any kind or
nature from the Consultant, while such employee is employed by CCUA, or for one (1) year
thereafter.
B. The Consultant affirms that it will not take part in any activities that will be a conflict of
interest with CCUA or that would appear to compromise the integrity of CCUA. The
Consultant shall provide written notice to CCUA immediately upon occurrence or first
identification of any potential conflict-of-interest situation.
C. Upon request by CCUA, the Consultant shall execute any Conflict-of-Interest Certification
that may be required.
10. INDEMNIFICATION
To the fullest extent permitted by law, the Consultant shall indemnify, defend, and hold harmless
CCUA and its Board of Supervisors, officers, and employees, from liabilities, damages, losses,
and costs, including but not limited to reasonable attorneys' fees, to the extent caused by the
negligence, recklessness, or intentionally wrongful conduct of the Consultant and other persons
or entities employed or utilized by the Consultant in the performance of this Agreement. The
provisions of this Paragraph shall survive the termination of this Agreement. The indemnification
obligation hereunder shall not be limited in any way by amount or type of damages,
compensation or benefits payable under workers' compensation acts, disability benefits acts, or
other employee benefit acts.
11. PUBLIC ENTITY CRIMES
CCUA reserves the right to terminate this Agreement effective immediately upon written notice
in the event that the Consultant or any of its affiliate(s) are placed on the State of Florida
convicted vendor list pursuant to Section 287.133, Florida Statutes. For purposes hereof,
"affiliate" shall have the meaning set forth in Section 287.133(1)(a), Florida Statutes. The
Consultant shall advise CCUA promptly after conviction of any "public entity crime" as defined
in Section 287.133(1)(g), Florida Statutes, applicable to the Consultant or any of its affiliate(s).
12. EQUAL EMPLOYMENT OPPORTUNITY AND NONDISCRIMINATION
A. The Consultant on its own behalf, and on behalf of any subconsultants, agrees that it, and
they, will comply with all federal, state and local laws and ordinances as well as any and all
rules, regulations and executive orders promulgated to ensure that it will not unlawfully
discriminate against anyone based on race, color, religion, national origin, sex (including
gender identity, sexual orientation, and pregnancy), age, genetic information, disability,
veteran status, or other protected class in the performance of work or any other activity under
this Agreement. This provision binds the Consultant and any subconsultants from the
effective date of the Agreement through the completion of the Agreement. Consultant agrees
to include the language in this paragraph in any Agreement between it and its subconsultants
and to provide evidence to CCUA that such language has, in fact, been included in the
Agreement.
B. The Consultant shall permit access to its books, records, accounts, other sources of
information, and its facilities, as may be determined by CCUA to be pertinent to ascertain
compliance with this Section.
13. DISPUTES, DEFAULTS AND REMEDIES
A. Disputes arising in the performance of this Agreement shall be decided in writing by CCUA's
Executive Director, and the decision rendered shall be final and conclusive for CCUA.
B. The Consultant and CCUA agree that any suit, action, or other legal proceeding arising out
of or relating to this Agreement shall be brought in the Circuit Court of Clay County, and
each Party hereby consents to the jurisdiction of each such court over any such suit, action,
or proceeding, and waives any objection which it or they may have to the laying of venue of
any such suit, action, or proceeding, and any of such courts. This provision is a material
inducement for CCUA and the Consultant entering into the transactions contemplated
hereby.
C. Each Party shall bear their own attorney's fees in connection with the performance,
interpretation, and enforcement of this Agreement.
14. INSURANCE
Insurance will be as outlined in Exhibit 'B'.
15. MISCELLANEOUS
A. The Consultant is not authorized to act as CCUA's agent and shall have no authority,
expressed or implied, to act for or bind CCUA, unless otherwise expressly set forth for a
particular purpose in a separate writing by CCUA.
B. This Agreement and the rights of all Parties hereunder shall be construed and enforced in
accordance with the laws of the State of Florida.
C. No recourse under or upon any obligation, covenant, or agreement contained in this
Agreement or any other agreements or documents pertaining to the work, as such may from
time to time be altered or amended in accordance with the provisions hereof, or under any
judgment obtained against CCUA or by the enforcement of any assessment or by any legal
or equitable proceeding by virtue of any statute or otherwise, whether under or independent
of this Agreement, shall be had against any Board Member, officer, employee or agent, as
such, past, present or future, of CCUA either directly or indirectly, for any claim arising out
of this Agreement, or for any sum that may be due and unpaid by CCUA. Any and all
personal liability of every nature, whether at common law, in equity, by statute, by
constitution or otherwise, of any CCUA member, officer, employee, or agent as such, to
respond by reason of any act or omission on his or her part or otherwise for any claim arising
out of this Agreement, or for the payment for or to CCUA, or any receiver therefor or
otherwise, of any sum that may remain due and unpaid by CCUA, is hereby expressly waived
and released as a condition of and as consideration for the execution of this Agreement.
D. Consultant will not use the name of CCUA or quote the opinion of any employees of CCUA
or refer to CCUA directly or indirectly in any promotional literature or correspondence, news
release, advertisement, or release to any professional or trade publications without receiving
specific written approval for such use or release from CCUA. However, this Paragraph will
in no way limit the Consultant's ability to satisfy any governmental required disclosure of its
relationship with CCUA.
E. This Agreement is binding upon the Parties hereto and their respective successors and
assigns. The Consultant shall not assign, sell, or transfer its interest in this Agreement
without CCUA's express written consent. Any such assignment by the Consultant must
contain a provision allowing CCUA to assert against any assignee, any and all defenses,
setoffs, or counterclaims which CCUA would be entitled to assert against the Consultant.
F. This Agreement may be modified or amended only by a writing signed by each of the Parties
hereto. Neither electronic mail nor instant messaging shall be considered a "writing" for
purposes of amending, supplementing, or modifying this Agreement. No additional services
shall be performed until such additional services are provided for in an Amendment executed
by both Parties.
G. The Consultant shall perform (and cause all subconsultants to perform) the Scope of Work
in a manner that is consistent with the level of reasonable care, skill, judgment, and ability
provided by others providing a similar scope of work in the same geographic area. The
standard of care shall not be altered by the application, interpretation, or construction of any
other provision of this Agreement, or any document incorporated or referenced herein,
including the Solicitation. Unless otherwise expressly allowed by the specifications, all items
furnished by the Consultant in connection with the work performed hereunder must be
completely new and free from defects.
H. All of the personnel assigned by the Consultant and all subconsultants shall be qualified and
authorized under state and local laws to perform the services described in the Scope of Work,
whether by appropriate license, registration, certification, or other authorization.
I. When the Agreement requires services, all correspondence, documents, drafts, data
compilations and tabulations, research, analysis, plans, reports, and work product of any kind,
in any medium, submitted to or prepared by or for the Consultant in connection with this
Agreement, are the sole property of CCUA and shall be scanned into electronic format and
provided to CCUA in an indexed, logical, searchable format on computer Compact Disks
(CDs) or other format acceptable to CCUA. Such correspondence must be provided to
CCUA within thirty (30) days of the close-out of the Agreement and must be received before
CCUA will release final payment to the Consultant. The original documents shall be
maintained by the Consultant for a period of five (5) years after the completion of final
payment by CCUA. Thereafter, or upon termination of this Agreement for any reason, such
records shall immediately be delivered to CCUA.
J. This Agreement, when executed by the Parties, shall be effective as of the date stated above.
This Agreement fully and completely expresses the agreement of the Parties with respect to
the matters contained herein and shall not be modified or further amended except by written
agreement executed by each of the Parties hereto. The Consultant understands and agrees
that no representations of any kind whatsoever have been made to it other than as appear in
this Agreement, that it has not relied on any such representations and that no claim that it has
so relied on may be made at any time and for any purpose.
K. This Agreement may be executed in any number of counterparts, each of which shall be
deemed original; however, all of which when taken together shall constitute one and the same
instrument.
L. This Agreement and all Ancillary Documents may be executed and delivered by email or
other electronic signature method in accordance with Chapter 668, Florida Statutes, and will
have the same force and effect as a written signature.
(Signatures on following page)
IN WITNESS WHEREOF, the Parties have executed this Professional Services Agreement, effective
as of the date indicated above.
QUADRANT SECURITY, LLC.:
By:
Printed Name: Erik Breuhaus
Title: COO
CLAY COUNTY UTILITY AUTHORITY:
By:
Printed Name: Jeremy Johnston
Title: Executive Director
APPROVED AS TO FORM:
By:
Angelia Wilson, Procurement Manager
Execute in Triplicate Distribution (electronic):
1. Quadrant Security, LLC.
2. CCUA Contract Repository
3. CCUA Project Manager—User Department
EXHIBIT 'A'
| Products & Services | Quantity | Unit Price | Price |
| --- | --- | --- | --- |
| Advanced Managed Extended Detection & Response (MXDR) - 3yr Annual Payments, 24/7 Advanced Managed Extended Detection and Response. Up to 500 Endpoints = Servers. SAGAN Cloud Log Ingestion Engine, SAGAN Network Packet Ingestion Engine 53 Weeks Data Retention, O365 or GW Suite Ingestion, EDR or A/V Ingestion, Approved Identity application integration, End Point Quarantine Threat Intelligence, Domain Monitoring, Malware Detonation, Threat Hunting, External Attack Surface Management, Dark Web Monitoring | 500 | $100.39/year | $35,136.50/year after 30% discount for 3 years |
| MXDR - External Firewall - 3yr - Annual Payments. Log and alert monitoring of primary office and data center multifunction firewalls. Multifunction firewalls include IDS, IPS, Web Filtering, and Email Gateway capabilities. Firewalls must support Secure Syslog or API integration. | 2 | $2,316.60/year | $3,243.24/year after 30% discount for 3 years |
| NDR - <1G - 3yr - Annual Payments. Network Detection and Response (NDR) delivering packet inspection. <=1 G Network Throughput | 3 | $6,177.60/year | $12,972.96/year after 30% discount for 3 years |
Term: 1/1/25 to 12/31/27
The Client Communication Process
Quadrant's SOC analysts assess each IDS/Sagan alert to determine the nature and significance of
the attack. When the security alerts occur based on data observed within client environments, the
system automatically notifies the SOC, 24 hours a day 7 days a week, 365 days a year. In the
event of a high-risk alert where analysts determine that the Client could be compromised, the
analysts either block the source address of the offending traffic (requires IDS and additional
configuration), quarantine the device via available EDR tools (e.g. SentinelOne, Defender,
Crowdstrike), or notify the Client's management personnel.
All entries are prioritized into one of three categories, as outlined below:
High (Priority 1): The Security Event could cause significant impact to business operations if
executed.
Medium (Priority 2): The Security Event could severely restrict the use of an application, system
or piece of equipment affecting significant business functions.
Low (Priority 3): The Security Event could impact a single user or Client users where the
restriction is not critical to the overall operation of the Client.
Each event category is associated with a timeframe which represents the length of time in
which the Client must be notified after the Security Event has taken place.
High (Priority 1): Within 15 minutes
Medium (Priority 2): Within 30 minutes
Low (Priority 3): Within 60 minutes
During initial IDS/Sagan deployment projects, Quadrant will work with the Client to
determine how and when event categories are reported. While Quadrant does apply general
priority to alerts, the context (derived from analyst investigation) is what truly determines
criticality. As such, Quadrant applies an additional level of criticality post alert disposition,
labeled as either "Non-Critical" or "Critical". In the case of a "Critical" event, and unless
otherwise defined by the Client, Quadrant will attempt to contact the client via all contacts
available in the "Contact Tree".
Client may choose to be notified via email and/or phone. A Contact Tree will be completed
during deployment and regularly updated throughout the life of this Agreement.
The Implementation and Action Items
Once the decision has been made to implement the Sagan solution, whether as a Proof-of-Concept
(POC) or full implementation, there are several considerations and subsequent actions that will be
required to commence with the security event analyzer and network detection services. Primary
considerations will be the number and placement of sensors for both network packet analysis (IDS)
and log analysis.
To ensure a smooth implementation and minimize the use of Client resources, Quadrant provides a
Client Liaison/Project Manager to coordinate the efforts of the Client's and Quadrant's teams. Much
of the hardware setup and installation is completed by Quadrant, although some actions, such as
directing log traffic to Sagan, need to be completed by the Client. Quadrant will assist with these
efforts throughout the implementation process.
The Service Level Agreements
The Service Level Agreements (SLAs) listed in this section apply to the services provided within
this SOW, subject to the terms, conditions, and limitations contained in this SOW and the Master
Services Agreement (MSA), if applicable.
• The SLAs shall not apply during Scheduled Downtime or Emergency Downtime and
therefore are not eligible for any Agreement credit. Quadrant shall provide Client at least
forty-eight (48) hours prior notice of each period of Scheduled Downtime. "Scheduled
Downtime" means periods when the services are rendered inoperable or unavailable by
Quadrant to permit Quadrant to perform maintenance for the services. Scheduled Downtime
shall occur no more frequently than once per calendar month and only between the hours of
12:00 a.m. and 6:00 a.m. Eastern Time on a Saturday or Sunday. "Emergency Downtime"
means periods when the services are rendered inoperable or unavailable by Quadrant to
permit Quadrant to perform emergency maintenance required solely to maintain the
operation of the services or to address critical security vulnerabilities of the services, which
maintenance Quadrant cannot timely perform during Scheduled Downtime. Quadrant shall
provide Client as much advance notice of Emergency Maintenance as reasonably possible,
and shall endeavor to limit the duration and number of periods of Emergency Maintenance to
the minimum necessary.
• The SLAs shall not apply in the event of any Client-caused service outage that prohibits or
otherwise limits Quadrant from providing the service, including but not limited to,
misconduct, negligence, inaccurate or incomplete information, modifications made to the
services other than by Quadrant, or modifications made to any managed hardware or
software devices by the Client. This includes issues caused by Client's employees, agents, or
third parties.
• The SLAs shall not apply to the extent Client does not fulfill and comply with its obligations
and interdependencies.
Third-Party Service Providers
The SLAs outlined in this SOW do not apply in the event of any service outages, interruptions,
or degradations caused by third-party service providers, including but not limited to Internet
Service Providers (ISPs), cloud service providers (e.g., AWS, Azure), or any other external
networks or services not directly managed by Quadrant. Quadrant shall not be held responsible
for service interruptions due to failures in such third-party systems. Quadrant will, however,
make reasonable efforts to work with these providers to restore services as promptly as possible.
SOC / Service Availability
Availability to the service shall equal no less than 99.4% of the time (unless otherwise affected
by the exceptions outlined within "The Service Level Agreements" portion of this document)
during a given calendar month. In the event that this SLA is not met for a given calendar month,
Client shall be entitled to a monetary credit equal to one-thirtieth (1/30th) of the monthly
contract value for each sixty (60) minutes that communication availability was below the 99.4%
threshold.
Client Requests for Assistance
Standard requests submitted via email or via telephone will be subject to "initial response"
(either through the SOC help desk ticketing system, email, telephonically or otherwise).
Log Retention
The Client's raw log data as forwarded to Quadrant's sensor(s) will be stored and retained for a
period of 53 weeks on the sensor residing within the Client's network. Client can request, in
writing, that this period be extended. After the 53-week retention, raw log data is automatically
rotated out.
Client Acceptance of Security Measures
Client acknowledges and agrees that, as part of Quadrant's services, Quadrant may take actions to
secure the Client's network and IT infrastructure in response to identified security threats or
malicious activity. These actions may include, but are not limited to, locking user accounts,
quarantining devices, blocking IP addresses, and limiting network access, provided the Client has
provisioned the necessary access to the Quadrant to perform such actions.
Client further acknowledges and accepts that such actions may temporarily disrupt or impact
Client's normal business operations, including but not limited to the loss of access to accounts,
systems, or devices, delays in business processes, or other service interruptions. Quadrant agrees to
undertake these actions in good faith and with the reasonable care expected of a professional
cybersecurity service provider.
Client agrees that Quadrant shall not be liable for any disruptions, interruptions, or damages to
Client's business operations, including loss of data, productivity, or revenue, that may result from
the execution of reasonable security measures. Client accepts full responsibility for any risks
associated with these necessary actions and acknowledges that such actions are taken in the interest
of safeguarding the security of Client's systems and data.
Limitation of Liability
Quadrant's liability related to any interruption or business impact caused by the implementation of
security measures shall be governed by the limitations set forth in the Master Services Agreement
(MSA) (or equivalent Agreement) and this SOW/Exhibit. In no event shall Quadrant be liable for
any indirect, consequential, or incidental damages resulting from its good faith execution of security
measures as described herein.
Client Responsibilities
Client agrees to provide all necessary access, credentials, and permissions required for Quadrant to
implement security measures as outlined in this SOW. Failure to provide such access may impede
Quadrant's ability to respond to security incidents, for which Quadrant shall not be held liable.
Term and Renewal
Initial Term
The SOW shall become effective upon mutual execution and acceptance of the Master Service
Agreement "MSA" and the applicable SOWs. The SOW shall remain in effect through the last day
of the Initial Term or terminated as defined in the MSA.
Renewal
At the end of the Initial Term and any renewal thereof, if any, services shall continue on a month-to-
month basis (i.e. for automatically renewing, successive, one-month terms) at the list price for such
Services ("Month-to-Month Service"), unless Quadrant and the Client expressly agree in writing in
advance of the end of the then current Term to an alternative renewal of the SOW.
Terms and Conditions
• Quadrant shall be under no liability to the Client for any direct/indirect loss and/or
expense (including loss of profit) suffered by the Client as a result of any Sagan appliance
being tampered with or manipulated by Client staff.
• Quadrant shall be under no liability to the Client for any direct/indirect loss and/or
expense (including loss of profit) suffered by the Client arising out of a breach of this SOW
by any 3rd party or unauthorized external user of the services.
• Quadrant is not responsible for any system performance issues or network availability issues
that are a result of Client-initiated changes to network resources or network design/layout.
Client is responsible for notifying Quadrant forty-eight (48) hours prior to any network/
infrastructure changes that could affect connectivity to the Sagan sensor/platform.
• Client is responsible for providing all cabling/connection material needed for the Client's
side of each sensor. If the Client has a fiber connection, Quadrant will provide the
transceiver needed for Quadrant's side of the connection, but the Client is responsible for
obtaining the transceiver for the Client side. If the Client has Copper, the Client is
responsible for providing the cabling needed Client-side for the Quadrant sensor.
• Quadrant is responsible for the replacement of all Sagan appliances (and associated costs)
that fall within the scope of this SOW, unless the hardware is procured by the Client.
Quadrant is responsible for preconfiguring and shipping the hardware to the Client but, may
at times require Client input regarding configuration settings. In some cases, Client may be
responsible for international shipping expenses, which will be negotiated prior to hardware
re-deployment. In the event that travel is required in association with installing replacement
hardware, Quadrant will assume all costs related to the travel, unless otherwise agreed upon
by Quadrant or the Client.
• In the event the Client chooses to redeploy existing hardware from one physical location to
another, the Client will be responsible for any costs incurred as part of the redeployment.
These costs could include any shipping costs, hardware procurement costs, etc.
• Bespoke signature development requiring more than five (5) hours of development effort is
subject to professional services billing at a rate of $300 per hour.
• Upon the ending or the termination of an SOW, the Client is responsible for returning to
Quadrant all hardware obtained from Quadrant in relation to the services. All hardware is
deemed to be owned by Quadrant, unless otherwise agreed upon in writing. The Client
maintains the right to keep possession of any storage devices containing the Client's data
(upon Quadrant agreement), but all other equipment must be returned at the Client's expense.
In the event of contract termination, Quadrant will provide reasonable effort to assist Client
with the transfer of all logs to the Client's storage of choice.
EXHIBIT 'B' - GENERAL INFORMATION AND INSURANCE REQUIREMENTS
1. COMMERCIAL GENERAL LIABILITY INSURANCE
The Consultant shall purchase and maintain at the Consultant's expense Commercial General
Liability insurance coverage (ISO or comparable Occurrence Form) for the life of this Agreement.
Modified Occurrence or Claims Made forms are not acceptable.
The Limits of this insurance shall not be less than the following limits:
Each Occurrence Limit $1,000,000
Personal & Advertising Injury Limit $1,000,000
Fire Damage Limit (any one fire) $ 300,000
Medical Expense Limit (any one person) $ 10,000
Products & Completed Operations Aggregate Limit $2,000,000
General Aggregate Limit (other than Products &
Completed Operations) Applies Per Project $2,000,000
General liability coverage shall continue to apply to "bodily injury" and to "property damage"
occurring after all work on CCUA's site of the covered operations to be performed by or on behalf
of the additional insureds has been completed and shall continue after that portion of "your work"
out of which the injury or damage arises has been put to its intended use.
2. WORKERS' COMPENSATION AND EMPLOYER'S LIABILITY INSURANCE
The Consultant shall purchase and maintain at the Consultant's expense Workers' Compensation
and Employer's Liability insurance coverage for the life of this Agreement.
The Limits of this insurance shall not be less than the following limits:
Part One—Workers' Compensation Insurance—Unlimited
Statutory Benefits as provided in the Florida Statutes and
Part Two—Employer's Liability Insurance
Bodily Injury By Accident $500,000 Each Accident
Bodily Injury By Disease $500,000 Policy Limit
Bodily Injury By Disease $500,000 Each Employee
*If leased employees are used, policy must include an Alternate Employer's Endorsement
3. EXCESS LIABILITY INSURANCE
The Consultant shall purchase and maintain at the Consultant's expense Excess Liability
(Umbrella Form) insurance coverage for the life of this Agreement.
The Limits of this insurance shall not be less than the following limits:
Each Occurrence Limit $2,000,000
Aggregate Limit $2,000,000
4. PROFESSIONAL LIABILITY (ERRORS & OMISSIONS)
This additional coverage will be required for all projects involving consultants, engineering
services, architectural or design/build projects, independent testing firms and similar exposures.
The Consultant shall purchase and maintain at the Consultant's expense Professional Liability
insurance coverage for the life of this Agreement.
If the Agreement includes a requirement for Professional Liability or Errors and Omissions
insurance, the minimum amount of such insurance shall be as follows:
Each Occurrence/Annual Aggregate $2,000,000
Project Specific
Design Professional Liability coverage will be provided on an Occurrence Form or a Claims
Made Form with a retroactive date to at least the first date of this Agreement. If provided on a
Claims Made Form, the coverages must respond to all claims reported within three years
following the period for which coverage is required and which would have been covered had the
coverage been on an occurrence basis.
5. CYBER AND DATA SECURITY LIABILITY
This additional coverage will be required for all projects involving information technology
services, software providers, programmers and similar exposures.
The Consultant shall purchase and maintain at the Consultant's expense Cyber and Data Security
Liability insurance coverage for the life of this Agreement.
If the Agreement includes a requirement for Cyber and Data Security Liability insurance, the
minimum amount of such insurance shall be as follows:
Technology Errors and Omissions Liability coverage $2,000,000
Media $2,000,000
Network and Data (Information) Security $2,000,000
Policy coverage must include Third Party Liability coverage.
Consultant shall require each of his Consultants to likewise purchase and maintain at their expense
Commercial General Liability insurance, Workers' Compensation and Employer's Liability
coverage, Automobile Liability insurance and Excess Liability insurance coverage meeting the
same limit and requirements as the Consultant's insurance.
Certificates of Insurance acceptable to CCUA for the Consultant's insurance must be received
within five (5) days of Notification of Selection and at time of signing this Agreement.
Certificates of Insurance and the insurance policies required for this Agreement shall contain an
endorsement that coverage afforded under the policies will not be cancelled or allowed to expire
until at least thirty (30) days prior written notice has been given to CCUA.
Certificates of Insurance and the insurance policies required for this Agreement will include a
provision that policies, except Workers' Compensation, are primary and noncontributory to any
insurance maintained by the Consultant.
CCUA must be named as an Additional Insured and endorsed onto the Commercial General
Liability (CGL), Auto Liability and Excess Liability policy(ies). A copy of the endorsement(s)
must be supplied to CCUA ten (10) days following the execution of this Agreement or prior to the
first date of services, whichever comes first.
CGL policy Additional Insured Endorsement must include Ongoing and Completed
Operations (Form CG2010 11 84 OR Form CG2010 04 13 and GC2037 04 13 edition or
equivalent). Other Additional Insured forms might be acceptable but only if modified to
delete the word "ongoing" and insert the sentence "Operations include ongoing and
completed operations".
CGL policy shall not be endorsed with Exclusion - Damage to Work performed by
Subconsultants on Your Behalf (CG2294 or CG2295)
CGL policy shall not be endorsed with Contractual Liability Limitation Endorsement
(CG2139) or Amendment of Insured Contract Definition (CG 2426)
CGL policy shall not be endorsed with Exclusion - Damage to Premises Rented to you (CG 2145)
CGL policy shall include broad form contractual liability coverage for the Consultant
covenants to and indemnification of CCUA under this Agreement
Certificates of Insurance and the insurance policies required for this Agreement shall contain a
provision under General Liability, Auto Liability and Workers' Compensation to include a Waiver
of Subrogation clause in favor of CCUA.
All Certificates of Insurance shall be dated and shall show the name of the insured Consultant, the
specific job by name and job number, the name of the insurer, the policy number assigned its
effective date and its termination date and a list of any exclusionary endorsements.
All Insurers must be authorized to transact insurance business in the State of Florida as provided
by Florida Statute 624.09(1) and the most recent Rating Classification/Financial Category of the
insurer as published in the latest edition of "Best's Key Rating Guide" (Property-Casualty) must
be at least A- or above.
All of the above referenced Insurance coverage is required to remain in force for the duration of
this Agreement and for the duration of the warranty period. Accordingly, at the time of submission
of final application for payment, Consultant shall submit an additional Certificate of Insurance
evidencing continuation of such coverage.
If the Consultant fails to procure, maintain or pay for the required insurance, CCUA shall have the
right (but not the obligation) to secure same in the name of and for the account of Consultant, in
which event, Consultant shall pay the cost thereof and shall furnish upon demand, all information
that may be required to procure such insurance. CCUA shall have the right to back-charge
Consultant for the cost of procuring such insurance. The failure of CCUA to demand certificates
of insurance and endorsements evidencing the required insurance or to identify any deficiency in
Consultant's coverage based on the evidence of insurance provided by the Consultant shall not be
construed as a waiver by CCUA of Consultant's obligation to procure, maintain and pay for
required insurance.
The insurance requirements set forth herein shall in no way limit Consultant's liability arising out
of the work performed under the Agreement or related activities. The inclusions, coverage and
limits set forth herein are minimum inclusion, coverage and limits. The required minimum policy
limits set forth shall not be construed as a limitation of Consultant's right under any policy with
higher limits, and no policy maintained by the Consultant shall be construed as limiting the type,
quality or quantity of insurance coverage that Consultant should maintain. Consultant shall be
responsible for determining appropriate inclusions, coverage, and limits, which may be in excess
of the minimum requirements set forth herein.
If the insurance of any Consultant or any Subconsultant contains deductible(s), penalty(ies) or
self-insured retention(s), the Consultant or Subconsultant whose insurance contains such provision(s)
shall be solely responsible for payment of such deductible(s), penalty(ies) or self-insured
retention(s).
The failure of Consultant to comply at all times fully and strictly with the insurance requirements
set forth herein shall be deemed a material breach of this Agreement.