Agreement No. 22-155
FIRST AMENDMENT TO AGREEMENT

THIS FIRST AMENDMENT TO AGREEMENT (hereinafter "Amendment") is made and entered into this 19th day of April 2022, by and between COUNTY OF FRESNO, a Political Subdivision of the State of California, Fresno, California (hereinafter "COUNTY"), and GlassRatner Advisory and Capital Group, LLC B. Riley Advisory Services, a limited liability company organized and existing under the laws of the State of Delaware, whose address is 555 W V Street, Los Angeles, CA, 90013, (hereinafter "CONTRACTOR").

WITNESSETH:

WHEREAS, COUNTY and CONTRACTOR entered into Agreement number 21-512, dated December 14, 2021 (hereinafter "Agreement"), pursuant to which CONTRACTOR agreed to provide a comprehensive cybersecurity needs assessment and develop a County-wide cyber preparedness plan; and

WHEREAS, COUNTY and CONTRACTOR now desire to amend the Agreement in order to increase the maximum contract amount by $15,000.00 to account for travel costs incurred while providing in-person tabletop exercises to ten County Departments.

NOW, THEREFORE, for good and valuable consideration, the receipt and adequacy of which is hereby acknowledged, COUNTY and CONTRACTOR agree as follows:

1. Section D of the Agreement, located on page 3, lines 10 through 19, is deleted in its entirety and replaced with the following:

"D. COMPENSATION/INVOICING: COUNTY agrees to pay CONTRACTOR and contractor agrees to receive compensation for the services rendered (as set forth in Revised Schedule A). Contractor shall submit monthly invoices to the County of Fresno Department of Human Resources-ATTN: Risk Management. Invoices shall include a report on completed work for prior month/invoice period and total hours/costs. COUNTY shall pay all undisputed amounts invoiced within forty-five (45) days of receipt of an invoice.

In no event shall compensation paid for services performed under this Agreement be in excess of Three Hundred Twenty Thousand and NO/Dollars ($320,000.00) during the term of this Agreement. It is understood that all expenses incidental to CONTRACTOR'S performance of services under this Agreement shall be borne by CONTRACTOR."

2. All references in the Agreement to Schedule A shall be deleted and replaced with "Revised Schedule A", a copy of which is attached hereto and incorporated herein by this reference.

COUNTY and CONTRACTOR agree that this Amendment is sufficient to amend the Agreement and, that upon execution of this Amendment, the Agreement and this Amendment together shall be considered the Agreement.

The parties agree that this Amendment may be executed by electronic signature as provided in this section. An "electronic signature" means any symbol or process intended by an individual signing this Amendment to represent their signature, including but not limited to (1) a digital signature; (2) a faxed version of an original handwritten signature; or (3) an electronically scanned and transmitted (for example by PDF document) of a handwritten signature. Each electronic signature affixed or attached to this Amendment (1) is deemed equivalent to a valid original handwritten signature of the person signing this Amendment for all purposes, including but not limited to evidentiary proof in any administrative or judicial proceeding, and (2) has the same force and effect as the valid original handwritten signature of that person. The provisions of this section satisfy the requirements of Civil Code section 1633.5, subdivision (b), in the Uniform Electronic Transaction Act (Civil Code, Division 3, Part 2, Title 2.5, beginning with section 1633.1). Each party using a digital signature represents that it has undertaken and satisfied the requirements of Government Code section 16.5, subdivision (a), paragraphs (1) through (5), and agrees that each other party may rely upon that representation. This Amendment is not conditioned upon the parties conducting the transactions under it by electronic means and either party may sign this Amendment with an original handwritten signature.

The Agreement, as hereby amended, is ratified and continued. All provisions, terms, covenants, conditions and promises contained in the Agreement and not amended herein shall remain in full force and effect.

EXECUTED AND EFFECTIVE as of the date first above set forth.

CONTRACTOR
(Authorized Signature)
Print Name & Title
Mailing Address

COUNTY OF FRESNO
Brian Pacheco, Chairman of the Board of Supervisors of the County of Fresno

ATTEST:
Bernice E. Seidel
Clerk of the Board of Supervisors
County of Fresno, State of California
By: ________ Deputy

FOR ACCOUNTING USE ONLY:
Fund: 1060
Subclass: 10000
ORG: 89250100
Account: 7295

REVISED SCHEDULE A
SCOPE OF SERVICES

Background

CONTRACTOR understands that the Information Security and Technology teams follow good cybersecurity practices, including cybersecurity awareness, policies, procedures and developing a shared security culture, but that the COUNTY faces a challenge by the uneven embrace of, and compliance with your central efforts to keep County data and systems as secure as possible from cyber incidents that can impact sensitive County data, operations, and government functions.

CONTRACTOR shall perform a needs assessment to independently determine the current state of security as practiced by County departments, assign a maturity score to each, and exercise and empirically test their response capability. From the results of these activities, CONTRACTOR will then propose remediation steps the County can consider, such as improving departmental awareness and practice maturity, and to close the gaps that are identified during these assessment activities.

CONTRACTOR shall perform the following Services:

These 20 County departments will be in scope:

Auditor-Controller/Treasurer/Tax Collector
Agriculture
Assessor/Recorder
Behavioral Health
Board of Supervisors
Child Support Services
County Administrative Office
County Clerk
County Counsel
District Attorney
Human Resources
Internal Services Division
Library
Probation
Public Defender
Public Health
Public Works and Planning
Retirement
Sheriffs Department
Social Services

The work streams are more specifically described below:

1. IT Interview
a. Work Description: CONTRACTOR will start with a "deeper dive" into the perspective of the IT Department around the issues, challenges, and obstacles to adoption of its cybersecurity policies and procedures, via a remote interview of IT leadership. This step will give CONTRACTOR a central point of view. After preparing, the interview would include both cybersecurity and government-sector continuity of operations planning experts in a session that would last approximately 2-3 hours.
b. Time Frame: January 3—January 14, 2022
c. Fee Basis: $4,500.00
d. Department: Internal Services Division
e. Fee: $4,500.00

2. Department Assessment
a. Work Description: CONTRACTOR assessments at the departmental level will follow to give CONTRACTOR the organizational perspective at the operational level. This will include preparation, execution, and analysis of a "trust-based" (validation not required via artifact production) remote interview with one-three leaders/staff members of each department who can speak to the department's mission, essential functions, underlying processes, and the systems and data required to support those processes, at the day-to-day operational level. The interviews will be completed within 2-3 hours each, attended by a CONTRACTOR cybersecurity SME, Business Process expert and scribe for notetaking. Included will be a modified CIS Assessment and a Business Process Analysis; CONTRACTOR would plan for 3 departmental interviews per week at the rate of one every other day.
b. Time Frame: January 17—March 4, 2022
c. Fee Basis: One-time preparation fee of $4,500.00; Assessments at $4,500.00 per department
d. Department: All 20 County Departments
e. Fee: $94,500.00

3. Tabletop Exercises
a. Work Description: To "test" departmental capabilities around cyber incident response, CONTRACTOR will then design three realistic incident scenarios and facilitate a remote two-hour tabletop exercise with each selected County department, varying the scenarios. These will be designed, not to embarrass participants and leadership, but to observe knowledge as practiced during "real" events, to get an "as practiced" view of departmental response capability. Tabletops will last approximately 2-3 hours, facilitated in a low pressure, discussion-based format to promote optimal participation. They will be administered at the rate of one per week, to accommodate preparation and documentation, and would include 3-4 facilitators, scribes, and subject matter experts from CONTRACTOR. Each will conclude with a brief virtual "hotwash" to ask for participant feedback.
b. Time Frame: March 7—May 20, 2022
c. Fee Basis: One time design fee of $18,000; Departmental tabletop exercises at $7,500 each. Travel costs not to exceed $15,000 to conduct in-person tabletop exercises.
d. Department: Initial assumption that 10 departments would be selected for these exercises. These numbers can be adjusted as we learn more from previous steps.
e. Fee: $108,000

4. Empirical Testing
a. Work Description: In parallel with the tabletop exercises, CONTRACTOR will work with the IT Department to plan a range of empirical tests to observe departmental recognition and response efforts when faced with a realistic (but no-impact) set of realistic attacks, including (1) phishing/social engineering to see how likely staff may be to disclose credentials to our tester and notify IT, (2) penetration testing to test system vulnerability of non-central systems at the department level, and (3) a single departmental malware simulation. These efforts will all be closely coordinated with IT so there is central awareness, rules of engagement, and no harm to data or production systems can occur.
b. Time Frame: March 7—May 20, 2022
c. Fee Basis: Pen testing on up to 200 internal/external departmental IPs and (1) departmental application at $11,000 each; Custom phishing and spear phishing scenario simulations executed on up to 150 departmental users at $5,500 each department; Malware/ransomware simulation at $14,000 per department.
d. Department: Library and Sheriffs Department
e. Fee: $47,000

5. Dashboard Report
a. Work Description: CONTRACTOR will evaluate the findings from each of the four tasks and with consideration of the findings and recommendations from CONTRACTOR's earlier financial controls assessment, develop a "dashboard" to graphically communicate department level cybersecurity maturity for administrative presentation, and integrate CONTRACTOR findings for each department in a draft report-for-comment by project sponsors. It will include a plan for closing gaps, vulnerabilities, and improving practices, with a high-level timeline and order of magnitude levels of effort, elapsed time and cost. After receiving COUNTY's feedback, CONTRACTOR will finalize the report, including an Executive Summary, for administrative presentation with the Maturity Dashboard. CONTRACTOR will either support the presentation of results and recommendations for closing maturity and practice gaps by the project sponsors, or will make that presentation directly to County leadership, based on COUNTY's preference. CONTRACTOR can work through County Counsel or outside counsel to provide these deliverables in a privileged methodology.
b. Time Frame: May 23—June 17, 2022
c. Fee Basis: One time fixed fee of $18,000
d. Department: County Level
e. Fee: $18,000

6. Plan
a. After providing tactical findings about the gaps the County departments need to remediate in their cybersecurity practices, CONTRACTOR will develop a draft Strategic County Cybersecurity Plan that provides guidance on common minimum standards, policies, and practices while accommodating the flexibility inherent in the County departmental structure. The Plan will be based on solid cybersecurity practices and widely accepted standards and frameworks, and will address optimal governance structure, training and awareness, policies and procedures, improved security competence, shared threat intelligence, county-wide IT coordination, while working within the existing county culture, jurisdictional realities, and risk management strategy.
b. Time Frame: May 23—July 5, 2022
c. Fee Basis: One time fixed fee of $30,000
d. Department: County Level
e. Fee: $30,000

7. Validation
a. Work Description: After approximately four (4) months, CONTRACTOR will conduct a series of interviews with IT and the 20 County departments to determine—on a trust basis—how much progress has been made on the recommended security improvements. CONTRACTOR will then update the dashboard to indicate that progress and provide support to project sponsors in informing County leadership about the level of improvement and the road ahead to complete these improvements. The dashboard will support regular progress assessments to show period-over-period improvement by the County.
b. Time Frame: October 24—December 2, 2022
c. Fee Basis: One-time fixed fee of $18,000.
d. Department: County Level
e. Fee: $18,000