The URL can be used to link to this page

22-144.00 Critical Insight: Security Assessment DocuSign Envelope ID:CAAF242D-60A4-4155-8443-641 DAC212B6B Critical L. • ns � Spokane .. Valley® THE CITY OF SPOKANE VALLEY, WA 13-POINT ASSESSMENT STATEMENT OF WORK SOW 2022-447 AUGUST 4, 2022 Presented To: Submitted By: Chad Knodel Randy Oppenborn IT Director Consulting Practice Director the City of Spokane Valley,WA Critical Insight, Inc. 10210 East Sprague Ave 245 4th Street,Suite 405 Spokane,WA 99206 Bremerton,WA 98337 (509)720-5055 (630) 346-3525 CKnodel@spokanevalley.org Randy.Oppenborn@Criticallnsight.com CRITICAL INSIGHT, INC. CONFIDENTIAL DocuSign Envelope ID:CAAF242D-60A4-4155-8443-641 DAC212B6B COof ork Critical InsightCity Statement Valley, WA the of Spokane WA 13-Point Assessment August 4, 2022 Table of Contents GENERAL INFORMATION 1 BACKGROUND&OBJECTIVES 1 Purpose 1 KEY BUSINESS AND TECHNICAL CONTACTS 3 City of Spokane Valley Business Contact Information 3 Critical Insight Business Contact &Technical Contact Information 3 CIS CONTROLS® SECURITY ASSESSMENT SERVICE DESCRIPTION AND SCOPE 4 APPROACH AND METHODOLOGY 4 Coordination, Planning,& Project Initiation 4 City of Spokane Valley Resource Requirements 4 SCOPE OF WORK 4 SCHEDULE 7 PERIOD OF PERFORMANCE 7 CITY OF SPOKANE VALLEY SCHEDULING REQUIREMENTS 7 PROJECT CHANGE CONTROL 7 SERVICE DELIVERABLES 9 DESCRIPTION 9 ACCEPTANCE OF DELIVERABLES 9 ASSUMPTIONS 10 COST 12 FIRM FIXED PRICE COST FOR SERVICES 12 TRAVEL AND EXPENSE REIMBURSEMENT 12 PAYMENT SCHEDULE 12 SIGNATURES 13 APPENDIX A: PROJECT COMPLETION FORM 14 APPENDIX B: CRITICAL INSIGHT, INC. TERMS AND CONDITIONS 15 CRITICAL INSIGHT, INC. CONFIDENTIAL ii DocuSign Envelope ID:CAAF242D-60A4-4155-8443-641 DAC212B6B Cf3 Critical Insight Statement of Work the City of Spokane Valley, WA 13-Point Assessment August 4, 2022 Notice Critical Insight has made every reasonable attempt to ensure that the information contained within this statement of work is correct, current and properly sets forth the requirements as have been determined to date. The parties acknowledge and agree that the other party assumes no responsibility for errors that may be contained in or for misinterpretations that readers may infer from this document. Non-Disclosure Statement The information in this document is Critical Insight Confidential, and cannot be reproduced or redistributed in any way, shape, or form without prior written consent from Critical Insight, Inc. subject to the City's requirements pursuant to Washington's Public Record Act, chapter 42.56 RCW, and Appendix B, no. 2, subsection (v) of this Statement of Work. Trademark Notice 2022 Critical Insight, Inc. All Rights Reserved, Critical Insight®, the Critical Insight, and Kraken logos and other trademarks, service marks, and designs are registered or unregistered trademarks of Critical Insight, in the United States and in foreign countries. © Copyright 2022 Critical Insight, Inc. CRITICAL INSIGHT, INC. CONFIDENTIAL iii DocuSign Envelope ID:CAAF242D-60A4-4155-8443-641DAC212B6B Er Critical Insight Statement of Work the City of Spokane Valley, WA 13-Point Assessment August 4, 2022 General Information This Statement of Work ("SOW"), effective as of the date of the last signature on the signature page to this Statement of Work ("Effective Date"), is by and between Critical Insight, Inc. ("Critical Insight") and the City of Spokane Valley, WA ("City of Spokane Valley", "Customer"). This Statement of Work is governed by the terms and conditions set forth in the Terms & Conditions set out in Appendix B: CRITICAL INSIGHT, INC. TERMS AND CONDITIONS and any other terms and conditions set forth in this SOW. The information in this document is Critical Insight Confidential, and cannot be reproduced or redistributed in any way, shape, or form without prior written consent from Critical Insight, Inc. subject to the City's requirements pursuant to Washington's Public Record Act, chapter 42.56 RCW, and Appendix B, no. 2, subsection (v) of this Statement of Work. For the avoidance of doubt, Customer hereby acknowledges and agrees that the offer of pricing and other terms set forth in this Statement of Work shall be valid for 45 days after the date set forth on the cover sheet of this Statement of Work. The offer of pricing and other terms set forth in this Statement of Work shall become effective and binding on Critical Insight and Customer only upon the execution of this Statement of Work by the parties on the Effective Date. Background & Objectives Purpose This SOW presents Critical Insight's methodology for using, evaluating, and reporting the results from our Cybersecurity Assessment tool, called the Critical Insight 13-Point Assessment Tool. The 13-Point Assessment is intended to provide lightweight process to create a point-in-time snapshot of an organization's security posture coupled with a set of prioritized actionable security recommendations. The Critical Insight Cybersecurity Assessment will focus on these key areas: ■ Policy ■ Vulnerability Identification ■ Application Security ■ Internet Connectivity ■ Extranet and Partner Connectivity CRITICAL INSIGHT, INC. CONFIDENTIAL 1 DocuSign Envelope ID:CAAF242D-60A4-4155-8443-641 DAC212B6B E-5 Critical Insight Statement of Work the City of Spokane Valley, WA 13-Point Assessment August 4, 2022 • Malware and Virus • Encryption, PKI, and Certificates • Auditing and Monitoring • Messaging • Operating System Security • Network Security • Authentication/Authorization • Outsourcing The project activities will be performed remotely and will include: • Up to 1 1/2 hour interview by Critical Insight to complete a 13-Point Assessment using an excel-based tool ■ Critical Insight's analysis of the assessment and creation of an executive summary PowerPoint report with a "Top 5" actionable Information Security recommendations • Delivery of the report to City of Spokane Valley within 2 weeks This SOW includes: • Scope of Work - Critical Insight's methodology for assisting and supporting City of Spokane Valley's technology & executive teams, and the scope of work that will be performed • Deliverables - Description of the deliverables for this project • Pricing - Critical Insight's pricing model for this engagement and the included components CRITICAL INSIGHT, INC. CONFIDENTIAL 2 DocuSign Envelope ID:CAAF242D-60A4-4155-8443-641 DAC212B6B f Critical Insight Statement of Work the City of Spokane Valley, WA 13-Point Assessment August 4, 2022 Key Business and Technical Contacts City of Spokane Valley Business Contact Information Name: Chad Knodel IT Director Mailing Address: the City of Spokane Valley, WA 10210 East Sprague Ave Spokane, WA 99206 E-Mail Address: CKnodel@spokanevalley.org Phone Number: (509) 720-5055 Critical Insight Business Contact &Technical Contact Information Name: Randy Oppenborn Consulting Practice Director Mailing Address: Critical Insight, Inc. 245 4th Street, Suite 405 Bremerton, WA 98337 E-Mail Address: Randy.Oppenborn@Criticallnsight.com Phone Number: (630) 346-3525 CRITICAL INSIGHT, INC. CONFIDENTIAL 3 DocuSign Envelope ID:CAAF242D-60A4-4155-8443-641 DAC212B6B C Critical Insight Statement of Work the City of Spokane Valley, WA 13-Point Assessment August 4, 2022 CIS Controls® Security Assessment Service Description and Scope This section provides a description of services, scope of activity, and support requirements associated with the services. Approach and Methodology Critical Insight will work directly with City of Spokane Valley to Interview City of Spokane Valley to gather information for the 13-Point assessment and create a customer report based on the data collected and review the information with the customer. A Critical Insight information security consultant will deliver the results to the customer (by phone) to assist City of Spokane Valley in understanding the 5 key recommendations, as well as, to assist in planning the execution of these recommendations. Coordination, Planning, & Project Initiation Critical Insight will provide day-to-day project management for all aspects of this project, including tracking and resolution of project related issues, progress tracking, project reporting, and communication. City of Spokane Valley Resource Requirements Achieving City of Spokane Valley's objectives will require active participation from both the Critical Insight Project Team as well as City of Spokane Valley's own personnel. To ensure the timely and successful completion of this project, City of Spokane Valley should expect at least the following resource time commitments from its own personnel: ■ A Project Contact should be assigned to the project to serve as the single point of contact for the Critical Insight Project Team ■ This role will require a commitment of approximately 3 hours during the course of the project. Scope of Work Critical Insight will provide and complete the Critical Insight 13-Point Assessment tool which forms the basis of the assessment. The assessment is designed to conduct a high-level Information Security assessment for entities just beginning to CRITICAL INSIGHT, INC. CONFIDENTIAL 4 DocuSign Envelope ID:CAAF242D-60A4-4155-8443-641 DAC212B6B CCritical Insight Statement of Work the City of Spokane Valley, WA 13-Point Assessment August 4, 2022 conduct due diligence around Information Security or that are not yet mature in Information Security. A Critical Insight Security Strategist will deliver the process as follows: Step 1 : Begin with tool Start & Results Tab: • Interview City of Spokane Valley using the tool (Excel worksheet) to gather the following information on the Start & Results Tab in the Excel tool • Company, Business Unit, Application or System name — This information and input is needed to describe their assessment environment ■ If a customer wishes to isolate the assessment around key assets or when used within a Business Unit or Division of a larger organization, then other fields following this may be useful: o Locations/Modules/Business Units, if applicable o Business Units using this organization/application/system o Business Units with the same Confidentiality, Integrity & Availability (CIA) requirements o The Confidentiality, Integrity & Availability (CIA) requirements for the environment Step 2: Using the tabs for each Information Security Control area: • Input answers from drop down menu by clicking an answer in the tool and selecting an option from the menu, from the following: Yes, No, or I Don't Know ■ I Don't Know is a perfectly valid answer that signifies risk may be present o If the answer is readily available, wait for that response to be gathered and input accordingly o If no answer is readily available, I Don't Know is the appropriate answer Step 3: Critical Insight evaluates results and creates the 13-Point Assessment report: • After completing the 13-Point Assessment, Critical Insight returns a PowerPoint report within 2 weeks to City of Spokane Valley CRITICAL INSIGHT, INC. CONFIDENTIAL 5 DocuSign Envelope ID:CAAF242D-60A4-4155-8443-641 DAC212B6B Cf3 Critical Insight Statement of Work the City of Spokane Valley, WA 13-Point Assessment August 4, 2022 • Critical Insight analyzes the entries in the tool, and creates a brief report with "Top 5" Actionable Information Security Recommendations • Recommendations are strategic and actionable, making them comprehensible by less mature clients. • The report has multiple functions: • Explains to City of Spokane Valley what underlies the recommendation which expands City of Spokane Valley's security knowledge • Provides value to City of Spokane Valley by telling them why a recommendation is key to reducing risks to critical infrastructure • Provides highly actionable recommendations with immediate strategic benefits • Provides a basis for applications for grant funding Step 4: SAM Partner-Critical Insight Call with SAM Customer • Critical Insight will participate by phone on a call to deliver the results of the 13-Point Assessment to City of Spokane Valley CRITICAL INSIGHT, INC. CONFIDENTIAL 6 DocuSign Envelope ID:CAAF242D-60A4-4155-8443-641 DAC212B6B Critical Insight Statement of Work the City of Spokane Valley, WA 13-Point Assessment August 4, 2022 Schedule Period of Performance City of Spokane Valley understands and agrees that changes in critical factors (such as those listed below in Project Change Control, or a delay in signature of this document) may impact Critical Insight's ability to meet certain dates. Project Start Date: Within Two (2) weeks of Effective Date Project Completion Date: Within Two (2) weeks of Start Date City of Spokane Valley Scheduling Requirements In order to ensure timely delivery of services and to ensure continuity across information gathering activities, Critical Insight requires our clients to provide a defined information gathering window, with prescribed start and end dates for the interviews and document and information exchange. This is beneficial to both City of Spokane Valley and Critical Insight and ensures efficient delivery of value. This engagement has the following Information Gathering window: • 1 day This window will be scheduled prior to initiation of information gathering activities. Care must be given by City of Spokane Valley to ensure all resources need to complete the information gathering phase are available during the Information Gathering Window. If all information gathering is not completed with this window, the following impacts on the above schedule should be expected: ■ The Project Completion Date is no longer valid • The Project Completion Date is now dependent on rescheduling a new Information Gathering window, which will be entirely dependent on existing scheduling of other client work ■ Priority goes to already scheduled work Project Change Control Critical Insight has made every attempt to accurately estimate time required to successfully complete the project. City of Spokane Valley acknowledges and agrees that if impediments, complications, or City of Spokane Valley requested changes in CRITICAL INSIGHT, INC. CONFIDENTIAL 7 DocuSign Envelope ID:CAAF242D-60A4-4155-8443-641DAC212B6B CL Critical Insight Statement of Work the City of Spokane Valley, WA 13-Point Assessment August 4, 2022 scope arise, these factors are out of the control of Critical Insight, and the length of the project and associated price could be impacted. Examples of valid impediments, complications, and changes in scope consist of (but are not limited to): ■ City of Spokane Valley initiated delay where City of Spokane Valley is not prepared to allow Critical Insight to begin work on the agreed upon start date thus resulting in additional cost to Critical Insight for resources that have been sent to City of Spokane Valley's site but cannot begin the Services • City of Spokane Valley provided information necessary for timely delivery by Critical Insight is not accurate • Delays or problems associated with third party telecommunication equipment. ■ This includes, but is not limited to, cabling, servers, routers, hubs, and switches managed or installed by third parties • Malfunctioning hardware • Inability to access equipment or personnel that are required to complete the project • Conflicts or incompatibilities associated with the installation of hardware or software installed by Critical Insight • City of Spokane Valley increases the scope of services requiring additional labor, hardware, software, materials, travel, lodging, meals, or other direct costs If any change(s) from impediments, complications, or City of Spokane Valley changes in the scope of services cause an increase or decrease in the price or level of effort of the SOW, or the time required for the performance of any part of the work to be accomplished hereunder, whether or not such work is specifically identified in the written change, then the price, delivery schedules and other affected provision(s), if any, as applicable, shall be equitably adjusted and this SOW shall be modified in writing by the mutual agreement of the parties in accordance with this Section. CRITICAL INSIGHT, INC. CONFIDENTIAL a DocuSign Envelope ID:CAAF242D-60A4-4155-8443-641 DAC212B6B Critical Insight Statement of Work the City of Spokane Valley, WA 13-Point Assessment August 4, 2022 Service Deliverables Description Critical Insight will provide the following deliverables as part of this project: Table 1: Deliverable Description Name of Deliverable Description of Deliverable 13-Point Each 13-Point Assessment report contains a written Assessment Report PowerPoint report that documents and highlights the five (5) most important findings, prioritized by Risk to City of Spokane Valley, and actionable recommendations to address each finding. Acceptance of Deliverables City of Spokane Valley has five (5) business days to inspect and acknowledge full delivery of the Services to be provided by Critical Insight hereunder upon completion and delivery of the Services by Critical Insight. City of Spokane Valley will indicate such acknowledgement by signing Critical Insight's Project Completion Form, a sample of which is attached as Appendix A: Project Completion Form. If City of Spokane Valley believes that Critical Insight has not fully delivered the Services to be provided hereunder and refuses to sign the Project Completion Form on that basis, City of Spokane Valley shall identify in reasonable detail the specific Services or deliverables which City of Spokane Valley believes were not delivered, with specific reference to the corresponding sections of this SOW, via written notice to Critical Insight within such five (5) business day period. Following Critical Insight's receipt of any such notification, the parties shall cooperate in good faith to promptly address and resolve any remaining Service delivery requirements. Upon Critical Insight's delivery of the remaining Services, if any, City of Spokane Valley's right to inspect and acknowledge full delivery shall be as stated above. If City of Spokane Valley fails to provide such acknowledgement or notice within the five (5) business days of receiving final deliverables, City of Spokane Valley agrees that the services shall be deemed fully delivered to City of Spokane Valley, even if City of Spokane Valley has not signed the Critical Insight Project Completion Form. CRITICAL INSIGHT, INC. CONFIDENTIAL 9 DocuSign Envelope ID:CAAF242D-60A4-4155-8443-641 DAC212B6B C Critical Insight Statement of Work the City of Spokane Valley, WA 13-Point Assessment August 4, 2022 Assumptions Critical Insight used the following assumptions during development of this SOW. Any changes to these assumptions may affect the price and schedule commitment. ■ City of Spokane Valley will provide Critical Insight access to the business, customer, and technical information, and facilities necessary to execute the solution ■ City of Spokane Valley will provide Critical Insight on-site and off-site access to documents necessary for this assessment ■ City of Spokane Valley will ensure that appropriate personnel are available to meet with Critical Insight, as necessary ■ The Critical Insight professional working day is eight hours, including reasonable time for meals ■ Critical Insight understands that occasions arise during customer engagements that require a longer or shorter working day ■ Critical Insight will not be obligated to extend engagements when delays result from City of Spokane Valley's inability to meet stated prerequisites prior to an engagement, nor when delays result from City of Spokane Valley personnel not being available to provide required support ■ During this effort, Critical Insight will not be responsible for negotiations with hardware, software, or other vendors, or any other contractual relationship between City of Spokane Valley and third parties ■ Critical Insight, at the request of City of Spokane Valley, will provide input to City of Spokane Valley regarding optimal product or vendor selection ■ Any application code, documentation, and/or presentations developed under this SOW will be in English ■ Critical Insight will perform the work between 8:30 a.m. and 5:00 p.m. (local time) ■ After-hour and weekend work (when required), must be explicitly identified below or as otherwise agreed to in writing by the parties: After-hours required? Yes ❑ No El CRITICAL INSIGHT, INC. CONFIDENTIAL 10 DocuSign Envelope ID:CAAF242D-60A4-4155-8443-641DAC212B6B C Critical Insight Statement of Work the City of Spokane Valley, WA 13-Point Assessment August 4, 2022 Weekend hours required? Yes ❑ No IZ Location of onsite services? Remotely CRITICAL INSIGHT, INC. CONFIDENTIAL 11 DocuSign Envelope ID:CAAF242D-60A4-4155-8443-641 DAC212B6B Critical Insight CL. Statement of Work the City of Spokane Valley, WA 13-Point Assessment August 4, 2022 Cost Firm Fixed Price Cost for Services Critical Insight will provide the services for a Firm Fixed Price (FFP) for labor as of $1,000. Travel and Expense Reimbursement Travel and expenses are not expected on this engagement as all work can be conducted remotely. Where travel, meals, lodging, and other direct costs for the described effort are incurred, those expenses shall be reimbursed by City of Spokane Valley at actual cost. Payment Schedule This SOW will be invoiced on the following schedule in accordance with the Appendix C: Critical Insight. Inc. Terms and Conditions. Section 1. PAYMENTS: Payment Schedule Invoice Amount Invoiced on Contract Execution 50% of the Firm Fixed Price Invoiced on Project Completion and The remaining 50% of the Firm Fixed Deliverable Acceptance Price CRITICAL INSIGHT, INC. CONFIDENTIAL 12 DocuSign Envelope ID:CAAF242D-60A4-4155-8443-641 DAC212B6B Critical Insight Statement of Work the City of Spokane Valley, WA 13-Point Assessment August 4, 2022 Signatures IN WITNESS WHEREOF, the parties have caused this Statement of Work to be executed and do each hereby warrant and represent that their respective signatory whose signature appears below has been and is on the date of this Statement of Work duly authorized by all necessary and appropriate corporate action to execute this Statement of Work. PAYMENT (Must check one) ❑ A purchase order has been approved and a copy is attached to this SOW. { ,My company does not issue purchase orders for these products and/or services ordered. In order to ensure correct and timely invoicing, I have provided a reference number and billing information to be identified on the invoice. Reference #: Qg oc ZjZZ Billing Contact Name /) PAttdaL� � Billing Address: /02 E. .-p✓ 5-too v6 Uf}2c 6y/ 1,WI4- ci\9 20 b Billing Contact Phone cpg - 720 - 511 y Billing Contact Email aCC0UrIIfpMA/4 (e @ya, e ti ley. c Critical Insight, Inc. ,-DocuSigned by: Signature: Printed Name: cr-raark6F -T r Title: CEO Date: 8/10/2022 the City of Spokane Valley,WA Signature: /f/X.— Printed Name: //` ig-76H.-uaov Title: C , 7 y 011,4it,4G,,, Date: $ _ /o -- z z CRITICAL INSIGHT, INC. CONFIDENTIAL 13 DocuSign Envelope ID:CAAF242D-60A4-4155-8443-641 DAC212B6B C Critical Insight Statement of Work the City of Spokane Valley, WA 13-Point Assessment August 4, 2022 Appendix A: Project Completion Form Critical Insight has completed all of the agreed upon tasks outlined in the Statement of Work titled "13-Point Assessment" and dated August 4, 2022. Accepted and Agreed By: the City of Spokane Valley,WA Signature: Printed Name: Title: Date: Please email the signed form to Consulting@Criticallnsight.com. CRITICAL INSIGHT, INC. CONFIDENTIAL 14 DocuSign Envelope ID:CAAF242D-60A4-4155-8443-641 DAC212B6B Cr Critical Insight Statement of Work the City of Spokane Valley, WA 13-Point Assessment August 4, 2022 Appendix B: CRITICAL INSIGHT, INC. TERMS AND CONDITIONS 1 . PAYMENTS. Customer shall pay Critical Insight, Inc. the fees specified without deduction, setoff or delay for any reason. Such payment shall be made: (i) in U.S. Dollars, (ii) within thirty (30) days from the invoice date, and (iii) in accordance with the terms of the invoice. All fees paid are non-refundable. Beginning the day after the due date of the invoice, interest shall be due and payable by Customer at the rate of one percent (1%) per month or the highest rate allowed by law, whichever is less, on any portion of the invoice which has not been paid. Customer is responsible for payment of all taxes applicable to this Statement of Work, except for any tax on Critical Insight, Inc.'s net income. 2. CONFIDENTIAL INFORMATION The Parties acknowledge that by reason of their relationship under this Statement of Work, they may have access to and acquire Confidential Information of the other Party. Each Party receiving Confidential Information (the "Receiving Party") agrees to maintain all such Confidential Information received from the other Party (the "Disclosing Party"), both orally and in writing, in confidence and agrees not to disclose or otherwise make available such Confidential Information to any third party without the prior written consent of the Disclosing Party; provided, however, that the Receiving Party may disclose the terms of this Statement of Work to its legal and business advisors if such third parties agree to maintain the confidentiality of such Confidential Information under terms no less restrictive than those set forth herein. The Receiving Party further agrees to use the Confidential Information only for the purpose of performing this Statement of Work. Notwithstanding the foregoing, the obligations set forth herein shall not apply to Confidential Information which: (i) is or becomes a matter of public knowledge through no fault of or action by the Receiving Party; (ii) was lawfully in the Receiving Party's possession prior to disclosure by the Disclosing Party; (iii) subsequent to disclosure, is rightfully obtained by the Receiving Party from a third party who is lawfully in possession of such Confidential Information without restriction; (iv) is independently developed by the Receiving Party without resort to the Confidential Information; or (v) is required by law or judicial order, provided that the Receiving Party shall give the Disclosing Party prompt written notice of such required disclosure in order to afford the Disclosing Party an opportunity to seek a protective order or other legal remedy to prevent the disclosure, and shall reasonably cooperate with the Disclosing Party's CRITICAL INSIGHT, INC. CONFIDENTIAL 15 DocuSign Envelope ID:CAAF242D-60A4-4155-8443-641 DAC212B6B C Critical Insight Statement of Work the City of Spokane Valley, WA 13-Point Assessment August 4, 2022 efforts to secure such a protective order or other legal remedy to prevent the disclosure. 3. RELATIONSHIP BETWEEN CRITICAL INSIGHT, INC. AND CUSTOMER. The parties to this Statement of Work are independent contractors. Neither party is an agent, representative, or partner of the other party. Neither party shall have any right, power, or authority to enter into any agreement for or on behalf of, or incur any obligation or liability of, or to otherwise bind, the other party. Each party shall bear its own costs and expenses in performing this Statement of Work. 4. INTELLECTUAL PROPERTY OWNERSHIP A. Customer will own all right, title and interest in and to the Deliverables. For purposes of this Statement of Work, the term "Deliverables" shall mean any deliverables created by Critical Insight, Inc. during the performance of the Services that are specifically identified in this Statement of Work, whether published or unpublished, Deliverables excludes any Critical Insight, Inc. Intellectual Property. All Deliverables shall be considered a work made for hire, to the fullest extent permitted by law and all right, title and interest therein, including the intellectual property rights, shall be the property of Customer. In the event that any said Deliverables or portion thereof shall not be legally qualified as a work made for hire, or shall subsequently be so held to not be a work made for hire, Critical Insight, Inc. agrees to assign, and does hereby so assign to Customer, all right, title and interest in and to said work or portion thereof, including, but not limited to, the intellectual property rights, extensions of such rights and renewal rights therein. Critical Insight, Inc., without charge to Customer, shall duly execute, acknowledge and deliver to Customer all such further papers, including assignments and applications for intellectual property registration or renewal, as may be necessary to enable Customer to publish or protect said works by copyright, patent or otherwise in any and all countries and to vest title to said works in Customer, or its nominees, their successors or assigns, and shall render all such assistance as Customer may require in any proceeding or litigation involving the rights in said works. B. Critical Insight, Inc. will own right, title, and interest in all Critical Insight, Inc. Intellectual Property. To the extent the Deliverables contain or include any Critical Insight, Inc. Intellectual Property, Critical Insight, Inc. hereby grants to Customer and its Affiliates (defined below), a perpetual, revocable, worldwide, royalty-free, non-exclusive, limited, right and license to use, execute or copy, the Critical Insight, Inc. Intellectual Property solely for its internal business purposes and solely in connection with Customer's use of the Services or Deliverables. For purposes of this Statement of Work, the term "Critical Insight, Inc. Intellectual Property" means, CRITICAL INSIGHT, INC. CONFIDENTIAL 16 DocuSign Envelope ID:CAAF242D-60A4-4155-8443-641 DAC212B6B Er Critical Insight Statement of Work the City of Spokane Valley, WA 13-Point Assessment August 4, 2022 collectively, (i) all Pre-Existing Works, which shall mean all work product created, conceived, developed or first reduced to practice by Critical Insight, Inc., either solely or in collaboration with others, prior to Critical Insight, Inc.'s delivery of the Services including, without limitation, designs, inventions, improvements, processes, computer programs, software, source code, object code, graphics, pictorial representations, user interfaces, functional specifications, reports, spreadsheets, presentations and analyses, (ii) all Derivative Works, which shall mean a work which is based upon or related to one or more Pre-Existing Works such as a revision, modification, translation, abridgement, condensation, expansion or any other form in which such Pre-Existing works may be recast, transformed, or adapted, whether that work stands alone or is combined with other works and which may include processes, methods and procedures, (iii) methodologies, concepts, know-how and techniques utilized to produce the Deliverables (and any improvements or modifications thereto developed in the course of providing the Services) and any ideas, concepts, text, formats and industry best practices which are of a generally applicable nature and do not include or reference the Confidential Information of Customer, and (iv) all Documentation, which shall mean user manuals and other written materials that relate to the Intellectual Property or to the Services provided hereunder. 5. REPRESENTATIONS AND WARRANTIES; DISCLAIMERS Customer represents and warrants that it (i) has the corporate power and authority to enter into this Statement of Work and to fully perform its obligations under this Statement of Work; and (ii) will not make any unauthorized representation or warranty to any third party relating to any Services. Critical Insight, Inc. represents and warrants that (i) it has the corporate power and authority to enter into this Statement of Work and to fully perform its obligations under this Statement of Work (ii) the Services performed under this Statement of Work shall be performed or provided by competent personnel in a professional and workmanlike manner. EXCEPT AS SPECIFICALLY SET FORTH IN THIS STATEMENT OF WORK, THE SERVICES PERFORMED AND ANY ITEMS FURNISHED UNDER THIS STATEMENT OF WORK, INCLUDING BUT NOT LIMITED TO DATA, REPORTS, DOCUMENTATION, DELIVERABLES, HARDWARE AND SOFTWARE OF ANY KIND, AND ANY RECOMMENDATIONS OR CONCLUSIONS CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS WITH NO WARRANTIES OR REPRESENTATIONS OF ANY KIND. CRITICAL INSIGHT, INC. MAKES NO WARRANTY, EXPRESS OR IMPLIED, THAT THE SERVICES WILL RENDER CUSTOMER'S NETWORK AND SYSTEMS SAFE FROM MALICIOUS CODE, INTRUSIONS, OR OTHER SECURITY BREACHES. CRITICAL INSIGHT, INC. SPECIFICALLY DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, FITNESS CRITICAL INSIGHT, INC. CONFIDENTIAL 17 DocuSign Envelope ID:CAAF242D-60A4-4155-8443-641 DAC212B6B C Critical Insight Statement of Work the City of Spokane Valley, WA 13-Point Assessment August 4, 2022 FOR A PARTICULAR PURPOSE, TITLE OR NON-INFRINGEMENT, AS WELL AS ANY WARRANTIES ALLEGED TO HAVE ARISEN FROM CUSTOM, USAGE, OR PAST DEALINGS BETWEEN THE PARTIES. 6. LIMITATION OF LIABILITY A. EXCEPT WITH RESPECT TO FEES DUE UNDER SECTION 1, A BREACH OF SECTION 2 OR 4, OR INDEMNIFICATION OBLIGATIONS UNDER SECTION 7, (i) EACH PARTY'S LIABILITY TO THE OTHER PARTY, INCLUDING ALL LIABILITIES ARISING OUT OF OR RELATED TO THIS STATEMENT OF WORK, FROM ANY CAUSE OR CAUSES, AND REGARDLESS OF THE LEGAL THEORY, INCLUDING BREACH OF CONTRACT, WARRANTY, NEGLIGENCE, STRICT LIABILITY, OR STATUTORY LIABILITY, SHALL NOT IN THE AGGREGATE EXCEED THE AMOUNTS PAID OR PAYABLE TO CRITICAL INSIGHT, INC. UNDER THIS STATEMENT OF WORK, AND (ii) IN NO EVENT SHALL CRITICAL INSIGHT, INC. OR CUSTOMER BE LIABLE TO THE OTHER FOR ANY SPECIAL, INDIRECT, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR ECONOMIC DAMAGES (INCLUDING, BUT NOT LIMITED TO LOST PROFITS, LOSS OF USE OF DATA AND LOST BUSINESS OPPORTUNITY), REGARDLESS OF THE LEGAL THEORY UNDER WHICH DAMAGES ARE SOUGHT, AND EVEN IF THE PARTIES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 7. INDEMNIFICATION. A. Each party (the "Indemnitor") shall indemnify, defend and hold harmless the other party (the "Indemnitee") and its officers, directors, employees, agents, subsidiaries and Affiliates (as defined below) from and against any and all third party claims, demands, lawsuits, causes of action, losses, damages, liabilities, costs and expenses, including reasonable attorney's fees, related to or arising out of (i) Indemnitor's material breach of a specific representation or warranty hereunder; (ii) Indemnitor's willful misconduct or grossly negligent acts or omissions of the Indemnitor; and (iii) solely with respect to Critical Insight, Inc.'s indemnification of Customer, and subject to Critical Insight, Inc.'s rights below, any alleged infringement of any United States patent, copyright or trade secret by the unmodified Services, Deliverables or Critical Insight, Inc. Intellectual Property as delivered by Critical Insight, Inc. (excluding any open source components or third party specifications). In the event of any claim, suit, or proceeding relating to intellectual property infringement, Critical Insight, Inc. shall have the right, at its sole option, to obtain the right to continue use of the affected Services, Deliverables or Critical Insight, Inc. Intellectual Property, or to replace or modify the affected Services, Deliverables or Critical Insight, Inc. Intellectual Property so that they may be used without infringement of a third party's United States patent, copyright or trade secret rights. If neither of the foregoing options is available to Critical Insight, CRITICAL INSIGHT, INC. CONFIDENTIAL 18 DocuSign Envelope ID:CAAF242D-60A4-4155-8443-641 DAC212B6B Er Critical Insight Statement of Work the City of Spokane Valley, WA 13-Point Assessment August 4, 2022 Inc. on a commercially reasonable basis, Critical Insight, Inc. may terminate this Statement of Work immediately upon written notice to Customer, and within thirty (30) days after such termination shall pay Customer a termination fee equal to fees paid for the infringing Services or Deliverables. Upon such termination, Customer will have no further right to use the infringing Services, Deliverables or Critical Insight, Inc. Intellectual Property and shall promptly return any such Deliverables of Critical Insight, Inc. Intellectual Property to Critical Insight, Inc. NOTWITHSTANDING ANY OTHER PROVISION OF THIS STATEMENT OF WORK, THE RIGHTS .AND REMEDIES SET FORTH IN SECTION CONSTITUTE THE ENTIRE OBLIGATION OF CRITICAL INSIGHT, INC. AND THE EXCLUSIVE REMEDIES OF CUSTOMER WITH RESPECT TO ANY THIRD PARTY INTELLECTUAL PROPERTY INFRINGEMENT CLAIM. B. The Indemnitor agrees to promptly notify the Indemnitee of any such claims, to permit the Indemnitee to control any resulting litigation or settlements and to reasonably cooperate with the defense of any such claims at the Indemnitor's expense. The Indemnitor shall not have any right, without the other party's consent, (which will not be unreasonably withheld), to settle any such claim if such settlement arises for or is part of any criminal action, suit or proceeding or contains a stipulation to or an admission or acknowledgement of any liability or wrongdoing (whether in contract, tort, or otherwise) on the part of the other party). As used herein, "Affiliate" means any entity controlling, controlled by, or under common control with Critical Insight, Inc. or Customer. The term "control" and its correlative meanings, "controlling," "controlled by," and "under common control with," means the legal, beneficial or equitable ownership, directly or indirectly, of more than fifty percent (50%) of the aggregate of all voting equity interests in an entity. 8. TERM A. Term. This Statement of Work will remain in force until the Services and Deliverables have been delivered ("Term"), unless terminated sooner as set forth below. B. Termination for Cause. In the event of a material breach of this Statement of Work, the non-breaching party may terminate this Statement of Work if such breach is not cured within thirty (30) days after written notice thereof. C. Termination for Bankruptcy. A party may terminate this Statement of Work by giving written notice to the other party if that other party makes an assignment for the benefit of creditors, becomes unable to pay its debts as they become due, dissolves or liquidates or files a voluntary petition in bankruptcy or a similar proceeding; if an involuntary petition in bankruptcy or a similar proceeding is filed against that other party and is not stayed or dismissed within thirty (30) days; if a CRITICAL INSIGHT, INC. CONFIDENTIAL 19 DocuSign Envelope ID:CAAF242D-60A4-4155-8443-641 DAC212B6B C Critical Insight Statement of Work the City of Spokane Valley, WA 13-Point Assessment August 4, 2022 receiver is appointed for all or substantially all of that other party's assets; or if execution is made on all or substantially all of that other party's assets. D. Effect of Termination. Upon the effective date of a termination, Critical Insight, Inc. shall inform Customer of the extent to which Critical Insight, Inc.'s performance is completed through such date. At the same time, Critical Insight, Inc. shall collect and deliver to Customer whatever portion of the Deliverables have been completed, provided, however, that Critical Insight, Inc. has received all payments in full. Critical Insight, Inc. shall be entitled, in the event of any termination, to be paid for all Services performed through the effective date of termination. E. Survival. In addition to the terms of this Section, Sections 1, 2, 4, 5, 6, 7, and 9 shall survive any termination or expiration of this Statement of Work. 9. MISCELLANEOUS A. Entire Agreement. This Statement of Work and any amendments thereto, constitutes the entire agreement between the parties hereto relating to the subject matter hereof and supersedes all prior oral and written and all contemporaneous oral negotiations, commitments and understandings of the parties. This Statement of Work shall not be modified or amended in any respect, nor shall any of its terms or conditions be waived, except by a subsequent writing, mutually agreed upon and executed by the authorized representatives of both parties. B. Third Party Beneficiaries. No provisions of this Statement of Work are intended nor shall be interpreted to provide or create any third-party beneficiary rights or any other rights of any kind in any other party. C. Publicity. Any press release or other public announcement relating to the existence or terms of this Statement of Work, or any relationship between the parties, must be approved in advance in writing by the parties. D. Legal Effect. If any provision of this Statement of Work shall be held illegal, invalid or unenforceable, the remaining provisions shall continue in full force and effect, and the parties shall substitute for the invalid provision a valid provision which most closely approximates the economic effect and the intent of the invalid provision. E. Waiver. No delay or failure by either party to exercise or enforce at any time any right or provision of this Statement of Work shall be considered a waiver thereof or of such party's right thereafter to exercise or enforce each and every right and provision of this Statement of Work. A waiver to be valid shall be in writing but need not be supported by consideration. No single waiver shall constitute a continuing or subsequent waiver. CRITICAL INSIGHT, INC. CONFIDENTIAL 20 DocuSign Envelope ID:CAAF242D-60A4-4155-8443-641 DAC212B6B C. Critical Insight Statement of Work the City of Spokane Valley, WA 13-Point Assessment August 4, 2022 F. No Hire. During the Term of the Statement of Work and for a period of one year thereafter, neither Critical Insight, Inc. nor Customer shall knowingly recruit, or solicit for hire any of the other party's employees assigned to this effort. Notwithstanding the foregoing, former employees of Critical Insight, Inc. who have left the employ of Critical Insight, Inc. for a period of six months after last performing hereunder are not subject to this provision. G. Force Majeure. Neither party shall be deemed in default hereunder, nor shall it hold the other party responsible for, any cessation, interruption or delay in the performance of its obligations hereunder due to earthquake, flood, fire, storm, natural disaster, act of God, war, armed conflict, terrorism, labor strike, lockout, boycott, or other similar events beyond the reasonable control of a party, provided that the party relying upon this Section shall have given the other party written notice thereof promptly and, in any event, within five (5) days of discovery thereof and (ii) shall take all steps reasonably necessary under the circumstances to mitigate the effects of the force majeure event upon which such notice is based; provided further, that in the event a force majeure event described in this Section extends for a period in excess of thirty (30) days in the aggregate, either party may immediately terminate this Statement of Work. H. Governing Law. This Statement of Work shall be governed and construed in all respects in accordance with the laws of the State of Washington, without giving effect to conflict of laws principles thereof. The parties hereby consent to the jurisdiction of the state courts of the State of Washington and the United States Federal District Court for the Western District of the State of Washington for any action or proceeding brought by either of them on or in connection with this Statement of Work or any alleged breach thereof. I. Assignment. Neither Customer nor Critical Insight, Inc. may assign or transfer this Statement of Work without the prior written approval of the other party; provided, however, that the sale of any portion of the assets of one party, or any of its subsidiaries, or its acquisition by or merger into another company, shall not be deemed an assignment of this Statement of Work. Any assignment in violation of this Section shall be void. Subject to the foregoing, this Statement of Work shall be binding upon and inure to the benefit of the successors and assigns of Customer and Critical Insight, Inc. CRITICAL INSIGHT, INC. CONFIDENTIAL 21 DocuSign. Certificate Of Completion Envelope Id:CAAF242D60A441558443641DAC212B6B Status:Completed Subject:Please DocuSign:Critical Insight SOW City Signed.pdf Source Envelope: Document Pages:24 Signatures: 1 Envelope Originator: Certificate Pages:5 Initials:0 Lori Nguyen AutoNav:Enabled 245 4th Street,Suite 405 Envelopeld Stamping: Enabled Bremerton,WA 98337 Time Zone:(UTC-08:00)Pacific Time(US&Canada) Lori.Nguyen@criticalinsight.com IP Address:64.207.219.136 Record Tracking Status:Original Holder:Lori Nguyen Location: DocuSign 8/10/2022 1:37:37 PM Lori.Nguyen@criticalinsight.com Signer Events Signature Timestamp Garrett Silver DoeuSigned by: Sent:8/10/2022 garrett.silver@criticalinsight.com Viewed:8/10/2022 3:31:03 PM CEO 3068F5Fee7F04CE... Signed:8/10/2022 3:31:24 PM Chris Robine Security Level:Email,Account Authentication Signature Adoption:Drawn on Device (None) Using IP Address:199.76.120.20 Signed using mobile Electronic Record and Signature Disclosure: Accepted:8/10/2022 3:31:03 PM ID:f8d2cb48-41d6-4651-abea-31c7536a9f37 In Person Signer Events Signature Timestamp Editor Delivery Events Status Timestamp Agent Delivery Events Status Timestamp Intermediary Delivery Events Status Timestamp Certified Delivery Events Status Timestamp Carbon Copy Events Status Timestamp CI Operations COPIED Sent:8/10/2022 3:31:27 PM operations@criticalinsight.com Security Level:Email,Account Authentication (None) Electronic Record and Signature Disclosure: Not Offered via DocuSign Sherri Jory COPIED Sent:8/10/2022 3:31:27 PM sherri.jory@criticalinsight.com Finance Manager Critical Insight Inc.dba CI Security Security Level:Email,Account Authentication (None) Electronic Record and Signature Disclosure: Not Offered via DocuSign Witness Events Signature Timestamp Notary Events Signature Timestamp Envelope Summary Events Status Timestamps Envelope Sent Hashed/Encrypted 8/10/2022 1:39:48 PM Certified Delivered Security Checked 8/10/2022 3:31:03 PM Signing Complete Security Checked 8/10/2022 3:31:24 PM Completed Security Checked 8/10/2022 3:31:27 PM Payment Events Status Timestamps Electronic Record and Signature Disclosure Electronic Record and Signature Disclosure created on:8/3/2020 8:24:16 AM Parties agreed to:Garrett Silver ELECTRONIC RECORD AND SIGNATURE DISCLOSURE From time to time, Critical Informatics Inc. dba CI Security(we,us or Company)may be required by law to provide to you certain written notices or disclosures. Described below are the terms and conditions for providing to you such notices and disclosures electronically through the DocuSign system. Please read the information below carefully and thoroughly, and if you can access this information electronically to your satisfaction and agree to this Electronic Record and Signature Disclosure (ERSD),please confirm your agreement by selecting the check-box next to `I agree to use electronic records and signatures' before clicking `CONTINUE' within the DocuSign system. Getting paper copies At any time, you may request from us a paper copy of any record provided or made available electronically to you by us. You will have the ability to download and print documents we send to you through the DocuSign system during and immediately after the signing session and, if you elect to create a DocuSign account, you may access the documents for a limited period of time (usually 30 days) after such documents are first sent to you. After such time, if you wish for us to send you paper copies of any such documents from our office to you, you will be charged a $0.00 per-page fee. You may request delivery of such paper copies from us by following the procedure described below. Withdrawing your consent If you decide to receive notices and disclosures from us electronically, you may at any time change your mind and tell us that thereafter you want to receive required notices and disclosures only in paper format. How you must inform us of your decision to receive future notices and disclosure in paper format and withdraw your consent to receive notices and disclosures electronically is described below. Consequences of changing your mind If you elect to receive required notices and disclosures only in paper format, it will slow the speed at which we can complete certain steps in transactions with you and delivering services to you because we will need first to send the required notices or disclosures to you in paper format, and then wait until we receive back from you your acknowledgment of your receipt of such paper notices or disclosures. Further, you will no longer be able to use the DocuSign system to receive required notices and consents electronically from us or to sign electronically documents from us. All notices and disclosures will be sent to you electronically Unless you tell us otherwise in accordance with the procedures described herein,we will provide electronically to you through the DocuSign system all required notices, disclosures, authorizations, acknowledgements, and other documents that are required to be provided or made available to you during the course of our relationship with you. To reduce the chance of you inadvertently not receiving any notice or disclosure,we prefer to provide all of the required notices and disclosures to you by the same method and to the same address that you have given us. Thus,you can receive all the disclosures and notices electronically or in paper format through the paper mail delivery system. If you do not agree with this process,please let us know as described below. Please also see the paragraph immediately above that describes the consequences of your electing not to receive delivery of the notices and disclosures electronically from us. How to contact Critical Informatics Inc. dba CI Security: You may contact us to let us know of your changes as to how we may contact you electronically, to request paper copies of certain information from us, and to withdraw your prior consent to receive notices and disclosures electronically as follows: To contact us by email send messages to: lori.nguyen@ci.security To advise Critical Informatics Inc. dba CI Security of your new email address To let us know of a change in your email address where we should send notices and disclosures electronically to you, you must send an email message to us at lori.nguyen@ci.security and in the body of such request you must state: your previous email address, your new email address. We do not require any other information from you to change your email address. If you created a DocuSign account,you may update it with your new email address through your account preferences. To request paper copies from Critical Informatics Inc. dba CI Security To request delivery from us of paper copies of the notices and disclosures previously provided by us to you electronically, you must send us an email to lori.nguyen@ci.security and in the body of such request you must state your email address, full name,mailing address, and telephone number. We will bill you for any fees at that time, if any. To withdraw your consent with Critical Informatics Inc. dba CI Security To inform us that you no longer wish to receive future notices and disclosures in electronic format you may: i. decline to sign a document from within your signing session, and on the subsequent page, select the check-box indicating you wish to withdraw your consent, or you may; ii. send us an email to lori.nguyen@ci.security and in the body of such request you must state your email, full name,mailing address, and telephone number. We do not need any other information from you to withdraw consent.. The consequences of your withdrawing consent for online documents will be that transactions may take a longer time to process.. Required hardware and software The minimum system requirements for using the DocuSign system may change over time. The current system requirements are found here: https://support.docusign.com/guides/signer-guide- signing-system-requirements. Acknowledging your access and consent to receive and sign documents electronically To confirm to us that you can access this information electronically,which will be similar to other electronic notices and disclosures that we will provide to you, please confirm that you have read this ERSD, and(i)that you are able to print on paper or electronically save this ERSD for your future reference and access; or(ii)that you are able to email this ERSD to an email address where you will be able to print on paper or save it for your future reference and access. Further, if you consent to receiving notices and disclosures exclusively in electronic format as described herein,then select the check-box next to `I agree to use electronic records and signatures' before clicking `CONTINUE' within the DocuSign system. By selecting the check-box next to `I agree to use electronic records and signatures', you confirm that: • You can access and read this Electronic Record and Signature Disclosure; and • You can print on paper this Electronic Record and Signature Disclosure, or save or send this Electronic Record and Disclosure to a location where you can print it, for future reference and access; and • Until or unless you notify Critical Informatics Inc. dba CI Security as described above, you consent to receive exclusively through electronic means all notices, disclosures, authorizations, acknowledgements, and other documents that are required to be provided or made available to you by Critical Informatics Inc. dba CI Security during the course of your relationship with Critical Informatics Inc. dba CI Security.