AGREEMENT FOR PENETRATION TESTING SERVICES
THIS AGREEMENT, dated for reference purposes only as May 18, 2024, is by and between the City of Renton (the "City") and NetSPI, LLC (the "Consultant"), a Delaware limited liability company. The City and the Consultant are referred to collectively herein as the "Parties". Once fully executed by the Parties, this Agreement is effective as of the last date signed by both parties.
1. Scope of Work: Consultant agrees to provide Security Testing Services, including penetration testing services, as specified in Exhibit A, which is attached and incorporated herein, and which may hereinafter be referred to as the "Work".
2. Changes in Scope of Work: The City, without invalidating this Agreement, may request changes to the Work consisting of additions, deletions or modifications. Any such changes to the Work shall be requested by the City in writing and the Compensation shall be adjusted as mutually agreed by the Parties.
3. Time of Performance: All Work under Exhibit A shall be performed by no later than December 31, 2024. The Agreement is in effect until January 31, 2027, unless earlier terminated as set forth in this Agreement.
4. Compensation:
A. Amount. Total compensation to Consultant for Work provided pursuant to this
Agreement shall not exceed $58,000, as listed in Exhibit A, plus any applicable state
and local sales taxes. Compensation shall be paid based upon Work actually
performed according to the rate(s) or amounts specified in Exhibit A. The Consultant
agrees that any hourly or flat rate charged by it for its Work shall remain locked at the
negotiated rate(s) unless otherwise agreed to in writing or provided in Exhibit A.
Except as specifically provided herein, the Consultant shall be solely responsible for
payment of any taxes imposed as a result of the performance and payment of this
Agreement.
B. Method of Payment. On a monthly or no less than quarterly basis during any quarter in which Work is performed, the Consultant shall submit a voucher or invoice in a form specified by the City, including a description of what Work has been performed, the name of the personnel performing such Work, and any hourly labor charge rate for such personnel. The Consultant shall also submit a final bill upon completion of all Work. Payment shall be made by the City for Work performed within thirty (30) calendar days after receipt and approval by the appropriate City representative of the voucher or invoice. If the Consultant's performance does not meet the requirements of this Agreement, the Consultant will correct or modify its performance to comply with the Agreement. The City may withhold payment for work that does not meet the requirements of this Agreement.
CAG-24-130
C. Effect of Payment. Payment for any part of the Work shall not constitute a waiver by
the City of any remedies it may have against the Consultant for failure of the
Consultant to perform the Work or for any breach of this Agreement by the
Consultant.
D. Non-Appropriation of Funds. If sufficient funds are not appropriated or allocated for
payment under this Agreement for any future fiscal period, the City shall not be
obligated to make payments for Work or amounts incurred after the end of the
current fiscal period, and this Agreement will terminate upon the completion of all
remaining Work for which funds are allocated. No penalty or expense shall accrue to
the City in the event this provision applies.
5. Termination:
A. Either Party reserves the right to terminate this Agreement at any time, with or without cause, by giving ten (10) calendar days' notice to the other Party in writing. In
the event of such termination or suspension, all finished or unfinished documents,
data, studies, worksheets, models and reports, or other material prepared by the
Consultant pursuant to this Agreement shall be submitted to the City, if any are
required as part of the Work.
B. In the event this Agreement is terminated, the Consultant shall be entitled to payment
for all work performed up to the effective date of termination. The Consultant will
refund any payments made for work that has not been performed up to the effective
date of termination. If the Agreement is terminated by the City after partial
performance of Work for which the agreed compensation is a fixed fee, the City shall
pay the Consultant an equitable share of the fixed fee. This provision shall not prevent
the City from seeking any legal remedies it may have for the violation or
nonperformance of any of the provisions of this Agreement and such charges due to
the City shall be deducted from the final payment due the Consultant. No payment
shall be made by the City for any expenses incurred or work done following the
effective date of termination unless authorized in advance in writing by the City.
6. Warranties And Right To Use Work Product: Consultant represents and warrants that Consultant will perform all Work identified in this Agreement in a professional and workmanlike manner and in accordance with all reasonable and professional standards and laws. Compliance with professional standards includes, as applicable, performing the Work in compliance with applicable City standards or guidelines (e.g. design criteria and Standard Plans for Road, Bridge and Municipal Construction). Professional engineers shall certify engineering plans, specifications, plats, and reports, as applicable, pursuant to RCW 18.43.070. Consultant further represents and warrants that all final work product created for and delivered to the City pursuant to this Agreement shall be the original work of the Consultant and free from any intellectual property encumbrance which would restrict the City from using the work product. Consultant grants to the City a non-exclusive, perpetual right and license to use, reproduce, distribute, and display all final work product produced pursuant to this Agreement. The City shall be the sole owner of, and Consultant will assign to the City, all Services and deliverables, and all copyright, patent, trademark, and other proprietary rights in and to the Services and deliverables (the "Work Product"). Notwithstanding the foregoing, the Consultant retains all right, title and interest in the materials it uses to perform the Services or prepare deliverables, including those pre-existing concepts, ideas, models, code, templates, tools, policies, records, working papers, know-how, software, methodologies, technologies or techniques owned by Consultant (the "Consultant Materials"). Consultant grants to the City a non-exclusive, perpetual, royalty free, worldwide, non-transferable right to license and use Consultant Materials incorporated into or otherwise necessary to use any Work Product for the internal use of the City. The license granted to the City in the preceding sentence shall be a worldwide license, provided, however, that the City must comply with all applicable United States export control laws that would restrict use and distribution of deliverables, and the license is subject to any further limitations on use otherwise specified in the applicable statement of work. The provisions of this section shall survive the expiration or termination of this Agreement.
7. Record Maintenance: The Consultant shall maintain accounts and records, which
properly reflect all direct and indirect costs expended and Work provided in the
performance of this Agreement and retain such records for as long as may be required by
applicable Washington State records retention laws, but in any event no less than six
years after the termination of this Agreement. Upon at least fourteen (14) days written
notice the Consultant agrees to provide access to and copies of any records related to this
Agreement as required by the City to comply with the Washington State Public Records
Act (Chapter 42.56 RCW). Consultant also agrees upon at least fourteen (14) days written
notice to provide access to and copies of any records related to this Agreement as
requested by the City to audit expenditures and charges. The provisions of this section
shall survive the expiration or termination of this Agreement.
8. Public Records Compliance: To the full extent necessary to comply with the Washington State Public Records Act, Consultant shall make a due diligent search of all records in its possession or control relating to this Agreement and the Work, including, but not limited to, e-mail, correspondence, notes, saved telephone messages, recordings, photos, or drawings and provide them to the City for production. In the event Consultant believes said records need to be protected from disclosure, it may, at Consultant's own expense, seek judicial protection. Consultant shall indemnify, defend, and hold harmless the City for all costs, including attorneys' fees, attendant to any claim or litigation related to a Public Records Act request for which Consultant has responsive records and for which Consultant has withheld records or information contained therein, or not provided them to the City in a timely manner. Consultant shall produce for distribution any and all records responsive to the Public Records Act request in a timely manner, unless those records are protected by court order. The provisions of this section shall survive the expiration or termination of this Agreement.
9. Independent Contractor Relationship:
A. The Consultant is retained by the City only for the purposes and to the extent set forth
in this Agreement. The nature of the relationship between the Consultant and the City
during the period of the Work shall be that of an independent contractor, not
employee. The Consultant, not the City, shall have the power to control and direct the
details, manner or means of Work. Specifically, but not by means of limitation, the
Consultant shall have no obligation to work any particular hours or particular
schedule, unless otherwise indicated in the Scope of Work or where scheduling of
attendance or performance is mutually arranged due to the nature of the Work.
Consultant shall retain the right to designate the means of performing the Work
covered by this agreement, and the Consultant shall be entitled to employ other
workers at such compensation and such other conditions as it may deem proper,
provided, however, that any contract so made by the Consultant is to be paid by it
alone, and that employing such workers, it is acting individually and not as an agent
for the City.
B. The City shall not be responsible for withholding or otherwise deducting federal
income tax or Social Security or contributing to the State Industrial Insurance
Program, or otherwise assuming the duties of an employer with respect to Consultant
or any employee of the Consultant.
C. If the Consultant is a sole proprietorship or if this Agreement is with an individual, the
Consultant agrees, if applicable, to notify the City and complete any required form if
the Consultant retired under a State of Washington retirement system and agrees to
10. Hold Harmless: The Consultant agrees to release, indemnify, defend, and hold harmless the City, elected officials, employees, officers, representatives, and volunteers from any and all claims, demands, actions, suits, causes of action, arbitrations, mediations, proceedings, judgments, awards, injuries, damages, liabilities, losses, fines, fees, penalties, expenses, attorneys' fees, costs, and/or litigation expenses to or by any and all persons or entities, arising from, resulting from, or related to the negligent acts, errors or omissions of the Consultant in its performance of this Agreement or a breach of this Agreement by Consultant, except for that portion of the claims caused by the City's sole negligence.
Should a court of competent jurisdiction determine that this agreement is subject to RCW 4.24.115 (Validity of agreement to indemnify against liability for negligence relative to construction, alteration, improvement, etc., of structure or improvement attached to real estate), then, in the event of liability for damages arising out of bodily injury to persons or damages to property caused by or resulting from the concurrent negligence of the Consultant and the City, its officers, officials, employees and volunteers, Consultant's liability shall be only to the extent of Consultant's negligence.
It is further specifically and expressly understood that the indemnification provided in this Agreement constitutes Consultant's waiver of immunity under the Industrial Insurance Act, RCW Title 51, if applicable, solely for the purposes of this indemnification. The Parties have mutually negotiated and agreed to this waiver. The provisions of this section shall survive the expiration or termination of this Agreement.
Except for Public Records Act liability, in no event will either party be liable for any incidental, consequential, special, punitive, exemplary or indirect damages, demands, costs, fees, lost business profits, lost data, or downtime arising out of this Agreement or the Work. Each party's total aggregate liability to the other party for all losses, damages, and costs arising out of this Agreement or the Work will not exceed ten million dollars ($10,000,000).
11. Gifts and Conflicts: The City's Code of Ethics and Washington State law prohibit City employees from soliciting, accepting, or receiving any gift, gratuity or favor from any person, firm or corporation involved in a contract or transaction. To ensure compliance with the City's Code of Ethics and state law, the Consultant shall not give a gift of any kind to City employees or officials. Consultant also confirms that Consultant does not have a business interest or a close family relationship with any City officer or employee who was, is, or will be involved in selecting the Consultant, negotiating or administering this Agreement, or evaluating the Consultant's performance of the Work.
12. City of Renton Business License: Unless exempted by the Renton Municipal Code,
Consultant shall obtain a City of Renton Business License prior to performing any Work
and maintain the business license in good standing throughout the term of this
agreement with the City.
Information regarding acquiring a city business license can be found at:
https://www.rentonwa.gov/Tax
Information regarding State business licensing requirements can be found at:
https://dor.wa.gov/doing-business/register-my-business
13. Insurance: Consultant shall secure and maintain:
A. Commercial general liability insurance in the minimum amounts of $1,000,000 for
each occurrence/$2,000,000 aggregate for the Term of this Agreement.
B. In the event that Work delivered pursuant to this Agreement either directly or
indirectly involve or require Professional Services, Professional Liability, Errors and
Omissions coverage shall be provided with minimum limits of $1,000,000 per
occurrence. "Professional Services", for the purpose of this section, shall mean any
Work provided by a licensed professional or Work that requires a professional
standard of care.
C. Workers' compensation coverage, as required by the Industrial Insurance laws of the State of Washington, shall also be secured.
D. Commercial Automobile Liability for hired and non-owned with minimum limits of $1,000,000 per occurrence combined single limit, if there will be any use of Consultant's vehicles on the City's premises in connection with this Agreement, other than normal commutes.
E. Consultant shall name the City as an Additional Insured on its commercial general liability policy on a non-contributory primary basis. The City's insurance policies shall not be a source for payment of any Consultant liability, nor shall the maintenance of any insurance required by this Agreement be construed to limit the liability of Consultant to the coverage provided by such insurance or otherwise limit the City's recourse to any remedy available at law or in equity. Limits requirements may be satisfied by a combination of primary and excess insurance.
F. Subject to the City's review and acceptance, a certificate of insurance showing the proper endorsements shall be delivered to the City before performing the Work.
G. Consultant shall provide the City with written notice of any policy cancellation, within
two (2) business days of their receipt of such notice.
14. Delays: Consultant is not responsible for delays caused by factors beyond the Consultant's reasonable control. When such delays beyond the Consultant's reasonable control occur, the City agrees the Consultant is not responsible for damages, nor shall the Consultant be deemed to be in default of the Agreement.
15. Successors and Assigns: Neither the City nor the Consultant shall assign, transfer or
encumber any rights, duties or interests accruing from this Agreement without the
written consent of the other.
16. Notices: Any notice required under this Agreement will be in writing, addressed to the
appropriate party at the address which appears below (as modified in writing from time
to time by such party), and given personally, by registered or certified mail, return receipt
requested, by facsimile or by nationally recognized overnight courier service. Time period
for notices shall be deemed to have commenced upon the date of receipt, EXCEPT
facsimile delivery will be deemed to have commenced on the first business day following
transmission. Email and telephone may be used for purposes of administering the
Agreement, but should not be used to give any formal notice required by the Agreement.
CITY OF RENTON
Brett Tietjen
1055 South Grady Way
Renton, WA 98057
Phone: (425) 430-6878
btietjen@rentonwa.gov
CONSULTANT
Project Manager: Felicia Weiderin
241 N 5th Ave, Suite 1200
Minneapolis, MN 55401
Phone: 414-530-1144
E-mail: fjohnson@netspi.com
17. Discrimination Prohibited: Except to the extent permitted by a bona fide occupational
qualification, the Consultant agrees as follows:
A. The Consultant, with regard to the Work performed or to be performed under this Agreement, shall
not discriminate on the basis of race, color, sex, religion, nationality, creed, marital
status, sexual orientation or preference, age (except minimum age and retirement
provisions), honorably discharged veteran or military status, or the presence of any
sensory, mental or physical handicap, unless based upon a bona fide occupational
qualification in relationship to hiring and employment, in employment or application
for employment, the administration of the delivery of Work or any other benefits
under this Agreement, or procurement of materials or supplies.
B. The Consultant will take affirmative action to insure that applicants are employed and
that employees are treated during employment without regard to their race, creed,
color, national origin, sex, age, sexual orientation, physical, sensory or mental
handicaps, or marital status. Such action shall include, but not be limited to the
following employment, upgrading, demotion or transfer, recruitment or recruitment
advertising, layoff or termination, rates of pay or other forms of compensation and
selection for training.
C. In the event the Consultant fails to comply with the foregoing non-discrimination provisions, the City shall have the right, at its option, to cancel the Agreement in whole or in part.
D. The Consultant is responsible to be aware of and in compliance with all federal, state
and local laws and regulations that may affect the satisfactory completion of the
project, which includes but is not limited to fair labor laws, worker's compensation,
and Title VI of the Federal Civil Rights Act of 1964, and will comply with City of Renton
Council Resolution Number 4085. City of Renton Council Resolution Number 4085
18. Miscellaneous: The parties hereby acknowledge:
A. The City is not responsible to train or provide training for Consultant.
B. Consultant will not be reimbursed for job related expenses except to the extent
specifically agreed within the attached exhibits.
C. Consultant shall furnish all tools and/or materials necessary to perform the Work
except to the extent specifically agreed within the attached exhibits.
D. In the event special training, licensing, or certification is required for Consultant to
provide Work he/she will acquire or maintain such at his/her own expense and, if
Consultant employs, sub-contracts, or otherwise assigns the responsibility to perform
the Work, said employee/sub-contractor/assignee will acquire and or maintain such
training, licensing, or certification.
E. This is a non-exclusive agreement and Consultant is free to provide his/her Work to
other entities, so long as there is no interruption or interference with the provision of
Work called for in this Agreement.
F. Consultant is responsible for his/her own insurance, including, but not limited to
health insurance.
G. Consultant is responsible for his/her own tax, licensing and similar obligations, and for those of any persons employed by the Consultant.
19. Other Provisions:
A. Approval Authority. Each individual executing this Agreement on behalf of the City
and Consultant represents and warrants that such individuals are duly authorized to
execute and deliver this Agreement on behalf of the City or Consultant.
B. General Administration and Management. The City's project manager is Ian Hardgrave. In providing Work, Consultant shall coordinate with the City's contract manager or his/her designee.
C. Amendment and Modification. This Agreement may be amended only by an
instrument in writing, duly executed by both Parties.
D. Conflicts. In the event of any inconsistencies between Consultant proposals and this
Agreement, the terms of this Agreement shall prevail. Any exhibits/attachments to
this Agreement are incorporated by reference only to the extent of the purpose for
which they are referenced within this Agreement. To the extent a Consultant
prepared exhibit conflicts with the terms in the body of this Agreement or contains
terms that are extraneous to the purpose for which it is referenced, the terms in the
body of this Agreement shall prevail and the extraneous terms shall not be
incorporated herein.
E. Governing Law. This Agreement shall be made in and shall be governed by and interpreted in accordance with the laws of the State of Washington and the City of Renton. Consultant and all of the Consultant's employees shall perform the Work in accordance with all applicable federal, state, county and city laws, codes and ordinances.
F. Joint Drafting Effort. This Agreement shall be considered for all purposes as prepared
by the joint efforts of the Parties and shall not be construed against one party or the
other as a result of the preparation, substitution, submission or other event of
negotiation, drafting or execution.
G. Jurisdiction and Venue. Any lawsuit or legal action brought by any party to enforce or
interpret this Agreement or any of its terms or covenants shall be brought in the King
County Superior Court for the State of Washington at the Maleng Regional Justice
Center in Kent, King County, Washington, or its replacement or successor. Consultant
hereby expressly consents to the personal and exclusive jurisdiction and venue of
such court even if Consultant is a foreign corporation not registered with the State of
Washington.
H. Severability. A court of competent jurisdiction's determination that any part of this Agreement is illegal or unenforceable shall not cancel or invalidate the remainder of this Agreement, which shall remain in full force and effect.
I. Sole and Entire Agreement. This Agreement contains the entire agreement of the
Parties and any representations or understandings, whether oral or written, not
incorporated are excluded.
J. Time is of the Essence. Time is of the essence of this Agreement and each and all of its provisions in which performance is a factor. Adherence to completion dates set forth in the description of the Work is essential to the Consultant's performance of this Agreement.
K. Third-Party Beneficiaries. Nothing in this Agreement is intended to, nor shall be
construed to give any rights or benefits in the Agreement to anyone other than the
Parties, and all duties and responsibilities undertaken pursuant to this Agreement will
be for the sole and exclusive benefit of the Parties and no one else.
L. Binding Effect. The Parties each bind themselves, their partners, successors, assigns,
and legal representatives to the other party to this Agreement, and to the partners,
successors, assigns, and legal representatives of such other party with respect to all
covenants of the Agreement.
M. Waivers. All waivers shall be in writing and signed by the waiving party. Either party's failure to enforce any provision of this Agreement shall not be a waiver and shall not
prevent either the City or Consultant from enforcing that provision or any other
provision of this Agreement in the future. Waiver of breach of any provision of this
Agreement shall not be deemed to be a waiver of any prior or subsequent breach
unless it is expressly waived in writing.
N. Counterparts. The Parties may execute this Agreement in any number of
counterparts, each of which shall constitute an original, and all of which will together
constitute this one Agreement.
20. Appendix II to Part 200 Contract Provisions for Non-Federal Entity Contracts Under
Federal Awards
In addition to other provisions required by the Federal agency or non-Federal entity, all
contracts made by the non-Federal entity under the Federal award must contain provisions
covering the following, as applicable.
A. Contracts for more than the simplified acquisition threshold, which is the inflation
adjusted amount determined by the Civilian Agency Acquisition Council and the Defense
Acquisition Regulations Council (Councils) as authorized by 41 U.S.C. 1908, must address
administrative, contractual, or legal remedies in instances where contractors violate or
breach contract terms, and provide for such sanctions and penalties as appropriate.
B. All contracts in excess of $10,000 must address termination for cause and for
convenience by the non-Federal entity including the manner by which it will be effected
and the basis for settlement.
C. Equal Employment Opportunity. Except as otherwise provided under 41 CFR Part 60, all contracts that meet the definition of "federally assisted construction contract" in 41 CFR Part 60-1.3 must include the equal opportunity clause provided under 41 CFR 60-1.4(b), in accordance with Executive Order 11246, "Equal Employment Opportunity" (30 FR 12319, 12935, 3 CFR Part, 1964-1965 Comp., p. 339), as amended by Executive Order 11375, "Amending Executive Order 11246 Relating to Equal Employment Opportunity," and implementing regulations at 41 CFR part 60, "Office of Federal Contract Compliance Programs, Equal Employment Opportunity, Department of Labor."
D. Davis-Bacon Act, as amended (40 U.S.C. 3141-3148). When required by Federal program legislation, all prime construction contracts in excess of $2,000 awarded by non-Federal entities must include a provision for compliance with the Davis-Bacon Act (40 U.S.C. 3141-3144, and 3146-3148) as supplemented by Department of Labor regulations (29 CFR Part 5, "Labor Standards Provisions Applicable to Contracts Covering Federally Financed and Assisted Construction"). In accordance with the statute, contractors must be required to pay wages to laborers and mechanics at a rate not less than the prevailing wages specified in a wage determination made by the Secretary of Labor. In addition, contractors must be required to pay wages not less than once a week. The non-Federal entity must place a copy of the current prevailing wage determination issued by the Department of Labor in each solicitation. The decision to award a contract or subcontract must be conditioned upon the acceptance of the wage determination. The non-Federal entity must report all suspected or reported violations to the Federal awarding agency. The contracts must also include a provision for compliance with the Copeland "Anti-Kickback" Act (40 U.S.C. 3145), as supplemented by Department of Labor regulations (29 CFR Part 3, "Contractors and Subcontractors on Public Building or Public Work Financed in Whole or in Part by Loans or Grants from the United States"). The Act provides that each contractor or subrecipient must be prohibited from inducing, by any means, any person employed in the construction, completion, or repair of public work, to give up any part of the compensation to which he or she is otherwise entitled. The non-Federal entity must report all suspected or reported violations to the Federal awarding agency.
E. Contract Work Hours and Safety Standards Act (40 U.S.C. 3701 3708). Where
applicable, all contracts awarded by the non-Federal entity in excess of $100,000 that
involve the employment of mechanics or laborers must include a provision for
compliance with 40 U.S.C. 3702 and 3704, as supplemented by Department of Labor
regulations (29 CFR Part 5). Under 40 U.S.C. 3702 of the Act, each contractor must be
required to compute the wages of every mechanic and laborer on the basis of a
standard work week of 40 hours. Work in excess of the standard work week is
permissible provided that the worker is compensated at a rate of not less than one and
a half times the basic rate of pay for all hours worked in excess of 40 hours in the work
week. The requirements of 40 U.S.C. 3704 are applicable to construction work and
provide that no laborer or mechanic must be required to work in surroundings or under
working conditions which are unsanitary, hazardous or dangerous. These requirements
do not apply to the purchases of supplies or materials or articles ordinarily available on
the open market, or contracts for transportation or transmission of intelligence.
F. Rights to Inventions Made Under a Contract or Agreement. If the Federal award meets the definition of "funding agreement" under 37 CFR § 401.2 (a) and the recipient or subrecipient wishes to enter into a contract with a small business firm or nonprofit organization regarding the substitution of parties, assignment or performance of experimental, developmental, or research work under that "funding agreement," the recipient or subrecipient must comply with the requirements of 37 CFR Part 401, "Rights to Inventions Made by Nonprofit Organizations and Small Business Firms Under Government Grants, Contracts and Cooperative Agreements," and any implementing regulations issued by the awarding agency.
G. Clean Air Act (42 U.S.C. 7401-7671q.) and the Federal Water Pollution Control Act (33 U.S.C. 1251-1387), as amended. Contracts and subgrants of amounts in excess of
$150,000 must contain a provision that requires the non-Federal award to agree to
comply with all applicable standards, orders or regulations issued pursuant to the Clean
Air Act (42 U.S.C. 7401 7671q) and the Federal Water Pollution Control Act as amended
(33 U.S.C. 1251 1387). Violations must be reported to the Federal awarding agency and
the Regional Office of the Environmental Protection Agency (EPA).
H. Debarment and Suspension (Executive Orders 12549 and 12689). A contract award (see 2 CFR 180.220) must not be made to parties listed on the governmentwide exclusions in the System for Award Management (SAM), in accordance with the OMB guidelines at 2 CFR 180 that implement Executive Orders 12549 (3 CFR part 1986 Comp., p. 189) and 12689 (3 CFR part 1989 Comp., p. 235), "Debarment and Suspension." SAM Exclusions contains the names of parties debarred, suspended, or otherwise excluded by agencies, as well as parties declared ineligible under statutory or regulatory authority other than Executive Order 12549.
I. Byrd Anti-Lobbying Amendment (31 U.S.C. 1352). Contractors that apply or bid for an
award exceeding $100,000 must file the required certification. Each tier certifies to the
tier above that it will not and has not used Federal appropriated funds to pay any
person or organization for influencing or attempting to influence an officer or employee
of any agency, a member of Congress, officer or employee of Congress, or an employee
of a member of Congress in connection with obtaining any Federal contract, grant or
any other award covered by 31 U.S.C. 1352. Each tier must also disclose any lobbying
with non-Federal funds that takes place in connection with obtaining any Federal award.
Such disclosures are forwarded from tier to tier up to the non-Federal award.
J. See § 200.323.
K. See § 200.216.
L. See § 200.322.
21. SLCGP Contracting and Procurement Requirements
A. Per SLCGP requirements, all contracting agreements entered into pursuant to the SLCGP
agreement shall incorporate the agreement by reference, represented in this document
as Exhibit C.
1. Any and all parties to this agreement agree to comply and be bound by the
requirements set forth therein.
IN WITNESS WHEREOF, the Parties have voluntarily entered into this Agreement as of the date last signed by the Parties below.
CITY OF RENTON
By: _____________________________
Date: 5/18/2024
NetSPI, LLC
By: ____________________________
Name
Title
Date: 5/18/2024
Approved by Cheryl Beyer via email 5/17/2024
Exhibit A Scope, Deliverables and Pricing
Attached Separately
Exhibit B City of Renton 2022 SLCGP Agreement
Attached Separately
EXHIBIT A
NetSPI Proposal for:
External Network, Wireless Network,
Adversarial Simulation, Internal Network
Services
City of Renton
April 5, 2024
Prepared For:Brett Tietjen
Prepared By:Noah Katula
Proposal ID:23426-V3
241 N 5th Ave, Suite 1200
Minneapolis, MN 55401
Contents
Proposal
About NetSPI and Our Services
Penetration Testing Methodology
NetSPI Engagement Management
Key Deliverables
Statement of Work
Engagement Overview
Penetration Testing as a Service (PTaaS)
Pricing Summary
Terms and Conditions
Acknowledgment and Acceptance
Appendix A: Full Service Descriptions
Proposal
About NetSPI and Our Services
NetSPI is a penetration testing company that is transforming the cybersecurity testing industry with
technology-enabled services and prevention-based cyber security techniques. Global enterprises choose
NetSPI's penetration testing services to test their applications, networks, and cloud infrastructure at scale and
continuously manage their attack surfaces. Learn why people choose NetSPI and explore our breadth of
enterprise security testing services.
For insight into our penetration testing process, view the links below:
Penetration Testing Methodology
NetSPI Engagement Management
Key Deliverables
Statement of Work
Engagement Overview
Based on NetSPI's understanding of the primary scope requirements, we propose the following services to achieve City of Renton's critical business objectives. Our recommendations are based on our extensive experience working hands-on to help similar organizations mitigate security risks through expert pentesting, analysis, and reporting. Our ultimate objective is to provide City of Renton with vulnerability findings for in-scope applications or environments, share actionable, prioritized recommendations to help your organization plan remediation activities, reduce risk to your business and operations, easily scale to address the level of complexity of your assessment, and improve your overall security posture.
Below is a description of our recommended services (please see Appendix A for more detail):
External Penetration Testing
NetSPI will identify City of Renton's susceptibility to an external penetration from the Internet (e.g., hacker, worm, etc.). We will identify and verify system, network, and application layer weaknesses. We will target identified vulnerabilities and attempt to gain unauthorized access to networks, systems, hosts, and applications that may host sensitive or restricted data (including PCI data, PII, PHI, etc.). NetSPI relies on expert manual testing and leverages commercial, open source, and proprietary software to fulfill test objectives.
Wireless Penetration Testing
wireless infrastructure or unauthorized rogue wireless networks connected to the internal corporate network. NetSPI will use a combination of manual techniques, commercial and open source tools, in addition to proprietary scripts, to identify weaknesses in corporate wireless configurations as well as identify and locate unauthorized wireless networks in the environment.
Social Engineering: Phone-Based Social Engineering
Phone-based social engineering tests identify and minimize risk to your organization as it relates to real-time social engineering attacks. Phone calls will be placed to persuade employees to divulge sensitive information, and scenarios will be designed based on information identified through public resources. Campaigns can follow an audit-based or open-ended approach, based on project goals. NetSPI will also review policy, process, and technical controls that can help reduce the impact of phone-based attacks.
Internal Penetration Testing
NetSPI will identify City of Renton's susceptibility to a penetration from an internal threat (e.g., malicious user, third party, or attacker that has breached the perimeter). We will identify and verify system, network, and application layer weaknesses. We will target identified vulnerabilities and attempt to gain unauthorized access to networks, systems, hosts, and applications that may host any sensitive or restricted data (including PCI data, PII, PHI, etc.). NetSPI relies on expert manual testing and leverages commercial, open source, and proprietary software to fulfill test objectives.
Penetration Testing as a Service (PTaaS)
With every NetSPI engagement, City of Renton a Service (PTaaS) platform, Resolve. PTaaS is a delivery model for penetration testing. It enables you to simplify the scoping of new engagements, view testing results in real time, orchestrate faster remediation, perform always-on continuous testing, and more, all through the Resolve vulnerability management and orchestration platform. The following describes the functionality you receive with the PTaaS subscription:
Manage Findings and Remediation: All vulnerabilities are correlated, deduplicated, and accessible directly through Resolve with the ability to search, sort, query, and filter your data. All vulnerability findings are aggregated in real time and include a detailed description, severity rating, impact analysis, and remediation instructions. Each finding also includes hand-written reproduction steps to guide you in reproducing and remediating your vulnerabilities.
Program Management: The Program Management Dashboard houses all of your NetSPI engagements and reports on the status and results of your penetration tests. The dashboard also highlights the efficacy of each
Scan Monster vs. traditional single network scanners). Resolve enables clients to collaborate directly with their testing team on specific assessments, Findings, Instances, Assets and more. It also enables direct communication with your client delivery manager to request additional assessments or make adjustments to upcoming assessments. This centralized communication reduces inefficient e-mail correspondence and streamlines communications among all stakeholders.
Reporting and Trend Analysis: Access detailed vulnerability reports as well as executive summaries
detailing at a high-level the results of the engagement. With Resolve you gain year-round trend analysis and
access to dashboards tracking the state of your remediation efforts for all vulnerabilities.
Continuous Penetration Testing: As a PTaaS client, you have the option to enhance your standard
penetration tests with recurring touchpoints throughout the year. Between your deep-dive manual penetration
tests, you can connect directly with your assigned NetSPI team in the Resolve platform to request additional
testing for the supported service lines. Continuous testing results are aggregated into your respective
applications/networks to give you an all-time view of your findings, irrespective of the assessment they were
found on.
Pricing Summary
Name: External Penetration Test
QTY: 1
Price: $16,125.00
Scope and Assumptions: One (1) deep dive Standard External Penetration Test:
- Discovery scanning on up to 64 total IP addresses
- Testing on up to 40 active systems
- Unauthenticated testing of web interfaces or applications identified through service discovery in addition to 27 specific URLs
- Privilege escalation will be performed where possible
- Remediation testing is included; each medium and higher vulnerability may be retested, in a single batch process, 1 time within 90 calendar days of delivery of preliminary reports
- Testing will be conducted from NetSPI facilities
- Remediation testing will be conducted from NetSPI facilities, will not be restricted to specific times of day, and may occur 24x7
- Testing in a production environment
- A testing schedule will be coordinated between NetSPI project managers and client stakeholders
- Open source intelligence (OSINT) discovery will not be restricted to specific times of day and may occur 24x7
- Discovery scanning (ping/port scanning and domain enumeration) will not be restricted to specific times and may occur 24x7
- Automated testing (scanning) will not be restricted to specific times of day and may occur 24x7
- Manual testing will not be restricted to specific times of day and may occur 24x7
- Findings analysis, reporting, and quality assurance reviews
- One report
Deliverables Include:
- Comprehensive Vulnerability PDF Report
- CSV Export of Identified Vulnerabilities
- Attestation Letter

Name: Wireless Penetration Test
QTY: 1
Price: $12,900.00
Scope and Assumptions: One (1) Standard Wireless Network Penetration Test:
- Testing of up to 3 wireless networks (SSIDs) at each of 2 physical locations
- Rogue access point detection will not be performed
- Remediation testing is included; each medium and higher vulnerability may be retested, in a single batch process, 1 time within 90 calendar days of delivery of preliminary reports
- Testing will be conducted from NetSPI facilities
- Remediation testing will be conducted from NetSPI facilities, will not be restricted to specific times of day, and may occur 24x7
- Testing in a production environment
- A testing schedule will be coordinated between NetSPI project managers and client stakeholders
- Findings analysis, reporting, and quality assurance reviews
- One report
Deliverables Include:
- Comprehensive Vulnerability PDF Report
- CSV Export of Identified Vulnerabilities
- Attestation Letter

Name: Social Engineering: Phone-Based Social Engineering
QTY: 1
Price: $10,850.00
Scope and Assumptions: One (1) Standard Social Engineering: Phone-Based Social Engineering assessment:
- 1 customer / client account access scenario
- Approximately 15 pretexting calls will be conducted; individual targets will be called a maximum of 3 times, with a total of 45 attempts
- Target phone numbers will be provided to NetSPI; client will confirm that all targets are corporate resources (e.g., company-provided phones, laptops, etc.)
- NetSPI will utilize an open-ended approach with the goal of identifying missing policies and edge case vulnerabilities. Information obtained will be leveraged throughout the test to build an overall attack narrative.
- By executing this Statement of Work, Client consents to all calls with employees being recorded and NetSPI's use of Caller ID-spoofing tools to increase the effectiveness of the engagement
- NetSPI will use a cloud-based service to place calls
- All testing will be conducted during daytime business hours
- Findings analysis, reporting, and quality assurance reviews
- One report
Deliverables Include:
- Comprehensive Vulnerability PDF Report
- CSV Export of Identified Vulnerabilities
- Attestation Letter

Name: Internal Penetration Test
QTY: 1
Price: $18,060.00
Scope and Assumptions: One (1) deep dive Standard Internal Penetration Test:
- Discovery scanning on up to 762 total IP addresses
- Testing on a sample of up to 100 active systems from an environment containing 107 total systems
- Privilege escalation will be performed where possible
- Remediation testing is included; each high and critical vulnerability may be retested, in a single batch process, 1 time within 90 calendar days of delivery of preliminary reports
- Testing will be conducted from NetSPI facilities
- Remediation testing will be conducted from NetSPI facilities, will not be restricted to specific times of day, and may occur 24x7
- Testing in a production environment
- A testing schedule will be coordinated between NetSPI project managers and client stakeholders
- Automated testing (scanning) will not be restricted to specific times of day and may occur 24x7
- Manual testing will not be restricted to specific times of day and may occur 24x7
- Findings analysis, reporting, and quality assurance reviews
- One report
Deliverables Include:
- Comprehensive Vulnerability PDF Report
- CSV Export of Identified Vulnerabilities
- Attestation Letter

Subtotal: $57,935.00
1 Year Subscription: $57,935.00
Travel & Expenses - Travel and related expenses are billed at cost as they are incurred - TBD
Included with NetSPI PTaaS Subscriptions
Access to Resolve PTaaS enables:
Management of findings and remediation efforts
Program Management
Reporting and trend analysis
Secure communication with NetSPI personnel
Remediation and SLA assignments
Persona Dashboards
Unlimited seats
Severity rating customization
DataLab analytics
Engagement Management
NetSPI will provide engagement planning, meeting coordination, and single point of
contact and status updates.
Pricing and invoicing considerations are:
1. This is a subscription service that does not include travel or other expenses. 100% of the Subscription total
will be invoiced on May 31st, 2024.
2. All prices are shown in USD and all payments must be made in US Currency.
3. Pricing is exclusive of applicable sales taxes and any other applicable taxes that may be required.
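The Pricing Summary fixes hard caps per service (64 discovery IPs, 40 active systems and 27 URLs for the external test; 762 IPs and a 100-system sample for the internal test), and the Terms and Conditions make the Client warrant that every Resource handed over is owned or controlled by the Client. The following is an added example, not NetSPI's or the City's tooling, of a pre-engagement check a client security lead could run over the proposed target list before sending it: the ranges, domains and URLs in it are constructed sample data, and the caps are the ones stated above.

```python
"""Pre-engagement scope check against the SOW caps in the Pricing Summary.

Added example; not NetSPI's or the City's code. Owned ranges, domains and
URLs below are constructed sample values. The per-service caps are copied
from the Pricing Summary of this proposal.
"""
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class SowLimits:
    """Per-service caps from the Pricing Summary."""
    name: str
    max_discovery_ips: int   # "Discovery scanning on up to N total IP addresses"
    max_active_systems: int  # "Testing on up to N active systems"
    max_urls: int            # "... in addition to N specific URLs" (0 = none)


EXTERNAL_LIMITS = SowLimits("External Penetration Test", 64, 40, 27)
INTERNAL_LIMITS = SowLimits("Internal Penetration Test", 762, 100, 0)


def expand_targets(targets):
    """Expand single IPs and CIDR blocks into the set of addresses a discovery
    scan would touch. Network and broadcast addresses are counted too, since
    the cap is on total addresses, not usable hosts."""
    addrs = set()
    for target in targets:
        addrs.update(ipaddress.ip_network(target, strict=False))
    return addrs


def check_scope(targets, urls, owned_ranges, owned_domains, limits, active_systems=0):
    """Return a report dict; 'ok' is True only when every target is inside a
    Client-warranted range/domain and no Pricing Summary cap is exceeded.

    owned_ranges / owned_domains model the Resources the Client warrants it
    owns or controls (Terms and Conditions, clause (i)). Anything outside them
    would need the third-party consent agreement the terms describe."""
    owned_nets = [ipaddress.ip_network(r, strict=False) for r in owned_ranges]
    addrs = expand_targets(targets)
    problems = []

    # 1. Ownership: every address must fall inside a Client-warranted range.
    for addr in sorted(addrs):
        if not any(addr in net for net in owned_nets):
            problems.append(f"{addr}: not inside a Client-owned range; needs third-party consent")

    # 2. URL hosts: accept an IP that is already in scope, or a hostname under
    #    an owned domain. No DNS is used, so this runs fully offline.
    for url in urls:
        host = urlsplit(url).hostname or ""
        try:
            in_scope = ipaddress.ip_address(host) in addrs
        except ValueError:  # not an IP literal, treat as a hostname
            in_scope = any(host == d or host.endswith("." + d) for d in owned_domains)
        if not in_scope:
            problems.append(f"{url}: host is not a scoped IP or an owned domain")

    # 3. Quantity caps from the Pricing Summary.
    if len(addrs) > limits.max_discovery_ips:
        problems.append(f"{len(addrs)} IP addresses exceed the discovery cap of {limits.max_discovery_ips}")
    if active_systems > limits.max_active_systems:
        problems.append(f"{active_systems} active systems exceed the cap of {limits.max_active_systems}")
    if len(urls) > limits.max_urls:
        problems.append(f"{len(urls)} URLs exceed the cap of {limits.max_urls}")

    return {"service": limits.name, "ip_count": len(addrs),
            "url_count": len(urls), "problems": problems, "ok": not problems}


if __name__ == "__main__":
    # Constructed sample data (documentation ranges and an example domain).
    owned_ranges = ["203.0.113.0/24", "198.51.100.0/25"]
    owned_domains = ["example.org"]
    report = check_scope(
        targets=["203.0.113.0/26", "198.51.100.200"],   # 65 addresses, one unowned
        urls=["https://portal.example.org/login", "https://vendor.example.net/"],
        owned_ranges=owned_ranges, owned_domains=owned_domains,
        limits=EXTERNAL_LIMITS, active_systems=41,
    )
    for line in report["problems"]:
        print("SCOPE PROBLEM:", line)
    print("ok" if report["ok"] else "scope must be corrected before signing")
```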
Terms and Conditions
Additional service terms specific to the Services outlined in this SoW are set forth below. For the
avoidance of doubt, these terms are specific to this SoW and do not supersede the terms of the MSA.
By executing this SOW, Client represents and warrants that (i) all applications, computers, IP ranges,
) identified for testing in this
SOW are owned by or under the control of Client, and (ii) if the status of any Resources changes during the
term of this SOW, Client will immediately notify NetSPI regarding the change. For any Resource(s) which
Client does not own or control but would like to include for testing within the scope of this SOW, NetSPI may
be able to accommodate such testing subject to the execution of a third party security services consent and
authorization agreement by NetSPI, Client, and the third party that owns or controls such Resource(s).
1. Client is purchasing PTaaS on a subscription basis for the entire term of this SoW, which begins on the
the Service Period. The Subscription Total reflects pricing for the Service Period. If all Services listed in
the Pricing Summary are not performed during the Service Period, no credits are given for paid but
unused Services.
2. Any meeting to review results or reports (including preliminary results or reports) must be held no later
Client. NetSPI may charge Client on a
time and materials basis for preparation and attendance at meetings held after this 45-day period.
Terms Applicable to Resolve
1. Definitions:
o proprietary software as a service application in the version and release
made available to Client.
o
which may be made available to Client in conjunction with Resolve.
o
reports that are provided as Deliverables.
2. NetSPI hereby grants Client a limited, non-exclusive, non-transferable worldwide right to access and use
Resolve solely for the purpose of receiving Services enabled by Resolve and reviewing Deliverables
available through Resolve, for the duration of the Service Period. This right to use Resolve shall be
considered part of the Services, and subject to the same terms that apply to Services.
3. Client may only access and use Resolve via a NetSPI instance of a cloud environment located in the
United States or Canada using credentials supplied by NetSPI. NetSPI will set up Client users based on
the functional roles each user will play, and each user will be extended single user access to each of the
modules that are applicable to their specific roles. Client shall be solely responsible for ensuring that its
own systems are operating in a manner that permits Resolve to be available to its authorized users.
4. Client may permit a third party that Client has engaged to manage its information technology systems
act as a Client user of Resolve, but only if Client notifies NetSPI of the identity of the Provider and obtains
such Provider is a NetSPI competitor) to treat such Provider as one of
to and use of Resolve shall be subject to the same terms and conditions as any Client user, and Client
will be responsible for any unauthorized use or further disclosure of any portion of Resolve by any user
including a Provider.
Appendix A: Full Service Descriptions
Full Description
External Penetration Testing
Penetration Test, NetSPI will identify security issues on relevant City of Renton Internet-facing infrastructure
External Penetration Test follows this process:
NetSPI will work with the Client to gather information on the current network architecture, implemented technologies, and planned security initiatives.
from the perspective of an anonymous user (non-credentialed testing). During the testing, NetSPI will follow manual and automated processes that use commercial, open source, and proprietary software.
An overview of the test approach is as follows:
System and Service Discovery
Based on IP ranges or a list of individual targets provided by the Client, NetSPI will identify relevant IP addresses, domain names, and accessible services that will be targeted during testing by reviewing public resources, performing DNS enumeration, and scanning identified IP addresses.
Vulnerability Enumeration: Automated Vulnerability Scanning
This testing phase uses multiple vulnerability assessment scanners, including web application scanners, from an unauthenticated perspective. Network and system testing includes, but is not limited to, identifying open ports, services, and known vulnerabilities related to missing patches and configuration weaknesses.
Vulnerability Enumeration: Manual Verification
NetSPI always conducts manual verification of medium and high severity issues to identify exploitable or significant vulnerabilities. During this phase NetSPI will attempt to leverage identified issues to gain unauthorized access to systems, applications, and sensitive data.
Vulnerability Enumeration: Manual Web Application Testing
Using manual and automated processes, NetSPI will identify application vulnerabilities and exploits with anonymous and/or self-registered users. Our testing includes, but is not limited to, OWASP Top 10 vulnerabilities such as advanced SQL injection, cross site scripting/request forgery, injection flaws, identification of usernames and passwords for user and administrative interfaces, information leakage, forced browsing, and weak access controls (including bypassing access controls).
Vulnerability Enumeration: Manual Dictionary Attacks
NetSPI will gather potential usernames and email addresses from publicly accessible resources and attempt to guess associated passwords in order to gain unauthorized access to VPN, systems, applications, and sensitive data. As part of this effort, NetSPI will identify management interfaces where multi-factor authentication is not in use.
Vulnerability Enumeration: Open Source Intelligence Review
NetSPI will review open source intelligence resources for confidential data leakage such as emails, passwords, configuration information, source code, and sensitive documents.
Network Pivoting
NetSPI will attempt to pivot through internet-facing systems and applications to gain a foothold on the internal network using a variety of tools and techniques. This includes, but is not limited to, reverse SSH tunneling, ICMP tunneling, TCP tunneling, UDP tunneling, and web shells.
Domain Privilege Escalation
NetSPI will map domain trust relationships, identify excessive privilege paths, and exploit them to gain administrative access in the domain in order to facilitate access to critical resources.
Access Sensitive Data and Critical Systems
Using successful exploit paths, NetSPI will attempt to gain unauthorized access to critical information assets such as systems, applications, and databases that are considered high value by your organization.
processes, NetSPI will suggest strategies for improvement and assign priority to deficiencies based on potential business impact and likelihood of process failure or exploitation. NetSPI will also collaborate with City of Renton stakeholders so that notable findings may then be analyzed and compared against program goals and compliance requirements.
Wireless Penetration Testing
Wireless network devices are often misconfigured or being used without the explicit permission or knowledge of the company, leaving critical internal systems and sensitive information vulnerable to threats such as disgruntled employees, contractors, and external attackers. During the Wireless Penetration Test
vulnerabili
order to prevent system or data compromise through this attack vector
The following is an overview of the Wireless Penetration Test service:
NetSPI will begin by conducting an interview with the Client to discuss the wireless implementation. Topics will include a high-level overview of the wireless architecture, configuration management, authentication, and encryption methods.
NetSPI will evaluate the Clie
from the perspective of an anonymous user. During the test, manual and automated processes will be followed that leverage commercial, open source, and proprietary software. The following objectives are typically targeted during this phase of the assessment:
Attempt to gain unauthorized access to in-scope wireless networks.
Attempt to gain unauthorized access to workstations via wireless connections.
Perform a site walkthrough to identify existing rogue access points.
Install rogue access points to determine if end users will connect to unknown devices.
program processes, NetSPI will suggest strategies for improvement and assign priority to deficiencies based on potential business impact and likelihood of process failure or exploitation. NetSPI will also collaborate with City of Renton stakeholders so that notable findings may then be analyzed and compared against program goals and compliance requirements.
Social Engineering: Phone-Based Social Engineering
In order to determine the current level of employee security awareness, NetSPI will make calls to City of Renton employees in an attempt to persuade them to divulge sensitive information. NetSPI will also review policy and process that can help reduce the impact of phone-based attacks. NetSPI will then provide actionable recommendations, for controls and user awareness training, to help improve City of Renton's overall security posture and minimize risk. This engagement and its deliverables will assist City of Renton in reducing risk by continuing employee awareness training and maintaining secure procedures.
The following is an overview of the Social Engineering: Phone-Based Social Engineering service:
Call scenarios can be designed based on two styles:
Policy Check: NetSPI will use a standard script and pretext throughout each scenario, with the goal of gathering client-defined sensitive information during each placed call. Calls will be siloed and information obtained will not be leveraged throughout the test.
Capture-the-Flag: NetSPI will utilize an open-ended approach, with the goal of identifying missing policies and edge case vulnerabilities. Information obtained will be leveraged throughout the test to build an overall attack narrative.
All of the data collected will be consolidated and analyzed. Calls will be recorded and reviewed to identify insecure procedures. In addition, vulnerabilities will be prioritized based on relevance and likelihood. Finally, NetSPI will formulate recommendations for mitigating the identified security issues.
strengths and weaknesses with the Client and discuss the recommendations for improving employee awareness and security processes. This collaboration will ensure that the Client will be able to effectively implement the recommendations.
The Social Engineering: Phone-Based Social Engineering findings and recommendations will be presented in a report that includes both detailed descriptions of the identified issues and remediation recommendations, as well as summary information that will provide insight to senior management on high-level strengths and weaknesses. This report will assist City of Renton in reducing risk by continuing employee awareness training and maintaining secure procedures.
Internal Penetration Testing
The described approach to identifying network and application vulnerabilities is unique to NetSPI. During the Internal Penetration Test, NetSPI will identify security issues on relevant City of Renton internal infrastructure and provide actionable recommendations for
Internal Penetration Test follows this process:
NetSPI will work with the Client to identify assessment requirements and goals. We will gather information on the current network architecture, implemented technologies, and planned security initiatives, and ask the Client to identify any areas of concern that they may have about the testing or reporting process.
applications for known security vulnerabilities
from the perspective of an anonymous user (non-credentialed testing). During the testing, NetSPI will follow manual and automated processes that use commercial, open source, and proprietary software.
An outline of the test approach is as follows:
System and Service Discovery
Based on IP ranges or a list of individual targets provided by the Client, NetSPI will identify relevant IP addresses, domain names, and accessible services that will be targeted during testing by reviewing public resources, performing DNS enumeration, and scanning identified IP addresses.
Important note: NetSPI will only perform asset discovery against the number of IP addresses and web applications specified in the statement of work. Any additional discovery activities must be explicitly defined in the scoping section of the statement of work to be executed.
Vulnerability Enumeration: Automated Vulnerability Scanning
This testing phase uses multiple vulnerability assessment scanners, including web application scanners, from an unauthenticated perspective. Network and system testing includes, but is not limited to, identifying open ports, services, and known vulnerabilities related to missing patches and configuration weaknesses.
Vulnerability Enumeration: Manual Verification
NetSPI always conducts manual verification of medium and high severity issues to identify exploitable or significant vulnerabilities. During this phase NetSPI will attempt to leverage identified issues to gain unauthorized access to systems, applications, and sensitive data.
Vulnerability Enumeration: Manual Web Application Testing
Using manual and automated processes, NetSPI will identify the accessible web applications within the scoped environment. Once an inventory has been compiled, NetSPI will attempt to identify web application accounts configured with weak or default passwords. NetSPI will also review a sample of the web applications for common high impact vulnerabilities such as SQL Injection and remote command execution from an unauthenticated perspective. As time allows, additional testing may be conducted against applications that support anonymous and/or self-registered user access.
Vulnerability Enumeration: Manual Network Protocol Attacks
NetSPI will attempt to gain unauthorized access to data and systems through common protocol attacks that provide a man-in-the-middle position. Common attacks include, but are not limited to, NBNS spoofing, LLMNR spoofing, ARP spoofing, DTP spoofing, VLAN tag spoofing, DHCP spoofing, and PXE attacks.
Vulnerability Enumeration: Manual Dictionary Attacks
NetSPI will gather potential usernames and email addresses from publicly accessible resources and attempt to guess associated passwords in order to gain unauthorized access to VPN, systems, applications, and sensitive data.
Network Pivoting
NetSPI will attempt to pivot through systems and applications to gain a foothold on the protected internal network using a variety of tools and techniques.
Domain Privilege Escalation
NetSPI will map domain trust relationships, identify excessive privilege paths, and exploit them to gain administrative access in the domain in order to facilitate access to critical resources.
Access Sensitive Data and Critical Systems
Using successful exploit paths, NetSPI will attempt to gain unauthorized access to critical information assets such as systems, applications, and databases that are considered high value by your organization.
processes, NetSPI will suggest strategies for improvement and assign priority to deficiencies based on potential business impact and likelihood of process failure or exploitation. NetSPI will also collaborate with City of Renton stakeholders so that notable findings may then be analyzed and compared against program goals and compliance requirements.