The URL can be used to link to this page

Agenda 06/13/2023 Item #16E2 (Local Government Cybersecurity Grant Program Contract #DMS-22/23-269 - $199,500.00)16.E.2 06/13/2023 EXECUTIVE SUMMARY Recommendation to provide "after -the -fact" approval for submitting a grant application and accepting the award for the Local Government Cybersecurity Grant Program Contract No. DMS-22/23-269, including Amendment No. 1 to the Contract, through the State of Florida Department of Management Services for Cyber Security applications and upgrades in the estimated amount of $199,500. OBJECTIVE: To fund the Cyber Security applications and upgrades to allow for enhanced security for the network and data infrastructure within the Collier County computer systems. CONSIDERATION: On April 3, 2023, an application was submitted to the Florida Department of Management Services through their Florida Digital Services Division for consideration of being awarded funds to help support the Cyber Security infrastructure within Collier County. The application was submitted through an electronic process with high security because of the sensitivity of the cyber information required for the grant. Collier County CMA #5330 authorizes the County Manager to approve the submittal of grant applications, with subsequent Board action at its next available meeting to ratify the approval as "after -the -fact." In the current Cyber Security environment, the Board must do everything in its power to secure the data and network infrastructure from threat actors who may want to cause the County and its citizens harm. With Cyber Security, these threats come in the way of attacking the network infrastructure and data held within the Collier County Computer systems. Most of these threats come from hacking into systems, phishing attacks in the hopes of installing malware/ransomware, and attacks on our infrastructure through denial -of -service attacks, to name a few. The County must protect itself from these harmful threats. The Collier County Information Technology Division ("County IT") is tasked with protecting these systems and the data within them. It is currently being done through security systems installed and implemented in different areas of the computer system. The best way to protect the County from these threats is by creating as many layers of security as possible. The grant that is being applied for will allow us to upgrade and add layers of security to the existing Cyber Security infrastructure. With this grant award, the County has qualified for five areas to improve or implement these security layers. The State will pay for the improvements in one or more of those five areas through this grant, which includes help in implementing and configuring the software. County IT will monitor and maintain the software after installation. Alerts from the software will allow County IT to act quickly to resolve any threats that may be found. There are no matching funds to acquire the grant, and the State will pay the vendors for the software the County installs. The only cost is that County IT will share telemetry (metrics, structured logs, and traces) data with the State so that it is alerted if a threat is identified. This allows the State to share the vectors for that attack with other Local Government Agencies that are participating in the grant. Along with Contract No. DMS-22/23/269, attached is Amendment No. 1 to that agreement, which the State requested to clarify the utilization of State Funds, the terms of indemnification and limitations of liability (if applicable), and revisions to a couple of other sections of which there is no objection. FISCAL IMPACT: A budget amendment is not necessary to appropriate funding as the State of Florida Department of Management Services will secure services directly with the Florida Department of Management Services contracted vendors in the estimated amount of $199,500. This grant program does not require a local match. The County will also administer and maintain the software after installation with the current complement of staff. GROWTH MANAGEMENT IMPACT: No growth management impact is associated with this action. LEGAL CONSIDERATIONS: Article 1, section 24, Florida Constitution, guarantees every person access to all Packet Pg. 1218 16.E.2 06/13/2023 public records, and section 119.011, F.S. provides a broad definition of a "public record." Public records are subject to disclosure unless exempt from disclosure by law. Records pertaining to cybersecurity insurance limits and deductibles, information relating to critical infrastructure, incident reporting information pursuant to sections 282.318 and 282.3185, F.S., network schematics, hardware and software configurations, and encryption information or information that identifies detection, investigation, or response practices for suspected or confirmed cybersecurity incidents, including suspected or confirmed breaches, are confidential and exempt pursuant to section 119.0725, F.S. References to such exempt materials in the Grant Agreement have been redacted but will appear in the signed Grant Agreement that will be returned to the State. This item is approved as to form and legality and requires a majority vote for Board approval. -SRT RECOMMENDATION: Recommendation to provide "after -the -fact" approval for submitting a grant application and accepting the award for the Local Government Cybersecurity Grant Program Contract No. DMS-22/23-269, including Amendment No. 1 to the Contract, through the State of Florida Department of Management Services for Cyber Security applications and upgrades estimated at $199,500 and authorize the Chairman to sign the attached Grant Agreement and Amendment No. 1. Prepared by: Mark Gillis, Division Director, Information Technology ATTACHMENT(S) 1. Board Pkg - AGRMT DOS FLGC DMS.22.23.269 Redacted (PDF) 2. Addendum - DMS-22-23-269 - Collier County CommissionersSigned (PDF) Packet Pg. 1219 16. E.2 06/13/2023 COLLIER COUNTY Board of County Commissioners Item Number: 16.E.2 Doe ID: 25728 Item Summary: Recommendation to provide "after -the -fact" approval for submitting a grant application and accepting the award for the Local Government Cybersecurity Grant Program Contract No. DMS-22/23-269, including Amendment No. 1 to the Contract, through the State of Florida Department of Management Services for Cyber Security applications and upgrades in the estimated amount of $199,500. Meeting Date: 06/13/2023 Prepared by: Title: Operations Analyst — Planning Commission Name: Diane Lynch 06/05/2023 1:54 PM Submitted by: Title: Division Director - Information Technology — Information Technology Name: Mark Gillis 06/05/2023 1:54 PM Approved By: Review: Corporate Business Operations Information Technology Grants County Attorney's Office County Attorney's Office Office of Management and Budget Grants Office of Management and Budget County Manager's Office Board of County Commissioners Kenneth Kovensky Additional Reviewer Mark Gillis Director Review Maria Kantaras Level 2 Grants Review Scott Teach Level 2 Attorney Review Jeffrey A. Klatzkow Level 3 County Attorney's Office Review Debra Windsor Level 3 OMB Gatekeeper Review Therese Stanley Additional Reviewer Blanca Aquino Luque Additional Reviewer Amy Patterson Level 4 County Manager Review Geoffrey Willig Meeting Pending Completed 06/05/2023 2:29 PM Completed 06/05/2023 3:38 PM Completed 06/05/2023 4:03 PM Completed 06/05/2023 4:30 PM Completed 06/06/2023 8:49 AM Completed 06/06/2023 9:09 AM Completed 06/06/2023 10:34 AM Completed 06/06/2023 3:22 PM Completed 06/07/2023 10:07 AM 06/13/2023 9:00 AM Packet Pg. 1220 1 6.E.2.a Co ]e-r County Office of Management & Budget TO: Amy Patterson, County Manager CC: Dan Rodriguez. Deputy County Manager Kenneth Kovensky, Executive Director, Corp Business Ops FROM: Therese Stanley Manager — OMB Grants Compliance DATE: May 31, 2023 Grant Application Keviewed and Approved by Manager, or desi r ee: A a w 4_�, 4 & �i_ County Manager c,V30date After -the -Fact Approval by the BCC is required at the .tune 13, 2023. BCC meeting RE County Manager review and approval to submit a state grant application, accept and execute a grant award from the Florida Department of Management Services (DMS) for a Florida Local Government Cybersecurity Grant to receive benefit of services in an estimated amount of $199,500. (ATF 23-007). The Florida Local Government Cybersecurity Grant (FLGCG) is a competitive grant program to provide cybersecurity technical assistance and capabilities to Florida's local governments to improve their cybersecurity posture and resiliency. Funding is awarded through a benefit of services rather than direct funding, administered through the Florida Department of Management Services and managed by Florida Digital Services. Services awarded through the FLGCG will allow the County to upgrade and add layers of security onto the County's existing Cyber Security infrastructure. Adding as many layers of security as possible is the best way to protect the County from threats such as but not limited to hacking, phishing, malware and ransomware The County has qualified for five for areas of improvement and implementation of these security layers. Due to the award providing a benefit of services directly engaging a third -party through the States contracted vendors, the County will not receive direct funding. The value of services is estimated at $199.500 and does not require a local match. The County will be considered a designated recipient for the upcoming State fiscal year funding cycle. County IT staff will administer and maintain software within the current compliment of staffing. On April 3. 2023, an application was submitted for consideration to be awarded funds to support the Cyber Security infrastructure within the County. The application was submitted through an electronic process with high security due to the sensitivity of the cyber information required for the grant. On May 17, 2023, the County received an award notification that requires acceptance and execution within 15 days or by May 31, 2023. Due to the short turnaround we are asking for your approval to the grant application previously submitted and accept the grant agreement followed an After -the -Fact approval by the Board of County Commissioners at the June 13, 2023, meeting. Once you have reviewed the application and grant agreement, please sign the areas marked throughout the agreement and call me for pickup at 239-252-2959. Thank you, and please let me know if you have any questions regarding this request. N M N N N v) 0 3299 Tamiami Trail East, Suite 201 • Naples, Florida 34112.5746.239-252-8973 • FAX 239-252-8828 Packet Pg. 1221 Ron DeSantis, Florida Governor Pedro Allende, Secretary James Grant, Florida State Chief Information Officer GRANT AGREEMENT FOR LOCAL GOVERNMENT CYBERSECURITY GRANT PROGRAM CONTRACT NO: DMS-22/23-269 CATALOG OF STATE FINANCIAL ASSISTANCE NUMBER: 72.009 BETWEEN THE STATE OF FLORIDA DEPARTMENT OF MANAGEMENT SERVICES AND Collier County Board of County Commissioners CAC rn N M N N N U) 0 16. E.2.a a GRANT AGREEMENT N This Grant Agreement (Agreement) is made and entered into by and between the Cl) Department of Management Services (Department), an agency of the State of Florida (State), N and the Collier County Board of County Commissioners (Grantee) and is effective as of the U) date last signed. The Department and the Grantee are sometimes referred to herein individually o as a "Party" or collectively as the "Parties." THIS AGREEMENT IS ENTERED INTO BASED ON THE FOLLOWING REPRESENTATIONS: WHEREAS, the Department, through the Florida Digital Service (FL[DS]), has the authority, pursuant to Chapter 2022-156, Laws of Florida, Specific Appropriation 2944A, to award grants to the Grantee for cybersecurity technical assistance; and WHEREAS, the Grantee represents that it is fully qualified and eligible to receive the grant identified herein in accordance with the terms and conditions hereinafter set forth. NOW THEREFORE, the Parties do mutually agree as follows: A. Deliverables and Performance Requirements: In accordance with Chapter 2022-156, Laws of Florida, Specific Appropriation 2944A, the Parties agree that the funds will be utilized as described in Attachment A.1 — Solution Statement of Work and/or Attachment A.2 — Funding Statement of Work, as applicable. The Grantee shall provide the deliverables specified herein in accordance with the terms and conditions of this Agreement, including its attachments and exhibits. B. Agreement Period: The performance period for this Agreement begins upon execution and ends upon the expiration of the applicable cybersecurity technical assistance services or commodities awarded or purchased pursuant to the Agreement, or in accordance with the final implementation plan(s), unless terminated earlier in accordance with the terms of this Agreement. No renewals or extensions of the Agreement are permitted. C. Agreement Documents and Amendments Thereto. Agreement Documents. "Agreement" means this Grant Agreement and all incorporated attachments, exhibits, and schedules, which set forth the entire understanding of the Parties and supersede any and all prior agreements and understandings related to the subject matter thereof. All attachments, exhibits, and schedules listed below are incorporated in their entirety into, and will form part of, this Agreement. In the event of a conflict, the following order of precedence shall apply: a• This Grant Agreement b. The Statement(s) of Work: Attachment A.1 — Solution Statement of Work Attachment A.2 — Funding Statement of Work (applicable if added by Amendment) c. Attachment B — Audit Requirements for Awards of State and Federal Financial Assistance, including its Exhibit 1 d. Attachment C, Grantee Data Sharing Agreement(s) ("DSA" ), if applicable Packet Pg. 1223 16. E.2.a a e. Final Implementation Plan(s), if awarded solutions under Attachment A.1. N 2. Counterparts. This Agreement may be executed in any number of counterparts, all of Cl) N N which taken together shall constitute one (1) single agreement between the Parties. v) 3. Survivability. This Agreement and any and all promises, covenants, and representations made herein are binding upon the Parties hereto and any and all respective heirs, assigns, Z and successors in interest. The respective obligations of the Parties, which by their nature would continue beyond the termination or expiration of this Agreement, including without limitation, the obligations regarding confidentiality, proprietary interests, and public o records, shall survive termination or expiration of this Agreement. U E 4. Severabilty. If a court of competent jurisdiction deems any term or condition of this M, Agreement void or unenforceable, the other provisions are severable to that void provision, and will remain in full force and effect. However, to the fullest extent permitted a by law, this Agreement shall be construed as if the scope or duration of such provision had been more narrowly drafted so as not to be invalid or unenforceable. c� 5. Amendments. With the exception of changes to the Primary Contacts, DSA/IT Coordinators, and the Department's/FL[DS]'s provision of the applicable vendor terms and N conditions, this Agreement may only be modified or amended by a written agreement duly a) executed by the Parties. U D. Notices and Primary Contacts: o0 1. Notices. The Parties shall use the contact information provided in Section D.2., Primary Contacts, below, for all communications and notices under this Agreement. Where the term "written notice" is used to specify a notice requirement herein, said notice will be 'deemed to have been given (i) when personally delivered; (ii) when transmitted via facsimile (with confirmation of receipt) or email (with confirmation of receipt), provided the sender on the same day sends a confirming copy of such notice by a recognized delivery service (charges prepaid); (iii) the day immediately following the day (except if not a Business Day then the next Business Day) on which the notice or communication has been provided prepaid by the sender to a recognized overnight delivery service; or (iv) on the date actually received except where there is a date of the certification of receipt. 2. Primary Contacts. a. Department's Grant Manager (see section 215.971, 1=.5.). Lacy Perkins Florida Digital Service Department of Management Services 2555 Shumard Oaks Blvd Tallahassee, Florida 32399 Telephone: (850) 413-0604 Email: CybersecurityGrants cCi}..di, itq al.fl.gov b. Grantee's Grant Manager Name: Augusto Vega Organization: Collier County Board of County Commissioners Mailing Address: 3299 Tamiami Trail East Suite 600 City, Zip Code: Naples, 34112 Telephone: (239) 252-4327 Email; augusto.vega@colliercoutnyfl.gov rAn Packet Pg. 1224 16. E.2.a rn 3. Changes in Primary Contacts. Either Party may provide notice to the other Party by N email identifying a change of a designated primary contact and providing the new N contact information for the newly designated primary contact. Such notice must be N sent to the other Party's Grant Manager and is sufficient to effectuate this change v) without requiring a written amendment to this Agreement. 0 E. Payment, Funding, and Award Considerations: 1. Fiscal Year. The funds utilized for this Agreement are from the State's 2022-2023 Fiscal Year, which begins July 1, 2022, and expires on June 30, 2023. 2. Funding_Awards. Pursuant to section 215.971, F.S., if funding is provided to the Grantee under this Agreement pursuant to Attachment A.2 — Funding Statement of Work, the following applies: a. The Grantee may only expend funding under this Agreement for allowable costs resulting from obligations incurred during the performance period. b. The Grantee shall refund to the Department any balance of unobligated funds that was advanced or paid to the Grantee. c. The Grantee shall refund to the Department all funds paid in excess of the amount to which the Grantee or its subrecipients are entitled under the terms and conditions of the Agreement. 3. Services Licenses or Commodities Awards. If applicable, the Grantee agrees to implement services, licenses, or commodities described in Attachment A.1 — Solution Statement of Work, according to the Final Implementation Plan(s) as executed by the Parties. All use of the items described in Attachment A.1 — Solution Statement of Work are subject to the terms and conditions of the DSA and applicable riders attached thereto. If awarded funding and the Grantee desires to integrate purchased services, licenses, or commodities with the State Cybersecurity Operations Center, a DSA shall be separately executed for such. As this Agreement will need to be entered prior to the procurement of the awarded services, licenses, or commodities, the availability of such awarded services, licenses, or commodities may be affected and are subject to change. If such changes are required, the Department will work with the Grantee to amend this Agreement. Such limitations do not apply for funding awards. 4. State Financial Assistance. In accordance with section 215.971(1), Florida Statutes (F.S.), the Grantee may utilize any provided commodities or services only in accordance with this Agreement. 5. Payment Process. The Department agrees to purchase all commodities or services awarded to the Grantee on behalf of the Grantee as described in Attachment A.1 -- Solution Statement of Work. For funding awards, please see Attachment A.2 —Funding Statement of Work. Packet Pg. 1225 16. E.2.a rn N F. Compliance with Law: N N 1. Applicable Law. The Parties shall comply with the applicable state and federal laws, rules, v regulations, and policies, including, but not limited to, those identified in thisAgreement. 0 2. Governing Law, The Grantee agrees that this Agreement is entered into in the State of Florida, and shall be construed, performed, and enforced in all respects in accordance with the laws, rules, and regulations of the State. Each Party shall perform its obligations herein in accordance with the terms and conditions of this Agreement. Without limiting the provisions of Section Q, Dispute Resolution, the exclusive venue of any legal or equitable action that arises out of or relates to the Agreement shall be the appropriate State court in Leon County, Florida; in any such action, the Parties waive any right tojury trial. 3. Ethics. The Grantee shall comply with the requirements of sections 11.062 and 216.347, F.S. The Grantee shall not, in connection with this or any other agreement with the State, directly or indirectly: a. offer, confer, or agree to confer any pecuniary benefit on anyone as consideration for any State officer or employee's decision, opinion, recommendation, vote, other exercise of discretion, or violation of a known legal duty; or b. offer, give, or agree to give to anyone any gratuity for the benefit of, or at the direction or request of, any State officer or employee. For purposes of this subsection b, "gratuity" means any payment of more than nominal monetary value in the form of cash, travel, entertainment, gifts, meals, lodging, loans, subscriptions, advances, deposits of money, services, employment, or contracts of any kind. Upon request of the Department's Inspector General, or other authorized State official, the Grantee shall provide any type of information the Inspector General deems relevant to the Grantee's integrity or responsibility. Such information may include, but shall not be limited to, the Grantee's business or financial records, documents, or files of any type or form that refer to or relate to this Agreement. The Grantee shall retain such records in accordance with the record retention requirements of Part V of Attachment B, Audit Requirements for Awards of State and Federal Financial Assistance. 4, Advertising. Subject to Chapter 119, F.S., the Grantee shall not publicly disseminate any information concerning this Agreement without prior written approval from the Department, including, but not limited to, mentioning this Agreement in a press release or other promotional material, identifying the Department or the State as a reference, or otherwise linking the Grantee's name and either a description of the Agreement or the name of the Department or the State in any material published, either in print or electronically, to any entity that is not a Party to this Agreement, except potential or actual authorized distributors, dealers, resellers, or service representatives. 5. Conflict of Interest. This Agreement is subject to Chapter 112, F.S. The Grantee shall disclose the name of any officer, director, employee, or other agent who is also an employee of the State. The Grantee shall also disclose the name of any State employee who owns, directly or indirectly, more than a five percent (5%) interest in the Grantee or its affiliates. 6. Records Retention. The Grantee shall retain all records made or received in conjunction with the Agreement for the longer of five (5) years after the end of the Agreement period and all pending matters or the period required by the General Records Schedules CAA Packet Pg. 1226 16.E.2.a am maintained by the Florida Department of State (available at: N https://dos.mOorida.com/media/703328/,qsl-sl-2020.p,df). If the Grantee's record N retention requirements terminate prior to the requirements stated herein, the Grantee may N meet the Department's record retention requirements for this Agreement by transferring v� its records to the Department at that time, and by destroying duplicate records in accordance with section 501.171, F.S., and, if applicable, section 119.0701, F.S. The Grantee shall adhere to established information destruction standards such as those c z established by the National Institute of Standards and Technology Special Publication 800-88, "Guidelines for Media Sanitization" (2014). See htt s:Hnvl ubs.nist. ov/nist ubs/S ecialPublications/NIST.SP.800-88r1. df. o 7. MyFloridaMarketPlace (MFMP). Disbursements under this Agreement are disbursements of State financial assistance to a recipient as defined in section 215.97, F.S., and are exempt from the MFMP Transaction Fee pursuant to Rule 60A-1.031(6)(d), F.A.C. The Department, on behalf of the Grantee, will process payments for commodities or services awarded through MFMP. G. Recoupment of Funds: Notwithstanding the damages limitations of Section S, Limitation of Liability, if the Grantee's non-compliance with any provision of the Agreement results in additional costs or monetary loss to the Department or the State, the Department can recoup the costs or losses from monies owed to the Grantee under this Agreement or any other agreement between the Grantee and any State entity. In the event that the discovery of additional costs or losses arises when no monies are available under this Agreement or any other agreement between the Grantee and any State entity, the Grantee shall repay such costs or losses to the Department in full within thirty (30) days from the date of discovery or notification, unless the Department agrees, in writing, to an alternative timeframe. The Department shall not be liable for any penalties or costs associated with the Grantee's misuse of the awarded services, licenses, or commodities. 2. If the Grantee or its independent auditor discovers that an overpayment has been made, the Grantee shall repay said overpayment within forty (40) calendar days without prior notification from the Department. In the event that the Department first discovers an overpayment has been made, the Department will notify the Grantee in writing. Should repayment not be made in a timely manner, the Department shall be entitled to charge interest at the lawful rate of interest on the outstanding balance beginning forty (40) calendar days after the date of notification or discovery. Refunds should be sent to the Department's Agreement Manager and made payable to the "Department of Management Services." If this Agreement is terminated for cause, the Department, at its discretion, may require that the Grantee return to the Department any funds that were used for purposes that are considered ineligible under this Agreement. H. Audits and Records, 1. Representatives of the Department, including the State's Chief Financial Officer, the State's Auditor General, and representatives of the federal government, shall have access to any of the Grantee's books, documents, papers, and records, including electronic storage media, as they may relate to this Agreement, for the purposes of conducting audits or examinations or making excerpts or transcriptions. 2. The Grantee shall maintain books, records, and documents in accordance with the generally accepted accounting principles to sufficiently and properly reflect all services, licenses, or commodities received by the Department under this Agreement. CAO Packet Pg. 1227 16. E.2.a rn N 3. The Grantee shall comply with all applicable requirements of section 215.97, F.S., and N Attachment B, Audit Requirements for Awards of State and Federal Financial Assistance. N If the Grantee is required to undergo an audit, the Grantee shall disclose all related party v) transactions to the auditor. 0 4. The Grantee shall retain all its records, financial records, supporting documents, statistical records, and any other documents, including electronic storage media, pertinent to this Agreement in accordance with the record retention requirements of Part V of Attachment B, Audit Requirements for Awards of State and Federal Financial Assistance, The Grantee shall cooperate with the Department to facilitate the duplication and transfer of such records or documents upon the Department's request. 5. If awarded services, licenses, or commodities described in Attachment A.1, Solution Statement of Work, the Grantee shall include records of the start and end dates for all tasks in the Final Implementation Plan(s). Additional requirements may be incorporated in the Final Implementation Plan(s). 6. The Grantee shall include the aforementioned audit and recordkeeping requirements in all approved subrecipient contracts and assignments. 1. Public Records and Records Production: Identification and Protection of Confidential Information. Article 1, section 24, Florida Constitution, guarantees every person access to all public records, and section 119.011, F.S., provides a broad definition of "public record." As such, records submitted to the Department (or any other State agency) are public records and are subject to disclosure unless exempt from disclosure by law. The following records for agencies, as "agency" is defined in section 119.011(2), F.S., are confidential and exempt pursuant to section 119.0725, F.S.: a. cybersecurity insurance limits and deductibles; b. information relating to critical infrastructure; c. incident reporting information pursuant to sections 282.318 and 282.3185, F.S.; d. network schematics; e. hardware and software configurations; and f. encryption information or information that identifies detection, investigation, or response practices for suspected or confirmed cybersecurity incidents, including suspected or confirmed breaches. If the Grantee considers any portion of other records it provides to the Department (or any other State agency) to be trade secret or otherwise confidential or exempt from disclosure under Florida or federal law, the Grantee shall mark the document as "confidential" and simultaneously provide the Department (or other State agency) with a separate, redacted copy of the record. Such records and those records made confidential and exempt pursuant to section 119.0725, F.S., shall be considered "Confidential Information." For each portion redacted, the Grantee shall describe in writing the grounds for claiming the exemption, including the specific statutory citation for such exemption. The Grantee shall only redact portions of records that it claims are Confidential Information. In the event of a request for public records pursuant to Chapter 119, F.S., the Florida Constitution, or other authority, to which records that are marked as "confidential" are responsive, the Department will provide the Grantee -redacted copy to the requestor. If a requestor asserts a right to the redacted Confidential Information, the Department will notify the Grantee such an assertion has been made. It is the Grantee's responsibility to Packet Pg. 1228 16.E.2.a am take the appropriate legal action to assert that the information in question is exempt from N disclosure under Chapter 119, F.S., or other applicable law. N N If the Department becomes subject to a demand for discovery or disclosure of documents v� that are marked as "confidential" in a legal proceeding, the Department will give the Grantee notice of the demand or request. The Grantee shall take the appropriate legal action in response to the demand and to defend its claims of confidentiality. If the Grantee z fails to take appropriate and timely action to protect the records it has designated as Confidential Information, the Grantee agrees that the Department is permitted to treat P those records as not confidential and the Department is permitted to provide the o unredacted records to the requester and the Grantee agrees not to pursue any suit, action, 0 or claim, including for damages, against the Department or its employees, attorneys, E �a agents or volunteers. The Grantee shall protect, defend, and indemnify the Department from all suits, claims, actions, demands, liability, costs, fines, and attorneys' fees arising from or relating to the Grantee's determination that the redacted portions of its records are Confidential Information, including all costs, including attorney's fees, incurred regarding the entitlement or amount of such attorney's fees. If the Grantee fails to submit a redacted copy in accordance with this section, of information it claims is Confidential Information, the Department is authorized to produce the entire record submitted to the Department, including those records marked "confidential," in response to a public records request for, or demand for discovery or disclosure of, these records and the Grantee agrees not to pursue any suit, action, or claim, including for damages, against the Department or its employees, attorneys, agents, or volunteers. 2. Inspection of Records. In accordance with section 216.1366, F.S., the Department is authorized to inspect the: (a) financial records, papers, and documents of the Grantee that are directly related to the performance of this Agreement or the expenditure of State funds; and (b) programmatic records, papers, and documents of the Grantee which the Department determines are necessary to monitor the performance of this Agreement or to ensure that the terms of this Agreement are being met. The Grantee shall provide such records, papers, and documents requested by the Department within ten (10) Business Days after the request is made. J. Non -Discrimination: The Grantee shall not unlawfully discriminate against any individual employed in the performance of this Agreement due to race, religion, color, sex, physical handicap unrelated to such person's ability to engage in this work, national origin, ancestry, or age. The Grantee shall provide a harassment -free workplace, and any allegation of harassment shall be given priority attention and action. K. Duty of Continuing Disclosure of Legal Proceedings and Instances of Fraud: The Grantee shall provide written notice to the Department disclosing any criminal litigation, investigation, or proceeding that arises during the Agreement period involving the Grantee except where the Grantee is involved in a prosecutorial or administrative capacity, or, to the extent the Grantee is aware, any of the Grantee's subrecipients or contractors (or any of the foregoing entities' current officers or directors). The Grantee shall also provide written notice to the Department disclosing any civil litigation, arbitration, or proceeding that arises during the Agreement period that is related to or involves any services, licenses, or commodities under the Agreement, to which the Grantee (or, to the CAO Packet Pg. 1229 16.E.2.a am extent the Grantee is aware, any subrecipient or contractor hereunder) is a party, and N which: n N N a. might reasonably be expected to adversely affect the viability or financial stability of v� the Grantee or any subrecipient or contractor hereunder; or o b. involves a claim or written allegation of fraud against the Grantee, or any subrecipient or contractor hereunder, by a governmental or public entity arising out of business z dealings with governmental or public entities. All notices under this section must be provided to the Department within thirty (30) business days following the date that the Grantee first becomes aware of any such litigation, investigation, arbitration, or other proceeding (collectively, a "Proceeding"). Details of settlements that are prevented from disclosure by the terms of the settlement must be annotated as such. 2. This duty of disclosure applies to each officer and director of the Grantee, subrecipients, or contractors when any proceeding relates to the officer's or director's business or financial activities. 3. Instances of Grantee operational fraud or criminal activities, regardless of whether a legal proceeding has been initiated, shall be reported to the Department's Agreement Manager within twenty-four (24) hours of the Grantee being made aware of the incident. 4. The Grantee shall promptly notify the Department's Grant Manager of any Proceeding relating to or affecting the Grantee's, subrecipient's, or contractor's business. If the existence of such Proceeding causes the State to conclude that the Grantee's ability or willingness to perform the Agreement is jeopardized, the Grantee shall be required to provide the Department's Grant Manager all reasonable assurances requested by the Department to demonstrate that: a. the Grantee will be able to perform the Agreement in accordance with its terms and conditions; and b. the Grantee and/or its employees, agents, subrecipients, or contractor(s) have not and will not engage in conduct in performance under the Agreement that is similar in nature to the conduct alleged in such Proceeding. L. Assignments, Subgrants, and Contracts: 1. Unless otherwise specified in either version of Attachment A, Statement of Work, or through prior written approval of the Department, the Grantee may not: 1) subgrant any of the services, licenses, or commodities provided to the Grantee by the Department under this Agreement; 2) contract its duties or responsibilities under this Agreement out to a third party; or 3) assign, transfer, or sell any of the Grantee's rights or responsibilities or granted commodities and services hereunder, unless specifically permitted by law to do so. Any such subgrant, contract, or assignment occurring without the prior approval of the Department shall be null and void. In the event the Department approves transfer of the Grantee's obligations, the Grantee remains responsible for all work performed and all expenses incurred in connection with the Agreement. In addition, this Agreement shall bind the successors, assigns, and legal representatives of the Grantee, and of any legal entity that succeeds the Grantee, to the Grantee's obligations to the Department. 2. The Grantee agrees to be responsible for all work performed in fulfilling the obligations of this Agreement. CAO Packet Pg. 1230 16. E.2.a a 3. The Grantee agrees that the Department may assign or transfer its rights, duties, or N obligations under this Agreement to another governmental entity upon giving prior written N notice to the Grantee. N N U) M. Intellectual Property Rights: o Where activities supported by this Agreement result in the creation of intellectual property rights, the Grantee shall notify the Department, and the Department will determine whether the Grantee will be required to grant the Department a perpetual, irrevocable, royalty -free, nonexclusive license to use, and to authorize others to use for State government purposes, any resulting patented, copyrighted, or trademarked work products developed under this Agreement. N. Independent Contractor Status: It is mutually understood and agreed to that at all times during the Grantee's performance of its duties and responsibilities under this Agreement that Grantee is acting and performing as an independent contractor. The Department shall neither have nor exercise any control or direction over the methods by which the Grantee shall perform its work and functions other than as provided herein. Nothing in this Agreement is intended to or shall be deemed to constitute a partnership or joint venture between the Parties. 1. The Grantee (and its officers, agents, employees, subrecipients, contractors, or assignees), in performance of this Agreement, shall act in the capacity of an independent contractor and not as an officer, employee, or agent of the State. Further, unless specifically authorized to do so, the Grantee shall not represent to others that, as the Grantee, it has the authority to bind the Department or the State. 2. Unless the Grantee is a State agency, neither the Grantee nor its officers, agents, employees, subrecipients, contractors, or assignees, are entitled to State retirement or State leave benefits, or to any other compensation of State employment as a result of performing the duties and obligations of this Agreement. 3. The Grantee agrees to take such actions as may be necessary to ensure that each subrecipient or contractor will also be deemed to be an independent contractor and will not be considered or permitted to be an agent, servant, joint venturer, or partner of the State. 4. Unless agreed to by the Department in either versions of Attachment A, Statement of Work, the Department will not furnish services of support (e.g., office space, office supplies, telephone service, secretarial, clerical support, etc.) to the Grantee or its subrecipient, contractor, or assignee. 5. The Department shall not be responsible for withholding taxes with respect to the Grantee's compensation hereunder. The Grantee shall have no claim against the Department for vacation pay, sick leave, retirement benefits, social security, workers' compensation, health or disability benefits, reemployment assistance benefits, or employee benefits of any kind. The Grantee shall ensure that its employees, subrecipients, contractors, and other agents, receive benefits and necessary insurance (health, workers' compensation, reemployment assistance benefits) from an employer other than the State. 6. At all times during the Agreement period, the Grantee must comply with the reporting and Reemployment Assistance contribution payment requirements of chapter 443, F.S. O. Entire Agreement: This Agreement, including all referenced attachments and exhibits, embodies the entire agreement of the Parties. There are no other provisions, terms, conditions, or obligations. This CAO Packet Pg. 1231 16.E.2.a Agreement supersedes all previous oral or written communications, representations, or N agreements on this subject. Cl) N P. Termination: `" v� 1. Termination for Failure to Implement. For awarded services, licenses or commodities o under Attachment A.1 — Statement of Work, if the Grantee does not approve a Final c Implementation Plan within 15 calendar days of purchase order issuance for the awarded Z solutions, this Agreement may be terminated by the Department, at its sole discretion. P 2. Termination Due to the Lack of Funds. The funds utilized for this Agreement are from the State's 2022-2023 Fiscal Year, which begins ,duly 1, 2022, and expires on .tune 30, 2023. If funds become unavailable for the Agreement's purpose, such event will not constitute a default by the Department or the State. The Department agrees to notify the Grantee in writing at the earliest possible time if funds are no longer available. In the event that any funding identified by the Grantee as funds to be provided for completion of the project as described herein becomes unavailable, including if any State funds upon which this Agreement depends are withdrawn or redirected, the Department may terminate this Agreement by providing written notice to the Grantee. The Department will be the final authority as to the availability of funds. 3. Termination for Cause. The Department may terminate the Agreement if the Grantee fails to: a. satisfactorily complete the deliverables within the time specified in theAgreement; b. maintain adequate progress, thus endangering performance of theAgreement; c. honor any term of the Agreement; or d. abide by any statutory, regulatory, or licensing requirement. The Grantee shall continue to perform any work not terminated. The Department's rights and remedies in this clause are in addition to any other rights and remedies provided by law or under the Agreement. The Grantee shall not be entitled to recover any cancellation charges or lost profits. 4. Termination for Convenience. The Department may terminate this Agreement, in whole or in part, by providing written notice to the Grantee that the Department determined, in its sole discretion, it is in the State's interest to do so. The Grantee shall not furnish any product or continue services after the specified termination date in the Department's notice of termination, except as necessary to complete the continued portion of the Agreement, if any. The Grantee will not be entitled to recover any cancellation charges or lost profits. 5. Grantee's Responsibilities upon Termination. If the Department provides a notice of termination to the Grantee, except as otherwise specified by the Department in that notice, the Grantee shall: a. Stop work under this Agreement on the date and to the extent specified in the notice. b. Complete performance of such part of the work that has not been terminated by the Department, if any. c. Take such action as may be necessary, or as the Department may specify, to protect and preserve any property which is in the possession and custody of the Grantee, and in which the Department has or may acquire an interest. d. Transfer, assign, and make available to the Department all property and materials belonging to the Department upon the effective date of termination of this Agreement. CAU Packet Pg. 1232 16. E.2.a a No extra compensation will be paid to the Grantee for its services in connection with N such transfer or assignment. N Q. Dispute Resolution: N Disputes concerning performance under the Agreement will be decided by the Department, who a shall reduce the decision to writing and serve a copy to the Grantee. In the event a Party is z6 dissatisfied with the dispute resolution decision, jurisdiction for any dispute arising under the terms of the Agreement will be in State courts, and the venue will be in the Second Judicial Circuit, in and for Leon County. Except as otherwise provided by law, the Parties agree to be responsible for their own attorney fees incurred in connection with disputes arising under the terms of this Agreement. R. Indemnification: 1. The Grantee shall be fully liable for the actions of its agents, employees, partners, subrecipients, or contractors and shall fully indemnify, defend, and hold harmless the State and the Department, and their officers, agents, and employees, from suits, actions, damages, and costs of every name and description, arising from or relating to personal injury and damage to real or personal tangible property alleged to be caused in whole or in part by the Grantee, its agents, employees, partners, subrecipients, or contractors provided, however, that the Grantee shall not indemnify for that portion of any loss or damages proximately caused by the negligent act or omission of the State or the Department. 2. Further, the Grantee shall fully indemnify, defend, and hold harmless the State and the Department from any suits, actions, damages, and costs of every name and description, including attorneys' fees, arising from or relating to violation or infringement of a trademark, copyright, patent, trade secret, or intellectual property right provided, however, that the foregoing obligation shall not apply to the Department's misuse or modification of the Grantee's products or the Department's operation or use of the Grantee's products in a manner not contemplated by the Agreement. The Department will not be liable for any royalties. 3. The Grantee shall not be liable for any cost, expense, or compromise incurred or made by the State or the Department in any legal action without the Grantee's prior written consent, which shall not be unreasonably withheld. 4. For the avoidance of doubt, as the Grantee is a subdivision, as defined in section 768.28(2), F.S., pursuant to section 768,28(19), F.S., neither Party indemnifies nor insures or assumes any liability to the other Party for the other Party's negligence. Notwithstanding anything to the contrary in this section R., indemnification by either Party for tortclaims is limited to the amounts prescribed in section 768.28, F.S., plus the Party's reasonable attorneys' fees. S. Limitation of Liability: Unless otherwise specifically enumerated in this Agreement, no Party shall be liable to the other Party for special, indirect, punitive, or consequential damages, including lost data or records (unless the Agreement requires the Grantee to backup data or records), even if the Party has been advised that such damages are possible. No Party shall be liable to the other Party for lost profits, lost revenue, or lost institutional operating savings. The State and the Department may, in addition to other remedies available to them at law or in equity and upon notice to the Grantee, CAO Packet Pg. 1233 16.E.2.a am retain such monies from amounts due the Grantee as may be necessary to satisfy any claim for N damages, penalties, costs, and the like asserted by or against them. Except as otherwise provided in this Agreement or the Data Sharing Agreement or its attachments or Riders, the Department is N N not liable for unauthorized access to information except as directly attributable to the actions of `, the Department. For all claims against Grantee under this Agreement, and regardless of the basis on which the claim is made, Grantee's liability under this Agreement for direct damages shall be o limited to the dollar value of this Agreement. This limitation shall not apply to claims arising under z6 the Indemnity paragraphs contained in this Agreement. �a L T. Force Majeure and Notice of Delay from Force Majeure: 0 U Neither Party shall be liable to the other for any delay or failure to perform under this Agreement E if such delay or failure is neither the fault nor caused by the negligence of the Party or its employees or agents and the delay is due directly to acts of God, wars, acts of public enemies, o strikes, fires, floods, or other similar cause wholly beyond the Party's control, or for any of the a foregoing that affects subrecipients, contractors, or suppliers if no alternate source of supply is available. However, in the event a delay arises from the foregoing causes, the Party shall take all reasonable measures to mitigate any and all resulting damages, costs, delays, or disruptions r to the project in accordance with the Party's performance requirements under this Agreement. 3 In the case of any delay the Grantee believes is excusable under this section, the Grantee shall m ;n provide written notice to the Department describing the delay or potential delay and the cause of the delay within: ten (10) calendar days after the cause that creates or will create the delay first v arose (if the Grantee could reasonably foresee that a delay could occur as a result); or five (5) ao calendar days after the date the Grantee first had reason to believe that a delay could result (if N the delay is not reasonably foreseeable). THE FOREGOING SHALL CONSTITUTE THE N GRANTEE'S SOLE REMEDY OR EXCUSE WITH RESPECT TO DELAY. Providing notice in strict accordance with this section is a condition precedent to such remedy. d The Department, in its sole discretion, will determine if the delay is excusable under this section �a and will notify the Grantee of its decision in writing. The Grantee shall not assert a claim for damages, other than for an extension of time, against the Department. The Grantee will not be N entitled to an increase in the Agreement price or payment of any kind from the Department for N any reason. If performance is suspended or delayed, in whole or in part, due to any of the causes N described in this section, after the causes have ceased to exist, the Grantee shall resume Ci Cn performance, unless the Department determines, in its sole discretion, that the delay will significantly impair the ability of the Grantee to timely complete its obligations under this Agreement, in which case, the Department may terminate the Agreement in whole or in part. J LL U. Mandatory Disclosure Requirements: co Convicted Vendor List. The Grantee has a continuous duty to disclose to the Department if the Grantee or any of its affiliates, as defined by section 287.133(1)(a), F.S., are placed on the convicted vendor list. Pursuant to section 287.133(2)(a), F.S.: "A person or affiliate who has been placed on the convicted vendor list following a conviction for a public entity crime may not submit a bid, proposal, or reply on a contract to provide any goods or services to a public entity; may not submit a bid, proposal, or reply on a contract with a public entity for the construction or repair of a public building or public work; may not submit bids, proposals, or replies on leases of real property to a public entity; may not be awarded or perform work as a contractor, supplier, subcontractor, or consultant under a contract with any public entity; and may not transact business with any public entity in excess of the threshold amount provided in s. 287.017, F.S., for CATEGORY TWO for a period of 36 months following the date of being placed on the convicted vendor list." CAO Packet Pg. 1234 16.E.2.a 2. Discriminatory Vendor List. The Grantee has a continuous duty to disclose to the N Department if the Grantee or any of its affiliates, as defined by section 287.134(1)(a), F.S., n are placed on the discriminatory vendor list. Pursuant to section 287.134(2)(a), F.S.: "An N entity or affiliate who has been placed on the discriminatory vendor list may not submit a v� bid, proposal, or reply on a contract to provide any goods or services to a public entity; may not submit a bid, proposal, or reply on a contract with a public entity for the o construction or repair of a public building or public work; may not submit bids, proposals, 6 or replies on leases of real property to a public entity; may not be awarded or perform work as a contractor, supplier, subcontractor, or consultant under a contract with any public L entity; and may not transact business with any public entity." 3. Antitrust Violator Vendor List. The Grantee has a continuous duty to disclose to the Department if the Grantee or any of its affiliates, as defined by section 287.137(1)(a), F.S., are placed on the antitrust violator vendor list. Pursuant to section 287.137(2)(a), F.S.: "A person or an affiliate who has been placed on the antitrust violator vendor list following a conviction or being meld civilly liable for an antitrust violation may not submit a bid, proposal, or reply for any new contract to provide any goods or services to a public entity; may not submit a bid, proposal, or reply for a new contract with a public entity for the construction or repair of a public building or public work; may not submit a bid, proposal, or reply on new leases of real property to a public entity; may not be awarded or perform work as a contractor, supplier, subcontractor, or consultant under a new contract with a public entity; and may not transact new business with a public entity." 4. Foreign Gifts and Contracts. The Grantee shall comply with any applicable disclosure requirements in section 286.101, F.S. Pursuant to section 268.101(7), F.S.: "In addition to any fine assessed under [section 286.101(7)(a), F.S.], a final order determining a third or subsequent violation by an entity other than a state agency or political subdivision shall automatically disqualify the entity from eligibility for any grant or contract funded by a state agency or any political subdivision until such ineligibility is lifted by the Administration Commission for good cause." REMAINDER OF PAGE INTENTIONALLY LEFT BLANK CAO Packet Pg. 1235 16. E.2.a IN WITNESS WHEREOF, the Parties agree to the terms and conditions of this Agreement and have duly authorized their respective representatives to sign it on the dates indicated below. Grantee: Department of Management Services: Collier County Board of County Commissioners k BY By:_ Name: Am Patterson Name: Title: County Manager Title: Date: ,31 I P3 Date: ATTEST CRYSTAL K. KiNZEL,CLMK BY; Approved as to form and legality Scott R. Teach, Deputy County Attorney Packet Pg. 123 16.E.2.a ATTACHMENT A.1 SOLUTION STATEMENT OF WORK 1. Scope of Work. Pursuant to Chapter 2022-156, Laws of Florida, Specific Appropriation 2944A, the Parties agree that the Department shall, on behalf of the Grantee, expend funds for the provision of services, licenses, or commodities awarded to the Grantee to be utilized for cybersecurity technical assistance purposes. The Grantee is being granted assistance in the form of services, licenses, or commodities to enhance its cybersecurity framework, to identify and mitigate risks, and to protect its infrastructure from threats through Florida's Local Government Cybersecurity Grant Program (the "Project"). The Florida Local Government Cybersecurity Grant is a competitive grant program to provide funding for cybersecurity technical assistance to local Florida governments to enhance their Cybersecurity capabilities. 2. Awarded Capabilities. The Department shall offer one (1) or more solutions to the Grantee for the following capabilities: Note: The Department will make its best effort to award the Grantee's preferred solution per capability. However, the Department can only contract for a limited number of solutions based on best value, technical acceptability, and operational volume. 3. Grantee Responsibilities. The Grantee shall complete the Project in accordance with the requirements set forth in this Agreement and any applicable local, State, and federal laws and regulations. The Grantee is solely responsible for ensuring that any provided solutions are compliant with applicable state and federal laws and regulations based on Grantee's intended use, including, but not limited to, Health Insurance Portability and Accountability Act, Family Educational Rights and Privacy Act, Driver Privacy Protection Act, and General Data Protection Regulation. 4. Department Responsibilities. The Department shall review Grantee reports and other records and reconcile them to ensure that the requirements of section 215.971, F.S., pertaining to agreements funded with State financial assistance are fulfilled. S. Deliverables. The Grantee shall complete the following deliverable(s) on the dates specified, but Deliverables 1-3 shall be completed by June 30, 2023: "0 Packet Pg. 1237 16. E.2.a Deliverables No. Tasks Performance Measures and Due Dates 1 Execute this Grant Agreement. The Grantee must execute the Grant Agreement within 15 calendar days of award. 2 Participate in a kick-off meeting with The Grantee shall participate in the kick-off meeting with FL[DS] and the solution provider FL[DS] and the solution provider, within five (6) calendar days of Purchase Order PO issuance. 3 Approve Final Implementation The Grantee must coordinate with the solution Plan(s) for solutions awarded. provider(s) to review the Implementation Plan(s). If the Grantee chooses to proceed with a solution, the Grantee must approve the Final Implementation Plan within five (5) calendar days of the vendor providing the draft Implementation Plan. 4 Complete all tasks in accordance The Grantee shall provide all necessary with the Final Implementation resources to execute tasks assigned to the Plan(s). Grantee in the Final Implementation Plan(s). 5 Notify the Department's Grant The Grantee shall notify the Department's Manager of implementation Grant Manager in writing within 10 calendar completion per the Final days of implementation completion. Implementation Plan. 6. Reporting Requirements. The Department may request status meetings for the Grantee to report on the implementation status, as necessary, with the Grantee's Grant Manager, The Department may, at its sole discretion, develop a format and deadlines the Grantee must comply with when reporting the information above. The Grantee's failure to confirm completion of the Final implementation Plan(s) or comply with the reporting format and schedule may result in termination of the awarded solutions. 7. Performance Standards. The Grantee shall timely perform all tasks and provide deliverables as set forth in this Agreement. The Department is entitled at all times, upon request, to be advised as to the status of work being done by the Grantee, on behalf of the grantee, and the details thereof. If the Department determines that there is a performance deficiency that requires correction by the Grantee, then the Department shall notify the Grantee. The Grantee shall make the correction within a timeframe specified by the Department. The Grantee shall provide the Department with a corrective action plan describing how the Grantee will address all performance deficiencies identified by the Department. If the corrective action plan is unacceptable to, or implementation of the plan falls to remedy the performance deficiencies, the Grantee shall work cooperatively with the Department to modify the corrective action plan or to remedy the deficiencies. Additionally, if a performance deficiency is attributable to the rn N M N N N U) 0 Packet Pg. 1238 16. E.2.a rn N performance of a contractor or subcontractor of the Grantee, the Grantee shall take all actions N available to it to enforce financial consequences in its contract with the contractor or N subcontractor or to pursue damages. U) 0 8. Financial Consequences for Failure to Timely and Satisfactorily Perform. o Violations of this Agreement or applicable licenses, or failure to provide the deliverables, may result, except as detailed above, in termination of access to awarded solutions and require immediate removal of all software, hardware, or related services. Grantee may be subject to financial assessments related to such violations. This provision for financial consequences shall not affect the Department's right to terminate the Agreement as provided elsewhere in the Agreement. REMAINDER OF PAGE INTENTIONALLY LEFT BLANK CAQ Packet Pg. 1239 16. E.2.a 0 Department of Financial Services Division of flccounling and Auditing - Bureau of editing Attachment B: AUDIT REQUIREMENTS FOR AWARDS OF STATE AND FE,DERAL FINANCIAL ASSISTANCE The administration of resources awarded by the Department of Management Services (Department) to the Grantee may be subject to audits and/or monitoring by the Department, as described in this section. MONITORING In addition to reviews of audits conducted in accordance with 2 CFR 200, Subpart F - Audit Requirements, and section 215.97, Florida Statutes (F.S.), as revised (see AUDITS below), monitoring procedures may include, but not be limited to, on -site visits by Department staff, limited scope audits as defined by 2 CFR §200,425, or other procedures. By entering into this agreement, the Grantee agrees to comply and cooperate with any monitoring procedures or processes deemed appropriate by the Department. In the event the Department determines that a limited scope audit of the Grantee is appropriate, the Grantee agrees to comply with any additional instructions provided by Department staff to the Grantee regarding such audit. The Grantee further agrees to comply and cooperate with any inspections, reviews, investigations, or audits deemed necessary by the Chief Financial Officer (CFO) or Auditor General. AUDITS Part 1: Federally Funded This part is applicable if the Grantee is a state or local government or a nonprofit organization as defined in 2 CFR §200.90, §200.64, and §200.70. 1. A Grantee that expends $750,000 or more in federal awards in its fiscal year must have a single or program -specific audit conducted in accordance with the provisions of 2 CFR 200, Subpart F - Audit Requirements. EXHIBIT 1 to this form lists the federal resources awarded through the Department by this agreement. In determining the federal awards expended in its fiscal year, the Grantee shall consider all sources of federal awards, including federal resources received from the Department. The determination of amounts of federal awards expended should be in accordance with the guidelines established in 2 CFR §§200.502- 503. An audit of the Grantee conducted by the Auditor General in accordance with the provisions of 2 CFR §200.514 will meet the requirements of this Part. 2. For the audit requirements addressed in Part I, paragraph 1, the Grantee shall fulfill the requirements relative to auditee responsibilities as provided in 2 CFR §§200.508-512. 3. A Grantee that expends less than $750,000 in federal awards in its fiscal year is not required to have an audit conducted in accordance with the provisions of 2 CFR 200, Subpart F - Audit Requirements. If the Grantee expends less than $750,000 in federal awards in its fiscal year and elects to have an audit conducted in accordance with the provisions of 2 CFR 200, Subpart F - Audit Requirements, the cost of the audit must be paid from non- federal resources (i.e., the cost of such an audit must be paid from Grantee resources obtained from other than federal entities). Part II: State Funded 1. In the event that the Grantee expends a total amount of state financial assistance equal to or in excess of $750,000 in any fiscal year of such Grantee (for fiscal years ending June 30, DFS-A2-CL Rev. 11/18 Rule 691-5.006, F.A.C. rn N M N N N U) 0 Packet Pg. 1240 16. E.2.a AUDIT REQUIREMENTS FOR AWARDS OF STATE AND FEDERAL FINANCIAL ASSISTANCE 2017, and thereafter), the Grantee must have a state single or project -specific audit for such fiscal year in accordance with section 215.97, F.S.; Rule Chapter 691-5, F.A.C., State Financial Assistance; and Chapters 10.550 (local governmental entities) and 10.650 (nonprofit and for -profit organizations), Rules of the Auditor General, EXHIBIT 1 to this form lists the state financial assistance awarded through the Department this agreement. In determining the state financial assistance expended in its fiscal year, the Grantee shall consider all sources of state financial assistance, including state financial assistance received from the Department, other state agencies, and other nonstate entities. State financial assistance does not include federal direct or pass -through awards and resources received by a nonstate entity for federal program matching requirements. 2. For the audit requirements addressed in Part II, paragraph 1, the Grantee shall ensure that the audit complies with the requirements of section 215.97(8), F.S. This includes submission of a financial reporting package as defined by section 215.97(2), F.S., and Chapters 10.550 (local governmental entities) and 10.650 (nonprofit and for -profit organizations), Rules of the Auditor General. 3. If the Grantee expends less than $750,000 in state financial assistance in its fiscal year (for fiscal years ending June 30, 2017, and thereafter), an audit conducted in accordance with the provisions of section 215.97, F.S., is not required. If the Grantee expends less than $750,000 in state financial assistance in its fiscal year and elects to have an audit conducted in accordance with the provisions of section 215.97, F.S., the cost of the audit must be paid from the nonstate entity's resources (i.e., the cost of such an audit must be paid from the Grantee's resources obtained from other than state entities). Part III: Other Audit Requirements N/A Part IV: Report Submission Copies of reporting packages for audits conducted in accordance with 2 CFR 200, Subpart F - Audit Requirements, and required by Part I of this form shall be submitted, when required by 2 CFR §200.512, by or on behalf of the Grantee directly to the Federal Audit Clearinghouse (FAC) as provided in 2 CFR §200.36 and §200.512. The FAC's website provides a data entry system and required forms for submitting the single audit reporting package. Updates to the location of the FAC and data entry system may be found at the OMB website. 2. Copies of financial reporting packages required by Part II of this form shall be submitted by or on behalf of the Grantee directly to each of the following: The Department at each of the following addresses: Electronic copies (preferred): C bersecurik rants di ital,fl. ov M1 Paper copies: Grant Manager Florida Digital Service Department of Management Services DFs-A2-CL Rev. 11118 Rule 69I-5.006, F.A.C. rn N Cl) N N N cn 0 Packet Pg. 1241 16. E.2.a AUDIT REQUIREMENTS FOR AWARDS OF STATE AND FEDERAL FINANCIAL ASSISTANCE 2555 Shumard Oaks Blvd, Suite 200 Tallahassee, Florida 32399 Email: Cybersecuritygrants _ digital.fl.gov b. The Auditor General's Office at the following address: Auditor General Local Government Audits/342 Claude Pepper Building, Room 401 111 West Madison Street Tallahassee, Florida 32399-1450 The Auditor General's website (https:0/flauditor.govl) provides instructions for filing an electronic copy of a financial reporting package. 3. Any reports, management letters, or other information required to be submitted to the Department pursuant to this agreement shall be submitted timely in accordance with 2 CFR §200.512, section 215.97, F.S., and Chapters 10.550 (local governmental entities) and 10.650 (nonprofit and for -profit organizations), Rules of the Auditor General, as applicable. 4. Grantees, when submitting financial reporting packages to the Department for audits done in accordance with 2 CFR 200, Subpart F - Audit Requirements, or Chapters 10.550 (local governmental entities) and 10.650 (nonprofit and for -profit organizations), Rules of the Auditor General, should indicate the date that the reporting package was delivered to the Grantee in correspondence accompanying the reporting package. Part V: Record Retention The Grantee shall retain sufficient records demonstrating its compliance with the terms of the award(s) and this agreement for a period of five (5) years from the date the audit report is issued, and shall allow the Department, or its designee, the CFO, or Auditor General access to such records upon request. The Grantee shall ensure that audit working papers are made available to the Department, or its designee, the CFO, or Auditor General upon request for a period of five (5) years from the date the audit report is issued, unless extended in writing by the Department. DFS-A2-CL Rev. 11 / 1$ Rule 691-5.006, F.A.C. rn N Cl) N N N cn 0 Packet Pg. 1242 16. E.2.a AUDIT REQUIREMENTS FOR AWARDS OF STATE AND FEDERAL FINANCIAL, ASSISTANCE EXHIBIT 1 Federal Resources Awarded to the Grantee Pursuant to this Agreement Consist of the Following: 1. Federal Program A: N/A 2. Federal Program B: NIA Compliance Requirements Applicable to the Federal Resources Awarded Pursuant to this Agreement are as Follows: 1. Federal Program A: N/A 2. Federal Program B: N/A State Resources Awarded to the Grantee Pursuant to this Agreement Consist of the Following: Matching Resources for Federal Programs: 1. Federal Program A: N/A 2. Federal Program B: N/A Subject to Section 215.97, F.S.: 1. State Project A: Cybersecurity Technical Assistance Grants State Awarding Agency: Florida Department of Management Services Catalog of State Financial Assistance Title and Number: 72.009 Amount: $ 2. State Project B: N/A Compliance Requirements Applicable to State Resources Awarded Pursuant to this Agreement Are as Follows: The compliance requirements are as stated in Grant Agreement No. DMS-22/23-269 between the Grantee and the Department, entered in State fiscal year 2022-23, DFS-A2-CI, Rev. 11/18 Rule 691-5.006, F.A.C. VAQ Packet Pg. 1243 16. E.2.a rn N Attachment C N Grantee Data Sharing Agreement N U) 0 Purposes C Grantee desires to utilize software licenses, applications, and solutions, as applicable, in connection with the attached Exhibit A — Cybersecurity Incident Response Rider and Exhibit B — Solution Rider, incorporated herein. This DSA describes the terms and conditions for the use of software licenses, applications, and solutions and protection of Covered Data, including requirements to safeguard the availability, confidentiality, and integrity of Covered Data in furtherance of the security objectives of Chapter 282, F.S. I. Definitions A. Access — The authorization to inspect, review, transmit, duplicate, communicate with, retrieve data from, or otherwise make use of any Covered Data, regardless of type, form, or nature of storage. "Access" to a computer system or network includes local and remote access, as applicable. B. Authorized Purpose — The purpose(s) for which an Authorized Third Party may access, use, or disclose the Covered Data. C. Authorized Third Party — An individual, state agency, other Florida state or local governmental entity, or a private sector contractor or service provider of the Grantee which receives Covered Data. D. Authorized User — An individual granted Access or to use Software Entitlement by either FL[DS] or Grantee. E. County and Municipality Cybersecurity Technical Assistance Program ("the Program") — refers to the grant program established by the 2022-2023 General Appropriations Act to enhance county and municipal cybersecurity and protect the infrastructure of local governments from threats. F. Covered Data — The limited subset of security data that is derived from Grantee's use of any Software Entitlements as defined in the attached Rider(s); a Grantee's confidential or proprietary information; and personal information as defined under section 501.171, F.S., and any other applicable privacy or data breach notification laws as may exist. G. Data Breach — Either (1) any unauthorized access to, or use or disclosure of, Covered Data for any purpose other than as expressly permitted by this DSA or required by law; or (2) a breach of privacy or of the security of the Covered Data. Good faith access of data by an employee or agent of the Grantee does not constitute a breach of security, provided that the information is not used for a purpose unrelated to the business or subject to further unauthorized use. H. DSA Coordinators — The individuals appointed by the signatories to this DSA as the point of contact for this DSA, who are responsible for ensuring that the Authorized Users comply with the activities identified herein. I. HIPAA - Health Insurance Portability and Accountability Act of 1996. CAO Packet Pg. 1244 16.E.2.a rn N J. Information Technology (IT) Coordinators — The individuals appointed by the signatories N to this DSA as responsible for data flow and other technology -related considerations under N this DSA. 0 K. Information Technology Resources —As defined in section 282.0041, Florida Statutes, the c data processing hardware and software and services, communications, supplies, Z personnel, facility resources, maintenance, and training. As used in this DSA, the term L also includes the definition for "information Technology," as defined in section 282.0041, Florida Statutes, to add equipment, hardware, software, firmware, programs, systems, v networks, infrastructure, media, and related material used to automatically, electronically, E and wirelessly collect, receive, access, transmit, display, store, record, retrieve, analyze, evaluate, process, classify, manipulate, manage, assimilate, control, communicate, a exchange, convert, converge, interface, switch, or disseminate information of any kind or form. L C9 L. Software Entitlement— Proprietary software provided to the Grantee under the Agreement r to satisfy provision of the solution(s) awarded to the Grantee, as identified in Attachment A.I. d) ll. Responsibilities of the Parties A. Data Transmission, Covered Data shall only be transmitted through secure file transfer protocol or other secure transmission methods utilizing a National Institute of Standards and Technology approved means of electronic encryption as well as password protection and in a file format and layout determined by FL[DS]. Covered Data shall not be transmitted via any other means, including electronic mail. If applicable to any transmission of the Covered Data, both transmitting and receiving Grantee shall completely and permanently remove Covered Data from any temporary transfer location within twenty-four (24) hours of receipt of the Covered Data. B. Compliance with Applicable Laws. Each Party covenants and agrees that, in the performance of this DSA, it shall comply with all applicable federal, state, and local laws, statutes, and regulations including, but not limited to, such laws set forth in Article VI as applicable to a Project and such other data privacy or security laws, all as they exist now and as they may be amended from time to time ("Applicable Laws"). In the event of any notice of a material violation of Applicable Laws, or an investigation into an alleged material violation, the affected Party shall promptly notify the other in writing of such notice. The Parties further agree to follow and be bound by the terms and conditions of any policy decisions or directives from the federal and state agencies with jurisdiction over the use of the data described herein upon receipt of written notice directing that such rules, policy decisions, or directives apply to this DSA. C. Compliance with Information Security Standards. Each Party covenants and agrees to comply with Rule Chapter 60GG-2, Florida Administrative Code ("Security Standards"), with respect to its obligations under this DSA. Grantee shall implement the Security Standards with respect to its obligations under this DSA as an "Agency," regardless of whether they meet the definition of "Agency" in Rule Chapter 60GG-2, Florida Administrative Code. CAO Packet Pg. 1245 16. E.2.a rn N FL[DS], Grantee, and Authorized Third Parties shall implement reasonable and Cl) appropriate administrative, technical, and physical safeguards to maintain the security and N protect the confidentiality, integrity, and availability of Access. U) 0 Grantee shall instruct all its Authorized Users with the opportunity for Access on the c safeguards and requirements of the DSA and all applicable federal and state Z r requirements. D. HIPAA Business Associate Agreement. To the extent that a Party is acting as a Business Associate (as defined by HIPAA) of the other Party, the Parties further agree to enter into a Business Associate Agreement as necessary, in the form of a mutually agreed - upon appendix to the DSA. E. Incorporation and Compliance with Exhibits, Appendices and Riders, ifApplicable. The Project Riders, and any exhibits or appendices to this DSA are hereby incorporated and made a part hereof and are an integral part of this DSA. Each Rider, Exhibit, and Appendix attached hereto or referred to herein are hereby incorporated in and made a part of this DSA as if set forth in full herein. Ill. FL[DS] Role and Responsibilities A. FL[DS] is responsible for: 1. Processing Covered Data in accordance with the State Cybersecurity Act; 2. Facilitating data sharing with the Grantee and/or an Authorized Third Party in accordance with this DSA; 3. Providing the Grantee with the option to utilize Software Entitlements; and 4. Protecting the integrity of Covered Data obtained by FL[DS] through Grantee's use of any of the Software Entitlements. FL[DS] will not disclose this Covered Data to any third party unless required by law or as otherwise authorized by Grantee. B. FL[DS] will only access, use, or disclose Covered Data, as permitted by Grantee, as required by Applicable Law, or as necessary for completion of its responsibilities under this DSA, including any Project Riders. FL[DS] will ensure that its Authorized Users only access, use, or disclose Covered Data, as permitted by Grantee, as required by Applicable Law, or as necessary for completion of its responsibilities for any Projects, as assigned by FL[DS]. C. FL[DS] will exercise reasonable care and no less than the same degree of care FL[DS] uses to protect its own confidential information to prevent confidential information from being used in a manner that is not expressly a purpose authorized in this DSA or as required by Applicable Law, IV. Grantee's Role and Responsibilities A. Covered Data is and shall remain the property of Grantee. Cho Packet Pg. 1246 16. E.2.a rn N B. Grantee is solely responsible for its Access to and use of Software Entitlements and Cl) Covered Data, including: N U) 1. Ensuring a level of security appropriate to the risk in respect of Covered Data; o 0 2. Securing Grantee's and its Authorized Users' systems and devices that can Access Z FL[DS] systems and Software Entitlements and complying with the Security Standards; 3. Selecting and/or ensuring that Grantee has selected its Authorized Users; activating and deactivating the Access, credentials, and privileges of its Authorized Users; and managing access controls to the FL[DS] system and Software Entitlements in a timely manner in accordance with the Security Standards; 4. Securing the account authentication credentials, systems, and devices of Grantee personnel who the Grantee designates to be Authorized Users; 5. Managing the compliance of its Authorized Users with the Grantee's established security measures and as required by Applicable Law; 6. Maintaining audit logs, as deemed necessary by the Grantee to demonstrate compliance with its obligations under this DSA; 7. Backing up Covered Data, if required by law or Grantee policy; and 8. Ensuring that it and its Authorized Users remain in compliance with the terms and conditions of any Software Entitlements. C. FL[DS] is not responsible for, and has no obligation for: 1. Selecting or verifying Grantee's Authorized Users, activating or deactivating the Access or credentials of Authorized Users; or 2. Protecting Covered Data that Grantee elects to store or transfer outside of FL[DS]'s and its sub -processors' systems (for example, offline or on -premises storage). V. Unauthorized Disclosure/Data Breach A. In the event of a Data Breach of the Covered Data while in Grantee's (or an Authorized Third Party's) custody or control or as a result of Grantee's (or an Authorized Third Party's) access to or use of the Covered Data, which requires the provision of notice in accordance with section 501,171, F.S., or other Applicable Law (including, but not limited to, HIPAA), the Parties agree as follows: 1. Grantee shall notify FL[DS] of the Data Breach not more than 24 hours after discovery that a Data Breach has occurred or is reasonably likely to have occurred. 2. Grantee (or its Authorized Third Party) shall be responsible for ail costs related to the Data Breach including FLCDS]' and/or Grantee's (or an Authorized Third Party's) costs of complying with all legal requirements, including the requirements for Data Breach Packet Pg. 1247 16.E.2.a rn N eM notification under Applicable Law, as well as defending any claims, actions, or lawsuits N related thereto. N If a Data Breach is subject to the notice provisions of section 501.171, F.S., or o Applicable Law, the Parties agree to cooperate and work together to ensure full legal c compliance and to provide breach notification to the extent required by Applicable Law. z Grantee shall use its best and diligent efforts to identify the individuals entitled to receive notice of the Data Breach and obtain the names and mailing information of such individuals, so that FL[DS] and/or Grantee are able to distribute the notices within o the legally required time periods. FL[DS] and/or Grantee, as applicable, shall bear its V internal administrative and other costs incurred in identifying the affected individuals and their mailing information. o 4. In the event of a Data Breach, including the privacy or security of the Covered Data, while in the custody or control of the Grantee, if the Grantee must provide notice as a result of the requirements contained in section 501.171, F.S., or other Applicable Law, the Grantee shall submit a draft of the notice to FL[DS] for prior review and approval of the contents of the notice, prior to disseminating the notice. Such approval shall not be unreasonably delayed or withheld. B. If Grantee experiences a breach of the security of its systems that results in a breach of the security of FL[DS]'s systems ("FL[DS] Breach"), Grantee shall be responsible for all costs related to the FL[DS] Breach including FL[DS]'s costs of complying with all legal requirements, including any costs for data breach notification under section 501.171, F.S., or Applicable Law, as well as defending any claims, actions, or lawsuits against the FL[DS] related thereto. Grantee, at its own expense, shall cooperate fully with FL[DS] in the investigation, eradication, remediation, and recovery from the FL[DS] Breach. C. If FL[DS] experiences a breach of the security of its systems that results in a breach of the security of Grantee's systems ("Grantee Breach"), FL[DS] shall be responsible for all costs related to the Grantee Breach including Grantee's costs of complying with all legal requirements, including the requirements for data breach notification under section 501.171, F.S., or Applicable Law, as well as defending any claims, actions or lawsuits related thereto. FL[DS], at its own expense, shall cooperate fully with Grantee in the investigation, eradication, remediation, and recovery from the Grantee Breach. D. If either FL[DS] or Grantee is obligated under this Section to pay costs incurred by the other Party, the Party required to pay such costs shall submit a draft of the legal notifications and other public communications to the other Party for prompt review and approval of the contents prior to disseminating the notification or communication. Such approval shall not be unreasonably delayed or withheld. E. The Parties understand and agree the provisions of this DSA relating to the protection and security of the Covered Data constitute a material condition of this DSA. VI. Additional Terms Applicable to Certain Circumstances. A. Grantee is responsible for their Covered Data and entering into any required additional agreements related thereto. Grantee shall provide the FL[DS] DSA Coordinator with written notice prior to granting Access to any of the data types listed in subsections B-E, 00 Packet Pg. 1248 16. E.2.a rn N below, to FL[DS] or Software Entitlements. In the event of a conflict between the terms N and conditions of this Article VI and the remainder of the DSA, the terms and conditions N of Article VI shall control. Moreover, a Project may include the use of information described U) in more than one (1) of the provisions set forth in this Article VI, or it may include the use o of information not described in this Article VI. In the event of a conflict between or among c the terms and conditions of Subsections B, C, D or E of this Article VI, the more restrictive Z r terms and conditions shall apply unless otherwise provided by Applicable Law or guidance by the applicable regulatory enforcement agencies or bodies. B. CJIS. The terms and conditions of this Section VI.B. apply when Covered Data involved in a Project includes criminal justice information. CJIS Covered Data. Covered Data may also include, but shall not be limited to, CJIS Covered Data. For purposes of this DSA, CJIS Covered Data shall mean criminal justice information that is provided by the Federal Bureau of Investigation (FBI) Criminal Justice Information Services (CJIS) system and that is necessary for law enforcement and civil agencies to perform their missions, including, but not limited to, biometric, identity history, biographic, property, and case/incident history data. 2. Disclosure of CJIS Covered Data. The disclosure of CJIS Covered Data under the DSA, as modified by this section, is governed by the CJIS Security Policy, available at httr)s://www.fbi.govlserviceslciislciis-securitv-policy-resource-center. In accordance with the CJIS Security Policy and 28 CFR Part 20, use of the CJIS system under the DSA is restricted to: detection, apprehension, detention, pretrial release, post -trial release, prosecution, adjudication, correctional supervision, rehabilitation of accused persons or criminal offenders, and other legally authorized purposes. 3. Training. The Parties agree to work together to provide Authorized Users with confidentiality, privacy, and security training regarding access, use, and disclosure requirements for the CJIS Covered Data under the CJIS Security Policy. 4. Access Re uirements. Unique authorization is required for Access to the CJIS Covered Data and must be properly authenticated and recorded for audit purposes, including CJIS security and other applicable audit requirements. C. HIPAA and State Protected Health Information. The terms and conditions of this Section VI.C. apply when Covered Data involved in a Project includes protected health information (PHI) and such other sensitive health information, the disclosure of which may be limited or restricted by law, including, but not limited to, mental health and drug and alcohol related information. PHI Covered Data. Covered Data may also include, but shall not be limited to, PHI Covered Data. For purposes of this DSA, "PHI Covered Data" shall mean "protected health information" or "PHI," as such term is defined by HIPAA. PHI shall include, but shall not be limited to, any other medical or health -related information that is afforded greater protection under more restrictive federal or state law, including, but not limited to, the Substance Abuse and Mental Health Services Act (SAMSHA), located at 42 C.F.R. Part 2, the Florida Mental Health Act (the Baker Act), located at Fla. Stat. § 394.451 — 394.47892,, and the Hal S. Marchman Alcohol and Other Drug Services Act, located at -Fla. Stat. § 397.301 et seq. CAG Packet Pg. 1249 16. E.2.a rn N 2. Disclosure of PHI Covered Data. The disclosure of PHI Covered Data under the DSA, N as modified by this section, is governed by HIPAA and more restrictive federal or state N law, as applicable. Accordingly, the disclosure of PHI Covered Data under the DSAis U) permitted only with the consent of the individual who is the subject of the PHI Covered o Data, by court order that meets the requirements of applicable law, and for other c purposes as permitted by Applicable Law. Z r 3. Business Associate Agreement. To the extent that FL[DS] is a "Business Associate" of Grantee, as such term is defined under HIPAA, the Parties agree to enter into a 0 mutually agreeable Business Associate Agreement. E 4. Training. The Parties agree to work together to provide Authorized Users with L o confidentiality, privacy, and security training regarding access, use, and disclosure a requirements for the PHI Covered Data under HIPAA and more restrictive federal or state law, to the extent applicable. 5. Access Requirements. Unique authorization is required for Access and must be properly authenticated and recorded for audit purposes, including HIPAA audit requirements and other audit requirements under more restrictive federal or state law, N to the extent applicable. D. FERPA. The terms and conditions of this Section Vi.D. apply when Covered Data includes student education records as defined by the Family Educational Rights and Privacy Act, 20 USC §1232g, and its implementing regulations set forth at 34 CFR Part 99 (collectively, "FERPA"). 1. FERPA Covered Data. Covered Data may also include, but shall not be limited to, FERPA Covered Data. For purposes of this DSA, "FERPA Covered Data" shall mean student education records as defined by FERPA). 2. Disclosure of FERPA Covered Data. The disclosure of FERPA Covered Data under the DSA, as modified by this section, is governed by FERPA. Accordingly, the disclosure of FERPA Covered Data under the DSA is permitted with parent or eligible student consent and, without such consent, in the following circumstances: (i) to school officials with legitimate educational interest; (ii) to other schools to which a student is transferring; (iii) to specified officials for audit or evaluation purposes; (iv) to appropriate parties in connection with financial aid to a student; (v) to organizations conducting certain studies for or on behalf of the school; (vi) to accrediting organizations; (vii) to comply with a judicial order or lawfully issued subpoena; (viii) to appropriate officials in cases of health and safety emergencies; (ix) to state and local authorities, within a juvenile justice system, pursuant to specific state law; and (x) as otherwise provided by FERPA. 3. Training. The Parties agree to work together to provide Authorized Users with confidentiality, privacy, and security training regarding access, use, and disclosure requirements for the FERPA Covered Data under FERPA. 4. Access Requirements. Unique authorization is required for Access and must be properly authenticated and recorded for audit purposes, including FERPA and any other applicable audit requirements. -$ Packet Pg. 1250 16. E.2.a rn N E. DPPA. The terms and conditions of this Section VI.E. apply when Covered Data includes N motor vehicle record information. N U) 1. DPPA Covered Data. For purposes of the DSA, Covered Data may include, but shall o not be limited to, DPPA Covered Data. For purposes of this DSA, "DPPA Covered c Data" shall mean motor vehicle information as set forth in the Driver Privacy Protection Z r Act, 18 U.S.C. § 2721 ("DPPA"). 2. Disclosure of DPPA Covered Data. The disclosure of DPPA Covered Data under the DSA, as modified by this section, is governed by DPPA. DPPA prohibits the disclosure of personal information, as defined in 18 U.S.C. § 2725(3), that is contained in motor vehicle records, but such information may be used by any government agency, such as FL[DS] and Grantee, in carrying out its functions. Such personal information may not be re -disclosed by FL[DS] or Grantee, however, except in accordance with the permissible uses set forth at 18 U.S.C. § 2721(b). With certain limited exceptions, DPPA further prohibits the disclosure of highly restricted personal information, as defined in 18 U.S.C. § 2725(4), without the express consent of the individual who is the subject of such information. In accordance with section 119.0712(2)(d)(2), F.S., the emergency contact information contained in a motor vehicle record, without the express consent of the person to whom such emergency contact information applies, may be released only to: (a) law enforcement agencies for purposes of contacting those listed in the event of an emergency; or (b) a receiving facility, hospital, or licensed detoxification or addictions receiving facility pursuant to sections 394.463(2)(a) or 397.6772(1)(a), F.S., for the sole purpose of informing a patient's emergency contacts of the patient's whereabouts. E-mail addresses that are collected by the Florida Department of Highway Safety and Motor Vehicles also may not be disclosed pursuant to Section 119.0712(2)(c), F.S. 3. Trani_n_n. The Parties agree to work together to provide Authorized Users with confidentiality, privacy, and security training regarding access, use, and disclosure requirements for the DPPA Covered Data under DPPA and the Florida Statutes referenced above. 4. Access Requirements. Unique authorization is required for Access and must be properly authenticated and recorded for audit purposes, including, but not limited to, compliance with these terms and conditions. VII. Designation of DSA Coordinators A. The Coordinators for this DSA are: FL[DS1 DSA Coordinator: Policy Manager 2555 Shumard Oak Boulevard Tallahassee, FL 32399 Telephone: 850-413-0604 Email: mailto:Policyndigital.fl.gov Packet Pg. 1251 16. E.2.a FUDS] IT Coordinator: State Cybersecurity Information Security Officer 2555 Shumard Oak Boulevard Tallahassee, FL 32399 Telephone: 850-413-0604 Email: Cyber(@digital.fl.gov Grantee's DSA Coordinator: Name: Augusto Vega Organization: Collier County Board of County Commissioners Mailing Address: 3299 Tamiami Trail East Suite 600 City, Zip Code: Naples, 34112 Telephone: (239) 252-4327 Email: augusto.vega@colliercoutnyfl.gov Grantee's IT Coordinator: Name: Mark Gillis Organization: Collier County Board of County Commissioners Mailing Address: 3299 Tamiami Trail East Suite 600 City, Zip Code: Naples, 34112 Telephone: (239) 252-6134 Email: mark.gillis@colliercountyfl.gov B. Changes to the DSA and/or IT Coordinator designations may be accomplished by providing email change notification that is acknowledged by both Parties. Vill. Inspection of Records Each Party shall permit the other Party and any other applicable state and federal representatives with regulatory oversight over the other Party, or their designees, to conduct inspections described in this paragraph, or to make on -site inspections of records relevant to this DSA to ensure compliance with any state and federal law, regulation, or rule. Such inspections may take place with notice during normal business hours wherever the records are maintained. Each Party shall ensure a system is maintained that is sufficient to permit an audit of such Party's compliance with this DSA and the requirements specified above. Failure to allow such inspections constitutes a material breach of this DSA. This DSA may be terminated in accordance with Section VI I.C. for a material breach. IX. Grantee Additional Terms A. Contractors. Grantee shall ensure all contractors that have Access to Covered Data or Software Entitlements comply with all requirements of this DSA. The Software Entitlements shall not be Accessible by, or deployed on, Information Technology Resources not owned, employed, or controlled by Grantee. RELEVANT FLORIDA STATUTES 2022 rn N M N N N U) 0 CAG Packet Pg. 1252 16. E.2.a rn N Section 282.3185, Florida Statutes (F.S.), the "Local Government Cybersecurity Act," directs the Cl) Florida Digital Service (FL[DS]) to provide training in cybersecurity to local governments, oversee N their compliance in adopting cybersecurity standards, and to receive cybersecurity incident and U) ransomware event notifications through the State Cybersecurity Operations Center. Such incident o reporting must also include "[a] statement requesting or declining assistance from the 6 Cybersecurity Operations Center, the Cybercrime Office of the Department of Law Enforcement, Z or the sheriff who has jurisdiction over the local government." S. 282.3185, F.S. P Under Specific Appropriation 2944A of the 2022-2023 General Appropriations Act, FL[DS] was directed to establish a competitive cybersecurity technical assistance grant program for municipalities and counties. Section 119.0725, F.S., establishes that coverage limits and deductible or self-insurance amounts of insurance or other risk mitigation coverages acquired for the protection of information technology systems, operational technology systems, or data of entities subject to the requirements of section 119.07(1), F.S., and section 24(a), Article I of the State Constitution; information relating to existing or proposed information technology and operational technology systems and assets, whether physical or virtual, the incapacity or destruction of which would negatively affect security, economic security, public health, or public safety; cybersecurity incident information reported under section 282.3185, F.S.; network schematics, hardware and software configurations, or encryption information or information that identifies detection, investigation, or response practices for suspected or confirmed cybersecurity incidents, including suspected or confirmed breaches, if the disclosure of such information would facilitate unauthorized access to or unauthorized modification, disclosure, or destruction of data or information, whether physical or virtual, or information technology resources, which include an agency's existing or proposed information technology systems; and the recordings and transcripts of public meetings where such information may be revealed are confidential and exempt, and such public meetings are exempt from section 286.011, F.S., and section 24(b), Article I of the State Constitution. REMAINDER OF PAGE INTENTIONALLY LEFT BLANK Packet Pg. 1253 16.E.2.a I. Definitions In addition to the defined terms in the DSA, capitalized terms used herein have the meanings provided below; A. Cloud Console — The global administrative accounts for Software Entitlements directly managed and licensed by FL[DS]. B. Customer Account — The accounts for Software Entitlements directly utilized by Grantee. C. Information Technology Resources -- As defined in section 282.0041, Florida Statutes, data processing hardware and software and services, communications, supplies, personnel, facility resources, maintenance, and training. As used in this IR Rider, the term also includes the definition for "Information Technology," as defined in section 282.0041, Florida Statutes, to add equipment, hardware, software, firmware, programs, systems, networks, infrastructure, media, and related material used to automatically, electronically, and wirelessly collect, receive, access, transmit, display, store, record, retrieve, analyze, evaluate, process, classify, manipulate, manage, assimilate, control, communicate, exchange, convert, converge, interface, switch, or disseminate information of any kind or form. D. Managing Organization — The entity managing the use of the Software Entitlements and their Cloud Consoles. As used in this IR Rider, the Managing Organization is FL[DS]. E. Protected Grantee Data — Data, not including Telemetry Data, maintained and generated by Grantee, which shall not be Accessed or Accessible by, or sent to, Software Entitlements. F. Solution Data — Data, reports, or other information generated by Software Entitlements. This may be derived from, but does not include, Telemetry Data. G. Telemetry Data -- Data generated by Grantee through automated communication processes from multiple data sources and processed by Software Entitlements. H. View - The permissions Grantee grants to FL[DS] to see Telemetry and Solutions Data provided to the Managing Organization by Customer Accounts. A View does not permit FL[DS] Access to Protected Grantee Data. II. Purpose FL[DS] and Grantee enter into this IR Rider to establish the terms and conditions for FL[DS] access to assist Grantee with responding to incidents. rn N eM N N N CAO Packet Pg. 1254 16.E.2.a III. Incident Response A. Incident Response Support. As specified in section 282.3185(5), F.S., upon discovery of an incident, Grantee may request, or FL[DS] may offer to provide, incident response support. Access to Grantee Information Technology Resources shall be limited to the extent expressly agreed to by Grantee. Such Access and support are unilaterally terminable at any time by either Party. FL[DS] may establish, and Grantee shall comply with, protocols or procedures for reporting and requesting support for incidents under this IR Rider, responding to incidents, and the types of support available to be provided for an incident. Grantee shall mitigate the impact of the incident and preserve all relevant documents, records, and data. Grantee shall cooperate and coordinate with FL[DS] in responding to incidents where incident response support is received, including, but not limited to: 1. Assisting with any incident response related investigation by FL[DS]; 2. Providing FL[DS] with physical access to the affected facilities and operations; 3. Facilitating interviews with Grantee personnel; and 4. Making all relevant records, logs, files, data reporting, and other materials available to FL[DS] or Grantee -authorized third parties. FL[DS] shall only Access Covered Data, other Grantee data, and Grantee Information Technology Resources as permitted by Grantee. Any specific limitations on such Access shall be documented. Upon termination of each instance of incident response support, regardless of the reason for such termination, Grantee shall assist FL[DS] with any close-out or post - incident documentation upon request. B. Covered Data and Personally Identifiable Information. FL[DS] will not disclose Covered Data or other data made Accessible during incident response support to any third party unless required by law or as authorized by Grantee. In the event such data is required by law to be disclosed, FL[DS] shall make best efforts to notify Grantee prior to such disclosure. IV. FL[DS] Role and Responsibilities FL[DS] shall provide Grantee with the option to utilize the Software Entitlements to enhance the Grantee's cybersecurity and protect the Grantee's infrastructure from threats FL[DS] will Access a View of the Telemetry Data and Solution Data. FL[DS] will only use Telemetry and Solutions Data for the purpose of developing and implementing the Program; identifying and responding to risks and incidents; and in furtherance of meeting FL[DS]' and Grantee's statutory and regulatory obligations. FL[DS] will not disclose the Telemetry Data and Solutions Data to any third party unless required by law or as otherwise authorized by Grantee. FL[DS] will provide incident response services and resources as allowed and agreed to by FL[DS] and Grantee in responding to risks and incident. rn N n N N N 0 Cr' (v Packet Pg. 1255 16.E.2.a rn N V. Grantee Roles and Responsibilities N N N Grantee small cooperate with and provide all assistance necessary to FL[DS]' incident response support. o VI. Indemnification For the avoidance of doubt, the Grantee agrees to indemnify FL[DS] and the Department for any claims related to this rider pursuant to the terms provided in section R., Indemnification, of the Grant Agreement. VII. Conflict In the event of a conflict between this IR Rider, the DSA, and any other rider, the terms of this tR Rider shall control, Vlll. Liability and Termination of Incident Response Support Except as described in the DSA or other riders, incident response services and resources of FL[DS] or Grantee -authorized third parties shall be provided by FL[DS] without warranty by, and without liability to, FL[DS] or such Grantee -authorized third parties. Upon request, FL[DSj or Grantee -authorized third parties shall provide reasonable assistance to return Grantee Information Technology Resources to the operational status prior to the involvement of FL[DS] incident response support. REMAINDER OF PAGE INTENTIONALLY LEFT BLANK CAO Packet Pg. 1256 16.E.2.a Definitions In addition to the defined terms in the DSA, capitalized terms used herein have the meanings provided below: A. Protected Grantee Data — Data, not including Telemetry Data, maintained, and generated by Grantee, which shall not be Accessed or Accessible by, or sent to, the Licensed Software Solution. B. Customer Account — The Licensed Software Solution account directly utilized by Grantee. C. Local Government Cybersecurity Grant Program ("the Program") --The Program established by the 2022-2023 General Appropriations Act to improve county and municipal cybersecurity posture and resiliency. D. Licensed Software Solutions —Proprietary software provided to the Grantee under the Agreement to satisfy provision of the solution(s) awarded to the Grantee, as identified in Attachment A.1 of the Grant Agreement. E. Managing Organization — The entity managing the use of the Licensed Software Solution and its implementation. As used in this Rider, the Managing Organization is FL[DS]. F. Protected Grantee Data — Data, not including Telemetry Data, maintained, and generated by Grantee, which shall not be Accessed or Accessible by, or sent to, the Licensed Software Solution. G. Solution Console -- The global administrative account(s) directly managed and licensed by FL[DS] to provide the Grantee with the Software Entitlement. H. Solution Data —Data, reports, or other information generated by the Licensed Software Solution. May be derived from but shall not include Telemetry Data. Telemetry Data —The data generated by Grantee through automated communication processes from multiple data sources and processed by the Licensed Software Solution. View -- The permissions granted for FL[DS] to see Telemetry Data provided to the Managing Organization's Solution Console by the Customer Account. A View does not permit FL[DS] Access to Protected Grantee Data. II. Statement of Work A. Purpose/Scope: FL[DS] and Grantee enter into this Rider to establish the terms and conditions for Grantee Access to the Licensed Software Solution provided by FL[DS]; to establish the maintenance, use, and disclosure of the Telemetry Data generated by rn N eM N N N CAS Packet Pg. 1257 16. E.2.a rn N Grantee and uploaded to the Solution Console; and to provide terms and conditions for Cl) the use of the Licensed Software Solution. N cn B. FL[DS] Role and Responsibilities: FL[DS] is responsible for providing Grantee with o the option to utilize the Licensed Software Solution. c FL[DS] shall be permitted to Access a View of the Telemetry Data provided within the Solution Console via permissions to the Customer Account. FL[DS] will only use Telemetry Data for the express purpose of developing and implementing the Program and in furtherance of FL[DS]' and Grantee's statutory and regulatory obligations. FL[DS] will not disclose the Telemetry Data to any third party unless required by law or as otherwise authorized by Grantee. C. Grantee's Role and Responsibilities: Grantee is responsible for: a. Grantee Access to and use of the Licensed Software Solution in compliance with all terms and conditions related thereto, including the Agreement terms and the vendor terms and conditions to be provided to the Grantee by FL[DS] without need for an amendment hereto by the Parties and which, after provision thereof, will be deemed incorporated herein and a material component hereof; b. Activating and deactivating the Access, credentials, and privileges of its authorized users; c. Ensuring no Protected Grantee Data is submitted to the Licensed Software Solution; d. Entering into any additional agreement with FL[DS], the Licensed Software Solution provider, or other third -parties as may be required by law regarding Protected Grantee Data, as applicable; and e. Managing access controls to allow View by FL[DS] and Access by the Licensed Software Solution. Telemetry Data, even as it may be housed, maintained, or processed by the Licensed Software Solution, is and shall remain the property of Grantee. D. Indemnification: For the avoidance of doubt, the Grantee agrees to indemnify FL[DS] and the Department for any costs related to Grantee's use of the licensed Software Solution pursuant to the terms provided in section R., Indemnification, of the Grant Agreement. E. Conflict: In the event of a conflict between this Rider and the DSA, the terms of this Rider shall control. REMAINDER OF PAGE INTENTIONALLY LEFT BLANK CAA Packet Pg. 1258 16.E.2.a Florida Local Government Cybersecurity Grant Application Aide Website https://cybergrants.f1.gov/cybergrant/ Florida Local Government Cybersecurity Grant Application Aide This application aide is designed to assist you by identifying the information you will need to collect to submit an official grant application through the online grants portal. This document will not be accepted as a grant application. Florida Local Government Cybersecurity Grant Program The Florida Digital Service (FL[DS]) is the lead entity for cybersecurity in the state of Florida. It is responsible for establishing safeguards to protect data, responding to cybersecurity incidents, assessing cybersecurity risk and maturity, and developing necessary cybersecurity standards and frameworks. The FL[DS] is administering the Florida Local Government Cybersecurity Grant Program, a competitive program to extend the cybersecurity capabilities of the FL[DS] Cybersecurity Operations Center (CSOC) to Florida municipal and county governments to improve their cybersecurity posture and resiliency. * Denotes required information unless not applicable ORGANIZATIONIAPPLICANT INFORMATION *Organization Name: Collier County BCC *Organization Type (Municipality, County): County *Organization Subtype (Mayor, Board of Commissioners, Clerk of Court, Property Appraiser, Sheriff's Office, Supervisor of Elections, Tax Collector, Other) Board of Commissioners *If Other Subtype: *Organization County: Collier *Mailing Address: 3299 Tamiami Trail East *City: Naples *Zip Code: 34112 *Main Website Address: 11 Collier County, FL I Home Executive Sponsor for Grant: *Name: Mark Gillis Title: IT Director *Office Phone Number: 239-252-6134 *Receive texts? (YIN) N Mobile Phone Number: 239-285-7821 Receive texts? (YIN) Y *Email Address mark.gillis@colliercountyfl.gov Primary Contact for Grant., *Name: Augusto Vega *Title: IT Cybersecurity Manager *Office Phone Number: 239-252-4327 *Receive texts? (YIN) N Mobile Phone Number: 239-821-8987 Receive texts? (YIN) Y *Email Address augusto.vega@colliercoutnyn.gov Packet Pg. 1259 16.E.2.a Additional Contacts - Information Technology Director: *Name: Mark Gillis Title: IT Director *Office Phone Number: 239-252-6134 Receive texts? (YIN) N Mobile Phone Number: Receive texts? (YIN) *Email Address mark.gillis@colliercountyfl.gov Additional Contacts - Chief Information Security Officer or Security Manager., *Name: Augusto Vega Title: IT Cybersecurity Manager *Office Phone Number: 239-252-4327 Receive texts? (YIN) Mobile Phone Number: Receive texts? (YIN) *Email Address augusto.vega@colliercoutnyn.gov ABOUT YOUR ORGANIZATION., Total number of supported users (Customers, Staff, Contractors, Students): 3000 Total number of staff members dedicated to cybersecurity (Employees and Contractors): 5 Employees and 2 Vendor Annual operating budget of organization: Total budget for cybersecurity: - Total number of physical sites/locations: Local Eligibility: Is your organization funded or its budget approved by a county or municipality? (YIN) Yes Is your organization governed by a county or municipality? (Y/N) Yes Are your organization's systems or data integrated with those of a county or municipality? (YIN) Yes Are there other reasons your organization is considered to be a local entity? If so, please explain them: NIA ABOUT YOUR IT ENVIRONMENT., Does your infrastructure send data across My Florida Network MFN2? (YIN) No Do any of your network(s) send or receive data to/from infrastructure or applications hosted by the State of Florida? (YIN) - Do the employees of your organization use applications provided by the State of Florida? (YIN) Yes Does your entity provide constituenf/public facing applications? (YIN) Yes Haw many constituents/members of the public do your applications serve annually? 392,000 Does your organization manage critical infrastructure as defined by rule 60GG-2.001(2)(a)10.,F.A.C.? (Y/N) Y How many sites/locations include critical infrastructure? ■ Provide any additional information regarding critical infrastructure as it pertains to this grant application: Total number of supported endpoints/devices (e.g. laptops, desktops, servers, mobile devices)? 9,000 o� N M N N N �C G O Z V M L C O L) E M L O L a C 'L^ V L 7 V d N L d i 00 N ti tt) N d V M N W on to N M N N N C6 0 U J LL CID C� C Q Y d L M 0 m C E t 0 M r r+ Q Packet Pg. 1260 16.E.2.a Date of your most recent cybersecurity risk assessment? I June 2022 1 What is your biggest motivation(s)/ reason(s) to apply for this grant opportunity? As part of our risk management ,Collier county has been diligently working to secure the county from cyber threats, threat actors, ransomwarelmalware, physical threats to network infrastructure, and reduce vulnerabilities. REQUESTED DOCUMENTATION To align your organization with the right capabilities and to be better prepared to support you when responding to an incident, the following documents are requested post award. Which of these documents is your organization willing to consider sharing with the FL[DS], subject to the protections of 119.0725, F.S.? *Network Diagrams (Y/N): Yes *Critical Systems Inventory (Y/N): Yes *Critical Infrastructure Inventory (if applicable) (Y/N) Yes OUR COMMITMENTS TO YOU The FL[DS] is committed to least privileged access because we believe in privacy and the minimum access required to administer the offered cyber capabilities and incident response, when requested. The following agreements will be delivered as two-party agreements with FL[DS] and your organization. They clearly describe the Florida Digital Service's intent, limitations, and restrictions. These signed agreements between FL[DS] and your organization are required within 30 days after award and prior to any solution implementation. Example riders and agreements can be found on the main Local Government Cybersecurity Grant Program webpage under the "Additional Resources" section. Grant Agreement Grantee Data Sharing Agreement Incident Response Rider Software Rider(s) as needed Warranties and Commitments will be included as part of the post -award process and provide important assurances to your organization regarding this grant. FUTURE CYSERSECUR/TY CAPABILITY NEEDS To help us plan for future grant program offerings should they become available, please tell us about other capabilities/ solutions that you would like to see offered, the provider, and product/service name of your preferred solution (if you have a preference). Check all that apply: Provider: Preferred Product/Service Name: ❑ MS Azure, Physical hardware tokens Multi -Factor Authentication (MFA) ❑ Cisco ThousandEyes, NetBrain, LogicMonitor Application Dependency and Performance Monitoring ❑ Veritas, ManageEngine, NetApp SAN, Tape drives, VMware, Iron Mountain Business Continuity (backup, disaster recovery, data encryption) ❑ MS Azure, Crowdstrike Identity and Access Management ❑ Atlassian JIRA, Cisco DNA, MAAS 360, MS Endpoint Manager Centralized Ticketing and Asset Management ❑ Zscaler, Crowstrike, Cisco VPN, Cisco Meraki Private Access / Secure (Access) Service Edge ❑ Microsoft Sentinel Security Event Information Management ❑ Nessus, Flexera, Burp Suite Governance, Risk and Compliance Tool ❑ Crowdstrike, Endpoint Manager, Quest, Zscaler, Cisco DNA Investigation, Visualization and Reporting Tool ❑ Cisco ThreatGrid, Cisco Ironport, Cisco Advanced Phishing Protection Email Security Service or Solution ❑ Tenable Nessus, Flexera, Crowdstrike Vulnerability assessment and management tool ❑ SOAR Solution Other: 01 CID N M N N N O Z V L �O♦ V E M L O L a C 'L^ V L V d to L d i Go N ti Ln N d V M N W C711 to N M N N N CC G 0 U J U_ co 0 C� C Q Y IL L M O m C E t V M r r+ Q Packet Pg. 1261 16.E.2.a CYBERSECURITY CAPABILITIES Please tell us about the following cybersecurity capabilities as it pertains to your IT environment and if you are requesting these capabilities for your organization as part of this grant opportunity. If you have questions about any of these capabilities, please contact cybersecuritygrants@digital.fl.gov. Endpoint -Based Asset Discovery - A solution focused on infrastructure which discovers network connected devices and provide a comprehensive inventory of hardware and software assets across your enterprise. Agents are typically deployed to all laptop, desktop, and server devices. *Do you have a solution providing this capability deployed in your environment? (YIN) Yes Percentage of your assets (Windows, Linux, MacOS) covered by this solution (if yes): - *Name of the solution(s) you have deployed (if yes): *Are you requesting Endpoint -Based Asset Discovery capabilities through this grant opportunity? (YIN) Yes If Yes: Provider and producttservice name of your preferred solution (if you have a preference): Cisco DNA, NESSUS How many computer users will be covered by this capability? 3000 How many devices in your environment (Windows, Linux, & MacOS) will be covered by this capability? 3000 *When is the soonest your organization will be ready to start implementing this capability from date of award? Select one: pess than 30 days, 31-60 days, 61-90 days, 91-120 days, longer) 61.90 days Network -Based Asset Discovery - Asolution providing enterprise visibility into managed, unmanaged and Internet of Things (IOT) devices discovered via network traffic. *Do you have a solution providing this capability deployed in your environment? (YIN) Yes Percentage of your assets covered by this solution (if yes): - *Name of the solution(s) you have deployed (if yes): Nessus *Are you requesting Agentless Network -Based Asset Discovery capabilities through this grant opportunity? (YIN) Yes If Yes: Provider and product'service name of your preferred solution (if you have a preference): Nessus Tennable Cloud How many physical locations (local area networks) will be covered by this capability?■ Total number of staff members in organization (include all employment types): 3000 *When is the soonest your organization will be ready to start implementing this capability from date of award? Select one: (less than 30 days, 31-60 days, 61-90 days, 91-120 days, longer) 61- 90 days External -Facing Asset Discovery -A web -facing attack surface discovery tool which provides a continuously updated inventory and vulnerability scanning of all global internet-facing assets to detect on -premises and cloud systems. *Do you have a solution providing this capability deployed in your environment? (YIN) No Percentage of your external -facing assets covered by this solution (if yes): NIA *Name of the solution(s) you have deployed (if yes): NIA Packet Pg. 1262 16.E.2.a *Are you requesting Internet -Facing Asset Discovery capabilities through this grant opportunity? (Y/N) Yes If Yes: Provider and product/service name of your preferred solution (if you have a preference): No Preference How many external -facing assets are in your environmentU *When is the soonest your organization will be ready to start implementing this capability from date of award? Select one: (less than 30 days, 31-60 days, 61-90 days, 91-120 days, longer) 91.120 days Content Delivery Network - Software to manage and secure enterprise web and mobile assets, both .corn and .gov, by protecting websites and APIs against DDoS and targeted web app attacks while fending off adversarial bots, detecting client -side script attacks, and protecting your users accounts from fraud. *Do you have a solution providing this capability deployed in your environment? (YIN) Yes Percentage of your hostnames covered by this solution (if yes): 90% *Name of the solutions) you have deployed (if yes): MAAS 360, MS Azure, DigiCert, UTM, Cisco FMC *Are you requesting Content Delivery Network capabilities through this grant opportunity? (Y/N) Yes If Yes: Provider and product/service name of your preferred solution (if you have a preference): No preference Number of hostnames/domain names in your environment: Percentage of your hostnames that will be protected by this capability: - Total estimated monthly web traffic (ex. 50GB):= *When is the soonest your organization will be ready to start implementing this capability from date of award? Select one: pess than 30 days, 31-60 days, 61-90 days, 91-120 days, longer) 61- 90 days Endpoint Detection & Response (EDR) -An agent deployed to each endpoint, including desktops, laptops, and servers, runs autonomously on each device and monitors all processes in real-time to provide enterprise visibility, analytics, and automated response. *Do you have a solution providing this capability deployed in your environment? (YIN) Yes Percentage of your assets (Windows, Linux, MacOS) protected by this solution (if yes�:- *Name of the solution(s) you have deployed (if yes): Crowdstrike Falcon Identity and Falcon Complete ThreatGrid, Zscaler *Are you requesting Endpoint Protection & Response (EDR) capabilities through this grant opportunity? Yes Provider and product/service name of your preferred solution (if you have a preference): Crowdstrike How many devices in your environment (Windows, Linux, MacOS) will be protected by this capability?. *When is the soonest your organization will be ready to start implementing this capability from date of award? Select one: (less than 30 days, 31-60 days, 61-90 days, 91-120 days, long implemented for a few years now. Security Operations Platform - Providing 24171365 monitoring and initial incident investigations to augment your security staffing. *Do you have a solution providing this capability deployed in your environment? (YIN) Yes As a percentage, how complete is your implementation of this solution (if yes)? 100% er) We currently have 01 N M N N N N O Z 0 M L O U E O L O L a 'L^ V �L fJ d N L d A Go N ti Ln N d V M N W Gn to N M N N N C6 0 U J LL co 0 Q Y d L M MO W C E t M r r+ Q Packet Pg. 1263 16.E.2.a *Name of the solution(s) you have deployed (if yes): Crowdstrike Falcon Identity and Falcon Complete ThreatGrid, Zscaler(ZIAIZPA) *Are you requesting Security Operations Platform capabilities through this grant opportunity? (YIN) Yes If Yes: Provider and productfservice name of your preferred solution (if you have a preference): Falcon Identity and Falcon Complete ThreatGrid Log volume per day (in GB) to be consumed by Cyber Security Operations Center (if known): SOGB List of Unique Log Sources and providers to be consumed (Ex: Firewall, Antivirus, Web Proxy, Etc.) that are not included in the capabilities offered by this grant opportunity: Crowstrike, Zscaler, Cisco DNA, Cisco ISE How many devices in your environment (Windows, Linux, MacOS1- *When is the soonest your organization will be ready to start implementing this capability from date of award? Select one: (less than 30 days, 31-60 days, 61-90 days, 91-120 days, longer) We currently have implemented for a few years now. ADDITIONAL NEEDS If there are cybersecurity capabilities specific to your organization you would like us to consider, please provide information about the need and its criticality, the solution and its projected impact, the estimated cost, and how you would procure, manage, and integrate the solution with the State Cybersecurity Operations Center. Provide sufficient information to establish goals for award and to demonstrate performance post - award. You may upload any supporting documentation in the attachments section labeled as Additional Needs. Additional Needs Attachments ADDITIONAL INFORMATION If you have additional information to share regarding your application including justification, explanation of needs, information on critical infrastructure, environmental factors, state resiliency or any other relevant information, please provide below or upload the information in the attachments section labeled as Additional Information. Packet Pg. 1264 16.E.2.b CONTRACT No.: DMS-22/23- 26 BETWEEN FLORIDA DEPARTMENT OF MANAGEMENT SERVICES AND Collier County Board of Commissioners (Grantee) AMENDMENT NO.: 1 This Amendment to Grant Agreement for the Local Government Cybersecurity Grant Program, Contract No.: DMS-22/23-2-`69 , Catalog of State Financial Assistance NUMBER: 72.009 (the "Agreement") is by and between the Florida Department of Management Services (the "Department") and Collier County Board of Commissioners (the "Grantee"), collectively referred to herein as the "Parties". Therefore, the Parties agree to amend the Contract as follows: The language in Section E.1. Fiscal Year, of the Grant Agreement is hereby struck in its entirety and replaced with the following: The funds utilized for this Agreement are from the State's 2022-2023 Fiscal Year. 2. Section R. Indemnification of the Grant Agreement is hereby struck in its entirety and replaced with the follow: R. Unauthorized Use: Further, the Grantee shall fully defend and hold harmless the State and the Department from any suits, actions, damages, and costs of every name and description, including attorneys' fees, arising from or relating to violation or infringement of a trademark, copyright, patent, trade secret, or intellectual property right provided, however, that the foregoing obligation shall not apply to the Department's misuse or modification of the Grantee's products or the Department's operation or use of the Grantee's products in a manner not contemplated by the Agreement. The Department will not be liable for any royalties. 2. The Grantee shall not be liable for any cost, expense, or compromise incurred or made by the State or the Department in any legal action without the Grantee's prior written consent, which shall not be unreasonably withheld. The State and the Department shall have the right, at its own cost and expense, to participate in all actions under this Section R. 3. For the avoidance of doubt, as the Grantee is a subdivision, as defined in section 768.28(2), F.S., pursuant to section 768.28(19), F.S., neither Party indemnifies nor insures or assumes any liability to the other Party for the other Party's negligence. Notwithstanding anything to the contrary in this section R., liability by either Party for tort claims is limited to the amounts prescribed in section 768.28, F.S., plus the Party's reasonable attorneys' fees. Contract No.: DMS-22/23-000 Amendment No.: 1 Page 1 of 3 Packet Pg. 1265 3. The last sentence in Section S. Limitation of Liability of the Grant Agreement is hereby struck and replaced with the following: This limitation shall not apply to claims arising under Section R. of this Agreement. 4. Section II.C. of Attachment C, Grantee Data Sharing Agreement, is hereby struck in its entirety. 5. The following sentence is hereby appended to Section V.E. of Attachment C, Grantee Data Sharing Agreement: This Section V. Unauthorized Disclosure/Data Breach is subject to Sections R. and S. of the Agreement. 6. To the extent any of the terms of this Amendment conflict with the terms of the Agreement, the terms of this Amendment shall control. 7. Unless otherwise modified by this Amendment, all terms and conditions contained in the Agreement shall continue in full force and effect. This Amendment is effective on the last date of execution. THIS SPACE LEFT INTENTIONALLY BLANK. Contract No.: DMS-22/23-000 Amendment No.: 1 Page 2 of 3 Packet Pg. 1266 16.E.2.b SO AGREED by the Parties' authorized representatives on the dates noted below: FLORIDA DEPARTMENT OF MANAGEMENT SERVICES Printed Name and Title <See Delegation Chart for signature authority> Date Colliertounty Board of Commissioners (Grantee) Signature Print Name and Title Date ATTEST CRYSTAL K. KINZEL, CLERK Approved as to form and legality Scott R. Teach, Deputy County Attorney c� Contract No.: DMS-22/23-000 C;� a Amendment No.: 1 Page 3 of 3 6 Packet Pg. 1267