2023-06-06 V. B. Cybersecurity Grant Agreement, Exhibit 1 • • Exhibit 1
06/06/2023
FL [DIGITAL SERVICE] MANAGEMENT
SERVICES
Ron DeSantis, Florida Governor
Pedro Allende,Secretary
James Grant,Florida State Chief Information Officer
GRANT AGREEMENT
FOR
LOCAL GOVERNMENT CYBERSECURITY GRANT PROGRAM
CONTRACT NO: DMS-22/23-345
CATALOG OF STATE FINANCIAL ASSISTANCE NUMBER: 72.009
BETWEEN
THE STATE OF FLORIDA
DEPARTMENT OF MANAGEMENT SERVICES
AND
City of Okeechobee
Florida Digital Service • 2555 Shumard Oak Blvd. • Tallahassee, FL 32399 • digital.fl.gov
• •
GRANT AGREEMENT
This Grant Agreement (Agreement) is made and entered into by and between the
Department of Management Services(Department), an agency of the State of Florida(State), and
the City of Okeechobee(Grantee) and is effective as of the date last signed. The Department and
the Grantee are sometimes referred to herein individually as a "Party" or collectively as the
"Parties."
THIS AGREEMENT IS ENTERED INTO BASED ON THE FOLLOWING
REPRESENTATIONS:
WHEREAS, the Department, through the Florida Digital Service (FL[DS]), has the
authority, pursuant to Chapter 2022-156, Laws of Florida, Specific Appropriation 2944A, to award
grants to the Grantee for cybersecurity technical assistance;and
WHEREAS, the Grantee represents that it is fully qualified and eligible to receive the grant
identified herein in accordance with the terms and conditions hereinafter set forth.
NOW THEREFORE, the Parties do mutually agree as follows:
A. Deliverables and Performance Requirements:
In accordance with Chapter 2022-156, Laws of Florida, Specific Appropriation 2944A, the Parties
agree that the funds will be utilized as described in Attachment A.1 —Solution Statement of Work
and/or Attachment A.2 — Funding Statement of Work, as applicable. The Grantee shall provide
the deliverables specified herein in accordance with the terms and conditions of this Agreement,
including its attachments and exhibits.
B. Agreement Period:
The performance period for this Agreement begins upon execution and ends upon the expiration
of the applicable cybersecurity technical assistance services or commodities awarded or
purchased pursuant to the Agreement, or in accordance with the final implementation plan(s),
unless terminated earlier in accordance with the terms of this Agreement. No renewals or
extensions of the Agreement are permitted.
C. Agreement Documents and Amendments Thereto.
1. Agreement Documents. "Agreement" means this Grant Agreement and all incorporated
attachments, exhibits, and schedules, which set forth the entire understanding of the
Parties and supersede any and all prior agreements and understandings related to the
subject matter thereof.
All attachments, exhibits, and schedules listed below are incorporated in their entirety into,
and will form part of, this Agreement. In the event of a conflict, the following order of
precedence shall apply:
a. This Grant Agreement
b. The Statement(s) of Work:
Attachment A.1 — Solution Statement of Work
Attachment A.2 — Funding Statement of Work(applicable if added by Amendment)
c. Attachment B —Audit Requirements for Awards of State and Federal Financial
Assistance, including its Exhibit 1
d. Attachment C, Grantee Data Sharing Agreement(s) ("DSA"), if applicable
• •
a. Final Implementation Plan(s), if awarded solutions under Attachment A.1.
2. Counterparts. This Agreement may be executed in any number of counterparts, all of
which taken together shall constitute one (1) single agreement between the Parties.
3. Survivability. This Agreement and any and all promises, covenants, and representations
made herein are binding upon the Parties hereto and any and all respective heirs, assigns,
and successors in interest. The respective obligations of the Parties, which by their nature
would continue beyond the termination or expiration of this Agreement, including without
limitation, the obligations regarding confidentiality, proprietary interests, and public
records, shall survive termination or expiration of this Agreement.
4. Severability. If a court of competent jurisdiction deems any term or condition of this
Agreement void or unenforceable, the other provisions are severable to that void
provision, and will remain in full force and effect. However, to the fullest extent permitted
by law, this Agreement shall be construed as if the scope or duration of such provision
had been more narrowly drafted so as not to be invalid or unenforceable.
5. Amendments. With the exception of changes to the Primary Contacts, DSA/IT
Coordinators, and the Department's/FL[DS]'s provision of the applicable vendor terms and
conditions, this Agreement may only be modified or amended by a written agreement duly
executed by the Parties.
D. Notices and Primary Contacts:
1. Notices. The Parties shall use the contact information provided in Section D.2.,
Primary Contacts, below, for all communications and notices under this Agreement.
Where the term "written notice" is used to specify a notice requirement herein, said
notice will be deemed to have been given (i) when personally delivered; (ii) when
transmitted via facsimile (with confirmation of receipt) or email (with confirmation of
receipt), provided the sender on the same day sends a confirming copy of such notice
by a recognized delivery service (charges prepaid); (iii) the day immediately following
the day(except if not a Business Day then the next Business Day) on which the notice
or communication has been provided prepaid by the sender to a recognized overnight
delivery service; or (iv) on the date actually received except where there is a date of
the certification of receipt.
2. Primary Contacts.
a. Department's Grant Manager(see section 215.971, F.S.).
Lacy Perkins
Florida Digital Service
Department of Management Services
2555 Shumard Oaks Blvd
Tallahassee, Florida 32399
Telephone: (850)413-0604
Email: CybersecurityGrants(asdiaital.fl.gov
b. Grantee's Grant Manager
Gary Ritter
City of Okeechobee
55 SE Third Avenue
Okeechobee, Florida 34974
Telephone: (863) 763-9811
• •
Email: gritter@cityofokeechobee.com
1. Changes in Primary Contacts. Either Party may provide notice to the other Party by
email identifying a change of a designated primary contact and providing the new
contact information for the newly designated primary contact. Such notice must be
sent to the other Party's Grant Manager and is sufficient to effectuate this change
without requiring a written amendment to this Agreement.
E. Payment, Funding, and Award Considerations:
1. Fiscal Year. The funds utilized for this Agreement are from the State's 2022-2023 Fiscal
Year, which begins July 1, 2022, and expires on June 30, 2023.
2. Funding Awards. Pursuant to section 215.971, F.S., if funding is provided to the Grantee
under this Agreement pursuant to Attachment A.2 — Funding Statement of Work, the
following applies:
a. The Grantee may only expend funding under this Agreement for allowable costs
resulting from obligations incurred during the performance period.
b. The Grantee shall refund to the Department any balance of unobligated funds that was
advanced or paid to the Grantee.
c. The Grantee shall refund to the Department all funds paid in excess of the amount to
which the Grantee or its subrecipients are entitled under the terms and conditions of
the Agreement.
3. Services, Licenses, or Commodities Awards. If applicable, the Grantee agrees to
implement services, licenses, or commodities described in Attachment A.1 — Solution
Statement of Work, according to the Final Implementation Plan(s) as executed by the
Parties.
All use of the items described in Attachment A.1 —Solution Statement of Work are subject
to the terms and conditions of the DSA and applicable riders attached thereto. If awarded
funding and the Grantee desires to integrate purchased services, licenses, or commodities
with the State Cybersecurity Operations Center, a DSA shall be separately executed for
such.
As this Agreement will need to be entered prior to the procurement of the awarded
services, licenses, or commodities, the availability of such awarded services, licenses, or
commodities may be affected and are subject to change. If such changes are required,
the Department will work with the Grantee to amend this Agreement. Such limitations do
not apply for funding awards.
4. State Financial Assistance. In accordance with section 215.971(1), Florida Statutes(F.S.),
the Grantee may utilize any provided commodities or services only in accordance with this
Agreement.
5. Payment Process. The Department agrees to purchase all commodities or services
awarded to the Grantee on behalf of the Grantee as described in Attachment A.1 —
Solution Statement of Work. For funding awards, please see Attachment A.2 —Funding
Statement of Work.
• •
A. Compliance with Law:
1. Applicable Law. The Parties shall comply with the applicable state and federal laws, rules,
regulations, and policies, including, but not limited to, those identified in thisAgreement.
2. Governing Law. The Grantee agrees that this Agreement is entered into in the State of
Florida, and shall be construed, performed, and enforced in all respects in accordance
with the laws, rules, and regulations of the State. Each Party shall perform its obligations
herein in accordance with the terms and conditions of this Agreement.Without limiting the
provisions of Section Q, Dispute Resolution, the exclusive venue of any legal or equitable
action that arises out of or relates to the Agreement shall be the appropriate State court in
Leon County, Florida; in any such action, the Parties waive any right tojury trial.
3. Ethics. The Grantee shall comply with the requirements of sections 11.062 and 216.347,
F.S. The Grantee shall not, in connection with this or any other agreement with the State,
directly or indirectly:
a. offer, confer, or agree to confer any pecuniary benefit on anyone as consideration for
any State officer or employee's decision, opinion, recommendation, vote, other
exercise of discretion, or violation of a known legal duty; or
b. offer, give, or agree to give to anyone any gratuity for the benefit of, or at the direction
or request of, any State officer or employee. For purposes of this subsection b,
"gratuity" means any payment of more than nominal monetary value in the form of
cash, travel, entertainment, gifts, meals, lodging, loans, subscriptions, advances,
deposits of money, services, employment, or contracts of any kind.
Upon request of the Department's Inspector General, or other authorized State official, the
Grantee shall provide any type of information the Inspector General deems relevant to the
Grantee's integrity or responsibility. Such information may include, but shall not be limited
to, the Grantee's business or financial records, documents, or files of any type or form that
refer to or relate to this Agreement. The Grantee shall retain such records in accordance
with the record retention requirements of Part V of Attachment B, Audit Requirements for
Awards of State and Federal Financial Assistance.
3. Advertising. Subject to Chapter 119, F.S., the Grantee shall not publicly disseminate any
information concerning this Agreement without prior written approval from the Department,
including, but not limited to, mentioning this Agreement in a press release or other
promotional material, identifying the Department or the State as a reference, or otherwise
linking the Grantee's name and either a description of the Agreement or the name of the
Department or the State in any material published, either in print or electronically, to any
entity that is not a Party to this Agreement, except potential or actual authorized
distributors, dealers, resellers, or service representatives.
4. Conflict of Interest. This Agreement is subject to Chapter 112, F.S. The Grantee shall
disclose the name of any officer, director, employee, or other agent who is also an
employee of the State. The Grantee shall also disclose the name of any State employee
who owns, directly or indirectly, more than a five percent (5%) interest in the Grantee or
its affiliates.
5. Records Retention. The Grantee shall retain all records made or received in conjunction
with the Agreement for the longer of five (5) years after the end of the Agreement period
and all pending matters or the period required by the General Records Schedules
• •
maintained by the Florida Department of State (available at:
https://dos.mvflorida.comlmedia/703328/gs1-s1-2020.pdf). If the Grantee's record
retention requirements terminate prior to the requirements stated herein, the Grantee may
meet the Department's record retention requirements for this Agreement by transferring
its records to the Department at that time, and by destroying duplicate records in
accordance with section 501.171, F.S., and, if applicable, section 119.0701, F.S. The
Grantee shall adhere to established information destruction standards such as those
established by the National Institute of Standards and Technology Special Publication
800-88, "Guidelines for Media Sanitization" (2014). See
https://nvlpubs.nist.qov/nistpubs/Special Publications/NIST.SP.800-88r1.pdf.
3. MvFloridaMarketPlace(MFMP). Disbursements under this Agreement are disbursements
of State financial assistance to a recipient as defined in section 215.97, F.S., and are
exempt from the MFMP Transaction Fee pursuant to Rule 60A-1.031(6)(d), F.A.C. The
Department, on behalf of the Grantee, will process payments for commodities or services
awarded through MFMP.
A. Recoupment of Funds:
1. Notwithstanding the damages limitations of Section S, Limitation of Liability, if the
Grantee's non-compliance with any provision of the Agreement results in additional costs
or monetary loss to the Department or the State, the Department can recoup the costs or
losses from monies owed to the Grantee under this Agreement or any other agreement
between the Grantee and any State entity. In the event that the discovery of additional
costs or losses arises when no monies are available under this Agreement or any other
agreement between the Grantee and any State entity, the Grantee shall repay such costs
or losses to the Department in full within thirty (30) days from the date of discovery or
notification, unless the Department agrees, in writing, to an alternative timeframe. The
Department shall not be liable for any penalties or costs associated with the Grantee's
misuse of the awarded services, licenses, or commodities.
2. If the Grantee or its independent auditor discovers that an overpayment has been made,
the Grantee shall repay said overpayment within forty (40) calendar days without prior
notification from the Department. In the event that the Department first discovers an
overpayment has been made, the Department will notify the Grantee in writing. Should
repayment not be made in a timely manner, the Department shall be entitled to charge
interest at the lawful rate of interest on the outstanding balance beginning forty (40)
calendar days after the date of notification or discovery. Refunds should be sent to the
Department's Agreement Manager and made payable to the"Department of Management
Services." If this Agreement is terminated for cause,the Department, at its discretion, may
require that the Grantee return to the Department any funds that were used for purposes
that are considered ineligible under this Agreement.
B. Audits and Records:
1. Representatives of the Department, including the State's Chief Financial Officer, the
State's Auditor General, and representatives of the federal government, shall have access
to any of the Grantee's books, documents, papers, and records, including electronic
storage media, as they may relate to this Agreement, for the purposes of conducting audits
or examinations or making excerpts or transcriptions.
2. The Grantee shall maintain books, records, and documents in accordance with the
generally accepted accounting principles to sufficiently and properly reflect all services,
licenses, or commodities received by the Department under this Agreement.
• •
1. The Grantee shall comply with all applicable requirements of section 215.97, F.S., and
Attachment B, Audit Requirements for Awards of State and Federal Financial Assistance.
If the Grantee is required to undergo an audit, the Grantee shall disclose all related party
transactions to the auditor.
2. The Grantee shall retain all its records, financial records, supporting documents, statistical
records, and any other documents, including electronic storage media, pertinent to this
Agreement in accordance with the record retention requirements of Part V of Attachment
B,Audit Requirements for Awards of State and Federal Financial Assistance. The Grantee
shall cooperate with the Department to facilitate the duplication and transfer of such
records or documents upon the Department's request.
3. If awarded services, licenses, or commodities described in Attachment A.1, Solution
Statement of Work, the Grantee shall include records of the start and end dates for all
tasks in the Final Implementation Plan(s). Additional requirements may be incorporated in
the Final Implementation Plan(s).
4. The Grantee shall include the aforementioned audit and recordkeeping requirements in
all approved subrecipient contracts and assignments.
C. Public Records and Records Production:
1. Identification and Protection of Confidential Information. Article 1, section 24, Florida
Constitution, guarantees every person access to all public records, and section 119.011,
F.S., provides a broad definition of "public record." As such, records submitted to the
Department (or any other State agency) are public records and are subject to disclosure
unless exempt from disclosure by law. The following records for agencies, as "agency" is
defined in section 119.011(2), F.S., are confidential and exempt pursuant to section
119.0725, F.S.:
a. cybersecurity insurance limits and deductibles;
b. information relating to critical infrastructure;
c. incident reporting information pursuant to sections 282.318 and 282.3185, F.S.;
d. network schematics;
e. hardware and software configurations; and
f. encryption information or information that identifies detection, investigation, or
response practices for suspected or confirmed cybersecurity incidents, including
suspected or confirmed breaches.
If the Grantee considers any portion of other records it provides to the Department(or any
other State agency) to be trade secret or otherwise confidential or exempt from disclosure
under Florida or federal law, the Grantee shall mark the document as "confidential" and
simultaneously provide the Department (or other State agency) with a separate, redacted
copy of the record. Such records and those records made confidential and exempt
pursuant to section 119.0725, F.S., shall be considered "Confidential Information." For
each portion redacted, the Grantee shall describe in writing the grounds for claiming the
exemption, including the specific statutory citation for such exemption. The Grantee shall
only redact portions of records that it claims are Confidential Information.
In the event of a request for public records pursuant to Chapter 119, F.S., the Florida
Constitution, or other authority, to which records that are marked as "confidential" are
responsive, the Department will provide the Grantee-redacted copy to the requestor. If a
requestor asserts a right to the redacted Confidential Information, the Department will
notify the Grantee such an assertion has been made. It is the Grantee's responsibility to
• •
take the appropriate legal action to assert that the information in question is exempt from
disclosure under Chapter 119, F.S., or other applicable law.
If the Department becomes subject to a demand for discovery or disclosure of documents
that are marked as "confidential" in a legal proceeding, the Department will give the
Grantee notice of the demand or request. The Grantee shall take the appropriate legal
action in response to the demand and to defend its claims of confidentiality. If the Grantee
fails to take appropriate and timely action to protect the records it has designated as
Confidential Information, the Grantee agrees that the Department is permitted to treat
those records as not confidential and the Department is permitted to provide the
unredacted records to the requester and the Grantee agrees not to pursue any suit, action,
or claim, including for damages, against the Department or its employees, attorneys,
agents or volunteers.
The Grantee shall protect, defend, and indemnify the Department from all suits, claims,
actions, demands, liability, costs, fines, and attorneys' fees arising from or relating to the
Grantee's determination that the redacted portions of its records are Confidential
Information, including all costs, including attorney's fees, incurred regarding the
entitlement or amount of such attorney's fees. If the Grantee fails to submit a redacted
copy in accordance with this section, of information it claims is Confidential Information,
the Department is authorized to produce the entire record submitted to the Department,
including those records marked"confidential," in response to a public records request for,
or demand for discovery or disclosure of, these records and the Grantee agrees not to
pursue any suit, action, or claim, including for damages, against the Department or its
employees, attorneys, agents, or volunteers.
1. Inspection of Records. In accordance with section 216.1366, F.S., the Department is
authorized to inspect the: (a)financial records, papers, and documents of the Grantee that
are directly related to the performance of this Agreement or the expenditure of State funds;
and (b) programmatic records, papers, and documents of the Grantee which the
Department determines are necessary to monitor the performance of this Agreement or to
ensure that the terms of this Agreement are being met. The Grantee shall provide such
records, papers, and documents requested by the Department within ten (10) Business
Days after the request is made.
D. Non-Discrimination:
The Grantee shall not unlawfully discriminate against any individual employed in the performance
of this Agreement due to race, religion, color, sex, physical handicap unrelated to such person's
ability to engage in this work, national origin, ancestry, or age. The Grantee shall provide a
harassment-free workplace, and any allegation of harassment shall be given priority attention and
action.
E. Duty of Continuing Disclosure of Legal Proceedings and Instances of Fraud:
1. The Grantee shall provide written notice to the Department disclosing any criminal
litigation, investigation, or proceeding that arises during the Agreement period involving
the Grantee except where the Grantee is involved in a prosecutorial or administrative
capacity, or, to the extent the Grantee is aware, any of the Grantee's subrecipients or
contractors (or any of the foregoing entities' current officers or directors). The Grantee
shall also provide written notice to the Department disclosing any civil litigation, arbitration,
or proceeding that arises during the Agreement period that is related to or involves any
services, licenses, or commodities under the Agreement, to which the Grantee (or,to the
• •
extent the Grantee is aware, any subrecipient or contractor hereunder) is a party, and
which:
a. might reasonably be expected to adversely affect the viability or financial stability of
the Grantee or any subrecipient or contractor hereunder; or
b. involves a claim or written allegation of fraud against the Grantee, or any subrecipient
or contractor hereunder, by a governmental or public entity arising out of business
dealings with governmental or public entities.
All notices under this section must be provided to the Department within thirty (30)
business days following the date that the Grantee first becomes aware of any such
litigation, investigation, arbitration, or other proceeding (collectively, a "Proceeding").
Details of settlements that are prevented from disclosure by the terms of the settlement
must be annotated as such.
2. This duty of disclosure applies to each officer and director of the Grantee, subrecipients,
or contractors when any proceeding relates to the officer's or director's business or
financial activities.
3. Instances of Grantee operational fraud or criminal activities, regardless of whether a legal
proceeding has been initiated, shall be reported to the Department's Agreement Manager
within twenty-four (24) hours of the Grantee being made aware of the incident.
4. The Grantee shall promptly notify the Department's Grant Manager of any Proceeding
relating to or affecting the Grantee's, subrecipient's, or contractor's business. If the
existence of such Proceeding causes the State to conclude that the Grantee's ability or
willingness to perform the Agreement is jeopardized, the Grantee shall be required to
provide the Department's Grant Manager all reasonable assurances requested by the
Department to demonstrate that:
a. the Grantee will be able to perform the Agreement in accordance with its terms and
conditions; and
b. the Grantee and/or its employees, agents, subrecipients, or contractor(s)have not and
will not engage in conduct in performance under the Agreement that is similar in nature
to the conduct alleged in such Proceeding.
F. Assignments, Subgrants, and Contracts:
1. Unless otherwise specified in either version of Attachment A, Statement of Work, or
through prior written approval of the Department,the Grantee may not: 1) subgrant any of
the services, licenses, or commodities provided to the Grantee by the Department under
this Agreement; 2)contract its duties or responsibilities under this Agreement out to a third
party; or 3) assign, transfer, or sell any of the Grantee's rights or responsibilities or granted
commodities and services hereunder, unless specifically permitted by law to do so. Any
such subgrant, contract, or assignment occurring without the prior approval of the
Department shall be null and void. In the event the Department approves transfer of the
Grantee's obligations, the Grantee remains responsible for all work performed and all
expenses incurred in connection with the Agreement. In addition, this Agreement shall
bind the successors, assigns, and legal representatives of the Grantee, and of any legal
entity that succeeds the Grantee, to the Grantee's obligations to the Department.
2. The Grantee agrees to be responsible for all work performed in fulfilling the obligations of
this Agreement.
•
1. The Grantee agrees that the Department may assign or transfer its rights, duties, or
obligations under this Agreement to another governmental entity upon giving prior written
notice to the Grantee.
G. Intellectual Property Rights:
Where activities supported by this Agreement result in the creation of intellectual property rights,
the Grantee shall notify the Department, and the Department will determine whether the Grantee
will be required to grant the Department a perpetual, irrevocable, royalty-free, nonexclusive
license to use, and to authorize others to use for State government purposes, any resulting
patented, copyrighted, or trademarked work products developed under this Agreement.
H. Independent Contractor Status:
It is mutually understood and agreed to that at all times during the Grantee's performance of its
duties and responsibilities under this Agreement that Grantee is acting and performing as an
independent contractor. The Department shall neither have nor exercise any control or direction
over the methods by which the Grantee shall perform its work and functions other than as provided
herein. Nothing in this Agreement is intended to or shall be deemed to constitute a partnership or
joint venture between the Parties.
1. The Grantee (and its officers, agents, employees, subrecipients, contractors, or
assignees), in performance of this Agreement, shall act in the capacity of an independent
contractor and not as an officer, employee, or agent of the State. Further, unless
specifically authorized to do so, the Grantee shall not represent to others that, as the
Grantee, it has the authority to bind the Department or the State.
2. Unless the Grantee is a State agency, neither the Grantee nor its officers, agents,
employees, subrecipients, contractors, or assignees, are entitled to State retirement or
State leave benefits, or to any other compensation of State employment as a result of
performing the duties and obligations of this Agreement.
3. The Grantee agrees to take such actions as may be necessary to ensure that each
subrecipient or contractor will also be deemed to be an independent contractor and will
not be considered or permitted to be an agent, servant, joint venturer, or partner of the
State.
4. Unless agreed to by the Department in either versions of Attachment A, Statement of
Work, the Department will not furnish services of support (e.g., office space, office
supplies, telephone service, secretarial, clerical support, etc.) to the Grantee or its
subrecipient, contractor, or assignee.
5. The Department shall not be responsible for withholding taxes with respect to the
Grantee's compensation hereunder. The Grantee shall have no claim against the
Department for vacation pay, sick leave, retirement benefits, social security, workers'
compensation, health or disability benefits, reemployment assistance benefits, or
employee benefits of any kind. The Grantee shall ensure that its employees,
subrecipients, contractors, and other agents, receive benefits and necessary insurance
(health, workers' compensation, reemployment assistance benefits) from an employer
other than the State.
6. At all times during the Agreement period, the Grantee must comply with the reporting and
Reemployment Assistance contribution payment requirements of chapter 443, F.S.
I. Entire Agreement:
This Agreement, including all referenced attachments and exhibits, embodies the entire
agreement of the Parties. There are no other provisions, terms, conditions, or obligations. This
• •
Agreement supersedes all previous oral or written communications, representations, or
agreements on this subject.
A. Termination:
1. Termination for Failure to Implement. For awarded services, licenses or commodities
under Attachment A.1 — Statement of Work, if the Grantee does not approve a Final
Implementation Plan within 15 calendar days of purchase order issuance for the awarded
solutions, this Agreement may be terminated by the Department, at its sole discretion.
2. Termination Due to the Lack of Funds. The funds utilized for this Agreement are from the
State's 2022-2023 Fiscal Year, which begins July 1, 2022, and expires on June 30, 2023.
If funds become unavailable for the Agreement's purpose, such event will not constitute a
default by the Department or the State. The Department agrees to notify the Grantee in
writing at the earliest possible time if funds are no longer available. In the event that any
funding identified by the Grantee as funds to be provided for completion of the project as
described herein becomes unavailable, including if any State funds upon which this
Agreement depends are withdrawn or redirected, the Department may terminate this
Agreement by providing written notice to the Grantee. The Department will be the final
authority as to the availability of funds.
3. Termination for Cause. The Department may terminate the Agreement if the Grantee fails
to:
a. satisfactorily complete the deliverables within the time specified in theAgreement;
b. maintain adequate progress, thus endangering performance of theAgreement;
c. honor any term of the Agreement; or
d. abide by any statutory, regulatory, or licensing requirement.
The Grantee shall continue to perform any work not terminated. The Department's rights
and remedies in this clause are in addition to any other rights and remedies provided by
law or under the Agreement. The Grantee shall not be entitled to recover any cancellation
charges or lost profits.
4. Termination for Convenience. The Department may terminate this Agreement, in whole or
in part, by providing written notice to the Grantee that the Department determined, in its
sole discretion, it is in the State's interest to do so. The Grantee shall not furnish any
product or continue services after the specified termination date in the Department's notice
of termination, except as necessary to complete the continued portion of the Agreement,
if any. The Grantee will not be entitled to recover any cancellation charges or lost profits.
4. Grantee's Responsibilities upon Termination. If the Department provides a notice of
termination to the Grantee, except as otherwise specified by the Department in that notice,
the Grantee shall:
a. Stop work under this Agreement on the date and to the extent specified in the notice.
b. Complete performance of such part of the work that has not been terminated by the
Department, if any.
c. Take such action as may be necessary, or as the Department may specify, to protect
and preserve any property which is in the possession and custody of the Grantee, and
in which the Department has or may acquire an interest.
d. Transfer, assign, and make available to the Department all property and materials
belonging to the Department upon the effective date of termination of this Agreement.
• •
No extra compensation will be paid to the Grantee for its services in connection with
such transfer or assignment.
A. Dispute Resolution:
Disputes concerning performance under the Agreement will be decided by the Department, who
shall reduce the decision to writing and serve a copy to the Grantee. In the event a Party is
dissatisfied with the dispute resolution decision,jurisdiction for any dispute arising under the terms
of the Agreement will be in State courts, and the venue will be in the Second Judicial Circuit, in
and for Leon County.
Except as otherwise provided by law, the Parties agree to be responsible for their own attorney
fees incurred in connection with disputes arising under the terms of this Agreement.
B. Indemnification:
1. The Grantee shall be fully liable for the actions of its agents, employees, partners,
subrecipients, or contractors and shall fully indemnify, defend, and hold harmless the State
and the Department, and their officers, agents, and employees, from suits, actions,
damages, and costs of every name and description, arising from or relating to personal
injury and damage to real or personal tangible property alleged to be caused in whole or
in part by the Grantee, its agents, employees, partners, subrecipients, or contractors
provided, however, that the Grantee shall not indemnify for that portion of any loss or
damages proximately caused by the negligent act or omission of the State or the
Department.
2. Further, the Grantee shall fully indemnify, defend, and hold harmless the State and the
Department from any suits, actions, damages, and costs of every name and description,
including attorneys' fees, arising from or relating to violation or infringement of a
trademark, copyright, patent, trade secret, or intellectual property right provided, however,
that the foregoing obligation shall not apply to the Department's misuse or modification of
the Grantee's products or the Department's operation or use of the Grantee's products in
a manner not contemplated by the Agreement. The Department will not be liable for any
royalties.
3. The Grantee shall not be liable for any cost, expense, or compromise incurred or made by
the State or the Department in any legal action without the Grantee's prior written consent,
which shall not be unreasonably withheld.
4. For the avoidance of doubt, as the Grantee is a subdivision, as defined in section
768.28(2), F.S., pursuant to section 768.28(19), F.S., neither Party indemnifies nor insures
or assumes any liability to the other Party for the other Party's negligence. Notwithstanding
anything to the contrary in this section R., indemnification by either Party for tortclaims is
limited to the amounts prescribed in section 768.28, F.S., plus the Party's reasonable
attorneys' fees.
C. Limitation of Liability:
Unless otherwise specifically enumerated in this Agreement, no Party shall be liable to the other
Party for special, indirect, punitive, or consequential damages, including lost data or records
(unless the Agreement requires the Grantee to back-up data or records), even if the Party has
been advised that such damages are possible. No Party shall be liable to the other Party for lost
profits, lost revenue, or lost institutional operating savings. The State and the Department may, in
addition to other remedies available to them at law or in equity and upon notice to the Grantee,
• •
retain such monies from amounts due the Grantee as may be necessary to satisfy any claim for
damages, penalties, costs, and the like asserted by or against them. Except as otherwise provided
in this Agreement or the Data Sharing Agreement or its attachments or Riders, the Department is
not liable for unauthorized access to information except as directly attributable to the actions of
the Department. For all claims against Grantee under this Agreement, and regardless of the basis
on which the claim is made, Grantee's liability under this Agreement for direct damages shall be
limited to the dollar value of this Agreement. This limitation shall not apply to claims arising under
the Indemnity paragraphs contained in this Agreement.
A. Force Majeure and Notice of Delay from Force Majeure:
Neither Party shall be liable to the other for any delay or failure to perform under this Agreement
if such delay or failure is neither the fault nor caused by the negligence of the Party or its
employees or agents and the delay is due directly to acts of God, wars, acts of public enemies,
strikes, fires, floods, or other similar cause wholly beyond the Party's control, or for any of the
foregoing that affects subrecipients, contractors, or suppliers if no alternate source of supply is
available. However, in the event a delay arises from the foregoing causes,the Party shall take all
reasonable measures to mitigate any and all resulting damages, costs, delays, or disruptions to
the project in accordance with the Party's performance requirements under this Agreement.
In the case of any delay the Grantee believes is excusable under this section, the Grantee shall
provide written notice to the Department describing the delay or potential delay and the cause of
the delay within: ten (10) calendar days after the cause that creates or will create the delay first
arose (if the Grantee could reasonably foresee that a delay could occur as a result); or five (5)
calendar days after the date the Grantee first had reason to believe that a delay could result (if
the delay is not reasonably foreseeable). THE FOREGOING SHALL CONSTITUTE THE
GRANTEE'S SOLE REMEDY OR EXCUSE WITH RESPECT TO DELAY. Providing notice in
strict accordance with this section is a condition precedent to such remedy.
The Department, in its sole discretion, will determine if the delay is excusable under this section
and will notify the Grantee of its decision in writing. The Grantee shall not assert a claim for
damages, other than for an extension of time, against the Department. The Grantee will not be
entitled to an increase in the Agreement price or payment of any kind from the Department for
any reason. If performance is suspended or delayed, in whole or in part, due to any of the causes
described in this section, after the causes have ceased to exist, the Grantee shall resume
performance, unless the Department determines, in its sole discretion, that the delay will
significantly impair the ability of the Grantee to timely complete its obligations under this
Agreement, in which case, the Department may terminate the Agreement in whole or in part.
B. Mandatory Disclosure Requirements:
1. Convicted Vendor List. The Grantee has a continuous duty to disclose to the Department
if the Grantee or any of its affiliates, as defined by section 287.133(1)(a), F.S., are placed
on the convicted vendor list. Pursuant to section 287.133(2)(a), F.S.: "A person or affiliate
who has been placed on the convicted vendor list following a conviction for a public entity
crime may not submit a bid, proposal, or reply on a contract to provide any goods or
services to a public entity; may not submit a bid, proposal, or reply on a contract with a
public entity for the construction or repair of a public building or public work; may not
submit bids, proposals, or replies on leases of real property to a public entity; may not be
awarded or perform work as a contractor, supplier, subcontractor, or consultant under a
contract with any public entity; and may not transact business with any public entity in
excess of the threshold amount provided in s. 287.017, F.S., for CATEGORY TWO for a
period of 36 months following the date of being placed on the convicted vendor list."
• •
1. Discriminatory Vendor List. The Grantee has a continuous duty to disclose to the
Department if the Grantee or any of its affiliates, as defined by section 287.134(1)(a), F.S.,
are placed on the discriminatory vendor list. Pursuant to section 287.134(2)(a), F.S.: "An
entity or affiliate who has been placed on the discriminatory vendor list may not submit a
bid, proposal, or reply on a contract to provide any goods or services to a public entity;
may not submit a bid, proposal, or reply on a contract with a public entity for the
construction or repair of a public building or public work; may not submit bids, proposals,
or replies on leases of real property to a public entity; may not be awarded or perform work
as a contractor, supplier, subcontractor, or consultant under a contract with any public
entity; and may not transact business with any public entity."
2. Antitrust Violator Vendor List. The Grantee has a continuous duty to disclose to the
Department if the Grantee or any of its affiliates, as defined by section 287.137(1)(a), F.S.,
are placed on the antitrust violator vendor list. Pursuant to section 287.137(2)(a), F.S.:"A
person or an affiliate who has been placed on the antitrust violator vendor list following a
conviction or being held civilly liable for an antitrust violation may not submit a bid,
proposal, or reply for any new contract to provide any goods or services to a public entity;
may not submit a bid, proposal, or reply for a new contract with a public entity for the
construction or repair of a public building or public work; may not submit a bid, proposal,
or reply on new leases of real property to a public entity; may not be awarded or perform
work as a contractor, supplier, subcontractor, or consultant under a new contract with a
public entity; and may not transact new business with a public entity."
3. Foreign Gifts and Contracts. The Grantee shall comply with any applicable disclosure
requirements in section 286.101, F.S. Pursuant to section 268.101(7), F.S.: "In addition to
any fine assessed under [section 286.101(7)(a), F.S.], a final order determining a third or
subsequent violation by an entity other than a state agency or political subdivision shall
automatically disqualify the entity from eligibility for any grant or contract funded by a state
agency or any political subdivision until such ineligibility is lifted by the Administration
Commission for good cause."
REMAINDER OF PAGE INTENTIONALLY LEFT BLANK
• •
IN WITNESS WHEREOF, the Parties agree to the terms and conditions of this Agreement and
have duly authorized their respective representatives to sign it on the dates indicated below.
Grantee: Department of Management Services:
City of Okeechobee
By: / /1 By:
Nameara Lo� ►n g � l c�e��-co�r .i r. Name:-- ---
Title:1 fct Title:
Date: 5.1 0 1 c9 Pa 3 Date:
• •
ATTACHMENT A.1
SOLUTION STATEMENT OF WORK
1. Scope of Work.
Pursuant to Chapter 2022-156, Laws of Florida, Specific Appropriation 2944A, the Parties
agree that the Department shall, on behalf of the Grantee, expend funds for the provision of
services, licenses, or commodities awarded to the Grantee to be utilized for cybersecurity
technical assistance purposes. The Grantee is being granted assistance in the form of
services, licenses, or commodities to enhance its cybersecurity framework, to identify and
mitigate risks, and to protect its infrastructure from threats through Florida's Local Government
Cybersecurity Grant Program (the "Project"). The Florida Local Government Cybersecurity
Grant is a competitive grant program to provide funding for cybersecurity technical assistance
to local Florida governments to enhance their cybersecurity capabilities.
2. Awarded Capabilities.
The Department shall offer one (1) or more solutions to the Grantee for the following
capabilities:
Endpoint-Based Asset Discovery (Agent); Network-Based Asset Discovery (Agentless); External-
Facing Asset Discovery; Security Operations Platform.
Note: The Department will make its best effort to award the Grantee's preferred solution per
capability. However, the Department can only contract for a limited number of solutions based
on best value, technical acceptability, and operational volume.
3. Grantee Responsibilities.
The Grantee shall complete the Project in accordance with the requirements set forth in this
Agreement and any applicable local, State, and federal laws and regulations. The Grantee is
solely responsible for ensuring that any provided solutions are compliant with applicable state
and federal laws and regulations based on Grantee's intended use, including, but not limited
to, Health Insurance Portability and Accountability Act, Family Educational Rights and Privacy
Act, Driver Privacy Protection Act, and General Data Protection Regulation.
4. Department Responsibilities.
The Department shall review Grantee reports and other records and reconcile them to ensure
that the requirements of section 215.971, F.S., pertaining to agreements funded with State
financial assistance are fulfilled.
5. Deliverables.
The Grantee shall complete the following deliverable(s) on the dates specified, but
Deliverables 1-3 shall be completed by June 30, 2023:
• •
Deliverables
No. Tasks j Performance Measures and Due Dates
Execute this Grant Agreement. The Grantee must execute the Grant
1 Agreement within 15 calendar days of award.
2 Participate in a kick-off meeting with The Grantee shall participate in the kick-off
FL[DS] and the solution provider. i meeting with FL[DS] and the solution provider
within five (5) calendar days of Purchase Order
(PO) issuance.
3 Approve Final Implementation The Grantee must coordinate with the solution
Plan(s) for solutions awarded. provider(s) to review the Implementation
Plan(s).
If the Grantee chooses to proceed with a
solution, the Grantee must approve the Final
Implementation Plan within five (5) calendar
days of the vendor providing the draft
Implementation Plan.
4 Complete all tasks in accordance The Grantee shall provide all necessary
with the Final Implementation resources to execute tasks assigned to the
Plan(s). Grantee in the Final Implementation Plan(s).
5 Notify the Department's Grant The Grantee shall notify the Department's
Manager of implementation Grant Manager in writing within 10 calendar
completion per the Final i days of implementation completion.
Implementation Plan.
5. Reporting Requirements.
The Department may request status meetings for the Grantee to report on the implementation
status, as necessary, with the Grantee's Grant Manager.
The Department may, at its sole discretion, develop a format and deadlines the Grantee must
comply with when reporting the information above. The Grantee's failure to confirm completion
of the Final Implementation Plan(s) or comply with the reporting format and schedule may
result in termination of the awarded solutions.
6. Performance Standards.
The Grantee shall timely perform all tasks and provide deliverables as set forth in this
Agreement. The Department is entitled at all times, upon request, to be advised as to the
status of work being done by the Grantee, on behalf of the grantee, and the details thereof.
If the Department determines that there is a performance deficiency that requires correction
by the Grantee, then the Department shall notify the Grantee. The Grantee shall make the
correction within a timeframe specified by the Department. The Grantee shall provide the
Department with a corrective action plan describing how the Grantee will address all
performance deficiencies identified by the Department. If the corrective action plan is
unacceptable to, or implementation of the plan fails to remedy the performance deficiencies,
the Grantee shall work cooperatively with the Department to modify the corrective action plan
or to remedy the deficiencies. Additionally, if a performance deficiency is attributable to the
performance of a contractor or subcontractor of the Grantee,the Grantee shall take all actions
• •
available to it to enforce financial consequences in its contract with the contractor or
subcontractor or to pursue damages.
5. Financial Consequences for Failure to Timely and Satisfactorily Perform.
Violations of this Agreement or applicable licenses, or failure to provide the deliverables, may
result, except as detailed above, in termination of access to awarded solutions and require
immediate removal of all software, hardware, or related services. Grantee may be subject to
financial assessments related to such violations.
This provision for financial consequences shall not affect the Department's right to terminate
the Agreement as provided elsewhere in the Agreement.
REMAINDER OF PAGE INTENTIONALLY LEFT BLANK
• •
Department of Financial Services
Dii isinn o/_-lccouniirtc,arrcl —Bureau of.1 ucli�in�
AUDIT REQUIREMENTS FOR AWARDS OF
STATE AND FEDERAL FINANCIAL ASSISTANCE
The administration of resources awarded by the Department of Management Services
(Department) to the Grantee may be subject to audits and/or monitoring by the Department, as
described in this section.
MONITORING
In addition to reviews of audits conducted in accordance with 2 CFR 200, Subpart F - Audit
Requirements, and section 215.97, Florida Statutes (F.S.), as revised (see AUDITS below),
monitoring procedures may include, but not be limited to, on-site visits by Department staff, limited
scope audits as defined by 2 CFR §200.425, or other procedures. By entering into this agreement,
the Grantee agrees to comply and cooperate with any monitoring procedures or processes
deemed appropriate by the Department. In the event the Department determines that a limited
scope audit of the Grantee is appropriate, the Grantee agrees to comply with any additional
instructions provided by Department staff to the Grantee regarding such audit. The Grantee
further agrees to comply and cooperate with any inspections, reviews, investigations, or audits
deemed necessary by the Chief Financial Officer (CFO) or Auditor General.
AUDITS
Part I: Federally Funded
This part is applicable if the Grantee is a state or local government or a nonprofit organization as
defined in 2 CFR §200.90, §200.64, and §200.70.
1. A Grantee that expends $750,000 or more in federal awards in its fiscal year must have a
single or program-specific audit conducted in accordance with the provisions of 2 CFR 200,
Subpart F - Audit Requirements. EXHIBIT 1 to this form lists the federal resources awarded
through the Department by this agreement. In determining the federal awards expended in
its fiscal year, the Grantee shall consider all sources of federal awards, including federal
resources received from the Department. The determination of amounts of federal awards
expended should be in accordance with the guidelines established in 2 CFR §§200.502-
503. An audit of the Grantee conducted by the Auditor General in accordance with the
provisions of 2 CFR §200.514 will meet the requirements of this Part.
2. For the audit requirements addressed in Part I, paragraph 1, the Grantee shall fulfill the
requirements relative to auditee responsibilities as provided in 2 CFR§§200.508-512.
3. A Grantee that expends less than$750,000 in federal awards in its fiscal year is not required
to have an audit conducted in accordance with the provisions of 2 CFR 200, Subpart F -
Audit Requirements. If the Grantee expends less than $750,000 in federal awards in its
fiscal year and elects to have an audit conducted in accordance with the provisions of 2
CFR 200, Subpart F - Audit Requirements, the cost of the audit must be paid from non-
federal resources (i.e., the cost of such an audit must be paid from Grantee resources
obtained from other than federal entities).
Part II: State Funded
1. In the event that the Grantee expends a total amount of state financial assistance equal to
or in excess of$750,000 in any fiscal year of such Grantee(for fiscal years ending June 30,
DFS-A2-CL
Rev. 11/18
Rule 69I-5.006,F.A.C.
• •
AUDIT REQUIREMENTS FOR AWARDS OF
STATE AND FEDERAL FINANCIAL ASSISTANCE
2017, and thereafter), the Grantee must have a state single or project-specific audit for such
fiscal year in accordance with section 215.97, F.S.; Rule Chapter 691-5, F.A.C., State
Financial Assistance; and Chapters 10.550 (local governmental entities) and 10.650
(nonprofit and for-profit organizations), Rules of the Auditor General. EXHIBIT 1 to this form
lists the state financial assistance awarded through the Department this agreement. In
determining the state financial assistance expended in its fiscal year, the Grantee shall
consider all sources of state financial assistance, including state financial assistance
received from the Department, other state agencies, and other nonstate entities. State
financial assistance does not include federal direct or pass-through awards and resources
received by a nonstate entity for federal program matching requirements.
1. For the audit requirements addressed in Part II, paragraph 1, the Grantee shall ensure that
the audit complies with the requirements of section 215.97(8), F.S. This includes
submission of a financial reporting package as defined by section 215.97(2), F.S., and
Chapters 10.550 (local governmental entities) and 10.650 (nonprofit and for-profit
organizations), Rules of the Auditor General.
2. If the Grantee expends less than $750,000 in state financial assistance in its fiscal year(for
fiscal years ending June 30, 2017, and thereafter), an audit conducted in accordance with
the provisions of section 215.97, F.S., is not required. If the Grantee expends less than
$750,000 in state financial assistance in its fiscal year and elects to have an audit conducted
in accordance with the provisions of section 215.97, F.S., the cost of the audit must be paid
from the nonstate entity's resources (i.e., the cost of such an audit must be paid from the
Grantee's resources obtained from other than state entities).
Part Ill: Other Audit Requirements
N/A
Part IV: Report Submission
1. Copies of reporting packages for audits conducted in accordance with 2 CFR 200, Subpart
F-Audit Requirements, and required by Part I of this form shall be submitted, when required
by 2 CFR §200.512, by or on behalf of the Grantee directly to the Federal Audit
Clearinghouse (FAC) as provided in 2 CFR §200.36 and §200.512.
The FAC's website provides a data entry system and required forms for submitting the
single audit reporting package. Updates to the location of the FAC and data entry system
may be found at the OMB website.
2. Copies of financial reporting packages required by Part II of this form shall be submitted by
or on behalf of the Grantee directly to each of the following:
a. The Department at each of the following addresses:
Electronic copies (preferred): Cybersecurityqrants a(7digital.fl.gov
or
Paper copies:
Grant Manager
Florida Digital Service
Department of Management Services
2555 Shumard Oaks Blvd, Suite 200
DFS-A2-CL
Rev. 11/18
Rule 69I-5.006,F.A.C.
• •
AUDIT REQUIREMENTS FOR AWARDS OF
STATE AND FEDERAL FINANCIAL ASSISTANCE
Tallahassee, Florida 32399
Email: Cybersecuritygrants(a�digital.fl.gov
a. The Auditor General's Office at the following address:
Auditor General
Local Government Audits/342
Claude Pepper Building, Room 401
111 West Madison Street
Tallahassee, Florida 32399-1450
The Auditor General's website (https://flauditor.gov/) provides instructions for filing an
electronic copy of a financial reporting package.
3. Any reports, management letters, or other information required to be submitted to the
Department pursuant to this agreement shall be submitted timely in accordance with 2 CFR
§200.512, section 215.97, F.S., and Chapters 10.550 (local governmental entities) and
10.650 (nonprofit and for-profit organizations), Rules of the Auditor General, as applicable.
4. Grantees, when submitting financial reporting packages to the Department for audits done
in accordance with 2 CFR 200, Subpart F - Audit Requirements, or Chapters 10.550 (local
governmental entities) and 10.650 (nonprofit and for-profit organizations), Rules of the
Auditor General, should indicate the date that the reporting package was delivered to the
Grantee in correspondence accompanying the reporting package.
Part V: Record Retention
The Grantee shall retain sufficient records demonstrating its compliance with the terms of the
award(s) and this agreement for a period of five (5) years from the date the audit report is issued,
and shall allow the Department, or its designee, the CFO, or Auditor General access to such
records upon request. The Grantee shall ensure that audit working papers are made available to
the Department, or its designee, the CFO, or Auditor General upon request for a period of five (5)
years from the date the audit report is issued, unless extended in writing by the Department.
DFS-A2-CL
Rev. 11/18
Rule 69I-5.006, F.A.C.
• •
AUDIT REQUIREMENTS FOR AWARDS OF
STATE AND FEDERAL FINANCIAL ASSISTANCE
EXHIBIT 1
Federal Resources Awarded to the Grantee
Pursuant to this Agreement Consist of the Following:
1. Federal Program A:
N/A
2. Federal Program B:
N/A
Compliance Requirements Applicable to the Federal Resources
Awarded Pursuant to this Agreement are as Follows:
1. Federal Program A:
N/A
2. Federal Program B:
N/A
State Resources Awarded to the Grantee
Pursuant to this Agreement Consist of the Following:
Matching Resources for Federal Programs:
1. Federal Program A:
N/A
2. Federal Program B:
N/A
Subject to Section 215.97, F.S.:
1. State Project A: Cybersecurity Technical Assistance Grants
State Awarding Agency: Florida Department of Management Services
Catalog of State Financial Assistance Title and Number: 72.009
Amount: $
2. State Project B:
N/A
Compliance Requirements Applicable to State Resources Awarded
Pursuant to this Agreement Are as Follows:
The compliance requirements are as stated in Grant Agreement No. DMS-22/23-345 between
the Grantee and the Department, entered in State fiscal year 2022-23.
DFS-A2-CL
Rev. 11/18
Rule 69I-5.006, F.A.C.
• •
Attachment C
Grantee Data Sharing Agreement
Purposes
Grantee desires to utilize software licenses, applications, and solutions, as applicable, in
connection with the attached Exhibit A — Cybersecurity Incident Response Rider and Exhibit B —
Solution Rider, incorporated herein. This DSA describes the terms and conditions for the use of
software licenses, applications, and solutions and protection of Covered Data, including
requirements to safeguard the availability, confidentiality, and integrity of Covered Data in
furtherance of the security objectives of Chapter 282, F.S.
Definitions
A. Access — The authorization to inspect, review, transmit, duplicate, communicate with,
retrieve data from, or otherwise make use of any Covered Data, regardless of type, form,
or nature of storage. "Access"to a computer system or network includes local and remote
access, as applicable.
B. Authorized Purpose — The purpose(s) for which an Authorized Third Party may access,
use, or disclose the Covered Data.
C. Authorized Third Party — An individual, state agency, other Florida state or local
governmental entity, or a private sector contractor or service provider of the Grantee which
receives Covered Data.
D. Authorized User—An individual granted Access or to use Software Entitlement by either
FL[DS] or Grantee.
E. County and Municipality Cybersecurity Technical Assistance Program ("the Program") —
refers to the grant program established by the 2022-2023 General Appropriations Act to
enhance county and municipal cybersecurity and protect the infrastructure of local
governments from threats.
F. Covered Data —The limited subset of security data that is derived from Grantee's use of
any Software Entitlements as defined in the attached Rider(s); a Grantee's confidential or
proprietary information; and personal information as defined under section 501.171,F.S.,
and any other applicable privacy or data breach notification laws as may exist.
G. Data Breach — Either (1) any unauthorized access to, or use or disclosure of, Covered
Data for any purpose other than as expressly permitted by this DSA or required by law; or
(2) a breach of privacy or of the security of the Covered Data. Good faith access of data
by an employee or agent of the Grantee does not constitute a breach of security, provided
that the information is not used for a purpose unrelated to the business or subject to further
unauthorized use.
H. DSA Coordinators—The individuals appointed by the signatories to this DSA as the point
of contact for this DSA,who are responsible for ensuring that the Authorized Users comply
with the activities identified herein.
I. HIPAA - Health Insurance Portability and Accountability Act of 1996.
• •
A Information Technology (IT) Coordinators — The individuals appointed by the signatories
to this DSA as responsible for data flow and other technology-related considerations under
this DSA.
B. Information Technology Resources—As defined in section 282.0041, Florida Statutes,the
data processing hardware and software and services, communications, supplies,
personnel, facility resources, maintenance, and training. As used in this DSA, the term
also includes the definition for "Information Technology," as defined in section 282.0041,
Florida Statutes, to add equipment, hardware, software, firmware, programs, systems,
networks, infrastructure, media, and related material used to automatically, electronically,
and wirelessly collect, receive, access, transmit, display, store, record, retrieve, analyze,
evaluate, process, classify, manipulate, manage, assimilate, control, communicate,
exchange, convert, converge, interface, switch, or disseminate information of any kind or
form.
C. Software Entitlement—Proprietary software provided to the Grantee under the Agreement
to satisfy provision of the solution(s) awarded to the Grantee, as identified in Attachment
A.1.
II. Responsibilities of the Parties
A Data Transmission. Covered Data shall only be transmitted through secure file transfer
protocol or other secure transmission methods utilizing a National Institute of Standards
and Technology approved means of electronic encryption as well as password protection
and in a file format and layout determined by FL[DS]. Covered Data shall not be
transmitted via any other means, including electronic mail. If applicable to any
transmission of the Covered Data, both transmitting and receiving Grantee shall
completely and permanently remove Covered Data from any temporary transfer location
within twenty-four (24) hours of receipt of the Covered Data.
B. Compliance with Applicable Laws. Each Party covenants and agrees that, in the
performance of this DSA, it shall comply with all applicable federal, state, and local laws,
statutes, and regulations including, but not limited to, such laws set forth in Article VI as
applicable to a Project and such other data privacy or security laws, all as they exist now
and as they may be amended from time to time ("Applicable Laws"). In the event of any
notice of a material violation of Applicable Laws, or an investigation into an alleged
material violation, the affected Party shall promptly notify the other in writing of such notice.
The Parties further agree to follow and be bound by the terms and conditions of any policy
decisions or directives from the federal and state agencies with jurisdiction over the use
of the data described herein upon receipt of written notice directing that such rules, policy
decisions, or directives apply to this DSA.
C. Compliance with Information Security Standards. Each Party covenants and agrees
to comply with Rule Chapter 60GG-2, Florida Administrative Code("Security Standards"),
with respect to its obligations under this DSA. Grantee shall implement the Security
Standards with respect to its obligations under this DSA as an "Agency," regardless of
whether they meet the definition of "Agency" in Rule Chapter 60GG-2, Florida
Administrative Code.
• •
FL[DS], Grantee, and Authorized Third Parties shall implement reasonable and
appropriate administrative, technical, and physical safeguards to maintain the security and
protect the confidentiality, integrity, and availability of Access.
Grantee shall instruct all its Authorized Users with the opportunity for Access on the
safeguards and requirements of the DSA and all applicable federal and state
requirements.
A HIPAA Business Associate Agreement. To the extent that a Party is acting as a
Business Associate (as defined by HIPAA) of the other Party, the Parties further agree to
enter into a Business Associate Agreement as necessary, in the form of a mutually agreed-
upon appendix to the DSA.
B. Incorporation and Compliance with Exhibits, Appendices and Riders, ifApplicable.
The Project Riders, and any exhibits or appendices to this DSA are hereby incorporated
and made a part hereof and are an integral part of this DSA. Each Rider, Exhibit, and
Appendix attached hereto or referred to herein are hereby incorporated in and made a
part of this DSA as if set forth in full herein.
III. FL[DS] Role and Responsibilities
A FL[DS] is responsible for:
1. Processing Covered Data in accordance with the State Cybersecurity Act;
2. Facilitating data sharing with the Grantee and/or an Authorized Third Party in
accordance with this DSA;
3. Providing the Grantee with the option to utilize Software Entitlements; and
4. Protecting the integrity of Covered Data obtained by FL[DS] through Grantee's use of
any of the Software Entitlements. FL[DS] will not disclose this Covered Data to any
third party unless required by law or as otherwise authorized by Grantee.
B. FL[DS] will only access, use, or disclose Covered Data, as permitted by Grantee, as
required by Applicable Law, or as necessary for completion of its responsibilities under
this DSA, including any Project Riders. FL[DS] will ensure that its Authorized Users only
access, use, or disclose Covered Data, as permitted by Grantee, as required by Applicable
Law, or as necessary for completion of its responsibilities for any Projects, as assigned by
FL[DS].
C. FL[DS] will exercise reasonable care and no less than the same degree of care FL[DS]
uses to protect its own confidential information to prevent confidential information from
being used in a manner that is not expressly a purpose authorized in this DSA or as
required by Applicable Law.
IV. Grantee's Role and Responsibilities
A Covered Data is and shall remain the property of Grantee.
• •
A Grantee is solely responsible for its Access to and use of Software Entitlements and
Covered Data, including:
1. Ensuring a level of security appropriate to the risk in respect of Covered Data;
2. Securing Grantee's and its Authorized Users' systems and devices that can Access
FL[DS] systems and Software Entitlements and complying with the Security
Standards;
3. Selecting and/or ensuring that Grantee has selected its Authorized Users; activating
and deactivating the Access, credentials, and privileges of its Authorized Users; and
managing access controls to the FL[DS] system and Software Entitlements in a timely
manner in accordance with the Security Standards;
4. Securing the account authentication credentials, systems, and devices of Grantee
personnel who the Grantee designates to be Authorized Users;
5. Managing the compliance of its Authorized Users with the Grantee's established
security measures and as required by Applicable Law;
6. Maintaining audit logs, as deemed necessary by the Grantee to demonstrate
compliance with its obligations under this DSA;
7. Backing up Covered Data, if required by law or Grantee policy; and
8. Ensuring that it and its Authorized Users remain in compliance with the terms and
conditions of any Software Entitlements.
B. FL[DS] is not responsible for, and has no obligation for:
1. Selecting or verifying Grantee's Authorized Users, activating or deactivating the
Access or credentials of Authorized Users; or
2. Protecting Covered Data that Grantee elects to store or transfer outside of FL[DS]'s
and its sub-processors' systems (for example, offline or on-premises storage).
V. Unauthorized Disclosure/Data Breach
A In the event of a Data Breach of the Covered Data while in Grantee's (or an Authorized
Third Party's) custody or control or as a result of Grantee's(or an Authorized Third Party's)
access to or use of the Covered Data, which requires the provision of notice in accordance
with section 501.171, F.S., or other Applicable Law (including, but not limited to, HIPAA),
the Parties agree as follows:
1. Grantee shall notify FL[DS] of the Data Breach not more than 24 hours after discovery
that a Data Breach has occurred or is reasonably likely to have occurred.
2. Grantee (or its Authorized Third Party) shall be responsible for all costs related to the
Data Breach including FL[DS]' and/or Grantee's (or an Authorized Third Party's) costs
of complying with all legal requirements, including the requirements for Data Breach
• •
notification under Applicable Law, as well as defending any claims, actions,or lawsuits
related thereto.
1. If a Data Breach is subject to the notice provisions of section 501.171, F.S., or
Applicable Law, the Parties agree to cooperate and work together to ensure full legal
compliance and to provide breach notification to the extent required by Applicable Law.
Grantee shall use its best and diligent efforts to identify the individuals entitled to
receive notice of the Data Breach and obtain the names and mailing information of
such individuals, so that FL[DS] and/or Grantee are able to distribute the notices within
the legally required time periods. FL[DS] and/or Grantee, as applicable, shall bear its
internal administrative and other costs incurred in identifying the affected individuals
and their mailing information.
2. In the event of a Data Breach, including the privacy or security of the Covered Data,
while in the custody or control of the Grantee, if the Grantee must provide notice as a
result of the requirements contained in section 501.171, F.S., or other Applicable Law,
the Grantee shall submit a draft of the notice to FL[DS] for prior review and approval
of the contents of the notice, prior to disseminating the notice. Such approval shall not
be unreasonably delayed or withheld.
B. If Grantee experiences a breach of the security of its systems that results in a breach of
the security of FL[DS]'s systems ("FL[DS] Breach"), Grantee shall be responsible for all
costs related to the FL[DS] Breach including FL[DS]'s costs of complying with all legal
requirements, including any costs for data breach notification under section 501.171, F.S.,
or Applicable Law, as well as defending any claims, actions,or lawsuits against the FL[DS]
related thereto. Grantee, at its own expense, shall cooperate fully with FL[DS] in the
investigation,eradication, remediation, and recovery from the FL[DS] Breach.
C. If FL[DS]experiences a breach of the security of its systems that results in a breach of the
security of Grantee's systems("Grantee Breach"), FL[DS] shall be responsible for all costs
related to the Grantee Breach including Grantee's costs of complying with all legal
requirements, including the requirements for data breach notification under section
501.171, F.S., or Applicable Law, as well as defending any claims, actions or lawsuits
related thereto. FL[DS], at its own expense, shall cooperate fully with Grantee in the
investigation, eradication, remediation, and recovery from the Grantee Breach.
D. If either FL[DS] or Grantee is obligated under this Section to pay costs incurred by the
other Party, the Party required to pay such costs shall submit a draft of the legal
notifications and other public communications to the other Party for prompt review and
approval of the contents prior to disseminating the notification or communication. Such
approval shall not be unreasonably delayed or withheld.
E. The Parties understand and agree the provisions of this DSA relating to the protection and
security of the Covered Data constitute a material condition of this DSA.
VI. Additional Terms Applicable to Certain Circumstances.
A Grantee is responsible for their Covered Data and entering into any required additional
agreements related thereto. Grantee shall provide the FL[DS] DSA Coordinator with
written notice prior to granting Access to any of the data types listed in subsections B-E,
• •
below, to FL[DS] or Software Entitlements. In the event of a conflict between the terms
and conditions of this Article VI and the remainder of the DSA, the terms and conditions
of Article VI shall control. Moreover, a Project may include the use of information described
in more than one (1) of the provisions set forth in this Article VI, or it may include the use
of information not described in this Article VI. In the event of a conflict between or among
the terms and conditions of Subsections B, C, D or E of this Article VI,the more restrictive
terms and conditions shall apply unless otherwise provided by Applicable Law or guidance
by the applicable regulatory enforcement agencies or bodies.
A. CJIS. The terms and conditions of this Section VI.B. apply when Covered Data involved
in a Project includes criminal justice information.
1. CJIS Covered Data. Covered Data may also include, but shall not be limited to, CJIS
Covered Data. For purposes of this DSA, CJIS Covered Data shall mean criminal
justice information that is provided by the Federal Bureau of Investigation (FBI)
Criminal Justice Information Services (CJIS) system and that is necessary for law
enforcement and civil agencies to perform their missions, including, but not limited to,
biometric, identity history, biographic, property, and case/incident history data.
2. Disclosure of CJIS Covered Data. The disclosure of CJIS Covered Data under the
DSA, as modified by this section, is governed by the CJIS Security Policy, available at
https://www.fbi.gov/services/ciis/ciis-security-policv-resource-center. In accordance
with the CJIS Security Policy and 28 CFR Part 20, use of the CJIS system under the
DSA is restricted to: detection, apprehension, detention, pretrial release, post-trial
release, prosecution, adjudication, correctional supervision, rehabilitation of accused
persons or criminal offenders, and other legally authorized purposes.
3. Training. The Parties agree to work together to provide Authorized Users with
confidentiality, privacy, and security training regarding access, use, and disclosure
requirements for the CJIS Covered Data under the CJIS Security Policy.
4. Access Requirements. Unique authorization is required for Access to the CJIS
Covered Data and must be properly authenticated and recorded for audit purposes,
including CJIS security and other applicable audit requirements.
B. HIPAA and State Protected Health Information. The terms and conditions of this
Section VI.C. apply when Covered Data involved in a Project includes protected health
information (PHI) and such other sensitive health information,the disclosure of which may
be limited or restricted by law, including, but not limited to, mental health and drug and
alcohol related information.
1. PHI Covered Data. Covered Data may also include, but shall not be limited to, PHI
Covered Data. For purposes of this DSA, "PHI Covered Data" shall mean "protected
health information" or"PHI," as such term is defined by HIPAA. PHI shall include, but
shall not be limited to, any other medical or health-related information that is afforded
greater protection under more restrictive federal or state law, including, but not limited
to, the Substance Abuse and Mental Health Services Act (SAMSHA), located at 42
C.F.R. Part 2, the Florida Mental Health Act(the Baker Act), located at Fla. Stat. §
394.451 —394.47892,and the Hal S. Marchman Alcohol and Other Drug Services Act,
located at_Fla. Stat. § 397.301 et seq.
•
1. Disclosure of PHI Covered Data. The disclosure of PHI Covered Data under the DSA,
as modified by this section, is governed by HIPAA and more restrictive federal or state
law, as applicable. Accordingly, the disclosure of PHI Covered Data under the DSA is
permitted only with the consent of the individual who is the subject of the PHI Covered
Data, by court order that meets the requirements of applicable law, and for other
purposes as permitted by Applicable Law.
2. Business Associate Agreement. To the extent that FL[DS] is a "Business Associate"
of Grantee, as such term is defined under HIPAA, the Parties agree to enter into a
mutually agreeable Business Associate Agreement.
3. Training. The Parties agree to work together to provide Authorized Users with
confidentiality, privacy, and security training regarding access, use, and disclosure
requirements for the PHI Covered Data under HIPAA and more restrictive federal or
state law, to the extent applicable.
4. Access Requirements. Unique authorization is required for Access and must be
properly authenticated and recorded for audit purposes, including HIPAA audit
requirements and other audit requirements under more restrictive federal or state law,
to the extent applicable.
C. FERPA. The terms and conditions of this Section VI.D. apply when Covered Data includes
student education records as defined by the Family Educational Rights and Privacy Act,
20 USC §1232g, and its implementing regulations set forth at 34 CFR Part 99 (collectively,
"FERPA").
1. FERPA Covered Data. Covered Data may also include, but shall not be limited to,
FERPA Covered Data. For purposes of this DSA, "FERPA Covered Data" shall mean
student education records as defined by FERPA).
2. Disclosure of FERPA Covered Data. The disclosure of FERPA Covered Data under
the DSA, as modified by this section, is governed by FERPA. Accordingly, the
disclosure of FERPA Covered Data under the DSA is permitted with parent or eligible
student consent and,without such consent, in the following circumstances:(i)to school
officials with legitimate educational interest; (ii) to other schools to which a student is
transferring; (iii) to specified officials for audit or evaluation purposes; (iv) to
appropriate parties in connection with financial aid to a student; (v) to organizations
conducting certain studies for or on behalf of the school; (vi) to accrediting
organizations; (vii) to comply with a judicial order or lawfully issued subpoena; (viii) to
appropriate officials in cases of health and safety emergencies; (ix) to state and local
authorities, within a juvenile justice system, pursuant to specific state law; and (x) as
otherwise provided by FERPA.
3. Training. The Parties agree to work together to provide Authorized Users with
confidentiality, privacy, and security training regarding access, use, and disclosure
requirements for the FERPA Covered Data under FERPA.
4. Access Requirements. Unique authorization is required for Access and must be
properly authenticated and recorded for audit purposes, including FERPA and any
other applicable audit requirements.
• •
A. DPPA. The terms and conditions of this Section VI.E. apply when Covered Data includes
motor vehicle record information.
1. DPPA Covered Data. For purposes of the DSA, Covered Data may include, but shall
not be limited to, DPPA Covered Data. For purposes of this DSA, "DPPA Covered
Data"shall mean motor vehicle information as set forth in the Driver Privacy Protection
Act, 18 U.S.C. § 2721 ("DPPA").
2. Disclosure of DPPA Covered Data. The disclosure of DPPA Covered Data under the
DSA, as modified by this section, is governed by DPPA. DPPA prohibits the disclosure
of personal information, as defined in 18 U.S.C. § 2725(3), that is contained in motor
vehicle records, but such information may be used by any government agency, such
as FL[DS] and Grantee, in carrying out its functions. Such personal information may
not be re-disclosed by FL[DS] or Grantee, however, except in accordance with the
permissible uses set forth at 18 U.S.C. § 2721(b). With certain limited exceptions,
DPPA further prohibits the disclosure of highly restricted personal information, as
defined in 18 U.S.C. § 2725(4), without the express consent of the individual who is
the subject of such information. In accordance with section 119.0712(2)(d)(2), F.S.,
the emergency contact information contained in a motor vehicle record, without the
express consent of the person to whom such emergency contact information applies,
may be released only to: (a) law enforcement agencies for purposes of contacting
those listed in the event of an emergency; or(b)a receiving facility, hospital, or licensed
detoxification or addictions receiving facility pursuant to sections 394.463(2)(a) or
397.6772(1)(a), F.S., for the sole purpose of informing a patient's emergency contacts
of the patient's whereabouts. E-mail addresses that are collected by the Florida
Department of Highway Safety and Motor Vehicles also may not be disclosed pursuant
to Section 119.0712(2)(c), F.S.
3. Training. The Parties agree to work together to provide Authorized Users with
confidentiality, privacy, and security training regarding access, use, and disclosure
requirements for the DPPA Covered Data under DPPA and the Florida Statutes
referenced above.
4. Access Requirements. Unique authorization is required for Access and must be
properly authenticated and recorded for audit purposes, including, but not limited to,
compliance with these terms and conditions.
VII. Designation of DSA Coordinators
A. The Coordinators for this DSA are:
FLIDSI DSA Coordinator:
Policy Manager
2555 Shumard Oak Boulevard
Tallahassee, FL 32399
Telephone: 850-413-0604
Email: mailto:Policy(a digital.fl.gov
• •
FL[DSI IT Coordinator:
State Cybersecurity Information Security Officer
2555 Shumard Oak Boulevard
Tallahassee, FL 32399
Telephone: 850-413-0604
Email: Cyber(c�digital.fl.gov
Grantee's DSA Coordinator:
Name: Gary Ritter
City/County of: City of Okeechobee
Street: 55 SE Third Avenue
Okeechobee, 34974
Telephone: (863) 763-9811
Email: gritter@cityofokeechobee.com
Grantee's IT Coordinator:
Name: India Riedel
City/County of: City of Okeechobee
Street: 55 SE Third Avenue
Okeechobee, 34974
Telephone: (863) 763-9818
Email: iriedel@cityofokeechobee.com
A. Changes to the DSA and/or IT Coordinator designations may be accomplished by
providing email change notification that is acknowledged by both Parties.
VIII. Inspection of Records
Each Party shall permit the other Party and any other applicable state and federal
representatives with regulatory oversight over the other Party, or their designees, to
conduct inspections described in this paragraph, or to make on-site inspections of records
relevant to this DSA to ensure compliance with any state and federal law, regulation, or
rule. Such inspections may take place with notice during normal business hours wherever
the records are maintained. Each Party shall ensure a system is maintained that is
sufficient to permit an audit of such Party's compliance with this DSA and the requirements
specified above. Failure to allow such inspections constitutes a material breach of this
DSA. This DSA may be terminated in accordance with Section VII.C.for a material breach.
IX. Grantee Additional Terms
A. Contractors. Grantee shall ensure all contractors that have Access to Covered Data or
Software Entitlements comply with all requirements of this DSA. The Software
Entitlements shall not be Accessible by, or deployed on, Information Technology
Resources not owned, employed, or controlled by Grantee.
• •
RELEVANT FLORIDA STATUTES (2022)
Section 282.3185, Florida Statutes (F.S.), the "Local Government Cybersecurity Act,"directs the
Florida Digital Service (FL[DS])to provide training in cybersecurity to local governments, oversee
their compliance in adopting cybersecurity standards, and to receive cybersecurity incident and
ransomware event notifications through the State Cybersecurity Operations Center. Such incident
reporting must also include "[a] statement requesting or declining assistance from the
Cybersecurity Operations Center, the Cybercrime Office of the Department of Law Enforcement,
or the sheriff who has jurisdiction over the local government." S. 282.3185, F.S.
Under Specific Appropriation 2944A of the 2022-2023 General Appropriations Act, FL[DS] was
directed to establish a competitive cybersecurity technical assistance grant program for
municipalities and counties.
Section 119.0725, F.S.,establishes that coverage limits and deductible or self-insurance amounts
of insurance or other risk mitigation coverages acquired for the protection of information
technology systems, operational technology systems, or data of entities subject to the
requirements of section 119.07(1), F.S., and section 24(a), Article I of the State Constitution;
information relating to existing or proposed information technology and operational technology
systems and assets, whether physical or virtual, the incapacity or destruction of which would
negatively affect security, economic security, public health, or public safety; cybersecurity incident
information reported under section 282.3185, F.S.; network schematics, hardware and software
configurations, or encryption information or information that identifies detection, investigation, or
response practices for suspected or confirmed cybersecurity incidents, including suspected or
confirmed breaches, if the disclosure of such information would facilitate unauthorized access to
or unauthorized modification, disclosure, or destruction of data or information, whether physical
or virtual, or information technology resources, which include an agency's existing or proposed
information technology systems; and the recordings and transcripts of public meetings where such
information may be revealed are confidential and exempt, and such public meetings are exempt
from section 286.011, F.S., and section 24(b), Article I of the State Constitution.
REMAINDER OF PAGE INTENTIONALLY LEFT BLANK
• •
chibitA
Cvbersecuritv Incident Response Rider
I. Definitions
In addition to the defined terms in the DSA, capitalized terms used herein have the
meanings provided below:
A. Cloud Console — The global administrative accounts for Software Entitlements directly
managed and licensed by FL[DS].
B. Customer Account—The accounts for Software Entitlements directly utilized by Grantee.
C. Information Technology Resources — As defined in section 282.0041, Florida Statutes,
data processing hardware and software and services, communications, supplies,
personnel, facility resources, maintenance, and training. As used in this IR Rider, the term
also includes the definition for "Information Technology," as defined in section 282.0041,
Florida Statutes, to add equipment, hardware, software, firmware, programs, systems,
networks, infrastructure, media, and related material used to automatically, electronically,
and wirelessly collect, receive, access, transmit, display, store, record, retrieve, analyze,
evaluate, process, classify, manipulate, manage, assimilate, control, communicate,
exchange, convert, converge, interface, switch, or disseminate information of any kind or
form.
D. Managing Organization — The entity managing the use of the Software Entitlements and
their Cloud Consoles. As used in this IR Rider, the Managing Organization is FL[DS].
E. Protected Grantee Data— Data, not including Telemetry Data, maintained and generated
by Grantee, which shall not be Accessed or Accessible by, or sent to, Software
Entitlements.
F. Solution Data — Data, reports, or other information generated by Software Entitlements.
This may be derived from, but does not include, Telemetry Data.
G. Telemetry Data — Data generated by Grantee through automated communication
processes from multiple data sources and processed by Software Entitlements.
H. View - The permissions Grantee grants to FL[DS] to see Telemetry and Solutions Data
provided to the Managing Organization by Customer Accounts. A View does not permit
FL[DS] Access to Protected Grantee Data.
II. Purpose
FL[DS] and Grantee enter into this IR Rider to establish the terms and conditions for
FL[DS] access to assist Grantee with responding to incidents.
• •
Incident Response
A. Incident Response Support. As specified in section 282.3185(5), F.S., upon
discovery of an incident, Grantee may request, or FL[DS] may offer to provide,
incident response support. Access to Grantee Information Technology Resources
shall be limited to the extent expressly agreed to by Grantee. Such Access and
support are unilaterally terminable at any time by either Party. FL[DS] may
establish, and Grantee shall comply with, protocols or procedures for reporting and
requesting support for incidents under this IR Rider, responding to incidents, and
the types of support available to be provided for an incident.Grantee shall mitigate
the impact of the incident and preserve all relevant documents, records, and data.
Grantee shall cooperate and coordinate with FL[DS] in responding to incidents
where incident response support is received, including, but not limited to:
1. Assisting with any incident response related investigation by FL[DS];
2. Providing FL[DS]with physical access to the affected facilities and
operations;
3. Facilitating interviews with Grantee personnel; and
4. Making all relevant records, logs, files, data reporting, and other materials
available to FL[DS] or Grantee-authorized third parties.
FL[DS] shall only Access Covered Data, other Grantee data, and Grantee
Information Technology Resources as permitted by Grantee. Any specific
limitations on such Access shall be documented.
Upon termination of each instance of incident response support, regardless of the
reason for such termination,Grantee shall assist FL[DS]with any close-out or post-
incident documentation upon request.
B. Covered Data and Personally Identifiable Information. FL[DS] will not disclose
Covered Data or other data made Accessible during incident response support to
any third party unless required by law or as authorized by Grantee. In the event
such data is required by law to be disclosed, FL[DS] shall make best efforts to
notify Grantee prior to such disclosure.
II. FL[DS] Role and Responsibilities
FL[DS] shall provide Grantee with the option to utilize the Software Entitlements to
enhance the Grantee's cybersecurity and protect the Grantee's infrastructure from threats.
FL[DS] will Access a View of the Telemetry Data and Solution Data. FL[DS] will only use
Telemetry and Solutions Data for the purpose of developing and implementing the
Program; identifying and responding to risks and incidents; and in furtherance of meeting
FL[DS]' and Grantee's statutory and regulatory obligations. FL[DS] will not disclose the
Telemetry Data and Solutions Data to any third party unless required by law or as
otherwise authorized by Grantee. FL[DS] will provide incident response services and
resources as allowed and agreed to by FL[DS] and Grantee in responding to risks and
incident.
• •
I. Grantee Roles and Responsibilities
Grantee shall cooperate with and provide all assistance necessary to FL[DS]' incident
response support.
II. Indemnification
For the avoidance of doubt, the Grantee agrees to indemnify FL[DS] and the Department
for any claims related to this rider pursuant to the terms provided in section R.,
Indemnification, of the Grant Agreement.
III. Conflict
In the event of a conflict between this IR Rider, the DSA, and any other rider, the terms of
this IR Rider shall control.
IV. Liability and Termination of Incident Response Support
Except as described in the DSA or other riders, incident response services and resources
of FL[DS] or Grantee-authorized third parties shall be provided by FL[DS]without warranty
by, and without liability to, FL[DS] or such Grantee-authorized third parties. Upon request,
FL[DS] or Grantee-authorized third parties shall provide reasonable assistance to return
Grantee Information Technology Resources to the operational status prior to the
involvement of FL[DS] incident response support.
REMAINDER OF PAGE INTENTIONALLY LEFT BLANK
• •
Exhibit B
SolutjgaRider
I. Definitions
In addition to the defined terms in the DSA, capitalized terms used herein have the
meanings provided below:
A. Protected Grantee Data — Data, not including Telemetry Data, maintained, and
generated by Grantee, which shall not be Accessed or Accessible by, or sent to, the
Licensed Software Solution.
B. Customer Account — The Licensed Software Solution account directly utilized by
Grantee.
C. Local Government Cybersecurity Grant Program ("the Program") —The Program
established by the 2022-2023 General Appropriations Act to improve county and
municipal cybersecurity posture and resiliency.
D. Licensed Software Solutions—Proprietary software provided to the Grantee under the
Agreement to satisfy provision of the solution(s) awarded to the Grantee, as identified
in Attachment A.1 of the Grant Agreement.
E. Managing Organization — The entity managing the use of the Licensed Software
Solution and its implementation. As used in this Rider, the Managing Organization is
FL[DS].
F. Protected Grantee Data — Data, not including Telemetry Data, maintained, and
generated by Grantee, which shall not be Accessed or Accessible by, or sent to, the
Licensed Software Solution.
G. Solution Console — The global administrative account(s) directly managed and
licensed by FL[DS] to provide the Grantee with the Software Entitlement.
H. Solution Data—Data, reports, or other information generated by the Licensed Software
Solution. May be derived from but shall not include Telemetry Data.
I. Telemetry Data —The data generated by Grantee through automated communication
processes from multiple data sources and processed by the Licensed Software
Solution.
J. View — The permissions granted for FL[DS] to see Telemetry Data provided to the
Managing Organization's Solution Console by the Customer Account. A View does not
permit FL[DS] Access to Protected Grantee Data.
II. Statement of Work
A. Purpose/Scope: FL[DS] and Grantee enter into this Rider to establish the terms and
conditions for Grantee Access to the Licensed Software Solution provided by FL[DS];
to establish the maintenance, use, and disclosure of the Telemetry Data generated by
• •
Grantee and uploaded to the Solution Console; and to provide terms and conditions for
the use of the Licensed Software Solution.
A. FL[DS] Role and Responsibilities: FL[DS] is responsible for providing Grantee with
the option to utilize the Licensed Software Solution.
FL[DS] shall be permitted to Access a View of the Telemetry Data provided within the
Solution Console via permissions to the Customer Account.
FL[DS] will only use Telemetry Data for the express purpose of developing and
implementing the Program and in furtherance of FL[DS]' and Grantee's statutory and
regulatory obligations. FL[DS] will not disclose the Telemetry Data to any third party
unless required by law or as otherwise authorized by Grantee.
B. Grantee's Role and Responsibilities: Grantee is responsible for:
a. Grantee Access to and use of the Licensed Software Solution in compliance
with all terms and conditions related thereto, including the Agreement terms
and the vendor terms and conditions to be provided to the Grantee by FL[DS]
without need for an amendment hereto by the Parties and which, after provision
thereof,will be deemed incorporated herein and a material component hereof;
b. Activating and deactivating the Access, credentials, and privileges of its
authorized users;
c. Ensuring no Protected Grantee Data is submitted to the Licensed Software
Solution;
d. Entering into any additional agreement with FL[DS], the Licensed Software
Solution provider, or other third-parties as may be required by law regarding
Protected Grantee Data, as applicable; and
e. Managing access controls to allow View by FL[DS]and Access by the Licensed
Software Solution.
Telemetry Data, even as it may be housed, maintained, or processed by the
Licensed Software Solution, is and shall remain the property of Grantee.
C. Indemnification: For the avoidance of doubt, the Grantee agrees to indemnify FL[DS]
and the Department for any costs related to Grantee's use of the Licensed Software
Solution pursuant to the terms provided in section R., Indemnification, of the Grant
Agreement.
D. Conflict: In the event of a conflict between this Rider and the DSA, the terms of
this Rider shall control.
REMAINDER OF PAGE INTENTIONALLY LEFT BLANK