approval of contract over $1 million: march … mainframe program enhancements for the cros ......



Subject: APPROVAL OF CONTRACT OVER $1 MILLION: 2016-4130 - International Network Consulting, Inc.

State of California Board of Equalization Administration Department-MIC: 69

Telephone: (916) 445-4272

Memorandum

To David J. Gau Executive Director Date: March 15, 2017

From Edna Murphy, Deputy Director Administration Department

Your approval is requested to place an Administrative Agenda item before the Board at the March 28-30, 2017 Board Meeting.

Information Technology Consultant services:

• Senior Level Programmers Standard Agreement #2016-4130 - International Network Consulting, Inc.

Because this Agreement exceeds $1 million, Board Member approval is required. Attached is a brief description of the services to be provided by this Agreement, and a copy of the signature-ready 2016-4130 Agreement with International Network Consulting, Inc. This contract has been reviewed and approved by Legal.

With your approval, the Board Proceedings Division will place this item on the Public Agenda Notice and provide a copy of the attachments to each Board Member. If you have any questions or wish to discuss the contract further, please call me or have your staff call Linda Fergurson at 445-3814.

EM:lm

Attachment

cc: Kevin Hanks, MIC 49 Brian Manuel, MIC 35

Approved David J. Gau Executive Director

BOARD APPROVED At the 3/.:,f/lZ Board Meeting

Joann Richmond, Chief Board Proceedings Division

Item P6.le 03/28/17

Board of Equalization Proposed Contracts Over $1 Million

Contractor: International Network Consulting, Inc.
Start Date: 3/1/2017
Expire Date: 2/28/2021
Total Cost: $3,440,640
Purpose: B. Senior Level Programmers to conduct data remediation and provide mainframe program enhancements for the CROS Project. Contract #2016-4130

Business Management Division, Acquisitions Branch, Contracts Section

March 2017

STATE OF CALIFORNIA
STANDARD AGREEMENT
STD. 213 (REVISED 07/13)

REGISTRATION NUMBER
PURCHASING AUTHORITY NUMBER: BOE-0860
AGREEMENT NUMBER: 2016-4130

1. This Agreement is entered into between the State Agency and the Contractor named below:

STATE AGENCY'S NAME: State Board of Equalization
CONTRACTOR'S NAME: International Network Consulting, Inc.

2. The term of this Agreement is: March 1, 2017, or upon California Department Technology approval through February 28, 2021

3. The maximum amount of this Agreement is: $3,440,640.00 (Three Million Four Hundred Forty Thousand Six Hundred Forty Dollars and No Cents)

4. The parties agree to comply with the terms and conditions of the following attachments which are by this reference made a part of the Agreement:

Attachment A - Statement of Work, 29 Page(s)
*Attachment 1 - Resume of Fred Sutarjo, 7 Page(s)
*Attachment 2 - Resume of Kitsy Perez, 6 Page(s)
*Attachment 3 - Resume of Raymundo Valderama, 5 Page(s)
*Attachment 4 - Resume of Wayne Rodgers, 3 Page(s)
*Attachment 5 - Resume of Roy C. Woods, 4 Page(s)
Attachment III-A - Add, Delete or Substitute Contractor Personnel Form, 1 Page(s)
Attachment III-B - Special Provisions, 15 Page(s)
*Attachment III-C - Contractor's Response dated 1/30/17, to RFO 2016-4130 (Incorporated by Reference as if attached hereto)
*Attachment III-D - CROS RFO 2016-4130 (Incorporated by Reference as if attached hereto)
Exhibit C* - General Terms and Conditions GSPD 401 IT (eff. Date: 9/2014) (Incorporated by Reference as if attached hereto)
*California Multiple Award Schedule 3-12-70-1227D (Incorporated by Reference as if attached hereto)

Where the Department of General Services, Procurement Division is referenced in the GSPD, it shall mean the Department of Technology, Statewide Technology Procurement.

Items shown with an Asterisk (*) are hereby incorporated by reference and made part of this agreement as if attached hereto.

IN WITNESS WHEREOF, this Agreement has been executed by the parties hereto.

CONTRACTOR
CONTRACTOR'S NAME (If other than an individual, state whether a corporation, partnership, etc.): International Network Consulting, Inc.
BY (Authorized Signature) / DATE SIGNED
PRINTED NAME AND TITLE OF PERSON SIGNING: Fred Sutarjo
ADDRESS: P.O. Box 254620, Sacramento, CA 95865

STATE OF CALIFORNIA
AGENCY NAME: State Board of Equalization
BY (Authorized Signature) / DATE SIGNED
PRINTED NAME AND TITLE OF PERSON SIGNING: David J. Gau, Executive Director or Designee
ADDRESS: 450 N Street, Sacramento, CA 95814

Statewide Technology Procurement Use only: [ ] Exempt per

INTERNATIONAL NETWORK CONSULTING, INC. Standard Agreement No.: 2016-4130

ATTACHMENT A

STATEMENT OF WORK

1. PURPOSE - GENERAL

This Statement of Work (SOW) reflects the services to be provided by International Network Consulting, Inc. (hereinafter referred to as the "Contractor") to the Board of Equalization (hereinafter referred to as the "BOE" or "State"). This SOW is governed by and incorporates by reference the terms and conditions of the California Multiple Award Schedule (CMAS) number 3-12-70-1227D, Supplement No. 1.

2. TERM

a. The contract terms are forty-eight (48) months, but may be extended at the originally agreed-upon hourly rates specified in this Agreement and the terms of the California Multiple Award Schedule Agreement for time and funding with mutual agreement of the parties.

b. The Contractor shall not be authorized to deliver or commence performance of services described in this Agreement prior to the Effective Date. Any delivery or performance of services by the Contractor that is commenced prior to the Effective Date shall be considered gratuitous on the part of the Contractor.

3. WORK LOCATION

The BOE Headquarters is located at 450 N Street, Sacramento, CA 95814. The Contractor is required to perform all services under this Agreement onsite at the BOE Headquarters from approximately 8:00 a.m. to 5:00 p.m. Pacific Time, Monday through Friday, excluding State Holidays as identified by California Department of Human Resources (Cal HR), which may be found at this link: http://www.calhr.ca.gov/employees/Pages/state-holidays.aspx, for the duration of the Contract. Work hours and location may be modified with approval of the BOE Contract Manager. The Contractor and Contractor's staff will not be authorized nor paid to travel under this Agreement.

4. COST

Cost details are located in the Cost Worksheet, Attachment II-J.

5. SCOPE OF SERVICES

The Contractor will provide the Centralized Revenue Opportunity System (CROS) Project with the services of experienced Senior Level Programmers to conduct data remediation and provide mainframe program enhancements for the IRIS and Timber Tax systems throughout the CROS Project implementation. The Senior Programmers will work with the CROS System Integrator to prepare, remediate as needed, and map legacy data to the CROS solution.


They will update current BOE mainframe objects and documentation in order to provide new or enhanced functionality in the legacy systems as needed by the CROS solution during implementation. They will provide maintenance of legacy systems as required by critical business needs during the CROS implementation phases to free up existing BOE staff with subject matter expertise to work with the CROS Project team. The Senior Programmers will also develop interfaces or perform maintenance on current mainframe objects and documentation in order to resolve system integration issues and provide interim functionality during the CROS implementation phases.

The BOE requires the Senior Programmers to have a unique synthesis of experience and skills that cross several areas. The Senior Programmers must be experts in an outmoded mainframe platform such as Natural/ADABAS and bring a detailed knowledge of the complexity and structure of the legacy data as it relates to the functionality of existing systems. The Senior Programmers must be proficient with relational database platforms and SQL in order to analyze data quality, conduct data mining activities, synthesize redundant data and prepare data for migration from the mainframe platform to the SQL staging platform. This level of expertise comes from a strong work history in the multiple programming languages and disciplines.

The Senior Programmers will work with analysts and technology staff from the CROS Project and with Data Conversion consultants to migrate legacy data to a CROS conversion staging environment. The Senior Programmers will map data elements across legacy systems and sub-systems and provide Extract, Transform, and Load (ETL) scripts to load BOE's legacy data into the staging environment. They will also validate that all source data migrating to the new system has been accounted for in the target system or documented as purposely archived or abandoned due to invalid data integrity.

The Senior Programmers will work with analysts and technology staff from Technology Services Department when called upon to maintain BOE mainframe objects and documentation to provide new or enhanced functionality in the legacy systems for interfacing with CROS.

The BOE is requesting the consulting services of five (5) highly experienced Senior Level Programmers for the duration of this Contract. Working hours are anticipated to be full-time but may fluctuate based upon the needs and phases of the Project.

6. DELIVERABLES

Contractor shall provide a Deliverable Expectation Document (DED) that defines the format, content and table of contents, resources needed, milestones and additional Deliverables used for tracking and billing, and constraints for each Deliverable. The DED may be used to authorize work performed by the Contractor.


The initial Deliverables to be completed include, but are not limited to the following:

a. Timeline for resource loading.
b. Documented repeatable process to extract, transform and load legacy data to the SQL staging environment.
c. Test output and results, together with summary reports for record count validation (records archived, converted, staged, transformed, orphaned).
d. Maintenance and operations plan for all implemented data migration processes.
e. Natural/ADABAS programs to fix data quality errors.
f. Updated program specifications for modifications required in legacy system(s).
g. New and modified Natural/ADABAS programs for modified functionality of legacy system(s).
h. Unit test and integration test scripts for functional modifications.
i. Documented integration test results for legacy system program modifications.
j. Updated Traceability for legacy system program modifications based on BOE's existing SDLC standards.
k. Status reports for a time period determined by the Project Director (or designee), including key accomplishments, next steps, significant issues, hours expended by date in period, hours expected to spend in the next time period.

These Deliverables (and any additional Deliverables identified through subsequent DEDs) will provide the basis that, along with a valid invoice, can trigger compensation to the Contractor for consulting services (as identified in Sections III.5, Scope of Services, and III.11.a, Contractor Responsibilities).

A. Other Reporting Requirements

The Contractor will submit a written report on a monthly basis to provide feedback to the CROS Project Director (or designee) which shall include the following information:

a. Summary of the work completed during the reporting period.
b. Status of the overall engagement, and all phases/projects, including discussion of problems encountered, solutions, and proposed solutions.
c. Tasks within the DED completed during the reporting period for all phases/projects.

If requested, the Contractor shall participate in periodic briefings for BOE's executive management and divisional management, as deemed appropriate by BOE's Chief Information Officer or other BOE executive management.


The Contractor shall designate a person to whom all Project communications may be addressed and who has the authority to act on all aspects of this Contract. The Contractor shall comply with all applicable BOE and California Department of Technology policies and procedures, including but not limited to, policies regarding Sexual Harassment Prevention, IT Security, Confidentiality Statement (BOE-4), Workplace Violence Prevention, and Emergency Preparedness. Upon Contract award, a signed acknowledgement to comply with these policies will be attached to the Contractor's Agreement. Breach of any of the policies is considered a breach of Contract.

Notwithstanding CMAS General Provisions - Information Technology, any and all work product produced for this Project, including, but not limited to: schedules, analysis, plans, proposals, reports and materials, is the property of the BOE.

B. Deliverable Expectation Documents (DEDs)

The Contractor will develop a Deliverable Expectation Document (DED) in collaboration with and approved by the CROS Project Director or designee prior to work commencing on the Deliverable. The use of the DED is to identify the applicable Acceptance Criteria and number of days allotted to BOE for its review and notice obligations and to ensure a mutual understanding exists between BOE and Contractor regarding the scope, format and content (depth and breadth) of Deliverables prior to Contractor's beginning work on the activities associated therewith. The Acceptance Criteria set forth in the DED must contain specific, measurable success factors. The approved DED will be submitted with each Deliverable. The DED will identify the Deliverable, the tasks associated with completing the Deliverable and the Deliverable Acceptance Criteria. All Deliverables must be accompanied with the corresponding DED and submitted to the CROS Project Director or designee for final acceptance. It shall be BOE's sole determination as to whether a Deliverable has been successfully completed and accepted.

The following is an overview of the DED approval process:

1. Contractor shall develop the Deliverable Expectation Document (DED) and submit to the CROS Project Director or designee five (5) business days in advance of DED review;
2. The CROS Project Director or designee provides verbal feedback to Contractor;
3. Contractor finalizes DED based on received feedback and re-submits to BOE;
4. The CROS Project Director or designee provides sign-off of DED within five (5) business days or returns for additional revisions.


C. Deliverable Format

1. All Deliverables shall be provided in a format compatible with the CROS Project Management Office standard applications (currently, Microsoft Office 2013). In all cases, the Contractor shall verify application compatibility with the State Contracts Manager prior to creation or delivery of any electronic documentation. Any deviations to these standards shall be approved by CROS Project Management Office.

2. Hardcopy Deliverables shall be on standard 8 ½" x 11" paper. Electronic versions shall be stored in a State designated central repository and remain the sole property of the State. The delivery media shall be compatible with the State storage devices.

3. If the State does not accept the Deliverable(s) or services in the executed Agreement, payment for the Deliverable(s)/services shall be withheld by the State and the Contractor will be notified. The Contractor shall take timely and appropriate measures within five (5) business days to correct or remediate the reason(s) for non-acceptance and demonstrate to the State that the Contractor has successfully completed the scheduled work for each Deliverable before payment is made.

D. Media and Number of Copies

Written reports/plans/Deliverables shall be submitted in the following numbers and formats to the CROS Project Director or designee:

• One (1) hard copy
• Two (2) electronic copies (one placed in the appropriate location on the CROS SharePoint site and the other sent as an email attachment)

7. CONTRACTOR PERSONNEL

The collective knowledge and experience of the proposed team of Senior Level Programmers (one (1) Senior Programmer with Database Administration experience, two (2) Senior Programmers with experience as Technical Lead, and two (2) Senior Programmers with experience developing and maintaining Natural/ADABAS programs) must cover, but not be limited to, the following minimum qualifications outlined below for the duration of the term:


1. Each Senior Programmer must have a minimum of five (5) years' experience with Software AG's Natural/ADABAS programming in a mainframe/CICS environment.

2. Each Senior Programmer must have a minimum of two (2) years' experience with developing systems using Natural Construct.

3. Each Senior Programmer must have a minimum of five (5) years demonstrated experience with JCL.

4. Each Senior Programmer must have a minimum of five (5) years of formal testing experience.

5. The proposed team must have up to two (2) Senior Programmers with a combined experience mapping and migrating data from mainframe environment to a non-mainframe platform on at least two (2) projects.

6. The proposed team must provide at least one Senior Programmer that has Data Base Administrator experience with relational databases for at least three (3) years.

7. The proposed team must provide at least one Senior Programmer that has Data Base Administrator experience with Natural/ADABAS for at least three (3) years.

8. The proposed team must provide at least two (2) Senior Programmers, each with a minimum of five (5) years of experience working in a lead capacity with both business and technical staff in a team environment.

Desirable Qualifications (DQs)

9. Experience with Software AG's Event Replicator for at least one Senior Programmer.

10. Experience coding and implementing ETL scripts on at least two (2) projects, synthesizing redundant data.

11. Experience performing data cleansing and conversion, developing tools and processes for conversion, and planning operations for cutover on at least two (2) projects.

12. Experience with Software Development Life Cycle (SDLC methodology), Rapid Application Development (RAD), and Joint Application Development (JAD).

13. Experience with government data center services.

14. Previous experience working with State revenue collection agency.

a. Reassignment of Personnel

1. The Contractor shall not add and/or substitute staff without the prior written consent of the BOE, which consent shall not be unreasonably withheld. The Contractor shall make every reasonable effort to provide suitable substitute staff. The additional and/or substitute staff shall meet all the requirements and shall be approved in writing by the BOE prior to substitute staff beginning work.


2. Additional and/or substitute staff shall not automatically receive the hourly rate of the staff or positions being replaced. The BOE and the Contractor shall negotiate the hourly rate of any additional and/or substitute staff to the Agreement. The hourly rate negotiated shall be dependent, in part, upon the experience and individual skills of the proposed additional and/or substitute staff. The negotiated hourly rate shall not exceed the hourly rate for that position as set forth in the Agreement.

3. The Contractor shall provide the following forms when the addition or substitution of Contractor staff is acceptable to the BOE and permissible by this Agreement:

3.1 The Contractor shall submit an Add, Delete or Substitute Staff Request Form, Attachment III-A; a completed Staff Resume Table, Attachment II-C; signed Staff Reference Forms, Attachment II-D, from all references listed on the Staff Resume Table to validate the experience listed; and the completed GSA/GSA Classification Qualifications table, Attachment II-E, with any required degrees. The request and the completed documents shall be provided to the identified BOE Contract Manager for review and approval. The BOE will provide approval of the request and related materials within ten (10) business days after receipt of these documents. However, addition of staff may require an amendment to this Agreement.

4. If the deletion of Contractor staff is acceptable to the BOE and permissible by this Agreement:

4.1 The Contractor shall submit an Add, Delete or Substitute Staff Request Form, Attachment III-A, to the BOE Contract Manager for review and approval within (10) business days after receipt of this document.

5. If the addition, substitution and/or deletion does not increase the total cost of the Agreement, an amendment may not be required to make this change to the Agreement.

8. INVOICING AND PAYMENT

Invoices shall be submitted electronically to [email protected] no more frequently than once monthly, in arrears. The invoice must reference Contract Number 2016-4130, identify each approved Deliverable by Deliverable Item number, the associated cost charged for each Deliverable, and include copies of the approved associated Letter of Deliverable Acceptance.

Payment shall be based on the Deliverables that the Contractor delivers in accordance with the DED accepted by the CROS Project Director (or designee). It shall be the BOE's sole determination as to whether a Deliverable has been successfully completed and accepted. Payment is subject to a 10% withhold amount per Public Contract Code section 12112, to be released at the BOE's acceptance of the final Deliverable and at the termination of the Contract.

It is mutually agreed that if the Budget Act of the current year and/or any subsequent years covered under this Agreement does not appropriate sufficient funds for the CROS Project, this Agreement shall be of no further force and effect. In this event, the State shall have no liability to pay any funds for incomplete Deliverables to the Contractor or to furnish any other consideration under this Agreement and the Contractor shall not be obliged to further perform any provision of this Agreement.

If funding for any fiscal year is reduced by the Budget Act for purposes of the CROS Project, the State shall have the option to either cancel this Agreement with no liability occurring to the State, or to amend the Contract to reflect the reduced amount. The State will not be reimbursing for any travel as part of this Agreement.

9. POINTS OF CONTACT

Board of Equalization Contract Manager
Name: Chris Kahue (or Designee)
Phone: 916-323-4333
Fax: 916-327-3483
Email: [email protected]

International Network Consulting, Inc.
Name: Fred Sutarjo
Phone: (916) 213-3387
Fax: (916) 914-2209
Email: [email protected]

Direct all Agreement inquiries to:

Board of Equalization
Name: Contracts Section
Address: 450 N Street, MIC: 24, Sacramento, CA 95814
Phone: 916-322-2107
Fax: 916-322-3184
Email: [email protected]

International Network Consulting, Inc.
Name: Fred Sutarjo
Address: P.O. Box 254620, Sacramento, CA 95865
Phone: (916) 213-3387
Fax: (916) 914-2209
Email: [email protected]

In the case that either Contract Manager is changed, the changing party will notify the other party with a ten (10) day prior written notice either by fax, mail or email, which will contain the new Contractor Manager's name, mailing address, email address, telephone and fax numbers.

10. STATE FURNISHED ITEMS

The following items shall be provided by the BOE to support this effort and all policies and procedures regarding access to and the use of the BOE facilities shall be applicable:


a. Office space for the duration of the Agreement, including desk, chair, desk phone, and Internet connection.

b. Access to office building and office suite.

11. RESPONSIBILITIES OF PARTIES

a. Contractor Responsibilities

As directed by BOE, the Programmer resources shall serve as the technical experts directly responsible for performing and conducting data remediation, legacy data migration and providing mainframe program enhancements for the IRIS and Timber systems throughout the CROS Project implementation. The Senior Programmers will perform the following services:

1) Work closely with managers and staff to validate data requirements and data quality;
2) Work with the data and conversion architects and key data custodians to validate logical data models and data dictionaries;
3) Map data across systems and subsystems;
4) Identify and analyze data errors and anomalies across systems, and subsystems;
5) Code algorithms to identify data anomalies;
6) Write ETL scripts to extract, cleanse and synthesize data, and import them into target databases;
7) Recommend how data can be fixed in the legacy systems and assist in developing the data remediation programs as needed;
8) Coordinate and plan with the System Integrator for data migration;
9) Ensure that the historical archive data is maintained for future accessibility;
10) Resolve data conversion anomalies;
11) Provide critical mainframe system enhancements required for CROS;
12) Provide programming support for IRIS and Timber Tax system enhancements, as required, for interfacing with CROS;
13) Develop new functionality in Natural/ADABAS;
14) Enhance existing applications in Natural/ADABAS;
15) Coordinate application changes with legacy systems utilizing EntireX;
16) Maintain legacy system requirement specifications and traceability matrix;
17) Develop unit and integration test scripts in accordance with the BOE's existing SDLC;
18) Conduct unit and integration tests in accordance with the BOE's existing SDLC;
19) Assist with system and user acceptance test in accordance with BOE's existing SDLC;
20) Provide staff with unit, system, and integration tests in accordance with the BOE's existing SDLC;


21) Work in partnership with BOE management, System Integrator, and other Project staff to coordinate activities;

22) Work with BOE's Administrative staff, managers, business and technical teams, and various State agency personnel, including but not limited to: Department of Finance, California Department of Technology (CDT) and Department of General Services;

23) Maintain open communication and shall communicate as frequently as necessary with all CROS Project managers, Technology Services Department managers, the System Integrator, or other Project staff to help ensure timely completion of project activities.

24) Attend CROS Project status meetings and other meetings as requested by the CROS Project Director (or designee) to fulfill the Contractor's listed key tasks and responsibilities;

25) Provide status reports for time periods to be determined by the CROS Project Director (or designee) including key accomplishments, next steps, significant issues, hours expended per dates in each time period, hours expected to spend in the next time period;

26) Participate in the data mapping effort of legacy data to the CROS solution:

a. Participate in CROS Requirements and Data Mapping JADs, as needed;
b. Attend meetings and provide feedback, responses in writing to emails or development of short papers or presentation, as directed by the Project Director (or designee) to fulfill the Contractor's listed key tasks and responsibilities.

27) All work products and Deliverables shall be stored on the State document repository (e.g. Worksite Web or SharePoint) in a format compatible with the BOE document standards. The most current version of all work products and Deliverables shall be continuously available for BOE review at all times.

28) The Contractor shall receive all Project communications and has the authority to act on all aspects of the services. The Contractor will review the Agreement and associated Agreement documents with the BOE Contract Manager to ensure understanding of the responsibilities of both parties.

29) Prior to expiration of the Agreement, the Contractor shall return all BOE property, including security badges, to the BOE Contract Manager.

30) As part of this Agreement, the Contractor (data custodian) shall be responsible for all costs incurred by the State (data owner) due to any and every security incident resulting from the Contractor's failure to perform or negligent acts of its personnel, and resulting in an unauthorized disclosure, release, access, review, or destruction; or loss, theft or misuse of an information asset. If the Contractor experiences an actual or potential loss of data or breach of data security, the Contractor shall, within two (2) hours of its discovery thereof, report the loss or security breach to the BOE Information Security Officer at [email protected]. If the BOE determines that notice to the individual(s) whose data has been lost or breached is appropriate, the Contractor will bear any and all costs associated with the notice or any mitigation selected by the BOE. These costs include, but are not limited to, consultant time, material costs, postage, media announcements, and other identifiable costs associated with the breach or loss of data.

31) The Contractor shall comply with all applicable State policies including, but not limited to State Administrative Manual 5300-5399, State Information Management Manual procedures, and the BOE's security policies including, but not limited to, BOE's Acceptable Use Policy, Confidentiality and Non-Disclosure Policy, State Security Policies (SIMM 5300 series), and the BOE Security templates. (See Attachment III-B, Special Provisions.)

32) All the Contractor-owned or managed laptops, Ultrabooks, netbooks, tablets, Smart phones and similar devices, if allowed by the BOE Contract Manager, shall be encrypted using commercial third-party encryption software. The encryption software shall meet the level standards of National Institute of Standards and Technology (NIST), Federal Information Processing Standards (FIPS) Publication 140-2, Security Requirements for Cryptographic Modules. Additionally, anti-virus, anti-malware software shall be used and kept up to date along with software patches and supported versions. The BOE Information Security Office shall audit the Contractor-owned devices connected to BOE networks.

33) If the Contractor's use of removable media storage devices (i.e., Universal Serial Bus [USB] thumb drives, disk tapes, micro SD, SD cards, CD/DVD, etc.) is allowed by the BOE Contract Manager, all electronic files stored on the removable media storage device used to store State information shall be encrypted using a commercial third-party encryption software. The encryption software shall meet the standards set forth in NIST FIPS 140-2. Information stored on approved removable storage devices shall not be copied to any unencrypted computer (i.e., desktop or laptop) not connected to BOE network. Any personally identifiable information, personal health information, or other confidential information shall be encrypted when stored on BOE network file shares or document repositories.

34) Contractor understands and agrees that should award of this contract be based in part on their commitment to use the Disabled Veteran Business Enterprise (DVBE) subcontractor(s) identified in their bid or offer, per Military and Veterans Code section 999.6 (e), a DVBE subcontractor may only be replaced by another DVBE subcontractor and must be approved by the Department of General Services (DGS). Changes to the scope of work that impact the DVBE subcontractor(s) identified in the bid or offer and approved DVBE substitutions will be documented by contract amendment.

Failure of Contractor to seek substitution and adhere to the DVBE participation level identified in the bid or offer may be cause for contract termination, recovery of damages under rights and remedies due to the State, and penalties as outlined in M&VC section 999.9; Public Contract Code (PCC) section 10115.10.

b. BOE Responsibilities

1) The BOE Contract Manager shall receive all Project communications and has the authority to act on all aspects of the services. The BOE Contract Manager will review the Agreement and associated Agreement documents with the Contractor to ensure understanding of the responsibilities of both parties.

2) The BOE will provide timely review and approval of the information and documentation provided in order for the Contractor to perform its obligations under this Agreement.

3) Provide workstations, which will include Microsoft Office 2010 (or higher), virus protection software and other project related software as needed.

4) Provide access to the worksite.

5) Provide onsite workspace for the Contractor. This will include the assignment or use of hardware, connection to LAN, telephone, fax, copy machine, and other resources as needed.

6) Provide workspace for work sessions, meetings, conferences, presentations, etc.

7) Provide timely access to BOE staff with expertise in the BOE's business and technical environment.

8) Provide timely access to BOE artifacts, which includes Project, technical and business artifacts (plans, schedules, metrics and other Project documents) and such other material as may be approved by BOE.

9) Coordinate contacts with project stakeholders, System Integrator, outside agencies and other contractors.

10) Provide review of Deliverables and written communication to Contractor as to whether Deliverables are acceptable per Section 111.6, Deliverables.

12. PROBLEM ESCALATION

The parties acknowledge and agree that certain technical and/or project-related problems or issues may arise, and that such matters shall be brought to the BOE's attention. Problems or issues shall normally be reported in regular status reports or in-person meetings. However, there may be instances where the severity of the problem justifies escalated reporting. To this extent, the BOE Contract Manager in charge shall determine the level of severity, and notify the appropriate BOE personnel, as set forth below. The BOE personnel notified, and the time period taken to report the problem or issue shall be at a level commensurate with the severity of the problem or issue. The BOE personnel include, but are not limited to, the following:

a. First level, the CROS Project Director or designee.

b. Second level, the BOE Chief Information Officer.

13. SPECIAL PROVISIONS

Special Provisions shall include any special directions or project specific requirements that are not otherwise stated explicitly in the Agreement. Refer to Attachment III-B.

14. FINGERPRINTING AND BACKGROUND CLEARANCE

Prior to accessing any confidential information, personal identifying information, personal health information, federal tax information, or financial information contained in the information systems and devices of the BOE, or any other information as required by federal and State law or guidance, all Contractor personnel who perform services under this Agreement must comply with the criminal background check requirements set forth in Government Code section 1043, and its implementing regulations set forth in California Code of Regulations, Title 10, section 6456. The State will provide the appropriate forms upon award to the Contractor and provide direction to the Contractor on how to complete the background clearance and fingerprinting process per the State's background clearance process. This clearance process is in addition to any processes that may be instituted by the Contractor related to their individual hiring process prior to award. The cost of fingerprinting and background checks will be paid solely by the Contractor and are not reimbursable by the State.


15. SUBCONTRACTORS

The Contractor may, with the approval of the BOE, enter into subcontracts with third parties for the performance of any part of the Contractor's duties and obligations. Any such BOE approval may be rescinded for reasonable cause. The Contractor is responsible and liable for the proper performance and quality of any work performed by any, and all, subcontractors. The BOE reserves the right to reject or refuse admission to any subcontractor staff whose performance, in the reasonable judgment of the BOE, is deemed to be substandard. In no event shall the existence of a subcontract operate to release or reduce the liability of the Contractor to the BOE for any breach in performance of the Contractor's duties.

The Contractor warrants and agrees that any subcontract resulting from its performance under the terms and conditions of the Agreement and the associated leveraged procurement agreement (LPA) shall include a provision that the subcontractor shall abide by the terms and conditions of the Agreement and the associated LPA, as well as all other applicable federal and state laws, rules, and regulations pertinent hereto that have been or may hereafter be established. Also, the Contractor warrants and agrees that all subcontracts shall include a provision that the subcontractor shall indemnify and hold harmless the BOE to the same extent as provided in the LPA. Any Agreement between the Contractor and its subcontractors shall require the subcontractors to adhere to the same performance standards and other standards required of the Contractor.

When a subcontractor ultimately performs all of the services that the Contractor has agreed to provide and the prime Contractor only handles the invoicing of expenditures, then the prime Contractor's role becomes that of a fiscal agent because it is merely administrative in nature, and does not provide a commercially useful function. It is unacceptable to use fiscal agents in this manner because the agency is paying unnecessary administrative costs. Contractors may not subcontract 100 percent of the tasks of this SOW.

16. AMENDMENTS

Should it become necessary, during the course of the resulting Contract, to modify the terms of the SOW, those modifications may be made by mutual agreement by the contracting parties through an amendment to the Contract. A Contract amendment shall not be effective until fully executed. An oral understanding or agreement must be incorporated through the proper contractual process to be binding on either the Contractor or the BOE.


The State has the option to extend this agreement, subject to the California Multiple Award Schedule contract requirements, and to extend for time for the purposes of completing all tasks listed in the original Agreement without additional cost. This agreement may also be amended to add additional resources, additional funds and/or additional time for Unanticipated Tasks, as necessary to complete this project. If this amendment option is invoked, the Contractor's hourly rates offered shall remain the same as stated in Attachment IJ.J, Cost Worksheet.

ATTACHMENT III-A

ADD, DELETE OR SUBSTITUTE CONTRACTOR PERSONNEL REQUEST FORM

Contractor Name | Contractor Phone No. | Date

GSA Number | Project Name/Agreement Number

Personnel To Be Added | Personnel Replaced | Proposed Classification | Resume | Effective Date | Meets MQs and GSA requirements (check box)

Personnel To Be Deleted | Date Effective | Reason

Comments/Special Instructions

Please note: The changes as indicated in this request are being made at no additional cost to the STATE. - Sample (Include this language, if applicable).

BOE Acceptance | Contractor Acceptance

Division/Project | Contractor (If other than an individual, state whether a corporation, partnership, etc.)

By (Authorized Signature) | By (Authorized Signature)

Printed Name of Person Signing | Printed Name of Person Signing

Title | Title

ATTACHMENT III-B

Special Provisions

Special Provisions shall include any special directions or project specific requirements that are not otherwise stated explicitly in the Agreement.

I. SECURITY

Information Confidentiality and Security Requirements for Leveraged Procurements

1. Definitions. For purposes of this Exhibit, the following definitions shall apply:

a. Public Information: Information that is not exempt from disclosure under the provisions of the California Public Records Act (Government Code sections 6250-6270) or other applicable state or federal laws.

b. Confidential Information: Information that is exempt from disclosure under the provisions of the California Public Records Act (Government Code sections 6250-6270) or other applicable state or federal laws.

c. Sensitive Information: Information that requires special precautions to protect from unauthorized use, access, disclosure, modification, loss, or deletion. Sensitive Information may be either Public Information or Confidential Information. It is information that requires a higher than normal assurance of accuracy and completeness. Thus, the key factor for Sensitive Information is that of integrity. Typically, Sensitive Information includes records of agency financial transactions and regulatory actions.

d. Personal Information: Information that identifies or describes an individual, including, but not limited to, their name, Social Security number, physical description, home address, home telephone number, education, financial matters, and medical or employment history. It is the BOE's policy to consider all information about individuals private unless such information is determined to be a public record. This information shall be protected from inappropriate access, use, or disclosure and shall be made accessible to data subjects upon request. Personal Information includes the following:

Notice-triggering Personal Information: Specific items of personal information (name plus Social Security number, driver license/California identification card number, or financial account number) that may trigger a requirement to notify individuals if it is acquired by an unauthorized person. For purposes of this provision, identity shall include, but not be limited to name, identifying number, symbol, or other identifying particular assigned to the individual, such as finger or voice print or a photograph. See Civil Code sections 1798.29 and 1798.82.

2. Nondisclosure. The Contractor and its employees, agents, or subcontractors shall protect from unauthorized disclosure any Personal Information, Sensitive Information, or Confidential Information (hereinafter identified as PSCI).

3. The Contractor and its employees, agents, or subcontractors shall not use any PSCI for any purpose other than carrying out the Contractor's obligations under this Agreement.

4. The Contractor and its employees, agents, or subcontractors shall promptly transmit to the BOE Contract Manager all requests for disclosure of any PSCI not emanating from the person who is the subject of PSCI.

5. The Contractor shall not disclose, except as otherwise specifically permitted by this Agreement or authorized by the person who is the subject of PSCI, any PSCI to anyone other than the BOE without prior written authorization from the BOE Contract Manager, except if disclosure is required by State or Federal law.

6. The Contractor shall observe the following requirements:

a. Requirements and Guidelines.

1) The Contractor shall classify their data pursuant to the California State Administrative Manual (SAM) 5305.5.

2) The Contractor shall comply with the following:

i. The California Information Practices Act (Civil Code Sections 1798 et seq.);

ii. Security provisions of the SAM (Chapters 5100 and 5300) and the California Statewide Information Management Manual (SIMM) (Sections 58-C, 58-D, 66-B, 5305-A, 5310-A and B, 5325-A and B, 5330-A, B and C, 5340-A, B and C, 53608);

iii. Privacy provisions of the Federal Privacy Act of 1974;

3) The Contractor shall comply with the information security and privacy controls set forth in the National Institute of Standards and Technology (NIST) Special Publication (SP), including but not limited to NIST 800-53R4 (tailored to the BOE Requirements for a Low or Moderate Level Of Concern).

b. Safeguards. The Contractor shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of personal, sensitive, and confidential information (PSCI), including electronic PSCI that it creates, receives, maintains, uses, or transmits on behalf of the BOE. The Contractor shall develop and maintain a written information privacy and security program that includes administrative, technical and physical safeguards appropriate to the size and complexity of the Contractor's operations and the appropriate levels of security (confidentiality, integrity, and availability) for the data based on data categorization and classification and FIPS Publication 199 protection levels, including at a minimum the following safeguards:

1) Personnel Controls

a) Employee Training. All Contractor workforce members who assist in the performance of functions or activities on behalf of the BOE, or access or disclose Protected Health Information (PHI) or Personally Identifiable Information (PII) shall complete information privacy and security training, at least annually, at the Contractor's expense. Each Contractor workforce member who receives information privacy and security training shall sign a certification, indicating the member's name and the date on which the training was completed. These certifications shall be retained for a period of three (3) years following Agreement termination.

b) Employee Discipline. Appropriate sanctions shall be applied against Contractor workforce members who fail to comply with privacy policies and procedures or any provisions of these requirements, including termination of employment where appropriate.

c) Confidentiality Statement. All Contractor workforce members that will be working with PSCI shall sign a confidentiality statement. The statement shall include at a minimum, General Use, Security and Privacy safeguards, Unacceptable Use, and Enforcement Policies. The statement shall be signed by the workforce member prior to access to PSCI. The statement shall be renewed annually. The Contractor shall retain each person's written confidentiality statement for the BOE inspection for a period of three (3) years following agreement termination.

d) Background Check. Before a member of the Contractor's workforce may access PSCI, the Contractor shall conduct a thorough background check of that worker and evaluate the results to assure that there is no indication that the worker may present a risk to the security or integrity of confidential data or a risk for theft or misuse of confidential data. The Contractor shall retain each workforce member's background check documentation for a period of three (3) years following agreement termination.

2) Technical Security Controls

a. Workstation/Laptop Encryption. All workstations and laptops that process and/or store PSCI shall be encrypted with the BOE approved solution (i.e. FIPS 140-2). The encryption solution shall be full disk.

b. Minimum Necessary. Only the minimum necessary amount of PSCI may be downloaded to a laptop or hard drive when absolutely necessary for current business purposes.

c. Removable Media Devices. All electronic files that contain PSCI data shall be encrypted when stored on any removable media type device (i.e. USB thumb drives, floppies, CD/DVD, etc.) with the BOE approved solution (i.e. FIPS 140-2).

d. Email Security. All emails that include PSCI shall be sent in an encrypted method using the BOE approved solution.

e. Antivirus Software. All workstations, laptops, other devices, and systems that process and/or store PSCI shall have a commercial third-party anti-virus software solution with a minimum daily automatic update.

f. Patch Management. All workstations, laptops, other devices, and systems that process and/or store PSCI shall have security patches applied and up-to-date.

g. User IDs and Password Controls. All users shall be issued a unique user name for accessing PSCI. Passwords shall not be shared. Passwords shall adhere to the following:

• Be at least eight characters
• Be a non-dictionary word
• Not be stored in readable format on the computer.
• Be changed every 90 days
• Be changed if revealed or compromised

Passwords shall be composed of characters from at least three of the following four groups from the standard keyboard:

• Upper case letters (A-Z)
• Lower case letters (a-z)
• Arabic numerals (0-9)
• Non-alphanumeric characters (punctuation symbols)

h. Data Destruction. The Contractor shall meet the standards as set forth in NIST 800-88 for destruction of data. All PSCI shall be wiped from systems when the data is no longer necessary. The wipe method shall conform to Department of Defense standards for data destruction. If data was PII or PHI, then the Gutmann 36 pass wipe is required. All PSCI on removable media shall be returned to the BOE when the data is no longer necessary. Once data has been destroyed and logged, the BOE Contract Manager shall be notified and provided logs for auditing and retention period.

i. Remote Access. Any remote access to PSCI shall be executed over an encrypted method approved by the BOE. All remote access shall be limited to minimum necessary and least privilege principles. Remote Access shall meet security standards as defined in SAM 5360.1 and SIMM 6360-A.

3) System Security Controls

a. System Timeout. The System shall provide an automatic timeout after no more than 20 minutes of inactivity.

b. Warning Banners. All Systems containing PSCI shall display a warning banner stating that data is confidential, systems are logged, and system use is for business purposes only. Users shall be directed to log off the system if they do not agree with these requirements.

c. System Logging. The System shall log successes and failures of user authentication at all layers. The System shall log all system administrator/developer access and changes if the system is processing and/or storing PSCI. The System shall log all user transactions at the database layer if processing and/or storing PSCI.

d. Access Controls. The System shall use role based access controls for all user authentications, enforcing the principle of least privilege.

e. Transmission Encryption. Confidential, sensitive or personal information shall be encrypted in accordance with SAM 6350.1 and SIMM 5305-A. All data transmissions shall be encrypted end-to-end using the BOE approved solution, when transmitting PSCI. See the CHHS Security Policy - Data Encryption at the following link:

f. Host Based Intrusion Detection. All systems that are accessible via the Internet or store PSCI shall actively use a comprehensive third-party real-time host based intrusion detection and prevention solution.

4) System Security Review

a. The Contractor shall obtain independent security risk assessment consultants to meet the SAM 5305.7 and NIST standards (800-30, 800-37, 800-39, and 800-53) as well as OWASP standards including but not limited to the Development and Testing Guidelines for web services. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors should not:

• Create a mutual or conflicting interest with the organizations where the assessments are being conducted.
• Self-assess their work.
• Act as management or employees of the organizations they are serving.
• Place themselves in advocacy positions for the organizations
• Have an affiliation, either personal or business, with the Contractor or subcontractors working under agreement with the BOE.

b. The BOE shall have approval of the independent risk assessment consultants that will perform the security risk assessments prior to the Contractor hiring the firm.

c. The independent security risk assessment firm shall have references from comparable State agencies (comparable system complexity as the BOE).

d. The Contractor shall have independent security risk assessment consultants conduct security risk assessments every two years of the BOE Project Systems and Project Support Systems (e.g. shared drives, web sites, web applications, Innotas, SharePoint).

e. The Contractor shall have the security risk assessment provide a gap analysis using the latest version of the Low or Moderate Tailored Baseline NIST 800-53 security controls.

f. The CROS Project Director or designee and the BOE ISO shall have full access to the results of the independent risk assessment.

g. The Contractor shall provide to the BOE a Security Assessment Report created by the independent security assessors as defined in NIST 800-53. This report shall contain, as a minimum, identification and score of risks and provide recommended mitigation solutions.

5) Audit Controls

a) Log Reviews. All systems processing and/or storing PSCI shall have a routine procedure in place to review system logs for unauthorized access.

b) Change Control. All systems processing and/or storing PSCI shall have a documented change control procedure that ensures separation of duties and protects the confidentiality, integrity, and availability of data.

6) Business Continuity / Disaster Recovery Controls

a. Emergency Mode Operation Plan. The Contractor shall establish a documented plan to enable continuation of critical business processes and protection of the security of electronic PSCI in the event of an emergency. An emergency is an interruption of business operations for more than 24 hours.

b. Data Backup Plan. The Contractor shall have established documented procedures to backup PSCI to maintain retrievable exact copies of PSCI. The plan shall include a regular schedule for making backups, storing backups offsite, an inventory of backup media, and the amount of time to restore PSCI should it be lost. At a minimum, the schedule shall be a weekly full backup and monthly offsite storage of data.

7) Paper Document Controls

a. Supervision of Data. PSCI in paper form shall not be left unattended at any time, unless it is locked in a file cabinet, file room, or desk. Unattended means that information is not being observed by an employee authorized to access the information. PSCI in paper form shall not be left unattended at any time in vehicles or planes and shall not be checked in baggage on commercial airplanes.

b. Escorting Visitors. Visitors to areas where PSCI is contained shall be escorted and PSCI shall be kept out of sight while visitors are in the area.

c. Confidential Destruction. The Contractor shall meet the standards as set forth in NIST 800-88 for destruction of data. PSCI shall be disposed of through confidential means, such as cross cut shredding and pulverizing.

d. Removal of Data. PSCI shall not be removed from the premises of the BOE except with express written permission of the BOE.

e. Faxing. Faxes containing PSCI shall not be left unattended and fax machines shall be in secure areas. Faxes shall contain a confidentiality statement notifying persons receiving faxes in error to destroy them. Fax numbers shall be verified with the intended recipient before sending. The Contractor fax machines shall be located in secure areas, per SAM 6365.1.

f. Mailing. PSCI shall only be mailed using secure methods. Large volume mailings of PSCI shall be by a secure, bonded courier with signature required on receipt. Disks and other transportable media sent through the mail shall be encrypted with the BOE approved solution.

8) Physical Transport of Paper/Electronic Data/Media

a. There are specific precautions that shall be taken when transporting electronic data/media. The data/media shall be wrapped or sealed in an envelope or pouch in such a manner that the contents cannot be identified during the transportation process. The outside of the container shall clearly identify the addressee, which includes the name, address and telephone number where he/she can be reached. The Contractor shall ensure that transported data/media be delivered only to the appropriate individuals who are authorized to receive the information. This can be accomplished by implementing a tracking method by which the sender and the recipient can sign and verify delivery and receipt of the information.

b. The Contractor shall ensure that there is a tracking process in place for the transportation of data/media, whether in paper records or physical media devices, and that accountability be strongly emphasized with the establishment of this process. Existing tracking processes such as those associated with FedEx, UPS and the U.S. Postal Service are permitted. However, when sending information on physical media devices via these methods or by similar means, the information shall be encrypted.

c. California Public Records Act. The Contractor shall work cooperatively with the State to respond timely and correctly to Public Records Act requests.

d. Security Officer. The Contractor shall designate a Security Officer to oversee its data security program who will be responsible for carrying out its privacy and security programs and for communicating on security matters with the BOE.

e. Training. The Contractor shall provide training on its data privacy and security policies, at least annually, at its own expense, to all its employees who assist in the performance of functions or activities on behalf of the BOE under this Agreement and use or disclose PSCI.

1) The Contractor shall require each employee who receives data privacy and security training to sign a certification, indicating the employee's name and the date on which the training was completed. Such training must comply with BOE Information Security standards included in SIMM 5300 and Federal Tax Information security information (Publication 1075).

2) The Contractor shall retain each employee's written certifications for the BOE inspection for a period of three years following Agreement termination.

f. Breaches.

1) Discovery and Notification of Breach. The Contractor shall be responsible for facilitating the security incident process as described in California Civil Code 1798.29(e), California Civil Code 1798.82(f), and SAM 5340, Incident Management. The Contractor shall notify the BOE immediately by telephone call plus email or fax upon the discovery of breach of security of PSCI in computerized form if the PSCI was, or is reasonably believed to have been, acquired by an unauthorized person, or within two hours by email of the discovery of any suspected security incident, intrusion or unauthorized use or disclosure of PSCI in violation of this Agreement, this provision, the law, or potential loss of confidential data affecting this Agreement. Notification shall be provided to the BOE Contract Manager, the BOE Disclosure Officer and the BOE Information Security Officer. If the incident occurs after business hours or on a weekend or holiday and involves electronic PSCI, notification shall be provided by e-mailing the BOE Security Office at [email protected]. The Contractor shall take the following actions:

a) Prompt corrective action to mitigate any risks or damages involved with the breach and to protect the operating environment; and

b) Any action pertaining to such unauthorized disclosure required by applicable Federal and State laws and regulations.

2) Investigation of Breach. The Contractor shall immediately investigate such security incident, breach, or unauthorized use or disclosure of PSCI and within twelve (12) to twenty-four (24) hours of the discovery, and shall notify the BOE Contract Manager, the BOE Disclosure Officer, and the BOE Information Security Officer of the following information:

a) The data elements involved and the extent of the data involved in the breach,

b) A description of the unauthorized persons known or reasonably believed to have improperly used or disclosed PSCI,

c) A description of where the PSCI is believed to have been improperly transmitted, sent, or utilized,

d) A description of the probable causes of the improper use or disclosure; and

e) Whether Civil Code sections 1798.29 or 1798.82 or any other federal or state laws requiring individual notifications of breaches are triggered.

3) Updates on Investigation. The Contractor shall provide regular (every 24 hours) updates on the progress of the investigation to the BOE Contract Manager, the BOE Disclosure Officer, and the BOE Information Security Officer.

4) Written Report. The Contractor shall provide a written report of the investigation to the BOE Contract Manager, the BOE Disclosure Officer, and the BOE Information Security Officer within seven (7) working days of the discovery of the breach or unauthorized use or disclosure. The report will, at a minimum, follow the format of SIMM 5340-B. The report shall include, but not be limited to, the information specified above, as well as a full, detailed corrective action plan, including information on measures that were taken to halt and/or contain the improper use or disclosure.

5) Notification of Individuals. The Contractor shall notify individuals of the breach or unauthorized use or disclosure when notification is required under state or federal law and shall pay any costs of such notifications, as well as any costs associated with the breach. The BOE Contract Manager, the BOE Disclosure Officer, and the BOE Information Security Officer shall approve the time, manner and content of any such notifications.

7. Effect on lower-tier transactions. The terms of this Exhibit shall apply to all agreements, subcontracts, and subawards, regardless of whether they are for the acquisition of services, goods, or commodities. The Contractor shall incorporate the contents of this Exhibit into each subcontract or subaward to its agents, subcontractors, or independent consultants.

8. Contact Information. To direct communications to the above referenced BOE staff, the Contractor shall initiate contact as indicated herein. The BOE reserves the right to make changes to the contact information below by giving written notice to the Contractor. Said changes shall not require an amendment to this Exhibit or the Agreement to which it is incorporated.

BOE State Contract Manager: See the Agreement for State Contract Manager Information

BOE Disclosure Officer: Disclosure Officer, c/o BOE Legal Department, Board of Equalization. Email: [email protected] Telephone: (916) 324-2598

BOE Information Security Officer: Information Security Officer, BOE Information Security Office, Board of Equalization. Email: [email protected]. gov Telephone: (916) 324-2313

9. Audits and Inspections. From time to time, the BOE may inspect the facilities, systems, books and records of the Contractor to monitor compliance with the safeguards required in the Information Confidentiality and Security Requirements (ICSR) exhibit. The Contractor shall promptly remedy any violation of any provision of this ICSR exhibit. The fact that the BOE inspects, or fails to inspect, or has the right to inspect the Contractor's facilities, systems and procedures does not relieve the Contractor of its responsibility to comply with this ICSR exhibit.

II. PERFORMANCE

In performance of this Contract, the Contractor agrees to comply with and assume responsibility for compliance by his or her employees with the following requirements:

1. All work will be done under the supervision of the Contractor or the Contractor's personnel.

2. Any return or return information made available in any format shall be used only for the purpose of carrying out the provisions of this Contract. Information contained in such material will be treated as confidential and will not be divulged or made known in any manner to any person except as may be necessary in the performance of this Contract. Disclosure to anyone other than personnel of the Contractor will be prohibited.

3. All returns and return information will be accounted for upon receipt and properly stored before, during, and after processing. In addition, all related output will be given the same level of protection as required for the source material.

4. The Contractor certifies that the data processed during the performance of this Contract will be completely purged from all data storage components of his or her computer facility, and no output will be retained by the Contractor at the time the work is completed. If immediate purging of all data storage components is not possible, the Contractor certifies that any IRS data remaining in any storage component will be safeguarded per IRS Publication 1075 (https://www.irs.gov/uac/safeguards-program) to prevent unauthorized disclosures.

5. Any spoilage or any intermediate hard copy printout that may result during the processing of IRS data will be given to the CROS Project Director (or designee). When this is not possible, the Contractor will be responsible for the destruction of the spoilage or any intermediate hard copy printouts, and will provide the CROS Project Director (or designee) with a statement containing the date of destruction, description of material destroyed, and the method used.

6. All computer systems receiving, processing, storing or transmitting Federal Tax Information (FTI) must meet the requirements defined in IRS Publication 1075. To meet functional and assurance requirements, the security features of the environment must provide for the managerial, operational, and technical controls. All security features must be available and activated to protect against unauthorized use of and access to FTI.

7. No work involving FTI furnished under this Contract will be subcontracted without prior written approval of the IRS.

8. The Contractor will maintain a list of employees with authorized access. Such list will be provided to the BOE and, upon request, to the IRS reviewing office.

9. The BOE will have the right to void the Contract if the Contractor fails to provide the safeguards described above.

III. CRIMINAL/CIVIL SANCTIONS

1. Each officer or employee of any person to whom returns or return information is or may be disclosed will be notified in writing by such person that returns or return information disclosed to such officer or employee can be used only for a purpose and to the extent authorized herein, and that further disclosure of any such returns or return information for a purpose or to an extent unauthorized herein constitutes a felony punishable upon conviction by a fine of as much as $5,000 or imprisonment for as long as 5 years, or both, together with the costs of prosecution. Such person shall also notify each such officer and employee that any such unauthorized further disclosure of returns or return information may also result in an award of civil damages against the officer or employee in an amount not less than $1,000 with respect to each instance of unauthorized disclosure. These penalties are prescribed by Internal Revenue Code (IRC) sections 7213 and 7431 and set forth at 26 CFR 301.6103(n)-1.

2. Each officer or employee of any person to whom returns or return information is or may be disclosed shall be notified in writing by such person that any return or return information made available in any format shall be used only for the purpose of carrying out the provisions of this Contract. Information contained in such material shall be treated as confidential and shall not be divulged or made known in any manner to any person except as may be necessary in the performance of the contract. Inspection by or disclosure to anyone without an official need-to-know constitutes a criminal misdemeanor punishable upon conviction by a fine of as much as $1,000 or imprisonment for as long as 1 year, or both, together with the costs of prosecution. Such person shall also notify each such officer and employee that any such unauthorized inspection or disclosure of returns or return information may also result in an award of civil damages against the officer or employee [United States for Federal employees] in an amount equal to the sum of the greater of $1,000 for each act of unauthorized inspection or disclosure with respect to which such defendant is found liable or the sum of the actual damages sustained by the plaintiff as a result of such unauthorized inspection or disclosure plus in the case of a willful inspection or disclosure which is the result of gross negligence, punitive damages, plus the costs of the action. These penalties are prescribed by IRC 7213A and 7431.

3. Additionally, it is incumbent upon the Contractor to inform its officers and employees of the penalties for improper disclosure imposed by the Privacy Act of 1974, 5 U.S.C. 552a. Specifically, 5 U.S.C. 552a(i)(1), which is made applicable to contractors by 5 U.S.C. 552a(m)(1), provides that any officer or employee of a contractor, who by virtue of his/her employment or official position, has possession of or access to BOE records which contain individually identifiable information, the disclosure of which is prohibited by the Privacy Act or regulations established thereunder, and who knowing that disclosure of the specific material is prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5,000.

4. Granting a Contractor access to FTI must be preceded by certifying that each individual understands the BOE's security policy and procedures for safeguarding IRS information. Contractors must maintain their authorization to access FTI through annual recertification. The initial certification and recertification must be documented and placed in the BOE's files for review. As part of the certification and at least annually afterwards, Contractors must be advised of the provisions of IRCs 7431, 7213, and 7213A. The training provided before the initial certification and annually thereafter must also cover the incident response policy and procedure for reporting unauthorized disclosures and data breaches. (See Section 10) For both the initial certification and the annual certification, the contractor must sign, either with ink or electronic signature, a confidentiality statement certifying their understanding of the security requirements.

IV. INSPECTION

The IRS and the BOE shall have the right to send its officers and employees into the offices and plants of the Contractor for inspection of the facilities and operations provided for the performance of any work under this Contract. On the basis of such inspection, specific measures may be required in cases where the Contractor is found to be noncompliant with Contract safeguards.

STATE OF CALIFORNIA

AGREEMENT SUMMARY, STD. 215 (REV. 1-2014)

AGREEMENT NUMBER: 2016-4130

AMENDMENT NUMBER:

[ ] CHECK HERE IF ADDITIONAL PAGES ARE ATTACHED

1. CONTRACTOR'S NAME: International Network Consulting, Inc.

2. FEDERAL I.D. NUMBER: 68-0445221

3. AGENCY TRANSMITTING AGREEMENT: Board of Equalization

4. DIVISION, BUREAU, OR OTHER UNIT: CROS PROJECT TEAM

5. AGENCY BILLING CODE: 024487

6. NAME AND TELEPHONE NUMBER OF CONTRACT ANALYST FOR QUESTIONS REGARDING THIS AGREEMENT: Linda Merdinger, 916-322-2107, [email protected]

7. HAS YOUR AGENCY CONTRACTED FOR THESE SERVICES BEFORE? [X] NO [ ] YES (If YES, enter prior contractor name and Agreement Number)

8. BRIEF DESCRIPTION OF SERVICES - LIMIT 72 CHARACTERS INCLUDING PUNCTUATION AND SPACES: IT Consulting Services.

9. AGREEMENT OUTLINE (Include reason for Agreement: Identify specific problem, administrative requirement, program need or other circumstances making the Agreement necessary; include special or unusual terms and conditions.)

Contractor will provide five (5) Senior Programmers for the CROS Project to conduct data remediation and provide mainframe program enhancements for the IRIS and Timber Tax systems throughout the CROS Project Implementation.

10. PAYMENT TERMS (More than one may apply.)

[ ] MONTHLY FLAT RATE [ ] QUARTERLY [ ] ONE-TIME PAYMENT [ ] PROGRESS PAYMENT

[X] ITEMIZED INVOICE [X] WITHHOLD jQ_, % [ ] ADVANCED PAYMENT NOT TO EXCEED $ ________ or ________ %

[ ] REIMBURSEMENT/REVENUE

[ ] OTHER (Explain)

11. PROJECTED EXPENDITURES

FUND TITLE: General Fund | ITEM: 0860-001-0001 | F.Y.: 2016/17 | CHAPTER: 23 | STATUTE: 2016 | PROJECTED EXPENDITURES: $3,440,640.00

OBJECT CODE: 4160

AGREEMENT TOTAL: $3,440,640.00

OPTIONAL USE:

AMOUNT ENCUMBERED BY THIS DOCUMENT: $3,440,640.00

PRIOR AMOUNT ENCUMBERED FOR THIS AGREEMENT: $0.00

TOTAL AMOUNT ENCUMBERED TO DATE: $3,440,640.00

I CERTIFY upon my own personal knowledge that the budgeted funds for the current budget year are available for the period and purpose of the expenditure stated above.

ACCOUNTING OFFICER'S SIGNATURE: DATE SIGNED:

12. TERM AND TOTAL COST OF THIS TRANSACTION

AGREEMENT | From | Through | TOTAL COST OF THIS TRANSACTION | BID, SOLE SOURCE, EXEMPT

Original | 3/1/2017 | 2/28/2021 | $3,440,640.00 | Exempt

Amendment No. 1 | | | $ |

Amendment No. 2 | | | $ |

Amendment No. 3 | | | $ |

TOTAL | | | $3,440,640.00 |

(Continue) Printed: 3/9/2017 11:13:21 AM

13. BIDDING METHOD USED: [ ] REQUEST FOR PROPOSAL (RFP) (Attach justification if secondary method is used) [ ] INVITATION FOR BID (IFB) [ ] USE OF MASTER SERVICE AGREEMENT [ ] SOLE SOURCE CONTRACT (Attach STD. 821) [ ] EXEMPT FROM BIDDING (Give authority for exempt status) [X] OTHER (Explain): CMAS LPA # 3-12-70-1227D

NOTE: Proof of advertisement in the State Contracts Register or an approved form STD. 821, Contract Advertising Exemption Request, must be attached

14. SUMMARY OF BIDS (List of bidders, bid amount and small business status) (If an amendment, sole source, or exempt, leave blank)

15. IF AWARD OF AGREEMENT IS TO OTHER THAN THE LOWER BIDDER, PLEASE EXPLAIN REASON(S) (If an amendment, sole source, or exempt, leave blank)

16. WHAT IS THE BASIS FOR DETERMINING THAT THE PRICE OR RATE IS REASONABLE?

17(a). JUSTIFICATION FOR CONTRACTING OUT (Check one)

[ ] Contracting out is based on cost savings per Government Code 19130(a). The State Personnel Board has been so notified.

Contracting out is justified based on Government Code 19130(b). Justification for the Agreement is described below.

Justification: (3) The services contracted are not available within civil service, cannot be performed satisfactorily by civil service employees, or are of such a highly specialized or technical nature that the necessary expert knowledge, experience, and ability are not available through the civil service system.

17(b). EMPLOYEE BARGAINING UNIT NOTIFICATION

[ ] By checking this box, I hereby certify compliance with Government Code section 19132(b)(1).

AUTHORIZED SIGNER: DATE:

18. FOR AGREEMENTS IN EXCESS OF $5,000, HAS THE LETTING OF THE AGREEMENT BEEN REPORTED TO THE DEPARTMENT OF FAIR EMPLOYMENT AND HOUSING? [ ] NO [X] YES [ ] N/A

19. HAVE CONFLICT OF INTEREST ISSUES BEEN IDENTIFIED AND RESOLVED AS REQUIRED BY THE STATE CONTRACT MANUAL SECTION 7.10? [ ] NO [X] YES [ ] N/A

20. FOR CONSULTING AGREEMENTS, DID YOU REVIEW ANY CONTRACTOR EVALUATIONS ON FILE WITH THE DGS LEGAL OFFICE? [ ] NO [X] YES [ ] NONE ON FILE [ ] N/A

21. IS A SIGNED COPY OF THE FOLLOWING ON FILE AT YOUR AGENCY FOR THIS CONTRACTOR? A. CONTRACTOR CERTIFICATION CLAUSES B. STD. 204, VENDOR DATA RECORD

22. REQUIRED RESOLUTIONS ARE ATTACHED

[ ] NO [ ] YES [X] N/A; [ ] NO [X] YES [ ] N/A; [ ] NO [ ] YES [ ] N/A

23. ARE DISABLED VETERANS BUSINESS ENTERPRISE GOALS REQUIRED? (If an amendment, explain changes, if any)

[X] NO (Explain below) [ ] YES (If YES complete the following)

DISABLED VETERAN BUSINESS ENTERPRISES: % OF AGREEMENT

Explain: Exempt

24. IS THIS A SMALL BUSINESS CERTIFIED BY OSBCR? SMALL BUSINESS REFERENCE NUMBER [ ] NO [X] YES (Indicate Industry Group) 1 1 12

25. IS THIS AGREEMENT (WITH AMENDMENTS) FOR A PERIOD OF TIME LONGER THAN TWO YEARS? (If YES, provide justification)

[ ] NO [ ] YES Multi-year - Department of Technology, Statewide Technology Procurement approved

I certify that all copies of the referenced Agreement will conform to the original Agreement sent to the Department of General Services

SIGNATURE/TITLE: DATE SIGNED: Printed: 3/9/2017 11:13:21 AM

Acquisition Allocation

Acq Nbr: 2016-4130 | Acq Date: 03/01/2017 | Vendor Nbr: 16406 | Vendor Name: International Network Consulting, Inc.

Line Item Nbr | Fiscal Year | Unit | Object Code | Program Code | Cost Extension | % | Line Total

1 | 2016 | 487 | 4160 | 5050 | $260,000.00 | 100.0000 | $260,000.00

2 | 2016 | 487 | 4160 | 5050 | $920,000.00 | 100.0000 | $920,000.00

3 | 2016 | 487 | 4160 | 5050 | $920,000.00 | 100.0000 | $920,000.00

4 | 2016 | 487 | 4160 | 5060 | $920,000.00 | 100.0000 | $920,000.00

5 | 2016 | 487 | 4160 | 6050 | $430,640.00 | 100.0000 | $430,640.00

Grand Total: $3,440,640.00

Allocation Summary

2016 | 487 | 4160 | 5050 | $3,440,640.00

Total: $3,440,640.00