Florida Local Government Cybersecurity Grant Application Aide

This application aide is designed to assist you by identifying the information you will need to collect to submit an official grant application through the online grants portal. This document will not be accepted as a grant application.

Florida Local Government Cybersecurity Grant Program

The Florida Digital Service (FL[DS]) is the lead entity for cybersecurity in the state of Florida. It is responsible for establishing safeguards to protect data, responding to cybersecurity incidents, assessing cybersecurity risk and maturity, and developing necessary cybersecurity standards and frameworks. The FL[DS] is administering the Florida Local Government Cybersecurity Grant Program, a competitive program to extend the cybersecurity capabilities of the FL[DS] Cybersecurity Operations Center (CSOC) to Florida municipal and county governments to improve their cybersecurity posture and resiliency.

* Denotes required information unless not applicable

ORGANIZATION/APPLICANT INFORMATION
*Organization Name:
*Organization Type (Municipality, County)
*Organization Subtype (Mayor, Board of Commissioners, Clerk of Court, Property Appraiser, Sheriff's Office, Supervisor of Elections, Tax Collector, Other)
*If Other Subtype:
*Organization County:
*Mailing Address:
*City:
*Zip Code:
*Main Website Address:
*Tax ID:

Executive Sponsor for Grant:
*Name: Title: *Office Phone Number: *Receive texts? (Y/N) Mobile Phone Number: Receive texts? (Y/N) *Email Address

Primary Contact for Grant:
*Name: *Title: *Office Phone Number: *Receive texts? (Y/N) Mobile Phone Number: Receive texts? (Y/N) *Email Address

Additional Contacts - Information Technology Director:
Name: Title: Office Phone Number: Receive texts? (Y/N) Mobile Phone Number: Receive texts? (Y/N) Email Address

Additional Contacts - Chief Information Security Officer or Security Manager:
Name: Title: Office Phone Number: Receive texts?
(Y/N) Mobile Phone Number: Receive texts? (Y/N) Email Address

ABOUT YOUR ORGANIZATION:
Total number of supported users (Customers, Staff, Contractors, Students):
Total number of staff members dedicated to cybersecurity (Employees and Contractors):
Annual operating budget of organization:
Total budget for cybersecurity:
Total number of physical sites/locations:

Local Eligibility:
Is your organization funded or its budget approved by a county or municipality? (Y/N)
Is your organization governed by a county or municipality? (Y/N)
Are your organization's systems or data integrated with those of a county or municipality? (Y/N)
Are there other reasons your organization is considered to be a local entity? If so, please explain them:

ABOUT YOUR IT ENVIRONMENT:
Does your infrastructure send data across My Florida Network MFN2? (Y/N)
Do any of your network(s) send or receive data to/from infrastructure or applications hosted by the State of Florida? (Y/N)
Do the employees of your organization use applications provided by the State of Florida? (Y/N)
Does your entity provide constituent/public facing applications? (Y/N)
How many constituents/members of the public do your applications serve annually?
Does your organization manage critical infrastructure as defined by rule 60GG-2.001(2)(a)10., F.A.C.? (Y/N)
How many sites/locations include critical infrastructure?
Provide any additional information regarding critical infrastructure as it pertains to this grant application:
Total number of supported endpoints/devices (e.g. laptops, desktops, servers, mobile devices)?
Date of your most recent cybersecurity risk assessment?
What is your biggest motivation(s)/reason(s) to apply for this grant opportunity?

REQUESTED DOCUMENTATION
To align your organization with the right capabilities and to be better prepared to support you when responding to an incident, the following documents are requested post award.
Which of these documents is your organization willing to consider sharing with the FL[DS], subject to the protections of 119.0725, F.S.?
*Network Diagrams (Y/N)
*Critical Systems Inventory (Y/N)
*Critical Infrastructure Inventory (if applicable) (Y/N)

INTEGRATION WITH STATE CYBERSECURITY OPERATIONS CENTER (CSOC)
The State CSOC is designed to serve as a single point of ingestion for cybersecurity data and provides a multi-tenant framework that allows for relevant data sharing while preserving the sovereignty of participating entities. This data is used to monitor and detect threats across Florida's cybersecurity landscape.
*Are you willing to integrate existing solutions into the Cybersecurity Operations Center? The FL[DS] will work with your team to identify eligible solutions post award. (Y/N)

OUR COMMITMENTS TO YOU
The FL[DS] is committed to least privileged access because we believe in privacy and the minimum access required to administer the offered cyber capabilities and incident response, when requested. The following agreements will be delivered as two-party agreements with FL[DS] and your organization. They clearly describe the Florida Digital Service's intent, limitations, and restrictions. These signed agreements between FL[DS] and your organization are required within 30 days after award and prior to any solution implementation. Example riders and agreements can be found on the main Local Government Cybersecurity Grant Program webpage under the "Additional Resources" section.
• Grant Agreement
• Grantee Data Sharing Agreement
• Incident Response Rider
• Software Rider(s) as needed
Warranties and Commitments will be included as part of the post-award process and provide important assurances to your organization regarding this grant.

FUTURE CYBERSECURITY CAPABILITY NEEDS
To help us plan for future grant program offerings should they become available, please tell us about other capabilities/solutions that you would like to see offered, the provider, and product/service name of your preferred solution (if you have a preference).
Check all that apply (for each: Provider, Preferred Product/Service Name):
❑ Multi-Factor Authentication (MFA)
❑ Application Dependency and Performance Monitoring
❑ Business Continuity (backup, disaster recovery, data encryption)
❑ Identity and Access Management
❑ Centralized Ticketing and Asset Management
❑ Private Access / Secure (Access) Service Edge
❑ Security Event Information Management
❑ Governance, Risk and Compliance Tool
❑ Investigation, Visualization and Reporting Tool
❑ Email Security Service or Solution
❑ Vulnerability assessment and management tool
❑ Other:

CYBERSECURITY CAPABILITIES
Please tell us about the following cybersecurity capabilities as they pertain to your IT environment and whether you are requesting these capabilities for your organization as part of this grant opportunity. If you have questions about any of these capabilities, please contact cybersecuritygrants@digital.fl.gov.

Endpoint-Based Asset Discovery - A solution focused on infrastructure which discovers network connected devices and provides a comprehensive inventory of hardware and software assets across your enterprise. Agents are typically deployed to all laptop, desktop, and server devices.
*Do you have a solution providing this capability deployed in your environment? (Y/N)
Percentage of your assets (Windows, Linux, MacOS) covered by this solution (if yes):
*Name of the solution(s) you have deployed (if yes):
*Are you requesting Endpoint-Based Asset Discovery capabilities through this grant opportunity? (Y/N)
If Yes: Provider and product/service name of your preferred solution (if you have a preference):
How many computer users will be covered by this capability?
How many devices in your environment (Windows, Linux, & MacOS) will be covered by this capability?
*When is the soonest your organization will be ready to start implementing this capability from date of award? Select one: (less than 30 days, 31-60 days, 61-90 days, 91-120 days, longer)

Network-Based Asset Discovery - A solution providing enterprise visibility into managed, unmanaged and Internet of Things (IoT) devices discovered via network traffic.
*Do you have a solution providing this capability deployed in your environment? (Y/N)
Percentage of your assets covered by this solution (if yes):
*Name of the solution(s) you have deployed (if yes):
*Are you requesting Agentless Network-Based Asset Discovery capabilities through this grant opportunity? (Y/N)
If Yes: Provider and product/service name of your preferred solution (if you have a preference):
How many physical locations (local area networks) will be covered by this capability?
Total number of staff members in organization (include all employment types):
*When is the soonest your organization will be ready to start implementing this capability from date of award? Select one: (less than 30 days, 31-60 days, 61-90 days, 91-120 days, longer)

External-Facing Asset Discovery - A web facing attack surface discovery tool which provides a continuously updated inventory and vulnerability scanning of all global Internet facing assets to detect on-premises and cloud systems.
*Do you have a solution providing this capability deployed in your environment? (Y/N)
Percentage of your external-facing assets covered by this solution (if yes):
*Name of the solution(s) you have deployed (if yes):
*Are you requesting Internet-Facing Asset Discovery capabilities through this grant opportunity? (Y/N)
If Yes: Provider and product/service name of your preferred solution (if you have a preference):
How many external-facing assets are in your environment?
*When is the soonest your organization will be ready to start implementing this capability from date of award? Select one: (less than 30 days, 31-60 days, 61-90 days, 91-120 days, longer)

Content Delivery Network - Software to manage and secure enterprise web and mobile assets, both .com and .gov, by protecting websites and APIs against DDoS and targeted web app attacks while fending off adversarial bots, detecting client-side script attacks, and protecting your users' accounts from fraud.
*Do you have a solution providing this capability deployed in your environment? (Y/N)
Percentage of your hostnames covered by this solution (if yes):
*Name of the solution(s) you have deployed (if yes):
*Are you requesting Content Delivery Network capabilities through this grant opportunity? (Y/N)
If Yes: Provider and product/service name of your preferred solution (if you have a preference):
Number of hostnames/domain names in your environment:
Percentage of your hostnames that will be protected by this capability:
Total estimated monthly web traffic (ex. 50GB):
*When is the soonest your organization will be ready to start implementing this capability from date of award? Select one: (less than 30 days, 31-60 days, 61-90 days, 91-120 days, longer)

Endpoint Detection & Response (EDR) - An agent deployed to each endpoint, including desktops, laptops, and servers, runs autonomously on each device and monitors all processes in real-time to provide enterprise visibility, analytics, and automated response.
*Do you have a solution providing this capability deployed in your environment? (Y/N)
Percentage of your assets (Windows, Linux, MacOS) protected by this solution (if yes):
*Name of the solution(s) you have deployed (if yes):
*Are you requesting Endpoint Protection & Response (EDR) capabilities through this grant opportunity?
If Yes: Provider and product/service name of your preferred solution (if you have a preference):
How many devices in your environment (Windows, Linux, MacOS) will be protected by this capability?
*When is the soonest your organization will be ready to start implementing this capability from date of award? Select one: (less than 30 days, 31-60 days, 61-90 days, 91-120 days, longer)

Security Operations Platform - Providing 24/7/365 monitoring and initial incident investigations to augment your security staffing.
*Do you have a solution providing this capability deployed in your environment? (Y/N)
As a percentage, how complete is your implementation of this solution (if yes)?
*Name of the solution(s) you have deployed (if yes):
*Are you requesting Security Operations Platform capabilities through this grant opportunity? (Y/N)
If Yes: Provider and product/service name of your preferred solution (if you have a preference):
Log volume per day (in GB) to be consumed by Cyber Security Operations Center (if known):
List of Unique Log Sources and providers to be consumed (Ex: Firewall, Antivirus, Web Proxy, Etc.) that are not included in the capabilities offered by this grant opportunity:
How many devices in your environment (Windows, Linux, MacOS):
*When is the soonest your organization will be ready to start implementing this capability from date of award? Select one: (less than 30 days, 31-60 days, 61-90 days, 91-120 days, longer)

ADDITIONAL NEEDS
If there are cybersecurity capabilities specific to your organization you would like us to consider, please provide information about the need and its criticality, the solution and its projected impact, the estimated cost, and how you would procure, manage, and integrate the solution with the State Cybersecurity Operations Center. Provide sufficient information to establish goals for award and to demonstrate performance post-award.
You may upload any supporting documentation in the attachments section labeled as Additional Needs.
Additional Needs Attachments

ADDITIONAL INFORMATION
If you have additional information to share regarding your application including justification, explanation of needs, information on critical infrastructure, environmental factors, state resiliency or any other relevant information, please provide below or upload the information in the attachments section labeled as Additional Information.
Additional Information Attachments

Ch. 2022-156 LAWS OF FLORIDA Ch. 2022-156
SECTION 6 - GENERAL GOVERNMENT

2940 OTHER PERSONAL SERVICES
FROM GENERAL REVENUE FUND 196,185

2941 EXPENSES
FROM GENERAL REVENUE FUND 1,543,533

2942 SPECIAL CATEGORIES
CONTRACTED SERVICES
FROM GENERAL REVENUE FUND 2,184,299

From the funds in Specific Appropriation 2942, $1,000,000 is provided to the Department of Management Services to competitively procure cybersecurity professional and advisory services. These funds shall be used to continue the development of the state's cybersecurity program, to improve staffing, governance, and operations.

2944 SPECIAL CATEGORIES
ENTERPRISE CYBERSECURITY RESILIENCY
FROM GENERAL REVENUE FUND 50,000,000

From the funds in Specific Appropriation 2944, $25,000,000 in nonrecurring funds from the General Revenue Fund is provided to the Department of Management Services to implement the recommendations of the February 1, 2021, Florida Cybersecurity Task Force Final Report. The funds shall be placed in reserve. The Department of Management Services shall incorporate the recommendations of the February 1, 2021, Florida Cybersecurity Task Force Final Report into an implementation plan developed as part of the statewide information technology security strategic plan pursuant to section 282.318(3)(b), Florida Statutes.
The plan shall be submitted to the Executive Office of the Governor's Office of Policy and Budget, the chair of the Senate Committee on Appropriations, and the chair of the House of Representatives Appropriations Committee. Upon submission of the implementation plan, the department is authorized to submit quarterly budget amendments requesting release of these funds pursuant to the provisions of chapter 216, Florida Statutes, and based on the department's planned quarterly expenditures. Release is contingent upon the approval of a detailed operational work plan and a monthly spend plan that identifies all related work and costs budgeted for Fiscal Year 2022-2023. The department shall submit monthly project status reports on the progress of implementing each of the task force recommendations to the Executive Office of the Governor's Office of Policy and Budget, the chair of the Senate Committee on Appropriations, the chair of the House of Representatives Appropriations Committee, and the Florida Cybersecurity Advisory Council. Each status report shall include progress made to date for each project milestone, deliverable, and task order; planned and actual completion dates; planned and actual costs incurred; and any project issues and risks. The monthly project status reports shall be submitted by the 15th day following the end of each month. From the funds in Specific Appropriation 2944, $25,000,000 in recurring funds from the General Revenue Fund is provided to the Department of Management Services for cybersecurity services previously procured in Fiscal Year 2021-2022. 

From the funds in Specific Appropriation 2944, The Florida Digital Service will conduct a feasibility study to better integrate the capabilities of the state Cybersecurity Operations Center, Department of Homeland Security, and the Cybersecurity and Infrastructure Agency in a location that has the following attributes and existing facilities: a Navy Information Operations Center, a Navy Cyber Information Warfare Training Center, and Florida Department of Law Enforcement Cyber High-tech Crime Unit/Network Intrusion. The study should include but not be limited to increased rapid response capability, increased threat intelligence, and a reduced response time to a cybersecurity attack.

2944A SPECIAL CATEGORIES
GRANTS AND AIDS - CYBERSECURITY GRANTS
FROM GENERAL REVENUE FUND 30,000,000
FROM FEDERAL GRANTS TRUST FUND 5,428,240

Funds provided in Specific Appropriation 2944A from the Federal Grants Trust Fund are contingent on federal grants being awarded. The State Chief Information Security Officer and the Department of Management Services shall administer the competitive grant program, determine eligibility, and distribute grants based on guidance provided by the Cybersecurity and Infrastructure Security Agency and the Federal Emergency Management Agency.

Funds in Specific Appropriation 2944A from the General Revenue Fund are for local government cybersecurity technical assistance grants. The Department of Management Services shall administer the competitive grant program, and the State Chief Information Security Officer shall develop the criteria and process for awarding such assistance funds to municipalities and counties.
The Department of Management Services shall report quarterly to the Executive Office of the Governor's Office of Policy & Budget, the chair of the Senate Committee on Appropriations, and the chair of the House of Representatives Appropriations Committee regarding the use and distribution of these funds. The status reports shall be submitted the 15th day following the end of each quarter. 2944B SPECIAL CATEGORIES FLORIDA CENTER FOR CYBERSECURITY - UNIVERSITY OF SOUTH FLORIDA FROM GENERAL REVENUE FUND 37,000,000 From the funds in Specific Appropriation 2944B, $7,000,000 in nonrecurring funds from the General Revenue Fund shall be transferred to the Florida Center for Cybersecurity at the University of South Florida, established pursuant to section 1004.444, Florida Statutes, and in consultation with the Florida Cybersecurity Advisory Council, to conduct a comprehensive risk assessment of the state's critical infrastructure and provide recommendations to support actionable solutions for improvement of the state's preparedness and resilience to significant cybersecurity incidents. The university shall submit draft recommendations by January 9, 2023, and the final assessment by June 30, 2023, to the Governor, the President of the Senate, the Speaker of the House of Representatives, and the Florida Cybersecurity Advisory Council. From the funds in Specific Appropriation 2944B, $30,000,000 in nonrecurring funds from the General Revenue Fund shall be transferred to the Florida Center for Cybersecurity at the University of South Florida, established pursuant to section 1004.444, Florida Statutes, and in consultation with the Department of Management Services and the Florida Cybersecurity Advisory Council, to conduct cybersecurity training for state and local government executive, managerial, technical, and general staff. 
The university shall coordinate this training to minimize travel and to ensure that training already offered by state colleges and universities are utilized. The university shall report quarterly on the progress of providing this training to the Executive Office of the Governor's Office of Policy & Budget, the chair of the Senate Committee on Appropriations, and the chair of the House of Representatives Appropriations Committee. Each status report must identify, by government entity, the quantity and type of staff receiving training, planned and actual costs incurred, and any issues and risks. The quarterly status report shall be submitted by the 15th day following the end of each quarter.

2911C SPECIAL CATEGORIES
CYBER RESILIENCE, SECURITY LEADERSHIP, AND DISASTER RECOVERY
FROM GENERAL REVENUE FUND 000,000

Funds in Specific Appropriation 2911C are provided for funding a nonrecurring appropriations project (IID 2203) (Senate Form 1000).

2911D SPECIAL CATEGORIES
LONGWOOD SERVER INFRASTRUCTURE REPLACEMENT
FROM GENERAL REVENUE FUND 195,000

Funds in Specific Appropriation 2911D are provided for funding a nonrecurring appropriations project (IID 2111).

2945 SPECIAL CATEGORIES
RISK MANAGEMENT INSURANCE
FROM GENERAL REVENUE FUND 5,248

2946 SPECIAL CATEGORIES
LEASE OR LEASE-PURCHASE OF EQUIPMENT
FROM GENERAL REVENUE FUND 7,102

CODING: Language stricken has been vetoed by the Governor

Cybersecurity Function/Capability Descriptions
KB0010020, authored by Ishmael Hannah

*Security Operations Platform - Functions as the unified operations platform to consolidate telemetry from integrated products throughout the security stack. Provides a centralized single-pane-of-glass for monitoring and performing security operations. Also provides managed cybersecurity services, giving 24/7/365 monitoring and incident reporting augmentation.

*Endpoint-Based Asset Discovery (Agent) - Quickly discover network connected devices and provide a comprehensive inventory of hardware and software assets across the Enterprise. Provides the ability to inventory all managed assets, identify rogue assets, categorize assets based on criticality, and utilize the comprehensive data provided to inform decisions such as future hardware.

*Network-Based Discovery (Agentless) - An agentless platform to gain enterprise visibility into managed, unmanaged, and Internet of Things (IoT) devices across the enterprise. Provides monitoring across all networked devices, passive sensors that continuously perform asset identification, and discovery of devices communicating on your network to help characterize potential threats.

*External-Facing Asset Discovery - Provides a comprehensive, continuously updated inventory of all internet-facing assets to detect on-premises and cloud systems. Provides a regularly updated view into the health and risk level of public-facing attack surface for enterprise assets.

*Endpoint Protection (EDR) - An endpoint solution, including desktops, laptops, and servers, that monitors all processes and real time security to provide enterprise visibility, analytics, and automated rule-based response. EDR improves visibility across the enterprise, aids with investigation and remediation efforts, and automatically collects and correlates data for threat detection and response.

*Content Delivery Network (CDN) - Protects websites and application programming interfaces (API) against distributed denial of service attacks and targeted web app attacks while fending off adversarial bots, detecting client-side script attacks, and protecting your users' accounts from fraud. Additionally, a CDN can reduce the attack surface on websites, protect Domain Name Services, enhance website performance through caching and can decrease egress charges from cloud-hosted solutions.

Multi-Factor Authentication (MFA) - Multi-factor authentication is an authentication method requiring the user to provide two or more verification factors to gain access. Using MFA provides an additional layer of access protection.

Email Security Service or Solution - Comprehensive email security spans gateways, email systems, user behavior, content security, as well as support processes, services, and adjacent security architecture to identify, detect and protect your accounts from threats such as phishing attacks and data leaks.

Application Dependency and Performance Monitoring - A suite of tools including resource monitoring, identification of resource constraints, application discovery, tracing and diagnostics, and dependency modelling and visualization.

Business Continuity (backup, disaster recovery, data encryption) - A suite of tools and capabilities that help ensure data is not lost due to a security incident, intrusion, or natural disaster. This solution also aids with data security in transit and at rest via encryption.

Identity and Access Management - A framework of policies and technologies to identify a user and manage the relationship between the user and the resources they are allowed to access. Using an IdAM solution allows administrators to manage access through a single IdAM portal rather than logging into each application or resource to make changes.

Centralized Ticketing and Asset Management - Organizes tickets (requests) submitted via websites, apps, email, chat, phone, etc. into a single interface, centralizing communications and reducing redundancies. Ticketing software can also be integrated with other systems and used for the asset management lifecycle.

Private Access / Secure (Access) Service Edge - A network architecture technology that combines VPN and SD-WAN capabilities with cloud-native security functions such as secure web gateways, cloud access security brokers, firewalls, and zero-trust network access to deliver cloud computing directly to the source of connection rather than through a data center.

Security Event Information Management - Real-time analysis of security alerts generated by applications and network hardware. Provides the capability to efficiently collect and analyze log data from multiple digital assets in one place to facilitate threat detection, analysis and response.

Governance, Risk and Compliance (GRC) Tool - Along with processes, GRC software unifies an agency's strategy of governance, risk management and compliance and can be used to facilitate risk assessments.

Investigation, Visualization and Reporting Tool - Software(s) used to provide a visual representation of an event, data, or an architecture within an organization with the capability to export and/or present the findings to a larger audience.

Vulnerability Assessment and Management Tool - Software with the capability to manage the ongoing process of identifying, assessing, reporting on, managing, and remediating cyber vulnerabilities across endpoints and systems.

*Identifies the tools or capabilities currently integrated with the State Cybersecurity Operations Center and are offered as ready to deploy solutions through the Florida Cybersecurity Grant Program

Florida Digital Service
2555 Shumard Oaks Blvd
Tallahassee, FL 32399

Department of MANAGEMENT SERVICES
We serve those who serve Florida
4050 Esplanade Way
Tallahassee, FL 32399-0950
850-488-2786
Ron DeSantis, Governor
Pedro Allende, Secretary

GRANT AGREEMENT FOR LOCAL GOVERNMENT CYBERSECURITY GRANT PROGRAM
CONTRACT NO: DMS-22/23-XXX
CATALOG OF STATE FINANCIAL ASSISTANCE NUMBER: 72.009
BETWEEN THE STATE OF FLORIDA DEPARTMENT OF MANAGEMENT SERVICES AND MUNICIPALITY/COUNTY OF

GRANT AGREEMENT

This Grant Agreement (Agreement) is made and entered into by and between the Department of Management Services (Department), an agency of the State of Florida (State), and the Municipality/County of (Grantee) and is effective as of the date last signed. The Department and the Grantee are sometimes referred to herein individually as a "Party" or collectively as the "Parties."

THIS AGREEMENT IS ENTERED INTO BASED ON THE FOLLOWING REPRESENTATIONS:

WHEREAS, the Department, through the Florida Digital Service (FL[DS]), has the authority, pursuant to Chapter 2022-156, Laws of Florida, Specific Appropriation 2944A, to award grants to the Grantee for cybersecurity technical assistance; and

WHEREAS, the Grantee represents that it is fully qualified and eligible to receive the grant identified herein in accordance with the terms and conditions hereinafter set forth.

NOW THEREFORE, the Department and the Grantee do mutually agree as follows:

A. Deliverables and Performance Requirements: In accordance with Chapter 2022-156, Laws of Florida, Specific Appropriation 2944A, the Grantee shall utilize the granted cybersecurity technical assistance.
The Grantee shall provide the deliverables specified herein in accordance with the terms and conditions of this Agreement, including its attachments and exhibits.

B. Agreement Period: The performance period for this Agreement begins upon execution and ends upon the expiration of the applicable cybersecurity technical assistance services or commodities awarded, or in accordance with the final implementation plan(s), unless terminated earlier in accordance with the terms of this Agreement. No renewals or extensions of the Agreement are permitted.

C. Agreement Documents and Amendments Thereto.

1. Agreement Documents. "Agreement" means this Grant Agreement and all incorporated attachments, exhibits, and schedules, which set forth the entire understanding of the Parties and supersede any and all prior agreements and understandings related to the subject matter thereof. All attachments, exhibits, and schedules listed below are incorporated in their entirety into, and will form part of, this Agreement. In the event of a conflict, the following order of precedence shall apply:
a. This Grant Agreement
b. Attachment A — Statement of Work
c. Attachment B — Audit Requirements for Awards of State and Federal Financial Assistance, including its Exhibit 1
d. Grantee Data Sharing Agreement ("DSA")
e. Final Implementation Plan(s)
f. Attachment C — Application of Grantee

2. Counterparts. This Agreement may be executed in any number of counterparts, all of which taken together shall constitute one (1) single agreement between the Parties.

3. Survivability. This Agreement and any and all promises, covenants, and representations made herein are binding upon the Parties hereto and any and all respective heirs, assigns, and successors in interest.
The respective obligations of the Parties, which by their nature would continue beyond the termination or expiration of this Contract, including without limitation, the obligations regarding confidentiality, proprietary interests, and public records, shall survive termination or expiration of this Agreement.

4. Severability. If a court of competent jurisdiction deems any term or condition of this Agreement void or unenforceable, the other provisions are severable to that void provision, and will remain in full force and effect. However, to the fullest extent permitted by law, this Contract shall be construed as if the scope or duration of such provision had been more narrowly drafted so as not to be invalid or unenforceable.

5. Amendments. This Agreement may only be modified or amended by a written agreement duly executed by the Parties.

D. Notices and Primary Contacts:

1. Notices. The Parties shall use the contact information provided in Section D.2., Primary Contacts, below, for all communications and notices under this Agreement. Where the term "written notice" is used to specify a notice requirement herein, said notice will be deemed to have been given (i) when personally delivered; (ii) when transmitted via facsimile (with confirmation of receipt) or email (with confirmation of receipt), provided the sender on the same day sends a confirming copy of such notice by a recognized delivery service (charges prepaid); (iii) the day immediately following the day (except if not a Business Day then the next Business Day) on which the notice or communication has been provided prepaid by the sender to a recognized overnight delivery service; or (iv) on the date actually received except where there is a date of the certification of receipt.

2. Primary Contacts.
a. Department's Grant Manager (see section 215.971, F.S.).
Karen Milicic Florida Digital Service Department of Management Services 2555 Shumard Oaks Blvd Tallahassee, Florida 32399 Telephone: (850) 413-0604 Email: CybersecurityGrants@digital.fl.gov b. Grantee's Grant Manager [Name] [City/County of XXX] [XXX Street] XXX, Florida XXXXX Telephone: (XXX) XXX-XXXX Email: XX@XXX.com 3. Changes in Primary Contacts. Either Party may provide notice to the other Party by email identifying a change of a designated primary contact and providing the new contact information for the newly designated primary contact. Such notice must be sent to the other Party's Grant Manager and is sufficient to effectuate this change without requiring a written amendment to this Agreement. E. Payment, Funding, and Award Considerations: 1. Services, Licenses, or Commodities. The Grantee agrees to implement commodities or services awarded according to the Final Implementation Plan(s) as executed by the Parties. All use of the items described above are subject to the terms and conditions of the DSA and applicable riders attached thereto. 2. State Financial Assistance. In accordance with section 215.971 (1), Florida Statutes (F.S.), the Grantee may utilize any provided commodities or services only in accordance with this Agreement. 3. Payment Process. The Department agrees to purchase all commodities or services awarded to the Grantee on behalf of the Grantee. F. Compliance with Law: 1. Applicable Law. The Parties shall comply with the applicable state and federal laws, rules, regulations, and policies, including, but not limited to, those identified in this Agreement. 2. Governing Law. The Grantee agrees that this Agreement is entered into in the State of Florida, and shall be construed, performed, and enforced in all respects in accordance with the laws, rules, and regulations of the State. Each Party shall perform its obligations herein in accordance with the terms and conditions of this Agreement. 
Without limiting the provisions of Section R, Dispute Resolution, the exclusive venue of any legal or equitable action that arises out of or relates to the Agreement shall be the appropriate State court in Leon County, Florida; in any such action, the Parties waive any right to jury trial. 3. Ethics. The Grantee shall comply with the requirements of sections 11.062 and 216.347, F.S. The Grantee shall not, in connection with this or any other agreement with the State, directly or indirectly: a. offer, confer, or agree to confer any pecuniary benefit on anyone as consideration for any State officer or employee's decision, opinion, recommendation, vote, other exercise of discretion, or violation of a known legal duty; or b. offer, give, or agree to give to anyone any gratuity for the benefit of, or at the direction or request of, any State officer or employee. For purposes of this subsection b, "gratuity" means any payment of more than nominal monetary value in the form of cash, travel, entertainment, gifts, meals, lodging, loans, subscriptions, advances, deposits of money, services, employment, or contracts of any kind. Upon request of the Department's Inspector General, or other authorized State official, the Grantee shall provide any type of information the Inspector General deems relevant to the Grantee's integrity or responsibility. Such information may include, but shall not be limited to, the Grantee's business or financial records, documents, or files of any type or form that refer to or relate to this Agreement. The Grantee shall retain such records in accordance with the record retention requirements of Part V of Attachment B, Audit Requirements for Awards of State and Federal Financial Assistance. 3. Advertising. 
Subject to Chapter 119, F.S., the Grantee shall not publicly disseminate any information concerning this Agreement without prior written approval from the Department, including, but not limited to, mentioning this Agreement in a press release or other promotional material, identifying the Department or the State as a reference, or otherwise linking the Grantee's name and either a description of the Agreement or the name of the Department or the State in any material published, either in print or electronically, to any entity that is not a Party to this Agreement, except potential or actual authorized distributors, dealers, resellers, or service representatives. 4. Conflict of Interest. This Agreement is subject to Chapter 112, F.S. The Grantee shall disclose the name of any officer, director, employee, or other agent who is also an employee of the State. The Grantee shall also disclose the name of any State employee who owns, directly or indirectly, more than a five percent (5%) interest in the Grantee or its affiliates. 5. Records Retention. The Grantee shall retain all records made or received in conjunction with the Agreement for the longer of five (5) years after the end of the Agreement period and all pending matters or the period required by the General Records Schedules maintained by the Florida Department of State (available at: https://dos.myflorida.com/media/703328/gs1-s1-2020.pdf). If the Grantee's record retention requirements terminate prior to the requirements stated herein, the Grantee may meet the Department's record retention requirements for this Agreement by transferring its records to the Department at that time, and by destroying duplicate records in accordance with section 501.171, F.S., and, if applicable, section 119.0701, F.S. 
The Grantee shall adhere to established information destruction standards such as those established by the National Institute of Standards and Technology Special Publication 800-88, "Guidelines for Media Sanitization" (2014). See https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf. 6. MyFloridaMarketPlace (MFMP). Disbursements under this Agreement are disbursements of State financial assistance to a recipient as defined in section 215.97, F.S., and are exempt from the MFMP Transaction Fee pursuant to Rule 60A-1.031(6)(d), F.A.C. The Department, on behalf of the Grantee, will process payments for commodities or services awarded through MFMP. G. Recoupment of Funds: 1. Notwithstanding the damages limitations of Section T, Limitation of Liability, if the Grantee's non-compliance with any provision of the Agreement results in additional costs or monetary loss to the Department or the State, the Department can recoup the costs or losses from monies owed to the Grantee under this Agreement or any other agreement between the Grantee and any State entity. In the event that the discovery of additional costs or losses arises when no monies are available under this Agreement or any other agreement between the Grantee and any State entity, the Grantee shall repay such costs or losses to the Department in full within thirty (30) days from the date of discovery or notification, unless the Department agrees, in writing, to an alternative timeframe. H. Audits and Records: 1. Representatives of the Department, including the State's Chief Financial Officer, the State's Auditor General, and representatives of the federal government, shall have access to any of the Grantee's books, documents, papers, and records, including electronic storage media, as they may relate to this Agreement, for the purposes of conducting audits or examinations or making excerpts or transcriptions. 2. 
The Grantee shall maintain books, records, and documents in accordance with the generally accepted accounting principles to sufficiently and properly reflect all expenditures of funds provided by the Department under this Agreement. 3. The Grantee shall comply with all applicable requirements of section 215.97, F.S., and Attachment B, Audit Requirements for Awards of State and Federal Financial Assistance. If the Grantee is required to undergo an audit, the Grantee shall disclose all related party transactions to the auditor. 4. The Grantee shall retain all its records, financial records, supporting documents, statistical records, and any other documents, including electronic storage media, pertinent to this Agreement in accordance with the record retention requirements of Part V of Attachment B, Audit Requirements for Awards of State and Federal Financial Assistance. The Grantee shall cooperate with the Department to facilitate the duplication and transfer of such records or documents upon the Department's request. 5. The Grantee shall include records of the start and end dates for all tasks in the Final Implementation Plan(s). Additional requirements may be incorporated in the Final Implementation Plan(s). 6. The Grantee shall include the aforementioned audit and recordkeeping requirements in all approved subrecipient contracts and assignments. I. Public Records and Records Production: 1. Identification and Protection of Confidential Information. Article 1, section 24, Florida Constitution, guarantees every person access to all public records, and section 119.011, F.S., provides a broad definition of "public record." As such, records submitted to the Department (or any other State agency) are public records and are subject to disclosure unless exempt from disclosure by law. The following records for agencies, as "agency" is defined in section 119.011(2), F.S., are confidential and exempt pursuant to section 119.0725, F.S.: a. 
cybersecurity insurance limits and deductibles; b. information relating to critical infrastructure; c. incident reporting information pursuant to sections 282.318 and 282.3185, F.S.; d. network schematics; e. hardware and software configurations; and f. encryption information or information that identifies detection, investigation, or response practices for suspected or confirmed cybersecurity incidents, including suspected or confirmed breaches. If the Grantee considers any portion of other records it provides to the Department (or any other State agency) to be trade secret or otherwise confidential or exempt from disclosure under Florida or federal law, the Grantee shall mark the document as "confidential" and simultaneously provide the Department (or other State agency) with a separate, redacted copy of the record. Such records and those records made confidential and exempt pursuant to section 119.0725, F.S., shall be considered "Confidential Information." For each portion redacted, the Grantee shall describe in writing the grounds for claiming the exemption, including the specific statutory citation for such exemption. The Grantee shall only redact portions of records that it claims are Confidential Information. In the event of a request for public records pursuant to Chapter 119, F.S., the Florida Constitution, or other authority, to which records that are marked as "confidential" are responsive, the Department will provide the Grantee-redacted copy to the requestor. If a requestor asserts a right to the redacted Confidential Information, the Department will notify the Grantee such an assertion has been made. It is the Grantee's responsibility to take the appropriate legal action to assert that the information in question is exempt from disclosure under Chapter 119, F.S., or other applicable law. 
If the Department becomes subject to a demand for discovery or disclosure of documents that are marked as "confidential" in a legal proceeding, the Department will give the Grantee notice of the demand or request. The Grantee shall take the appropriate legal action in response to the demand and to defend its claims of confidentiality. If the Grantee fails to take appropriate and timely action to protect the records it has designated as Confidential Information, the Grantee agrees that the Department is permitted to treat those records as not confidential and the Department is permitted to provide the unredacted records to the requester and the Grantee agrees not to pursue any suit, action, or claim, including for damages, against the Department or its employees, attorneys, agents or volunteers. The Grantee shall protect, defend, and indemnify the Department from all suits, claims, actions, demands, liability, costs, fines, and attorneys' fees arising from or relating to the Grantee's determination that the redacted portions of its records are Confidential Information, including all costs, including attorney's fees, incurred regarding the entitlement or amount of such attorney's fees. If the Grantee fails to submit a redacted copy in accordance with this section, of information it claims is Confidential Information, the Department is authorized to produce the entire record submitted to the Department, including those records marked "confidential," in response to a public records request for, or demand for discovery or disclosure of, these records and the Grantee agrees not to pursue any suit, action, or claim, including for damages, against the Department or its employees, attorneys, agents, or volunteers. 2. Inspection of Records. 
In accordance with section 216.1366, F.S., the Department is authorized to inspect the: (a) financial records, papers, and documents of the Grantee that are directly related to the performance of this Agreement or the expenditure of State funds; and (b) programmatic records, papers, and documents of the Grantee which the Department determines are necessary to monitor the performance of this Agreement or to ensure that the terms of this Agreement are being met. The Grantee shall provide such records, papers, and documents requested by the Department within ten (10) Business Days after the request is made. J. Non-Discrimination: The Grantee shall not unlawfully discriminate against any individual employed in the performance of this Agreement due to race, religion, color, sex, physical handicap unrelated to such person's ability to engage in this work, national origin, ancestry, or age. The Grantee shall provide a harassment-free workplace, and any allegation of harassment shall be given priority attention and action. K. Duty of Continuing Disclosure of Legal Proceedings and Instances of Fraud: 1. The Grantee shall provide written notice to the Department disclosing any criminal litigation, investigation, or proceeding that arises during the Agreement period involving the Grantee, or, to the extent the Grantee is aware, any of the Grantee's subrecipients or contractors (or any of the foregoing entities' current officers or directors). The Grantee shall also provide written notice to the Department disclosing any civil litigation, arbitration, or proceeding that arises during the Agreement period, to which the Grantee (or, to the extent the Grantee is aware, any subrecipient or contractor hereunder) is a party, and which: a. might reasonably be expected to adversely affect the viability or financial stability of the Grantee or any subrecipient or contractor hereunder; or b. 
involves a claim or written allegation of fraud against the Grantee, or any subrecipient or contractor hereunder, by a governmental or public entity arising out of business dealings with governmental or public entities. All notices under this section must be provided to the Department within thirty (30) business days following the date that the Grantee first becomes aware of any such litigation, investigation, arbitration, or other proceeding (collectively, a "Proceeding"). Details of settlements that are prevented from disclosure by the terms of the settlement must be annotated as such. 2. This duty of disclosure applies to each officer and director of the Grantee, subrecipients, or contractors when any proceeding relates to the officer's or director's business or financial activities. 3. Instances of Grantee operational fraud or criminal activities, regardless of whether a legal proceeding has been initiated, shall be reported to the Department's Agreement Manager within twenty-four (24) hours of the Grantee being made aware of the incident. 4. The Grantee shall promptly notify the Department's Grant Manager of any Proceeding relating to or affecting the Grantee's, subrecipient's, or contractor's business. If the existence of such Proceeding causes the State to conclude that the Grantee's ability or willingness to perform the Agreement is jeopardized, the Grantee shall be required to provide the Department's Grant Manager all reasonable assurances requested by the Department to demonstrate that: a. the Grantee will be able to perform the Agreement in accordance with its terms and conditions; and b. the Grantee and/or its employees, agents, subrecipients, or contractor(s) have not and will not engage in conduct in performance under the Agreement that is similar in nature to the conduct alleged in such Proceeding. L. Assignments, Subgrants, and Contracts: 1. 
Unless otherwise specified in Attachment A, Statement of Work, or through prior written approval of the Department, the Grantee may not: 1) subgrant any of the funds provided to the Grantee by the Department under this Agreement; 2) contract its duties or responsibilities under this Agreement out to a third party; or 3) assign, transfer, or sell any of the Grantee's rights or responsibilities or granted commodities and services hereunder, unless specifically permitted by law to do so. Any such subgrant, contract, or assignment occurring without the prior approval of the Department shall be null and void. In the event the Department approves transfer of the Grantee's obligations, the Grantee remains responsible for all work performed and all expenses incurred in connection with the Agreement. In addition, this Agreement shall bind the successors, assigns, and legal representatives of the Grantee, and of any legal entity that succeeds the Grantee, to the Grantee's obligations to the Department. 2. The Grantee agrees to be responsible for all work performed in fulfilling the obligations of this Agreement. 3. The Grantee agrees that the Department may assign or transfer its rights, duties, or obligations under this Agreement to another governmental entity upon giving prior written notice to the Grantee. M. Insurance: The Grantee shall, at its sole expense, maintain insurance coverage of such types and with such terms and limits as may be reasonably associated with the Agreement. Adequate insurance coverage is a material obligation of the Grantee, and the failure to maintain such coverage may void the Agreement. The limits of coverage under each policy maintained by the Grantee shall not be interpreted as limiting the Grantee's liability and obligations under the Agreement. All insurance policies shall be through insurers authorized to write policies in the State. 
Upon request, the Grantee shall provide the Department written verification of the existence and amount for each type of applicable insurance coverage. Within thirty (30) days of the request, the Grantee shall furnish the Department proof of applicable insurance coverage by standard ACORD form certificates of insurance. In the event that any applicable coverage is cancelled by the insurer for any reason, the Grantee shall obtain adequate replacement coverage conforming to the requirements herein and provide proof of such replacement coverage to the Department upon request. The Department shall be exempt from, and in no way liable for, any sums of money representing a deductible in any insurance policy. The payment of such deductible shall be the sole responsibility of the Grantee. N. Intellectual Property Rights: Where activities supported by this Agreement result in the creation of intellectual property rights, the Grantee shall notify the Department, and the Department will determine whether the Grantee will be required to grant the Department a perpetual, irrevocable, royalty-free, nonexclusive license to use, and to authorize others to use for State government purposes, any resulting patented, copyrighted, or trademarked work products developed under this Agreement. O. Independent Contractor Status: It is mutually understood and agreed to that at all times during the Grantee's performance of its duties and responsibilities under this Agreement that Grantee is acting and performing as an independent contractor. The Department shall neither have nor exercise any control or direction over the methods by which the Grantee shall perform its work and functions other than as provided herein. Nothing in this Agreement is intended to or shall be deemed to constitute a partnership or joint venture between the Parties. 1. 
The Grantee (and its officers, agents, employees, subrecipients, contractors, or assignees), in performance of this Agreement, shall act in the capacity of an independent contractor and not as an officer, employee, or agent of the State. Further, unless specifically authorized to do so, the Grantee shall not represent to others that, as the Grantee, it has the authority to bind the Department or the State. 2. Unless the Grantee is a State agency, neither the Grantee nor its officers, agents, employees, subrecipients, contractors, or assignees, are entitled to State retirement or State leave benefits, or to any other compensation of State employment as a result of performing the duties and obligations of this Agreement. 3. The Grantee agrees to take such actions as may be necessary to ensure that each subrecipient or contractor will also be deemed to be an independent contractor and will not be considered or permitted to be an agent, servant, joint venturer, or partner of the State. 4. Unless agreed to by the Department in Attachment A, Statement of Work, the Department will not furnish services of support (e.g., office space, office supplies, telephone service, secretarial, clerical support, etc.) to the Grantee or its subrecipient, contractor, or assignee. 5. The Department shall not be responsible for withholding taxes with respect to the Grantee's compensation hereunder. The Grantee shall have no claim against the Department for vacation pay, sick leave, retirement benefits, social security, workers' compensation, health or disability benefits, reemployment assistance benefits, or employee benefits of any kind. The Grantee shall ensure that its employees, subrecipients, contractors, and other agents, receive benefits and necessary insurance (health, workers' compensation, reemployment assistance benefits) from an employer other than the State. 6. 
At all times during the Agreement period, the Grantee must comply with the reporting and Reemployment Assistance contribution payment requirements of chapter 443, F.S. P. Entire Agreement: This Agreement, including all referenced attachments and exhibits, embodies the entire agreement of the Parties. There are no other provisions, terms, conditions, or obligations. This Agreement supersedes all previous oral or written communications, representations, or agreements on this subject. Q. Termination: 1. Termination for Failure to Implement. If the Grantee does not execute a Final Implementation Plan within 30 calendar days of purchase order issuance for the awarded solutions, this Agreement may be terminated by the Department, at its sole discretion. 2. Termination Due to the Lack of Funds. If funds become unavailable for the Agreement's purpose, such event will not constitute a default by the Department or the State. The Department agrees to notify the Grantee in writing at the earliest possible time if funds are no longer available. In the event that any funding identified by the Grantee as funds to be provided for completion of the project as described herein becomes unavailable, including if any State funds upon which this Agreement depends are withdrawn or redirected, the Department may terminate this Agreement by providing written notice to the Grantee. The Department will be the final authority as to the availability of funds. 3. Termination for Cause. The Department may terminate the Agreement if the Grantee fails to: a. satisfactorily complete the deliverables within the time specified in the Agreement; b. maintain adequate progress, thus endangering performance of the Agreement; c. honor any term of the Agreement; or d. abide by any statutory, regulatory, or licensing requirement. The Grantee shall continue to perform any work not terminated. 
The Department's rights and remedies in this clause are in addition to any other rights and remedies provided by law or under the Agreement. The Grantee shall not be entitled to recover any cancellation charges or lost profits. 4. Termination for Convenience. The Department may terminate this Agreement, in whole or in part, by providing written notice to the Grantee that the Department determined, in its sole discretion, it is in the State's interest to do so. The Grantee shall not furnish any product or continue services after the specified termination date in the Department's notice of termination, except as necessary to complete the continued portion of the Agreement, if any. The Grantee will not be entitled to recover any cancellation charges or lost profits. 4. Grantee's Responsibilities upon Termination. If the Department provides a notice of termination to the Grantee, except as otherwise specified by the Department in that notice, the Grantee shall: a. Stop work under this Agreement on the date and to the extent specified in the notice. b. Complete performance of such part of the work that has not been terminated by the Department, if any. c. Take such action as may be necessary, or as the Department may specify, to protect and preserve any property which is in the possession and custody of the Grantee, and in which the Department has or may acquire an interest. d. Transfer, assign, and make available to the Department all property and materials belonging to the Department upon the effective date of termination of this Agreement. No extra compensation will be paid to the Grantee for its services in connection with such transfer or assignment. R. Dispute Resolution: Disputes concerning performance under the Agreement will be decided by the Department, who shall reduce the decision to writing and serve a copy to the Grantee. 
In the event a Party is dissatisfied with the dispute resolution decision, jurisdiction for any dispute arising under the terms of the Agreement will be in State courts, and the venue will be in the Second Judicial Circuit, in and for Leon County. Except as otherwise provided by law, the Parties agree to be responsible for their own attorney fees incurred in connection with disputes arising under the terms of this Agreement. S. Indemnification: 1. The Grantee shall be fully liable for the actions of its agents, employees, partners, subrecipients, or contractors and shall fully indemnify, defend, and hold harmless the State and the Department, and their officers, agents, and employees, from suits, actions, damages, and costs of every name and description, arising from or relating to personal injury and damage to real or personal tangible property alleged to be caused in whole or in part by the Grantee, its agents, employees, partners, subrecipients, or contractors provided, however, that the Grantee shall not indemnify for that portion of any loss or damages proximately caused by the negligent act or omission of the State or the Department. 2. Further, the Grantee shall fully indemnify, defend, and hold harmless the State and the Department from any suits, actions, damages, and costs of every name and description, including attorneys' fees, arising from or relating to violation or infringement of a trademark, copyright, patent, trade secret, or intellectual property right provided, however, that the foregoing obligation shall not apply to the Department's misuse or modification of the Grantee's products or the Department's operation or use of the Grantee's products in a manner not contemplated by the Agreement. The Department will not be liable for any royalties. 3. 
The Grantee shall not be liable for any cost, expense, or compromise incurred or made by the State or the Department in any legal action without the Grantee's prior written consent, which shall not be unreasonably withheld. 4. For the avoidance of doubt, as the Grantee is a subdivision, as defined in section 768.28(2), F.S., pursuant to section 768.28(19), F.S., neither Party indemnifies nor insures or assumes any liability to the other Party for the other Party's negligence. T. Limitation of Liability: Unless otherwise specifically enumerated in this Agreement, no Party shall be liable to the other Party for special, indirect, punitive, or consequential damages, including lost data or records (unless the Agreement requires the Grantee to back-up data or records), even if the Party has been advised that such damages are possible. No Party shall be liable to the other Party for lost profits, lost revenue, or lost institutional operating savings. The State and the Department may, in addition to other remedies available to them at law or in equity and upon notice to the Grantee, retain such monies from amounts due the Grantee as may be necessary to satisfy any claim for damages, penalties, costs, and the like asserted by or against them. Except as otherwise provided in this Agreement or the Data Sharing Agreement or its attachments or Riders, the Department is not liable for unauthorized access to information except as directly attributable to the actions of the Department. U. 
Force Majeure and Notice of Delay from Force Majeure: Neither Party shall be liable to the other for any delay or failure to perform under this Agreement if such delay or failure is neither the fault nor caused by the negligence of the Party or its employees or agents and the delay is due directly to acts of God, wars, acts of public enemies, strikes, fires, floods, or other similar cause wholly beyond the Party's control, or for any of the foregoing that affects subrecipients, contractors, or suppliers if no alternate source of supply is available. However, in the event a delay arises from the foregoing causes, the Party shall take all reasonable measures to mitigate any and all resulting damages, costs, delays, or disruptions to the project in accordance with the Party's performance requirements under this Agreement. In the case of any delay the Grantee believes is excusable under this section, the Grantee shall provide written notice to the Department describing the delay or potential delay and the cause of the delay within: ten (10) calendar days after the cause that creates or will create the delay first arose (if the Grantee could reasonably foresee that a delay could occur as a result); or five (5) calendar days after the date the Grantee first had reason to believe that a delay could result (if the delay is not reasonably foreseeable). THE FOREGOING SHALL CONSTITUTE THE GRANTEE'S SOLE REMEDY OR EXCUSE WITH RESPECT TO DELAY. Providing notice in strict accordance with this section is a condition precedent to such remedy. The Department, in its sole discretion, will determine if the delay is excusable under this section and will notify the Grantee of its decision in writing. The Grantee shall not assert a claim for damages, other than for an extension of time, against the Department. The Grantee will not be entitled to an increase in the Agreement price or payment of any kind from the Department for any reason. 
If performance is suspended or delayed, in whole or in part, due to any of the causes described in this section, after the causes have ceased to exist, the Grantee shall resume performance, unless the Department determines, in its sole discretion, that the delay will significantly impair the ability of the Grantee to timely complete its obligations under this Agreement, in which case, the Department may terminate the Agreement in whole or in part. V. Mandatory Disclosure Requirements: 1. Conflict of Interest. This Agreement is subject to Chapter 112, F.S. The Grantee shall disclose the name of any officer, director, employee, or other agent who is also an employee of the State. The Grantee shall also disclose the name of any State employee who owns, directly or indirectly, more than a five percent (5%) interest in the Grantee or its affiliates. 2. Convicted Vendor List. The Grantee has a continuous duty to disclose to the Department if the Grantee or any of its affiliates, as defined by section 287.133(1)(a), F.S., are placed on the convicted vendor list. Pursuant to section 287.133(2)(a), F.S.: "A person or affiliate who has been placed on the convicted vendor list following a conviction for a public entity crime may not submit a bid, proposal, or reply on a contract to provide any goods or services to a public entity; may not submit a bid, proposal, or reply on a contract with a public entity for the construction or repair of a public building or public work; may not submit bids, proposals, or replies on leases of real property to a public entity; may not be awarded or perform work as a contractor, supplier, subcontractor, or consultant under a contract with any public entity; and may not transact business with any public entity in excess of the threshold amount provided in s. 287.017, F.S., for CATEGORY TWO for a period of 36 months following the date of being placed on the convicted vendor list." 3. Discriminatory Vendor List. 
The Grantee has a continuous duty to disclose to the Department if the Grantee or any of its affiliates, as defined by section 287.134(1)(a), F.S., are placed on the discriminatory vendor list. Pursuant to section 287.134(2)(a), F.S.: "An entity or affiliate who has been placed on the discriminatory vendor list may not submit a bid, proposal, or reply on a contract to provide any goods or services to a public entity; may not submit a bid, proposal, or reply on a contract with a public entity for the construction or repair of a public building or public work; may not submit bids, proposals, or replies on leases of real property to a public entity; may not be awarded or perform work as a contractor, supplier, subcontractor, or consultant under a contract with any public entity; and may not transact business with any public entity." 4. Antitrust Violator Vendor List. The Grantee has a continuous duty to disclose to the Department if the Grantee or any of its affiliates, as defined by section 287.137(1)(a), F.S., are placed on the antitrust violator vendor list. Pursuant to section 287.137(2)(a), F.S.: "A person or an affiliate who has been placed on the antitrust violator vendor list following a conviction or being held civilly liable for an antitrust violation may not submit a bid, proposal, or reply for any new contract to provide any goods or services to a public entity; may not submit a bid, proposal, or reply for a new contract with a public entity for the construction or repair of a public building or public work; may not submit a bid, proposal, or reply on new leases of real property to a public entity; may not be awarded or perform work as a contractor, supplier, subcontractor, or consultant under a new contract with a public entity; and may not transact new business with a public entity." 5. Foreign Gifts and Contracts. The Grantee shall comply with any applicable disclosure requirements in section 286.101, F.S.
Pursuant to section 268.101(7), F.S.: "In addition to any fine assessed under [section 286.101(7)(a), F.S.], a final order determining a third or subsequent violation by an entity other than a state agency or political subdivision shall automatically disqualify the entity from eligibility for any grant or contract funded by a state agency or any political subdivision until such ineligibility is lifted by the Administration Commission for good cause." IN WITNESS WHEREOF, the Parties agree to the terms and conditions of this Agreement and have duly authorized their respective representatives to sign it on the dates indicated below.

Grantee:
By:
Name:
Title:
Date:

Department of Management Services:
By:
Name:
Title:
Date:

ATTACHMENT A STATEMENT OF WORK 1. Scope of Work. Pursuant to Chapter 2022-156, Laws of Florida, Specific Appropriation 2944A, the Grantee is being granted assistance in the form of services, licenses, or commodities to enhance its cybersecurity framework, to identify and mitigate risks, and to protect its infrastructure from threats through Florida's Local Government Cybersecurity Grant Program (the "Project"). The Florida Local Government Cybersecurity Grant is a competitive grant program to provide funding for cybersecurity technical assistance to local Florida governments to enhance their cybersecurity capabilities. 2. Grantee Responsibilities. The Grantee shall complete the Project in accordance with the requirements set forth in this Agreement and any applicable local, State, and federal laws and regulations. 3. Department Responsibilities. The Department shall review Grantee reports and other records and reconcile them to ensure that the requirements of section 215.971, F.S., pertaining to agreements funded with State financial assistance are fulfilled. 4. Deliverables. The Grantee shall complete the following deliverable(s):

Deliverables

No. 1
Tasks:
• Data Sharing Agreement
• Warranties and Commitments
• The Incident Response Rider
• The Software Response Rider
• Grant Agreement
Performance Measures and Due Dates: The Grantee must complete the signed agreements with FL[DS] within 30 calendar days of award.

No. 2
Tasks: Grantees shall execute Final Implementation Plan(s) for solutions awarded
Performance Measures and Due Dates: Grantees must coordinate with the solution provider(s) to execute Final Implementation Plan(s) within 30 calendar days of award.

No. 3
Tasks: Complete all tasks in accordance with the Final Implementation Plan(s)
Performance Measures and Due Dates: Grantee shall provide all necessary resources to execute tasks in the Final Implementation Plan(s).

TOTAL REIMBURSABLE AMOUNT NOT TO EXCEED $XXX.XX

5. Reporting Requirements. The Grantee shall confirm implementation completion to the Department's Grant Manager. The Department may request status meetings for the Grantee to report on the implementation status, as necessary, with the Grantee's Grant Manager. The Department may, at its sole discretion, develop a format and deadlines the Grantee must comply with when reporting the information above. The Grantee's failure to confirm completion of the Final Implementation Plan(s) or comply with the reporting format and schedule may result in termination of the awarded solutions. 6. Performance Standards. The Grantee shall perform all tasks and provide deliverables as set forth in this Agreement. The Department is entitled at all times, upon request, to be advised as to the status of work being done by the Grantee and the details thereof. If the Department determines that there is a performance deficiency that requires correction by the Grantee, then the Department shall notify the Grantee. The Grantee shall make the correction within a timeframe specified by the Department. The Grantee shall provide the Department with a corrective action plan describing how the Grantee will address all performance deficiencies identified by the Department.
If the corrective action plan is unacceptable to, or implementation of the plan fails to remedy the performance deficiencies, the Grantee shall work cooperatively with the Department to modify the corrective action plan or to remedy the deficiencies. Additionally, if a performance deficiency is attributable to the performance of a contractor or subcontractor of the Grantee, the Grantee shall take all actions available to it to enforce financial consequences in its contract with the contractor or subcontractor or to pursue damages. 7. Financial Consequences for Failure to Timely and Satisfactorily Perform. Violations of this Agreement or applicable licenses, or failure to provide the deliverables, shall result, except as detailed above, in termination of access to awarded solutions and require immediate removal of all software, hardware, or related services. Grantee may be subject to financial assessments related to such violations. This provision for financial consequences shall not affect the Department's right to terminate the Agreement as provided elsewhere in the Agreement. ATTACHMENT B Department of Financial Services Division of Accounting and Auditing — Bureau of Auditing AUDIT REQUIREMENTS FOR AWARDS OF STATE AND FEDERAL FINANCIAL ASSISTANCE The administration of resources awarded by the Department of Management Services (Department) to the Grantee may be subject to audits and/or monitoring by the Department, as described in this section. MONITORING In addition to reviews of audits conducted in accordance with 2 CFR 200, Subpart F - Audit Requirements, and section 215.97, Florida Statutes (F.S.), as revised (see AUDITS below), monitoring procedures may include, but not be limited to, on-site visits by Department staff, limited scope audits as defined by 2 CFR §200.425, or other procedures.
By entering into this agreement, the Grantee agrees to comply and cooperate with any monitoring procedures or processes deemed appropriate by the Department. In the event the Department determines that a limited scope audit of the Grantee is appropriate, the Grantee agrees to comply with any additional instructions provided by Department staff to the Grantee regarding such audit. The Grantee further agrees to comply and cooperate with any inspections, reviews, investigations, or audits deemed necessary by the Chief Financial Officer (CFO) or Auditor General. AUDITS Part I: Federally Funded This part is applicable if the Grantee is a state or local government or a nonprofit organization as defined in 2 CFR §200.90, §200.64, and §200.70. 1. A Grantee that expends $750,000 or more in federal awards in its fiscal year must have a single or program-specific audit conducted in accordance with the provisions of 2 CFR 200, Subpart F - Audit Requirements. EXHIBIT 1 to this form lists the federal resources awarded through the Department by this agreement. In determining the federal awards expended in its fiscal year, the Grantee shall consider all sources of federal awards, including federal resources received from the Department. The determination of amounts of federal awards expended should be in accordance with the guidelines established in 2 CFR §§200.502-503. An audit of the Grantee conducted by the Auditor General in accordance with the provisions of 2 CFR §200.514 will meet the requirements of this Part. 2. For the audit requirements addressed in Part I, paragraph 1, the Grantee shall fulfill the requirements relative to auditee responsibilities as provided in 2 CFR §§200.508-512. 3. A Grantee that expends less than $750,000 in federal awards in its fiscal year is not required to have an audit conducted in accordance with the provisions of 2 CFR 200, Subpart F - Audit Requirements.
If the Grantee expends less than $750,000 in federal awards in its fiscal year and elects to have an audit conducted in accordance with the provisions of 2 CFR 200, Subpart F - Audit Requirements, the cost of the audit must be paid from non-federal resources (i.e., the cost of such an audit must be paid from Grantee resources obtained from other than federal entities). DFS-A2-CL Rev. 11/18 Rule 69I-5.006, F.A.C. Part II: State Funded 1. In the event that the Grantee expends a total amount of state financial assistance equal to or in excess of $750,000 in any fiscal year of such Grantee (for fiscal years ending June 30, 2017, and thereafter), the Grantee must have a state single or project-specific audit for such fiscal year in accordance with section 215.97, F.S.; Rule Chapter 69I-5, F.A.C., State Financial Assistance; and Chapters 10.550 (local governmental entities) and 10.650 (nonprofit and for-profit organizations), Rules of the Auditor General. EXHIBIT 1 to this form lists the state financial assistance awarded through the Department by this agreement. In determining the state financial assistance expended in its fiscal year, the Grantee shall consider all sources of state financial assistance, including state financial assistance received from the Department, other state agencies, and other nonstate entities. State financial assistance does not include federal direct or pass-through awards and resources received by a nonstate entity for federal program matching requirements. 2. For the audit requirements addressed in Part II, paragraph 1, the Grantee shall ensure that the audit complies with the requirements of section 215.97(8), F.S. This includes submission of a financial reporting package as defined by section 215.97(2), F.S., and Chapters 10.550 (local governmental entities) and 10.650 (nonprofit and for-profit organizations), Rules of the Auditor General. 3.
If the Grantee expends less than $750,000 in state financial assistance in its fiscal year (for fiscal years ending June 30, 2017, and thereafter), an audit conducted in accordance with the provisions of section 215.97, F.S., is not required. If the Grantee expends less than $750,000 in state financial assistance in its fiscal year and elects to have an audit conducted in accordance with the provisions of section 215.97, F.S., the cost of the audit must be paid from the nonstate entity's resources (i.e., the cost of such an audit must be paid from the Grantee's resources obtained from other than state entities). Part III: Other Audit Requirements N/A Part IV: Report Submission 1. Copies of reporting packages for audits conducted in accordance with 2 CFR 200, Subpart F - Audit Requirements, and required by Part I of this form shall be submitted, when required by 2 CFR §200.512, by or on behalf of the Grantee directly to the Federal Audit Clearinghouse (FAC) as provided in 2 CFR §200.36 and §200.512. The FAC's website provides a data entry system and required forms for submitting the single audit reporting package. Updates to the location of the FAC and data entry system may be found at the OMB website. 2. Copies of financial reporting packages required by Part II of this form shall be submitted by or on behalf of the Grantee directly to each of the following: The Department at each of the following addresses: Electronic copies (preferred): Cybersecuritygrants@digital.fl.gov or Paper copies: Grant Manager Florida Digital Service Department of Management Services 2555 Shumard Oaks Blvd, Suite 200
Tallahassee, Florida 32399 Email: Cybersecuritygrants@digital.fl.gov The Auditor General's Office at the following address: Auditor General Local Government Audits/342 Claude Pepper Building, Room 401 111 West Madison Street Tallahassee, Florida 32399-1450 The Auditor General's website (https://flauditor.gov/) provides instructions for filing an electronic copy of a financial reporting package. 3. Any reports, management letters, or other information required to be submitted to the Department pursuant to this agreement shall be submitted timely in accordance with 2 CFR §200.512, section 215.97, F.S., and Chapters 10.550 (local governmental entities) and 10.650 (nonprofit and for-profit organizations), Rules of the Auditor General, as applicable. 4. Grantees, when submitting financial reporting packages to the Department for audits done in accordance with 2 CFR 200, Subpart F - Audit Requirements, or Chapters 10.550 (local governmental entities) and 10.650 (nonprofit and for-profit organizations), Rules of the Auditor General, should indicate the date that the reporting package was delivered to the Grantee in correspondence accompanying the reporting package. Part V: Record Retention The Grantee shall retain sufficient records demonstrating its compliance with the terms of the award(s) and this agreement for a period of five (5) years from the date the audit report is issued, and shall allow the Department, or its designee, the CFO, or Auditor General access to such records upon request. The Grantee shall ensure that audit working papers are made available to the Department, or its designee, the CFO, or Auditor General upon request for a period of five (5) years from the date the audit report is issued, unless extended in writing by the Department.
EXHIBIT 1 Federal Resources Awarded to the Grantee Pursuant to this Agreement Consist of the Following: 1. Federal Program A: N/A 2. Federal Program B: N/A Compliance Requirements Applicable to the Federal Resources Awarded Pursuant to this Agreement are as Follows: 1. Federal Program A: N/A 2. Federal Program B: N/A State Resources Awarded to the Grantee Pursuant to this Agreement Consist of the Following: Matching Resources for Federal Programs: 1. Federal Program A: N/A 2. Federal Program B: N/A Subject to Section 215.97, F.S.: 1. State Project A: Cybersecurity Technical Assistance Grants State Awarding Agency: Florida Department of Management Services Catalog of State Financial Assistance Title and Number: 72.009 Amount: $XXX 2. State Project B: N/A Compliance Requirements Applicable to State Resources Awarded Pursuant to this Agreement Are as Follows: The compliance requirements are as stated in Grant Agreement No. DMS-22/23-XXX between the Grantee and the Department, entered in State fiscal year 2022-23. This sample agreement is not required for submission with your grant application. A data sharing agreement will need to be executed within 30 days of award. Grantee Data Sharing Agreement between Florida Department of Management Services and GRANTEE This Data Sharing Agreement ("DSA") is between the Florida Department of Management Services, on behalf of the Florida Digital Service ("FLDS"), and the GRANTEE ("Grantee"). FLDS and Grantee are referred to herein individually as a "Party" or collectively as the "Parties." Purposes FLDS and Grantee enter into this DSA in accordance with the Program.
Grantee desires to utilize software licenses, applications, and solutions, as applicable, in connection with one or more projects (the "Projects") as described in one or more riders attached hereto (the "Project Rider" or collectively the "Project Riders"). This DSA describes the terms and conditions for the use of software licenses, applications, and solutions and protection of Covered Data, including requirements to safeguard the availability, confidentiality, and integrity of Covered Data in furtherance of the security objectives of Chapter 282, F.S. I. Definitions A. Access — The authorization to inspect, review, transmit, duplicate, communicate with, retrieve data from, or otherwise make use of any Covered Data, regardless of type, form, or nature of storage. "Access" to a computer system or network includes local and remote access, as applicable. B. DSA Coordinators — The individuals appointed by the signatories to this DSA as the point of contact for this DSA, who are responsible for ensuring that the Authorized Users comply with the activities identified herein. C. Authorized Purpose — The purpose(s) for which an Authorized Third Party may access, use, or disclose the Covered Data. D. Authorized Third Party — An individual, state agency, other Florida state or local governmental entity, or a private sector contractor or service provider of the Grantee which receives Covered Data. E. Authorized User — An individual granted Access or to use Software Entitlement by either FLDS or Grantee. F. Covered Data — The limited subset of security data that is derived from Grantee's use of any Software Entitlements as defined in the attached Rider(s); a Grantee's confidential or
proprietary information; and personal information as defined under section 501.171, F.S., and any other applicable privacy or data breach notification laws as may exist. G. Data Breach — Either (1) any unauthorized access to, or use or disclosure of, Covered Data for any purpose other than as expressly permitted by this DSA or required by law; or (2) a breach of privacy or of the security of the Covered Data. Good faith access of data by an employee or agent of the Grantee does not constitute a breach of security, provided that the information is not used for a purpose unrelated to the business or subject to further unauthorized use. H. County and Municipality Cybersecurity Resiliency Program ("the Program") — refers to the Program established by the 2021-2022 General Appropriations Act to enhance county and municipal cybersecurity and protect the infrastructure of local governments from threats. I. HIPAA - Health Insurance Portability and Accountability Act of 1996. J. Information Technology (IT) Coordinators — The individuals appointed by the signatories to this DSA as responsible for data flow and other technology-related considerations under this DSA. K. Information Technology Resources — As defined in section 282.0041, Florida Statutes, the data processing hardware and software and services, communications, supplies, personnel, facility resources, maintenance, and training. As used in this DSA, the term also includes the definition for "Information Technology," as defined in section 282.0041, Florida Statutes, to add equipment, hardware, software, firmware, programs, systems, networks, infrastructure, media, and related material used to automatically, electronically, and wirelessly collect, receive, access, transmit, display, store, record, retrieve, analyze, evaluate, process, classify, manipulate, manage, assimilate, control, communicate, exchange, convert, converge, interface, switch, or disseminate information of any kind or form. L.
Software Entitlement — Proprietary software provided under this DSA and identified in the Project Rider. II. Responsibilities of the Parties A. Data Transmission. Covered Data shall only be transmitted through secure file transfer protocol or other secure transmission methods utilizing a National Institute of Standards and Technology approved means of electronic encryption as well as password protection and in a file format and layout determined by FLDS. Covered Data shall not be transmitted via any other means, including electronic mail. If applicable to any transmission of the Covered Data, both transmitting and receiving Grantee shall completely and permanently remove Covered Data from any temporary transfer location within twenty-four (24) hours of receipt of the Covered Data. B. Compliance with Applicable Laws. Each Party covenants and agrees that, in the performance of this DSA, it shall comply with all applicable federal, state, and local laws, statutes, and regulations including, but not limited to, such laws set forth in Article VI as applicable to a Project and such other data privacy or security laws, all as they exist now and as they may be amended from time to time ("Applicable Laws"). In the event of any notice of a material violation of Applicable Laws, or an investigation into an alleged material violation, the affected Party shall promptly notify the other in writing of such notice. C. Compliance with Information Security Standards. Each Party covenants and agrees to comply with Rule Chapter 60GG-2, Florida Administrative Code ("Security Standards"), with respect to its obligations under this DSA.
Grantee shall implement the Security Standards with respect to its obligations under this DSA as an "Agency," regardless of whether they meet the definition of "Agency" in Rule Chapter 60GG-2, Florida Administrative Code. FLDS, Grantee, and Authorized Third Parties shall implement reasonable and appropriate administrative, technical, and physical safeguards to maintain the security and protect the confidentiality, integrity, and availability of Access. Grantee shall instruct all its Authorized Users with the opportunity for Access on the safeguards and requirements of the DSA and all applicable federal and state requirements. D. HIPAA Business Associate Agreement. To the extent that a Party is acting as a Business Associate (as defined by HIPAA) of the other Party, the Parties further agree to enter into a Business Associate Agreement as necessary, in the form of a mutually agreed-upon appendix to the DSA. E. Incorporation and Compliance with Exhibits, Appendices and Riders, if Applicable. The Project Riders, and any exhibits or appendices to this DSA are hereby incorporated and made a part hereof and are an integral part of this DSA. Each Rider, Exhibit, and Appendix attached hereto or referred to herein are hereby incorporated in and made a part of this DSA as if set forth in full herein. III. FLDS Role and Responsibilities A. FLDS is responsible for: 1. Processing Covered Data in accordance with the State Cybersecurity Act; 2. Facilitating data sharing with the Grantee and/or an Authorized Third Party in accordance with this DSA; 3. Providing the Grantee with the option to utilize Software Entitlements; and 4. Protecting the integrity of Covered Data obtained by FLDS through Grantee's use of any of the Software Entitlements. FLDS will not disclose this Covered Data to any third party unless required by law or as otherwise authorized by Grantee.
B. FLDS will only access, use, or disclose Covered Data, as permitted by Grantee, as required by Applicable Law, or as necessary for completion of its responsibilities under this DSA, including any Project Riders. FLDS will ensure that its Authorized Users only access, use, or disclose Covered Data, as permitted by Grantee, as required by Applicable Law, or as necessary for completion of its responsibilities for any Projects, as assigned by FLDS. C. FLDS will exercise reasonable care and no less than the same degree of care FLDS uses to protect its own confidential information to prevent confidential information from being used in a manner that is not expressly a purpose authorized in this DSA or as required by Applicable Law. IV. Grantee's Role and Responsibilities A. Covered Data is and shall remain the property of Grantee. B. Grantee is solely responsible for its Access to and use of Software Entitlements and Covered Data, including: 1. Ensuring a level of security appropriate to the risk in respect of Covered Data; 2. Securing Grantee's and its Authorized Users' systems and devices that can Access FLDS systems and Software Entitlements and complying with the Security Standards; 3. Selecting and/or ensuring that Grantee has selected its Authorized Users; activating and deactivating the Access, credentials, and privileges of its Authorized Users; and managing access controls to the FLDS system and Software Entitlements in a timely manner in accordance with the Security Standards; 4. Securing the account authentication credentials, systems, and devices of Grantee personnel who the Grantee designates to be Authorized Users; 5. Managing the compliance of its Authorized Users with the Grantee's established security measures and as required by Applicable Law; 6. Maintaining audit logs, as deemed necessary by the Grantee to demonstrate compliance with its obligations under this DSA; 7.
Backing up Covered Data, if required by law or Grantee policy; and 8. Ensuring that it and its Authorized Users remain in compliance with the terms and conditions of any Software Entitlements. C. FLDS is not responsible for, and has no obligation for: 1. Selecting or verifying Grantee's Authorized Users, activating or deactivating the Access or credentials of Authorized Users; or 2. Protecting Covered Data that Grantee elects to store or transfer outside of FLDS's and its sub-processors' systems (for example, offline or on-premises storage). V. Unauthorized Disclosure/Data Breach A. In the event of a Data Breach of the Covered Data while in Grantee's (or an Authorized Third Party's) custody or control or as a result of Grantee's (or an Authorized Third Party's) access to or use of the Covered Data, which requires the provision of notice in accordance with section 501.171, F.S., or other Applicable Law (including, but not limited to, HIPAA), the Parties agree as follows: 1. Grantee shall notify FLDS of the Data Breach not more than 24 hours after discovery that a Data Breach has occurred or is reasonably likely to have occurred. 2. Grantee (or its Authorized Third Party) shall be responsible for all costs related to the Data Breach including FLDS' and/or Grantee's (or an Authorized Third Party's) costs of complying with all legal requirements, including the requirements for Data Breach notification under Applicable Law, as well as defending any claims, actions, or lawsuits related thereto. 3. If a Data Breach is subject to the notice provisions of section 501.171, F.S., or Applicable Law, the Parties agree to cooperate and work together to ensure full legal compliance and to provide breach notification to the extent required by Applicable Law.
Grantee shall use its best and diligent efforts to identify the individuals entitled to receive notice of the Data Breach and obtain the names and mailing information of such individuals, so that FLDS and/or Grantee are able to distribute the notices within the legally required time periods. FLDS and/or Grantee, as applicable, shall bear its internal administrative and other costs incurred in identifying the affected individuals and their mailing information. 4. In the event of a Data Breach, including the privacy or security of the Covered Data, while in the custody or control of the Grantee, if the Grantee must provide notice as a result of the requirements contained in section 501.171, F.S., or other Applicable Law, the Grantee shall submit a draft of the notice to FLDS for prior review and approval of the contents of the notice, prior to disseminating the notice. Such approval shall not be unreasonably delayed or withheld. B. If Grantee experiences a breach of the security of its systems that results in a breach of the security of FLDS's systems ("FLDS Breach"), Grantee shall be responsible for all costs related to the FLDS Breach including FLDS's costs of complying with all legal requirements, including any costs for data breach notification under section 501.171, F.S., or Applicable Law, as well as defending any claims, actions, or lawsuits against the FLDS related thereto. Grantee, at its own expense, shall cooperate fully with FLDS in the investigation, eradication, remediation, and recovery from the FLDS Breach. C. If FLDS experiences a breach of the security of its systems that results in a breach of the security of Grantee's systems ("Grantee Breach"), FLDS shall be responsible for all costs related to the Grantee Breach including Grantee's costs of complying with all legal
requirements, including the requirements for data breach notification under section 501.171, F.S., or Applicable Law, as well as defending any claims, actions or lawsuits related thereto. FLDS, at its own expense, shall cooperate fully with Grantee in the investigation, eradication, remediation, and recovery from the Grantee Breach. D. If either FLDS or Grantee is obligated under this Section to pay costs incurred by the other Party, the Party required to pay such costs shall submit a draft of the legal notifications and other public communications to the other Party for prompt review and approval of the contents prior to disseminating the notification or communication. Such approval shall not be unreasonably delayed or withheld. E. The Parties understand and agree the provisions of this DSA relating to the protection and security of the Covered Data constitute a material condition of this DSA. VI. Additional Terms Applicable to Certain Circumstances. A. The Parties shall define the type of Covered Data to be utilized in connection with each Project as set forth in the attached Project Rider(s). Such Covered Data may include confidential or sensitive information that is subject to additional confidentiality or security requirements as set forth in this Article VI and such Project Rider. In the event of a conflict between the terms and conditions of this Article VI and the remainder of the DSA, the terms and conditions of Article VI shall control. Moreover, a Project may include the use of information described in more than one of the provisions set forth in this Article VI, or it may include the use of information not described in this Article VI. In the event of a conflict between or among the terms and conditions of Subsections B, C, D or E of this Article VI, the more restrictive terms and conditions shall apply unless otherwise provided by Applicable Law or guidance by the applicable regulatory enforcement agencies or bodies. B. CJIS. 
The terms and conditions of this Section VI.B. apply when Covered Data involved in a Project includes criminal justice information.
1. CJIS Covered Data. Covered Data may also include, but shall not be limited to, CJIS Covered Data. For purposes of this DSA, CJIS Covered Data shall mean criminal justice information that is provided by the Federal Bureau of Investigation (FBI) Criminal Justice Information Services (CJIS) system and that is necessary for law enforcement and civil agencies to perform their missions, including, but not limited to, biometric, identity history, biographic, property, and case/incident history data.
2. Disclosure of CJIS Covered Data. The disclosure of CJIS Covered Data under the DSA, as modified by this section, is governed by the CJIS Security Policy, available at https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center. In accordance with the CJIS Security Policy and 28 CFR Part 20, use of the CJIS system under the DSA is restricted to: detection, apprehension, detention, pretrial release, post-trial release, prosecution, adjudication, correctional supervision, rehabilitation of accused persons or criminal offenders, and other legally authorized purposes.
3. Training. The Parties agree to work together to provide Authorized Users with confidentiality, privacy, and security training regarding access, use, and disclosure requirements for the CJIS Covered Data under the CJIS Security Policy.
4. Access Requirements. Unique authorization is required for Access to the CJIS Covered Data and must be properly authenticated and recorded for audit purposes, including CJIS security and other applicable audit requirements.
C. HIPAA and State Protected Health Information. The terms and conditions of this Section VI.C.
apply when Covered Data involved in a Project includes protected health information and such other sensitive health information, the disclosure of which may be limited or restricted by law, including, but not limited to, mental health and drug and alcohol related information.
1. PHI Covered Data. Covered Data may also include, but shall not be limited to, PHI Covered Data. For purposes of this DSA, "PHI Covered Data" shall mean "protected health information" or "PHI," as such term is defined by HIPAA. PHI shall include, but shall not be limited to, any other medical or health-related information that is afforded greater protection under more restrictive federal or state law, including, but not limited to, the Substance Abuse and Mental Health Services Act (SAMSHA), located at 42 C.F.R. Part 2, the Florida Mental Health Act (the Baker Act), located at Fla. Stat. § 394.451-394.47892, and the Hal S. Marchman Alcohol and Other Drug Services Act, located at Fla. Stat. § 397.301 et seq.
2. Disclosure of PHI Covered Data. The disclosure of PHI Covered Data under the DSA, as modified by this section, is governed by HIPAA and more restrictive federal or state law, as applicable. Accordingly, the disclosure of PHI Covered Data under the DSA is permitted only with the consent of the individual who is the subject of the PHI Covered Data, by court order that meets the requirements of applicable law, and for other purposes as permitted by Applicable Law.
3. Business Associate Agreement. To the extent that FLDS is a "Business Associate" of Grantee, as such term is defined under HIPAA, the Parties agree to enter into a mutually agreeable Business Associate Agreement.
4. Training. The Parties agree to work together to provide Authorized Users with confidentiality, privacy, and security training regarding access, use, and disclosure requirements for the PHI Covered Data under HIPAA and more restrictive federal or state law, to the extent applicable.
5. Access Requirements.
Unique authorization is required for Access and must be properly authenticated and recorded for audit purposes, including HIPAA audit requirements and other audit requirements under more restrictive federal or state law, to the extent applicable.
D. FERPA. The terms and conditions of this Section VI.D. apply when Covered Data includes student education records as defined by the Family Educational Rights and Privacy Act, 20 USC §1232g, and its implementing regulations set forth at 34 CFR Part 99 (collectively, "FERPA").
1. FERPA Covered Data. Covered Data may also include, but shall not be limited to, FERPA Covered Data. For purposes of this DSA, "FERPA Covered Data" shall mean student education records as defined by FERPA.
2. Disclosure of FERPA Covered Data. The disclosure of FERPA Covered Data under the DSA, as modified by this section, is governed by FERPA. Accordingly, the disclosure of FERPA Covered Data under the DSA is permitted with parent or eligible student consent and, without such consent, in the following circumstances: (i) to school officials with legitimate educational interest; (ii) to other schools to which a student is transferring; (iii) to specified officials for audit or evaluation purposes; (iv) to appropriate parties in connection with financial aid to a student; (v) to organizations conducting certain studies for or on behalf of the school; (vi) to accrediting organizations; (vii) to comply with a judicial order or lawfully issued subpoena; (viii) to appropriate officials in cases of health and safety emergencies; (ix) to state and local authorities, within a juvenile justice system, pursuant to specific state law; and (x) as otherwise provided by FERPA.
3. Training.
The Parties agree to work together to provide Authorized Users with confidentiality, privacy, and security training regarding access, use, and disclosure requirements for the FERPA Covered Data under FERPA.
4. Access Requirements. Unique authorization is required for Access and must be properly authenticated and recorded for audit purposes, including FERPA and any other applicable audit requirements.
E. DPPA. The terms and conditions of this Section VI.E. apply when Covered Data includes motor vehicle record information.
1. DPPA Covered Data. For purposes of the DSA, Covered Data may include, but shall not be limited to, DPPA Covered Data. For purposes of this DSA, "DPPA Covered Data" shall mean motor vehicle information as set forth in the Driver Privacy Protection Act, 18 U.S.C. § 2721 ("DPPA").
2. Disclosure of DPPA Covered Data. The disclosure of DPPA Covered Data under the DSA, as modified by this section, is governed by DPPA. DPPA prohibits the disclosure of personal information, as defined in 18 U.S.C. § 2725(3), that is contained in motor vehicle records, but such information may be used by any government agency, such as FLDS and Grantee, in carrying out its functions. Such personal information may not be re-disclosed by FLDS or Grantee, however, except in accordance with the permissible uses set forth at 18 U.S.C. § 2721(b). With certain limited exceptions, DPPA further prohibits the disclosure of highly restricted personal information, as defined in 18 U.S.C. § 2725(4), without the express consent of the individual who is the subject of such information. In accordance with section 119.0712(2)(d)(2), F.S., the emergency contact information contained in a motor vehicle record, without the
express consent of the person to whom such emergency contact information applies, may be released only to: (a) law enforcement agencies for purposes of contacting those listed in the event of an emergency; or (b) a receiving facility, hospital, or licensed detoxification or addictions receiving facility pursuant to sections 394.463(2)(a) or 397.6772(1)(a), F.S., for the sole purpose of informing a patient's emergency contacts of the patient's whereabouts. E-mail addresses that are collected by the Florida Department of Highway Safety and Motor Vehicles also may not be disclosed pursuant to Section 119.0712(2)(c), F.S.
3. Training. The Parties agree to work together to provide Authorized Users with confidentiality, privacy, and security training regarding access, use, and disclosure requirements for the DPPA Covered Data under DPPA and the Florida Statutes referenced above.
4. Access Requirements. Unique authorization is required for Access and must be properly authenticated and recorded for audit purposes, including, but not limited to, compliance with these terms and conditions.
VII. Duration of DSA and Designation of DSA Coordinators
A. This DSA will be effective on the date on which fully executed by both Parties and will terminate as set forth herein.
B. The DSA may be mutually terminated by written agreement of the Parties or unilaterally by either party, without cause, provided the terminating party serves the other party's DSA Coordinator with written notice of an intent to terminate the DSA in no less than thirty (30) calendar days from the date such notice is sent.
C. In the event either party (the "Breaching Party") fails to fully comply with the terms and conditions of this DSA, the other party ("Terminating Party") may terminate the DSA upon no less than twenty-four (24) hours (excluding Saturday, Sunday, and Holidays) notice in writing to the Breaching Party.
Such notice may be issued without providing an opportunity for cure if it specifies the nature of the noncompliance and states that provision for cure would adversely affect the interests of the State or is not permitted by law or regulation. Otherwise, notice of termination will be issued after a Breaching Party's failure to fully cure such noncompliance ten (10) days following the date of a written notice of noncompliance issued by the Terminating Party specifying the nature of the noncompliance and the actions required to cure such noncompliance. The Terminating Party's failure to demand performance of any provision of this DSA shall not be deemed a waiver of such performance. The Terminating Party's waiver of any one breach of any provision of this DSA shall not be deemed to be a waiver of any other breach and neither event shall be construed to be a modification of the terms and conditions of this DSA. The provisions herein do not limit the Terminating Party's right to remedies at law or in equity.
D. The DSA Coordinators and IT Coordinators for this DSA are:
FLDS DSA Coordinator: Adam Taylor
2555 Shumard Oak Boulevard
Tallahassee, FL 32399
Adam.Taylor@dms.fl.gov
850-728-6075
FLDS IT Coordinator: Jeremy Rodgers
2555 Shumard Oak Boulevard
Tallahassee, FL 32399
Jeremy.Rodgers@dms.fl.gov
850-509-9919
Grantee's DSA Coordinator:
Grantee's IT Coordinator:
VIII. Amendments and Changes
A. With the exception of changes to DSA and/or IT Coordinator designations, any changes, alterations, deletions, or additions to the terms set forth in this DSA must be by written amendment executed by all Parties. Changes to the DSA and/or IT Coordinator designations may be accomplished by providing email change notification that is acknowledged by both Parties.
B.
The Parties agree to follow and be bound by the terms and conditions of any policy decisions or directives from the federal and state agencies with jurisdiction over the use of the data described herein upon receipt of written notice directing that such rules, policy decisions, or directives apply to this DSA.
IX. Inspection of Records
Each Party shall permit the other Party and any other applicable state and federal representatives with regulatory oversight over the other Party, or their designees, to conduct inspections described in this paragraph, or to make on-site inspections of records relevant to this DSA to ensure compliance with any state and federal law, regulation, or rule. Such inspections may take place with notice during normal business hours wherever the records are maintained. Each Party shall ensure a system is maintained that is sufficient to permit an audit of such Party's compliance with this DSA and the requirements specified above. Failure to allow such inspections constitutes a material breach of this DSA. This DSA may be terminated in accordance with Section VII.C. for a material breach.
X. Governing Law and Jurisdiction
This DSA shall be governed by and construed and enforced in accordance with the laws of the State of Florida and shall be binding upon the Parties hereto in the United States and worldwide. A state court of competent jurisdiction in Leon County, Florida, shall be the exclusive venue for any action regarding this DSA.
XI. Grantee Additional Terms
A. Assignment and Contractors. Grantee shall not sell, assign, or transfer any of its rights, duties, or obligations under this DSA. Grantee shall ensure all contractors that have Access to Covered Data or Software Entitlements comply with all requirements of this DSA. The Software Entitlements shall not be Accessible by, or deployed on, Information Technology Resources not owned, employed, or controlled by Grantee.
B. Inspector General and Chief Inspector General.
Grantee understands its, and its contractors' (if any), duty, pursuant to sections 20.055(5) and 14.32, F.S., to cooperate with the Inspector General in any investigation, audit, inspection, review, or hearing. Upon request of the Inspector General or any other authorized State official, and without charge, Grantee must provide any type of information the official deems relevant to Grantee's integrity or responsibility. Such information may include, but will not be limited to, Grantee's business or financial records, documents, or files of any type or form that refers to or relates to this DSA. Grantee shall facilitate interviews with employees or contractors and provide access to facilities. Grantee agrees to reimburse the State for the reasonable costs of investigation incurred by the Inspector General or other authorized State official for investigations of Grantee's compliance with the terms of this DSA or any other agreement between Grantee and the State that results in the suspension or debarment of Grantee. Such costs will include, but will not be limited to, salaries of investigators, including overtime; travel and lodging expenses; and expert witness and documentary fees.
[signature page follows]
IN WITNESS WHEREOF, the Parties hereto execute this DSA as of this day of , 2023.
FLORIDA DEPARTMENT OF MANAGEMENT SERVICES
By: Name: Title:
GRANTEE
By: Name: Title:
This sample agreement is not required for submission with your grant application.
A data sharing agreement will need to be executed within 30 days of award.
RELEVANT FLORIDA STATUTES (2022)
Section 282.0051(1), Florida Statutes (F.S.), in relevant part, grants the Department of Management Services (Department), through the Florida Digital Service (FLDS), authority to develop and publish information technology policy for the management of the state's information technology resources; develop an enterprise architecture that acknowledges the unique needs of the entities within the enterprise in the development and publication of standards and terminologies to facilitate digital interoperability; establish best practices for the procurement of information technology products and cloud-computing services in order to reduce costs, increase the quality of data center services, or improve government services; and conduct annual assessments of state agencies to determine compliance with all information technology standards and guidelines developed and published by the department and provide results of the assessments to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives.
Section 282.0051(3), F.S., in relevant part, requires the Department, through the FLDS, to create, not later than December 1, 2022, and maintain a comprehensive indexed data catalog in collaboration with the enterprise that lists the data elements housed within the enterprise and the legacy system or application in which these data elements are located; develop and publish, not later than December 1, 2022, in collaboration with the enterprise, a data dictionary for each agency that reflects the nomenclature in the comprehensive indexed data catalog; adopt, by rule, standards that support the creation and deployment of an application programming interface to facilitate integration throughout the enterprise, standards necessary to facilitate a secure ecosystem of data interoperability that is compliant with the enterprise architecture, and standards that facilitate the deployment of applications or solutions to the existing enterprise system in a controlled and phased approach.
Section 282.0051(5), F.S., stipulates that the Department, through the FLDS, may not retrieve or disclose any data without a shared-data agreement in place between the Department and the enterprise entity that has primary custodial responsibility of, or data-sharing responsibility for, that data.
Section 282.318(3), F.S., in relevant part, names the Department, through the FLDS, the lead entity responsible for establishing standards and processes for assessing state agency cybersecurity risks and determining appropriate security measures, and requires the Department, through the FLDS, to adopt rules that mitigate risks; safeguard state agency digital assets, data, information, and information technology resources to ensure availability, confidentiality, and integrity; and support a security governance framework; and requires the Department, through the FLDS, to designate an employee of the FLDS as the state chief information security officer responsible for the development, operation, and oversight of cybersecurity for state technology systems who shall be notified of all confirmed or suspected incidents or threats of state agency information technology resources and must report such incidents or threats to the state chief information officer and the Governor; develop, and annually update by February 1, a statewide cybersecurity strategic plan that includes security goals and objectives for cybersecurity, including the identification and mitigation of risk, proactive protections against threats, tactical risk detection, threat reporting, and response and recovery protocols for a cyber incident; and develop and publish for use by state agencies a cybersecurity governance framework that, at a minimum, includes guidelines and processes for:
1. Establishing asset management procedures to ensure that an agency's information technology resources are identified and managed consistent with their relative importance to the agency's business objectives.
2.
Using a standard risk assessment methodology that includes the identification of an agency's priorities, constraints, risk tolerances, and assumptions necessary to support operational risk decisions.
3. Completing comprehensive risk assessments and cybersecurity audits, which may be completed by a private sector vendor, and submitting completed assessments and audits to the department.
4. Identifying protection procedures to manage the protection of an agency's information, data, and information technology resources.
5. Establishing procedures for accessing information and data to ensure the confidentiality, integrity, and availability of such information and data.
6. Detecting threats through proactive monitoring of events, continuous security monitoring, and defined detection processes.
7. Establishing agency cybersecurity incident response teams and describing their responsibilities for responding to cybersecurity incidents, including breaches of personal information containing confidential or exempt data.
8. Recovering information and data in response to a cybersecurity incident. The recovery may include recommended improvements to the agency processes, policies, or guidelines.
9. Establishing a cybersecurity incident reporting process that includes procedures for notifying the department and the Department of Law Enforcement of cybersecurity incidents.
10. Incorporating information obtained through detection and response activities into the agency's cybersecurity incident response plans.
11. Developing agency strategic and operational cybersecurity plans required pursuant to this section.
12. Establishing the managerial, operational, and technical safeguards for protecting state government data and information technology resources that align with the state agency risk management strategy and that protect the confidentiality, integrity, and availability of information and data.
13. Establishing procedures for procuring information technology commodities and services that require the commodity or service to meet the National Institute of Standards and Technology Cybersecurity Framework.
14. Submitting after-action reports following a cybersecurity incident or ransomware incident. Such guidelines and processes for submitting after-action reports must be developed and published by December 1, 2022.
Section 282.318(3), F.S., additionally requires the Department, through the FLDS, to operate and maintain a Cybersecurity Operations Center led by the state chief information security officer, which must be primarily virtual and staffed with tactical detection and incident response personnel and shall serve as a clearinghouse for threat information and coordinate with the Department of Law Enforcement to support state agencies and their response to any confirmed or suspected cybersecurity incident.
Section 282.318(4), F.S., in relevant part, requires each state agency head to conduct, and update every three years, a comprehensive risk assessment to determine the security threats to the data, information, and information technology resources, including mobile devices and print environments, of the agency; develop, and periodically update, written internal policies and procedures, which include procedures for reporting cybersecurity incidents and ransomware incidents to the Cybercrime Office of the Department of Law Enforcement and the FLDS (such policies and procedures must be consistent with the rules, guidelines, and processes established by the Department to ensure the security of the data, information, and information technology resources of the agency); the internal policies and procedures that, if disclosed, could facilitate the unauthorized modification, disclosure, or destruction of data or information technology resources are confidential information and exempt from section 119.07(1), F.S., except that such information shall be available to the Auditor General, the Cybercrime Office of the Department of Law Enforcement, the FLDS, and, for state agencies under the jurisdiction of the Governor, the Chief Inspector General; implement managerial, operational, and technical safeguards and risk assessment remediation plans recommended by the department to address identified risks to the data, information, and information technology resources of the agency; the Department, through the FLDS, shall track implementation by state agencies upon development of such remediation plans in coordination with agency inspectors general; and develop a process for detecting, reporting, and responding to threats, breaches, or cybersecurity incidents which is consistent with the security rules, guidelines, and processes established by the Department through the FLDS.
Section 119.0725, F.S., establishes that records related to agency cybersecurity information are confidential and exempt from section 119.07(1), F.S., and s. 24(a), Art. I of the State Constitution.
Section 282.318(5), F.S., further establishes that the portions of risk assessments, evaluations, external audits, and other reports of a state agency's cybersecurity program for the data, information, and information technology resources of the state agency which are held by a state agency are confidential and exempt from section 119.07(1), F.S., and s. 24(a), Art. I of the State Constitution if the disclosure of such portions of records would facilitate unauthorized access to or the unauthorized modification, disclosure, or destruction of:
(a) Data or information, whether physical or virtual; or
(b) Information technology resources, which include:
1. Information relating to the security of the agency's technologies, processes, and practices designed to protect networks, computers, data processing software, and data from attack, damage, or unauthorized access; or
2. Security information, whether physical or virtual, which relates to the agency's existing or proposed information technology systems; and
Section 282.318(7), F.S., establishes that portions of records made confidential and exempt in section 282.318(5), F.S., shall be available to the Auditor General, the Cybercrime Office of the Department of Law Enforcement, the FLDS, and, for agencies under the jurisdiction of the Governor, the Chief Inspector General; such portions of records may be made available to a local government, another state agency, or a federal agency for cybersecurity purposes or in furtherance of the state agency's official duties.
This sample rider is not required for submission with your grant application.
Software riders will need to be executed within 30 days of award.
Solution Name Software Rider
The terms and conditions set forth in this Software Rider ("Rider") apply to the Florida Digital Service, a part of the Florida Department of Management Services ("FLDS"), and the GRANTEE ("Grantee") in connection with the Grantee Data Sharing Agreement ("DSA") between FLDS and Grantee. Capitalized terms not otherwise defined herein are as defined in the DSA. In the event of a conflict between this Rider and the DSA, the terms of this Rider shall control.
I. Definitions
A. Protected Grantee Data — Data, not including Telemetry Data, maintained, and generated by Grantee, which shall not be Accessed or Accessible by, or sent to, the Licensed Software Solution.
B. Customer Account — As used in this Rider, the Customer Account is the Licensed Software Solution Account directly utilized by Grantee.
C. Local Government Cybersecurity Grant Program ("the Program") — The Program established by the 2022-2023 General Appropriations Act to improve county and municipal cybersecurity posture and resiliency.
D. Licensed Software Solution — As used in this Rider, refers to all Solution Name software that is provided by FLDS for Grantee use under the Program.
E. Managing Organization — The entity managing the use of the Licensed Software Solution and its Solution Name. As used in this Rider, the Managing Organization is FLDS.
F. Solution Name — As used in this Rider, the Solution Name is the global administrative account directly managed and licensed by FLDS.
G. Solution Data — Data, reports, or other information generated by the Licensed Software Solution. May be derived from but shall not include Telemetry Data.
H. Telemetry Data — The data generated by Grantee through automated communication processes from multiple data sources and processed by the Licensed Software Solution.
I.
View — The permissions granted for FLDS to see Telemetry Data provided to the Managing Organization's Solution Name by the Customer Account. A View does not permit FLDS Access to Protected Grantee Data.
II. Statement of Work
A. Purpose/Scope: FLDS and Grantee enter into this Rider to establish the terms and conditions for Grantee Access to the Licensed Software Solution provided by FLDS; to establish the maintenance, use, and disclosure of the Telemetry Data generated by Grantee and its upload to the Solution Name; and to provide terms and conditions for the use of the Licensed Software Solution.
B. FLDS Role and Responsibilities: FLDS is responsible for providing Grantee with the option to utilize the Licensed Software Solution. FLDS shall be permitted to Access a View of the Telemetry Data provided within the Solution Name via permissions to the Customer Account. FLDS will only use Telemetry Data for the express purpose of developing and implementing the Program and in furtherance of FLDS' and Grantee's statutory and regulatory obligations. FLDS will not disclose the Telemetry Data to any third party unless required by law or as otherwise authorized by Grantee.
C. Grantee's Role and Responsibilities: Grantee is responsible for:
a. Grantee Access to and use of the Licensed Software Solution and, where applicable, compliance with Appendix A - Purchase Order ##### Terms and Conditions;
b. Activating and deactivating the Access, credentials, and privileges of its authorized users;
c. Ensuring no Protected Grantee Data is submitted to the Licensed Software Solution;
d. Identifying protected data sources in Section III and entering into any additional agreement with FLDS, the Licensed Software Solution provider, or other third-parties as may be required by law; and
e.
Managing access controls to allow View by FLDS and Access by the Licensed Software Solution.
Telemetry Data, even as it may be housed, maintained, or processed by the Licensed Software Solution, is and shall remain the property of Grantee.
D. Indemnification: See section W. Indemnification, of the Agreement.
III. Data Types
Telemetry Data may be collected from the following Protected Grantee Data sources:
CJIS Covered Data
HIPAA and State Protected Health Information
FERPA Covered Data
DPPA Covered Data
Other
N/A
IV. Attachments
Appendix A — Purchase Order ###### Terms and Conditions
This sample rider is not required for submission with your grant application. An Incident Response Rider will need to be executed within 30 days of award.
Cybersecurity Incident Response Rider
The terms and conditions set forth in this Cybersecurity Incident Response Rider ("IR Rider") apply to the Florida Digital Service, a part of the Florida Department of Management Services ("FLDS"), and the GRANTEE ("Grantee") in connection with the Grantee Data Sharing Agreement ("DSA") between FLDS and Grantee. Capitalized terms not otherwise defined herein are as defined in the DSA. In the event of a conflict between this IR Rider, the DSA, and any other rider, the terms of this IR Rider shall control.
I. Definitions
A. Cloud Console — The global administrative accounts for Software Entitlements directly managed and licensed by FLDS.
B. Customer Account — The accounts for Software Entitlements directly utilized by Grantee.
C. Local Government Cybersecurity Grant Program ("the Program") — The Program established by the 2022-2023 General Appropriations Act to improve county and municipal cybersecurity posture and resiliency.
D.
Information Technology Resources — As defined in section 282.0041, Florida Statutes, data processing hardware and software and services, communications, supplies, personnel, facility resources, maintenance, and training. As used in this IR Rider, the term also includes the definition for "Information Technology," as defined in section 282.0041, Florida Statutes, to add equipment, hardware, software, firmware, programs, systems, networks, infrastructure, media, and related material used to automatically, electronically, and wirelessly collect, receive, access, transmit, display, store, record, retrieve, analyze, evaluate, process, classify, manipulate, manage, assimilate, control, communicate, exchange, convert, converge, interface, switch, or disseminate information of any kind or form.
E. Managing Organization — The entity managing the use of the Software Entitlements and their Cloud Consoles. As used in this IR Rider, the Managing Organization is FLDS.
F. Protected Grantee Data — Data, not including Telemetry Data, maintained and generated by Grantee, which shall not be Accessed or Accessible by, or sent to, Software Entitlements.
G. Solution Data — Data, reports, or other information generated by Software Entitlements. This may be derived from, but does not include, Telemetry Data.
H. Telemetry Data — Data generated by Grantee through automated communication processes from multiple data sources and processed by Software Entitlements.
I. View - The permissions Grantee grants to FLDS to see Telemetry and Solutions Data provided to the Managing Organization by Customer Accounts. A View does not permit FLDS Access to Protected Grantee Data.

II. Purpose

FLDS and Grantee enter into this IR Rider to establish the terms and conditions for FLDS access to assist Grantee with responding to incidents.

III.
Incident Response

A. Incident Response Support. Upon discovery of an incident, as determined by Grantee or FLDS, Grantee may request, or FLDS may offer to provide, incident response support. Access to Grantee Information Technology Resources shall be limited to the extent expressly agreed to by Grantee. Such Access and support are unilaterally terminable at any time by either Party. FLDS may establish, and Grantee shall comply with, protocols or procedures for reporting and requesting support for incidents under this IR Rider, responding to incidents, and the types of support available to be provided for an incident. Grantee shall mitigate the impact of the incident and preserve all relevant documents, records, and data. Grantee shall cooperate and coordinate with FLDS in responding to incidents where incident response support is received, including, but not limited to:
1. Assisting with any incident response related investigation by FLDS;
2. Providing FLDS with physical access to the affected facilities and operations;
3. Facilitating interviews with Grantee personnel; and
4. Making all relevant records, logs, files, data reporting, and other materials available to FLDS or Grantee-authorized third parties.

FLDS shall only Access Covered Data, other Grantee data, and Grantee Information Technology Resources as permitted by Grantee. Any specific limitations on such Access shall be documented. Upon termination of each instance of incident response support, regardless of the reason for such termination, Grantee shall assist FLDS with any close-out or post-incident documentation upon request.

B. Covered Data and Personally Identifiable Information. FLDS will not disclose Covered Data or other data made Accessible during incident response support to any third party unless required by law or as authorized by Grantee. In the event such data is required by law to be disclosed, FLDS shall make best efforts to notify Grantee prior to such disclosure.

IV.
FLDS Role and Responsibilities

FLDS shall provide Grantee with the option to utilize the Software Entitlements to enhance the Grantee's cybersecurity and protect the Grantee's infrastructure from threats. FLDS will Access a View of the Telemetry Data and Solution Data. FLDS will only use Telemetry and Solutions Data for the purpose of developing and implementing the Program; identifying and responding to risks and incidents; and in furtherance of meeting FLDS' and Grantee's statutory and regulatory obligations. FLDS will not disclose the Telemetry Data and Solutions Data to any third party unless required by law or as otherwise authorized by Grantee. FLDS will provide incident response services and resources as allowed and agreed to by FLDS and Grantee in responding to risks and incidents.

V. Grantee Roles and Responsibilities

Grantee shall cooperate with and provide all assistance necessary to FLDS' incident response support.

VI. Indemnification

See section W. Indemnification, of the Agreement.

VII. Liability and Termination of Incident Response Support

Except as described in the DSA or other riders, incident response services and resources of FLDS or Grantee-authorized third parties shall be provided by FLDS without warranty by, and without liability to, FLDS or such Grantee-authorized third parties. Upon request, FLDS or Grantee-authorized third parties shall provide reasonable assistance to return Grantee Information Technology Resources to the operational status prior to the involvement of FLDS incident response support.
Warranties and Commitments
KB0010019: Authored by Ishmael Hannah

Local Government Cybersecurity Grants Program — 2023 Warranties and Commitments

The following warranties and commitments are made by the Florida Digital Service (FL[DS]) to the awarded local government entities.

The Local Government Cybersecurity Grants Program is funded by the State of Florida at no additional cost to your organization.

Opting into the Local Government Cybersecurity Grants Program does not require your organization to participate in future program initiatives or to implement additional security solutions.

The FL[DS] follows and will adhere to the principle of least privilege. FL[DS] will only have access to the specific data, resources, and applications needed to enable your organization with the agreed upon capabilities you request and are awarded.

In circumstances where response assistance is requested, additional or elevated access may be needed. FL[DS] will only use the access for the scope of the incident, as granted by you, and will immediately remove this access when it is no longer needed.

Your organization will maintain ownership, management, and administrative rights of your environment and the components within this program.

Your organization agrees to share telemetry data with the FL[DS] Cybersecurity Operations Center and understands that doing so does not give or transfer ownership of any of your organization's data to FL[DS].

Any documents, network maps, inventories or other cybersecurity related information shared with and held by the FL[DS] are considered confidential and exempt from s. 119.07(1) and s. 24(a), Art. I of the State Constitution as prescribed in section 119.0725, Florida Statutes (F.S.).

The FL[DS] commits to returning any shared information to your agency if the protections in section 119.0725, F.S., become insufficient by way of subsequent legislation.
The FL[DS] will prioritize any future appropriations towards the renewal of awarded and implemented capabilities before expanding implementations to other entities.

Last Revised: 1/26/2023
Florida Digital Service 2555 Shumard Oaks Blvd Tallahassee, FL 32399

Application Submitted!

For reference, your cybergrant application case number is CYBGR0001258. Your application has been successfully submitted and we will reach out if any additional information is needed.

Cybersecurity Grants Application Request Estimate

Item  Description                                                                Cost
1     Asset Vulnerability Management Solution                                    $748,719.75
2     Security Incident and Event Management (SIEM) Solution                     $390,266.02
3     Content Delivery Network (CDN) and Domain Name Services (DNS) Resiliency   $61,680.00
4     Multifactor Authentication and Single Sign On                              $438,587.03
5     CMDB                                                                       $1,797,016.00
6     Security Operations Platform - ReliaQuest                                  $205,000.00
7     Endpoint Detection & Response (EDR)                                        $325,000.00
8     Intrusion detection or intrusion prevention                                $79,860.00
      Total Grant Request                                                        $4,046,128.80