The URL can be used to link to this page

Home My WebLink AboutDocumentation_Regular_Tab 07_01/10/2019 __ _ _.__ � \ / , �� o � � , � �� __ � ' � � � � To:1im Weinand From: Brad Gomberg Date: 11/7/2018 Re: Firewall Replacement Mr. Weinand, Our current firewall hardware is over 10 years old and recently went EOL(end-of-life) on September 30`n of this year.The lack of available direct support options, in addition to advances in security through new technology is driving force in replacing the existing hardware.You will find the attached request to approve the purchase of a new, highly available (redundant) Cisco Firepower firewall solution in addition to all applicable security and management products required to secure the Village's network infrastructure. Although it is the highest bid, I recommend awarding the project to CDW-G.The CDW-G portfolio of work in this space is impressive and cannot be undervalued. In addition,they have included a high tier engineer, normally assigned to much more complex projects,whose experience and knowledge will be critical in providing the most secure configuration. In addition, i believe their scope of work to be the most thorough and accurate representation of the work required to complete the job. $50,000 was budgeted in the current fiscal year for this item. Proposals: CDW- $48,060.41 (Recommended) SHI - $43,679.74 PCS- $39,913.46 Thank you, Brad Gomberg-IT Director � PEOPLE wHo Cisco Firepower Management Center GET IT Prepared For:VILLAGE OF TEQUESTA Bred Gomberg CDWAM:Ro65ullivan 561.575.6235 Contact:866.245.8105 Quote:39066539 baomberalc�.teauesta.ora emaii: robesul@cdwQ.com io/ie/zoia � �. 1 SFFMGVMW-2-K9 Cism Firepower Management Center,�VMWare)for 2 devices $ 500.00 $ 254.40 s Z54.40 1 CON-ECMU-SFMMCVWK SWSSUPGRADESCiscoFlrepowerManagementCen[er,�VMWa $ 100.00 $ 81.62 $ $1.(2 1 CON-ECMUS-SFMMCVWK SOLNSUPPSWSSCIscoFirepowerManagementCenter,(VMWa $ 120.00 $ 97.94 S 97.94 50 L-AGPLS-LIC= Cism AnyConnect Pius Term License,Total Authorized Users 5 - $ - . 50 L-AC-PLS-lY-Sl Clsco AnyConnect Plus License,SVR,25-99 Users $ 6.00 $ 3.05 S 1$z.[4 1 FPR2120-FTD-HA-BUN Cissco Firepower 2120 Threat Defense Chss,Subs HA Bundle $ - $ - . 2 FPR2120-NGFW-K9 Cisco Firepower 2120 NGFW Appliance,lU $ 19,995.00 $ 10,173.46 5 20,346.91 2 CON-SSSNT-FPR2IGFN SOLN SUPP SXSXNBD Cisw Firepower 1120 NGFW Appllance,lU $ 2,240.00 $ 1,828.29 $ 3,656.58 2 SF-F2K-TD613-K9 Cism Firepower Threat Defense sohware v6.23 for FPR2100 $ - $ - .. 2 FPR2K-SSD100 Flrepower2000SeriesSSDforFPR-2110/2120 $ - $ - _ 2 FPR2K-SSD-BBLKD firepower 2000 Series SSD Slot Carrier $ - $ - .. 2 CAB-AC AC Power Cord(North America�,C13,NEMA 5-SSP,21m 5 - $ - � .. 1 FPR2K-SSD100= Firepower20005eries55DforFPR-2110/2120 $ 1,050.00 5 534.24 $ 1,Q($.4$ Z FPR2K-SSD-BBLKD= Firepower 20005eries SSD Slot Carrier $ 125.00 $ 63.60 s 127.20 2 L-FPR2120T-TMG- Cisco FPR2120 Threat Defense Threat,Malware and URL License $ - $ - � 2 L-FPR2120T-TMC-lY Cisco FPR2120 Threat Defense Threat,Malware and URL lY Subs $ 7,650.00 $ 3,89232 $ 7,784.64 Grand Total: $33,570.41 Prices are Joi inJormational purposes anl y and are subject to change withaut notice. Vrices as quoted are valid Jor Ten Days after proposol date. Prices are contingent on finol pricinp opproval from ManuJatturer Quote provided based on specificotion provided by customer.No workload validation has 6een done. The Krms and ronditions provided on this link oppty:http://www.cdw.com/content/terms-conditions/deJault.asµr Applitable 7ares and Shippinp not shown. CDW Confidential Page 1 of 2 � � STATEMENT OF VVORK ! Project'.\ame: I irepower Install Seller Representative: j Customee•'�ame: 4"illage of Tequesta Robert Sullivan C`D��`Affitiate: C'DW Government,LLC. 8662458105 robesul@cdwg.com Date Keqaested: Uecember 13,2018 Solution Architect: Seller Services �lnnette Ditter Michael Lane :YtanaQer: I Version: I This statement of work(`Statement of Work"or"SOW") is made and entered into on the date this SOW is signed by both parties(the"SOW Effective Date")by and between the undersigned,CDW Government,LLC.("Provider", "Seller"and"we")and Village of Tequesta("Customer"and"yod'). PROJECT DESCRIPTION PROJECT SCOPE Customer currently utilizes a pair of ASA 5510 Firewalls and an Untangle Security Appliance to provide Internet security. Seller will provide professional services to assist with migrating Customer's Cisco ASA 5510 to Cisco Firepower Threat Defense (FTD) 2120 Series Appliances. As part of this project, Seller will perform the following tasks: • Review existing configuration of the ASA 5510 • General configuration of 2 Cisco FTD 2120 appliances • Design and configuration of Firepower Management Console(FMC) o Set the hostname,password,domain name, DNS, date and time o Configure Management[P o Configure the Firepower Management Console for reporting,and policy configuration of the FTD o Configure FMC communications with FTD Appliances o Configure Multiple Domain Management o Configure the Firepower Management Console for visibility into other data feeds o Configure High Availability Appliances o Firepower Threat Defense(FTD)Appliance Co�figurations ■ Configuration of Routed Mode ■ Configuration of Management Interface ■ Configuration of Physical or Logical Interfaces—up to 6 ■ Configuration of Security Zones—up to 3 ■ Configure High Availability based on design specifications Page 1 Proprietary and Confidential CDW Government, LLC. Version: 1 Contract Number: 38476 Drafted by: Paul Davila ■ Configure Routing ■ Configuration ofNAT/PAT addressing policies to reflect connectivity requirements ■ Configuration of Access Control Policies ■ Configuration of any IPSec and/or SSL VPN connectivity reyuirements • Configure ISAKMP policies and enable ISAKMP on appropriate interfaces • Configure IPSec transform sets and crypto maps • Configuration of SSL AnyConnect Customer VPN services o Generate CSR for SSL Certificate o Install 3rd Party Certificate o Install AnyConnect Licenses o Configure(4)RA Group Policies ■ ADMIN ■ FIRE ■ TEQUESTA ■ POLICE o Integration Authentication to Active Directory for User VPN o Create RA IP Pools for each group o Create full tunnel or split tunnel policy • Test VPN Connectivity based on Customer Use-Cases o Configure Network Discovery Policy to identify hosts,servers,applications,users,and network devices o Configure IPS Inspection Policy o Configure Application Visibility and Control(AVC) o Configure URL Filtering policy o Configure AMP for Networks anti-malware file policy o Configure a User Access Policy • Analysis and basic tuning of the Firepower Services in effort to mitigate false positive events and to effectively position intrusion prevention within the relevant environment o Basic configuration of the Firepower connection events(i.e.logging,IP logging,dropping,etc.) o Configuration and basic tuning of whitelists,blacklists,and application identification o Configuration and basic tuning of the Signature Definitions;turning on/off signatures categories relative to Customer's network environment based upon Firepower recommendations from the Network Discovery Policy PROJECT PLAN PLANNMG The planning phase consists of the following: • Project Kickoff—The project team will be chartered and staff will be assigned to project roles.The team will review Customer's needs,discuss/revise the project scope and assumptions,and finalize logistical details. • Inventory Hardware—Seller staff will inventory,document,and hardware power-on test.Issues with faulty hardware,as well as inventory discrepancies,will be identified and resolved. • Project Planning—Members of the project team will develop a detailed project plan and test plan for the Firepower Threat Defense Services deployment. Page 2 Proprietary and Confidential CDW Government, LLC. Version: 1 Contract Number:38476 Drafted by:Paul Davila DESIGN Seller will conduct a detailed design session with the project team.The goal of this design session is to identify and address architectural,security,and device management requirements.The design phase consists of the following sub- phases: • Analysis—Seller and Customer technical staff will work together to: o Review network architecture,technical specifications,and VPN requirements o Analyze hardware configuration o Review industry best practices in order to develop baseline design information. • Network Design—Seller staff will lead an effort to: o Develop the final design o Identify ail security zones on the network o Map security zones to physical and virtual interfaces o Design communication between Firepower Management Console and Firepower Appliances o Design site-to-site and remote access VPN considerations o Design SSL VPN considerations • Documentation—Seller staff will document and diagram the Firepower Threat Defense Services design, including VPN. STAGING The process for staging,configuring and testing the Firepower Threat Defense Appliances can be further detailed as follows: • Upgrade FTD Software to meet the standards specified in the design phase • Instail Firepower Management Console in the VMware o Download latest Security Intelligence and vulnerability database updates o Install User Agent on a Domain Member computer and ensure User and Group information is populated in the Firepower Management Console • Build the FTD Appliance configuration to the specifications documented in the design phase,including: o Firewall security wnes o Firepower connectivity to Firepower Management Console o Apply initial Network Discovery Policy and Access Control Policy o VPN configuration • Execute the test plan developed during the planning phase to ensure proper design and configuration FIREPOWER THREAT DEFENSE IMPLEMENTATION The process for implementing the Firepower Threat Defense can be further detailed as follows: • During a scheduled change period,the Firepower Threat Defense Appliances will be placed into production. • Seller will work with Customer to perform application testing to validate the implemented firewall policy developed in the design phase of this project. • Remote User VPN connectivity will be tested • Site to Site VPN connectivity will be tested • Next-Generation Services(IPS/AVC/AMP/URL)will be placed in promiscuous mode to aliow for Network and Application discovery Page 3 Proprietary and Confidential CDW Government, LLC. Version: 1 Contract Number:38476 Drafted by:Paul Davila Seller will provide day one support on the first production day following the cutover. • During day one support,the network discovery information will be reviewed and corrected to account for Customer's unique environment • An initial IPS policy in"alert,don't block"configuration will be applied to begin creating a tuned ruleset based upon the initial network discovery information • An initial URL filtering policy will be applied for web browsing and reporting • An initial File Policy will be created to identify potential malware being transferred across the network or identify any infected hosts via the Security Intelligence information • Application Visibility and Control(AVC)rules will be created using the identified applications in the Firepower Management Console's application maps Seller will perform Two(2),Four(4)hour Firepower tuning sessions following the first day of support for the firewall implementation. The first tuning session will be scheduled between one (1) and two (2) weeks after the initial Firepower promiscuous deployment. Seller will work with Customer to review the events collected and tune the full solution. Any identified malware,IPS events and AVC connection events will be investigated and custom workflows for Customer will be created. The second Firepower tuning session will be performed within two (2) weeks of the first tuning session and not exceeding thirty (30) business days from the initial deployment. Inspection policies will be reviewed and tuned, custom reports scheduled,administrative access controls implemented and final configuration of event notifications. If a malware outbreak is identified Seller will assist Customer in identifying and remediating the infected hosts. If the outbreak is determined to be severe and Customer wishes Seller assistance with remediation a Change Order may be required for additional remediation efforts. Seller will provide first day of support after tuning sessions and IPS implementation changes for the Firepower Services. KNOWLEDGE TRANSFER Seller will provide up to 4 hours of knowledge transfer for the Firepower Management Console interface. Topics include operational tasks,managing security policies and updates. PROJECT CLOSURE This phase signifies the end of the project. All services in the Description of Services section of this document are completed and all items to be provided are received by Customer. CUSTOMER RESPONSIBILITIES Customer is responsible for the following: 1. Provide a 4 hour maintenance window to allow for the cutover to the FTD solution. 2. Configuration of their LDAP environment when integrating with the FTD solution. Seller will provide guidance on the required configuration for integration. 3. Customer will provide documentation for required connectivity through the firewall that includes source IP, destination IP,port,protocol information,and network address translation requirements.If traffic analysis is required to determine the appropriate connectivity information; it may result in a revision of the services estimate. Page 4 Proprietary and Confidential CDW Government, LLC. Version: 1 Contract Number:38476 Drafted by:Paul Davila 4. Customer is responsible for all change control procedures and notifications that are necessary for the performance ofthis project. 5. Customer is responsible for racking,cabling,and powering of all equipment 6. Customer is responsible for application testing to be performed during cutover(s). 7. Customer will provide full access to all network devices to Seller. 8. Customer is responsible for any additional hardware,software,certificates,and Smart licenses that are required for installation. 9. Customer is responsible for providing a supported virtualization environment for any Firepower components that are to be virtualized. 10. Customer is responsible for interpreting firewall configuration or provide a resource who is familiar with the existing solution 11. Customer will provide at least one(1)domain member computer for installation of the User Directory Agent to allow for user policy creation. PROJECT ASSUMPTIONS 1. Customer will provide Seller staff with appropriate physical and network access to implement configurations defined in this SOW. 2. There is adequate power,UPS,rack space,and network connectivity for the devices included on the bill of materials 3. For the Firepower services, Seller will configure up to: a. 6 Access Control policies b. 4 IPS and Application Visibility policies c. 2 Application rules per security policy d. 2 File policies e. 2 URL policies f. 2 DNS Inspection and Sinkhole policies 4. Training documentation is not part of this project. 5. For Migration Deployments: a. Firewall configurations wiil be migrated `as-is'. b. Migrations may be manual and/or use Cisco's FTD Firewall Migration Tool. ***Note—Cisco's FTD Migration Tool only supports Cisco ASA code 9.1+and only migrates limited features within the configuration*** c. In addition,Seller will configure no more than 9 Interfaces/Zones. d. In addition,Seller will configure no more than 75 Security Policy Rules. e. In addition,Seller will configure no more than 50 Network Address Translation(NAT)or Port Address Translation(PAT)entries. f. In addition,Seller will configure no more than 3 SSL VPN Profile Policies. g. In addition,Seller wili configure no more than 3 LAN-to-LAN VPN tunnels. 6. Migration of URL policies from Untangle security appliance aze best effort only 7. Customer understands that Cisco FMC has limited log retention capability and Seller is not responsible for log retention OUT OF SCOPE Tasks outside this SOW include,but are not limited to: 1. Configuration of any other network equipment not directly related task of implementing the Firepower services and configuring required services.Within scope are minor changes to existing network Page 5 Proprietary and Confidential CDW Government, LLC. Version: I Contract Number:38476 Drafted by:Paul Davila infrastructure that may need to occur to accommodate required services,such as VLAN configurations, routing,and AAA(authentication,authorization,accounting)services. 2. Racking,cabling,and powering hazdware equipment 3. Advanced IPS tuning beyond normal Firepower tuned recommendations. 4. Custom IPS signature creation. 5. Custom Open-App ID creation. 6. Firewall Configuration Cleanup and Optimization 7. Certificate distribution of certificates or configuration of existing PKI solution 8. Migration of URL policy from Untangle appliance PROJECT MANAGEMENT Seller will assign a project management resource to perform the following activities during the project: • Kickoff Meeting.Review SOW including project objectives and schedule,logistics,identify and confirm project participants and discuss project prerequisites. • Project Schedule or Plan.A project schedule that details the schedule and resources assigned to the project. • Weekly Status Meetings and Reports.Status meetings will be conducted on a weekly basis.During these meetings,Seller and you will discuss action items,tasks completed tasks outstanding, issues and conduct a budget review. • Change Management.When a change to a project occurs, Seller's project change control process will be utilized. • Project Closure Meeting.The project team will meet to recap the project activities,provide required documentation,discuss any next steps,and formally close the project. Services not specified in this SOW are considered out of scope and will be addressed with a separate SOW or Change Order. ITEM(S�PROVIDED TO CUSTOMER Table 1—Item(s)Provided to Customer Design and As-Built A detailed design and as-built document including any PDF Document Firepower Services and/or VPN services Network Diagram Diagram of logical and physical connectivity Visio PROJECT SCHEDULING Customer and Seller,who will jointly manage this project,will together develop timelines for an anticipated schedule ("Anticipated Schedule") based on Seller's project management methodology. Any dates, deadlines, timelines or schedules contained in the Anticipated Schedule, in this SOW or otherwise,are estimates only,and the Parties will not rely on them for purposes other than initial planning. Page 6 Proprietary and Confidential CDW Government, LLC. Version: 1 Contract Number:38476 Drafted by:Paul Davila TOTAL FEES The total fees due and payable under this SOW ("Total Fees") include both fees for Seller's performance of work ("Service Fees") and any other related costs and fees specified in the Expenses section ("Expenses"). Unless otherwise specified,ta�ces will be invoiced but are not included in any numbers or calculations provided herein. Seller will invoice for the Total Fees. SERVICES FEES Services Fees will be calculated on a T�1vtE nND MnTExlnLs basis. The invoiced amount of Services Fees will equal the rate applicable for a unit of a service or resource("Unit Rate") multiplied by the number of units being provided("Billable Units")for each unit type provided by Seller(see Table 2). The Total Estimated Services Fees of$14,490.00 is merely an estimate and does not represent a fi,red fee.Neither the Total Estimated Billable Units of 71 nor the Total Estimated Services Fees are intended to limit the bounds of what may be requested or required for performance of the Services. Nothing contained in this SOW shall be construed to allow total Service Fees in excess of$14,490.00 without the advance written approval of the Customer. Table 2—Services Fees Sr. Security Engineer —Per Hour $200.00 56 $11,200.00 Sr. Security Engineer OT—Per Hour $300.00 4 $1,200.00 Associate Security Engineer $150.00 0 $0.00 Project Manager—Per Hour $190.00 11 $2,090.00 Project Manager OT—Per Hour $285.00 0 $0.00 Project Admin $150.00 0 0.00 Estimated Totals 71 $14,490.00 The rates presented in Table 2 apply to scheduled Services that are performed during Standard Business Hours (meaning 8:00 a.m. to 5:00 p.m. local time,Monday through Friday, excluding holidays). When Seller invoices for scheduled Services that aze not performed during Standard Business Hours,Services Fees will be calculated at 150% of the Unit Rates. For any unscheduled(i.e., emergency) Services performed at any time of the day, Services Fees will be calculated at 200%of the Unit Rates. Any non-Hourly Units will be measured in one(1)unit increments when Services are performed remotely or at any Customer-Designated Location(s)(as defined below). EXPENSES When Seller's personnel are located more than 60 miles from the Customer-Designated location,travel charges will apply. Seller will invoice Customer for the time Seller's personnel spend traveling to and/or from the Customer- Designated Location(s) (or otherwise, as necessary) at a rate of$85.00/hour. Seller will make efforts to schedule appropriate personnel from Seller's offices located nearest to the Customer-Designated Location(s) in order to Page 7 Proprietary and Confidential CDW Government, LLC. Version: 1 Contract Number:38476 Drafted by:Paul Davila minimize such expenses.Seller's ability to do so may depend on various factors(e.g.,specialized project skills needed, personnel availability,and changes to,or challenges inherent in,the Anticipated Schedule). Seller will invoice Customer for Seller's reasonable, direct costs incurred in performance of the Services. Direct expenses include,but may not be limited to:airfare,lodging,mileage,meals,shipping,lift rentals,photo copies,tolls and parking. Seller will charge actual costs for these expenses. Any projected expenses set forth in this SOW are estimates only. Two(2)weeks' advance notice from Customer is required for any necessary travel by Seller personnel. CUSTOMER-DESIGNATED LOCATIONS Seller will provide Services benefiting the locations specified on the attached Exhibit ("Customer-Designated Locations"). PROJECT-SPECIFIC TERMS 1. Customer is responsible for providing all physical and communications access,privileges,environmental conditions,properly functioning hardware and software,qualified personnel,project details,material information,decisions/directions,and personnel and stakeholder interviews that are reasonably necessary to assist and accommodate Seller's performance of the Services("Customer Components"). 2. Seller is not responsible for delays in performance directly caused by the unavailability of the Customer Components and will have the right,with prior written notice and after a reasonable opportunity for Customer to correct the failure,to reassign Seller personnel to work unrelated to this SOW and the services hereunder or to invoice Customer for time Seller personnel are thereby idled if reassignment is not feasible. 3. Both parties will treat all employee personally identifiable information as confidential per the Agreement. 4. Customer will provide in advance and in writing,and Seller will follow,all applicable Customer safety and security rules and procedures. 5. Customer is responsible for security at all Customer-Designated Locations;Seller is not responsible for lost or stolen equipment. 6. This SOW can be terminated by either party without cause upon at least fourteen(14)days'advance written notice. Page 8 Proprietary and Confidential CDW Government, LLC. Version: 1 Contract Number:38476 Drafted by:Paul Davila SOW TERMS AND CONDITIONS CONTACT PERSON(S� Each Party will appoint a person to act as that Party's point of contact("Contact Person")as the time for performance nears and will communicate that person's name and information to the other Party's Contact Person. The Customer Contact Person is authorized to approve materials and Services provided by Seller,and Seller may rely on the decisions and approvals made by the Customer Contact Person(except that Seller understands that Customer may require a different person to sign any Change Orders amending this SOW). The Customer Contact Person will manage all communications with Seller, and when Services are performed at a Customer-Designated Location, the Customer Contact Person will be present or available. The Parties' Contact Persons shall be authorized to approve changes in personnel and associated rates for Services under this SOW. PAYMENT T�RMS Customer will pay invoices containing amounts authorized by this SOW within thirty(30)days of Customer's receipt of the invoice. Any objections to an invoice must be communicated to the Seller Contact Person within fifteen(15) days after receipt of the invoice. EXPIRATION AND TERMINATION This SOW expires and will be of no force or effect unless it is signed by Customer and Seller within thirty(30)days from the SOW Created Date,except as otherwise agreed by Seller. CHANGE ORDERS This SOW may be modified or amended only in a writing signed by both Customer and Seller,generally in the form provided by Seller("Change Order"). In the event of a conflict between the terms and conditions set forth in a fully executed Change Order and those set forth in this SOW or a prior fully executed Change Order,the terms and conditions of the most recent fully executed Change Order shall prevail. PUBLIC ENTITIES CRIME ACT As provided in Sections 287.132-133, Florida Statutes, by entering into this SOW or performing any work in furtherance hereof,the Seller certifies that it,its affiliates,suppliers,subcontractors and consultants who will perform hereunder, have not been placed on the convicted vendor list maintained by the State of Florida Department of Management Services within thirty-six(36)months immediately preceding the date hereof.This notice is required by Section 287.133(3)(a),Florida Statutes. INSPECTOR GENERAL Pursuant to Article XII of the Palm Beach County Charter, the Office of the Inspector General has jurisdiction to investigate municipal matters, review and audit municipal contracts and other transactions, and make reports and recommendations to municipal goveming bodies based on such audits, reviews,or investigations. All parties doing Page 9 Proprietary and Confidential CDW Government, LLC. Version: 1 Contract Number:38476 Drafted by:Paul Davila business with the Customer shall fully cooperate with the inspector general in the exercise of the inspector general's functions,authority,and power.The inspector general has the power to take sworn statements,require the production of records, and to audit, monitor, investigate and inspect the activities of the Customer, as well as contractors and lobbyists of the Customer in order to detect,deter,prevent,and eradicate fraud,waste,mismanagement,misconduct, and abuses. PUBLIC RECORDS In accordance with Sec. 119.0701,Florida Statutes,the Selier must keep and maintain this SOW and any other records associated therewith and that are associated with the performance of the work described in the SOW. Upon request from the Customer's custodian of public records, the Seller must provide the Customer with copies of requested records,or allow such records to be inspected or copied,within a reasonable time in accordance with access and cost requirements of Chapter 119,Florida Statutes. Should Seller fail to provide the public records to the Customer,or fail to make them available for inspection or copying, within a reasonable time, Seller may be subject to attomey's fees and costs pursuant to Sec. 119.0701,Florida Statutes,and other penalties under Sec. 119.10,Florida Statutes. Further, the Seller shall ensure that any exempt or confidential records associated with this SOW or associated with the performance of the work described in the SOW aze not disclosed except as authorized by law for the duration of the SOW term,and following completion of the SOW if the Seller does not transfer the records to the Customer. Finally, upon completion of the SOW,the Seller shall transfer,at no cost to the Customer,all public records in possession of the Seller,or keep and maintain public records required by the Customer. If the Seller transfers all pubiic records to the Customer upon completion of the SOW,the Seller shall destroy any duplicate public records that are exempt or confidential and exempt from public records disclosure requirements. If the Seller keeps and maintains public records upon completion of the SOW,the Seller shall meet ali applicable requirements for retaining public records. Records that are stored electronically must be provided to the Customer,upon request from the Customer's custodian of public records,in a format that is compatible with the Customer's information technology systems. IF THE SELLER HAS QUESTIONS REGARDING THE APPLICATION OF CHAPTER 119, FLORIDA STATUTES, TO THE SELLER'S DUTY TO PROVIDE PUBLIC RECORDS RELATING TO THIS SOW, PLEASE CONTACT THE VILLAGE OF TEQUESTA CLERK, RECORDS CUSTODIAN FOR THE CUSTOMER, AT (561) 768-0685, OR AT lmcwilliams(�a,tequesta.org, OR AT 345 TEQUESTA DRIVE, TEQUESTA, FLORIDA 33469. MISCELLANEOUS This SOW shall be govemed by Seller's "Terms and Conditions of Sales and Service Projects", accessed via the "Terms&Conditions" link at www.cdwg.com(the"AgreemenY'). If there is a conflict between this SOW and the Agreement,then the Agreement will control, except as expressly amended in this SOW by specific reference to the Agreement.References in the Agreement to a SOW or a Work Order apply to this SOW.This SOW and any Change Order may be signed in separate counterparts, each of which shall be deemed an original and all of which together will be deemed to be one original.Electronic signatures on this SOW or on any Change Order(or copies of signatures sent via electronic means)are the equivalent of handwritten signatures.This SOW is the proprietary and confidentiai information of Seller. Page 10 Proprietary and Confidential CDW Government, LLC. Version: l Contract Number:38476 Drafted by:Paul Davila The Agreement is amended as follows: 1. References to Illinois law are changed to Florida law and references to Cook County, Il. venue are changed to Palm Beach County,Fl. venue. 2. The prohibition on class action participation is eliminated. 3. Seller shall provide Customer with a minimum of 30 days advance written notice in the event of an assignment or subcontract. Customer shall have the right to terrr►inate the SOW upon receipt of such notice. SIGNATURES In acknowledgement that the parties below have read and understood this Statement of Work and agree to be bound by it, each party has caused this Statement of Work to be signed and transferred by its respective authorized representative. CDW Government,LLC. Village of Tequesta By: By; signature Signature Name: Name: Date: Date: Mailing Address: Mailing Address: 230 N.Milwaukee Avenue,Vernon Hills,IL.60061 Street: City/ST/ZIP: ❑The following PSM has given approval: Billing Contact: Annette Ditter Street: City/ST/ZIP: ❑A purchase order for payment hereunder is attached. ❑A purchase order is not required for payment hereunder. Page 11 Proprietary and Confidential CDW Government, LLC. Version: 1 Contract Number:38476 Drafted by:Paul Davila EXHIBIT A. CUSTOMER-DESIGNATED LOCATIONS Seller will provide Services benefiting the following locations("Customer-Designated Locations"). Table 3—Customer-Designated Locations Village of Tequesta ❑Assessment Q Implementation ❑Support 345 Tequesta Dr, Q Configuration Q Project Management ❑Training Tequesta, FL 33469 Q Design ❑ Staff Augmentation ❑Custom Work Page 12 Proprietary and Confidential CDW Government, LLC. Version: 1 Contract Number:38476 Drafted by:Paul Davila _� Cisco Firepower ' ' Deployment with � � ,� `� ; Threat Packa�e / ;�� ` , =`"`"."`�__ - . .� STATEMENT OF WORK .�.�►. -� � I 10/25/2018 Prepared for �, Village of Tequesta Presented By Jim Grogan ', Inside Account Execudve,SHI �I 732-652-0833 �, Jim Gro�an@shi.com • h Prepared for Village of Tequesta Version 1-0 SHI Intl.Corp.and Village of Tequesta Confidential ii Prepared for Vitlage of Tequesta Table of Contents 1. Executive Summary............................................................................................................................................1 2. Project Management...........................................................................................................................................1 3. Summary of Customer Environment...............................................................................................................1 4. Scope of Services Overview...............................................................................................................................2 5. Document Deliverables......................................................................................................................................3 1. Build Documents:..........................................................................................................................................4 6. Project Duration..................................................................................................................................................4 7. Resources and Skills...........................................................................................................................................4 S. Assumptions........................................................................................................................................................5 9. Locatior►s......................................................•-••---..........................................................---........_...........................7 10. Customer Responsibilities............................................................................................................................7 11. Change Control Process................................................................................................................................8 12. SOW Review Process....................................................................................................................................9 13. Price and Payment Schedule........................................................................................................................9 1. Payment Schedule.........................................................................................................................................9 2. Travel Expenses.............................................................................................................................................9 3. Billing Terms................................................................................................................................................10 14. Terms&Conditions....................................................................................................................................10 15. Special Data Security Considerarions.......................................................................................................10 16. SOW Acceptance..........................................................................................................................................11 17. CONFIDENTIAL.........................................................................................................................................11 18. APPENDIX A—Change Request Form....................................................................................................12 Version 1-0 SHI Intl.Corp.and Village of Tequesta Confidential iii Prepared for Vitlage of Tequesta Version 1-0 SHI Intl.Corp.and Village of Tequesta Confidential iv Prepared for Village of Tequesta Village of Tequesta("Customer")has engaged SHI International Corp("SHI") to deploy Cisco Firepower with Threat Defense("Services").The specific goals and objectives for this project are as follows: Collaborate with Village of Tequesta to: • Deploy a pair of Cisco FirePower 2120 • Deploy Threat Defense • Deploy Firepower Management Center on VMware • A resource will be provided by SHI to work with Village of Tequesta to see the entire project through to completion. This resource will be the first call for support of any kind at any time during the project. SHI project management covers items such as,but not limited to: • Conducts a kick off ineeting to ensure all project deliverables are outlined and sets proper project expectations. • Ensures project timelines, dependencies,budgets and closure are met within the project lifecycle. • Holds regular status meetings with SHI's delivery team to idenHfy proactively any issues that may arise in order to mitigate risk. • Holds regular status meetings with the Customer to review project status,open action items,and upcoming tasks. • Issues regular stahis reports to the management of all companies involved in the project. • Facilitates any necessary change orders and administrative tasks as necessary. � ' • • ' ' • Current State: • ASA 5510 • Untangle Firewall Version 1-0 SHI Intl.Corp.and Village of Tequesta Confidential 1 Prepared for Village of Tequesta � • s . � • r SHI shall provide to Village of Tequesta the services described as follows: In-Scope Discoverv: • Kick-off Meeting: o Introduce parties. o Define Roles&Responsibilities. o Verify Requirements and Expectations. o Discuss Milestones&Schedules. • Gather existing company information. • Establish remote access to customer's environment. • Intemal Planning Meetings. • Review Customer provided documentation. • Conduct usability testing and analysis of the current site. Determine what is working and what is not working with the site(navigation,content, functionality). • Gather technical/functionality specifications. Have a general understanding of how the current environment functions and the specific technologies involved. • Conduct Network Discovery to obtain information on devices that will be monitored and managed. • Customer agreement of new Configuration&Deployment approach along with a tentative Schedule. Design&Build: • Download related softw-are and verify licensing. • Export existing system's configuration and perform a backup. • Review any ACLs, 1VATs, Static Routes, VPN tunnel policies,etc. • Review Untangle Firewall ConEiguration • Review&Remove Unnecessary Firewall Rules • Update Operating System and any other components to the latest safe harbor release. • Build new unit with defined configurarion parameters. • Configure SSL Inspection and create one rule to validate confi�iration • Integrate with AD • Deploy URL, AMP, [PS filtering. Configure based on industry best practices,and tune to any specific Customer recluirements. Version 1-0 SHI Intl.Corp.and Village of Tequesta Confidential 2 Prepared for Villa�e of Teyuesta Implementation: • Schedule with Village of Tequesta an implementation date, and ensure all change management processes have been taken care of by Village of Tequesta. Ensure there are individuals are lined up by the Customer to do the testing. • Perform System Integration Testing(SIT),Validation, and Troubleshooting. • Perform Cutover to Production. Post-Im�lementation: • Check health indicators of the system post cutover. • Complete configur�tion documentation as applicable. • Provide Knowledge Transfer to Customer's IT Administrators(up to 4 hours). • Project Wrap-Up and Close-Out Meeting. Out of Scope 1. Technical support and hardware replacement due to equipment failures,software function failures,degraded performance,etc. 2. Communication to Customer's employees for changes made to the environment. 3. Racking and cabling devices,or providing an initial IP for remote net�vork connectivity. 4. Integrations or configtirations with products other than the ones specified in scope,and other that what is being ptuchased for this project. 5. Developing rules and clearing Ealse positives beyond of what's in scope. 6. NegoHations with the ISP for changes to the demarcation points and ordering of services. 7. Any other services that are not explicitly defined in the "In Scope" section. Such services may be ac�dressed with a separate SOW or Change Order. � � � ' • : The following documentation will be delivered in this project. Management of this documentation evill be as follows: 1. The SHI team will create the document 2. The SHI project manager will institute revision control on the document 3. Document will be sent to Village of Tequesta for revie�v. Unless agreed upon previously, feedback from Village of Tec�uesta will be required within five business days. If feedback is not received within that timeframe, the document will be considered "accepted" by the Customer Version 1-0 SHI Intl.Corp.and Village of Tequesta Confidential 3 Prepared for Vitta�e of Teyuesta 4. Village of Tequesta reviews and either approves it,or returns to the SHI project manager with changes indicated 5. SHI team makes any necessary changes 6. SHI project manager delivers final version of document to Village of Tequesta.This version, if required, will be used in subsequent steps in the project 1. BUILD DOCUMENTS: Documentation is delivered in either Microsoft Visio,Microsoft Word,or Microsoft Excel formats. a. System Configuration , ' • � • The estimated project duration is 1 WEEK(depending on scheduling)*. SHI will work with Village of Tequesta to provide the required resources to meet a schedule that would be agreeable to all parties. In addition,the schedule assumes reasonable access to Village of Tequesta resources and does not allow for holidays,vacations,and unforeseen delays in deliveries. *Pleose be advised that the above timeframe is to provide a general timeline for delivery and is not a true reflection of the tota!man hours/effort involved for this engagement. . � . � SHI will provide individual resources outlined below to be participants for this project effort.These resources will participate in all required steps and will be fully or partially responsible Eor tasks and deliverables where appropriate: . . , � , � � • �� • � IT Resource(s) Remote Cisco Engineer Full Time Project Manager Responsible for overseeing the project success, Part Time I scope,and risk management Version 1-0 SHI Intl.Corp.and Village of Tequesta Confidential 4 Prepared for Villa�e of Tequesta � � The program and associated price quoted within this Statement of Work are based on the following assumptions.Should any element(s)of these assumptions be lacking during execution of services, additional time and associated fees and expenses may be required to complete this Statement of Work. 1. SHI is not responsible for lost data.SHI recommends that Village of Tequesta perform a full working backup of their network prior to the commencement of services. 2. Please note that the time designated for knowledge transfer is throughout the engagement. Village of Tequesta is responsible for providing a resource dedicated to this engagement and the extent of the knowledge transfer is dependent upon the availability of this resource. 3. Minimum lead time for scheduling is fourteen(14)business days Erom our receipt of the signed SOW or fourteen(14)business days from the confirmed start date between SHI and Village of Tequesta; whichever date is later. Should you require more aggressive scheduling, please contact SHI to determine availability. 4. SHI will not develop applications as a part of this SOW. 5. Village of Tequesta will provide the necessary hardware to complete the engagement. 6. SHI is not responsible for delays caused by failures;including but not exclusive to systems, personnel or environmental causes or in receiving data from Village of Tequesta 7. Any restrictions or requirements regarding the engineer's use of personal equipment must be stated in advance of the commencement of the engagement. 8. Village of Tequesta will provide, to the extent necessary, administrative usernames and passwords to meet necessary obligations. 9. Village of Tequesta will provide necessary and accurate information regarding their current network environment.Such information may include,but not limited to network diagrams, configuration baselines and settings, procedures, host parameters(such as: hostnames/IP addresses/masks/ default gateways/DNS/SNMP/SMTP), and any other technical information that may be needed to support the environment,and/or complete the assigned project. 10. Village of Tequesta will provide adequate level of access to any peripheral equipment(routers/ switches) that interface to the managed equipment. Provide any necessary access to other systems(IT Help Desk,etc.)the Provider may be expected to interface with. If access to that equipment is not feasible, then Village of Tequesta will provide an IT Engineer who could supply SHI with configurations about peripheral equipment on a need basis. 11. Village of Tequesta shall be responsible to inform SHI of any other information that may be needed, before making any system changes. 12. Village of Tequesta will be responsible for racking and cabling of devices,as well as providing an IP address that SHI will use to access those devices. 13. Village of Tequesta will provide the necessary workspace and netw�ork access to provide the above services. Version 1-0 SHI intl.Corp.and Village of Tequesta Confidential 5 Prepared for Village of Tequesta 14. Village of Tequesta will provide VPN access into their company's network,so SHI may perform any necessary work. An IPsec coiulection is desired. 15. Village of Tequesta will provide access to building(s)and room(s)as necessary to complete the services described above. 16. All hardware and/or software and licensing required to perform the above services will be provided by and is the responsibility of Village of Tequesta.All wiring,hardware,and software required to perform the above services are in working order. 17. Village of Tequesta will ensure that a valid manufacturer maintenance contract exists at all times for the equipment included in the scope of this project. 18. Village of Tequesta will be directly responsible for escalation of all issues requiring manufacturer support. 19. Village of Tequesta will ensure that all affected equipment under this SOW have a valid manufacturer's license. 20. Village of Tequesta is to define Change"windows" for production changes. 21. Village of Tequesta will authorize SHI to be added in the Manufacti.irer's Support Contract for the purposes of placing Tech Support calls on behalf of Village of Tequesta. 22. It is understood that all wiring,hardware,and software required to perform the above services are in working order. 23. Customer will provide a designated onsite engineer who will be the"hands and feet" of the Provider for any physical access,and Eor any console access to the managed equipment, as needed. 24. Customer will be responsible in obtaining any internal Change Management approvals before Provider proceeds with any production changes 25. Village of Tequesta will provide a technical point of contact during the time of this engagement. 26. No cutovers will be scheduled on or near the Nationally recognized holidays of New Year's Eve or New Year's Day, Martin Luther King,Jr. Day, Memorial Day, Independence Day, Labor Day, Thanksgiving weekend (all four days),Christmas Eve or Christmas Day,unless mulually agreed by both parties. 27. No overtime services will be provided without a change order authorizing such charges. "Overtime" is defined as any work performed outside the hours of 8:00 AM to 5:00 PM local time. 28. All work is to be performed remotely. 29. All parties agree that personnel shall not be asked to perform, nor volunteer to perform,engineering and/ar consulting tasks that lie outside the skill sets and experience of personnel.Personnel have the right to decline on a service request if the request falls outside the scope of their experience and expertise. Version 1-0 SHI Intl.Corp.and Village of Tequesta Confidential 6 Prepared for Village of Tequesta ' � • The location/s oE contacts and services is: CUSTOMER CONTACT INFORMATION Company Name: Villa e of Te uesta Street Address: 345 Te uesta Drive City,State,Zip Code: Tequesta,FL 33469 'Contact Name and Title: Brad Gomber ;Director of IT Contact Phone Number and E-mail address: (561)768-0554; b omber C�te uesta.or 'WORK LOCATION �I Street Address: iAll work to be performed remotely City,State,Zip Code: All work to be performed remotely 1 • ' � � Both Village of Tequesta and SHI are responsible for the successful execution of this engagement.Village of Tequesta agrees to the following assigned responsibilities: • Prior to the start of this project,Village of Tequesta will indicate to SHI in�vriting a person to be the point of contact. All engagement communications will be addressed to such point of contact(the "Customer Contact"). • The Customer Contact will have the authority to act for Village of Tequesta in all aspects of the engagement;however any changes that affect the scope of this SOW, schedule or price will require that an amendment to the SOW be executed between the parties. • The Customer Contact shall have the authority to resolve conflicting requirements. • The Customer Contact will ensure that any communication between Village of Tequesta and SHI is made through the SHI project manager. • The Customer Contact will obtain and provide engagement requirements,inFormaHon,data, decisions and approvals within one working day of the request,unless both parties agree to a different response time. Version 1-0 SHI Intl.Corp.and Village of Tequesta Confidential 7 Prepared for Village of Tequesta • The Customer Contact will ensure that SHI engagement personnel have reasonable and safe access to the Engagement site and adequate office space, if required. • The Customer Contact will help resolve engagement issues and ensure that issues are brought to the attention of the appropriate persons within the Village of Tequesta organization, if required. • Customer Contact will provide technical points-of-contact, who have a working knowledge of the enterprise components to be considered during this engagement("Technical Contacts"). SHI may request that meetings be scheduled with Technical Contacts. • Village of Tequesta will inform SHI of any necessary access issues and security measures, and provide access to all necessary hardware and facilities as required. • Village of Tequesta will provide,at no expense to SHI:computer hardware,software,and necessary access to the Village of Tequesta network as required to complete the work described in this SOW. • Village of Tequesta is responsible for providing necessary telecommunications equipment,and related infrastructure as required for the successful completion of this Engagement. • Village of Tequesta agrees that all related information regarding this engagement will be communicated to SHI as expeditiously as possible. • • ' • The"Change Control Process" is that process which shall govern changes to the scope of Services during the life of the SOW.The Change Control Process will commence at the start of the Project and will continue throughout the Project's duration. Under the Change Control Process, a written"Change Reqt�est Form" (attached as Appendix A)will be the instrument for communicating any desired changes to the SOW. The Change Request Form will describe the proposed change; the reason for the change and the effect the change may have on the project. The project manager oE the requesting party will submit a written Change Request Form to the project manager for the other parties. SHI and Village of Tequesta will review the change request. All parties must sign the approval section of the Change Request Form to authorize the implementation of any change that affects the SOW's scope of services,schedule or price.Furthermore, any such changes that affect the scope of this SOW, schedule or price will require that an amendment to the SOW be executed between the parties. Version 1-0 SHI Intl.Corp.and Village of Tequesta Confidential 8 Prepared for Villa�e of Tequesta � . . . � Upon receipt of a signed SOW and purchase order,planning for the project will commence. A key step in the planning process is the kickoff ineeting with SHI and Village of Tequesta's team. In the kickoff ineeting,the contents of the SOW will be reviewed.This is an opportunity for Village of Tequesta's team who will be involved with the project to understand the SOW's goals, tasks,deliverables, and timelines. Upon completion oF the project kick-off ineeting,minutes of the kickoff ineeHng will be created based on the meeting discussion and distributed to Village of Tequesta. Any changes to the project scope will be documented in these minutes.If Change Orders are necessary due to scope changes, that process would be initiated after the kickoff ineeting. ' � ' � � SHI proposes to deliver the services described here for a fixed price for the fees set forth below: Program Component Fee Cisco Firepower Deployment with Threat Package $10,347 This price quote is valid for 60 days from 10/2�/2018. Any additional work that is required outside the scope of this SOW shall follow the Change Control Process or initiate a new SOW. 1. PAYMENT SCHEDULE The following table describes the project milestones.When these are completed and approved by Village of Tec�uesta,SHI will invoice the speciEied amount. Project Milestones % Fee Project Close 100 $10,347 Tatal: 100 $10,347 2. TRAVEL EXPENSES No travel is requirecl for tlus project. Version 1-0 SHI Intl.Corp.and Village of Tequesta Confidential 9 Prepared for Viltage of Tequesta 3. BILLING TERMS SHI will request the approval of Village of Tec�uesta when a milestone(see Payment Schedule above)has been completed. Upon receipt of Village of Tequesta's approval,SHI will invoice Village of Tequesta for the milestone. All im�oices are due and payable within 30 calendar days of the invoice date. The total fee does not include applicable taxes. Invoice(s) will include any applicable taxes due. � : • � � This statement of work(SOW) is subject to and governed by the terms of the Professional Services Agreement("Agreement") shown in SHI PSA-Terms and Conditions. In the event any terms and conditions of this SOW conflict with the Agreement,this SOW will control for the purposes of this SOW only.All terms defined in the Agreement and used herein will have the same meaning as set for in the Agreement. � • ' • � ' • As data security concerns and regulations continue to rise in import such as Health Insurance Portability and Accountability Act("HIPAA")and Payment Card Industry Data Security Standard ("PCI DSS"),SHI wants to ensure the project delivery team maintains that compliance. If the Customer organization utilizes special tools or has procedural requirements that must be observed during this project such as the use of cloud storage or file/email encryption,please advise your SHI sales representative and project manager as soon as possible. If required tools are not currently employed by the SHI team, the costs of those tools will be a project expense pass-through. Please allow project initialization time for acquisition of these tools. Version 1-0 SHI Intl.Corp.and Village of Tequesta Confidential 10 Prepared for Village of Tequesta � ' The parties, intending to be legally bound,have caused this SOW to be executed by their authorized representatives on the dates set forth below. Village of Tequesta SHI International Corp. Name Name Title Title Signature Signature Date Date • � The information in this document shall not be duplicated, used,or disclosed in whote or in part outside Village of Tequesta's organization. If a contract is awarded to SHI as a result of or in connection with the submission of this document,Village of Tequesta shall have the right to duplicate, use,or disclose the information within its organization to the extent provided by the contract between Village of Tequesta and SHI. T'his restriction does not limit Village of Tequesta right to use information contained in this document if it is obtained from another source without restriction. Version 1-0 SHI Intl.Corp.and Village of Tequesta Confidential 11 Prepared for Village of Tequesta . . � � � CHANGE REQUEST FORM Project Name: Cisco Firepower Deployment with Threat Package Customer Name: Village of Tequesta Change Request Number: Date: Submitted by: Change Evaluator: CHANGE REQUEST DESCRIPTION IMPACT OF CHANGE PRICE SIGNATURES Status:Accepted/Rejected Reason: Village of Tequesta Approval: Date: SHI Project Manager Approval: Date: Version 1-0 SHI Intl.Corp.and Village of Tequesta Confidential 12