STATEMENT OF WORK

Between

And

Cyber Security Solutions, Inc.

This Statement of Work for Information Technology Services (the “Solutions”) is entered into this day of , by and between {{company_name}} a company (hereinafter referred to as “Customer”), having offices located at TBC and Cyber Security Solutions, Inc., a Delaware corporation (hereinafter referred to as “CSS”), located at 2502 N. Rocky Point Drive, Suite 820, Tampa, FL 33607 (each a “Party”, and collectively referred to as the “Parties”).

RECITALS

WHEREAS, Customer is a federal contractor or supplier offering services to Department of Defense (DoD), or a supplier in the Defense Industrial Base.

WHEREAS, the DoD requires contractors, sub-contractors and suppliers to have Cybersecurity Maturity Model Certification (CMMC) in order to participate in the DoD supply chain.

WHEREAS, CSS is a Registered Provider Organization (RPO) accredited by the CMMC Accreditation Body (CMMC-AB) providing Managed Compliance Services to customers within the DoD supply chain.

WHEREAS, CSS is providing turn-key services for Customer to meet Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, 252.204-7019, 252.204-7020, and 252.204-7021 compliance requirements to include the protection of International Traffic in Arms Regulations (ITAR) data.

WHEREAS, CSS complies with FAR clause 52.204-21, DFARS clauses 252.204-7012, -7019 and -7020, with the inclusion of the text of the clauses, and acceptance of requirements of external cloud service providers under 48 CFR § 252.204-7012 (b)(2)(ii)(D) and (c)-(g).

WHEREAS, the Parties declare the terms and conditions, mutual promises, covenants, and agreements herein set forth for CSS to perform all CMMC compliance services as set forth in the Contract. The rights and obligations of the Parties shall be subject to and governed by the Schedule and other documents or specifications attached hereto or referenced herein.

WHEREAS, the Parties have entered into the MSA which is in force as of the date of this SOW. The Parties agree that in the event there is any conflict between the MSA and this SOW, this SOW shall control.

WHEREAS, the Parties agree that any capitalized terms used in this SOW that are not defined herein shall have the meanings ascribed to them in the MSA.

NOW, THEREFORE, in consideration of these premises and in express reliance upon the mutual promises and covenants contained herein, the Parties hereby agree as follows:

SECTION A – SCOPE OF WORK

A1. Solutions. The following Solutions will be provided by CSS and effective from TBC (the “Commencement Date“) for a period of Thirty Six (36) months (the “Initial Subscription Term”), unless terminated earlier as provided by the terms of this SOW or the MSA:

Network Vulnerability Scan (Quarterly) – Complete network scan identifying potential vulnerabilities.
Network Vulnerability Report (Quarterly) – Complete report highlighting new vulnerabilities, a mitigation plan to fix new vulnerabilities, and verifying existing vulnerabilities have been resolved.
Data Migration – Identified data migration services to include all necessary email and data migrations.
Hybrid Technical Environment – CSS proprietary security hardware solution complimented by a cloud environment to include configuration, migration, maintenance, failover, and redundancy
Ongoing Support and Services provided including:
- Firewall Protection
- Domain Controller
- VPN(Virtual Private Network)
- VLAN segmentation
- Multi-Factor Authentication (MFA)
- Incident Response & Disaster Recovery Services
- Security Information and Event Management (SIEM)
- Advanced Ransomware Defense
- Web Proxy & Web Filtering
- Data Destruction
- Patch Management
- Managed Anti-Malware & Anti-Virus
The following services are not included:
- Maintenance on peripherals like:
  - Printers
  - Cameras
  - Badging system
  - Third-Party Proprietary Software
  - Internally developed programs and/or applications
  - Hardware not owned by CSS

—– SEE SECTION F FOR MORE DETAILS —–

SECTION B – SERVICES & FEES

B1. Fees

Pricing in CMMC Level 2 Packages will vary, refer to the prices listed on the website more details. This template is to be used a a reference to our standard SOW that will be tailored to your solution after the checkout process on the website is completed.

Service Type

CMMC Level 2
The CMMC Level 2 Complete product is CSS’s most comprehensive compliance offering, built for organizations that handle Controlled Unclassified Information (CUI). It covers the full scope of NIST SP 800-171 practices and provides both advanced security services and IT support, ensuring companies can meet compliance requirements while simplifying day-to-day operations.

B2. Additional Devices, Deactivated Devices, and Dormant Devices.

Additional devices will be added to monthly invoices at $150.00 per device, per month, as applicable.

Deactivated devices will remove $150.00 per device, per month, as applicable.

Re-activation can take 5-10 business days before re-activation due to security updates and potential re-imaging.

CSS recommends transitioning unused devices into a dormant phase to ensure security patching and updates are still conducted.

Dormant device pricing is only and can be re-activated immediately for new employees. $ 50.00 per device, per month.

Customer agrees that the minimum monthly fee for the solution shall be $995.00 per month (regardless of the number of units), unless a reduced price was approved by a signed contract addendum.

All Fees shall be due and payable on the first day of every month, commencing on TBC .

The Fees required to be paid by Customer pursuant to this SOW, Quote, or Proposal are subject to an automatic increase at the option of CSS effective as of each annual anniversary of this SOW (the first increase date being) in the amount of four percent (4%) or eighty percent (80%) of the Consumer Price Index (CPI) for the United States as published by the United States Government for the prior calendar year, whichever is greater.

SECTION C – SERVCE LEVEL AGREEMENT

C1. Service Level Agreement. In support of services outlined in this document, CSS will respond to service-related issues and/or requests submitted by the Customer within the following timeframes:

- - Critical (30 Minutes) – Catastrophic inability to conduct business.
  - High (2 Hours) – Loss of major job duty.
  - Medium (4 Hours) – User is still operational but has other options available.
  - Normal (6 Hours) – All systems are operational.
  - Informational (1 Business Day) – Request for Information.

These timeframes do not reflect resolution times, they refer to the time it will take a technician to make initial contact and to become engaged in the issue. After being briefed the technician shall provide a plan with an estimated time of completion. Abuse of the level classification will initiate a review of this SOW and the unlimited on-site support for a flat fee. Upon sixty (60) days advance notice from CSS, CSS may increase the Fees being paid by Customer to include an hourly on- site/off-site support cost to prevent abuse. Remote service will be provided in-line with the above timescales dependent on the priority of the support request.

In the case of cyber incidents, CSS will provide required reports and assist the Customer in reporting procedures in accordance to their cybersecurity insurance policy within the time stipulated on such policy and under the advisement of the Customer legal representation.

SECTION D – INSPECTION AND ACCEPTANCE

All Solutions performed under this SOW shall be deemed accepted by Customer upon delivery. Customer shall have access to and the right to inspect all Solutions being performed under this SOW unless inspection will violate CSS’s protection of confidential and proprietary information. Inspections and tests shall be performed in such a manner as not to unduly delay work in progress. Rejected services shall be re-performed in an acceptable manner.

SECTION E – DELIVERABLES AND PERFORMANCE

E.1 Deliverables: CSS shall provide specified reports in the CDRLs to the Customer on a frequency basis as provided in the table below:

CDRL #	TITLE	DELIVERY
A001	Network Vulnerability Scan	Monthly
A002	Network Vulnerability Report	Quarterly
A003	CMMC Level 2 Compliance	180 days from contract start*
A004	CMMC Level 2 Compliant Policies & Procedures Templates	180 days from contract start*

*Delivery date may change due to uncontrollable delays in receiving Customer data.

SECTION G – PRIMARY POINT OF CONTACT

G1. Communications: All notices or communications (other than normal business communications) required by this SOW, or desired to be given hereunder, shall be in writing addressed as follows, and given by certified or registered mail, return receipt requested, or by email and shall be deemed to be given when received.

SECTION H – SPECIAL CONTRACT PROVISIONS

H1. Indemnification and Limited Liability. Both Parties shall indemnify and hold harmless the other from and against all loss, claim, damage, penalty, cost, and expense whatsoever, including reasonable attorneys’ fees, caused by its own negligence or that of its employees, agents or authorized representatives, arising out of the performance or nonperformance of obligations under this Contract. CSS will maintain $3,000,000 of cyber liability insurance and will provide a certificate to evidence this coverage upon execution of this Contract.

H2. Confidential and Proprietary Information. Confidential Information” refers to all data, reports, drawings, tapes, formulas, interpretations, forecasts, business plans and analyses, records, trade secrets, customer lists, documents, proposals, information regarding products, pricing, terms of sale, processes, research and development, apparatus and application methods and all other information reflecting upon or concerning a Party that are not openly communicated or made accessible by the Disclosing Party to third parties, and that is obtained from the Disclosing Party, its employees, subsidiaries and affiliates, or that the Receiving Party otherwise acquires while engaged hereunder, including information of a third party as to which the Disclosing Party has a nondisclosure obligation.

Any CSS property, such as drawings, specifications, data and the like, furnished to Customer for performance of the work shall remain the property of CSS, shall be considered private and confidential information, and shall not be given to others not having a need-to-know or used by Customer for its own purposes. Any designs, drawings, dies, molds, tooling, technical data/information, materials, equipment, etc. that CSS makes or buys from others for producing the supplies/services and charged to Customer’s account, shall become Customer’s property immediately upon manufacture or procurement. When practical, all such Customer property shall be marked as belonging to Customer, shall be held by CSS and shall be used exclusively to perform the work requirements of this Contract.

Upon contract completion, all CSS furnished property shall be returned to CSS in the same condition as received, allowing for reasonable wear and tear, except to the extent that the property has been incorporated into supplies delivered or consumed in the performance of the work. Documentation such as policies, procedures, and network diagrams belong to the Customer upon delivery and approval.

Any information reflecting upon or concerning either Party and known, communicated or accessible to the other Party shall also be deemed to be Confidential Information unless such information has been published by the Disclosing Party in publicly available documents.

H3. Non-disclosure. In addition to the provisions above, the Parties:

1. 1. Agree that Confidential Information is the sole property of Disclosing Party and that such Confidential Information shall be used only in providing consulting services hereunder;
  2. Shall hold the Confidential Information in confidence and not disclose it in any manner whatsoever, in whole or in part, to any person except to employees of CSS, or to employees of Customer who need to know in order to perform their duties and who agree in writing to use the Confidential Information only to assist in the performance of the duties hereunder;
  3. Shall take or cause to be taken all reasonable precautions to prevent the disclosure or communication of Confidential Information to third parties; The standard of care for protecting Confidential Information imposed on the Party receiving such information, will be that degree of care the receiving Party uses to prevent disclosure, publication or dissemination of its own Confidential Information. Neither Party shall be liable for the inadvertent or accidental disclosure of Confidential Information if such disclosure occurs despite the exercise of the same degree of care as such Party normally takes to preserve its own such data or information.
  4. Agrees that each reproduction, duplication, or copy of any portion of CSS Confidential Information shall be deemed CSS Confidential Information for all purposes hereunder; and
  5. Shall, upon expiration or termination of the Contract, discontinue all use of CSS Confidential Information and return all documents containing CSS Confidential Information to CSS.

H4. Security Breaches. Each party shall promptly provide the other party with notice of (i) any actual or potential disclosure, access to or use of any personal information relating to such other party’s customers or employees in breach of this Agreement and (ii) any unauthorized intrusion into systems containing such other party’s personal information.

The party who had possession or control of the applicable personal information at the time of such breach or intrusion shall, at its own cost and expense: 1) promptly (both orally, if practicable, and in any event in writing) notify the other Party of the security incident and 2) reasonably cooperate with the other Party to:

1. take commercially reasonable measures necessary to control and contain the security of such confidential information,
2. remedy any such security incident, including using commercially reasonable efforts to identify and address any root causes for such security incident,
3. provide the other Party with assurance reasonably satisfactory to such other party that such breach or intrusion shall not recur,
4. furnish full details of the security incident to the other Party and keep such other Party advised of all material measures taken and other developments with respect to such security incident, enter any litigation or formal action with a third party or in connection with any regulatory, investigatory or other action of any governmental authority and
5. notify the other Party’s or its Affiliates’ customers and personnel and other person of the security incident to the extent reasonably requested by the other party.

Customer shall have the right to participate in any security investigation relating to the personal information of any customer or client. Notwithstanding the foregoing or anything in this Agreement to the contrary, neither party shall be precluded from immediately pursuing any rights or remedies it may have under or relating to privacy, security or confidentiality.

H5. No License. CSS does not grant a license to Customer for the exclusive and perpetual right to use any and all of CSS’s know-how and trade secrets that are necessary for the implementation of work performed by CSS incident to this contract.

H6. Patent, Trademark and Copyright Indemnity. CSS agrees to indemnify, defend, and hold harmless Customer, its customers, and those for whom Customer may act as agent, for reasonable costs, expenses, damages, or liability that Customer may incur as a result of any proceedings charging infringement of any patent, copyright, or trademark by reason of sale or use of any supplies/services/data furnished by CSS. CSS shall have no liability regarding alleged patent infringement for supplies furnished to Customer in accordance with Customer’s design specifications.

H7. Independent Status. Both Parties expressly represent and warrants to the other Party that it is acting as an Independent Contractor and that:

1. 1. Neither Party is and shall not represent to be, and will not be construed to be an employee, agent, or legal representative of the other Party and that both Parties status shall be that of an independent Contractor solely responsible for their own actions and inactions;
  2. The Parties shall act solely as an independent Contractor, not as an employee or agent of the other Party and that all agents and employees shall be subject solely to the control, supervision and authority of their respective Contractor;
  3. Neither Party is authorized to enter into contracts or agreements on behalf of the Other Party or to otherwise create obligations of the other Party to third parties; and
  4. Neither Party’s employees, agents, heirs, successors and assigns shall be entitled, by virtue of any work done under this Contract, to any benefits under any medical or travel accident insurance, profit sharing, personal leave, life insurance, or disability, or other employee benefit plan or plans maintained by the other Party for its employees.

H8. Termination for Default. Customer may, without liability and in addition to any other rights or remedies provided herein or by law, terminate this Contract in whole or in part by written notice of default if CSS:

1. 1. Fails to deliver the supplies or perform the services within the time specified;
  2. Fails to make sufficient progress with the work, thereby endangering completion of performance within the time specified; or
  3. Fails to comply with any of the other instructions, terms, or conditions; AND

CSS does not cure the default within thirty (30) days after receiving Customer’s notice of such failure. If Contract is terminated in whole or in part based on default, Customer may purchase similar supplies or services from others and CSS shall be liable for reasonable additional costs above the original price for the terminated supplies/services. In the event of a partial termination, CSS shall continue the work not terminated. Customer shall provide CSS all supporting documentation necessary to document default.

CSS shall not be liable for any additional costs if failure to perform arises from causes beyond CSS’s or CSS’s agent’s control and without fault or negligence of either of them; provided, however, that the supplies/services to be furnished by CSS (at any tier) were not obtainable from others in time for CSS to meet Contract delivery requirements. Customer shall pay CSS the Contract price for any completed supplies/services delivered and accepted. Customer and CSS shall agree on the amount of payment for materials and services delivered and accepted by Customer that are not included in the Contract.

In the event of a valid contract termination CSS shall provide appropriate transition services to the Customer’s selected follow-on provider. A fair-value formula factoring in remaining equipment and pre-performed labor costs will be factored in to calculate the final payment at cancellation.

H9. Notices. All notices or communications (other than normal business communications) required by this Contract, or desired to be given hereunder, shall be in writing addressed as follows, and given by certified or registered mail, return receipt requested, or by email and shall be deemed to be given when received.

Company Point of Contact	{{first_name}} {{surname}}
Company Name	{{company_name}}
Company Address	TBC
Phone	TBC
Email	{{email_address}}

Company Point of Contact	Jose Vazquez
Company Name	Cyber Security Solutions
Company Address	2502 N. Rocky Point Drive, Suite 820 Tampa, Florida, 33607
Phone	(813) 422-4121
Email	jvazquez@securedbycss.com

Referrals. For each new CMMC Level 2 (or higher) account that Customer refers whom signs a contract, CSS shall remove the amount of 10% of the referred account’s total monthly invoice price from the Customer’s CMMC Level 2 Certification Readiness Package price for 12 consecutive months.

Referral example: If you refer Customer X who signs a CMMC Level 2 contract with CSS, and Customer X’s monthly invoice is $5,000, you will receive a monthly discount of $500 per month starting the month after Customer X signs the CMMC Level 2 contract with CSS.

SECTION I – RESERVED SECTION

SECTION J – MISCELLANEOUS

J1. Non-solicitation. All employees of each Party to this Contract shall remain the employees of such Party for all purposes. This restriction shall not prohibit either Party from hiring an employee of the other Party where an employee is acting on his/her own and responding to general job advertisements.

J2. Assignability. This Contract shall not be transferred or assigned, in whole or in part, by either Party without the prior written consent of the other party which shall not be unreasonably withheld.

J3. Governing Law. The validity, construction, scope and performance of this Contract shall be governed by the laws of the State of Florida . The Parties to this Contract hereby agree that the courts of the State of Florida shall have sole and exclusive jurisdiction over any matter arising from the interpretation, purpose, effect, or operation of this Contract and with regard to all matters associated with this Contract. The Parties consent to venue in Florida and waive any rights they may have to assert jurisdiction or venue in any other court, administrative forum, or other adjudicative body.

J4. Severability. If any provision of this Contract shall, to any extent, be held invalid, illegal or unenforceable, in whole or in part, the validity, legality, and enforceability of the remaining part of such provision, and the validity, legality and enforceability of the other provisions hereof, shall not be affected thereby and each term, covenant or condition shall be valid and enforceable to the fullest extent permitted by law.

J5. Waiver. No waiver by either party hereto of any performance of the other party required hereunder or any default of either under the terms hereof shall constitute or imply, whether by passage of time or otherwise, any further waiver of any other performance or default.

J6. Insolvency. If CSS ceases to conduct normal business operations (including inability to meet its obligations), or if any proceedings under bankruptcy or insolvency laws is brought by or against CSS, or a receiver for CSS is appointed or applied for, or CSS makes an assignment for the benefit of creditors, Customer may terminate this Contract, without liability, except for deliveries previously made and for supplies completed and subsequently delivered in accordance with the terms of the Contract. In the event of CSS’s insolvency, Customer shall have the right to procure the balance of this Contract from others without liability.

J7. Release of Information. No news releases, including photographs and films, advertisement, public announcements or confirmation of same, or any part of the subject matter of this Contract shall be made without the prior written approval of the other Party.

J8. Disputes. Either party may litigate any dispute arising under or relating to this Contract. Jurisdiction and venue shall be proper only in a state or a federal district court exercising jurisdiction over Florida. Pending resolution of any such dispute by settlement or by final judgment, the parties shall proceed diligently with performance.

J9. Equitable Remedies. The rights and remedies of the rights hereunder shall not be mutually exclusive, and the exercise of one or more of the provisions hereof shall not preclude the exercise of any other provisions hereof. The Parties to this Contract confirm that damages at law may be an inadequate remedy for a breach or threatened breach of this Contract and agree that in the event of a breach or threatened breach of any provision hereof, the respective rights and obligations hereunder shall be enforceable by specific performance, injunction (temporary and/or permanent), or other equitable remedy. Nothing herein contained is limited to, nor shall it limit or affect any right or rights at law or by statute or otherwise of any Party aggrieved against any other Party for a breach or threatened breach of any provision hereof, it being the intention of this Section to make clear the agreement of the Parties that the respective rights and obligations of the Parties hereunder shall be enforceable in equity as well as at law or otherwise.

The Parties acknowledge the possibility of situations in which emergency relief of an ex parte nature might be sought, and agree that the exercise of the right to seek emergency relief is not inconsistent with any provisions of this Contract which may require arbitration. The Parties further agree it is the moving Party’s obligation to initiate arbitration, if it is otherwise required herein, as soon as practicable after the issuance of any preliminary injunction.

J10. Changes. Changes to this contract may be made at any time, in writing, with consent of both Parties. Failure of the parties to agree to change shall be considered a dispute under the Disputes clause hereof; however, pending resolution of any dispute, CSS shall immediately proceed with work until the dispute is resolved.

J11. Exhibits. The exhibits attached to this Contract are hereby made a part hereof and incorporated herein by reference. All such exhibits shall read as of the date of this Contract or, as to any of the exhibits bearing a particular date, as of any other date specified therein.

J12. Entire Agreement. This is the entire agreement between the Parties relative to the Contract and the exchange of proprietary information concerning the Contract; it supersedes and replaces any and all previous understandings, commitments or agreements, oral or written, related to the Contract. This Contract shall not be amended, nor shall any waiver of any right hereunder be effective, unless set forth in a document executed by duly authorized representatives of CSS and Customer.

By signing this agreement, you are adhering to the terms of our Master Service Agreement, located at: https://securedbycss.com/master-service-agreement/

SIGNATURE PAGE

I, {{first_name}} {{surname}}, agree to the terms of this agreement and I agree that my typed name below can be used as a digital representation of my signature to that fact.