OMB # 1640-0012 / Expires 12/31/2013
COVER LETTER
MEMORANDUM OF AGREEMENT – DATA PROVIDER
Thank you for your interest in joining the PREDICT community as DATA PROVIDER. Questions
regarding this MOA may be directed to PREDICT Legal Counsel, PREDICT Coordinating Center, via
phone at +1 800 957 6422 (USA) or email, predict-contact@rti.org.
Please complete the information below and send an executed copy electronically to the PCC at PREDICT-contact@rti.org or fax it to +1 866 835 0255, Attn: Project Manager. An executed copy will be returned to
you for your files.
Contact Information For Person Signing Document
Name
Title
Organization
Address
Address 2
City
State/Province
Country
Phone
Postal Code
Email
Alt Phone
Fax
DHS Authority to Collect This Information: The Homeland Security Act of 2002 [Public Law 107‐296, §302(4)] authorizes the Science and Technology Directorate to conduct “basic and applied research, development, demonstration, testing, and evaluation activities that are relevant to any or all elements of the Department, through both intramural and extramural programs.” In exercising its responsibility under the Homeland Security Act, S&T is authorized to collect information, as appropriate, to support R&D related to improving the security of the homeland.
Principal Purpose: DHS collects name, organization and title (if any), email address, home and/or work address, and telephone numbers for the purpose of contacting individuals regarding the PREDICT project and/or their involvement with PREDICT.
Routine Uses and Sharing: Some of your information will be disclosed to PREDICT team members, such as data hosts, data providers, PREDICT contractors, the Predict Coordinating Center, the advisory board, and review board members to help us deliver requested PREDICT services and operate the PREDICT Web site and deliver the services you have requested. Unless you consent otherwise, this information will not be used for any purpose other than those stated above. However, DHS may release this information for an individual on a case‐by‐case basis as described in the DHS/ALL‐002 System of Records Notice (SORN), which can be found at: www.dhs.gov/privacy.
Disclosure: Furnishing this information is entirely voluntary; however, failure to furnish at least the minimum information required to register (to include full name and email address,) will prevent you from obtaining authorization to access system.
PRA Burden Statement: An agency may not conduct or sponsor an information collection and a person is not required to respond to this information
collection unless it displays a current valid OMB control number and an expiration date. The control number for this collection is 1640‐0012 and this form
will expire on 12/31/2013. The estimated average time to complete this form is 45 minutes per respondent. If you have any comments regarding the
burden estimate you can write to Department of Homeland Security, Science and Technology Directorate, Washington, DC 20528.
DHS Form 10036 (12/07)
Last Updated: 9-8-11
MEMORANDUM OF AGREEMENT
PCC AND DATA PROVIDER
This Memorandum of Agreement (“MOA” or “Agreement”) is between the Research Triangle Institute (“RTI”), a
North Carolina corporation having offices at 3040 Cornwallis Road, Research Triangle Park, NC 27709, which
serves as the PREDICT Coordinating Center (“PCC”) and ________________________________, a _____[insert
kind of entity]___________ having offices at ___________________________________ (“Data Provider”),
(collectively referred to as “the Parties” or individually as “Party”). This Agreement is effective on
________________. References throughout this document to “PCC” shall be deemed to refer to RTI.
The PCC supports the Protected Repository for the Defense of Infrastructure against Cyber Threats (“PREDICT”)
project sponsored by the United States Department of Homeland Security (“DHS”). The PCC facilitates
interaction between PREDICT participants, processes applications from Researchers for access to Data, develops
a metadata catalog, and develops policies and procedures for PREDICT operations and the use of PREDICT
datasets.
In addition to DHS, the following eight types of organizations/individuals participate in PREDICT:
Data Provider
Data Host
Researcher
PCC
Referring Organization
External Relations Council
Application Review Board
Contractors and Third Parties
This Agreement consists of: the General Terms and Conditions, Attachments A, B, and C and any subsequent
Amendment(s) to the Agreement, if executed. The provisions of Attachments A, B, and C shall be incorporated
herein and construed so as to be fully consistent with all of the provisions of the General Terms and Conditions of
this Agreement and, in the case of any conflict, the General Terms and Conditions shall prevail unless an
Amendment to this Agreement is separately executed by both Parties and expressly amends particular provisions
of the General Terms and Conditions, in which case such Amendment shall prevail over such particular
provisions of the General Terms and Conditions.
General Terms and Conditions
Data Provider and the PCC agree to the following:
Data Category is the designation given to a grouping of all Data Sub-Categories of a certain type.
Data Sub-Category is the name given to distinguish a particular grouping of datasets within a Data Category that
have the same terms of use and which are described in Attachment A.
Data shall mean all datasets within a Data Category and Data Sub-Category.
Metadata is descriptive information about the Data (but not the Data itself) that is inserted in the PREDICT data
catalog.
DHS shall mean the U.S. Department of Homeland Security.
PCC shall mean the Predict Coordinating Center that manages the PREDICT data catalog and operations,
processes applications for PREDICT data, and handles administrative matters. The PCC does not store, maintain,
or have access to any of the Data.
Data Provider shall mean an entity that provides Data that it owns or has a right to control and disclose to
researchers, subject to the terms and conditions in an MOA between it and the PCC.
Data Host shall mean an entity that maintains computing infrastructure to store Data received from one or more
Data Providers and provides approved Researchers access to such Data.
Principal Researcher shall mean a researcher who requests PREDICT datasets in an individual capacity and who
has been identified by a Referring Organization as someone who has a legitimate need for the data.
Referring Organization shall mean an entity that identifies a Principal Researcher as someone who is affiliated or
aligned with the Referring Organization and who has a legitimate need for PREDICT datasets.
Research Organization shall mean an organization that desires to have research conducted on its behalf and
designates individuals as Data Custodians to request and be responsible for PREDICT datasets.
Data Custodian shall mean the person designated by a Research Organization as responsible for requesting
PREDICT datasets for a research effort and ensuring that the organization’s responsibilities for the receipt,
security, oversight, and handling of the Data are met.
Researcher shall mean a Principal Researcher or Research Organization.
Application Review Board (“ARB”) shall mean an entity that reviews and approves or rejects applications for
Data from Researchers.
External Relations Council shall mean designated persons who advise and make recommendations to the PCC on
policy and issues relating to privacy and the general direction of the PREDICT project.
PREDICT Team shall consist of:
1. PREDICT Coordinating Center (PCC) personnel
2. Data Providers
3. Data Hosts
4. Referring Organizations
5. Application Review Board
6. External Relations Council
7. Contractors and third parties supporting or interacting with DHS PREDICT and/or other Cyber
Division programs
8. Department of Homeland Security.
Data Provider Obligations
1. Data Provider acknowledges that this is a research effort, and that the Data it provides will be used for
research purposes and will be released by the Data Host to approved Researchers and listed members of their
research teams in accordance with this Agreement, a Memorandum of Agreement between Researcher and the
PCC, and, if applicable, a Data Use Agreement between the Data Provider and Researcher as specified in
Attachment B. Data Provider hereby grants to the PCC and the Data Host, as its agents, the right and authority to
extend to an approved Researcher the right to use Data solely for the purposes described in Attachment A of the
MOA between Researcher and the PCC.
2. Data Provider shall provide the PCC with Metadata for the Data within each approved Data Category that it
makes available to PREDICT, as described in Attachment A and which will be made available to the public via
the PREDICT portal. Data Provider shall NOT provide actual Data to the PCC, and the PCC shall have no
liability to Data Provider for any Metadata or other information not specifically covered under this Agreement
that is provided by Data Provider to the PCC or Researchers.
3. Data Provider shall provide to the PCC terms and conditions for access to and use of the Data, including any
terms and conditions from Data Host, (as described in Attachment B), which may include any of the following
information relevant to the use of the Data:
a. Identification of Data Category and Data Sub-Category, including description of and attributes of the Data;
b. Any identification, authentication, and authorization requirements for the Researcher, including access requirements of Data Host;
c. Permitted uses of Data and any specific restrictions, including Data Use Agreement (if applicable) to be executed between Researcher and Data Provider;
d. Any required safeguards (administrative, technical, physical) to protect the confidentiality of the Data;
e. Institutional Review Board requirements (if applicable);
f. Terms pertaining to archival of the Data by Researcher if permitted by Data Provider;
g. Restrictions on publishing or releasing information about the Data.
4. Data Provider shall not supply any Data other than that which is within an approved Data Category and
specified on Attachment A. Data Provider is responsible for the release of the Data to be used by Researcher, and
is solely responsible for reviewing the Data and ensuring (a) that any Data it releases complies with (i) this
Agreement, including any restrictions with respect to Data that are specified by PCC on Attachment C, (ii) all
applicable legal requirements (laws, regulations, orders, etc.) and/or compliance requirements of governing
bodies, and (iii) any contractual agreements between the Data Provider and a third party; and (b) that any Data it
releases is consistent with Data Provider’s privacy, security, or other policies and procedures applicable to the
Data. Data Provider certifies that Data provided for use in the PREDICT program is in compliance with the
foregoing and that the Data has been sanitized, de-identified, or cleaned of any and all information that is not in
compliance or consistent with Attachments A, B, or C and the preceding sentence.
5. Data Provider may have a representative on the Application Review Board, if requested by PCC. The ARB
shall be composed of at least three persons, with one representative from the PCC, one from each Data Provider
of the Data requested (if the Data Provider for the requested Data elects to review applications for its Data), and
one ad-hoc representative from the cyber security research community, selected by the PCC. If the Data
Provider(s) elects not to participate in ARB reviews, at least one PREDICT Data Provider or Data Host must
participate in the ARB review of the application. A Data Provider shall have absolute veto power over any
application for access to its Data.
6. Data Provider shall provide all terms and conditions for access to and use of the Data as set forth in
Attachment B to the Data Host prior to transfer of Data to Data Host (if Data Provider is not hosting its own Data)
and shall confirm such terms and conditions for access to and use of the Data have been established by Data Host.
7. Data Provider further agrees and consents that the names, organization, and contact information of Data
Provider and specific Data Provider personnel collected by the PCC, either via the portal or through any other
means, may be disclosed to PREDICT Team Members, to Researchers, and/or publicly posted. Data Provider
attests that he/she has obtained the agreement and consent for such disclosure and public posting from all such
personnel.
8. Data Provider shall provide information as requested to allow the PCC to audit or confirm Data Provider’s
compliance with the foregoing Obligations of this Agreement.
PCC Obligations
1. An MOA between the PCC and Data Provider, and between PCC and Data Host shall be entered into before
the Data Provider transfers Data to the Data Host.
2. The Metadata provided by Data Provider shall be catalogued by the PCC and made available to the public
via the PREDICT portal.
3. PCC shall notify Data Provider of:
a. Applications received for access to and use of their Data; and/or
b. FOIA or other legal requests or actions that PCC receives for access to Data, Metadata or other records pertaining to Data Provider.
4. PCC shall provide statistics and other information on the usage of Data and requests for Data on a monthly
basis to DHS and the PREDICT Team and shall, at its discretion, make such statistics publicly available.
Joint Obligations – Data Provider and PCC
1. All transfers of Data under the terms of this Agreement shall at all times be subject to the applicable laws
and regulations of the United States. Each Party agrees that it shall not make any disposition, by way of
trans-shipment, re-export, diversion or otherwise, of Data furnished under this Agreement outside the United
States except as said laws and regulation or this Agreement may expressly permit. Each Party shall comply in all
respects with applicable U.S. statutes, regulations, and administrative requirements regarding its relationships and
sharing of Data with non-U.S. citizens or non-U.S. governmental and quasi-governmental entities, which may
include but are not necessarily limited to, the export control regulations of the International Traffic in Arms
Regulations (ITAR) and the Export Administration Act (EAA); the anti-boycott and embargo regulations and
guidelines issued under the EAA; and the regulations of the U.S. Department Of The Treasury, Office of Foreign
Assets Control.
2. The relationship of PCC to Data Provider under this Agreement is that of independent contractors.
Personnel retained or assigned by one Party to perform services or obligations covered by this Agreement will at
all times be considered agents or employees of the Party with whom such personnel have a contractual
relationship, and not agents or employees of the other Party.
3. (a) Either Party may terminate this Agreement at any time by providing written notice of termination to the
other. Except as otherwise mutually agreed, termination shall be effective thirty (30) days from receipt of the
notice. Unless otherwise agreed to in writing, any such termination shall not affect the obligations of either Party
with respect to Data previously provided to and in the possession of a Researcher, and such obligations shall
continue through the disposition of all such Data. No new access to Data shall be granted by the PCC after notice
of termination has been received. Data Provider shall provide PCC with any instructions for Researcher(s) and/or
Data Host regarding termination of access and disposal of the Data. In the event of termination by either Party,
Data Provider shall not communicate with Researcher(s) regarding Data. The PCC shall communicate with
Researcher(s) and Data Host regarding such termination.
(b) Either Party may decide to terminate one or more Data Sub-Categories provided by Data Provider. The
terminating Party shall provide written notification of such termination to the other Party. Unless otherwise
agreed to in writing, such termination shall be immediate, and the PCC shall not process any applications to use
such Data Sub-Categories after notice of termination is received. The PCC shall notify the Data Host regarding
termination of access to such Data Sub-Categories. The Data Provider shall not communicate with any
Researcher(s) impacted by such termination. The Data Provider shall provide the PCC with any instructions for
the Researcher(s) and/or Data Host regarding disposal of the Data, and the PCC shall communicate such
instructions to the Researcher(s) and/or Data Host. The Data Provider and the PCC shall execute an amendment
to this Agreement regarding such termination.
4. (a) To the extent permitted by law, Data Provider shall indemnify, defend, and hold harmless the PCC, and
its employees, officers, directors, and agents (“PCC Indemnified Parties”), from any loss, damage, liability, claims,
costs, demands, suits, or judgments, including reasonable attorney’s fees and the assumption of the defense and its
costs, as a result of any damage or injury to PCC Indemnified Parties, including death or injury to property or to
third parties, which is directly or indirectly caused by Data Provider or the employees, officers, directors, or agents
of Data Provider through negligence or willful misconduct or violation of other statutory or regulatory duties by
Data Provider or of the obligations in paragraph 4 above under Data Provider Obligations. To the extent permitted
by law, Data Provider shall hold PCC Indemnified Parties harmless from any misuse of Data or Metadata by a
party other than PCC Indemnified Parties, and Data Provider shall not look to the PCC Indemnified Parties as an
agent to protect Data Provider from misuses of its Data by Researchers, and the PCC Indemnified Parties do not
agree to serve in that capacity. The PCC Indemnified Parties shall promptly notify Data Provider of any claim
against it or a third party of which they become aware and that is covered by this provision and Data Provider
shall, to the extent permitted by law, authorize representatives to settle or defend any such claim or suit and to
represent PCC Indemnified Parties in such litigation. The PCC Indemnified Parties, in their sole discretion and at
its expense, may provide counsel to assist counsel for Data Provider, or represent said PCC Indemnified Parties.
No settlement shall be made on behalf of a PCC Indemnified Party, which admits the fault of the PCC Indemnified
Party, without that Party’s written consent, which shall not be unreasonably withheld.
(b) To the extent permitted by law, PCC shall indemnify, defend, and hold harmless the Data Provider, and
its employees, officers, directors, and agents (“DP Indemnified Parties”), from any loss, damage, liability, claims,
costs, demands, suits, or judgments, including reasonable attorney’s fees and the assumption of the defense and its
costs, as a result of any damage or injury to DP Indemnified Parties, including death or injury to property or to
third parties, which is directly or indirectly caused by PCC or the employees, officers, directors, or agents of PCC
through negligence or willful misconduct pertaining to the PCC Obligations set forth in paragraph 3 above under
PCC Obligations. The DP Indemnified Parties shall promptly notify the PCC of any claim against it or a third
party of which they become aware and that is covered by this provision and the PCC shall, to the extent permitted
by law, authorize representatives to settle or defend any such claim or suit and to represent DP Indemnified Parties
in such litigation. The DP Indemnified Parties, in their sole discretion and at its expense, may provide counsel to
assist counsel for PCC, or represent said DP Indemnified Parties. No settlement shall be made on behalf of a DP
Indemnified Party, which admits the fault of the DP Indemnified Party, without that Party’s written consent, which
shall not be unreasonably withheld.
5. Failure of either Party to enforce any of its rights hereunder shall not constitute a waiver of such rights. If
any provision herein is, becomes, or is held invalid, illegal, or unenforceable, such provision shall be deemed
modified only to the extent necessary to conform with applicable laws or so as to be valid and enforceable. If it
cannot be so amended without materially altering the intent of the Parties as indicated herein, it shall be stricken
and the remainder of this Agreement shall remain in full force and effect and shall be enforced and construed as if
such provision had not been included.
6. Neither this Agreement nor any interest herein may be assigned, in whole or in part, by either Party
without the prior written consent of the other Party; provided, however, that without securing such prior consent,
either Party shall have the right to assign this Agreement to any successor of such Party by way of merger or
consolidation or the acquisition of substantially all of the assets of such Party relating to the subject matter of this
Agreement; provided further, that such successor shall expressly assume all of the obligations of such Party under
this Agreement.
7. This Agreement shall remain in force from its effective date until _____________. Any Amendments to
this Agreement, to be effective, shall be in writing and signed by an authorized Representative of each Party.
8. Each Party represents that the person signing this Agreement on its behalf of him/herself or his/her entity
has full authority to do so.
ACCEPTED AND AGREED TO BY:
RESEARCH TRIANGLE INSTITUTE
PREDICT Coordinating Center
Signature
Name
Title
Date
DATA PROVIDER
Signature
Name
Title
Date
Attachment A
Data Provider Description of Data
Data Category | Data Sub-Category | Description of Data Sub-Category
Description of Metadata for Data to be Provided by Data Provider
(* indicates mandatory fields)
Name | Description
*Dataset Name | Text name. Required to be unique in combination with a provider name. Researchers can use these tags for reference purposes and acknowledgment.
*Data Category | The Data Category to which this dataset belongs.
*Data Sub-Category | Descriptive name given to distinguish a particular grouping of datasets within a Data Category which have the same terms of use and which are described in Attachment A.
*Data Host | The organization hosting the Data.
*Short Description | Brief description of the dataset.
Long Description | Lengthy description of the dataset.
Data Structure | Description of how data are stored.
*Keywords | One or more selections from PCC Keyword List.
Dataset Size | Size in bytes of the dataset.
Formats | Format(s) of the dataset.
*Collection Start Date/Time | Date & time the data collection was begun.
Collection End Date/Time | Date & time the data collection ceased.
*Ongoing Measurement | Boolean flag. Set (true) if the data collection is ongoing.
Checksum Value | Checksum of the data set. Not shown in data catalog.
Checksum Type | Type of the checksum. One or more values from a list, for example: crc32, rsa-md4, etc.
*Anonymization | Indicates whether data is anonymized.
Anonymization Method | Indicates how data is anonymized.
*Metadata Version Date/Time | Date & time this version of the metadata was defined by the Data Provider; not the date/time it was supplied or recorded.
Availability Start Date/Time | Date & time the dataset is first available.
Availability End Date/Time | Date & time the dataset is no longer available (when it’s scheduled to be purged).
*Application Review Required | Yes/No indicating whether the Data Provider is required to be included in the ARB for any dataset request approval involving this dataset.
*Publication Review Required | Yes/No indicating whether Data Provider requires publication review of Researcher work related to dataset.
*Access Restrictions | Yes/No indicating whether remote access is required.
Access Types | One or more access type specifications from a list, such as items like HDD, Tape only, downloadable, etc.
Data Use Restrictions | Specific restrictions on use, such as not trying to reverse anonymized fields, monitoring if remote access, or whether Data Use Agreement is required.
*Archiving Allowed | Yes/No indicating whether archiving of the dataset is allowed to enable Researcher to reproduce research results.
Attachment B
Data Provider Terms and Conditions for Access to and Use of Data Within Each Data Sub-Category
Data Category | Data Sub-Category | Data Provider Terms & Conditions for Access to & Use of Data
Data Host Terms and Conditions for Access to and Use of Data Within Each Data Sub-Category
Data Category | Data Sub-Category | Data Host Terms & Conditions for Access to & Use of Data
Attachment C
PCC Privacy or Other Restrictions on Data
Data Category | Data Sub-Category | PCC Restrictions on Data
File Type | application/pdf |
File Title | Microsoft Word - HSARPA - PREDICT_MOA_PCC Data Provider_GENERIC PHASE II 9-8-11.doc |
Author | scantor |
File Modified | 2011-10-12 |
File Created | 2011-10-12 |