HomeMy WebLinkAbout071519_ca04Consent Agenda
JEFFERSON COUNTY
BOARD OF COUNTY COMMISSIONERS
AGENDA REQUEST
TO: Board of County Commissioners
Philip Morley, County Administrator
FROM: Barbara Carr
Juvenile Court Administrator
DATE: July 15, 2019
SUBJECT: WSART Consulting
STATEMENT OF ISSUE:
Contract in the amount of $23,700. Funding is for July 2019- June 2021
ANALYSIS:
Shannon Burns, a Juvenile Probation Counselor in Jefferson County is currently serving as one
of five statewide consultants to perform consultant duties to WSART programs. Jefferson
County is reimbursed for Shannon's time pursuant to the WSART Quality Assurance
requirements.
FISCAL IMPACT:
None. These funds reimburse for salary, benefits and travel.
RECOMMENDATION:
That the Board approve the Contract and sign 3 originals. A fully executed original will be
returned to the BOCC office.
REVIEWED BY:
C( hilip Morl y, unty A mini ator
Date
. $}
DCYF Agreement Number
COUNTY PROGRAM AGREEMENT
f
1963-57016
Ia
WSART Consultation for County
r -
Juvenile Courts
This Program Agreement is by and between the State of Washington
Administration or Division
Department of Children, Youth, and Families (DCYF) and the County
Agreement Number
identified below, and is issued in conjunction with a County and DCYF
Agreement On General Terms and Conditions, which is incorporated by
County Agreement Number
reference.
DCYF ADMINISTRATION
DCYF DIVISION
DCYF INDEX NUMBER
DCYF CONTRACT CODE
Department of Children, Youth,
Children, Youth and Families
1223
2000CC-63
and Families
DCYF CONTACT NAME AND TITLE
DCYF CONTACT ADDRESS
Del Hontanosas
PO Box 45720
Grants & Contracts Manager
Olympia, WA 98504
DCYF CONTACT TELEPHONE
DCYF CONTACT FAX
DCYF CONTACT E-MAIL
(360)902-8087
(360)902-8108
hontadr@_dshs.wa.gov
COUNTY NAME
COUNTY ADDRESS
Jefferson County
1820 Jefferson Street
Port Townsend, WA 98368
COUNTY FEDERAL EMPLOYER IDENTIFICATION
COUNTY CONTACT NAME
NUMBER
Barbara Carr
COUNTY CONTACT TELEPHONE
COUNTY CONTACT FAX
COUNTY CONTACT E-MAIL
360 385-9190
360 385-9191
bcarr@co.jefferson.wa.us
IS THE COUNTY A SUBRECIPIENT FOR PURPOSES OF THIS PROGRAM
CFDA NUMBERS
AGREEMENT?
No
PROGRAM AGREEMENT START DATE
PROGRAM AGREEMENT END DATE
MAXIMUM PROGRAM AGREEMENT AMOUNT
07/01/2019
I 06/30/2021
$23,700.00
EXHIBITS. When the box below is marked with an X, the following Exhibits are attached and are incorporated into this
County Program Agreement by reference:
® Exhibits (specify): Exhibit A: Data Security Requirements; Exhibit B:Statement of Work - WSART Consultation
for County Juvenile Courts
❑ No Exhibits.
The terms and conditions of this Contract are an integration and representation of the final, entire and exclusive
understanding between the parties superseding and merging all previous agreements, writings, and communications, oral
or otherwise, regarding the subject matter of this Contract. The parties signing below represent that they have read and
understand this Contract, and have the authority to execute this Contract. This Contract shall be binding on DCYF only
upon signature by DCYF.
COUNTY SIGNATURE(S)
PRINTED NAME(S) AND TITLE(S)
DATE(S) SIGNED
DCYF SIGNATURE
PRINTED NAME AND TITLE
DATE SIGNED
Del Hontanosas
Grants & Contracts Manager
Andsas t lf rm:"74
. �—�- Date:
Philip C. Hunsucker, Chief Civil Deputy Prosec ing, t orney
Jefferson County Prosecuting Attorney's Office
Department of Children, Youth, and Families
2017CF County Program Agreement (12-14-2018) Page 1
N
Definitions. The words and phrases listed below, as used in this Contract, shall each have the
following definitions:
a. "WSART" means Washington .State Aggression Replacement Training.
b. "DCYF" means the Department of Children, Youth, and Families.
c. "Juvenile Rehabilitation" or "JR" means the Division under the Department of Children, Youth, and
Families.
2. Purpose.
The purpose of this Contract is to provide clinical consultation services to the county juvenile courts that
are providing a Community Juvenile Accountability Act (CJAA) funded WSART program to youth
receiving community supervision in order to ensure program fidelity.
3. Data Security Requirements — Exhibit A. The Contractor shall protect, segregate, and dispose of
data from DCYF as described in Exhibit A, and as required in the Section below entitled Secure
Management of Confidential Information.
4. Statement of Work — Exhibit B. The Contractor shall provide services and staff as described in the
Statement of Work attached as Exhibit B.
5. Background Checks and Sexual Misconduct.
a. Background Check/Criminal History - In accordance with Chapters 388-700 WAC (JR -Practices &
Procedures), 72.05 RCW (Children & Youth Services), and by the terms of this contract, Contractor
and each of its employees, subcontractors, and/or volunteers who may or will have regular access
to any client/juvenile must be cleared through a JR approved criminal history and background
check. In addition, Contractor, each of their employees, subcontractors, and/or volunteers, who
may or will have limited access to any clienVjuvenile, may be required to be cleared through a JR
approved criminal history and background check.
By execution of this contract, Contractor affirms that Contractor, each of its employees,
subcontractors, and/or volunteers, who may or will have regular access have not been convicted of
any of the following:
(1) Any felony sex offense as defined in 9.94A.030 RCW (Sentencing Reform Act -Definitions) and
9A.44.130 RCW (Sex Offenses);
(2) Any crime specified in Chapter 9A.44 RCW (Sex Offenses) when the victim was a juvenile in the
custody of or under the jurisdiction of JR; or
(3) Any violent offense as defined in 9.94A.030 RCW (Sentencing Reform Act -Definitions).
Contractor must require that current employees, volunteers, and contracted service providers who
are authorized for regular access to a juvenile(s) report any guilty plea or conviction of any of the
above offenses. The report must be made to the person's supervisor within seven (7) days of
conviction and any person who have reported a guilty plea or conviction for one or more of these
offenses must not have regular access to any offender. Contractor shall also document
background checks/criminal history clearances for monitoring purposes.
b. Sexual Misconduct - 13.40.570 RCW (Sexual misconduct by state employees, contractors) states
Department of Children, Youth, and Families
2017CF County Program Agreement (12-14-2018)
Page 2
that when the Secretary has reasonable cause to believe that sexual intercourse or sexual contact
between the employee of a contractor and an offender has occurred, the Secretary shall require the
employee of a contractor to be immediately removed from any employment position which would
permit the employee to have any access to any offender.
By execution of this contract, contractor affirms that contractor, each of its employees,
subcontractors, and/or volunteers are knowledgeable about the requirements of 13.40.570 RCW
(Sexual misconduct by state employees, contractors) and of the crimes included in 9A.44 RCW
(Sex Offenses).
In addition, the Secretary shall disqualify for employment with a contractor in any position with
access to an offender, any person:
(1) Who is found by the department, based on a preponderance of the evidence, to have had
sexual intercourse or sexual contact with the offender; or
(2) Convicted of any crime specified in chapter 9A.44 RCW (Sex Offenses) when the victim was an
offender
If any actions are taken under 13.40.570 RCW, subsections (3) or (4), the Contractor must
demonstrate to the Secretary they have greatly reduced the likelihood that any of its employees,
volunteers, or subcontractors could have sexual intercourse or sexual contact with any offender.
The contract shall not be renewed unless the Secretary determines significant progress has been
made.
6. Billing and Payment.
a. The contracted activities shall be paid up to the amount specified for the deliverables identified in
the Statement of Work and payment shall be made upon receipt of the deliverable. JR shall not
make payment for any deliverable not completed in accordance to the specifications identified in
this contract.
b. DCYF shall pay the Contractor upon acceptance by DCYF of a properly completed A-19 Invoice
Voucher. The invoice shall include the following documentation of the services delivered:
(1) Date and time period of service(s) performed; and
(2) The Description of work performed.
c. Payment shall be considered timely if made by DCYF within 30 days after the receipt of the properly
completed invoice.
d. Payment shall be sent to the Contractor's address on page one of this Contract.
e. The Contractor accepts the DCYF payment as the sole and complete payment for the services
provided under this contract.
f. DCYF shall not reimburse the Contractor for authorized services not provided to clients, or for
services provided which are not authorized or are not provided in accordance with paragraph 2,
"Statement of Work." If DCYF pays the Contractor for services authorized but not provided by the
Contractor in accordance with this Contract's "Statement of Work," the amount paid shall be
considered to be an overpayment.
Department of Children, Youth, and Families
2017CF County Program Agreement (12-14-2018) Page 3
g. If this Contract is terminated for any reason, DCYF shall pay for only those services authorized and
provided through the date of termination.
Department of Children, Youth, and Families
2017CF County Program Agreement (12-14-2018) Page 4
Special Terms and Conditions
Exhibit A — Data Security Requirements
Definitions. The words and phrases listed below, as used in this Exhibit, shall each have the following
definitions:
a. "AES" means the Advanced Encryption Standard, a specification of Federal Information Processing
Standards Publications for the encryption of electronic data issued by the National Institute of
Standards and Technology (http://nvipubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf).
b. "Authorized Users(s)" means an individual or individuals with a business need to access DCYF
Confidential Information, and who has or have been authorized to do so.
c. "Business Associate Agreement' means an agreement between DCYF and a contractor who is
receiving Data covered under the Privacy and Security Rules of the Health Insurance Portability
and Accountability Act of 1996. The agreement establishes permitted and required uses and
disclosures of protected health information (PHI) in accordance with HIPAA requirements and
provides obligations for business associates to safeguard the information.
d. "Category 4 Data" is data that is confidential and requires special handling due to statutes or
regulations that require especially strict protection of the data and from which especially serious
consequences may arise in the event of any compromise of such data. Data classified as Category
4 includes but is not limited to data protected by: the Health Insurance Portability and Accountability
Act (HIPAA), Pub. L. 104-191 as amended by the Health Information Technology for Economic and
Clinical Health Act of 2009 (HITECH), 45 CFR Parts 160 and 164; the Family Educational Rights
and Privacy Act (FERPA), 20 U.S.C. §1232g; 34 CFR Part 99; Internal Revenue Service
Publication 1075 (https://www.irs.gov/pub/irs-pdf/pl075.pdD; Substance Abuse and Mental Health
Services Administration regulations on Confidentiality of Alcohol and Drug Abuse Patient Records,
42 CFR Part 2; and/or Criminal Justice Information Services, 28 CFR Part 20.
e. "Cloud" means data storage on servers hosted by an entity other than the Contractor and on a
network outside the control of the Contractor. Physical storage of data in the cloud typically spans
multiple servers and often multiple locations. Cloud storage can be divided between consumer
grade storage for personal files and enterprise grade for companies and governmental entities.
Examples of consumer grade storage would include iTunes, Dropbox, Box.com, and many other
entities. Enterprise cloud vendors include Microsoft Azure, Amazon Web Services, and Rackspace.
f. "Encrypt' means to encode Confidential Information into a format that can only be read by those
possessing a "key"; a password, digital certificate or other mechanism available only to authorized
users. Encryption must use a key length of at least 256 bits for symmetric keys, or 2048 bits for
asymmetric keys. When a symmetric key is used, the Advanced Encryption Standard (AES) must
be used if available.
g. "FedRAMP" means the Federal Risk and Authorization Management Program (see
www.fedramp.gov), which is an assessment and authorization process that federal government
agencies have been directed to use to ensure security is in place when accessing Cloud computing
products and services.
h. "Hardened Password" means a string of at least eight characters containing at least three of the
following four character classes: Uppercase alphabetic, lowercase alphabetic, numeral, and special
characters such as an asterisk, ampersand, or exclamation point.
Department of Children, Youth, and Families
2017CF County Program Agreement (12-14-2018) Page 5
Special Terms and Conditions
i. "Mobile Device" means a computing device, typically smaller than a notebook, which runs a mobile
operating system, such as iOS, Android, or Windows Phone. Mobile Devices include smart phones,
most tablets, and other form factors.
"Multi -factor Authentication" means controlling access to computers and other IT resources by
requiring two or more pieces of evidence that the user is who they claim to be. These pieces of
evidence consist of something the user knows, such as a password or PIN; something the user has
such as a key card, smart card, or physical token; and something the user is, a biometric identifier
such as a fingerprint, facial scan, or retinal scan. "PIM' means a personal identification number, a
series of numbers which act as a password for a device. Since PINs are typically only four to six
characters, PINs are usually used in conjunction with another factor of authentication, such as a
fingerprint.
k. "Portable Device" means any computing device with a small form factor, designed to be transported
from place to place. Portable devices are primarily battery powered devices with base computing
resources in the form of a processor, memory, storage, and network access. Examples include, but
are not limited to, mobile phones, tablets, and laptops. Mobile Device is a subset of Portable
Device.
I. "Portable Media" means any machine readable media that may routinely be stored or moved
independently of computing devices. Examples include magnetic tapes, optical discs (CDs or
DVDs), flash memory (thumb drive) devices, external hard drives, and internal hard drives that have
been removed from a computing device.
m. "Secure Area" means an area to which only authorized representatives of the entity possessing the
Confidential Information have access, and access is controlled through use of a key, card key,
combination lock, or comparable mechanism. Secure Areas may include buildings, rooms or
locked storage containers (such as a filing cabinet or desk drawer) within a room, as long as access
to the Confidential Information is not available to unauthorized personnel. In otherwise Secure
Areas, such as an office with restricted access, the Data must be secured in such a way as to
prevent access by non -authorized staff such as janitorial or facility security staff, when authorized
Contractor staff are not present to ensure that non -authorized staff cannot access it.
n. "Trusted Network" means a network operated and maintained by the Contractor, which includes
security controls sufficient to protect DCYF Data on that network. Controls would include a firewall
between any other networks, access control lists on networking devices such as routers and
switches, and other such mechanisms which protect the confidentiality, integrity, and availability of
the Data.
o. "Unique User ID" means a string of characters that identifies a specific user and which, in
conjunction with a password, passphrase or other mechanism, authenticates a user to an
information system.
Authority. The security requirements described in this document reflect the applicable requirements of
Standard 141.10 (https:/locio.wa.-gov/policies) of the Office of the Chief Information Officer for the state
of Washington, and of the DCYF Information Security Policy and Standards Manual. Reference
material related to these requirements can be found here: https://www.dcyf.wa.gov/services/child-
welfare-providers which is a site developed by the DSHS Information Security Office and hosted by
DCYF.
3. Administrative Controls. The Contractor must have the following controls in place:
a. A documented security policy governing the secure use of its computer network and systems, and
Department of Children, Youth, and Families
2017CF County Program Agreement (12-14-2018) Page 6
Special Terms and Conditions
which defines sanctions that may be applied to Contractor staff for violating that policy.
b. Security awareness training for all employees, presented at least annually, which informs
Contractor staff of their responsibilities under the Contractor's security policy. If the Contractor
does not have an appropriate security awareness course, any of their staff who will work with the
Data or systems housing the Data, must successfully complete the DSHS Information Security
Awareness Training, which can be taken on this web page: https://www.dshs.wa.gov/fsa/central-
contract-services/it-security-awareness-training, or a replacement later identified by DCYF.
c. If the Data shared under this agreement is classified as Category 4, the Contractor must be aware
of and compliant with the applicable legal or regulatory requirements for that Category 4 Data.
d. If Confidential Information shared under this agreement is classified as Category 4, the Contractor
must have a documented risk assessment for the system(s) housing the Category 4 Data.
4. Authorization, Authentication, and Access. In order to ensure that access to the Data is limited to
authorized staff, the Contractor must:
a. Have documented policies and procedures governing access to systems with the shared Data.
b. Restrict access through administrative, physical, and technical controls to authorized staff.
c. Ensure that user accounts are unique and that any given user account logon ID and password
combination is known only to the one employee to whom that account is assigned. For purposes of
non -repudiation, it must always be possible to determine which employee performed a given action
on a system housing the Data based solely on the logon ID used to perform the action.
d. Ensure that only authorized users are capable of accessing the Data.
e. Ensure that an employee's access to the Data is removed immediately:
(1) Upon suspected compromise of the user credentials.
(2) When their employment, or the contract under which the Data is made available to them, is
terminated.
(3) When they no longer need access to the Data to fulfill the requirements of the contract.
Have a process to periodically review and verify that only authorized users have access to systems
containing DCYF Confidential Information.
g. When accessing the Data from within the Contractor's network (the Data stays within the
Contractor's network at all times), enforce password and logon requirements for users within the
Contractor's network, including:
(1) A minimum length of 8 characters, and containing at least three of the following character
classes: uppercase letters, lowercase letters, numerals, and special characters such as an
asterisk, ampersand, or exclamation point.
(2) That a password does not contain a user's name, logon ID, or any form of their full name.
(3) That a password does not consist of a single dictionary word. A password may be formed as a
passphrase which consists of multiple dictionary words.
Department of Children, Youth, and Families
2017CF County Program Agreement (12-14-2018) Page 7
Special Terms and Conditions
(4) That passwords are significantly different from the previous four passwords. Passwords that
increment by simply adding a number are not considered significantly different.
h. When accessing Confidential Information from an external location (the Data will traverse the
Internet or otherwise travel outside the Contractor's network), mitigate risk and enforce password
and logon requirements for users by employing measures including:
(1) Ensuring mitigations applied to the system don't allow end-user modification.
(2) Not allowing the use of dial-up connections.
(3) Using industry standard protocols and solutions for remote access. Examples would include
RADIUS and Citrix.
(4) Encrypting all remote access traffic from the external workstation to Trusted Network or to a
component within the Trusted Network. The traffic must be encrypted at all times while
traversing any network, including the Internet, which is not a Trusted Network.
(5) Ensuring that the remote access system prompts for re -authentication or performs automated
session termination after no more than 30 minutes of inactivity.
(6) Ensuring use of Multi -factor Authentication to connect from the external end point to the internal
end point.
Passwords or PIN codes may meet a lesser standard if used in conjunction with another
authentication mechanism, such as a biometric (fingerprint, face recognition, iris scan) or token
(software, hardware, smart card, etc.) in that case:
(1) The PIN or password must be at least 5 letters or numbers when used in conjunction with at
least one other authentication factor
(2) Must not be comprised of all the same letter or number (11111, 22222, aaaaa, would not be
acceptable)
(3) Must not contain a "run" of three or more consecutive numbers (12398, 98743 would not be
acceptable)
If the contract specifically allows for the storage of Confidential Information on a Mobile Device,
passcodes used on the device must:
(1) Be a minimum of six alphanumeric characters.
(2) Contain at least three unique character classes (upper case, lower case, letter, number).
(3) Not contain more than a three consecutive character run. Passcodes consisting of 12345, or
abcd12 would not be acceptable.
k. Render the device unusable after a maximum of 10 failed logon attempts.
Protection of Data. The Contractor agrees to store Data on one or more of the following media and
protect the Data as described:
a. Hard disk drives. For Data stored on local workstation hard disks, access to the Data will be
restricted to Authorized User(s) by requiring logon to the local workstation using a Unique User ID
Department of Children, Youth, and Families
2017CF County Program Agreement (12-14-2018) Page 8
Special Terms and Conditions
and Hardened Password or other authentication mechanisms which provide equal or greater
security, such as biometrics or smart cards.
b. Network server disks. For Data stored on hard disks mounted on network servers and made
available through shared folders, access to the Data will be restricted to Authorized Users through
the use of access control lists which will grant access only after the Authorized User has
authenticated to the network using a Unique User ID and Hardened Password or other
authentication mechanisms which provide equal or greater security, such as biometrics or smart
cards. Data on disks mounted to such servers must be located in an area which is accessible only
to authorized personnel, with access controlled through use of a key, card key, combination lock, or
comparable mechanism.
For DCYF Confidential Information stored on these disks, deleting unneeded Data is sufficient as
long as the disks remain in a Secure Area and otherwise meet the requirements listed in the above
paragraph. Destruction of the Data, as outlined below in Section 8 Data Disposition, may be
deferred until the disks are retired, replaced, or otherwise taken out of the Secure Area.
c. Optical discs (CDs or DVDs) in local workstation optical disc drives. Data provided by DCYF
on optical discs which will be used in local workstation optical disc drives and which will not be
transported out of a Secure Area. When not in use for the contracted purpose, such discs must be
Stored in a Secure Area. Workstations which access DCYF Data on optical discs must be located
in an area which is accessible only to authorized personnel, with access controlled through use of a
key, card key, combination lock, or comparable mechanism.
d. Optical discs (CDs or DVDs) in drives or jukeboxes attached to servers. Data provided by
DCYF on optical discs which will be attached to network servers and which will not be transported
out of a Secure Area. Access to Data on these discs will be restricted to Authorized Users through
the use of access control lists which will grant access only after the Authorized User has
authenticated to the network using a Unique User ID and Hardened Password or other
authentication mechanisms which provide equal or greater security, such as biometrics or smart
cards. Data on discs attached to such servers must be located in an area which is accessible only
to authorized personnel, with access controlled through use of a key, card key, combination lock, or
comparable mechanism.
e. Paper documents. Any paper records must be protected by storing the records in a Secure Area
which is only accessible to authorized personnel. When not in use, such records must be stored in
a Secure Area.
Remote Access. Access to and use of the Data over the State Governmental Network (SGN) or
Secure Access Washington (SAW) will be controlled by DCYF staff who will issue authentication
credentials (e.g. a Unique User ID and Hardened Password) to Authorized Users on Contractor's
staff. Contractor will notify DCYF staff immediately whenever an Authorized User in possession of
such credentials is terminated or otherwise leaves the employ of the Contractor, and whenever an
Authorized User's duties change such that the Authorized User no longer requires access to
perform work for this Contract.
g. Data storage on portable devices or media.
(1) Except where otherwise specified herein, DCYF Data shall not be stored by the Contractor on
portable devices or media unless specifically authorized within the terms and conditions of the
Contract. If so authorized, the Data shall be given the following protections:
(a) Encrypt the Data.
Department of Children, Youth, and Families
2017CF County Program Agreement (12-14-2018) Page 9
Special Terms and Conditions
(b) Control access to devices with a Unique User ID and Hardened Password or stronger
authentication method such as a physical token or biometrics.
(c) Manually lock devices whenever they are left unattended and set devices to lock
automatically after a period of inactivity, if this feature is available. Maximum period of
inactivity is 20 minutes.
(d) Apply administrative and physical security controls to Portable Devices and Portable Media
by:
i. Keeping them in a Secure Area when not in use,
ii. Using check-in/check-out procedures when they are shared, and
iii. Taking frequent inventories.
(2) When being transported outside of a Secure Area, Portable Devices and Portable Media with
DCYF Confidential Information must be under the physical control of Contractor staff with
authorization to access the Data, even if the Data is encrypted.
h. Data stored for backup purposes.
(1) DCYF Confidential Information may be stored on Portable Media as part of a Contractor's
existing, documented backup process for business continuity or disaster recovery purposes.
Such storage is authorized until such time as that media would be reused during the course of
normal backup operations. If backup media is retired while DCYF Confidential Information still
exists upon it, such media will be destroyed at that time in accordance with the disposition
requirements below in Section 8 Data Disposition.
(2) Data may be stored on non-portable media (e.g. Storage Area Network drives, virtual media,
etc.) as part of a Contractor's existing, documented backup process for business continuity or
disaster recovery purposes. If so, such media will be protected as otherwise described in this
exhibit. If this media is retired while DCYF Confidential Information still exists upon it, the data
will be destroyed at that time in accordance with the disposition requirements below in Section 8
Data Disposition.
i. Cloud storage. DCYF Confidential Information requires protections equal to or greater than those
specified elsewhere within this exhibit. Cloud storage of Data is problematic as neither DCYF nor
the Contractor has control of the environment in which the Data is stored. For this reason:
(1) DCYF Data will not be stored in any consumer grade Cloud solution, unless all of the following
conditions are met:
(a) Contractor has written procedures in place governing use of the Cloud storage and
Contractor attests in writing that all such procedures will be uniformly followed.
(b) The Data will be Encrypted while within the Contractor network.
(c) The Data will remain Encrypted during transmission to the Cloud.
(d) The Data will remain Encrypted at all times while residing within the Cloud storage solution.
(e) The Contractor will possess a decryption key for the Data, and the decryption key will be
possessed only by the Contractor and/or DCYF.
Department of Children, Youth, and Families
2017CF County Program Agreement (12-14-2018) Page 10
Special Terms and Conditions
(f) The Data will not be downloaded to non -authorized systems, meaning systems that are not
on either the DCYF or Contractor networks.
(g) The Data will not be decrypted until downloaded onto a computer within the control of an
Authorized User and within either the DCYF or Contractor's network.
(2) Data will not be stored on an Enterprise Cloud storage solution unless either:
(a) The Cloud storage provider is treated as any other Sub -Contractor, and agrees in writing to
all of the requirements within this exhibit; or,
(b) The Cloud storage solution used is FedRAMP certified.
(3) If the Data includes protected health information covered by the Health Insurance Portability and
Accountability Act (HIPAA), the Cloud provider must sign a Business Associate Agreement prior
to Data being stored in their Cloud solution.
6. System Protection. To prevent compromise of systems which contain DCYF Data or through which
that Data passes:
a. Systems containing DCYF Data must have all security patches or hotfixes applied within 3 months
of being made available.
b. The Contractor will have a method of ensuring that the requisite patches and hotfixes have been
applied within the required timeframes.
c. Systems containing DCYF Data shall have an Anti-Malware application, if available, installed.
d. Anti-Malware software shall be kept up to date. The product, its anti-virus engine, and any malware
database the system uses, will be no more than one update behind current.
7. Data Segregation.
a. DCYF Data must be segregated or otherwise distinguishable from non-DCYF data. This is to
ensure that when no longer needed by the Contractor, all DCYF Data can be identified for return or
destruction. It also aids in determining whether DCYF Data has or may have been compromised in
the event of a security breach. As such, one or more of the following methods will be used for data
segregation.
(1) DCYF Data will be kept on media (e.g. hard disk, optical disc, tape, etc.) which will contain no
non-DCYF Data. And/or,
(2) DCYF Data will be stored in a logical container on electronic media, such as a partition or folder
dedicated to DCYF Data. And/or,
(3) DCYF Data will be stored in a database which will contain no non-DCYF data. And/or,
(4) DCYF Data will be stored within a database and will be distinguishable from non-DCYF data by
the value of a specific field or fields within database records.
(5) When stored as physical paper documents, DCYF Data will be physically segregated from non-
DCYF data in a drawer, folder, or other container.
Department of Children, Youth, and Families
2017CF County Program Agreement (12-14-2018) Page 11
Special Terms and Conditions
b. When it is not feasible or practical to segregate DCYF Data from non-DCYF data, then both the
DCYF Data and the non-DCYF data with which it is commingled must be protected as described in
this exhibit.
Data Disposition. When the contracted work has been completed or when the Data is no longer
needed, except as noted above in Section 5.b, Data shall be returned to DCYF or destroyed. Media on
which Data may be stored and associated acceptable methods of destruction are as follows:
Data stored on:
Will be destroyed by:
Server or workstation hard disks, or
Using a "wipe" utility which will overwrite the Data at
least three (3) times using either random or single
Removable media (e.g. floppies, USB flash
character data, or
drives, portable hard disks) excluding optical
discs
Degaussing sufficiently to ensure that the Data
cannot be reconstructed, or
Physically destroying the disk
Paper documents with sensitive or
Confidential Information
Recycling through a contracted firm, provided the
contract with the recycler assures that the
confidentiality of Data will be protected.
Paper documents containing Confidential
On-site shredding, pulping, or incineration
Information requiring special handling (e.g.
protected health information
Optical discs (e.g. CDs or DVDs)
Incineration, shredding, or completely defacing the
readable surface with a coarse abrasive
Magnetic tae
Degaussing, incinerating or crosscut shredding
9. Notification of Compromise or Potential Compromise. The compromise or potential compromise of
DCYF shared Data must be reported to the DCYF Contact designated in the Contract within one (1)
business day of discovery. If no DCYF Contact is designated in the Contract, then the notification must
be reported to the DCYF Privacy Officer at: dcyfprivacyofficer(-Wdcyf.wa.pov. Contractor must also take
actions to mitigate the risk of loss and comply with any notification or other requirements imposed by
law or DCYF.
10. Data shared with Subcontractors. If DCYF Data provided under this Contract is to be shared with a
subcontractor, the Contract with the subcontractor must include all of the data security provisions within
this Contract and within any amendments, attachments, or exhibits within this Contract. If the
Contractor cannot protect the Data as articulated within this Contract, then the contract with the sub -
Contractor must be submitted to the DCYF Contact specified for this contract for review and approval.
Department of Children, Youth, and Families
2017CF County Program Agreement (12-14-2018) Page 12
Special Terms and Conditions
EXHIBIT B
Statement of Work
WSART Consultation for County Juvenile Courts
The Contractor shall provide to statewide WSART Teams by telephone or in-person clinical
consultation services. Services shall include, but are not limited to:
a. Providing clinical consultation to WSART Teams throughout the state;
b. Participating in and providing WSART training;
c. Monitoring by direct observation or videotaped WSART sessions WSART Teams for adherence
and compliance to WSART project standards;
d. Reporting monitoring results to the JR Juvenile Court Program Administrator and to the statewide
WSART Quality Assurance Specialist on a monthly basis;
e. Providing assistance with individual WSART Team's improvement plans; and
f. Participating in implementation and ongoing program development meetings.
2. Deliverables.
a. Monthly Reporting
The Contractor shall provide monthly activity and monitoring summary reports to the JR Juvenile
Court Program Administrator.
b. Quarterly Reporting
The Contractor on a quarterly basis shall provide the JR Juvenile Court Program Administrator and
the Statewide ART Quality Assurance Specialist (QAS) a report that summarizes the following
information for all WSART Trainers served that quarter:
(1) Number of WSART Trainers served;
(2) Number of WSART Trainers who were rated as Highly Competent, Competent, Borderline
Competent, and Not Competent;
(3) Number of WSART Trainers placed on Informal Improvement Plans;
(4) Number of WSART Trainers who successfully completed their Informal Improvement Plans;
(5) Number of WSART Trainers who did not complete or unsuccessfully completed their Informal
Improvement Plans and are referred to the WSART QAS for further action; and
(6) Number of WSART Trainers who were rated as Not Competent and forwarded to the WSART
QAS for further action.
Department of Children, Youth, and Families
2017CF County Program Agreement (12-14-2018) Page 13
Special Terms and Conditions
c. Outcome Reporting
The Contractor shall report to the JR Juvenile Court Program Administrator at the completion of
services to WSART Trainers the following information:
(1) The frequency that WSART Consultants were available for monthly telephone consultation;
(2) The frequency of participation of each Juvenile Court's participation in monthly telephone
consultation;
(3) Any changes in the Juvenile Courts' WSART programs; and
(4) The adherence and competence rating of each Juvenile Court's WSART Trainer.
3. DCYF Program Contact.
The Contractor shall notify the DCYF Program Contact listed below for any questions or issues related
to services under this contract:
Cory Redman
Juvenile Court Programs Administrator
Juvenile Rehabilitation - HQ
360.902.8079
Red maCA(a-).dshs.wa.gov
4. Consideration.
Total consideration payable to Contractor for satisfactory performance of the work under this Contract
is up to a maximum of $23,700, including any and all expenses, and shall be based on the following:
a. The maximum consideration payable for Fiscal Year 2020 is $12,500 and for Fiscal Year 2021 is
$11,200. Funds not expended in Fiscal Year 2020 cannot be carried over to the following Fiscal
Year.
b. The Contractor shall be paid $40.00 per hour for clinical consultation services and payment shall be
based upon the JRA Juvenile Court Program Administrator receipt and approval of monthly
summary report.
c. The Contractor shall only be reimbursed for travel costs pre -approved in writing by the JR Juvenile
Court Program Administrator.
Department of Children, Youth, and Families
2017CF County Program Agreement (12-14-2018) Page 14