Download:
pdf |
pdfOMB No. 1640-New
Expires: TBD
DHS PREDICT Memorandum of Agreement between PREDICT Coordinating
Center and Researcher/User Form
Cover Sheet
1. Department Name: Department of Homeland Security
2. Component/Agency Name: Science and Technology Directorate
3. OMB Control Number: 1640-New
4. Expiration Date: TBD (Three years from approval date)
5. Agency Form Number:
6. Name of Form: Memorandum of Agreement (MoA) between PREDICT
Coordinating Center (PCC) and Researcher/User
7. Purpose of Form: The MoA is required for all applications to be a data host.
The MoA defines the roles of the Researcher/User and the PCC
8. How to submit: Sign and fax to the PREDICT Coordinating Center, RTI
International, Attn: Renee Karlsen, 866.835.0255 (toll free).
8
�COVER LETTER
MEMORANDUM OF AGREEMENT
Thank you for your interest in joining the PREDICT community. In order for your application to be
considered you must execute the attached Memorandum of Agreement. The memo must be received
before your application can be considered.
Directions:
1. Print out the MOA.
2. Fill in appropriate names.
3. Complete all Attachments as they pertain to your application
4. Complete the Contact Information form below with the requested information for the person who
is signing this document.
5. Sign and fax to the PREDICT Coordinating Center, RTI International, Attn: Renee Karlsen, at
866.835.0255 (toll free.). An executed copy will be returned to you for your files.
Questions regarding your application may be directed to the PCC via email: [email protected]
Contact Information
Name
Title
Organization
Address
City
State
Zip
Email
Phone
Fax
An agency may not conduct or sponsor an information collection and a person is not required to respond to this information
collection unless it displays a current valid OMB control number and an expiration date. The control number for this
collection is 1640-XXXX and this form will expire on XX/XX/XXXX. The estimated average time to complete this form is
60 minutes per respondent. If you have any comments regarding the burden estimate you can write to Department of
Homeland Security, Science and Technology Directorate, Washington, DC 20528
DHS Form 10035 (12/07)
Rev. 2-19-08
Page 1 of 10
�MEMORANDUM OF AGREEMENT
PCC AND RESEARCHER/USER
This Memorandum of Agreement (Agreement) is between _____________________, a _____________
corporation having offices at __________________________________________________________________
or _____________________, with address of ___________________________________ (“Researcher/User”)
and Research Triangle Institute (“RTI”), a North Carolina corporation having offices at 3040 Cornwallis Road,
Research Triangle Park, NC 27709. RTI serves under contract to the United States Department of Homeland
Security (“DHS”) as the operator of the PREDICT Coordinating Center (“PCC”). References throughout this
document to “PCC” shall be deemed to refer to RTI.
Recitals
The PCC supports the Protected Repository for the Defense of Infrastructure against Cyber Threats (PREDICT)
project sponsored by the United States Department of Homeland Security (DHS). DHS will provide funding to
the PCC and the Data Hosts for the PREDICT Project.
It is anticipated that the following eight types of organizations will participate in project PREDICT:
Department of Homeland
Security (DHS)
PCC
Data Providers
Researchers/Users
Data Hosts
Sponsoring Institutions
Application Review
Board (ARB)
Publication Review
Board (PRB)
This Agreement consists of the General Terms and Conditions and Attachment A. The provisions of each
Attachment shall be construed so as to be fully consistent with all of the provisions of the General Terms and
Conditions and, in the case of any conflict, the General Terms and Conditions shall prevail unless an Attachment
is separately executed by both Parties and expressly amends particular provisions of the General Terms and
Conditions, in which case the amendments of such Attachment shall prevail over such particular provisions of the
General Terms and Conditions.
General Terms and Conditions
Researcher/User and PCC agree to the following:
Data shall mean the information described in Attachment A that is owned or controlled by a Data Provider, made
available to the PREDICT project via a Data Host, and which is being requested by the Researcher/User.
Attachment A shall be incorporated into this Agreement at the time and to the extent that Researcher/User’s
application for Data described therein is approved by the Application Review Board (ARB).
Metadata, as described in Attachment A, is information about the Data (but not the Data itself) which Data
Provider and/or Data Host agree to disclose to the PCC and to permit the PCC to compile in a catalog with other
Metadata which is accessible by Data Providers and Data Hosts via the PREDICT portal, and which PCC may
further disclose to approved Researchers/Users in a manner consistent with the terms of its Agreements with the
Data Provider and Data Host. The PCC agrees to receive the Metadata, enter the Metadata in the PREDICT data
catalog, and facilitate the release of the Metadata to Researchers/Users in accordance with the approved terms.
DHS will provide funding to the PCC and the Data Hosts for the PREDICT project via separate agreements
entered into individually between DHS and the PCC, and DHS and Data Hosts.
PCC facilitates the data flow between PREDICT participants, processes applications from Researcher/User for
access to Data or approval to publish research results, develops Metadata catalogs, and develops protocols (which
are subject to DHS approval) to help protect the confidentiality and integrity of data and direct its proper usage.
PCC will receive and catalog Metadata about the Data and make the Metadata catalog available to approved
2
Rev. 2-19-08
�Researchers/Users, subject to the terms and conditions of its Agreements with the Data Providers and Data Hosts.
PCC does not store, maintain, or have access to any of the Data.
Data Provider shall mean an entity that provides Data that it owns or has a right to control and disclose to the
PREDICT project via a Data Host, subject to the terms and conditions in an MOA between it and PCC. A Data
Provider may select a Data Host to receive and host the Data or it may host its own Data, in which case it shall
also be deemed a Data Host. If Data Provider selects a third party Data Host to store its Data, Data Provider will
provide Data to a Data Host who will host the Data for the benefit of the PREDICT project. A Data Provider
must enter into a Data Provider “Memorandum of Agreement” with PCC.
Data Host shall mean an entity that provides computing infrastructure to store Data received from one or more
Data Providers, and provides Researchers/Users access to Data when the Researcher/User’s application requesting
Data has been approved by the Application Review Board. Data Host may also host its own Data. If Data Host
hosts its own Data, it shall also enter into a Data Provider “Memorandum of Agreement” with PCC.
Researcher/User shall mean a person or entity that is a member of the cyber defense research and development
community who completes an official PCC application requesting Data from PREDICT for use in research and is
approved by the ARB for access to Data. A Researcher/User which is an entity shall complete the application for
itself, identifying an individual employed by the entity to serve as the Data Custodian responsible for the security,
oversight, use, and return of the Data. An individual Researcher/User must be affiliated with and obtain a letter of
support from a Sponsoring Institution as part of his/her PCC application for Data.
Data Custodian shall mean the person with primary responsibility for the receipt, security, oversight, use, and
return of Data on behalf of the Researcher/User. An approved individual Researcher/User shall be deemed the
Data Custodian for his/her application.
Sponsoring Institution is an organization that is affiliated with or otherwise sponsors Researchers/Users and
validate their research and need for PREDICT data, and which agree to notify PCC in the event of a change in the
sponsored Researcher/User’s affiliation with the Sponsoring Institution.
Application Review Board (“ARB”) shall mean an entity that reviews and approves or rejects applications for
requested Data or Metadata and forwards approved applications to Data Hosts for delivery of Data, and to PCC to
enable access to Metadata.
Publication Review Board (“PRB”) shall mean an entity that reviews and comments upon applications from
Researchers/Users or Sponsoring Institutions to publish or otherwise release any study results or other
information relating to Data or Metadata received through PCC. The PRB is empowered to reject applications to
publish should the proposed publication violate the terms associated with the Data, including attribution of the
source of the Data, or applicable laws and regulations governing release of Data, and the proposed author or
publisher refuses to amend the publication to comply with the terms, laws, or regulations.
Any and all terms and conditions besides those set forth in the General Terms and Conditions of this Agreement
concerning permitted access to, handling, storage, disclosure, and use of Data by Researcher/User shall be set
forth in Attachment A. Signature on Attachment A is a condition precedent to Researcher/User obtaining any
Data under PREDICT.
Researcher/User Rights and Obligations
By requesting and receiving Data from the PCC, and in consideration of the release to Researcher/User of the
Data described in Attachment A, the Researcher/User agrees to all terms and conditions as follows:
1. Researcher/User has certified that all information contained in Researcher/User’s application for PREDICT
Data are accurate and complete, and that such certification is a material term of this Agreement. Should it be
determined that such information was false, inaccurate, incomplete, or otherwise designed to conceal material
information from the PCC, Data Host, or Data Provider, the PCC may in its sole discretion immediately
3
Rev. 2-19-08
�suspend this Agreement and require additional information from Researcher/User and/or immediately
terminate this Agreement and require return of all Data (including any copies thereof) to the entity from
which obtained. Researcher further agrees that all information contained in Researcher/User’s application
may be shared as necessary to facilitate PCC operations and compliance with PCC operational policies and
procedures, including sharing the information with the ARB, PRB, Data Hosts, Data Providers, and, if
necessary, DHS.
2. For applications made by Researcher/User and approved by the ARB, PCC hereby grants to Researcher/User,
on behalf of Data Provider and/or Data Host, a right to use the Data solely for the purposes described in the
Researcher/User’s approved application and in all respects in accordance with the terms and conditions
included herein and in Attachment A. Researcher/User shall not use the Data for purposes other than those
described in the Researcher/User’s application. Furthermore, Researcher/User shall not transmit, send,
export, or use the Data outside of the United States, and Researcher/User shall take steps to ensure that all
persons named on Researcher/User’s application are aware of this restriction and do not transmit, send,
export, or use the Data outside the United States. Upon receipt of the Data, Data Provider hereby grants to
Researcher/User, on behalf of Data Provider (itself) and the Data Host(s), a license to Researcher/User to use
the Data solely for the purposes described in the Researcher/User’s application.
3. Use of Data by Researcher/User shall conform to the terms of the license granted, and the terms of this MOA
and Attachments. Researcher/User shall not through negligence or willful misconduct violate or infringe
existing intellectual property or confidentiality rights of the person(s) or entity(ies) with such rights in the
Data. Researcher/User shall not be liable to the property right holder for any such infringement where such
infringement results solely from the release by Data Provider or Data Host of the Data to Researcher/User, or
results solely from use by Researcher/User in accordance with its approved application and the terms of this
MOA, including Attachment A. The Terms and Conditions of this Article are for the primary benefit of PCC
and Researcher/User; however, a violation by Researcher/User of these Obligations may create harm to Data
Providers and/or Data Hosts of the Data to which Researcher/User is granted access. These Parties are
therefore deemed third party beneficiaries under this agreement for only those purposes and Research/User
hereby acknowledges the third party beneficiary rights of such Data Providers and Data Hosts provided,
however, that if the MOA entered between the PCC and any specific Data Provider or Data Host does not
contain a reciprocal third party beneficiary right in favor of Researcher/User, then this Article shall not apply
in favor of such Data Provider or Data Host.
4. The Researcher/User will not disclose Data to any persons other than those identified in the approved
application which results in Researcher/User being granted access to the Data, or such other persons as shall
be approved in writing by the PCC (after consultation with the Data Provider or Application Review Board,
as required by the terms set by the Data Provider of the Data in question) in response to a written request of
Researcher/User.
5. Researcher/User will establish and maintain the appropriate administrative, technical, and physical safeguards
to protect the confidentiality of the Data and to prevent unauthorized use or access to the Data, including the
use of locked storage facilities and strong passwords for Data accessible electronically. Strong passwords
must be at least 6 characters in length, and must include both alpha-numeric characters and symbols.
6. Researcher/User will permit others to use the Data only in accordance with the terms of this Agreement and
the procedures in Researcher/User’s approved application. Access to the Data shall be limited to the
minimum number of individuals necessary to achieve the purpose stated in Researcher/User’s application, but
in no event shall access be granted to persons not identified in the Researcher/User’s approved application or
subsequently approved in writing by the PCC.
7. Researcher/User, whether individual or entity and whether or not they are also a Sponsoring Institution, shall
notify PCC in writing within thirty (30) days if any approved individual leaves the Sponsoring Institution or
the research project or, in the case of a Researcher/User that is an entity, if the controlling ownership (or other
controlling entity) of the Researcher/User changes.
4
Rev. 2-19-08
�8. (a) Researcher/User as an Individual
If Researcher/User is an individual and moves to a different institution after access to Data is granted,
Researcher/User’s approval to use or disclose the Data shall immediately be suspended, as shall use by any
other individual named in Researcher/User’s application or located at Researcher/User’s Sponsoring
Institution. Researcher/User will notify PCC and Researcher/User’s current Sponsoring Institution in writing
within thirty (30) days regarding the proposed disposition of all copies of the Data and follow PCC’s
directions and Researcher/User’s Sponsoring Institution’s guidelines. Continued use of the Data to which
Researcher/User had approved access shall be contingent upon the submission and approval of a new
application from Researcher/User, complete with a letter of Sponsorship from Researcher/User’s new
Sponsoring Institution. Should other individuals at the institution which sponsored Researcher/User’s initial
application desire continued access to the Data, a primary Researcher/User at that institution must complete
and submit a new application for access to the Data and receive approval from the ARB for such access.
(b) Researcher/User as an Entity
If Researcher/User is an entity and the individual identified as the primary Data Custodian leaves employment
with Researcher/User, Researcher/User shall immediately propose an alternate Data Custodian to the PCC for
its review and approval. Researcher/User shall provide such information on the proposed new Data
Custodian as PCC shall reasonably require, and PCC may consult with the ARB, Data Provider, or Data Host
during the review as required by the terms set by the Data Provider and Data Host of the Data in question or,
in the absence of such terms, as PCC shall in its sole discretion deem appropriate. PCC shall approve or deny
the proposed substitution within five business days, or such longer period as may be required to obtain
adequate information from Researcher/User or third parties as is necessary to fully evaluate the proposed Data
Custodian’s fitness for the position, or to obtain approval of the ARB or Data Provider or Data Host as the
terms associated with the Data require. During the period of review, no individuals other than those
previously approved shall have access to the Data pending the PCC decision.
9. No findings, analysis, or information derived from the Data may be released if such findings contain any
combination of data elements that might allow for identification or the deduction of a person’s or institution’s
identity, unless such identification is both (a) explicitly permitted under the terms governing handling and
release of Data incorporated herein and (b) not in violation of applicable U.S. or state law.
10. Researcher/User shall submit any findings, results of analysis, or manuscripts proposed for public release,
publication, or any other type of disclosure to persons not listed and approved in this application (e.g.,
abstracts, presentations (oral or written), publications) to review by a Publications Review Board (PRB)
managed by PCC prior to release to assure that data confidentiality is maintained, entities or individuals
cannot be identified (except as permitted under Article 9 above), and the terms and conditions attached to the
use of the Data have been followed. In addition, Researcher/User shall identify the PREDICT program as the
source of Data in all proposed publications, and DHS as the sponsor of PREDICT. Researcher/User shall
abide by any decisions made by the PCC and PRB with respect to non-publication or changes necessary to
ensure these conditions are met, and will not submit such documents for publication or otherwise publicly
release them until receiving the PCC’s approval to do so; provided, PCC may withhold approval to publish on
the results of research only if it reasonably determines that the format of Data presentation is such that it does
not meet the terms and conditions for the use of the Data as reflected in this MOA and Attachments or if
publication may result in identification of the Data Provider or another institution, organization, or individual
or otherwise breach a duty of confidence owed to Data Provider or the subject from whom the Data was
collected. A link to or copy of all approved publications shall be provided to the PCC by Researcher/User.
11. Researcher/User will report immediately to PCC any use or disclosure of the Data other than as permitted by
this Agreement, and will take all commercially reasonable steps to mitigate the effects of such improper use
or disclosure, including cooperating with all reasonable requests of PCC towards that end.
12. Unless re-identification of Data is required and was disclosed and approved in the application by
Researcher/User to the ARB, Researcher/User may not attempt to or actually unlock, override, reverse
5
Rev. 2-19-08
�engineer, or otherwise take any steps to defeat any anonymization or obfuscation methods or tools that have
been applied to any Data by the Data Provider or Data Host, or otherwise to violate any of the terms of use
associated with the Data.
13. Researcher/User agrees that in the event PCC determines or has a reasonable belief that Researcher/User has
violated any terms of this Agreement, PCC may terminate this Agreement and require that Researcher/User
return the data and all derivative files. PCC may also seek injunctive relief against Researcher/User to
prevent any unauthorized disclosure of Data by Researcher/User. Researcher/User understands that as a result
of this determination or reasonable belief that a violation of this Agreement has occurred, PCC may also
refuse to release further Data to Researcher/User. In addition, PCC may report any misuse or improper
disclosure of Data to Data Provider and Data Host and to appropriate authorities as permitted or required by
applicable Federal or state law.
14. Upon expiration or termination of this Agreement or an expiration date specified for certain Data in
Attachment A, and as directed by PCC, Researcher/User agrees to either destroy all copies of the Data or
return such Data to the Data Host per PCC’s instructions. Researcher/User or the Data Custodian shall certify
such destruction or return by signing and providing to PCC a Certification of Data Return or Destruction.
15. Researcher/User shall indemnify, defend, and hold PCC and its or their employees, officers, directors, or
agents harmless from any loss, damage, liability, claims, costs, demands, suits, or judgments, including
reasonable attorney’s fees and the assumption of the defense and its costs, as a result of any damage or injury
(including death) to PCC, and its or their employees, officers, directors, or agents, or injury to the property of
PCC and its or their employees, officers, directors or agents, or for any injury (including death) to third
persons or their property which is directly caused by the gross negligence or willful misconduct of
Researcher/User or its agents, in the course of performance or arising out of or connected to any of the Data
or related research specified in or arising out of this Agreement. PCC will promptly notify Researcher/User
of any claim against it of which PCC becomes aware and that is covered by this provision and
Researcher/User shall authorize representatives to settle or defend any such claim or suit and to represent
PCC or other indemnified parties in such litigation; provided, PCC may, in its sole discretion and at its
expense, provide counsel to represent it or to assist counsel for Researcher/User.
16. Researcher/User will promptly notify PCC of any claim against it or a third party of which it becomes aware
pertaining to Data or this Agreement and Researcher/User shall authorize representatives to settle or defend
any such claim or suit and to represent PCC or other indemnified parties in such litigation; provided, PCC
may, in its sole discretion and at its expense, provide counsel to assist counsel for Researcher/User.
PREDICT Coordinating Center (PCC) Obligations
1. PCC shall notify Researcher/User of
a) FOIA or other legal requests for access to Data
b) Data return or destruction requirements at expiration date for Data specified in Attachment A.
2. Unless otherwise indicated in Attachment A, PCC has obtained from all Data Providers and Data Hosts with
rights in the Data acquired by Researcher/User hereunder an agreement containing third-party beneficiary
rights in Researcher/User to enable Researcher/User to seek redress against Data Providers and Data Hosts for
any claim, suit or proceeding asserted or commenced against Researcher/User by a third party for violation of
the rights of that third party where such claim, suit or proceeding arises out of an allegation that Data
furnished to Researcher/User hereunder infringes any intellectual property or confidentiality right.
Joint Rights and Obligations – Researcher/User and PCC, and Other Provisions
1. Either party may terminate this Agreement by providing thirty days written notice. Upon any termination or
the expiration of this Agreement, Researcher/User will return or destroy all copies of Data or portions thereof
in its possession that it has received from Data Host or created (or had others create) using Data that
Researcher/User received from any Data Host. Researcher/User will have the Data Custodian certify to Data
6
Rev. 2-19-08
�Host and PCC such destruction or return by signing and providing to each a Certification of Data Return or
Destruction.
2. This Agreement shall remain in force for a period of one year commencing with the date of latest signature
below, or through the end date of the license in Data granted to Researcher/User, whichever is longer. All
obligations or rights which by their nature survive and continue after the end date of this Agreement shall
survive and continue, and this shall specifically include the obligation of Researcher/User to seek review by
the PCC and PRB prior to publication as noted above. Any Amendments to this Agreement, to be effective,
shall be in writing and signed by an authorized Representative of each Party. This Agreement shall be
construed and interpreted in accordance with the laws of the state of North Carolina.
3. No rights or licenses under the intellectual property rights of PCC or Researcher/User are granted or implied
hereunder. Nothing contained herein shall be construed as conferring by implication, estoppel or otherwise
any license or right in favor of either party or any third party in any patents or other intellectual property
rights of the other. All intellectual property, technology, information and data provided or disclosed
hereunder shall be the sole and exclusive property of its owner or valid licensee and neither party shall use or
disclose such intellectual property, technology, information and data except as expressly agreed to in writing
by the owning or controlling party.
4. Neither party shall in any manner reference or cause to be referenced the other party, its trade names,
trademarks, service marks or any other indicia of origin owned by it, or indicate that its operations are any
way sponsored, approved or endorsed by the other. Except with the written consent of Researcher/User, PCC
shall not cause to be issued or released for publication, or participate in the publication of, any articles or
publicity relating to Researcher/User and the subject matter of this Agreement; provided, however, that PCC
may reveal all information supplied by Researcher/User in its applications to the ARB or PRB as necessary
for those bodies to act upon such applications, so long as that information is used only for purposes of
evaluating those applications and not shared with third parties unless necessary to such review and approved
by Researcher/User.
5. Neither this Agreement nor the receipt of Data by Researcher/User shall constitute or imply any promise or
intention by Researcher/User to evaluate, process or make use of the Data either now or in the future;
provided, Researcher/User shall comply with any requirements of the entity supplying any Data or Metadata
to Researcher/User even if they conflict with this provision.
6. NEITHER PARTY SHALL BE LIABLE TO THE OTHER FOR INCIDENTAL, INDIRECT,
CONSEQUENTIAL, SPECIAL, PUNITIVE, OR EXEMPLARY DAMAGES OF ANY KIND
(INCLUDING LOST REVENUES OR PROFITS, OR LOSS OF BUSINESS) IN ANY WAY
RELATED TO THIS AGREEMENT, REGARDLESS OF WHETHER IT WAS ADVISED, HAD
OTHER REASON TO KNOW, OR IN FACT KNEW OF THE POSSIBILITY THEREOF.
7. Any legal action arising in connection with this Agreement must begin within two (2) years after the cause of
action arises.
8. This Agreement shall not be considered accepted or effective until signed below by authorized representatives
of both of the parties. Each party represents and warrants that the person signing this Agreement on its behalf has full
authority to do so. By signing below, each individual warrants that he or she is authorized to bind his or her
organization to this Agreement. Neither party may assign all or a portion of its rights and obligations
hereunder without the prior written approval of the other party.
9. The Parties may execute two or more copies of this Agreement, each of which shall constitute an original
copy of this Agreement. A scanned, imaged, facsimile or photocopy of this Agreement as executed by the
Parties shall be deemed to be an original executed copy for all purposes.
7
Rev. 2-19-08
�RESEARCH TRIANGLE INSTITUTE
PREDICT Coordinating Center
RESEARCHER/USER
Signature
Signature
Name
Name
Title
Title
Date
Date
8
Rev. 2-19-08
�Attachment A
Description of Data being Requested by the Researcher/User
[One row must be completed for each data set being requested in Researcher/User’s Application]
Dataset
Catalog
Number
Dataset
Name
Proposed
Use
Persons to
Access Data
(Name,
Address,
Telephone,
Email, and
Citizenship)
IRB
Approval
Date (If
Applicable)
9
Access
Time
Period
Additional
Terms and
Conditions
from
Provider
and/or Host
Expiration
Date
Rev. 2-19-08
�Memorandum of Agreement
Attachment A - continued
Terms and Conditions for Access to and Use of Data as set by Data Provider
Terms and Conditions for Access to and Use of Data as set by Data Host
This Attachment A and its terms and conditions shall be a part of the Memorandum of Agreement between the
PCC and Researcher/User upon both approval of Researcher/User’s application by the Application Review Board
and signature below by Researcher/User. Such agreement and signature shall be a condition precedent to
Researcher/User’s access to any Data requested in Attachment A.
RESEARCHER/USER
Signature
Name
Title
Date
10
Rev. 2-19-08
�
| File Type | application/pdf |
| File Title | Microsoft Word - PREDICT_MOA_PCC Researcher_Final_8-06-07.doc |
| Author | scantor |
| File Modified | 2008-04-15 |
| File Created | 2007-08-07 |