Form 10036 (12/07) MOA PCC Data Provider

Protected Repository for the Defense of Infrastructure Against Cyber Threats (PREDICT)


Memorandum of Agreement - PCC and Data Provider

OMB: 1640-0012

OMB No. 1640-New
Expires: TBD
DHS PREDICT Memorandum of Agreement between PREDICT Coordinating
Center and Data Providers Form
Cover Sheet
1. Department Name: Department of Homeland Security
2. Component/Agency Name: Science and Technology Directorate
3. OMB Control Number: 1640-New
4. Expiration Date: TBD (Three years from approval date)
5. Agency Form Number:
6. Name of Form: Memorandum of Agreement (MoA) between PREDICT
Coordinating Center (PCC) and Data Providers
7. Purpose of Form: The MoA is required for all applications to be a data host.
The MoA defines the roles of the Data Provider and the PCC
8. How to submit: Sign and fax to the PREDICT Coordinating Center, RTI
International, Attn: Renee Karlsen, 866.835.0255 (toll free).


COVER LETTER
MEMORANDUM OF AGREEMENT
Thank you for your interest in joining the PREDICT community. In order for your application to be
considered you must execute the attached Memorandum of Agreement. The memo must be received
before your application can be considered.
Directions:
1. Print out the MOA.
2. Fill in appropriate names.
3. Complete all Attachments as they pertain to your application.
4. Complete the Contact Information form below with the requested information for the person who
is signing this document.
5. Sign and fax to the PREDICT Coordinating Center, RTI International, Attn: Renee Karlsen, at
866.835.0255 (toll free). An executed copy will be returned to you for your files.
Questions regarding your application may be directed to the PCC via email: [email protected]
Contact Information
Name
Title
Organization
Address
City
State
Zip
Email
Phone
Fax

An agency may not conduct or sponsor an information collection and a person is not required to respond to this information
collection unless it displays a current valid OMB control number and an expiration date. The control number for this
collection is 1640-XXXX and this form will expire on XX/XX/XXXX. The estimated average time to complete this form is
45 minutes per respondent. If you have any comments regarding the burden estimate you can write to Department of
Homeland Security, Science and Technology Directorate, Washington, DC 20528

DHS Form 10036 (12/07)

Rev. 2-20-08

Page 1 of 9

MEMORANDUM OF AGREEMENT
PCC AND DATA PROVIDER
This Memorandum of Agreement (MOA) is between ________________________________ (Data Provider) and
the RTI International PREDICT Coordinating Center (“PCC”), (together the “Parties”). PCC supports the
Protected Repository for the Defense of Infrastructure against Cyber Threats (PREDICT) project sponsored by the
United States Department of Homeland Security (DHS). The PCC facilitates the data flow between PREDICT
participants, processes applications from Researchers/Users for access to Data and publication of research results,
develops metadata catalogs, and develops protocols (which are subject to DHS approval) to protect the
confidentiality and integrity of certain data and direct its proper usage.
It is anticipated that the following eight types of organizations will participate (“Participants”) in project
PREDICT:
Department of Homeland Security (DHS)
PCC
Data Providers
Researchers/Users
Data Hosts
Sponsoring Institutions
Application Review Board (ARB)
Publication Review Board (PRB)

The definitions of terms used herein and Participants’ roles are as follows:
Data Category is the designation given to a grouping of one or more separate, but similar, files of Data provided
to the PREDICT project by the Data Provider, as specified on Attachment A.
Data is the information contained in separate files that comprise a Data Category and which are owned or
controlled by the Data Provider and made available to the PREDICT project via a Data Host.
Metadata, as described in Attachment A, is information about the Data within each Data Category (but not the
Data itself) which Data Provider and/or Data Host agree to disclose to the PCC and to permit the PCC to compile
a catalog with other Metadata which is accessible by Data Providers and Data Hosts via the PREDICT portal, and
which PCC may further disclose to approved Researchers/Users in a manner consistent with the terms of this
Agreement. The PCC agrees to receive the Metadata, enter the Metadata in the PREDICT data catalog, and
facilitate the release of the Metadata to Researchers/Users in accordance with the terms of this Agreement.
DHS will provide funding to the PCC and the Data Hosts for the PREDICT project.
PCC will receive and catalog Metadata about the Data and make the Metadata catalog available to approved
Researchers/Users, subject to the terms and conditions in Attachment B. PCC does not store, maintain, or have
access to any of the Data.
Data Provider shall mean an entity that provides Data that it owns or has a right to control to the PREDICT
project via a Data Host, subject to the terms and conditions of this Agreement. A Data Provider may select a Data
Host to receive and host the Data or it may host its own Data, in which case it shall also be deemed a Data Host.
If Data Provider selects a third party Data Host to store its Data, Data Provider will provide Data to a Data Host
who will host the Data for the benefit of the PREDICT project, subject to terms and conditions in Attachment B.
A Data Provider must enter into a Data Provider “Memorandum of Agreement” with PCC.
Data Host shall mean an entity that provides computing infrastructure to store Data received from one or more
Data Providers, and provides Researchers/Users access to the Data when the Researcher/User’s application
requesting Data has been approved by the Application Review Board. Regardless of whether Data Provider acts
as its own Data Host, or has a third party serve as its Data Host, the Data Host must enter into a “Memorandum of
Agreement, PCC and Data Host.”


Researcher/User shall mean a person or entity that is a member of the cyber defense research and development
community and who completes an official PCC application requesting Data from PREDICT for use in research
and is approved by the ARB for access to Data. A Researcher/User which is an entity shall complete the
application for itself, identifying an individual employed by the entity to serve as the Data Custodian. An
individual Researcher/User must be affiliated with and obtain a letter of support from a Sponsoring Institution as
part of his/her PCC application for Data.
Data Custodian shall mean the person with primary responsibility for the receipt, security, oversight, use, and
return of Data on behalf of the Researcher/User. An approved individual Researcher/User shall be deemed the
Data Custodian for his/her application.
Sponsoring Institutions are organizations that are affiliated with or otherwise sponsor Researchers/Users and
validate their research and need for PREDICT data, and which agree to notify PCC in the event of a change in the
sponsored Researcher/User’s affiliation with the Sponsoring Institution.
Application Review Board (“ARB”) shall mean an entity that, in conjunction with the PCC and the Data
Provider, reviews and approves or rejects applications for requested Data and forwards approved applications to
Data Hosts for delivery of Data, and to PCC to enable access to Metadata. The composition of the ARB is
described below.
Publication Review Board (“PRB”) reviews and comments upon applications from Researchers/Users or
Sponsoring Institutions to publish or otherwise release any study results or other information relating to Data or
Metadata received through PCC. The PRB is empowered to reject applications to publish should the proposed
publication violate the terms associated with the Data, including attribution of the source of the Data, or
applicable laws and regulations governing release of Data, and the proposed author or publisher refuses to amend
the publication to comply with the terms, laws, or regulations. The composition of the PRB is described below.
Data Provider Obligations
1. Data Provider hereby grants to PCC and the Data Host, as its agents, the right and authority to extend to an
approved Researcher/User the right to use Data solely for the purposes described in Researcher/User’s approved
application. Upon notification of approval from PCC, Data Provider will make Data within each approved Data
Category available to approved Data Hosts, for release to approved Researchers/Users under the terms and
conditions for access and use as set forth in Attachment B.
2. Data Provider will provide the PCC with Metadata for the Data within each approved Data Category that it
makes available to PREDICT, as described in Attachment A. The Metadata will be catalogued and available to
persons with an approved PREDICT account with the PCC, including Data Providers, Data Hosts, and approved
Researchers/Users. Data Provider will NOT provide any information other than Data or Metadata, and PCC shall
have no liability to Data Provider for any such non-requested information or any release of same to third parties.
3. Data Provider acknowledges that PCC may compile the Metadata it provides with metadata PCC receives
from other Data Providers or Data Hosts into an evolving Metadata file, which may be released to approved
persons including Researchers/Users.
4. Data Provider will provide terms and conditions for access to and use of the Data within each Data Category
(as described in Attachment B) to include at least the following information:
a. Identification of Data Category, including attributes of the Data
b. Any identification, authentication, and authorization requirements for the primary
Researcher/User (the person responsible for the conduct of the research for which the Data is
required) and other persons with access, and the Data Custodian (the person responsible for
control of the Data)
c. Permitted Uses of Data within the Data Category and any specific restrictions
d. Any minimum required safeguards (administrative, technical, physical) to protect the
confidentiality of the Data
e. Institutional Review Board (IRB) requirements (if applicable)
f. Procedures for receipt, handling, control, dissemination, and return of Data
g. Restrictions on publishing or releasing information about the Data
h. Data Use Agreement to be executed by Researcher/Users and/or Sponsoring Institution with
Provider and/or Host (if applicable).

5. Data Provider acknowledges that this is a research effort, and that the Data it provides will be used for
research purposes for the PREDICT project and will be released to approved Researchers/Users in accordance
with this Agreement.
6. Data Provider shall not supply any Data other than that which is within an approved Data Category. Data
Provider is responsible for the release of the Data, and is solely responsible for reviewing the Data and ensuring
(a) that any Data it releases complies with (i) this Agreement, including any restrictions specified by PCC on
Attachment C, (ii) all requirements of applicable governing or regulating bodies, and (iii) any third party
contractual agreements; and (b) that any Data it releases is consistent with Data Provider’s privacy, security, or
other policies and procedures applicable to the Data. Data Provider shall not supply any information to PCC via a
Data Host which may not be released to Researcher/Users or other persons approved to receive such Data by an
authorized ARB. Data Provider certifies that Data provided for use in the PREDICT program is in compliance
with the foregoing and that the Data has been sanitized, de-identified, or cleaned of any and all information that
would not be in compliance or consistent with Attachments A, B, or C or the preceding sentence.
7. Data Provider will have a representative on both the Application Review Board and the Publication Review
Board. Each Board will consist of at least five representatives, with representation as follows:
ARB: One representative from each of the (1) PCC; (2) DHS; (3) Data Provider; (4) Data Host; and (5)
Ad-hoc representative from the Cyber-defense research community, chosen by DHS and the PCC. The
Data Provider representative shall have absolute veto power over any application for access to its Data.
PRB: One representative from each of the (1) PCC; (2) DHS; (3) Data Provider; (4) Data Host; and (5)
Ad-hoc representative from the Cyber-defense research community, chosen by DHS and the PCC.
8. To the extent permitted by law, Data Provider shall indemnify, defend, and hold harmless RTI, PCC and its
or their employees, officers, directors (“Indemnified Parties”), from any loss, damage, liability, claims, costs,
demands, suits, or judgments, including reasonable attorney’s fees and the assumption of the defense and its costs,
as a result of any damage or injury (including death) to Indemnified Parties or injury to the property of
Indemnified Parties, or for any injury (including death) to third persons or their property which is directly or
indirectly caused by the negligence or willful misconduct or violation of statutory or regulatory duties by Data
Provider, its employees, officers, or directors, in the course of performance under this Agreement. Indemnified
Parties will promptly notify Data Provider of any claim against it or a third party of which they become aware and
that is covered by this provision and Data Provider shall, to the extent permitted by law, authorize representatives
to settle or defend any such claim or suit and to represent Indemnified Parties. Data Provider will promptly notify
an Indemnified Party of any claim against it or a third party of which it becomes aware pertaining to Data or this
Agreement and Data Provider shall, to the extent permitted by law, authorize representatives to settle or defend
any such claim or suit and to represent Indemnified Parties in such litigation. An Indemnified Party, in its sole
discretion and at its expense, may provide counsel to assist counsel for Data Provider, or represent said
Indemnified Party. No settlement shall be made on behalf of an Indemnified Party which admits the fault of the
Indemnified Party, without that Party’s written consent, which shall not be unreasonably withheld.
9. Data Provider shall provide all required data security and data protection requirements to the Data Host prior
to transfer of Data and will take reasonably appropriate measures to ensure that such security and protection
policies are followed by Data Host, consistent with the requirements of this Agreement and applicable rules, laws,
and regulations.


10. To the extent permitted by law, Data Provider shall hold Indemnified Parties harmless from any misuse of
Data or Metadata by a party other than Indemnified Parties and shall not look to the Indemnified Parties as an
agent to protect Data Provider from misuses of its Data by Researchers/Users or Sponsoring Institutions, and the
Indemnified Parties do not agree to serve in that capacity.
PCC Obligations
1. An MOA between the PCC and Data Provider, and between PCC and Data Host will be entered into before
the Data Provider provides Metadata to the PCC or transfers Data to the Data Host.
2. PCC will notify Data Providers of
a. Applications received for access to and use of their Data
b. Third-party disclosure (publication) review requests from Researchers/Users or Sponsoring Institutions
pertaining to their Data.
c. FOIA or other legal requests PCC receives for access to Data, Metadata or other records pertaining to
Data Provider.

3. The PCC will safeguard the Metadata catalog, taking all reasonably necessary steps to ensure that (1) the
Metadata it holds is adequately protected from unauthorized access; and (2) the Metadata it releases from its
catalog is protected in transmission from unauthorized access.
4. PCC will provide Data and Metadata request statistics on a monthly basis to DHS and the Data Providers and
Data Hosts.
5. If Data Provider provides Data in Attachment A which it deems to be confidential, then Attachment B shall
define specifically what is deemed to be confidential Data (Confidential Data). PCC shall require the members of
the ARB and PRB to sign Non-Disclosure Agreements (NDAs) with the PCC agreeing not to disclose
Confidential Data obtained by virtue of serving on their respective Board and conferring, to the extent permitted
by law, third party rights to seek redress under those NDAs to Data Providers and Data Hosts.
Joint Obligations – Data Provider and PCC
1. All transfers of Data, under the terms of this Agreement shall at all times be subject to the applicable laws
and regulations of the United States. Each party agrees that it shall not make any disposition, by way of
trans-shipment, re-export, diversion or otherwise, except as said laws and regulation may expressly permit, of
information or data furnished under this Agreement. Each Party shall comply in all respects with applicable U.S.
statutes, regulations, and administrative requirements regarding its relationships and sharing of Data with non-U.S. citizens or non-U.S. governmental and quasi-governmental entities, which may include but are not
necessarily limited to, the export control regulations of the International Traffic in Arms Regulations (“ITAR”)
and the Export Administration Act (“EAA”); the anti-boycott and embargo regulations and guidelines issued
under the EAA; and the regulations of the U.S. Department Of The Treasury, Office of Foreign Assets Control.
2. The relationship of PCC to Data Provider under this Agreement is that of independent contractors.
Personnel retained or assigned by one Party to perform services or obligations covered by this Agreement will at
all times be considered agents or employees of the Party with whom such personnel have a contractual
relationship, and not agents or employees of the other Party.
3. Either Party may terminate this Agreement at any time, in whole or in part, by providing written notice of
termination to the other. Except as otherwise mutually agreed, termination shall be effective thirty (30) days from
receipt of the notice. Any such termination shall not affect the obligations of either Party with respect to Data
previously shared by one Party with the other, and such obligations shall continue through the return or
destruction of all such Data.


4. In the event of action or inaction by one Party constituting a failure to comply (default) with the provisions
of this Agreement, the non-defaulting Party may, by written notice to the defaulting Party, demand that the
defaulting Party cure such default within ten (10) business days thereof. Should the defaulting Party fail to cure
the default, the non-defaulting Party may terminate this Agreement and the Data held by the other Party shall be
returned to the Data Provider. Termination under this provision shall not affect the obligations of either Party
with respect to Data previously shared by one Party with the other, and such obligations shall continue through
the return or destruction of all such Data.
5. Failure of either Party to enforce any of its rights hereunder shall not constitute a waiver of such rights. If
any provision herein is, becomes, or is held invalid, illegal, or unenforceable, such provision shall be deemed
modified only to the extent necessary to conform with applicable laws so as to be valid and enforceable. If it
cannot be so amended without materially altering the intent of the Parties as indicated herein, it shall be stricken
and the remainder of this Agreement shall remain in full force and effect and be enforced and construed as if such
provision had not been included.
6. Neither this Agreement nor any interest herein may be assigned, in whole or in part, by either Party without
the prior written consent of the other Party; provided, however, that without securing such prior consent, either
Party shall have the right to assign this Agreement to any successor of such Party by way of merger or
consolidation or the acquisition of substantially all of the assets of such Party relating to the subject matter of this
Agreement; provided further, that such successor shall expressly assume all of the obligations of such Party under
this Agreement.
7. This Agreement shall remain in force until July 31, 2009, commencing with the date of latest signature
below. Any Amendments to this Agreement, to be effective, shall be in writing and signed by an authorized
Representative of each Party.
8. Each party represents that the person signing this Agreement on its behalf has full authority to do so.

RESEARCH TRIANGLE INSTITUTE
PREDICT Coordinating Center
Signature
Name
Title
Date

DATA PROVIDER
Signature
Name
Title
Date


Attachment A
Description of Data Category
Data Category | Description

Description of Metadata for Each Data Category to be Provided by Data Provider

Name | Description
Dataset Name | Text name. Required to be unique in combination with a provider name. Researchers can use these tags for reference purposes and acknowledgment.
Data Category | The Data Category to which this measurement belongs.
Data Host | Identification of a single Data Host for the dataset; probably the host name.
Short Description | Brief description of the measurement.
Long Description | Lengthy description of the measurement.
Data Structure | Description of how data are stored.
Keywords | One or more selections from list. These will eventually hold tokens like TCP, Header, Netflow, Snort, etc.
Measurement Size | Size in bytes of the dataset.
Formats | Format(s) available for the dataset. One or more specifications from a list. These are tokens like text, CSV, Syslog, TCPheader, libpcap, etc.
Collection Start Date/Time | Date & time the data collection was begun.
Collection End Date/Time | Date & time the data collection ceased.
Ongoing Measurement | Boolean flag. Set (true) if the data collection is ongoing.
Checksum Value | Checksum of the data set. Not shown in data catalog.
Checksum Type | Type of the checksum. One or more values from a list, for example: crc32, rsa-md4, etc.
Anonymizations | Indicates how the measurement is anonymized. One or more anonymization type specifications from a list.
Metadata Version Date/Time | Date & time this version of the measurement metadata was defined by the Data Provider; not the date/time it was supplied or recorded.
Availability Start Date/Time | Date & time the dataset is first available.
Availability End Date/Time | Date & time the dataset is no longer available (when it’s scheduled to be purged).
Request Review Required | Flag indicating whether the Data Provider is required to be included in the ARB for any dataset request approval involving this measurement.
Publication Review Required | Flag indicating whether the Data Provider is required to be included in the PRB for any publication approval involving this measurement.
Private Access Instructions | Sensitive instructions for access at the data host. Not shown in data catalog.
Public Access Instructions | Public instructions for access at the data host.
Access Types | One or more access type specifications from a list, such as items like HDD, Tape only, downloadable, etc.

Items in blue are to be provided by Data Host; all other items provided by Data Provider.

Attachment B
Data Provider Terms and Conditions for Access to and Use of Data
Within Each Data Category
Put Data Category Name Here
Specify special terms and conditions for access to and use of data here (if any)
Put Data Category Name Here (delete if not needed)
Specify special terms and conditions for access to and use of data here (if any)
Put Data Category Name Here (delete if not needed)
Specify special terms and conditions for access to and use of data here (if any)


Attachment C
PCC Privacy or Other Restrictions on Data
Within Each Data Category
Data Category | Restriction



File Type: application/pdf
File Title: Microsoft Word - PREDICT_MOA_PCC Data Provider_Final_5-29-06.doc
Author: scantor
File Modified: 2008-04-15
File Created: 2007-04-11
