DHS PREDICT Memorandum of Agreement between PREDICT Coordinating Center and Data Providers Form
Cover Sheet
1. Department Name: Department of Homeland Security
2. Component/Agency Name: Science and Technology Directorate
3. OMB Control Number: 1640-0012
4. Expiration Date: 08/31/20210
5. Agency Form Number: DHS Form 10036 (12/07)
6. Name of Form: Memorandum of Agreement (MoA) between PREDICT Coordinating Center (PCC) and Data Providers
7. Purpose of Form: The MoA is required for all applications to be a data host. The MoA defines the roles of the Data Provider and the PCC.
8. How to submit: Sign and fax to the PREDICT Coordinating Center, RTI International, Attn: Renee Karlsen, 866.835.0255 (toll free).
Cover Letter
Memorandum of Agreement
Thank you for your interest in joining the PREDICT community. In order for your application to be considered you must execute the attached Memorandum of Agreement. The memo must be received before your application can be considered.
Directions:
Print out the MOA.
Fill in appropriate names.
Complete all Attachments as they pertain to your application.
Complete the Contact Information form below with the requested information for the person who is signing this document.
Sign and fax to the PREDICT Coordinating Center, RTI International, Attn: Renee Karlsen, at 866.835.0255 (toll free). You may also create a PDF of the signed document and email to the PCC ([email protected]). An executed copy will be returned to you for your files.
Questions regarding your application may be directed to the PCC via email: [email protected]
Contact Information
Field | Entry
---|---
Name |
Title |
Organization |
Address |
City |
State |
Zip |
Phone |
Fax |
Memorandum of Agreement
PCC and Data Provider
This Memorandum of Agreement (MOA) is between ________________________________ (Data Provider) and the RTI International PREDICT Coordinating Center (“PCC”), (together the “Parties”). PCC supports the Protected Repository for the Defense of Infrastructure against Cyber Threats (PREDICT) project sponsored by the United States Department of Homeland Security (DHS). The PCC facilitates the data flow between PREDICT participants, processes applications from Researchers/Users for access to Data and publication of research results, develops metadata catalogs, and develops protocols (which are subject to DHS approval) to protect the confidentiality and integrity of certain data and direct its proper usage.
It is anticipated that the following eight types of organizations will participate (“Participants”) in project PREDICT:
Department of Homeland Security (DHS)
Data Providers
Researchers/Users
Application Review Board (ARB)
PCC
Data Hosts
Sponsoring Institutions
Publication Review Board (PRB)
The definitions of terms used herein and Participants’ roles are as follows:
Data Category is the designation given to a grouping of one or more separate, but similar, files of Data provided to the PREDICT project by the Data Provider, as specified on Attachment A.
Data is the information contained in separate files that comprise a Data Category and which are owned or controlled by the Data Provider and made available to the PREDICT project via a Data Host.
Metadata, as described in Attachment A, is information about the Data within each Data Category (but not the Data itself) which Data Provider and/or Data Host agree to disclose to the PCC and to permit the PCC to compile a catalog with other Metadata which is accessible by Data Providers and Data Hosts via the PREDICT portal, and which PCC may further disclose to approved Researchers/Users in a manner consistent with the terms of this Agreement. The PCC agrees to receive the Metadata, enter the Metadata in the PREDICT data catalog, and facilitate the release of the Metadata to Researchers/Users in accordance with the terms of this Agreement.
DHS will provide funding to the PCC and the Data Hosts for the PREDICT project.
PCC will receive and catalog Metadata about the Data and make the Metadata catalog available to approved Researchers/Users, subject to the terms and conditions in Attachment B. PCC does not store, maintain, or have access to any of the Data.
Data Provider shall mean an entity that provides Data that it owns or has a right to control to the PREDICT project via a Data Host, subject to the terms and conditions of this Agreement. A Data Provider may select a Data Host to receive and host the Data or it may host its own Data, in which case it shall also be deemed a Data Host. If Data Provider selects a third party Data Host to store its Data, Data Provider will provide Data to a Data Host who will host the Data for the benefit of the PREDICT project, subject to terms and conditions in Attachment B. A Data Provider must enter into a Data Provider “Memorandum of Agreement” with PCC.
Data Host shall mean an entity that provides computing infrastructure to store Data received from one or more Data Providers, and provides Researchers/Users access to the Data when the Researcher/User’s application requesting Data has been approved by the Application Review Board. Regardless of whether Data Provider acts as its own Data Host, or has a third party serve as its Data Host, the Data Host must enter into a “Memorandum of Agreement, PCC and Data Host.”
Researcher/User shall mean a person or entity that is a member of the cyber defense research and development community and who completes an official PCC application requesting Data from PREDICT for use in research and is approved by the ARB for access to Data. A Researcher/User which is an entity shall complete the application for itself, identifying an individual employed by the entity to serve as the Data Custodian. An individual Researcher/User must be affiliated with and obtain a letter of support from a Sponsoring Institution as part of his/her PCC application for Data.
Data Custodian shall mean the person with primary responsibility for the receipt, security, oversight, use, and return of Data on behalf of the Researcher/User. An approved individual Researcher/User shall be deemed the Data Custodian for his/her application.
Sponsoring Institutions are organizations that are affiliated with or otherwise sponsor Researchers/Users and validate their research and need for PREDICT data, and which agree to notify PCC in the event of a change in the sponsored Researcher/User’s affiliation with the Sponsoring Institution.
Application Review Board (“ARB”) shall mean an entity that, in conjunction with the PCC and the Data Provider, reviews and approves or rejects applications for requested Data and forwards approved applications to Data Hosts for delivery of Data, and to PCC to enable access to Metadata. The composition of the ARB is described below.
Publication Review Board (“PRB”) reviews and comments upon applications from Researchers/Users or Sponsoring Institutions to publish or otherwise release any study results or other information relating to Data or Metadata received through PCC. The PRB is empowered to reject applications to publish should the proposed publication violate the terms associated with the Data, including attribution of the source of the Data, or applicable laws and regulations governing release of Data, and the proposed author or publisher refuses to amend the publication to comply with the terms, laws, or regulations. The composition of the PRB is described below.
Data Provider Obligations
1. Data Provider hereby grants to PCC and the Data Host, as its agents, the right and authority to extend to an approved Researcher/User the right to use Data solely for the purposes described in Researcher/User’s approved application. Upon notification of approval from PCC, Data Provider will make Data within each approved Data Category available to approved Data Hosts, for release to approved Researchers/Users under the terms and conditions for access and use as set forth in Attachment B.
2. Data Provider will provide the PCC with Metadata for the Data within each approved Data Category that it makes available to PREDICT, as described in Attachment A. The Metadata will be catalogued and available to persons with an approved PREDICT account with the PCC, including Data Providers, Data Hosts, and approved Researchers/Users. Data Provider will NOT provide any information other than Data or Metadata, and PCC shall have no liability to Data Provider for any such non-requested information or any release of same to third parties.
3. Data Provider acknowledges that PCC may compile the Metadata it provides with metadata PCC receives from other Data Providers or Data Hosts into an evolving Metadata file, which may be released to approved persons including Researchers/Users.
4. Data Provider will provide terms and conditions for access to and use of the Data within each Data Category (as described in Attachment B) to include at least the following information:
a. Identification of Data Category, including attributes of the Data
b. Any identification, authentication, and authorization requirements for the primary Researcher/User (the person responsible for the conduct of the research for which the Data is required) and other persons with access, and the Data Custodian (the person responsible for control of the Data)
c. Permitted Uses of Data within the Data Category and any specific restrictions
d. Any minimum required safeguards (administrative, technical, physical) to protect the confidentiality of the Data
e. Institutional Review Board (IRB) requirements (if applicable)
f. Procedures for receipt, handling, control, dissemination, and return of Data
g. Restrictions on publishing or releasing information about the Data
h. Data Use Agreement to be executed by Researcher/Users and/or Sponsoring Institution with Provider and/or Host (if applicable).
5. Data Provider acknowledges that this is a research effort, and that the Data it provides will be used for research purposes for the PREDICT project and will be released to approved Researchers/Users in accordance with this Agreement.
6. Data Provider shall not supply any Data other than that which is within an approved Data Category. Data Provider is responsible for the release of the Data, and is solely responsible for reviewing the Data and ensuring (a) that any Data it releases complies with (i) this Agreement, including any restrictions specified by PCC on Attachment C, (ii) all requirements of applicable governing or regulating bodies, and (iii) any third party contractual agreements; and (b) that any Data it releases is consistent with Data Provider’s privacy, security, or other policies and procedures applicable to the Data. Data Provider shall not supply any information to PCC via a Data Host which may not be released to Researcher/Users or other persons approved to receive such Data by an authorized ARB. Data Provider certifies that Data provided for use in the PREDICT program is in compliance with the foregoing and that the Data has been sanitized, de-identified, or cleaned of any and all information that would not be in compliance or consistent with Attachments A, B, or C or the preceding sentence.
7. Data Provider will have a representative on both the Application Review Board and the Publication Review Board. Each Board will consist of at least five representatives, with representation as follows:
ARB: One representative from each of the (1) PCC; (2) DHS; (3) Data Provider; (4) Data Host; and (5) Ad-hoc representative from the Cyber-defense research community, chosen by DHS and the PCC. The Data Provider representative shall have absolute veto power over any application for access to its Data.
PRB: One representative from each of the (1) PCC; (2) DHS; (3) Data Provider; (4) Data Host; and (5) Ad-hoc representative from the Cyber-defense research community, chosen by DHS and the PCC.
To the extent permitted by law, Data Provider shall indemnify, defend, and hold harmless RTI, PCC and its or their employees, officers, directors (“Indemnified Parties”), from any loss, damage, liability, claims, costs, demands, suits, or judgments, including reasonable attorney’s fees and the assumption of the defense and its costs, as a result of any damage or injury (including death) to Indemnified Parties or injury to the property of Indemnified Parties, or for any injury (including death) to third persons or their property which is directly or indirectly caused by the negligence or willful misconduct or violation of statutory or regulatory duties by Data Provider, its employees, officers, or directors, in the course of performance under this Agreement. Indemnified Parties will promptly notify Data Provider of any claim against it or a third party of which they become aware and that is covered by this provision and Data Provider shall, to the extent permitted by law, authorize representatives to settle or defend any such claim or suit and to represent Indemnified Parties. Data Provider will promptly notify an Indemnified Party of any claim against it or a third party of which it becomes aware pertaining to Data or this Agreement and Data Provider shall, to the extent permitted by law, authorize representatives to settle or defend any such claim or suit and to represent Indemnified Parties in such litigation. An Indemnified Party, in its sole discretion and at its expense, may provide counsel to assist counsel for Data Provider, or represent said Indemnified Party. No settlement shall be made on behalf of an Indemnified Party which admits the fault of the Indemnified Party, without that Party’s written consent, which shall not be unreasonably withheld.
Data Provider shall provide all required data security and data protection requirements to the Data Host prior to transfer of Data and will take reasonably appropriate measures to ensure that such security and protection policies are followed by Data Host, consistent with the requirements of this Agreement and applicable rules, laws, and regulations.
To the extent permitted by law, Data Provider shall hold Indemnified Parties harmless from any misuse of Data or Metadata by a party other than Indemnified Parties and shall not look to the Indemnified Parties as an agent to protect Data Provider from misuses of its Data by Researchers/Users or Sponsoring Institutions, and the Indemnified Parties do not agree to serve in that capacity.
PCC Obligations
An MOA between the PCC and Data Provider, and between PCC and Data Host will be entered into before the Data Provider provides Metadata to the PCC or transfers Data to the Data Host.
PCC will notify Data Providers of:
Applications received for access to and use of their Data.
Third-party disclosure (publication) review requests from Researchers/Users or Sponsoring Institutions pertaining to their Data.
FOIA or other legal requests PCC receives for access to Data, Metadata or other records pertaining to Data Provider.
The PCC will safeguard the Metadata catalog, taking all reasonably necessary steps to ensure that (1) the Metadata it holds is adequately protected from unauthorized access; and (2) the Metadata it releases from its catalog is protected in transmission from unauthorized access.
PCC will provide Data and Metadata request statistics on a monthly basis to DHS and the Data Providers and Data Hosts.
If Data Provider provides Data in Attachment A which it deems to be confidential, then Attachment B shall define specifically what is deemed to be confidential Data (Confidential Data). PCC shall require the members of the ARB and PRB to sign Non-Disclosure Agreements (NDAs) with the PCC agreeing not to disclose Confidential Data obtained by virtue of serving on their respective Board and conferring, to the extent permitted by law, third party rights to seek redress under those NDAs to Data Providers and Data Hosts.
Joint Obligations – Data Provider and PCC
All transfers of Data, under the terms of this Agreement shall at all times be subject to the applicable laws and regulations of the United States. Each party agrees that it shall not make any disposition, by way of trans‑shipment, re‑export, diversion or otherwise, except as said laws and regulation may expressly permit, of information or data furnished under this Agreement. Each Party shall comply in all respects with applicable U.S. statutes, regulations, and administrative requirements regarding its relationships and sharing of Data with non-U.S. citizens or non-U.S. governmental and quasi-governmental entities, which may include but are not necessarily limited to, the export control regulations of the International Traffic in Arms Regulations (“ITAR”) and the Export Administration Act (“EAA”); the anti-boycott and embargo regulations and guidelines issued under the EAA; and the regulations of the U.S. Department Of The Treasury, Office of Foreign Assets Control.
The relationship of PCC to Data Provider under this Agreement is that of independent contractors. Personnel retained or assigned by one Party to perform services or obligations covered by this Agreement will at all times be considered agents or employees of the Party with whom such personnel have a contractual relationship, and not agents or employees of the other Party.
Either Party may terminate this Agreement at any time, in whole or in part, by providing written notice of termination to the other. Except as otherwise mutually agreed, termination shall be effective thirty (30) days from receipt of the notice. Any such termination shall not affect the obligations of either Party with respect to Data previously shared by one Party with the other, and such obligations shall continue through the return or destruction of all such Data.
In the event of action or inaction by one Party constituting a failure to comply (default) with the provisions of this Agreement, the non-defaulting Party may, by written notice to the defaulting Party, demand that the defaulting Party cure such default within ten (10) business days thereof. Should the defaulting Party fail to cure the default, the non-defaulting Party may terminate this Agreement and the Data held by the other Party shall be returned to the Data Provider. Termination under this provision shall not affect the obligations of either Party with respect to Data previously shared by one Party with the other, and such obligations shall continue through the return or destruction of all such Data.
Failure of either Party to enforce any of its rights hereunder shall not constitute a waiver of such rights. If any provision herein is, becomes, or is held invalid, illegal, or unenforceable, such provision shall be deemed modified only to the extent necessary to conform with applicable laws so as to be valid and enforceable. If it cannot be so amended without materially altering the intent of the Parties as indicated herein, it shall be stricken and the remainder of this Agreement shall remain in full force and effect and be enforced and construed as if such provision had not been included.
Neither this Agreement nor any interest herein may be assigned, in whole or in part, by either Party without the prior written consent of the other Party; provided, however, that without securing such prior consent, either Party shall have the right to assign this Agreement to any successor of such Party by way of merger or consolidation or the acquisition of substantially all of the assets of such Party relating to the subject matter of this Agreement; provided further, that such successor shall expressly assume all of the obligations of such Party under this Agreement.
This Agreement shall remain in force until July 31, 2009, commencing with the date of latest signature below. Any Amendments to this Agreement, to be effective, shall be in writing and signed by an authorized Representative of each Party.
8. Each party represents that the person signing this Agreement on its behalf has full authority to do so.
RESEARCH TRIANGLE INSTITUTE PREDICT Coordinating Center | DATA PROVIDER
---|---
Signature | Signature
Name | Name
Title | Title
Date | Date
Attachment A
Description of Data Category
Data Category | Description
---|---
 |
 |
 |
Description of Metadata for Each Data Category to be Provided by Data Provider
Name | Description
---|---
Dataset Name | Text name. Required to be unique in combination with a provider name. Researchers can use these tags for reference purposes and acknowledgment.
Data Category | The Data Category to which this measurement belongs.
Data Host | Identification of a single Data Host for the dataset; probably the host name.
Short Description | Brief description of the measurement.
Long Description | Lengthy description of the measurement.
Data Structure | Description of how data are stored.
Keywords | One or more selections from list. These will eventually hold tokens like TCP, Header, Netflow, Snort, etc.
Measurement Size | Size in bytes of the dataset.
Formats | Format(s) available for the dataset. One or more specifications from a list. These are tokens like text, CSV, Syslog, TCPheader, libpcap, etc.
Collection Start Date/Time | Date & time the data collection was begun.
Collection End Date/Time | Date & time the data collection ceased.
Ongoing Measurement | Boolean flag. Set (true) if the data collection is ongoing.
Checksum Value | Checksum of the data set. Not shown in data catalog.
Checksum Type | Type of the checksum. One or more values from a list, for example: crc32, rsa-md4, etc.
Anonymizations | Indicates how the measurement is anonymized. One or more anonymization type specifications from a list.
Metadata Version Date/Time | Date & time this version of the measurement metadata was defined by the Data Provider; not the date/time it was supplied or recorded.
Availability Start Date/Time | Date & time the dataset is first available.
Availability End Date/Time | Date & time the dataset is no longer available (when it’s scheduled to be purged).
Request Review Required | Flag indicating whether the Data Provider is required to be included in the ARB for any dataset request approval involving this measurement.
Publication Review Required | Flag indicating whether the Data Provider is required to be included in the PRB for any publication approval involving this measurement.
Private Access Instructions | Sensitive instructions for access at the data host. Not shown in data catalog.
Public Access Instructions | Public instructions for access at the data host.
Access Types | One or more access type specifications from a list, such as items like HDD, Tape only, downloadable, etc.
Items in blue are to be provided by Data Host; all other items provided by Data Provider.
Attachment B
Data Provider Terms and Conditions for Access to and Use of Data
Within Each Data Category
Put Data Category Name Here
Specify special terms and conditions for access to and use of data here (if any)
Put Data Category Name Here (delete if not needed)
Specify special terms and conditions for access to and use of data here (if any)
Put Data Category Name Here (delete if not needed)
Specify special terms and conditions for access to and use of data here (if any)
Attachment C
PCC Privacy or Other Restrictions on Data
Within Each Data Category
Data Category | Restriction
---|---
 |
 |
 |
File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
Author | Dave Obringer |
File Modified | 0000-00-00 |
File Created | 2021-02-02 |