Narrative of Revisions

Introduction and instructions - reworded

Signature Segment -reworded

“Recitals” Section -Reworded (Table remained same, so not included here) in response to adjustment in the legal wording and editing

“General Terms and Conditions” Section - Reworded/Shortened

“Researcher/User Agreements, Rights and Obligations” Section – Reworded and Shortened. Also word “Agreements” was added to title of the section.

“PREDICT Coordinating Center (PCC) Rights and Obligations” Section – Reworded. Also word “Rights” added into title of the section to make the title more precise in relation to the legal wording.

“Joint Rights and Obligations – Researcher/User and PCC, and Other Provisions” Section – Reworded to place responsibility for publication review on both parties.

Thank you for your interest in joining the PREDICT community. In order for your application to be considered you must execute the attached Memorandum of Agreement. The memo must be received before your application can be considered.

Directions:

1. Print out the MOA.

2. Fill in appropriate names.

3. Complete all Attachments as they pertain to your application

4. Complete the Contact Information form below with the requested information for the person who

is signing this document.

5. Sign and fax to the PREDICT Coordinating Center, RTI International, Attn: Renee Karlsen, at

866.835.0255 (toll free.). An executed copy will be returned to you for your files.

Questions regarding your application may be directed to the PCC via email: [email protected]
-----------------------------------

This Memorandum of Agreement (Agreement) is between _____________________, a _____________

corporation having offices at __________________________________________________________________

or _____________________, with address of ___________________________________ (“Researcher/User”) and Research Triangle Institute (“RTI”), a North Carolina corporation having offices at 3040 Cornwallis Road, Research Triangle Park, NC 27709. RTI serves under contract to the United States Department of Homeland Security (“DHS”) as the operator of the PREDICT Coordinating Center (“PCC”). References throughout this document to “PCC” shall be deemed to refer to RTI.

--------------------------------------------

The PCC supports the Protected Repository for the Defense of Infrastructure against Cyber Threats (PREDICT) project sponsored by the United States Department of Homeland Security (DHS). DHS will provide funding to the PCC and the Data Hosts for the PREDICT Project.

This Agreement consists of the General Terms and Conditions and Attachment A. The provisions of each

Attachment shall be construed so as to be fully consistent with all of the provisions of the General Terms and Conditions and, in the case of any conflict, the General Terms and Conditions shall prevail unless an Attachment is separately executed by both Parties and expressly amends particular provisions of the General Terms and Conditions, in which case the amendments of such Attachment shall prevail over such particular provisions of the General Terms and Conditions.

----------------------------------------------

Researcher/User and PCC agree to the following:

Data shall mean the information described in Attachment A that is owned or controlled by a Data Provider, made available to the PREDICT project via a Data Host, and which is being requested by the Researcher/User. Attachment A shall be incorporated into this Agreement at the time and to the extent that Researcher/User’s application for Data described therein is approved by the Application Review Board (ARB).

Metadata, as described in Attachment A, is information about the Data (but not the Data itself) which Data

Provider and/or Data Host agree to disclose to the PCC and to permit the PCC to compile in a catalog with other

Metadata which is accessible by Data Providers and Data Hosts via the PREDICT portal, and which PCC may further disclose to approved Researchers/Users in a manner consistent with the terms of its Agreements with the Data Provider and Data Host. The PCC agrees to receive the Metadata, enter the Metadata in the PREDICT data catalog, and facilitate the release of the Metadata to Researchers/Users in accordance with the approved terms.

DHS will provide funding to the PCC and the Data Hosts for the PREDICT project via separate agreements entered into individually between DHS and the PCC, and DHS and Data Hosts.

PCC facilitates the data flow between PREDICT participants, processes applications from Researcher/User for access to Data or approval to publish research results, develops Metadata catalogs, and develops protocols (which are subject to DHS approval) to help protect the confidentiality and integrity of data and direct its proper usage. PCC will receive and catalog Metadata about the Data and make the Metadata catalog available to approved Researchers/Users, subject to the terms and conditions of its Agreements with the Data Providers and Data Hosts. PCC does not store, maintain, or have access to any of the Data.

Data Provider shall mean an entity that provides Data that it owns or has a right to control and disclose to the

PREDICT project via a Data Host, subject to the terms and conditions in an MOA between it and PCC. A Data Provider may select a Data Host to receive and host the Data or it may host its own Data, in which case it shall also be deemed a Data Host. If Data Provider selects a third party Data Host to store its Data, Data Provider will provide Data to a Data Host who will host the Data for the benefit of the PREDICT project. A Data Provider must enter into a Data Provider “Memorandum of Agreement” with PCC.

Data Host shall mean an entity that provides computing infrastructure to store Data received from one or more Data Providers, and provides Researchers/Users access to Data when the Researcher/User’s application requesting Data has been approved by the Application Review Board. Data Host may also host its own Data. If Data Host hosts its own Data, it shall also enter into a Data Provider “Memorandum of Agreement” with PCC.

Researcher/User shall mean a person or entity that is a member of the cyber defense research and development community who completes an official PCC application requesting Data from PREDICT for use in research and is approved by the ARB for access to Data. A Researcher/User which is an entity shall complete the application for itself, identifying an individual employed by the entity to serve as the Data Custodian responsible for the security, oversight, use, and return of the Data. An individual Researcher/User must be affiliated with and obtain a letter of support from a Sponsoring Institution as part of his/her PCC application for Data.

Data Custodian shall mean the person with primary responsibility for the receipt, security, oversight, use, and return of Data on behalf of the Researcher/User. An approved individual Researcher/User shall be deemed the Data Custodian for his/her application.

Sponsoring Institution is an organization that is affiliated with or otherwise sponsors Researchers/Users and validate their research and need for PREDICT data, and which agree to notify PCC in the event of a change in the sponsored Researcher/User’s affiliation with the Sponsoring Institution.

Application Review Board (“ARB”) shall mean an entity that reviews and approves or rejects applications for requested Data or Metadata and forwards approved applications to Data Hosts for delivery of Data, and to PCC to enable access to Metadata.

Publication Review Board (“PRB”) shall mean an entity that reviews and comments upon applications from Researchers/Users or Sponsoring Institutions to publish or otherwise release any study results or other information relating to Data or Metadata received through PCC. The PRB is empowered to reject applications to publish should the proposed publication violate the terms associated with the Data, including attribution of the source of the Data, or applicable laws and regulations governing release of Data, and the proposed author or publisher refuses to amend the publication to comply with the terms, laws, or regulations.

Any and all terms and conditions besides those set forth in the General Terms and Conditions of this Agreement concerning permitted access to, handling, storage, disclosure, and use of Data by Researcher/User shall be set forth in Attachment A. Signature on Attachment A is a condition precedent to Researcher/User obtaining any Data under PREDICT.

-----------------------------------------------

By requesting and receiving Data from the PCC, and in consideration of the release to Researcher/User of the

Data described in Attachment A, the Researcher/User agrees to all terms and conditions as follows:

1. Researcher/User has certified that all information contained in Researcher/User’s application for PREDICT Data are accurate and complete, and that such certification is a material term of this Agreement. Should it be determined that such information was false, inaccurate, incomplete, or otherwise designed to conceal material information from the PCC, Data Host, or Data Provider, the PCC may in its sole discretion immediately suspend this Agreement and require additional information from Researcher/User and/or immediately terminate this Agreement and require return of all Data (including any copies thereof) to the entity from which obtained. Researcher further agrees that all information contained in Researcher/User’s application may be shared as necessary to facilitate PCC operations and compliance with PCC operational policies and procedures, including sharing the information with the ARB, PRB, Data Hosts, Data Providers, and, if necessary, DHS.

2. For applications made by Researcher/User and approved by the ARB, PCC hereby grants to Researcher/User, on behalf of Data Provider and/or Data Host, a right to use the Data solely for the purposes described in the Researcher/User’s approved application and in all respects in accordance with the terms and conditions included herein and in Attachment A. Researcher/User shall not use the Data for purposes other than those described in the Researcher/User’s application. Furthermore, Researcher/User shall not transmit, send, export, or use the Data outside of the United States, and Researcher/User shall take steps to ensure that all persons named on Researcher/User’s application are aware of this restriction and do not transmit, send, export, or use the Data outside the United States. Upon receipt of the Data, Data Provider hereby grants to Researcher/User, on behalf of Data Provider (itself) and the Data Host(s), a license to Researcher/User to use the Data solely for the purposes described in the Researcher/User’s application.

3. Use of Data by Researcher/User shall conform to the terms of the license granted, and the terms of this MOA and Attachments. Researcher/User shall not through negligence or willful misconduct violate or infringe existing intellectual property or confidentiality rights of the person(s) or entity(ies) with such rights in the Data. Researcher/User shall not be liable to the property right holder for any such infringement where such infringement results solely from the release by Data Provider or Data Host of the Data to Researcher/User, or results solely from use by Researcher/User in accordance with its approved application and the terms of this MOA, including Attachment A. The Terms and Conditions of this Article are for the primary benefit of PCC and Researcher/User; however, a violation by Researcher/User of these Obligations may create harm to Data Providers and/or Data Hosts of the Data to which Researcher/User is granted access. These Parties are therefore deemed third party beneficiaries under this agreement for only those purposes and Research/User hereby acknowledges the third party beneficiary rights of such Data Providers and Data Hosts provided, however, that if the MOA entered between the PCC and any specific Data Provider or Data Host does not contain a reciprocal third party beneficiary right in favor of Researcher/User, then this Article shall not apply in favor of such Data Provider or Data Host.

4. The Researcher/User will not disclose Data to any persons other than those identified in the approved application which results in researcher/User being granted access to the Data, or such other persons as shall be approved in writing by the PCC (after consultation with the Data Provider or Application Review Board, as required by the terms set by the Data Provider of the Data in question) in response to a written request of Researcher/User.

5. Researcher/User will establish and maintain the appropriate administrative, technical, and physical safeguards to protect the confidentiality of the Data and to prevent unauthorized use or access to the Data, including the use of locked storage facilities and strong passwords for Data accessible electronically. Strong passwords must be at least 6 characters in length, and must include both alpha-numeric characters and symbols.

6. Researcher/User will permit others to use the Data only in accordance with the terms of this Agreement and the procedures in Researcher/User’s approved application. Access to the Data shall be limited to the minimum number of individuals necessary to achieve the purpose stated in Researcher/User’s application, but in no event shall access be granted to persons not identified in the Researcher/User’s approved application or subsequently approved in writing by the PCC.

7. Researcher/User, whether individual or entity and whether or not they are also a Sponsoring Institution, shall notify PCC in writing within thirty (30) days if any approved individual leaves the Sponsoring Institution or the research project or, in the case of a Researcher/User that is an entity, if the controlling ownership (or other controlling entity) of the Researcher/User changes.

8. (a) Researcher/User as an Individual. If Researcher/User is an individual and moves to a different institution after access to Data is granted, Researcher/User’s approval to use or disclose the Data shall immediately be suspended, as shall use by any other individual named in Researcher/User’s application or located at Researcher/User’s Sponsoring Institution. Researcher/User will notify PCC and Researcher/User’s current Sponsoring Institution in writing within thirty (30) days regarding the proposed disposition of all copies of the Data and follow PCC’s directions and researcher/User’s Sponsoring Institution’s guidelines. Continued use of the Data to which Researcher/User had approved access shall be contingent upon the submission and approval of a new application from Researcher/User, complete with a letter of Sponsorship from Researcher/User’s new Sponsoring Institution. Should other individuals at the institution which sponsored Researcher/User’s initial application desire continued access to the Data, a primary Researcher/User at that institution must complete and submit a new application for access to the Data and receive approval from the ARB for such access.

(b) Researcher/User as an Entity. If Researcher/User is an entity and the individual identified as the primary Data Custodian leaves employment with Researcher/User, Researcher/User shall immediately propose an alternate Data Custodian to the PCC for its review and approval. Researcher/User shall provide such information on the proposed new Data Custodian as PCC shall reasonably require, and PCC may consult with the ARB, Data Provider, or Data Host during the review as required by the terms set by the Data Provider and Data Host of the Data in question or, in the absence of such terms, as PCC shall in its sole discretion deem appropriate. PCC shall approve or deny the proposed substitution within five business days, or such longer period as may be required to obtain adequate information from Researcher/User or third parties as is necessary to fully evaluate the proposed Data Custodian’s fitness for the position, or to obtain approval of the ARB or Data Provider or Data Host as the terms associated with the Data require. During the period of review, no individuals other than those previously approved shall have access to the Data pending the PCC decision.

9. No findings, analysis, or information derived from the Data may be released if such findings contain any combination of data elements that might allow for identification or the deduction of a person’s or institution’s identity, unless such identification is both (a) explicitly permitted under the terms governing handling and release of Data incorporated herein and (b) not in violation of applicable U.S. or state law.

10. Researcher/User shall submit any findings, results of analysis, or manuscripts proposed for public release, publication, or any other type of disclosure to persons not listed and approved in this application (e.g., abstracts, presentations (oral or written), publications) to review by a Publications Review Board (PRB) managed by PCC prior to release to assure that data confidentiality is maintained, entities or individuals cannot be identified (except as permitted under Article 9 above), and the terms and conditions attached to the use of the Data have been followed. In addition, Researcher/User shall identify the PREDICT program as the source of Data in all proposed publications, and DHS as the sponsor of PREDICT. Researcher/User shall abide by any decisions made by the PCC and PRB with respect to non-publication or changes necessary to ensure these conditions are met, and will not submit such documents for publication or otherwise publicly release them until receiving the PCC’s approval to do so; provided, PCC may withhold approval to publish on

the results of research only if it reasonably determines that the format of Data presentation is such that it does not meet the terms and conditions for the use of the Data as reflected in this MOA and Attachments or if publication may result in identification of the Data Provider or another institution, organization, or individual or otherwise breach a duty of confidence owed to Data Provider or the subject from whom the Data was collected. A link to or copy of all approved publications shall be provided to the PCC by Researcher/User.

11. Researcher/User will report immediately to PCC any use or disclosure of the Data other than as permitted by this Agreement, and will take all commercially reasonable steps to mitigate the effects of such improper use or disclosure, including cooperating with all reasonable requests of PCC towards that end.

12. Unless re-identification of Data is required and was disclosed and approved in the application by Researcher/User to the ARB, Researcher/User may not attempt to or actually unlock, override, reverse engineer, or otherwise take any steps to defeat any anonymization or obfuscation methods or tools that have been applied to any Data by the Data Provider or Data Host, or otherwise to violate any of the terms of use associated with the Data.

13. Researcher/User agrees that in the event PCC determines or has a reasonable belief that Researcher/User has violated any terms of this Agreement, PCC may terminate this Agreement and require that Researcher/User return the data and all derivative files. PCC may also seek injunctive relief against Researcher/User to prevent any unauthorized disclosure of Data by Researcher/User. Researcher/User understands that as a result of this determination or reasonable belief that a violation of this Agreement has occurred, PCC may also refuse to release further Data to Researcher/User. In addition, PCC may report any misuse or improper disclosure of Data to Data Provider and Data Host and to appropriate authorities as permitted or required by applicable Federal or state law.

14. Upon expiration or termination of this Agreement or an expiration date specified for certain Data in Attachment A, and as directed by PCC, Researcher/User agrees to either destroy all copies of the Data or return such Data to the Data Host per PCC’s instructions. Researcher/User or the Data Custodian shall certify such destruction or return by signing and providing to PCC a Certification of Data Return or Destruction.

15. Researcher/User shall indemnify, defend, and hold PCC and its or their employees, officers, directors, or agents harmless from any loss, damage, liability, claims, costs, demands, suits, or judgments, including reasonable attorney’s fees and the assumption of the defense and its costs, as a result of any damage or injury (including death) to PCC, and its or their employees, officers, directors, or agents, or injury to the property of PCC and its or their employees, officers, directors or agents, or for any injury (including death) to third persons or their property which is directly caused by the gross negligence or willful misconduct of Researcher/User or its agents, in the course of performance or arising out of or connected to any of the Data or related research specified in or arising out of this Agreement. PCC will promptly notify Researcher/User of any claim against it of which PCC becomes aware and that is covered by this provision and Researcher/User shall authorize representatives to settle or defend any such claim or suit and to represent PCC or other indemnified parties in such litigation; provided, PCC may, in its sole discretion and at its expense, provide counsel to represent it or to assist counsel for Researcher/User.

16. Researcher/User will promptly notify PCC of any claim against it or a third party of which it becomes aware pertaining to Data or this Agreement and Researcher/User shall authorize representatives to settle or defend any such claim or suit and to represent PCC or other indemnified parties in such litigation; provided, PCC may, in its sole discretion and at its expense, provide counsel to assist counsel for Researcher/User.

-----------------------------------------------

1. PCC shall notify Researcher/User of

a) FOIA or other legal requests for access to Data

b) Data return or destruction requirements at expiration date for Data specified in Attachment A.

2. Unless otherwise indicated in Attachment A, PCC has obtained from all Data Providers and Data Hosts with rights in the Data acquired by Researcher/User hereunder an agreement containing third-party beneficiary rights in Researcher/User to enable Researcher/User to seek redress against Data Providers and Data Hosts for any claim, suit or proceeding asserted or commenced against Researcher/User by a third party for violation of the rights of that third party where such claim, suit or proceeding arises out of an allegation that Data furnished to Researcher/User hereunder infringes any intellectual property or confidentiality right.



-----------------------------------------------
1. Either party may terminate this Agreement by providing thirty days written notice. Upon any termination or the expiration of this Agreement, Researcher/User will return or destroy all copies of Data or portions thereof in its possession that it has received from Data Host or created (or had others create) using Data that Researcher/User received from any Data Host. Researcher/User will have the Data Custodian certify to Data Host and PCC such destruction or return by signing and providing to each a Certification of Data Return or Destruction.

2. This Agreement shall remain in force for a period of one year commencing with the date of latest signature below, or through the end date of the license in Data granted to Researcher/User, whichever is longer. All obligations or rights which by their nature survive and continue after the end date of this Agreement shall survive and continue, and this shall specifically include the obligation of Researcher/User to seek review by the PCC and PRB prior to publication as noted above. Any Amendments to this Agreement, to be effective, shall be in writing and signed by an authorized Representative of each Party. This Agreement shall be construed and interpreted in accordance with the laws of the state of North Carolina.

3. No rights or licenses under the intellectual property rights of PCC or Researcher/User are granted or implied hereunder. Nothing contained herein shall be construed as conferring by implication, estoppel or otherwise any license or right in favor of either party or any third party in any patents or other intellectual property rights of the other. All intellectual property, technology, information and data provided or disclosed hereunder shall be the sole and exclusive property of its owner or valid licensee and neither party shall use or disclose such intellectual property, technology, information and data except as expressly agreed to in writing by the owning or controlling party.

4. Neither party shall in any manner reference or cause to be referenced the other party, its trade names, trademarks, service marks or any other indicia of origin owned by it, or indicate that its operations are any way sponsored, approved or endorsed by the other. Except with the written consent of Researcher/User, PCC shall not cause to be issued or released for publication, or participate in the publication of, any articles or publicity relating to Researcher/User and the subject matter of this Agreement; provided, however, that PCC may reveal all information supplied by Researcher/User in its applications to the ARB or PRB as necessary for those bodies to act upon such applications, so long as that information is used only for purposes of evaluating those applications and not shared with third parties unless necessary to such review and approved by Researcher/User.

5. Neither this Agreement nor the receipt of Data by Researcher/User shall constitute or imply any promise or intention by Researcher/User to evaluate, process or make use of the Data either now or in the future; provided, Researcher/User shall comply with any requirements of the entity supplying any Data or Metadata to Researcher/User even if they conflict with this provision.

6. NEITHER PARTY SHALL BE LIABLE TO THE OTHER FOR INCIDENTAL, INDIRECT, CONSEQUENTIAL, SPECIAL, PUNITIVE, OR EXEMPLARY DAMAGES OF ANY KIND (INCLUDING LOST REVENUES OR PROFITS, OR LOSS OF BUSINESS) IN ANY WAY RELATED TO THIS AGREEMENT, REGARDLESS OF WHETHER IT WAS ADVISED, HAD

OTHER REASON TO KNOW, OR IN FACT KNEW OF THE POSSIBILITY THEREOF.

7. Any legal action arising in connection with this Agreement must begin within two (2) years after the cause of action arises.

8. This Agreement shall not be considered accepted or effective until signed below by authorized representatives of both of the parties. Each party represents and warrants that the person signing this Agreement on its behalf has full authority to do so. By signing below, each individual warrants that he or she is authorized to bind his or her organization to this Agreement. Neither party may assign all or a portion of its rights and obligations hereunder without the prior written approval of the other party.

9. The Parties may execute two or more copies of this Agreement, each of which shall constitute an original copy of this Agreement. A scanned, imaged, facsimile or photocopy of this Agreement as executed by the Parties shall be deemed to be an original executed copy for all purposes.

Thank you for your interest in using PREDICT datasets. In order for your application for PREDICT datasets to be considered, you must complete and sign the attached Memorandum of Agreement (MOA) and submit it to the PREDICT Coordinating Center (PCC).
Instructions:

Print the MOA.

Fill in requested information and complete Attachment A, as noted.

Complete the Contact Information form below

Sign the MOA and fax it to 866.835.0255 (toll free). An executed copy will be returned to you for your files.

Questions regarding this MOA or your request for PREDICT datasets may be directed to the PCC via email: [email protected].

--------------------------------------

This Memorandum of Agreement (“MOA” or “Agreement”) is between _____________________, a _____________ corporation or entity having offices at __________________________________________________________________ or an individual, _____________________, with address of ___________________________________ (“Researcher/User” for either corporation/entity or individual) and Research Triangle Institute (“RTI”), a North Carolina corporation having offices at 3040 Cornwallis Road, Research Triangle Park, NC 27709, collectively referred to as “the Parties.” RTI serves under contract to the United States Department of Homeland Security (“DHS”) as the operator of the PREDICT Coordinating Center (“PCC”). References throughout this document to “PCC” shall be deemed to refer to RTI. References to the MOA Identification number (“MOA ID”) assigned at the top left of each page of this document shall refer to this Agreement.

------------------------------------------

The PCC supports the Protected Repository for the Defense of Infrastructure against Cyber Threats (PREDICT) project sponsored by the United States Department of Homeland Security (DHS).

This Agreement consists of: the General Terms and Conditions and Attachment A and any subsequent Amendment(s) to Researcher/User Agreement, if executed.

The provisions of Attachment A shall be construed so as to be fully consistent with all of the provisions of the General Terms and Conditions of this Agreement and, in the case of any conflict, the General Terms and Conditions shall prevail unless an Attachment is separately executed by both Parties and expressly amends particular provisions of the General Terms and Conditions, in which case the amendments of such Attachment shall prevail over such particular provisions of the General Terms and Conditions.

-------------------------------------------

Researcher/User and PCC agree to the following:

Data shall mean the datasets described in Attachment A that are owned or controlled by a Data Provider, which are being requested by the Researcher/User.

Metadata is descriptive information about the Data (but not the Data itself) that is inserted in the PREDICT data catalog and serves as a description of the Data.

DHS shall mean the U.S. Department of Homeland Security.

PCC shall mean the Predict Coordinating Center that manages the PREDICT data catalog and operations, processes applications for PREDICT data, and handles requests for approval of publication and other administrative matters. PCC does not store, maintain, or have access to any of the Data.

Data Provider shall mean an entity that provides Data to the PREDICT project that it owns or has a right to control and disclose to the PREDICT project, subject to the terms and conditions in an MOA between it and PCC.

Data Host shall mean an entity that provides computing infrastructure to store Data received from one or more Data Providers, and provides approved Researchers/Users access to Data.

Researcher/User shall mean an approved person or entity that is requesting Data from PREDICT for use in research and who is responsible for the receipt, security, oversight, use, and return of Data.

Data Custodian shall mean the person designated by an entity Researcher/User who has primary responsibility for the receipt, security, oversight, use, and return of Data on behalf of a Researcher/User that is an entity, not an individual.

Sponsoring Institution is an organization that is affiliated with or otherwise sponsors Researchers/Users and validates their research and need for PREDICT data.

Application Review Board (“ARB”) shall mean an entity that reviews and approves or rejects applications for (a) accounts to access the catalog of Metadata and (b) MOAs serving as applications for requested Data.

Publication Review Board (“PRB”) shall mean an entity that reviews and comments upon applications from Researchers/Users to publish or otherwise release any study results or other information relating to research using Data received through PREDICT.

Researcher/User must sign Attachment A as a condition precedent to obtaining any Data under PREDICT.

---------------------------------------------

In consideration of the release to Researcher/User of the Data described in Attachment A, the Researcher/User agrees to the following terms and conditions:

1) Researcher/User certifies that all information provided by Researcher/User in this Agreement is accurate and complete.

2) Researcher/User agrees that all information contained in this Agreement may be shared as necessary to facilitate PCC operations and comply with PCC operational policies and procedures, including the sharing of information in this Agreement with the ARB, PRB, Data Hosts, Data Providers, and, if necessary, DHS.

3) Researcher/User agrees to use the Data solely for the research purpose described in Attachment A and in all respects in accordance with this Agreement (including the terms and terms and conditions specified in Attachment A).

4) Upon receipt of the Data, Data Provider hereby grants to Researcher/User, a license to Researcher/User to use the Data solely for the research purpose described in the Researcher/User’s application.

5) Researcher/User agrees that he/she shall not transmit, send, export, or use the Data outside of the United States, and Researcher/User shall take steps to ensure that all persons named on Researcher/User’s application are aware of this restriction and do not transmit, send, export, or use the Data outside the United States.

6) The Researcher/User shall not allow access to or use of Data to any persons other than those identified in Attachment A of this Agreement. Researcher/User shall initiate an Amendment to this Agreement if individuals other than those identified in Attachment A are to be given access to the Data. Such Amendment must be approved and signed by both the Researcher/User and the PCC prior to any new individuals being given access to any Data.

7) Researcher/User shall establish and maintain the appropriate administrative, technical, and physical safeguards to protect the confidentiality of the Data and to prevent unauthorized use or access to the Data. At a minimum, Researcher/User shall use at least the same degree of care in safeguarding Data he/she uses for his/her own proprietary information, provided such degree of care is reasonably calculated to prevent inadvertent disclosure or unauthorized use.

8) Researcher/User, if an individual, shall notify the PCC in writing within thirty (30) days if he/she leaves the Sponsoring Institution or the research project or, in the case of a Researcher/User that is an entity, if the Data Custodian is no longer serving in this capacity.

9) (a) Researcher/User as an Individual:

If Researcher/User is an individual and (i) moves to a different institution after access to Data is granted, (ii) moves to another area of the Sponsoring Institution or for any other reason is no longer affiliated with the research associated with the Data, or (iii) dies, Researcher/User’s approval to use or disclose the Data shall immediately be suspended, as shall use of Data by any other individual whether or not named in Researcher/User’s application or located at Researcher/User’s Sponsoring Institution. Researcher/User, or designate in the event of death, shall notify the PCC in writing within thirty (30) days of such event regarding the proposed disposition of all copies of the Data and follow PCC’s directions as provided. Continued use of the Data to which Researcher/User had approved access shall be contingent upon the submission and approval of a new application for use of the datasets

(b) Researcher/User as an Entity:

If Researcher/User is an entity and the individual identified as the Data Custodian (i) leaves employment with Researcher/User, (ii) moves to another area of the Sponsoring Institution or for any other reason is no longer affiliated with the research associated with the Data, or (iii) dies, Researcher/User (the entity) shall provide the PCC with an interim point of contact and propose a substitute Data Custodian to the PCC within thirty (30) days of such event via an Amendment to Researcher/User Agreement. PCC shall approve or deny the proposed substitution within five business days, or such longer period as may be required to obtain adequate information and/or approvals from Researcher/User or third parties as is necessary to fully evaluate the proposed Data Custodian’s fitness for the position. During the period of review, no individuals other than those previously approved shall have access to the Data pending the PCC’s decision.

10 ) No findings, analysis, or information derived from the Data may be released if such findings contain any combination of data elements that might allow for identification or the deduction of a person’s or institution’s identity, unless such identification is both (a) explicitly permitted under the terms governing handling and release of Data incorporated herein and (b) not in violation of applicable U.S. or state law.

11) Researcher/User shall submit any findings, results of analysis, or manuscripts proposed for public release, publication, or any other type of disclosure (“Writings”) to persons not listed in Attachment A to the PCC for review and approval by a Publications Review Board (PRB). Researcher/User shall submit such Writings to the PCC at the same time that Researcher/User submits the Writings for conference or journal acceptance or for any other purpose. PRB review is limited to ensuring that data confidentiality is maintained, entities or individuals cannot be identified (except as permitted under Article 11 above), and the terms and conditions attached to the use of the Data have been followed.

12) Researcher/User shall identify the PREDICT program as the source of Data in all Writings and DHS as the sponsor of PREDICT. Researcher/User shall abide by any decisions made by the PCC and PRB with respect to non-publication or changes necessary to ensure the conditions associated with the Data are met. Researcher/User shall not permit publication or otherwise publicly release such Writings until PRB approval has been received from the PCC. PCC may withhold approval to publish on the results of research only if it reasonably determines that the format of Data presentation is such that it does not meet the terms and conditions for the use of the Data as reflected in this MOA and Attachments or if publication of the Writings may result in identification of the Data Provider or another institution, organization, or individual or otherwise breach a duty of confidence owed to Data Provider or the subject from whom the Data was collected. Researcher/User shall provide to the PCC a link to or copy of all published Writings.

13) Researcher/User shall report immediately to PCC any use or disclosure of the Data other than as permitted by this Agreement. Researcher/User shall take all commercially reasonable steps to mitigate the effects of such improper use or disclosure, including cooperating with all reasonable requests of PCC.

14) Unless re-identification of Data is required and was disclosed and approved in the application by Researcher/User to the ARB, Researcher/User shall not attempt to or actually unlock, override, reverse engineer, or otherwise take any steps to defeat any anonymization or obfuscation methods or tools that have been applied to any Data by the Data Provider or Data Host, or otherwise to violate any of the terms of use associated with the Data.

15) Researcher/User agrees that in the event PCC determines or has a reasonable belief that Researcher/User has violated any terms of this Agreement, PCC may terminate this Agreement and require that Researcher/User destroy the Data and all derivative files pursuant to PCC instructions. PCC may also seek injunctive relief against Researcher/User to prevent any unauthorized disclosure of Data by Researcher/User. Researcher/User understands that as a result of this determination or reasonable belief that a violation of this Agreement has occurred, PCC may also refuse to release further Data to Researcher/User. In addition, PCC may report any misuse or improper disclosure of Data to Data Provider and Data Host and to appropriate authorities as permitted or required by applicable Federal or state law.

16) Access to Data ends upon expiration or termination of this Agreement and Researcher/User shall, as directed by PCC, destroy all copies of the Data per PCC’s instructions. Researcher/User or the Data Custodian shall certify such destruction or return by signing and providing to PCC a Certification of Data Destruction.

17) Researcher/User shall be responsible for harm directly caused by the gross negligence or willful misconduct of Researcher/User or its agents, arising out of or connected to the use of any of the Data or research related to this Agreement.

18) Researcher/User shall promptly notify PCC of any claim against it or a third party of which it becomes aware pertaining to Data or research related to this Agreement

---------------------------------------------

1. PCC shall notify Researcher/User of : a) Freedom of Information Act (“FOIA”) or other legal requests for access to data regarding this Agreement; and b) Data destruction requirements at expiration of this Agreement.

2. PCC shall obtain from all Data Providers written agreement that (i) its Data complies with all restrictions specified by the PCC and all requirements of applicable governing or regulating bodies and/or contractual agreements, and (ii) that all Data is consistent with Data Provider’s privacy, security, or other policies and procedures applicable to the Data.

3. PCC may terminate this Agreement upon determination that information provided in this Agreement was false, inaccurate, incomplete, or otherwise designed to conceal material information and require destruction of all Data (and copies thereof) that was provided to Researcher/User.
------------------------------------------
1. Either party may terminate this Agreement by providing thirty (30) days written notice. Upon any termination or the expiration of this Agreement, Researcher/User shall, upon direction from PCC, destroy all copies of Data, or portions thereof, in its possession that it has received from Data Host or created (or had others create). Researcher/User shall certify (or in the case of an entity that is a Researcher/User, the Data Custodian shall certify) to PCC such destruction or return by signing and providing a Certification of Data Destruction.

2. This Agreement shall remain in force for a period of one year commencing with the date of latest signature below, or as amended. All obligations or rights, which by their nature survive and continue after the end date of this Agreement, shall survive and continue, and this shall specifically include the obligation of Researcher/User to seek review by the PCC and PRB prior to publication as noted above. Any Amendments to this Agreement, to be effective, shall be in writing and signed by an authorized Representative of each Party.

3. This Agreement shall be construed and interpreted in accordance with the laws of the state of North Carolina.

4. Nothing contained herein shall be construed as conferring by implication, estoppel or otherwise any license or right in favor of either party or any third party in any patents or other intellectual property rights of the other.

5. Neither Party shall in any manner reference or cause to be referenced the trade names, trademarks, service marks or any other indicia of origin owned by the other Party, or indicate that its operations are any way sponsored, approved or endorsed by the other.

6. Except with the written consent of Researcher/User, PCC shall not cause to be issued or released for publication, or participate in the publication of, any articles or publicity relating to Researcher/User and the subject matter of this Agreement; provided, however, that PCC may reveal all information supplied by Researcher/User in this MOA and its applications to the ARB or PRB, so long as that information is used only for purposes of evaluating those applications.

7. Neither this Agreement nor the receipt of Data by Researcher/User shall constitute or imply any promise or intention by Researcher/User to evaluate, process or make use of the Data either now or in the future.

8. NEITHER PARTY SHALL BE LIABLE TO THE OTHER FOR INCIDENTAL, INDIRECT, CONSEQUENTIAL, SPECIAL, PUNITIVE, OR EXEMPLARY DAMAGES OF ANY KIND (INCLUDING LOST REVENUES OR PROFITS, OR LOSS OF BUSINESS) IN ANY WAY RELATED TO THIS AGREEMENT, REGARDLESS OF WHETHER IT WAS ADVISED, HAD OTHER REASON TO KNOW, OR IN FACT KNEW OF THE POSSIBILITY THEREOF.

9. Any legal action arising in connection with this Agreement must begin within two (2) years after the cause of action arises.

10. The Parties may execute two or more copies of this Agreement, each of which shall constitute an original copy of this Agreement. A scanned, imaged, facsimile or photocopy of this Agreement or amendment to this Agreement as executed by the Parties shall be deemed to be an original executed copy for all purposes.

11. If Researcher/User is an individual, this Agreement shall not be considered accepted or effective until signed below by Researcher/User and the authorized representative of PCC. If Researcher/User is an entity, this Agreement shall not be considered accepted or effective until signed below by authorized representatives of both Parties, and each Party represents and warrants that the person signing this Agreement on its behalf has full authority to bind his or her organization to this Agreement. By signing below, neither Party may assign all or a portion of its rights and obligations hereunder without the prior written approval of the other Party.

Instructions/Introduction – Reworded

Letter – Reworded/reformatted

Thank you for your interest in joining the PREDICT community. In order for your application to be considered you must have your supervisor or other appropriate manager in your organization execute the attached Sponsorship Letter. The person signing the letter should have authority to act on behalf of your organization. Please be sure to provide these instructions along with the letter template when requesting a signature. The completed and signed letter must be received by the PREDICT Coordinating Center before your application for an account as a researcher can be considered.

Directions:

1. You will need to print this letter on your institution’s letterhead. You may do this in two ways: a. Cut and paste the text of the letter into your word processing program so you can fill in the information requested using your institution’s letterhead. Once you have inserted the information, you can save and print the letter. Note: you will need to adjust the formatting for the word processing program you are using. b. Fill in the form within the PDF. The top margin is about 1.5 inches to accommodate letterhead. Print the letter using your institution’s letterhead.

2. Fill in appropriate names, dates, and other information where indicated with the requested information. Do not omit any of the requested information. a. Use one copy of the letter to cover multiple researchers, if needed.

b. Optional: Insert the prefix appropriate to the researcher(s) (Dr., Ms, Miss, Mrs., Mr.)

c. Spell out the name of your company, organization, school and/or department. Do not abbreviate.

3. Print out the letter.

4. Sign and fax to the PREDICT Coordinating Center, RTI International, Attn: Renee Karlsen, 866.835.0255 (toll free). Questions regarding your application may be directed to the PREDICT Coordinating Center, at [email protected]

----------------------------------------
Dear Ms. Karlsen:

I am writing you in regard to an application for access to data under the PREDICT project for which RTI is serving as the PREDICT Coordinating Center (PCC). I understand that a letter of support from a Sponsoring Institution is one of the required elements of a successful application for access to PREDICT data, and this letter is meant to fill that purpose. By this letter, I am confirming on behalf of myself and my organization that: (Fill in all information and sign below):

1. This letter is being sent on behalf of the following staff (Applicant(s)): [Table]

2. Applicant(s) are currently affiliated with our organization, and serve(s) in the Department or Organizational Unit listed in Section 1.

3. Applicant(s) is (are) an employee(s) in good standing with our organization.

4. Applicant(s) has (have) a legitimate need for PCC Data, owing to their Position within their department and role in the proposed PREDICT research, as spelled out in Section 1.

5. Applicant(s) can be anticipated to have a need for this data until this (or similar legitimate work approved by the PREDICT Application Review Board) is completed, according to estimated dates listed in Section 1.

6. I or my successor in my role will inform PCC should any of the Applicants listed in Section 1 leave our institution or otherwise have changed circumstances calling into question their need for the PCC Data or the appropriateness of their having access to the Data. As a member of the cyber-security research community, I appreciate the importance of this work and am delighted to assist PREDICT disseminate these data and results. Should you have need for further information, please contact me.

Thank you for your interest in joining the PREDICT community. All Researchers must have a sponsoring organization in order to obtain a PREDICT account. A PREDICT account enables a Researcher to access the PREDICT catalog of datasets and to request the use of those datasets. A completed and signed sponsorship letter must be received by the PREDICT Coordinating Center before your application for an account as a Researcher can be considered. Sponsorship letters must be signed by a supervisor or manager with authority to act on behalf of your organization.

Definition of Researcher

A Researcher may be an individual or it may be an entity, such as a corporation that desires to have a team of personnel conduct specific cyber security research and development (R&D). If the Researcher is an entity, the entity must name a Data Custodian who is the person designated to have a PREDICT account and request datasets on behalf of that entity. Entities may have more than one Data Custodian, with each person having a PREDICT account. Researchers in an academic environment usually have individual PREDICT accounts and are sponsored as individuals by their institution. An individual Researcher may involve others in the R&D project that he/she plans to conduct using PREDICT datasets.

INSTRUCTIONS

Researchers seeking an individual PREDICT account must submit the attached Sponsorship Letter on the sponsoring organization’s letterhead to the PREDICT Coordinating Center (PCC). Check the box: Sponsorship of Individual as Researcher. The letter must be signed by a supervisor or other appropriate manager from the sponsoring institution who has authority to act on behalf of the organization. Individuals named as Researchers must be employed by or affiliated with the Sponsoring Institution. The completed and signed Sponsorship Letter must be received by the PREDICT Coordinating Center (PCC) before a PREDICT account will be assigned. After the Sponsorship Letter has been accepted by the PCC, the actual application for a PREDICT account is made by the individual Researcher(s) through the PREDICT portal at http://www.predict.org.

Organizations who are seeking to be an entity acting as a Researcher must submit the attached Sponsorship Letter on the sponsoring organization’s letterhead to the PREDICT Coordinating Center (PCC). Check the box: Sponsorship of Entity as Researcher. The letter must be signed by a supervisor or person who has authority to act on behalf of the organization. The Sponsorship Letter must designate a Data Custodian(s) to have a PREDICT account and manage research for the organization. Reminder: a Data Custodian is the individual with primary responsibility for the receipt, security, oversight, use, and return of the Data that is obtained from PREDICT for a particular research effort. The Data Custodian does not have to be an employee of or affiliated with the Sponsoring Institution. After the Sponsorship Letter has been accepted by the PCC, the Data Custodian(s) apply for PREDICT accounts through the PREDICT portal at http://www.predict.org.

INSTRUCTIONS FOR ALL APPLICANTS

Put the text of the Sponsorship letter onto your organization’s letterhead. Fill in appropriate names, dates, and other requested information; do not omit any of the information, as incomplete letters will be returned and the process delayed accordingly. Do not use abbreviations for organization names, schools, departments, etc. Fax the signed (866) 835-0255 (toll free) or email a PDF file of the letter to [email protected]. PCC will notify you of acceptance/rejection of the Sponsorship Letter usually within one week from receipt.

QUESTIONS OR NEED ASSISTANCE?

Contact the PCC for assistance via email at [email protected].

-----------------------------------------

Dear PREDICT Coordinating Center:

I am sending this Sponsorship Letter for Researcher access to PREDICT data by __________________________ (enter name of entity or individual(s) being sponsored). I understand that a Sponsorship Letter is required for access to PREDICT data, and that this letter must be signed by a person who has authority to act on behalf of the sponsoring institution. I have such authority. I understand that a Researcher may be sponsored individually by an organization or an organization may submit a Sponsorship Letter for the entity itself to function as a Researcher, naming one or more Data Custodians as the persons who will apply for PREDICT accounts and be responsible for the research and PREDICT data used by the entity. This letter is (check one):

*Sponsorship of Individual(s) as Researcher (if desired, more than one individual can be listed on a Sponsorship Letter if each Researcher would like to have a PREDICT account).

*Sponsorship of Entity as Researcher (if desired, more than one individual can be listed on a Sponsorship Letter as Data Custodian)

This letter is being sent on behalf of the following individual(s) or on behalf of the following Data Custodian(s) who will apply for PREDICT accounts on behalf of this organization: [Table]

The above named persons have a legitimate need for PREDICT data, owing to their position within their department or business unit, and the responsibilities assigned to them.

If this is a Sponsorship of Individuals as Researcher(s), I hereby confirm that the above individual(s) is/are currently affiliated with this organization, is/are in good standing, and serve in the capacity noted above. I, or any successor in my role, will inform the PCC if any of the above named individual(s) leave our organization or otherwise have changed circumstances calling into question or eliminating their need for PREDICT data.

If this is a Sponsorship of Entity, I hereby confirm that the above named individual(s) will serve as Data Custodian(s) for our organization and are trusted by this organization to be responsible for PREDICT data and research efforts on its behalf. I, or any successor in my role, will inform the PCC if any of the individual(s) named above as a Data Custodian is/are no longer in that role or is/are no longer in charge of the data and associated research effort. At the same time, we will provide information on the Data Custodian(s) who will replace the previous one(s).

This organization appreciates the importance of cyber security and the value of R&D efforts in this area, and we are pleased to support the PREDICT project through this Sponsorship Letter. Please let me know if you need any further information.