StateRAMP Ready Security Review Terms & Conditions

Purchase terms

This Professional Services Contract (“this Contract”), entered into by and between GuideSoft, Inc. dba Knowledge Services (“PMO”) and the Service Provider, is executed pursuant to the terms and conditions set forth herein.  


  1. Duties of PMO. The PMO shall provide a StateRAMP Authorized Review for Service Provider, as follows:


StateRAMP Ready Review: 

  1. System Security Plan (SSP) 
  2. Boundary Diagram 
  3. Control Matrix (includes Control Implementation Summary-CIS)
  4. Security Policy – Access Control (AC) 
  5. Security Policy – Awareness & Training (AT) 
  6. Security Policy – Audit & Accountability (AU) 
  7. Security Policy – Security Assessment & Authorization (CA) 
  8. Security Policy – Configuration Management (CM) 
  9. Security Policy – Contingency Planning (CP) 
  10. Security Policy – Identification & Authentication (IA) 
  11. Security Policy – Incident Response (IR) 
  12. Security Policy – Maintenance (MA) 
  13. Security Policy – Media Protection (MP) 
  14. Security Policy – Personnel Security (PS) 
  15. Security Policy – Physical & Environmental (PE) 
  16. Security Policy – Planning (PL) 
  17. Security Policy – Risk Assessment (RA) 
  18. Security Policy – Systems & Services Acquisition (SA) 
  19. Security Policy – Systems & Communications Protection (SC) 
  20. Security Policy – Systems & Information Integrity (SI) 
  21. Security Procedure – Access Control (AC) 
  22. Security Procedure – Awareness & Training (AT) 
  23. Security Procedure – Audit & Accountability (AU) 
  24. Security Procedure – Security Assessment & Authorization (CA) 
  25. Security Procedure – Configuration Management (CM) 
  26. Security Procedure – Contingency Planning (CP) 
  27. Security Procedure – Identification & Authentication (IA) 
  28. Security Procedure – Incident Response (IR) 
  29. Security Procedure – Maintenance (MA) 
  30. Security Procedure – Media Protection (MP) 
  31. Security Procedure – Personnel Security (PS) 
  32. Security Procedure – Physical & Environmental (PE) 
  33. Security Procedure – Planning (PL) 
  34. Security Procedure – Risk Assessment (RA) 
  35. Security Procedure – Systems & Services Acquisition (SA) 
  36. Security Procedure – Systems & Communications Protection (SC) 
  37. Security Procedure – Systems & Information Integrity (SI) 
  38. User Guide
  39. Digital Identity Worksheet 
  40. Privacy Impact Analysis (Included in SSP)
  41. Rules of Behavior 
  42. Information System Contingency Plan 
  43. Configuration Management Plan 
  44. Incident Response Plan 
  45. Control Implementation Summary (Included in OCM)
  46. FIPS-199
  47. Roles & Permissions Matrix 
  48. Laws and Regulations (Included in OCM)
  49. StateRAMP Inventory Worksheet (Included in OCM)
  50. Continuous Monitoring Plan 
  51. Security Assessment Plan (SAP)
  52. Appendix B – Penetration Testing Plan and Methodology
  53. Appendix C – 3PAO Supplied Deliverables (e.g., Penetration Test Rules of Engagement and Sampling Methodology)
  54. Security Assessment Report (SAR)
  55. Appendix A – Risk Exposure Table
  56. Appendix B – Security Test Case Procedures
  57. Appendix C – Infrastructure Scan Results
  58. Appendix D – Database Scan Results
  59. Appendix E – Web Scan Results
  60. Appendix F – Assessment Results
  61. Appendix G – Manual Test Results
  62. Appendix H – Documentation Review Findings
  63. Appendix I – Auxiliary Documents (e.g., evidence artifacts)
  64. Appendix J – Penetration Test Report
  65. Scans and POA&M associated with the SAR (if available)
  66. Continuous Monitoring 30 Days (Scan/inventory/POA&M)
  67. Continuous Monitoring 60 Days (Scan/inventory/POA&M)
  68. Continuous Monitoring 90 Days (Scan/inventory/POA&M)

  2. Duties of the Service Provider.  The Service Provider shall provide all required documentation and fees to the PMO, at which time the PMO will start the StateRAMP Authorized Review.

  3. Consideration.  The Project Management Office (PMO) shall receive a fee for the performance of its duties as outlined in this Contract. The fee will be determined by the annual revenue of the Service Provider, broken down as follows:

    • For an annual revenue up to $1 Million, the fee will be $500
    • For an annual revenue between $1 Million and $5 Million, the fee will be $2,500
    • For an annual revenue exceeding $5 Million, the fee will be $3,750

    The Service Provider is required to pay this fee prior to the commencement of services under this Contract.

  4. Termination.  The parties may terminate this Contract with thirty (30) days’ notice to the other party, provided that payment for the Services herein is nonrefundable once Services have commenced under this Contract.

  5. Assignment; Successors.  Service Provider binds its successors and assignees to all the terms and conditions of this Contract. Service Provider may assign its right to remit payments to PMO to such third parties as the Service Provider may desire without the prior written consent of PMO, provided that the Service Provider gives written notice (including evidence of such assignment) to PMO thirty (30) days in advance of any payment so assigned. The assignment shall cover all unpaid amounts under this Contract and shall not be made to more than one party.

  6. Changes in Work; Work Standards.  The parties shall not commence any additional work or change the scope of the work until authorized in writing by the signatories hereto. This Contract may only be amended, supplemented, or modified by a written document executed in the same manner as this Contract.

    The PMO represents that the Services will be performed in a workmanlike and professional manner.

    Service Provider agrees that the PMO will not be responsible for nonconformities or any errors in deliverables resulting from the PMO’s reliance on inaccurate, inauthentic or incomplete data or information provided by Service Provider.  Service Provider will cooperate with the PMO and take all actions reasonably necessary to enable PMO to perform the Services.  To that end, Service Provider will provide, on a timely basis, all information requested by the PMO to enable the PMO to provide the Services.

    Service Provider further acknowledges and agrees that (a) any outcome of the Services is limited to a point-in-time examination, (b) the outcome of any reviews, audits or assessments, and the opinions, advice, recommendations and/or authorization of PMO, do not constitute any form of representation, warranty or guarantee that Service Provider’s systems are secure from every form of attack, and PMO is not making any assertions by providing Services under this Contract, (c) in examining Service Provider’s status, PMO relies upon accurate and complete information provided by Service Provider, and (d) Service Provider is solely responsible for the scope, goals and overall direction of the Services.

  7. No Implied Warranties.  Other than those expressly contained in this Section, neither Party makes any other representations or warranties, implied, statutory or otherwise, with respect to the Services or Deliverables.  PMO EXPRESSLY DISCLAIMS ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

  8. Limitations on Liability.  Neither Party nor its employees, officers and directors will be liable to the other Party under this Contract for commercial loss and lost profits or any consequential, incidental, indirect, punitive or special damages, or any other similar damages under any theory of liability whether in contract, tort or strict liability, however caused and regardless of legal theory or foreseeability, directly or indirectly, arising under this Contract.  In no event shall the liability of PMO under this Contract exceed the fees payable to PMO by Service Provider.

  9. Compliance with Laws.  The Service Provider shall comply with all applicable federal, state, and local laws, rules, regulations, and ordinances, and all provisions required thereby to be included herein are hereby incorporated by reference. The enactment or modification of any applicable state or federal statute or the promulgation of rules or regulations thereunder after execution of this Contract shall be reviewed by PMO and the Service Provider to determine whether the provisions of this Contract require formal modification.

  10. Confidentiality of Information; Legal Requests.  The parties understand and agree that data, materials, and information disclosed may contain confidential and protected information. The parties covenant that data, material, and information gathered, based upon or disclosed for the purpose of this Contract will not be disclosed to or discussed with third parties without the prior written consent of the disclosing party.

    If either party is requested or required by deposition or written questions, interrogatories, requests for production of documents, subpoena, investigative demand or similar process to disclose any information originating with the other party, the party in receipt of such request or requirement will provide prompt written notice to the other party and will cooperate with the other party’s efforts to obtain an appropriate protective order or other reasonable assurance that such information will be accorded the confidential treatment that the other party may deem necessary.

  11. Disputes.  Should any disputes arise with respect to this Contract, the Service Provider and PMO agree to act immediately to resolve such disputes. Time is of the essence in the resolution of disputes. PMO agrees that, the existence of a dispute notwithstanding, it will continue without delay to carry out all of its responsibilities under this Contract that are not affected by the dispute. The Service Provider may not withhold payments on disputed items.

  12. Force Majeure.  In the event that either party is unable to perform any of its obligations under this Contract or to enjoy any of its benefits because of natural disaster or decrees of governmental bodies not the fault of the affected party (hereinafter referred to as a “Force Majeure Event”), the party who has been so affected shall immediately, or as soon as is reasonably possible under the circumstances, give notice to the other party and shall do everything possible to resume performance.  Upon receipt of such notice, all obligations under this Contract shall be immediately suspended. If the period of nonperformance exceeds thirty (30) days from the receipt of notice of the Force Majeure Event, the party whose ability to perform has not been so affected may, by giving written notice, terminate this Contract.

  13. Governing Law.  This Contract shall be governed, construed, and enforced in accordance with the laws of the State of Indiana, without regard to its conflict of laws rules. Suit, if any, must be brought in the State of Indiana.

  14. Merger; Modification; Waiver of Rights.  This Contract constitutes the entire agreement between the parties. No understandings, agreements, or representations, oral or written, not specified within this Contract will be valid provisions of this Contract.  This Contract may not be modified, supplemented, or amended, except by written agreement signed by all necessary parties. No right conferred on either party under this Contract shall be deemed waived, and no breach of this Contract excused, unless such waiver is in writing and signed by the party claimed to have waived such right.

  15. Ownership of Documents and Materials.
    1. Service Provider Materials Provided to PMO; Ownership Remains with the Service Provider.  All documents, records, programs, applications, code, data, algorithms, film, tape, articles, memoranda, and other materials delivered to PMO by the Service Provider in the performance of this Contract (the “Service Provider Materials”) shall be and remain the property of the Service Provider. Use of the Service Provider Materials, other than as related to contract performance by PMO, without the prior written consent of the Service Provider, is prohibited.  During the performance of this Contract, PMO shall be responsible for any loss of or damage to the Service Provider Materials while the Service Provider Materials are in the possession of PMO.  Any loss or damage thereto shall be restored at PMO’s expense. PMO shall provide the Service Provider full, immediate, and unrestricted access to the Service Provider Materials during the term of this Contract.
    2. PMO Materials Provided to the Service Provider; Ownership Remains with PMO.  All documents, records, programs, applications, code, data, algorithms, film, tape, articles, memoranda, and other materials delivered to the Service Provider by PMO in the performance of this Contract (the “PMO Materials”) shall be and remain the property of PMO. Use of the PMO Materials, other than as related to contract performance by the Service Provider, without the prior written consent of PMO, is prohibited.  During the performance of this Contract, the Service Provider shall be responsible for any loss of or damage to the PMO Materials while the PMO Materials are in the possession of the Service Provider.  Any loss or damage thereto shall be restored at the Service Provider’s expense. The Service Provider shall provide PMO full, immediate, and unrestricted access to the PMO Materials during the term of this Contract.

  16. Penalties/Interest/Attorney’s Fees.  PMO will in good faith perform its required obligations hereunder and does not agree to pay any penalties, liquidated damages, interest, or attorney’s fees.

  17. Reference to the Service Provider in PMO Marketing.  Service Provider agrees that the PMO may refer to Service Provider in a published list of StateRAMP Authorized service providers.

  18. Timeline/Duration of Engagement.  Upon receipt of the signed agreement and payment of the invoice, the StateRAMP PMO (Program Management Office) is responsible for coordinating a Kickoff Meeting and Security Intake Call for all parties involved (estimated time: three business days). Upon completion of the Kickoff Meeting and Security Intake Call, the full review of the Service Provider’s Security Assessment and the award of Authorized status is estimated to take three to six weeks. The timeline is dependent on timely responses from the Service Provider to any additional questions the StateRAMP PMO (Program Management Office) needs answered to complete the process.