To: Board of Supervisors
From: Anna Roth, Health Services Director
Report Title: Amendment/Extension #23-507-6 with Black Duck Software, Inc.
☒Recommendation of the County Administrator ☐ Recommendation of Board Committee
RECOMMENDATIONS:
APPROVE and AUTHORIZE the Health Services Director, or designee, to execute on behalf of the County an Amendment to Contract #23-570 with Black Duck Software, Inc., a corporation, to increase the payment limit by $122,378, from $394,000, to a new payment limit of $516,378 and to extend the termination date to August 2, 2025, and for successive (1) year renewal terms thereafter until terminated for software licenses and subscription services for third-party software application security for the Health Services Information Systems Unit.
FISCAL IMPACT:
Approval of this Amendment will result in additional annual expenditures of up to $122,378 and will be funded as budgeted by the department in FY 2024-25, by 100% Hospital Enterprise Fund I. (Rate increase)
BACKGROUND:
This Contract meets the needs of the County by providing third-party application security software as a service. WhiteHat Sentinel is a Software-as-a-Service (SaaS) solution providing application security that assesses code and assists in identifying and remediating vulnerabilities before the code is pushed to production by incorporation of security across the entire software development lifecycle (SDLC) that helps proactively protect CCH’s digital estate against cyber threats. Contra Costa Health’s Information Systems Unit utilizes applications hosted by third-party sites. This software analyzes and minimizes risk before and during the ongoing use of these systems.
In November 2015, the County Administrator approved, and the Purchasing Services Manager executed Contract #23-570 with WhiteHat Security, Inc., to provide software maintenance and support services including, but not limited to, consulting and technical support for the Department’s Information Systems Unit, for the period from August 3, 2015 through August 3, 2016.
On August 16, 2016, the Board of Supervisors approved Contract Amendment/Extension #23-570-1 with WhiteHat Security, Inc, effective August 1, 2017, to increase the payment limit by $100,000 to a new payment limit of $150,000 and to extend the termination date from August 3, 2016 to August 3, 2017 for additional consulting, technical support and training for the Department’s Information Systems.
On August 18, 2017, the Board of Supervisors approved Contract Amendment/Extension #23-570-2 with WhiteHat Security, Inc, effective August 1, 2016, (to amend Contract #23-570, as amended by #23-570-1) to increase the payment limit by $85,000 to a new payment limit of $235,000 and to extend the termination date from August 3, 2017 to August 3, 2018 for additional consulting, technical support and training for the Department’s Information Systems.
On August 15, 2017, the Board of Supervisors approved Contract #23-570-3 with WhiteHat Security, Inc, effective August 1, 2017, to execute Service Orders (under Contract #23-570, as amended by #23-570-1 and 23-570-2) and increase the payment limit by $39,000 to a new payment limit of $274,000 for additional consulting, technical support and training for the Department’s Information Systems with no change in the term.
On August 7, 2018, the Board of Supervisors approved Contract #23-570-4 with WhiteHat Security, Inc, in an amount not to exceed $120,000 for additional consulting, technical support and training for the Department’s Information Systems for the term August 3, 2018 through August 2, 2019.
On August 7, 2018, the Board of Supervisors approved Contract #23-570-4 with WhiteHat Security, Inc, in an amount not to exceed $120,000 for additional consulting, technical support and training for the Department’s Information Systems for the term August 3, 2018 through August 2, 2019.
On August 6, 2019, the Board of Supervisors approved the issuance of Purchase Order #016767 and a Service Order with WhiteHat Security, Inc, in an amount not to exceed $393,976 for additional consulting, technical support and training for the Department’s Information Systems for the term August 3, 2019, through August 2, 2022. In April 2022, Synopsys announced that it signed a definitive agreement to acquire WhiteHat Security.
CCH has been contracting with this vendor since (at least) November 2015 for its services concerning vulnerability scanning software. This Contractor was approved as a sole source contractor by the Public Works Department’s Purchasing Division on April 30, 2024. CCH will monitor measurable service contract deliverables with outcomes required of the Contractor. CCH’s access to subscription services and support will be monitored by the department in compliance with Section III(B)(7) of the Purchasing Policy. This Contract was approved by CCH Personnel to ensure no conflict with labor relations.
This Contract Amendment Agreement, #23-570-6, includes the following: (i) per Section 13.8 (Assignment) of the Agreement, Synopsys (as successor in interest to WhiteHat Security, Inc.) assigns all of its rights, title, and interest in the Agreement to Black Duck, and Black Duck assumes all of the obligations of Synopsys under the Agreement, (ii) a Purchasing Agreement to continue software licenses and subscription services for twelve (12) months from the start date (August 3, 2024) until terminated, and (iii) the First Amendment to Master Software and Services Agreement (Contract #23-570), allowing the Contractor to provide additional consulting, technical support, and training for the Department’s Information Systems through August 2, 2025, and for successive (1) year renewal terms thereafter until terminated.
CONSEQUENCE OF NEGATIVE ACTION:
If this Amendment is not approved, CCH's Information Systems Unit will be unable to maintain the related software licensing and subscription services to receive support and training from this contractor to help mitigate risks associated with externally hosted applications and minimize risks associated with cyberattacks.