To: Board of Supervisors
From: Dr. Grant Colfax, Health Services Director
Report Title: Amendment #23-570-7 with Black Duck Software, Inc.
☒ Recommendation of the County Administrator ☐ Recommendation of Board Committee

RECOMMENDATIONS:
APPROVE and AUTHORIZE the Health Services Director, or designee, to execute on behalf of the County Contract Amendment/Extension #23-570-7 with Black Duck Software, Inc., a corporation, effective August 2, 2025, to amend Contract #23-570 (as amended by County Contract Amendment #23-570-1 through 23-570-4, and 23-570-6), to increase the payment limit by $378,147, from $516,378 to a new payment limit of $894,525, and extend the termination date from August 2, 2025, to August 2, 2028, and for successive one (1) year terms thereafter until terminated, for software and services to identify and remediate network security vulnerabilities for the Health Services Information Systems Unit.
FISCAL IMPACT:
Approval of this Amendment will result in additional annual expenditures of up to $378,147 and will be funded as budgeted by the department in FYs 2025-28, by 100% Hospital Enterprise Fund I. (Rate increase)
BACKGROUND:
This Contract Amendment/Extension meets the needs of the County by providing third-party application security software as a service. Black Duck Sentinel is a Software-as-a-Service (SaaS) application security solution that assesses code and assists in identifying and remediating vulnerabilities before the code is pushed to production. By incorporating security across the entire software development lifecycle (SDLC), it helps proactively protect Contra Costa Health’s (CCH) digital estate against cyber threats. CCH’s Information Systems Unit utilizes applications hosted by third-party sites. This software analyzes and minimizes risk before and during the ongoing use of these systems.
CCH has been contracting with this vendor since November 2015 for its services concerning vulnerability scanning software. Health Services Personnel approved this Contract to ensure no conflicts, consistent with procedures established by the Labor Relations Division of the County Administrator’s Office. This Contractor was approved by the Public Works Department’s Purchasing Division on August 4, 2025, in compliance with Administrative Bulletin 600.3 requirements. Service contract deliverables, including measurable outcomes required of the Contractor to be monitored by the department in compliance with Section III (B)(7) of the Purchasing Policy, include technical support for the County’s use of the software under the license grant, and access to maintenance and support.
In November 2015, the County Administrator approved, and the Purchasing Services Manager executed Contract #23-570 with Whitehat Security, Inc., to provide software maintenance and support services including, but not limited to, consulting and technical support for the Department’s Information Systems Unit, for the period from August 3, 2015 through August 3, 2016.
On August 16, 2016, the Board of Supervisors approved Contract Amendment/Extension #23-570-1 with Whitehat Security, Inc., effective August 1, 2016, to increase the payment limit by $100,000 to a new payment limit of $150,000 and to extend the termination date from August 3, 2016 to August 3, 2017 for additional consulting, technical support and training for the Department’s Information Systems.
On August 18, 2017, the Board of Supervisors approved Contract Amendment/Extension #23-570-2 with Whitehat Security, Inc., effective August 1, 2017, to increase the payment limit by $85,000 to a new payment limit of $235,000 and to extend the termination date from August 3, 2017 to August 3, 2018 for additional consulting, technical support and training for the Department’s Information Systems.
On August 15, 2017, the Board of Supervisors approved County Contract Amendment #23-570-3 with Whitehat Security, Inc., effective August 1, 2017, to increase the payment limit by $39,000 to a new payment limit of $274,000 for additional consulting, technical support and training for the Department’s Information Systems with no change in the term.
On August 7, 2018, the Board of Supervisors approved County Contract Amendment/Extension #23-570-4 with Whitehat Security, Inc., to increase the payment limit by $39,000 to a new payment limit of $274,000 for the renewal of software licenses and support services for the Health Services Department’s Information Systems for the term August 3, 2018 through August 2, 2019.
On August 6, 2019, the Board of Supervisors approved the issuance of Purchase Order #016767 and a Service Order with Whitehat Security, Inc., in an amount not to exceed $393,976 for additional consulting, technical support and training for the Department’s Information Systems for the term August 3, 2019, through August 2, 2022. In April 2022, Synopsys announced that it signed a definitive agreement to acquire WhiteHat Security.
On October 8, 2024, the Board of Supervisors approved Contract Amendment/Extension #23-570-6 with Black Duck Software, Inc., for the execution of a Purchasing Agreement to renew the licensed product, subscription services and on-site support, increase the payment limit by $122,378 to an amount not to exceed $516,378, and extend the term through August 2, 2025, and for one-year terms thereafter until terminated under the agreement. Under Contract Amendment/Extension #23-570-6, per Section 13.8 Assignment of the Agreement, Synopsys assigns all its rights, title, and interest in the Agreement to Black Duck, and Black Duck assumes all of the obligations of Synopsys under the Agreement.
Under this Contract Amendment/Extension #23-570-7 the parties will execute a Purchasing Agreement for thirty-six (36) months of licensed product, subscription services and on-site support services for Contractor to continue to provide its Sentinel Standard and Premium Edition, including business logic assessment SaaS, through August 2, 2028, and for one-year terms thereafter until terminated under the agreement. The division is requesting a retroactive effective date for this renewal due to staff transitions and policy changes.
CONSEQUENCE OF NEGATIVE ACTION:
If this Amendment is not approved, CCH's Information Systems Unit will be unable to maintain the related software licensing and receive support and training from this contractor to help mitigate risks associated with externally hosted applications, weakening CCH's defense against cyberattacks.