a402-s1 fy 19-22 business intelligence and data … · no final selection has been made on our...

1

A402-S1 FY 19-22 BUSINESS INTELLIGENCE AND DATA WAREHOUSE SERVICES,

ALL MASSPORT FACILITIES, BOSTON, BEDFORD, AND WORCESTER,

MASSACHUSETTS

RESPONSES TO QUESTIONS

12/07/2018 The attention of consultants submitting proposals for the RFQ is called to the following Responses to Questions to the subject RFQ. The items set forth herein, whether of omission, addition, substitution, or clarifications are all to be included in and form a part of the proposal submitted. Responses to Questions:

1. Can we ask for letters of support / recommendation as well to support the RFQ?

No.

2. Can we propose subcontracting collaboration or joint venture model with a leading Madrid-based multinational IT firm which has extensive work in the Data Warehouse system field to collaborate in this RFQ?

Yes, as long as they can agree to the contract terms.

3. What is the contribution of MWBE Certificate to the overall evaluation? And the role of the contribution of the Supplier Diversity Office (SDO) Certificate of the Operational Services Division (OSD) in the overall evaluation?

It is one of the evaluation criteria.

4. Is it enough if the main Consultant provides the “Litigation and Legal Proceedings”? Or should each and every sub Consultant provide the equivalent documentation?

“Litigation and Legal Proceedings” are only required for the prime consultant.

5. How are the different consulting companies expected to collaborate throughout the project? Who will distribute the efforts and responsibilities?

If more than one consultants are selected, it not expected from them to collaborate on a permanent basis. Coordination meetings might be needed, but each consultant will work on their own Scope of Work based on the Work Order assigned to them. Work Orders will be assigned by the Massport Project Manager.

6. What is the expected overall timeframe for the project?

2

There is no set timeframe. After the initial implementation/proof of concept, we anticipate including additional data sources and expanding to more users.

7. How does Massport expect to divide work-orders and list of on-call services between the chosen data consultants?

If more the one consultants are selected, Massport will assign Work Orders based on expertise and qualifications.

8. What is the platform selected for business intelligence and the data warehouse solution?

No final selection has been made on our enterprise-wide data solutions yet. The selected consultant(s) will assist with the final selection of the BI platform, ETL and Data Warehouse solution. The Authority does own Tableau Server and Desktop licenses for a proof of concept we completed and has researched others like Tibco Spotfire, Power BI, and Qlik for BI solutions. We also own Oracle, SQL and Splunk licenses for some existing enterprise solutions and have researched Teradata, Informatica and Cloudera systems for DW solutions.

9. Apart from connecting to Oracle data sources, is the business intelligence solution being built with the Oracle platform or any other platform such as Business Objects?

See 8

10. What tool will be used for the ETL process?

No decision has been made yet. The selected consultant(s) will assist with the selection.

11. How are requirements communicated to the consultant?

Massport will assign a Work Order to the Consultant. Massport and the Consultant will negotiate the Scope of the Work Order.

12. What is the current state of the reporting infrastructure?

Various SQL and Oracle queries.

13. What is the current reporting solution?

There is no reporting solution.

14. What is the volume of data being considered?

The Authority is looking for solutions with Big Data capabilities supporting TBs of data. For instance a recent proof of concept regarding our TNC (uber and lyft) data included 50GB+ of data. However an initial project to be implemented will focus on some of our financial and project management systems estimated at 1000s of tables.

15. Has Massport considered to what extent is the data management system supposed to be consolidated or distributed throughout the various operational procedures?

Yes, we would like to transform our culture into a data driven organization so we would like to develop business relevant analytics using simple tools for front line end users that can optimize or predict business outcomes. We'd like vendor guidance on best ways to achieve these goals.

3

16. What types of information is currently gathered?

Many data are currently collected. The selected Consultant will develop a comprehensive list on their first task.

17. Where will the information be gathered from?

See 16.

18. By what methods will data be captured?

We expect the vendors to assist us with the best way of determining this. We expect a modern ETL solution.

19. Who/which department will use the data on the backend?

Initially Capital Programs/IT but other Departments will have access as the system grows.

20. Who/which department will use the data on the front end?

Initially Capital Programs/IT but other Departments will have access as the system grows.

21. What types of devices does Massport expect to use for this data system?

The front end analytics are expected to be used in desktop and mobile devices (tablets and phones)

22. Regarding the revenue information requested in points 10 and 11 of the SF330-16f form, would it be possible for us to provide that information after submitting our response, if we are on the short-list of the three potential vendors?

No. It has to be part of the submission.

23. Please describe the current BI and Data Warehouse architecture.

See 8.

24. Please describe the existing cloud based systems that are in place.

We have a variety of cloud based systems, most often SAAS modeled systems but a few modern cloud solutions. We would like selected vendors to help us negotiate the necessary access to this system data for analytics purposes if warranted.

25. What is the size of data for initial data migration?

Not sure but most likely less than half a terabyte to start.

26. How many data sources are ingested in the Data Warehouse?

See 16.

27. Do you have a preference for additional/future tools?

No, but we are interested in best of breed products for BI, DW and ETL solutions. Tableau, Tibco, Teradata and Informatica look especially capable to us but we would like to see all of our options by more knowledgeable companies in these spaces.

4

28. It is stated ”the Authority’s standard agreement can be found on the Authority’s web page at www.massport.com” – we could not find the document – can you please send us a copy?

See Appentix A.

29. Is there any available technical documentation of the Massport’s data models and/or databases that describes the structure and/or content that can be provided, either as part of this procurement, or upon contract award?

Yes. Upon contract award. There are however systems without a documented data model.

30. Is there any available technical documentation of the Massport’s relevant IT infrastructure that can be provided, either as part of this procurement, or upon contract award?

Yes. Upon contract award.

31. Are there any relevant IT standards, requirements and/or procedures that the respondent should be aware of?

Yes, we can provide our typical IT Standards Documentation. Some of the standards may not be applicable but it will give you a good understanding of our environment. (See Appendix B)

32. Is there an M/WBE goal for the project?

No, the Consultant should propose one.

33. "It is stated “The Consultant shall also provide one (1) original and six (6) copies of litigation and legal proceedings information, signed under the pains and penalties of perjury, in a separate sealed envelope entitled “Litigation and Legal Proceedings”. See http://www.massport.com/business-with-massport/capital-improvements/resource-center for more details on litigation and legal proceedings history submittal requirements.”

However, the link doesn't direct to the document, can you make this document available or provide it as an attachment?"

https://www.massport.com/media/1151/rfp_litigationl.pdf

34. Is Stellar Services eligible to bid on this proposal?

Yes as they comply with the RFQ Requirements.

35. Has Massport already selected the analytics / integration / MDM software tools it will utilize for this project or is that also an existing need?

No tool has been selected yet. The Consultant is expected to assist with the selection of those tools.

36. If there is a software need as well, should we expect to see a separate RFP to support that process?

The Authority will be responsible for the procurement of the needed software.

37. Should the “experience for similar services…” simply summarize what is contained in F, since they seem to be very similar in nature? On a related note, the Evaluation Criteria indicates that the response in Section H should

5

provide up to 5 examples of previous work, but for Section F, up to 10 projects are allowed. Which is the correct number?

Section F is a summary of ten related projects. Section H should be a more detailed description of five related projects. Those five projects can also be in Section F or be different ones.

38. The RFQ for this project indicates that “Insurance Requirements” are part of the submission. Is it sufficient to attach a copy of our company’s current insurance certificate?

Yes.

39. Regarding submission of this bid, the RFQ requires print copies of all the documentation. However, I wanted to inquire if it would be acceptable to have electronic copies of all the submission documents by the deadline, with the paper copies following shortly thereafter.

No, printed copies by the deadline.

40. For the “on-disk” copy of the proposal, is a thumb drive or similar media acceptable, or must the submission be on a CD-ROM.

Yes, thumb drive is OK.

41. Can you tell us what BI tools you currently have in place?

See 8.

42. Are you using Oracle EBS, PeopleSoft or have Discoverer Reports?

Yes on Oracle EBS Hyperion and PeopleSoft.

43. Will the BI environment be on premises, hosted Infrastructure as a Service (IaaS) or hosted Software as a Service (SaaS)?

Time to market is one the more critical criteria of this important project which most likely necessitates a cloud-based solution but we are open to and typically in favor of on premise solutions if they can meet our business goals. The ability to easily migrate from cloud to on premise based on security requirements is a very attractive capability as well if that capability is out there.

44. Will the Consultant be working with other developers or will it be our responsibility to develop an end to end solution?

See 5.

45. Are you looking for us to train internal staff?

Yes.

46. Will the front-end data visualization software need to be read/write or read-only (data entry or reporting only)?

Read only.

47. Can the visualization software be a hosted SaaS?

See 43.

6

48. Will the Consultant be developing, architecting or installing this software or individual reports?

Yes.

49. Will reporting/data visualizations need to be interactive based on user interaction or just tabular paginated reports?

Both.

50. Are there any specific ETL tools that you are against us using?

No.

51. Are any of the data sources unstructured?

Not at this time but potentially in the future.

52. What other formats or platforms outside of SQL Server databases do the data sources consist of?

Oracle DB, SQl DB, API calls, flat files, etc.

53. What time frame does data need to be refreshed in the data warehouse to reflect the source systems? Are you looking for real-time data analytics?

Real-time analytics is a key criteria being sought after by the authority's leaders as well as predictive analytic capabilities.

54. Are there dev, test and QA environments for agile and phased development of the data warehouse?

We would like the winning vendors to weigh in on this issue based on their previous experience with other companies.

55. Are there native connectors for the cloud-based data?

Unsure.

56. Is any of the cloud-based data a streaming data set (IoT)?

Not at this time but potentially in the future.

57. Would this dashboard be within the same front-end data visualization software?

Yes.

58. Are you looking for a data dictionary and/or technical documents of the sources and processes?

Yes.

59. Are you looking for software or a service to use for master data management and data governance?

Yes.

7

60. Will the Consultant team members be a part of your Data Science team or would it just be requirements to use to vet other vendors or outside people?

The possibility for that exists if the authority decides that is the vendor's strength

61. Will the data science tools be on premises or SaaS?

See 43.

62. Is the project manager required to be a Massachusetts resident? Is he or she required to work on site in your offices?

No for both questions

63. Are additional contractors required to be Massachusetts residents?

No.

64. Do you know often you anticipate holding face-to-face meetings?

Face-to-face meetings might be required for major milestones (kick-off, presentations etc.).

65. The Legal Notice indicates that 3 vendors will be selected, and each awarded an NTE $500K contract for future work orders. The Supplemental Information Package, in the Evaluation Criteria section, indicates that 3 firms will be shortlisted, with a single vendor award. Could Massport kindly clarify the selection process, including next steps following shortlisting?

In the Evaluation Criteria is stated "shortlisting a minimum of three firms". The number of shortlisted firms depends on the number of selected firms, but in any case the minimum is three firms. The Authority's intention is to select 3 consultants, but as stated in the Legal Notice "the Authority reserves the right to select a different number if it is deemed in its best interest to do so.

--------

APPENDIX A

STANDARDWO–NODESIGNLANGUAGE‐CONTRACT

1 MPA CONTRACT NO.

Consultant Checklist: Prior to returning contract to Contract Specialist, please make sure of the following:

Has Exhibit A (Rate Sheet) for Prime Consultant and all Subconsultants been attached/submitted?

Have Insurance Certificates (with coverages as noted under Article 5) been attached/submitted?

Is the Contract signed by Consultant?

Have Exhibits C, D and E been signed by Consultant? Is necessary information requested in

Exhibit D- Certificate of Compliance with Laws -been filled out properly?

Has Consultant prepared three (3) originals for processing?

Cost Multiplier Letter for Prime and Subconsultants who have an approved multiplier higher than 2.7 (to be incorporated by Contract Specialist)


2 MPA CONTRACT NO.

As of (Date) (Consultant’s Name and Address) Attn: (Contact Person) RE: MPA Contract No. & Name of Project Dear Mr. (Contact Name) The Massachusetts Port Authority ("Authority") hereby agrees with ("Consultant") respecting the terms of the Consultant's engagement by the Authority as further described below. Article 1 – Basic Services; Work Order Process. 1.1. Basic Services to Be Performed


3 MPA CONTRACT NO.

Consultant shall provide (short sentence for scope of services) services, as further described in the Scope of Services attached hereto and incorporated herein as Exhibit 1. The Consultant shall perform these services within each individual Work Order executed between the parties, describing the task(s) to be performed, the final product or deliverable, and the budget. Such services shall be performed in accordance with the terms of this Agreement and under the supervision of the Authority’s Project Manager. Consultant shall be solely responsible for the completeness of all contract deliverables prepared under this Agreement. 1.2. Work Order Process. The parties acknowledge the need for a flexible procedure to facilitate the most-timely response to as yet undefined, but reasonably anticipated, needs for consultant services. Work Orders are intended to be discrete working documents that will provide, in summary form, the background and factual context within which a particular task or series of tasks shall be performed by the Consultant. Each Work Order shall include a detailed scope of services, level of effort, schedule, and related costs. Work Orders shall be construed to be in addition to, supplementary to, and consistent with the provisions of the text of this Agreement. The parties agree that the exact scope of services to be performed by Consultant shall depend upon events that develop throughout the term of this Agreement. Therefore, the parties agree to execute the scope of services with Work Orders, which the Consultant shall prepare and submit to the Authority for its review and approval. The Consultant agrees to cooperate with the Authority in the development of detailed, consecutively numbered Work Orders in accordance with the form and guidelines for the preparation of Work Orders attached hereto as Exhibit F. In the event of a conflict between a particular provision of any Work Order and a provision(s) of this Agreement, the provision(s) of this Agreement shall be deemed to take precedence. However, the provisions of a Work Order shall take precedence over Article 1.1 of this Agreement with respect to the exact scope of services to be provided under the Work Order. A Work Order may be amended by the parties by a written instrument referencing the identification number and date of the original Work Order that is being amended. An amendment to a Work Order shall be prepared by the parties jointly and signed by their authorized representatives. Article 2 - Term, Commencement and Completion 2.1. Term. This Agreement shall commence on the effective date recited above and remain in effect until the completion of Consultant’s services, hereunder, unless extended or terminated by the Authority in accordance with this Agreement. Individual Work Orders shall have effective dates for the related scope of services. 2.2. Commencement of Services. The Consultant shall commence services in accordance with individual Work Orders. The Consultant shall not be entitled to any compensation for services performed unless and until it has received a Work Order executed by the Authority authorizing such services. 2.3. Time of the Essence. Time is of the essence for achieving Substantial Completion of a Work Order, and the completion dates under each Work Order may be extended only as provided in this Agreement. Upon receipt of an approved Work Order, Consultant shall perform and complete the


4 MPA CONTRACT NO.

services in accordance with the schedule agreed upon and set forth in the Work Order (if applicable). The Consultant’s services will be provided as expeditiously as is consistent with professional skill and care and the orderly progress of such services. Article 3 - Compensation The overall contract amount for the complete and proper performance of all the services required by this Agreement shall be a sum not to exceed (Contract Amount in Words/Numbers). The parties acknowledge and agree that is it their intention to incorporate in each Work Order under this Agreement the amount and basis of payments to be made to Consultant. Payments will be made on the basis of a lump sum or a "not-to-exceed" price, at the sole discretion of the Authority, for each individual Work Order in accordance with this Article. 3.1. Payments Based on a "Not-to-Exceed" Price For the services described in any Work Order based on a "not-to-exceed" price, the Consultant's sole compensation shall be one or more payments computed as a multiple of actual hourly salary attributable to the time each person actually provides services under the relevant Work Order, the total of which payment(s) shall not exceed the "not-to-exceed" price under said Work Order. For purposes of “not-to-exceed” Work Orders and invoices under this Agreement, the Consultant shall submit to the Authority Exhibit A as follows: Exhibit A shall set forth the Consultant’s personnel (including all subconsultants) who will work or could potentially work under this Agreement. Exhibit A shall include the names, current titles, and actual current rates as of the effective date of this Agreement. An example of Exhibit A is attached hereto. The information in Exhibit A shall be entered into the Consultant Invoice Cover Sheet (Example Attached) and shall be currently dated and submitted to the Authority’s Contract Specialist prior to execution of this Agreement. This Exhibit A shall be in effect for one calendar year from the effective date of this Agreement.

Annual salary increases up to 5% for the categories/classifications set forth in Exhibit A shall not require the Authority’s prior approval, however, new staff assigned to the Project, along with annual salary increases exceeding 5%, shall be proposed in advance to the Authority, accompanied by appropriate supporting documentation, for the Project Manager’s approval. The Authority will not pay any annual salary increase to the extent it exceeds 5% and was not approved in advance by the Authority.

Exhibit B attached hereto is an authorization by the Authority establishing the Consultant’s multiplier, if higher than 2.7. If a different multiplier is approved by the Authority’s Internal Auditor after the effective date of this Agreement, such multiplier may be applied retroactively by the Authority. The following provisions shall govern the calculation of payments based on a "not-to-exceed" price:

3.1.1. Payment to Consultant


5 MPA CONTRACT NO.

Compensation for the Consultant's employees shall be computed at the employee's actual hourly salary times a multiplier. The multiplier for office personnel shall be limited to 2.7, and the multiplier for resident inspectors or other field personnel shall be limited to 2.3, unless the Authority's Internal Auditor determines that a different multiplier is applicable to this Agreement based upon receipt and review of certified audits to be provided by the Consultant. If a different multiplier is approved, the Authority’s Internal Audit Department shall notify the Consultant (or subconsultant) by letter which shall serve as Exhibit B to this Agreement. The multiplier shall constitute full payment for all employee benefits, overhead, general administrative costs, profit, and all other unallocated costs and expenses. 3.1.2. Payments to Consultant for Subconsultants

Compensation for subconsultants shall be in accordance with actual invoices submitted by subconsultants to the Prime Consultant; provided, however, that such subconsultants shall invoice their services in accordance with, and subject to, Article 3.1.1 hereof. The Consultant shall make prompt payments to subconsultants for services satisfactorily performed after receipt by the Consultant of payment from the Authority for such services. 3.1.3. Payment to Consultant for Independent Contractors/Interns/Co-op Students Compensation for independent contractors shall be in accordance with actual invoices submitted to the Consultant with no further markup. Compensation for interns and co-op students shall be computed at their actual hourly salary times the 2.3 field personnel multiplier. The multiplier shall constitute full payment for all employee benefits, overhead, general administrative costs, profit, and all other unallocated costs and expenses.

3.1.4. Payment for Reimbursable Expenses

The Authority may reimburse the Consultant for its expenses which are actually made or incurred in either a not to exceed aggregate amount, and/or for its expenses if identified in a particular Work Order up to the maximum amount referenced under said Work Order. As used in this Agreement and any Work Order under this Agreement, the term “reimbursable expenses” shall mean those actual extraordinary expenditures previously approved by the Authority that are made or incurred by the Consultant directly, and not paid for elsewhere, or covered under the Consultant’s multiplier, in connection with and in the interest of the Authority as per the table below:

Reimbursable Expense Type Allowable

Non‐Allowable Comment

Mileage X

Mileage will only be allowed for personnel billed at the field multiplier (resident inspection), or for special out‐of‐state travel if approved in advance @ IRS Approved Rate.


6 MPA CONTRACT NO.

Tolls X

Tolls will only be allowed for personnel billed at the field multiplier (resident inspection), and for special out‐of‐state travel if approved in advance.

Parking X If approved in advance for meetings not at Massport property with receipt.

Parking Fines X

Leased Vehicles X

Rental Cars X

Rental Cars will be reimbursed for special out of state travel. Massport will only reimburse for mid‐size class or cheaper. Rental Cars should be approved in advance. Receipt is needed.

Hotel X

Hotels will be reimbursed for special out of state travel. Travel to be approved in advance. Per GSA rates (http://www.gsa.gov/portal/category/100120) Receipt is needed.

Flight X

Flight costs will be reimbursed for special out of state travel at actual costs without change fee, unless approved in advance. Economy Class Only. Travel to be approved in advance. Receipt is needed.

Travel insurance, Even More Space Fee, Late Fees, Cancellation Fees, Charges incurred due to indirect travel for personal reasons X

Meals X

Meals will be reimbursed only for special out‐of‐state travel ‐ Per GSA rates (http://www.gsa.gov/portal/category/100120) Travel to be approved in advance. Alcohol will not be reimbursed. Meal receipts are not required.

MPA Security Badge X

Cost of first badge only, receipt needed. Re‐application charges due to applicant mistake on initial application and/or loss of badge will not be reimbursed.

TWIC Badging X TWIC badge remains with the person after the project.

Training for Badging X

Postage X Unless "mass" mailing requested by Massport.

Courier X If approved in advance with receipt.

Photography, film, etc. X Not everyday pictures. Yes, for aerial photography if approved in advance with receipt.

Reproductions X Reproduction costs will be approved with invoice from outside Vendor.

Phone Calls X

Taxi/UBER/Public X

Transportation costs will be reimbursed only for travel necessary for meetings not held at Massport property, and for out‐ of‐ state travel and out‐ of‐ state visitors with receipt.

T Passes X

Job Related Meals X Only If approved in advance , with receipt.


7 MPA CONTRACT NO.

(Luncheons)

Job Related Supplies X Not for office supplies. Yes for laboratory, safety or environmental supplies, with prior approval and receipt.

Job Related Books/Periodicals X If approved in advance with receipt.

All other costs and equipment necessary to support staff functions and services, and incidental Project team coordination costs, including communications, printing, reproduction, mail, and delivery services dealing with internal team functions, are considered overhead and are included in the multiplier. 3.1.5. Overtime The Consultant shall only be reimbursed for overtime at the employee’s actual hourly rate times the Consultant’s approved multiplier. All employees are eligible for overtime except officers which include Associate Vice President, Vice President, Senior Vice President and President classifications. Such overtime expense shall be reimbursed only to the extent that sufficient funds are available under this Agreement or an individual Work Order. 3.1.6. The Use of Field Multiplier vs. Office Multiplier The table below summarizes the distinction between field and office multiplier for various categories and durations.

Personnel Classification Function Duration Multiplier

Resident Engineer Any N/A Field

Inspector Any N/A Field

Designer of Record Design N/A Office

Designer of Record CA at Office N/A Office

Designer of Record CA at Site less than 6 Months Office

Designer of Record CA at Site greater than 6 Months Field

Designer of Record RE / Inspection less than 6 Months Office

Designer of Record RE / Inspection greater than 6 Months Field


8 MPA CONTRACT NO.

3.2. Payments Based on Lump Sum Price For services described in any Work Order based on a lump sum price, the Consultant's sole compensation shall be one or more payments not to exceed the lump sum price set forth in the Work Order. The lump sum price shall constitute full payment for all direct and indirect costs, including employee benefits, overhead, general administrative costs, profit, other unallocated costs and expenses, and reimbursable expenses. The lump sum price may be divided at the discretion of the Authority into phased and/or partial payments based on the progress demonstrated by the Consultant and/or the completion of pre-established events, such as the submission of deliverables or the completion of a phase under the Work Order, as long as work performed by the Consultant is at least proportionate to the phased or partial payment requested. The Consultant shall make prompt payments to subconsultants and independent contractors for services satisfactorily performed after receipt by the Consultant of payment from the Authority for such services. 3.3. Requests for Payment and Documentation The Consultant shall submit invoices to the Authority in accordance with the schedule set forth in Article 3 (if applicable), or the schedule set forth in the fully executed Work Order (if applicable), or shall otherwise invoice on a monthly basis. One (1) original and two (2) copies of monthly invoice are required to be mailed to the Capital Programs Department, and to the attention of Cartya Alexandre. Invoices shall be accompanied by appropriate supporting documentation for the services performed, including without limitation, the Consultant Rate Tracking Sheet (reference example under Exhibits) populated with the names, titles, and hourly rates of the individuals performing the services for the specified invoice period (all of which shall be consistent with the corresponding personnel information set forth in Exhibit A) as well as the Subconsultant Tracking Sheet (reference example under Exhibits), and any additional detail that the Authority may have otherwise required within a Work Order. A copy of the Consultant’s invoice shall also be submitted electronically each month to [email protected]. or uploaded to Massport’s Project Management Information (PMIS) System. Reimbursable Expenses listed in the above table and identified within the executed Work Order shall require receipts. The Authority reserves the right not to accept invoices for services performed or expenses incurred that are older than ninety (90) calendar days. All payments to the Consultant made by the Authority shall be via Electronic Funds Transfer (EFT). Form can be obtained by the Contract Specialist. Should Consultant require additional information, please contact Kim Winer at [email protected] 3.4 Required Use of Internet-Based Compliance Management Software System As part of the Authority’s commitment to assist Consultants to conveniently comply with legal and contractual compliance reporting requirements, the Authority maintains an online Compliance Management Software (CMS) system (System). The System is designed to help reduce Consultant’s administrative costs and to provide various work-flow automation features that improve the required project compliance reporting processes. The System is provided for use by the Consultant and subconsultants at no cost, and System training is also provided at no cost.


9 MPA CONTRACT NO.

The Contractor and all subconsultants shall provide legal and contractually required compliance information and reports using the System. The Authority may require additional information related to contract compliance to be provided electronically through the System at any time before, during or after contract award. If the Authority grants any Consultant or subconsultant a waiver from using the System, the Consultant or subconsultant shall use the paper forms for compliance reporting under the Agreement.

Information regarding Consultant access to the System will be provided to a designated point of contact for each Consultant and subconsultant upon award of the contract. The System is Internet-based and can be accessed at the following Internet address: https://massport.mwdbe.com for the Prompt Payment Reporting Process and the MBE/WBE/DBE and SB Reporting Process. 3.5. Consultant's Accounting Records Consultant shall keep accounts, books and records pertaining to services performed and reimbursable expenses incurred in a true and accurate manner and on the basis of generally accepted accounting principles and in accordance with such reasonable requirements to facilitate review as the Authority may require. Upon seventy-two (72) hours advance notice, the Authority or a representative on behalf of the Authority shall have the right to inspect, review or audit, during normal business hours, in conformity with generally accepted auditing standards, the accounts, books, records and activities of the Consultant necessary to determine compliance by the Consultant with the provisions and requirements of this Agreement, including without limitation the Scope of Services. Consultant shall keep such accounts, books and records as required to be maintained by this Agreement at a location within the metropolitan Boston area or, if the Consultant maintains such accounts, books and records in another location outside the metropolitan Boston area, the Consultant shall make such accounts, books and records available at Consultant’s Boston office or at a site acceptable to the Authority upon reasonable notice from the Authority. The Authority shall have the right to photocopy or otherwise duplicate at Consultant’s expense those accounts, books and records as the Authority determines to be necessary or convenient in connection with its review or audit thereof. If Consultant’s accounts, books or records have been generated from computerized data, Consultant shall provide the Authority or its representative with extracts of the data files in a computer readable format on suitable computer data exchange formats acceptable to the Authority. Consultant shall retain and keep available to the Authority all books and records relating to this Agreement for a period of not less than seven (7) years following the expiration of the Term of this Agreement or, in the event of litigation or claims arising out of or relating to this Agreement, until such litigation or claims are finally adjudicated and all appeal periods have expired. 3.6. Acceptance of Payment The acceptance by the Consultant of its final payment under this Agreement shall operate as a release to the Authority of all claims by and all liability to the Consultant, except for claims Consultant has previously given notice for. No payment, however, final or otherwise, shall operate to release the Consultant from its obligations under this Agreement. 3.7. Payment Not A Waiver


10 MPA CONTRACT NO.

Neither the approval nor the making of any payment to the Consultant by the Authority shall be deemed an acceptance of any services not performed in accordance with this Agreement, or an acknowledgment that such services have been performed in accordance with this Agreement. 3.8. Authority's Right to Withhold Payment The Authority may withhold payment to such extent as it deems necessary as a result of (a) third party claims arising out of the services and made against the Authority; (b) evidence of fraud, overbilling or overpayment discovered upon audit; (c) failure to make prompt payments to subconsultants or independent contractors; (d) a payment request that includes fees for unapproved subconsultants or independent contractors; (e) unsatisfactory performance of services; or (f) any breach of this Agreement. 3.9. Access to Facilities and Use of Equipment The Consultant, during the course of its services, shall coordinate its access to and inspections of the site with the Authority. Interruptions or interference with the tenants' operations shall be allowed only with approval in advance by the Authority. All requested access shall be made a minimum of forty-eight (48) hours in advance. Where the Consultant requires access to secured areas, and where the Authority determines that the Consultant's personnel require security badges, the Consultant shall provide the Authority with written justification for such request, and shall fully cooperate and comply with all Authority requirements, including without limitation those set forth in Exhibit G, attached hereto, as all such Authority requirements may change from time to time. When entering onto the Authority’s property in connection with the Project, the Consultant and any person for whom the Consultant is legally responsible, including without limitation, its employees, subconsultants, suppliers, independent contractors, agents, and the employees of each, shall wear (100% utilization): hard hats, safety glasses with side shields, proper work shoes and proper work clothing. The Consultant shall assess the Project site for existing and potential hazards to which employees and other personnel may be exposed during routine and non-routine work tasks to minimize exposure to hazards and reduce injuries. After performing a Personal Protective Equipment (PPE) assessment, the Consultant shall provide such personal protective equipment and safety equipment for all affected employees and other personnel. Additional items may include: high visibility clothing when exposed to any vehicle traffic, hearing protection devices, respiratory protection devices, fall protection devices, temperature protection equipment, hand protection equipment, life-lines and safety harnesses, full-face protection devices, special illumination equipment, U.S.C.G. approved life jackets when working over/near water or any other special equipment/devices required to be worn in their work. If the Consultant chooses to utilize PPE, the Consultant shall ensure that the equipment is provided, used, and maintained in a sanitary and reliable condition wherever it is necessary, and shall make employees and other personnel aware of how to select appropriate PPE, wear, maintain, and store PPE, and of the limitations of the PPE they are using. If the Consultant requests, and the Authority permits (in its sole discretion), the use of the Authority’s equipment in furtherance of the services under this Agreement, the Consultant shall assume all risk of


11 MPA CONTRACT NO.

loss, damage and injury to the Consultant, any of its employees, agents, subconsultants, independent contractors, or suppliers, and any property of any of the aforesaid, and hereby agrees to release, indemnify, defend, and hold harmless the Authority, its members, officers, and employees from and against all liabilities, claims, losses, damages and expenses against the Authority, its members, officers, or employees for any injury to or death of any person, including the Consultant, and/or damage to any property arising out of the Consultant’s use of said equipment. Nothing herein shall require the Authority to consider or permit the Consultant’s use of the Authority’s equipment in connection with this Agreement. Article 4 - Use of Subconsultants 4.1. Approved Subconsultants. The Authority hereby approves the Consultant's use of the following subconsultants. Notwithstanding such approval, the Authority reserves the right to require the Consultant to employ different subconsultants to perform any type of services required for the successful completion of any services under this Agreement. **(List Subconsultants here)

The Authority expects the Consultant to engage the above subconsultants for the services described above. The Consultant shall immediately notify the Authority in writing of any requested changes. No substitution or elimination of such subconsultants, alteration of the services listed above, or use of additional subconsultants shall be made without prior written request from the Consultant and approval from the Authority. 4.2. Consultant's Personnel, Subconsultants. The Consultant shall employ qualified and competent personnel to perform the services under this Agreement, particularly specification writers, building code experts and professionals experienced in construction cost estimating. The Authority shall have the right to approve such personnel prior to their engagement and to require the removal of any employee of the Consultant, or any employee of the Consultant's subconsultants, who, in the opinion of the Authority, is careless, incompetent, or otherwise unqualified to perform the services hereunder, or whose conduct is in any way considered improper. The Authority’s approval of the Consultant’s personnel shall in no way relieve the Consultant from its obligation to employ qualified and competent personnel to perform services under this Agreement, and shall not be deemed as an acknowledgement by the Authority that such employees have the necessary qualifications and competence to perform such services. Review and acceptance of such qualifications and competence shall be solely the responsibility of the Consultant. 4.3. Consultant's Responsibility for Subconsultants


12 MPA CONTRACT NO.

To the extent applicable, pursuant to Article 4.1 above, the Consultant represents that it has made and will make reasonable investigation of all subconsultants to be utilized in the performance of services under this Agreement to determine that they possess the skill, knowledge and experience necessary to enable them to perform such services. Nothing in this Agreement shall relieve the Consultant of its prime and sole responsibility for the proper performance of the services under this Agreement. Article 5 - Other Terms and Conditions 5.1. The Authority’s Director of Capital Programs and Environmental Affairs is hereby authorized to act on behalf of the Authority with respect to all powers of written approval reserved to the Authority in this Agreement. The authority vested in the Director of Capital Programs and Environmental Affairs may be exercised by a designee or delegate whom he or she shall appoint, or by the Chief Executive Officer of the Authority. 5.2. The Consultant shall maintain in confidence all of the Authority’s business information which becomes available to Consultant in connection with Consultant's services under this Agreement. All data and information developed by Consultant in the performance of this Agreement shall become the property of the Authority and shall not be disclosed by Consultant without the prior express written approval of the Authority. In addition, all right, title and interest, including copyright to all data, files, information and other work product generated or created pursuant to this Agreement, shall be and remain with the Authority. This paragraph shall survive any termination or expiration of this Agreement. 5.3. This Agreement is intended to secure for the Authority the faithful assistance and cooperation of Consultant, and Consultant, therefore, shall not accept engagements in work or business adverse to the interest of the Authority in the subject matter of this Agreement. This paragraph shall survive any termination or expiration of this Agreement. 5.4. The Authority may at any time, by written order to Consultant, make changes in the service tasks within the general scope of this Agreement. If any such change causes an increase or decrease in the cost of, or the time required for, the performance of any part of the services under this Agreement, an equitable adjustment in the price or the delivery schedule, or both, shall be made by the Authority and communicated to Consultant concurrently with said written amendment. Any claim for or contest of adjustment under this clause must be asserted, if at all, within thirty (30) days from the date of receipt by Consultant of said written amendment. 5.5. The Consultant agrees that the services provided hereunder shall conform to the high standards of

professional care and practice exercised by organizations engaged in performing comparable services; that the personnel furnishing said services shall be qualified and competent to perform adequately the services assigned to them; and that the recommendations, guidance and performance of such personnel shall reflect such standards of professional care and practice.

5.6. The Authority may terminate this Agreement as follows: (a) on thirty (30) days’ written notice, without cause; or


13 MPA CONTRACT NO.

(b) on seven (7) days’ written notice if the Agreement or any part thereof shall be assigned without the previous written consent of the Authority; or if the Consultant shall violate any provision of the Agreement, or shall fail to perform services in a timely and workmanlike manner; or shall fail to perform, keep, or observe any of the terms, covenants or conditions herein contained, and such violation or failure is not cured by the Consultant within five (5) days of Consultant’s receipt of written notice from the Authority specifying such violation or failure; or if the Consultant abandons in whole or in part its services, or becomes unable to perform its services; provided, however, that the Consultant shall not be in default if any such failure to perform or make progress arises out of causes beyond the control and without the fault or negligence of the Consultant. In the event of such termination, the Authority may procure, upon such terms and in such manner as it shall deem appropriate, services similar to those so terminated, without prejudice to any other rights and remedies for default that the Authority may have.

In the event of any termination pursuant to the provisions of this Article 5.6, the Consultant shall deliver to the Authority any and all work or work in progress produced under this Agreement prior to its termination, and the Authority shall, upon receipt of said work, pay Consultant the reasonable value of said work less any set-off for damages caused by Consultant in the event that termination is for cause as set forth above. 5.7. The Consultant is engaged under this Agreement as an independent consultant and not as an agent or employee of the Authority, and shall be responsible for its own services. The employees furnished by the Consultant to perform the services described herein shall be deemed to be the Consultant's employees exclusively, and shall be paid by the Consultant for all services in this connection. The Consultant shall be responsible for all obligations and reports covering social security withholding, unemployment insurance, workers' compensation, income tax and other reports and deductions required by any applicable state and federal law for such employees. 5.8. The Consultant covenants that it presently has no interest (to the best of its knowledge after due inquiry), and that it shall not have any interest, direct or indirect, that would conflict in any manner with the performance of services required under this Agreement. During the term of this Agreement, Consultant shall not employ, on either a full-time or part-time basis, any person so long as such person shall be employed by the Authority. 5.9. Any failure by the Authority to assert its rights for or upon any default of this Agreement shall not be deemed a waiver of such rights, nor shall any waiver be implied from the making of any payment hereunder. 5.10. In no event shall liability of the Authority in connection with this Agreement exceed the compensation provided for under Article 3 hereof. In no event shall the Authority be liable to Consultant for damages for loss resulting from causes beyond the reasonable control of the Authority, and in no event shall the Authority be liable for incidental, special or consequential damages, including loss of anticipated revenues or profits, whatever the cause.


14 MPA CONTRACT NO.

5.11. Consultant shall maintain and keep in effect during the performance of services hereunder the following insurance coverages: (a) professional liability insurance for negligent errors and omissions with a minimum limit of $1,000,000; (b) worker’s compensation insurance as required under federal and Massachusetts law; (c) employer’s liability insurance with a minimum limit per accident or disease of $1,000,000; (d) commercial general liability insurance for bodily injury and property damage in the combined single limit of $1,000,000, including blanket contractual liability insurance covering all liabilities assumed hereunder by Consultant; (e) comprehensive automobile liability insurance for bodily injury and property damage in the combined single limit of $1,000,000 covering all owned, hired, and non-owned vehicles; and (f) valuable papers insurance for restoration of plans, drawings, field notes and other documents in the event of their loss or destruction while in the custody of Consultant. All policies of liability insurance described in (d) and (e), above, shall name the Authority as an additional insured, and shall be endorsed with a waiver of subrogation by the insurer as to the Authority. Consultant shall furnish a certificate of insurance for the above-mentioned insurance within ten (10) days of the date hereof, which shall provide that the insurance shall not be subject to cancellation, expiration without renewal, termination, or material change during the term hereof except upon thirty (30) days’ prior written notice to the Authority.

5.12. Consultant, at its expense, shall defend, indemnify, and hold harmless the Authority, its

members, officers, and employees from and against any and all Consultant and third party claims, demands, suits, causes of action, including actions for personal injury or wrongful death, actions for property damage, and any other types of claims, and all losses, damages, and expenses which are the subject thereof, including attorneys’ fees and costs of investigation and litigation, alleging a violation of law or for any other cause arising out of or resulting from any error, omission, or negligent act, or any breach of contractual duties of the Consultant and/or its agents, employees, subconsultants, suppliers, and independent contractors, and the employees of each, in the performance of this Agreement; provided, however, that this obligation to defend, indemnify, and hold harmless shall not apply to claims caused solely by the gross negligence or willful misconduct of the Authority. The foregoing express obligation of indemnification shall not be construed to negate or abridge any other obligation of indemnification running to the Authority which would exist at common law, and the text of this obligation of indemnification shall not be limited by any obligation of or any term or condition of any insurance policy required under this Agreement. In case any action or proceeding is brought against the Authority by reason of any such claim, the Consultant, upon notice from the Authority, shall resist or defend such action or proceeding with counsel reasonably acceptable to the Authority. The Authority shall give the Consultant reasonable written notice of any claims threatened or made or suit instituted against it which could result in a claim of indemnification hereunder, This paragraph shall survive any termination or expiration of this Agreement. 5.13. No member or employee of the Authority shall be charged personally or held contractually liable by or to Consultant under any term or provision of this Agreement, or because of any breach hereof, or because of its execution or attempted execution.

5.14. This Agreement, any duties hereunder, or interest herein may not be assigned or delegated by Consultant without the prior express written consent of the Authority.

5.15. This Agreement shall be governed by and construed under the laws of the Commonwealth of Massachusetts without regard to its principles regarding conflicts of laws. Any dispute arising


15 MPA CONTRACT NO.

between the parties under this Agreement may be decided by any court of competent jurisdiction in the Commonwealth of Massachusetts.

5.16. The parties, by execution of this Agreement, voluntarily and intentionally waive all rights to trial by jury as to all claims, disputes, or other controversies arising out of, or relating to, this Agreement or the performance or breach thereof.

5.17. This Agreement sets forth the entire understanding between the parties as to the subject matter hereof and supersedes all prior or collateral agreements and representations. This Agreement may not be amended or modified except by a writing signed by both parties; provided, however, that the Authority may make changes in the service tasks within the general scope of this Agreement in accordance with the provisions of Article 5.4 hereof; provided, further, that any increase in monies due under this Agreement shall require a writing signed by both parties.

5.18. Consultant shall complete the Consultant’s Certificate, Certificate of Compliance with Laws, and the Consultant’s Truth-in-Negotiations Certificate forms designated as Exhibit C, Exhibit D and Exhibit E, attached hereto and incorporated by reference herein.

5.19. All notices, approvals, requests, consents or other communications that are required or permitted pursuant to this Agreement shall be effective upon receipt if hand delivered, sent by a nationally recognized overnight courier or sent by United States registered mail, return receipt requested, to the Authority addressed to MASSACHUSETTS PORT AUTHORITY, Logan Office Center, One Harborside Drive, Suite 200S, East Boston, 02128, and directed to the attention of the Director of Capital Programs and Environmental Affairs, or to the Consultant addressed to (Consultant’s Name, Address & Contact Person) , or to such other address as either party may specify to the other by notice given as provided herein.

5.20. The Authority shall have the right, at any time and in its sole discretion, to submit for review to consulting engineers or consulting architects engaged by the Authority for that purpose any or all parts of the scope of services performed by the Consultant, and the Consultant shall cooperate fully in such review at the Authority's request. 5.21..All files, records and documents, including without limitation calculations, plans, drawings, and specifications, and all text, electronic and graphic files, prepared pursuant to this Agreement, are property owned by the Authority, shall be clearly marked, identified, in good order, and delivered to the Authority’s Project Manager, with a cover letter, upon the completion of the services, but in no event later than sixty (60) days after the acceptance of the Work or termination of this Agreement, unless such time limit shall be extended in writing by the Authority. The Authority may use all such files, records, and documents as it determines. 5.22. In accordance with policies adopted by the Authority, the Consultant agrees with respect to its exercise of all uses, rights, privileges and obligations granted or required herein as follows: 5.22.1 Consultant shall not discriminate against any person, employee, or applicant for employment

because of that person’s membership in any legally protected class, including but not limited to their race, color, gender, religion, creed, national origin, ancestry, age (40 years and over),


16 MPA CONTRACT NO.

sexual orientation, pregnancy, citizenship, gender expression and identity, handicap, disability, genetic information, or veteran status. Consultant shall not discriminate against any person, employee, or applicant for employment who is a member of, or applies to perform service in, or has an obligation to perform service in, a uniformed military service of the United States, including the National Guard, on the basis of that membership, application, or obligation. Consultant shall undertake affirmative action measures designed to guarantee and effectuate equal employment opportunity for all persons.

5.22.2 Consultant will provide all information and reports pertinent to the Authority's Equal

Employment, Anti-Discrimination and Affirmative Action requirements requested by the Authority and will permit access to its facilities and any books, records, accounts or other sources of information that may be determined by the Authority to affect the Consultant's obligations herein.

5.22.3 Consultant shall comply with all federal and state laws and the Authority’s regulations

pertaining to Civil Rights, Discrimination, and Equal Opportunity, including executive orders and rules and regulations of appropriate federal and state agencies, unless otherwise exempt

therein. 5.22.4 Consultant's non-compliance with the provisions of this Article 5.22 shall constitute a material

breach of this Agreement, for which the Authority may, in its discretion, upon failure to cure said breach within thirty (30) days of written notice thereof, terminate this Agreement upon ten (10) days written notice.

5.22.5 Consultant shall indemnify and hold harmless the Authority from any claims and demands of

third persons resulting from Consultant's non-compliance with any of the provisions of this Article 5.22, and, in case of termination or cancellation of this Agreement pursuant to Paragraph 4 of this Article 5.22, the Consultant shall also indemnify the Authority during the remainder of the original term against any loss or damage suffered by reason of such termination or cancellation.

5.23 The person executing this Agreement represents and certifies that he/she has authority and power to sign on behalf of Consultant and to bind Consultant to the obligations contained herein. 5.24 Upon signing the enclosed copies, please return all executed originals to Massachusetts Port Authority, One Harborside Drive, Suite 209S; East Boston, MA 02128-2909, Attention: Lynne Pignato-Contract Specialist. One fully executed original will be returned to you for your files. IN WITNESS WHEREOF, this Agreement is executed as of the day and year first written above: (Consultant’s Name) Massachusetts Port Authority


17 MPA CONTRACT NO.

By: By:________________________________ Michael A. Grieco Title: Title:_______________________________ Assistant Secretary-Treasurer Date: Date:_______________________________ Exhibits: 1-Consultant’s Scope of Work A- Consultant’s Hourly Rates/Example Consultant Rate Tracking Sheet/Example Subconsultant Tracking Sheet B-Consultant’s Approved Multiplier (if higher than 2.7) C-Consultant’s Certificate D-Certificate of Compliance with Laws E-Consultant’s Truth-in-Negotiations Certificate F-Guidelines for the Preparation of Work Orders G-Consultant’s Security Identification Requirements for Airport Projects


18 MPA CONTRACT NO.

EXHIBIT 1

SCOPE OF WORK

The Scope of Work will include, but not be limited to the following:


19 MPA CONTRACT NO.

(EXAMPLE)

EXHIBIT A CONSULTANT’S HOURLY RATES

This Exhibit A shall establish hourly rates for individuals employed by consultant and subconsultants performing approved services as part of this contract. Refer to example below. Joe Smith Project Manager $42.00 Mary Duffy Engineer $35.00 Paul Black CAD $24.00 Cynthia Long Administrative $18.00 THIS INFORMATION SHALL BE ENTERED ON CONSULANT LETTERHEAD AND INSERTED INTO THE ATTACHED CONSULTANT INVOICE COVER SHEET AND SUBMITTED TO THE CONTRACT SPECIALIST PRIOR TO CONTRACT EXECUTION.


20 MPA CONTRACT NO.

(These forms can be obtained in Excel Format from the Contract Specialist)

Example

Consultant Rate Tracking (Invoice Cover Sheet)


21 MPA CONTRACT NO.

SUBCONSULTANT TRACKING SHEET


22 MPA CONTRACT NO.


23 MPA CONTRACT NO.

EXHIBIT B

Authorization of Consultant’s Multiplier

(Per letter dated November 20, 2018 from Sam Sleiman, all Consultants who currently use a 2.7 or lower office multiplier, shall be authorized to use the 2.7 office multiplier effective December 1, 2018. The field multiplier of 2.3 shall remain the same. The letter for Consultants who have an approved multiplier higher than 2.7 will be attached here.)


24 MPA CONTRACT NO.

Exhibit C

CONSULTANT'S CERTIFICATE

The Consultant named in an agreement with Massachusetts Port Authority numbered MPA CONTRACT NO. / certifies that: a) the Consultant or construction manager has not given, offered or agreed to give any gift,

contribution or offer of employment as an inducement for, or in connection with, the award of the contract for design services;

b) no subconsultant to or subcontractor for the Consultant or construction manager has given,

offered or agreed to give any gift, contribution or offer of employment to the Consultant or construction manager, or to any other person, corporation, or entity as an inducement for, or in connection with, the award to the subconsultant or subcontractor of a contract by the Consultant or construction manager;

c) no person, corporation or other entity, other than a bona fide full-time employee of the

Consultant or construction manager, has been retained or hired to solicit for or in any way assist the Consultant or construction manager in obtaining the contract for design services upon an agreement or understanding that such person, corporation or other entity be paid a fee or other consideration contingent upon the award of the contract to the Consultant; and

d) with respect to contracts which exceed ten thousand dollars, or which are for the design of a

building for which the budgeted or estimated construction costs exceed one hundred thousand dollars, that the Consultant or construction manager has internal accounting controls as required by M.G.L. Chapter 30, Section 39R, and that the Consultant or construction manager will:

(1) retain accurate and detailed books, records, and accounts for a six-year period after the

final payment; (2) file the required statement of management concerning its internal accounting controls; (3) file an annual audited financial statement; and


25 MPA CONTRACT NO.

Exhibit C Page Two (4) submit a statement prepared and signed by an independent certified public accountant stating that such CPA has examined the statement of management on internal accounting controls, and expressing an opinion as to whether management's statement described in (2) above is consistent with the result of management’s evaluation of the system of internal accounting controls, and whether such statement is reasonable with respect to transactions and assets that are material in relation to the Consultant's or construction manager’s financial statements. For the purposes of this Certificate, the terms "consultant" and/or "Construction Manager" shall be synonymous with "Consultant". Consultant: By: ________________________________ duly authorized Print Name: ________________________ Date: ______________________________


26 MPA CONTRACT NO.

EXHIBIT D

CERTIFICATE OF COMPLIANCE WITH LAWS

Massachusetts Employment Security Law Pursuant to G.L. c. 151A, §19A(b), the undersigned hereby certifies* under the penalties of perjury that Consultant, with Division of Unemployment Assistance (D.U.A.) ID Number ___________________, has complied with all laws of the Commonwealth relating to unemployment compensation contributions and payments in lieu of contributions. *Compliance may be certified if Consultant has entered into and is complying with a repayment agreement satisfactory to the Commissioner, or if there is a pending adjudicatory proceeding or court action contesting the amount due pursuant to G.L. c. 151A, §19A(C). or check the following: _______ The undersigned certifies that the Massachusetts Employment Security Law does not apply to it because Consultant does not have any individuals performing services for it within the Commonwealth to the extent that it would be required to make any contributions or payments to the Commonwealth. Massachusetts Child Care Law Pursuant to Chapter 521 of the Massachusetts Acts of 1990, as amended by Chapter 329 of the Massachusetts Acts of 1991, the undersigned hereby certifies that Consultant (check applicable item): 1. _____ employs fewer than fifty (50) full-time employees; or 2. _____ offers either a dependent care assistance program or a cafeteria plan whose benefits include a

dependent care assistance program; or 3. _____ offers child care tuition assistance, or on-site or near-site subsidized child care placements. Revenue Enforcement and Protection Program Pursuant to G.L. c. 62C, §49A, the undersigned hereby certifies under the penalties of perjury that Consultant's Federal Identification No. is (for corporate entities):________________ and that to the best of his/her knowledge and belief Consultant has complied with all laws of the Commonwealth relating to taxes, the reporting of employees and contractors, and withholding and remitting of child support. In order to comply with all laws of the Commonwealth relating to taxes, the undersigned certifies that Consultant (check applicable item): 1. _____ has filed all tax returns and paid all taxes required by law; or 2. _____ has filed a pending application for abatement of such tax; or 3. _____ has a pending petition before the appellate tax board contesting such tax; or 4. _____ does not derive taxable income from Massachusetts Sources such that it is subject to taxation by

the Commonwealth.


27 MPA CONTRACT NO.

Exhibit D Page Two Certification Regarding Companies Doing Business with or in Northern Ireland Pursuant to G.L. c. 7, § 22C, the undersigned hereby certifies under the pains and penalties of perjury that Consultant is not engaged in the manufacture, distribution or sale of firearms, munitions, including rubber or plastic bullets, tear gas, armored vehicles or military aircraft for use or deployment in any activity in Northern Ireland, and that Consultant (check applicable item): 1. _____ does not employ ten or more employees in an office or other facility located in Northern Ireland;

or 2. _____ employs ten or more employees in an office or other facility located in Northern Ireland, but such

office or other facility in Northern Ireland (a) does not discriminate in employment, compensation, or the terms, conditions and privileges of employment on account of religious or political belief; and (b) promotes religious tolerance within the work place, and the eradication of any manifestations of religious and other illegal discrimination.

Signed this day of , 201 . ___________________________________________ Authorized Signature __________________________________________ Print Name ___________________________________________ Title


28 MPA CONTRACT NO.

EXHIBIT E

CONSULTANT'S TRUTH-IN-NEGOTIATIONS CERTIFICATE

The Consultant for design services under MPA Contract No. , whose fee has been negotiated, hereby certifies and agrees to the following:

a) The Consultant certifies that the wage rates and other costs used to support the Consultant’s compensation are accurate, complete, and current at the time of contracting; and

b) The Consultant agrees that the original contract price and any additions to the

contract may be adjusted within one year of completion of the contract to exclude any significant amounts if the Authority determines that the fee was increased by such amounts due to inaccurate, incomplete, or noncurrent wage rates or other costs.

Consultant:

By: _______________________________________ duly authorized

Print Name:_________________________________

Date: _______________________________________


29 MPA CONTRACT NO.

EXHIBIT F

Guidelines for Preparation of Work Orders

Work Orders are intended to be discrete documents that will provide, in detail, the background and factual context within which a particular scope of work, work element or series of work elements will be completed by the Consultant. Work Orders shall be construed to be in addition to, supplementary to and consistent with the provisions of the text of the Agreement. The following guidelines shall be followed in preparing Work Orders for review and approval by the Authority. 1 – SAMPLE FORMAT Work Orders shall be prepared by the Consultant and submitted to the Authority for review and approval in strict accordance with the sample form provided by the Capital Programs and Environmental Department (in Excel Format). Work Orders shall only be numbered sequentially and consultants shall not create their own work order format. The Work Order shall not include a description of the services not being provided by the Consultant. 2 – DETAILED COST BREAKDOWN The Consultant shall attach a detailed cost breakdown in the form of a level of effort matrix which clearly identifies tasks, personnel, manhours, rates and multiplier(s). Reimbursable expenses shall be described within the level of effort matrix. Furthermore, the level of effort matrix shall include a breakdown of costs for each and every subconsultant or vendor. Consultant shall not attach subconsultant or vendor agreements to the Work Order. 3 – WORK ORDER AMENDMENTS Work Orders may be amended utilizing the same work order format. Each amendment shall operate as a separate document and shall not require a review of the original Work Order in order to understand the details of the amendment. Each amendment shall clearly identify what element of the original Work Order has been modified and what, if any, schedule or monetary impacts have resulted from such modifications. If the amendment will increase the overall amount of the Work Order, the Work Order amendment must include a level of effort matrix for the increased amount, as described above. 4 – WORK ORDER CLOSEOUT Upon completion of work or completion of services for a particular Work Order, the Consultant is required to close out the Work Order by completing a Work Order Close-Out Form. The Consultant shall complete and sign the Work Order Close-Out Form and submit it to the Authority for its review and approval. The form identifies what work and monies have been authorized and paid to date including any amendments. Once a Work Order Close-Out Form is signed by the Authority, the Work Order shall be considered closed and no other services may be performed or billed against the particular Work Order. Work Order Close-Out Forms can be obtained from the Project Manager. Consultants should ensure that a separate Work Order Close-Out Form is completed for every work order executed under the Agreement.


30 MPA CONTRACT NO.

[SAMPLE WORK ORDER]


31 MPA CONTRACT NO.

EXHIBIT G

SECURITY MEDIA REQUIREMENTS FOR

BOSTON-LOGAN INTERNATIONAL AIRPORT PROJECTS

The following procedures shall apply to all projects at Boston-Logan International Airport which require a Contractor Responsible Party (as that term is defined below) to be present in a Security Identification Display Area (SIDA), Sterile Area or Public Area. The Contractor is required to be familiar with and comply with all Massachusetts Port Authority (“Authority” or “Massport”) policies, procedures, rules and regulations, including without limitation those set forth herein, and all applicable federal, state and local laws, rules and regulations, as any of the aforesaid may change from time to time.

A. Airport Security Badges

SIDA Badges - The Contractor shall ensure that each of its employees, members, officers, agents, guests, invitees or volunteers and employees, members, officers, agents, guests, invitees or volunteers of its subcontractors of any tier (any of whom may be referred to individually as a “Contractor Responsible Party” and all of whom may be collectively referred to herein as “Contractor Responsible Parties”) who are present in a SIDA, Sterile Area or Public Area are properly displaying security media, in accordance with this Exhibit and all applicable federal and state laws, the rules, regulations and all directives of the Authority and other governmental entities.

The term “SIDA” shall have the meaning ascribed to it by 49 C.F.R. 1540.5, and shall include, without limitation: (1) all ramp and apron areas; (2) all runways and taxiways; (3) perimeter service road; (4) vehicle service road; (5) hangar areas and areas of cargo facilities from which individuals may access any portion of the aerodrome without passing through an access controlled portal; and (6) baggage makeup areas/baggage rooms.

The term “Sterile Area” shall have the meaning ascribed to it by 49 C.F.R. 1540.5, and shall include, without limitation, all areas of the passenger terminals which are accessed through a TSA security checkpoint during their hours of operation, or when the TSA checkpoints are not in operation, those areas of the passenger terminals which are accessible only through a portal controlled by the Access Control System (ACS).

All applicants for an Unescorted Access SIDA badge shall undergo a FBI criminal history records check, as required by 49 C.F.R. 1542.209 and a Transportation Security Administration (TSA) Security Threat Assessment (STA). The Authority will retain control and responsibility for the maintenance and destruction of the criminal history records, in accordance with federal law. Applicants who refuse to be fingerprinted and/or undergo the FBI criminal history records check will be denied an Unescorted Access Badge.

The application process will require the submission of an “Application for SIDA Identification” along with the appropriate documentation from the “List of Acceptable Documents” via the SAFE IDMS, through which the Security Badge Office (SBO) Trusted


32 MPA CONTRACT NO.

Agent will establish lawful status and work authorization. The application will be reviewed by the Massport Project Manager. If approved, the applicant will be required to proceed to the Security Badge Office to have their fingerprints captured (if applicable) and verify their identification. If the applicant is applying for Class II or Class III driving privileges, they will be required to complete additional training offered through the Authority’s Operations Department. If the applicant’s fingerprints and Security Threat Assessment is returned as favorable, then electronic notification will be sent to the Contractor’s Authorized Signatory indicating that the application has been approved. Upon successful completion of a verbal test on the applicable security regulations, the applicant will have their photo taken and biometrics collected in order to complete badge issuance. During each visit to the Security Badge Office the applicant must present the original IDs submitted with the application. If the applicant does not successfully pass the criminal history records check and/or Security Threat Assessment, they will be ineligible to receive an Unescorted Access SIDA badge. All applicants for an Unescorted Access SIDA badge shall complete a minimum of two computer-based training modules (approximately 90 minutes) prior to receiving an initial or renewal Unescorted Access SIDA Badge

SIDA applications will be accepted from the Authorized Signatories (AS) only; each AS must complete the required recurrent training annually, in order to maintain their qualifications. The SIDA must be worn at all times while working. It must be worn on the outmost garment between the neck and the waist. Failure to properly display security media is a violation of Authority regulations and may result in a fine, revocation of the security media, and/or removal of the Contractor Responsible Party from the SIDA or Sterile Area.

SBO business hours for Airport Security Badges (Unescorted Access, TVP, and PSID):

Monday – Friday 0700-1500

All Contractor Responsible Parties who require access to a SIDA or a Sterile Area for more than thirty (30) days over any twelve (12) month period must apply for an Unescorted Access Badge. Any Contractor Responsible Party who requires access to a SIDA or Sterile Area for a period of thirty (30) days or fewer over any twelve (12) month period may apply for a Temporary Visitor Pass (TVP), as described below.

Temporary Visitor Pass (TVP) - TVPs shall only be issued for business purposes. TVPs are issued in-hand only at the Security Badge Office and North/South Gates, and only after presentation of valid government-issued photo identification and satisfactory completion of a criminal background check. A TVP Request Form must be completed accurately and submitted to the SBO, in advance, using SAFE Identity Management System (IDMS). The SBO requires up to four (4) hours advanced notice to issue and process a TVP. Requests for TVPs at the North/South Gates are authorized only when the SBO is closed for TVP issuance, and when access to the airfield is required immediately using the vehicle gates. Otherwise, the North/South Gates will issue TVPs only in emergency situations. This protocol is not to be circumvented because of convenience or late submission of the TVP Request Form.


33 MPA CONTRACT NO.

The Authority reserves the right to limit the number of badges per request (i.e., large “block” requests) at the North/South Gates. Large block requests for TVP badges may be directed to the SBO for processing and pick-up, at the discretion of the Authority. Failure to comply with the TVP policy may impact the Contractor’s privilege to receive TVPs in the future.

A TVP is valid only for the calendar day on which it is issued, except that a Contractor Responsible Party who has filed an application for an Unescorted Access Badge may be issued a TVP that is valid for twenty-one (21) consecutive days (not to exceed 30 days/calendar year), only issued by the SBO after application for an Unescorted Access Badge has been submitted. A person who has been issued a TVP must return it to the Authority before he/she is issued an Unescorted Access Badge. Contractor Responsible Parties who are issued a TVP must be escorted by an individual properly displaying his/her Unescorted Access Badge at all times while in a SIDA or Sterile Area, and both, escort and escortee shall remain within the immediate geographic vicinity of their assigned job site at all times. The TVP holder and his/her escort are jointly and severally responsible for ensuring that proper escorting procedures are followed. Unescorted Access SIDA Badge holders must accompany and monitor a TVP holder at all times to ensure that the escorted party is engaged only in activities for which escorted access was granted.

The TVP must be worn at all times on airport premises, in the secure or sterile area. It must be worn on the outmost garment between the neck and the waist. Failure to properly display security media is a violation of Authority regulations and may result in a fine, revocation of the security media, and/or removal of the Contractor Responsible Party from the SIDA or Sterile Area.

Public Side Identification (PSID) Badges - The PSID will be issued to all employees and/or contractors who do not require a SIDA badge and work exclusively in the public areas of the terminals. The PSID will not authorize a badge holder to enter any Secure Area of the airport, pass through any ACS doors or go through the TSA Security Checkpoint while working. The PSID application process will require the submission of an “Application for Public Side Identification” along with the appropriate documentation from the “List of Acceptable Documents” via the SAFE IDMS, through which the Trusted Agent will establish lawful status and work authorization. Once the PSID application has been submitted the applicant’s information will be submitted to TSA for a Security Threat Assessment. Once the STA has been approved by TSA, the company will be notified and the applicant will be able to pick up their badge in the SBO. During each visit to the Security Badge Office, the applicant must present the original IDs submitted with the application. Any person who does not successfully complete the STA will be ineligible to receive a PSID. The PSID must be worn at all times while working. It must be worn on the outmost garment between the neck and the waist. Failure to properly display security media is a violation of Authority regulations and may result in a fine, revocation of the security media, and/or removal of the Contractor Responsible Party from the SIDA or Sterile Area.

Authorized Signatory (AS) - The Contractor shall appoint an Authorized Signatory(s) who shall be responsible for ensuring that all Contractor Responsible Parties complete all


34 MPA CONTRACT NO.

applicable training and application requirements prior to submitting any application for security media. The Authorized Signatory must attend an annual Authorized Signatory training class before he/she will be authorized to sign off on security media applications. It shall be the Contractor’s responsibility to contact the Security Badge Office for a schedule of required training classes. A listing of all available classes can be found at http://logansecurity.eventbrite.com. The Authority’s Security Badge Office will provide the required training materials and application processing instructions to the Authorized Signatory. The Contractor’s Authorized Signatory shall provide to the Authority documentation confirming that all Contractor Responsible Parties applying for security media have received all applicable training.

The Contractor assumes full responsibility for ensuring that all Security Badge and TVP applications are properly completed and that all security media issued to Contractor Responsible Parties are returned to the Authority upon expiration or termination, as applicable. The Authority may at any time require Contractor, at Contractor’s expense, to verify the accountability of all security media issued to Contractor Responsible Parties. Within twenty-four (24) hours after the expiration of this Agreement or completion of the services under this Agreement, whichever comes first, the Contractor shall return to the Authority’s Security Badge Office all security media issued to all Contractor Responsible Parties in connection with this Agreement. During the term of this Agreement, the Contractor shall immediately return to the Authority’s Security Badge Office any security media issued to any Contractor Responsible Party whose employment has been terminated, or who no longer requires access to a SIDA, Sterile or Public Area, or whose security media has expired.

If the applicant is applying for Class II or Class III driving privileges, they will be required to complete additional training offered through the Authority’s Operations Department. If a review of the applicant’s fingerprints and Security Threat Assessment is returned as favorable, then electronic notification will be sent to the Contractor indicating that the application has been approved. Upon successful completion of a verbal test on the applicable security regulations, the applicant will have their photo taken and biometrics collected in order to complete badge issuance.

All applications for an Unescorted Access Badge must be submitted to the Security Badge Office, with payment of all applicable fees completed during Visit 1, prior to the need for access to the SIDA or Sterile Areas. All applications for a TVP must be submitted to the Security Badge Office at least four (4) hours prior to the visitor’s arrival. The Contractor shall pay the Authority, in accordance with the fee schedule herein, for each Unescorted Access Badge that is unaccounted for, lost, missing, or not returned to the Authority within the applicable time period set forth above. Final payment to the Contractor may be withheld or reduced pending the Contractor’s return of all Unescorted Access Badges to the Authority. All Unescorted Access Badges that cannot be accounted for must be reported immediately to the Authority’s Security Badge Office at (617) 561-1706 during regular business hours and to the Authority’s Operations Department at (617) 561-3304, after hours and during weekends.

Failure to comply with these rules, regulations, policies and requirements set forth herein, including any amendments and/or additions, shall constitute a material breach of this Agreement and/or a violation of the regulations of the Massachusetts Port Authority, the TSA-


35 MPA CONTRACT NO.

approved Boston-Logan International Airport Security Program, or other applicable law, and shall be subject to the applicable penalties for each violation.

Security media issued by the Authority remains property of the Authority, and is subject to revocation at any time without notice or cause.

Additional Terms and Conditions:

1. Except if otherwise expressly set forth elsewhere in Contractor's Agreement with the Authority, Contractor's compliance with this security media program shall be considered incidental to Contractor's work and no further or additional payment will be made therefor by the Authority to the Contractor.

2. In addition to the above requirements, any Contractor performing work in the U.S. Customs and Border Protection Security Area or Federal Inspection Services Area may be required to obtain further authorization as determined by the U.S. Customs and Border Protection Service (USCBP), Officer in Charge. No separate payment will be made to the Contractor for U.S. Customs and Border Protection Service authorization, the costs of which are considered a subsidiary part of this Agreement. See Section E, below, for the USCBP requirements, which are subject to change at the sole discretion of the USCBP.

3. Fees for security media are as follows:

SIDA Badge: $41 per badge Initial Fingerprinting: $39 per badge Renewal Fingerprinting: $23.25 per badge PSID Badge $10 per badge Temporary Visitor Pass $5 per TVP

Penalties for unaccounted for (lost/stolen/not returned to the Authority) Unescorted Access Badges will be assessed in accordance with the Authority’s regulations. Replacement Unescorted Access Badges shall require, at a minimum, a new application and payment of an application fee in addition to any penalty levied. The Contractor must deactivate and return media to the SBO immediately upon learning that an employee will no longer work for the sponsoring employer. Failure to do so will result in issuance of a security violation under the Code of Massachusetts Regulation (CMR), 30.10, to the employee and the Contractor, and the inability of the Contractor to submit additional applications to the SBO. Penalties and application fees are subject to change without notice.

B. Airfield Driver License

One of the following types of driver licenses is available to applicants who have a valid Unescorted Access Badge, and have successfully completed the driver’s training courses required by the Authority:

1. Class I: Restricts operation of a motor vehicle to the Vehicle Service Road (VSR) and the ramp and apron areas immediately around the footprint of the terminal building.


36 MPA CONTRACT NO.

2. Class II: Permits operation of a motor vehicle on the VSR, the Perimeter Road and, in some cases, the inner and outer taxiways.

3. Class III: Permits operation of a motor vehicle on all areas of the Aerodrome, including active aircraft areas, runways and taxiways.

All motor vehicle operators shall be subject to applicable rules and regulations governing the operation of motor vehicles on the Aerodrome. In addition to the SIDA computer-based training, all licensed airfield drivers shall complete the computer-based “Non Movement Driver Training” or “Movement Area Driver Training” module prior to receiving an initial Unescorted Access Badge and each renewal Unescorted Access Badge. Applicants applying for Class II or Class III licenses shall require additional training by the Authority’s Operations Department. Access will be suspended when the driver’s license on file expires and will not be reinstated until the badge holder presents their updated license to the Security Badge Office.

C. Vehicle Aerodrome Permits

All vehicles authorized to access to the Aerodrome shall be equipped with Vehicle Aerodrome Permits issued by the Authority’s Aviation Security Department. A fee shall be charged for each Vehicle Aerodrome Permit. Said fee shall be determined in accordance with the schedule of fees for Vehicle Aerodrome Permits maintained by the Authority’s Department of Aviation Security. To be eligible for a Vehicle Aerodrome Permit, each vehicle must (1) be in a good state of repair, (2) have a valid motor vehicle inspection sticker (plated vehicles only), (3) clearly display company identification on each side, and (4) pass an inspection conducted by the Authority or one of its agents. In addition, satisfactory evidence of required insurance coverage and a copy of the vehicle registration must be submitted with the Vehicle Aerodrome Permit application form, showing limits approved in advance by the Authority’s Risk Management Department.

The Contractor shall forward each Vehicle Aerodrome Permit application to the Authority's Project Manager, who will send it to the Authority’s Aviation Parking Violations Department for processing. Vehicle Aerodrome Permits shall be issued only to the Contractor; therefore, the Contractor must provide sufficient personnel and escort vehicles to comply with the Authority’s rules and regulations. The contractor will be required to provide copies of the following: Massachusetts Vehicle Inspection, vehicle registration and driver insurance. The application must be signed by the Massport Project Manager.

D. ZERO TOLERANCE POLICY

The Authority maintains a ZERO TOLERANCE POLICY with respect to security violations. All violators shall be subject to the penalties set forth in 740 CMR 30 and 31, as applicable, including but not limited to: (1) a fine not to exceed $2,000.00; (2) suspension of and/or disqualification from receiving an Unescorted Access Badge or a TVP; (3) revocation of an Unescorted Access Badge, a TVP, and/or privileges to perform aviation or commercial


37 MPA CONTRACT NO.

services on the airport; (4) removal of the individual from the Sterile Area or SIDA; and/or (5) criminal prosecution.

E. Access to U.S. Customs and Border Protection Security Area

The Contractor shall ensure that all Contractor Responsible Parties working in the USCBP Security Area or Federal Inspection Services area in furtherance of the work hereunder obtain a U.S. Customs access seal issued by the USCBP. Each employee shall be required to openly display an approved USCBP access seal at all times while in the USCBP Security Area (as defined below). Failure to comply with CFR Title 19, Section 122.182 shall constitute a violation, and shall be subject to the penalties set forth therein for each violation. The Contractor, at the conclusion of the work hereunder, shall return to the USCBP all access seals issued to persons performing any work whatsoever hereunder. The Contractor shall pay the USCBP a $1,000.00 (One Thousand Dollar) fine for every access seal not returned to the USCBP at the completion of the work hereunder. Final payment to the Contractor may be withheld or reduced until all access seals are accounted for and/or returned.

1. Definition of “U.S. Customs Security Area” applicable to all badges with a CBP seal.

In accordance with Section 122.181 of the U.S. Customs Regulations, Subpart S (19 CFR 122.181), the term “U.S. Customs Security Area” means the Federal Inspection Services (FIS) area which is designated for processing international passengers, crew, their baggage and effects arriving from or departing to foreign countries. The FIS area includes the aircraft jetways and ramp area, and other restricted areas as designated by the U.S. Customs Port Director. The following describes applicable U.S. Customs Security Zones at Logan International Airport:

ZONE 1 – Encompasses the entire Federal Inspection Service area, including the jetways and aircrafts when international passengers and/or crew are present. (Red seals required/black seals NOT authorized)

ZONE 2 – Encompasses the international ramp area. This includes the jetways and aircrafts only after international passengers and/or crew have deplaned and cleared the jetway. (Red seals or black seals required)

With the exception of Federal, uniformed State and local law enforcement, and aircraft passengers or crew, all persons located at, operating out of, or employed by any airport accommodating international air commerce (including its tenants and/or contractors) must openly display an approved U.S. Customs seal issued by the USCBP Security Office.

If the Contractor or any of its employees, subcontractors, suppliers, agents, vendors, or materialmen fails to comply with any of the USCBP regulations applicable to the U.S. Customs Security Area at Logan International Airport, the principal and surety on the


38 MPA CONTRACT NO.

U.S. Airport Customs Security Area bond may be held liable for liquidated damages in the amount of $1,000 per violation.

2. U.S. Customs Airport Security Bond Provisions

The Contractor shall in accordance with CFR Title 19, Section 122.182 secure an Airport Customs Security Area bond with a surety company holding a certificate of authority acceptable for issuing federal bonds. Each bond shall be secured for a minimum of $25,000.00 (Twenty-Five Thousand Dollars), depending on the number of employees who will require a U.S. Customs access seal. Before the required access seal is issued by the USCBP, the Contractor will be liable for liquidated damages to the USCBP for any violations of the U.S. Customs Security Area requirements. No applications for U.S. Customs access seals, or requests for U.S. Customs temporary badges or seals (described below), will be processed until the Contractor has secured a bond in accordance with the aforementioned requirements.

The Contractor may not seek additional compensation from the Authority or its representatives for any federal bonding requirements, the cost of penalties incurred as a result of failure to return a U.S. Customs access seal, or any charges or losses incurred that are incidental to payment withholding resulting from the above.

3. Temporary U.S. Customs Access Seals

When an approved U.S. Customs access seal is required under 19 CFR 122.182(a), and the U.S. Customs Port Director determines that the application cannot be administratively processed in a reasonable period of time, the Contractor may, upon written request, be issued a temporary U.S. Customs access seal for the employee in question. The Contractor must satisfy the U.S. Customs Port Director that a hardship will result if the request is not granted. Surety on the Airport Customs Security Area bond as required by 19 CFR 122.182(c) may be waived at the discretion of the U.S. Customs Port Director, but only for the period of the temporary U.S. Customs access seal and its renewal period. This seal will be valid for a period deemed necessary, at the discretion of the U.S. Customs Port Director, and may be extended if the circumstances remain the same.

Persons who require temporary access to the U.S. Customs Security Area may obtain a U.S. Customs access seal valid for not more than thirty (30) days. Official visitor access seals will be valid for the day of issuance only. Access seals for both temporary and official visitors are renewable for periods equal to their original periods of validity. Temporary access seals WILL NOT be issued to applicants waiting for permanent seals. The request for temporary access must be made in advance and in writing.

The Contractor will be responsible for the timely return of all temporary U.S. Customs access seals. The applicant may be required to submit fingerprints. If required, the Federal Bureau of Investigation user fee for conducting fingerprint checks and the


39 MPA CONTRACT NO.

U.S. Customs administration-processing fee must be tendered at the time of application.

4. Quarterly Reporting Requirement

In accordance with Subsection 122.184(c), the Contractor shall submit (a) quarterly reports to the USCBP Security Office on the first day of January, April, July and October in the form required under said Subsection, and (b) a separate report setting forth any additions or deletions since the last quarterly report in the form required under said Subsection. The Contractor is responsible for the certification and maintenance of said reports and other documents as required under Subsections 122.181 and 122.189. Failure to submit these reports or to adhere to the aforementioned reporting requirements can result in liquidated damages against the Contractor’s security bond.

5. Additional Information

Additional information concerning access to the U.S. Customs Service Security Area at Logan International Airport, and these and other requirements pertinent thereto, can be obtained from the USCBP Security Seal Coordinators, (617) 568-1810.

APPENDIX B

Appendix K – Information System Security General Standards

EFFECTIVE DATE: 7-21-2011

REVISED ON: 1-28-2014

General

For the purposes of this section - Information System Security – the term information system refers to all of the following:

• Hardware used to host any component of the vendor solution

• Operating system software used in any component of the vendor solution

• Database Management Systems used in any component of the vendor solution

• Application software used in any component of the vendor solution

Security Design

The vendor is responsible for inclusion of security in the design of all information systems:

• The vendor will incorporate industry best practices and standards when developing the security posture of the information system(s)

• The vendor will be responsible for the development of a strong access control methodology that applies the security principle of “least required access” to perform a given function

• The vendor must exercise due diligence to ensure that all components of the information system are appropriately secured to ensure the confidentiality, integrity, and availability of the information they store and process

• Massport recommends the Vendor validate system security design with the Massport security manager before proceeding to build phase.

• Hosted information systems and Software as a Service (SaaS) systems must provide documentation, as it relates specifically to the security posture of the system to the Massport security manager before contract negotiation or system activation.

Secure Authentication

• Massport requires all systems to be secured with credentials for authentication (ID/password). Current Network Password Policy requires passwords to meet the following minimum guidelines:

- Contain at least eight (8) characters or more

- Contain characters from three of the following four character classes:

o Uppercase Alphabetic (i.e., A-Z)

o Lowercase Alphabetic (i.e., a-z)


o Numeric (i.e., 0-9_

o Punctuation and other characters (e.g., !%@*#^()_+|~)

• The password must not be a derivative of the Username

• Password aging: Passwords should be required to be regenerated after a set period of time. Massport is currently requiring this period not to exceed twelve months.

• Browser based system or applications shall be configured to accept only HTTPS connections for authentication purposes.

• Whenever possible, systems should be made part of the massport.com domain. Authentication services for individual systems or applications are best made utilizing MPA’s established Microsoft Active Directory system.

• Vendors with hosted information systems and Software as a Service systems must provide documentation, as it relates specifically to the security posture of the system. Authentication services for these systems are best made utilizing MPA’s established Microsoft Active Directory system when possible.

Security Controls

The vendor is responsible for security controls during the implementation phase until the information system is accepted by, and turned over to, Massport. Security controls must be consistent with industry best practices, including, but not limited to, the following:

• Ensure the latest operating system patches have been applied to all components

• Ensure the latest security-related patches have been applied to all components

• Run only services required to meet desired functionality (disable unused services)

• Enable only required protocols, identify TCP/UDP ports required and disable access to TCP/UDP ports when or where applicable

• Log unauthorized or invalid attempts to access privileged services or functions

• Log all security related events and anomalies

• Establish authentication requirements for access to sensitive data and privileged functions

Vendors with hosted information systems and Software as a Service systems must provide documentation, as it relates specifically to the security controls of the system.

Secure Coding

The vendor is responsible for developing secure application code. Vendors and their development staff must be familiar with security best practices in order to avoid producing systems, applications or modules that contain security related vulnerabilities. Massport recommends the Vendor refer to “The Open Web Application Security Project (OWASP,


http://www.owasp.org/)” for information on developing secure applications.

OWASP is dedicated to finding and fighting the causes of insecure software. OWASP has created a Top 10 project which lists the most serious web application vulnerabilities, discusses how to protect against them, and provides links to more information.

Refer to the Top 10 project main page (https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project) for additional information.

A1-Injection

Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

A2-Broken Authentication and

Session Management

Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.

A3-Cross Site Scripting (XSS)

XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

A4-Insecure Direct Object References

A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

A5-Security Misconfiguration

Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.

A6-Sensitive Data Exposure

Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.

A7-Missing Function Most web applications verify function level access rights before making

http://www.owasp.org/


Level Access Control that functionality visible in the UI. However, applications need to

perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.

A8-Cross Site Request Forgery (CSRF)

A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

A9- Using Components with Known

Vulnerabilities

Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.

A10-Unvalidated Redirects and

Forwards

Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

Massport also recommends the Vendor’s development staff be familiar with and adhere to the following if applicable:

• CERT Secure Coding Initiative recommendations

• Microsoft published; “Secure Coding Guidelines for the .NET Framework”

• MSDN (Microsoft Developer Network) Patterns & Practices Guides: “Improving Web Application Security and Building Secure ASP.NET Applications”

The vendor must follow and include in the security document the standard coding conventions and coding practices for the framework being utilized to develop secure application code.

Security Documentation

The vendor is responsible for developing a system security document, which provides an overview of the security requirements and describes the controls in place to meet those requirements. The information system security document will include, but is not limited to:

• An overview of the overall information system security posture


• A full description of the access control methodology

• Full technical details regarding secure coding practices

• Full technical details regarding the information system implementation strategy (documentation or guidelines vendor engineers follow to implement and deliver the information system)

• Full technical details regarding security strategy (e.g., patches applied, operating system hardening steps, services enabled and disabled, TCP/UDP ports opened/closed, authentication requirements, etc).

Security Review

The vendor is responsible for reviewing the intended security configurations with the Massport IT Security Manager:

• The vendor will submit security documentation for review by the IT Security Manager

• The vendor will schedule a security review with the IT Security Manager before beginning acceptance testing

• The vendor will be required to show that the system conforms to all security related industry best practices and is designed and implemented in a fully secure fashion

Security Assessment

A security assessment may be performed to ensure appropriate security controls have been both designed and implemented:

• At the discretion of the IT Security Manager and prior to or immediately after information system deployment, Massport or a third party representing Massport, may conduct a security assessment (vulnerability and penetration testing) of the system prior to final acceptance

• Vendors with hosted information systems and Software as a Service systems that can provide detailed results of independent vulnerability and penetration testing are would not be subject to further testing.

Security Issue(s) Remediation

The vendor is responsible for making the necessary provisions for remediation of security issues as requested by Massport:

• The vendor must immediately remediate vulnerabilities and high-priority security issues identified during a security assessment

• The vendor will be responsible to remediate medium level issues within a reasonable timeframe (or negotiate risk versus functionality with Massport)


• An additional security assessment may be performed after remediation for verification

purposes at the discretion of the IT Security Manager

Information Technology Operations Massport IT System Standards Manager, Systems Operations Revision Date: [07/2013]

.

Page 1 of 4

This document details Massport’s current Information Technology Hardware and Software standards and should be used as a guideline for all future system acquisitions. Proposed solutions that utilize technologies that adhere to our IT standards will be given preferential treatment over those that do not.

Section Component MPA Standard Detailed Information

Section 1 Server Hardware HP Servers and Chassis See attachment: Part A Section 2 Network Hardware Enterasys Switches & Routers See attachment: Part B Section 3 Network Operating System Microsoft Windows Server See attachment: Part C Section 4 Database Software Microsoft SQL Server See attachment: Part D Section 5 SAN Storage Hardware EMC Storage See attachment: Part E Section 6 Virtualization Software VMware ESX 5.5 / vSphere See attachment: Part F Section 7 Desktop & Mobile Devices Dell x86 PCs & Apple iOS devices See attachment: Part G Section 8 HVAC and SCADA

communication BACnet See attachment: Part H

Section 9 Data Analytics Standards DB Replica, Data Dictionary & Map

See attachment: Part I

Section 1: Server Hardware Massport Standard: HP Servers

Overview

Massport IT is committed historically to providing its user community with the best of breed hardware server systems to make the end-user experience as rich, reliable, and seamless as possible. Accordingly, Massport has partnered with Hewlett-Packard (HP) Servers to apply the wealth of HP reliability, experience, and leadership in customer service to our operations. HP servers are the current Massport standard and will be utilized for all future hardware deployments Authority wide. This should be considered an absolute requirement unless a vendor demands, and can clearly demonstrate, that an equivalent HP hardware solution would be deficient for the purpose of the vendors deployment.

See attachment, Part A for additional information.

Section 2: Network Hardware Massport Standard: Enterasys Switches & Routers

Overview

Massport IT has standardized on Enterasys Secure Networks as the network switch vendor. Further, a standard has been developed for the way this equipment to be configured and deployed.

The standardized edge switch and modular configuration is as follows, (1) Enterasys SSA switch part #SSA-T1068-0652, (2) SSA Power Supplies part #SSA-AC-PS-625W, (2) Single Mode Fiber SFP Uplink Modules part # MGBIC-LC09, (1) Enterasys SupportNet Maintenance Contact part #ES-SN-S10. This configuration allows for 48 ports of 10/100/1000 Ethernet access and 2 Gigabit Single Mode uplinks to the core. Two uplinks are utilized on each switch for redundancy -- each uplink terminates in diverse core switch/routers in the data center. This configuration provides redundancy during scheduled and non-scheduled outages, allowing Massport to power down one core switch/router while maintaining connectivity with remainder of the network. For connectivity to the core, (2) Single Mode Fiber SFP Uplink Modules part # MGBIC-LC09 are required.

See attachment, Part B for additional information.

http://sharepoint/IT/Public%20Documents/MPA%20IT%20System%20Standards%20Part%20A.doc

http://sharepoint/IT/Public%20Documents/MPA%20IT%20System%20Standards%20Part%20B.doc

http://sharepoint/IT/Public%20Documents/MPA%20IT%20System%20Standards%20Part%20C.doc

http://sharepoint/IT/Public%20Documents/MPA%20IT%20System%20Standards%20Part%20D.doc

http://sharepoint/IT/Public%20Documents/MPA%20IT%20System%20Standards%20Part%20E.doc

http://sharepoint/IT/Public%20Documents/MPA%20IT%20System%20Standards%20Part%20F.doc

http://sharepoint/IT/Public%20Documents/MPA%20IT%20System%20Standards%20Part%20G.doc

http://sharepoint/IT/Public%20Documents/MPA%20IT%20System%20Standards%20Part%20H.docx

http://sharepoint/IT/Public%20Documents/MPA%20IT%20System%20Standards%20Part%20I.doc

http://sharepoint/IT/Public%20Documents/MPA%20IT%20System%20Standards%20Part%20A.doc

http://sharepoint/IT/Public%20Documents/MPA%20IT%20System%20Standards%20Part%20B.doc


.

Page 2 of 4

Section 3: Network Operating System Massport Standard: Microsoft Windows Server

Overview

Massport IT operations will be shifting all newly acquired, and built for purpose systems to utilize the Microsoft Windows 2012 network operating system. This decision has been reached as part of MPA IT Operations overarching strategy to bring the best of breed to technology to bear on the evolving challenges on performance, uptime, and security here at Massport.

As a Microsoft centric organization, Server 2012 will be used by Massport as the primary OS platform for client/server applications for the foreseeable future. Key features of this new OS include: enhanced security, increased network performance, virtualization, and remote application serving. This strategic standardization on the 2012 Server platform may be revisited only in the event that required applications dictate the selection of other platforms (such as Linux distributions or VMWare) as individual circumstances and IT Operations approval warrant.

See attachment, Part C for additional information.

Section 4: Database Software

Massport Standard: Microsoft SQL Server

Overview

Microsoft SQL Server 2008 has been selected as the data management application for new systems requiring a robust database back-end. For systems requiring a redundant clustered hardware environment, SQL Server 2005 Enterprise is the version recommended for deployment (provided that the solution cannot be virtualized to provide High Availability functionality). For database systems not requiring a clustered environment, SQL Server 2005 Standard is the version that will be deployed. In limited circumstances, with specific vendor recommendation and the approval of Massport IT Operations SQL Server Express will be utilized.

Most applications can be installed using a default instance of the selected database server or share resources with other databases on a single physical platform. Given the high acquisition cost of Microsoft SQL and the servers on which they are deployed efforts will be made to ‘stack’ multiple databases onto fewer and more powerful hardware platforms. This means that an application will likely be installed on a database server that runs one or more other production database applications. Therefore, it is imperative that IT Operations be able to predict, during the planning stages of a deployment, the requirements and size of your database over its expected production lifecycle. If you are buying an off-the-shelf product, your vendor or IT Operations personnel will be able to provide you with this information.

See attachment, Part D for additional information.

http://sharepoint/IT/Public%20Documents/MPA%20IT%20System%20Standards%20Part%20C.doc

http://sharepoint/IT/Public%20Documents/MPA%20IT%20System%20Standards%20Part%20D.doc


.

Page 3 of 4

Section 5: SAN Storage Hardware Massport Standard: EMC Storage

Overview

Massport has selected EMC Storage as the vendor of choice for SAN storage with the VMAX-40K product line as the new standard for MPA storage needs. The VMAX-40K is a new generation of unified storage that delivers concurrent connectivity for fiber channel, ISCI and NAS host connections with a total capacity of 3.9 PB of usable disk capacity.

Massport IT selected the ExaGrid Disk Library platform featuring the EX13000E Disk Library and Symantec Netbackup environment to conduct Enterprise backups. The Centralized Backup system is located at the Logan Office Center computer room and it is available to systems located within the boundaries of the Office Automation Gigabit network. New systems to be implemented should be integrated into the Centralized Backup environment. Each new system will required a standard Netbackup agent and additional space in the Disk Library for the backups operations to take place. If the new system hosts a database a special agent may be needed to conduct backups in said system. In this case the input of the project manager and vendor will be required to select the appropriate backup agent for the system.

See attachment, Part E for additional information.

Section 6: Virtualization Software

Massport Standard: VMWare ESX

Overview

With the recent emphasis on server consolidation as a method to reduce the high costs of hardware, power, and cooling in the datacenter Massport has taken steps to embrace these trends through virtualization. Virtualization is the practice of running many server operating systems (Windows, UNIX, Linux) instances using software based Hypervisor on a single physical hardware host. This virtual “stacking” of servers on to fewer physical server platforms leads to improved hardware utilization, increased space savings, and decreased power and cooling costs in the datacenter.

Accordingly, Massport IT now maintains, as a matter of policy, that if a server system or group of systems can be virtualized that they should be virtualized at inception. It is recognized however that not all applications or services are ideally suited for virtualization. Therefore the Project Management team will work with IT to make a determination to virtualize a project on a case by case basis.

See attachment, Part F for additional information.

Section 7: Desktop & Mobile Devices

Massport Desktop & Laptop Standard: Dell branded IBM compatible x86 Devices

Overview

Like most organizations Massport has standardized on IBM compatible x86 computers for our Desktops and Laptops since the late 80’s and the 386 processor hit the market. Dell is our primary standard computer hardware manufacturer. Accordingly, we utilize its computer management system, KBox, in our environment. This brand standard is cost-effective for the organization in that it allows for the customer support team to not have to continually train on different hardware platforms, helps them more effectively manage inventory, enables the development of a long-term replacement/upgrade policy and allows us to negotiate better pricing for volume purchases. Secondarily, we utilize Panasonic Toughbooks in instances that require “Ruggedized” laptops such as in vehicles. Any solution requiring workstations or laptops should acquire these types of devices. Different devices may be procured such as in the event that a required application dictates the selection of another platform (such as Mac OSX or Linux distributions) or as circumstances warrant with IT Operations approval.

http://sharepoint/IT/Public%20Documents/MPA%20IT%20System%20Standards%20Part%20E.doc

http://sharepoint/IT/Public%20Documents/MPA%20IT%20System%20Standards%20Part%20F.doc


.

Page 4 of 4

Massport Mobile Handheld Device Standard: Apple iOS Devices

Overview

Unlike in the desktop world, where for years x86 devices have dominated the landscape, the mobile device market is far more fragmented. Early trials of adopting these various platforms proved challenging and we have made a strategic decision to standardize on a single platform to limit the complexity in managing, supporting and securing these devices. Massport has standardized on Apple’s iOS platform, the iPad, iPad mini and the iPhone handhelds and we utilize the Apple Configurator and McAfee’s Enterprise Mobile Device Management solution in our environment. Any solution requiring mobile handheld devices should acquire these types. Different devices may be procured such as in the event that a required application dictates the selection of another platform (such as Windows or Blackberry handhelds) or as circumstances warrant with IT Operations approval.

See attachment, Part G for additional information.

Section 8: SCADA and HVAC Communication Standard

Massport BACnet Communication Standard: BACnet

Overview

Massport IT has unified communication platform for all SCADA and HVAC device based on BACnet. In attachment, part H details the integration requirement and support provided by Massport IT department. In short, Massport IT assigns BACnet ID and its associated IP address and elements. Any project related to building control system should follow the detail specification provided and to obtain support from Massport IT.

See attachment, Part H for additional information.

Section 9: Data Analytics Standards

DB Replica, Data Dictionary & Map

Overview

Massport is on its way to becoming a data-driven organization. By analyzing data and creating actionable insights, we will better implement effective business strategies, help increase our competitive advantages, guide services and innovation, increase margins, minimize waste, improve customer service and help retain employees.

Accordingly, Massport now demands, as a matter of policy, that all vendors/contractors implementing Information Technology Systems (whether on premise or in the cloud) agree to and implement the following requirements.

A live database replica with full access for massport’s analytic needs a complete data dictionary and a data map of all the information in any databases.

See attachment, Part I for additional information.








.

Page 1 of 2

Part A: HP Server Hardware Standard

Overview

Massport IT has historically been committed to providing its user community with the best of breed hardware server systems to make the end-user experience as rich, reliable, and seamless as possible. Accordingly, Massport has partnered with Hewlett-Packard (HP) Servers to apply the wealth of HP reliability, experience, and customer service leadership to our operations. HP servers are the current Massport standard and will be utilized for all future hardware deployments Authority wide. This should be considered an absolute requirement unless a vendor demands, and can clearly demonstrate, that an equivalent HP hardware solution deficient for the purpose of the vendor’s deployment.

HP Server Hardware Platform Overview

Two form factors of HP servers may be considered for deployment at the Authority: ProLiant C-Class Blade System and ProLiant Rack mounted ProLiant DL systems.

1. C-Class Blade Systems: The HP C-Class Blade System is the de facto standard server deployment for the future of Massport. With a single 10U chassis capable of containing 16 servers, 32 processors, up to 704 cores, and up to 32TB of memory the computation power, management, and efficiency of the C-Class makes it the first choice as a server platform. Optionally storage blades can be added as needed to provide RAID protected storage on demand.

a. Blade Chassis Selection: if adequate slots within an existing operational chassis are not available a new chassis will be procured for the project at the discretion of IT Operations. Preference should be given to the C7000 model (16 slots) over the smaller C3000 (8 slots) chassis to maximize space allocation and power efficiency within the datacenter in which the system is to be deployed.

b. Interconnect Selection: In order to assure interconnectivity between the servers and the network core, chassis interconnects will be acquired. In order to minimize the amount of physical connections to the network, the standard interconnect for Massport is the HPE Virtual Connect FlexFabric-20/40 F8 Module. The number of interconnects will be doubled should redundancy be required in the design. It is recommended that redundancy to be implemented in Production environments.

2. ProLiant DL Systems: These rack mounted models vary from 1U to 7U form factors and should be considered when the C-Class system is not an option. These circumstances may include:

a. Connection Requirements: Blade systems do not possess the ports required to accommodate legacy hardware such as modems or other devices requiring serial or parallel connections.

b. Remote Deployments: In some cases, it will be economically unfeasible to purchase an entire chassis for a limited deployment in an area of operations where little additional demand can be expected. IT will make this determination on a case by case basis.

c. Computational Power or Storage Requirements: In very rare cases, the amount of processor sockets (4) or memory (64GB) or onboard storage (>1 TB) may necessitate the deployment of a DL system in some deployments.


.

Page 2 of 2

Server Cost Breakdown

The cost of server configuration when adding additional components can vary widely depending on options (processors, memory, storage, fiber channel, network cards) added at the time of purchase. The following prices are given to represent a range from the most basic of configurations to the fully configured price of the system in today’s dollars. As a rule, the processing power of a new system will increase over time but the costs of these new systems tend to remain stable.

Platform Price (MSRP) Description

C-Class Blades ( BL260c,

BL460c, BL465c, BL480c)

$1999-$29999 Single or Double height server with up to 4 Physical processors. 64

or 32 bit support. 64 GB memory. 4 HDD

C-Class Storage Blades

(SB40c)

$1599- $5999 Adds storage platform in conjunction with a BL server system.

RAID, 6 -HDD, 256 MB- battery backup write back cache.

ProLiant DL Servers (DL

100, 300, 500, 700)

$949- $69999 1U-7U height. 1-8 processors. 256 GB memory, 16 HDD’s,

HPE Virtual Connect

FlexFabric-20/40 F8

Module

$17000 Item 691367-B21


Page 1 of 1

Part B: Enterasys Networking hardware

Overview

Massport IT has standardized on Extreme Networks as the network switch vendor. Further, a standard has been developed for the way this equipment is to be configured and deployed.

1. Extreme Networks Edge Switch with redundant power supplies

a. SSA-T4068-0252

b. SSA-T1068-0652A

c. (x2) SSA-AC-PS-625W

2. Redundant 10Gb Single Mode Fiber Uplink: (x2) Avago AFCT-701SDZ

3. Extreme Support/Maintenance Contract:

a. SSA-T1068-0652 - 97004-H30573

b. SSA-T4068-0252 – 97004-H30575

This configuration allows for 48 ports of 10/100/1000 Ethernet access and (x2) 10 Gigabit Single Mode uplinks to the core switches. Two uplinks are utilized on each switch for redundancy -- each uplink terminates in diverse core switch/routers in the data center. This configuration provides redundancy during scheduled and non-scheduled outages, allowing Massport to power down one core switch/router while maintaining connectivity with remainder of the network. For connectivity to the core, (x2) Single Mode Fiber SFP Uplink Modules part # Avago AFCT-701SDZ are required.

There are a couple of more requirements in the closet itself which bear consideration for installation. The installation will need to supply sufficient power to connect the UPS, enough wall space upon which to hang the cabinet, and two fiber runs (at a minimum) back to the required core location.


Page 1 of 1

Overview Windows Server 2016 Standard is the current standard for server operating systems for all Massport IT operations. All newly acquired and built for purpose systems will need to utilize this operating system. This decision has been reached as part of MPA IT Operations overarching strategy to bring the best of breed to technology to bear on the evolving challenges on performance, uptime, and security here at Massport. As a Microsoft centric organization, Server 2016 Standard will be used by Massport as the primary OS platform for client/server applications for the foreseeable future. Key features of this OS include: enhanced security, increased network performance, virtualization, and remote application serving. This strategic standardization on the2016 Standard Server platform may be revisited only in the event that required applications dictate the selection of other platforms (such as Linux distributions or VMWare) as individual circumstances and IT Operations approval warrant. Server 2016 Editions Windows Server 2016 was released with three editions but we will only be using two of them here at Massport; Windows Server 2016 Standard and Windows Server 2016 Datacenter. We only support x64 bit server editions. One copy of Windows Server 2016 Datacenter will need to be purchased for every VMware Host that is added into our environment. This copy of Windows Server 2016 Datacenter is allowed to host as many virtual copies of Windows Server 2016 Standard that the host can physically support. Windows Server 2016 Datacenter needs to be purchased through our existing Software Assurance contract with Dell. To purchase Windows Server 2016 Datacenter we request Dell send us a quote. One copy of Windows Server 2016 Standard will need to be purchased for every 'stand-alone' physical server. These servers may or may not need to be placed under our Software Assurance contract. This decision will be made by Massport IT Operations. As with the Datacenter version, Dell will send us a quote upon request.

Server OS Price (Dell) Description Server 2016 Standard ~$1,000 Server with up to 2 Physical processors. More

processors are available at extra cost. 64 bit support. Server 2016 Datacenter ~$7,000 Used as Host, Unlimited Virtualization, Application

virtualization. 2 to 64 processors. 64 bit support.


Page 1 of 2

Part D: Microsoft SQL Server Database Software Standard

Microsoft SQL Server 2016has been selected as the data management application for new systems requiring a robust database back-end. For systems requiring a redundant clustered and Always on hardware environment, SQL Server 2016 Enterprise is the version recommended for deployment (provided that the solution cannot be virtualized to provide High Availability functionality). For database systems not requiring a clustered environment, SQL Server 2016 Standard is the version that will be deployed. In limited circumstances, with specific vendor recommendation and the approval of Massport IT Operations SQL Server Express will be utilized. Most applications can be installed using a default instance of the selected database server or share resources with other databases on a single physical platform. Given the high acquisition cost of Microsoft SQL and the servers on which they are deployed efforts will be made to ‘stack’ multiple databases onto fewer and more powerful hardware platforms. Which means the server will run with one or more other production databases. In some cases, a database application should not be installed in an instance with other production databases. For these applications, we can often install a second, named instance for your application on the same hardware using either the full version of SQL Server or SQL Server Express. If this is not advisable, you should plan to purchase separate server hardware for your system. Production database systems, including those running on SQL Server Express, should never be installed on non-server hardware or reside in non-approved computer rooms. If you intend to do development on your application, please consider installing on one of our test database servers. If you have any questions about how your system should be installed, please contact IT Operations and provide the documentation and any relevant support contacts and telephone numbers and I will try to find the best solution for your application. It is imperative that IT Operations be able to accurately predict, during the planning stages of a deployment, the requirements and size of your database over its expected production lifecycle. If you are buying an off-the-shelf product, your vendor or IT Operations personnel will be able to provide you with this information. Continue on page 2.


Page 2 of 2

Part D: Oracle Database Standard

Oracle 12c Enterprise edition database has been selected as the standard version for the Oracle databases. There are some exceptions to this standard because of the unsupported application to the back-end database. A single, fault-tolerant, clustered and optimized Oracle Database Appliance server specifically designed for databases is the standard server for the Oracle databases. This server comes with pre-installed with Oracle Linux and Oracle appliance manager software, highly available Real Application clustered (RAC) with load balancer and Industry leading Automatic Storage management system (ASM). The Oracle Engineered system can hold multiple databases and support different database homes (different versions of Oracle binaries). According to the database standards, we only host databases on the database servers and the applications should be installed on different servers in order to gain performance and load balancing from different applications. It is imperative that IT Operations be able to accurately predict, during the planning stages of a deployment, the requirements and size of your database over its expected production lifecycle. If you are buying an off-the-shelf product, your vendor or IT Operations personnel will be able to provide you with this information. Linux or Unix is the preferred and standard Operating system for our Oracle database servers. Standard naming conventions for databases The following is the naming standards for our databases as xxxxp0. Example 1: For Maximo Application, the production database name is MAXMP0, MAXMU0 for User Acceptance Test and MAXMI0 for Integrated System Test. Example 2: The FARS production database is FSPRD0, the FARS Development database name is FSDEV0, FSUAT0 for UAT, FSIST0 for IST and FSDMO0 for demo database. Structured File Systems – database Architecture The following is the new standard for all of the Oracle database file systems. This is to standardize the undefined and unstructured old file system to a defined and well-structured file system. /db/xxxxp0 – for a particular Oracle database. /db/xxxxp0/oracle – for Oracle binaries. /db/xxxxp0/admin – for administration. /db/xxxxp0/oradata – for database data files /db/xxxxp0/oradata/ctl – for Oracle control files /db/xxxxp0/oradata/log – for Oracle redo log files /db/xxxxp0/archive – for database archive files and flash recovery area. Examples: Production FARS database /db/fsprd0 – for FARS production Oracle database. /db/fsprd0/oracle – for Oracle binaries. /db/fsprd0/admin – for administration. /db/fsprd0/oradata – for database data files /db/fsprd0/oradata/ctl – for Oracle control files /db/fsprd0/oradata/log – for Oracle redo log files /db/fsprd0/archive – for database archive files and flash recovery area. In this structured file systems, In order to find a data file specific to production FSPRD0, just go to /db/fsprd0/oradata, you can see all the data files.


Page 1 of 2

Part E: Storage Standards

Overview

Massport has selected EMC Storage as the vendor of choice for SAN storage with the VMAX-40K product line as the new standard for MPA storage needs. The VMAX-40K is a new generation of unified storage that delivers concurrent connectivity for fiber channel, ISCI and NAS host connections with a total capacity of 3.9 PB of usable disk capacity.

Guidelines for implementation are as follows:

a. Additional Storage: A single VMAX-40K can contain up to 128 Switched Device Shelves each containing up to 15 drives. Therefore the optimum method for storage expansion will be the addition of fully populated shelves for additional capacity to an existing VMAX-40K.

Massport has selected EMC Storage as the vendor of choice for SAN storage with the VMAX3 – 100K product line as the new standard for MPA Disaster Recovery storage needs. The VMAX3 – 100K is a new generation of unified storage that delivers concurrent connectivity for fiber channel, ISCI and NAS host connections with a total capacity of 500 TB of usable disk capacity.


a. Additional Storage: A single VMAX3 – 100K can contain up to 1440 drives. Therefore the optimum method for storage expansion will be the addition of the required number of drives to match the desired capacity and tolerance until the capacity of the VMAX3 - 100K is reached.

Massport has selected EMC Storage as the vendor of choice for SAN storage with the VNX5300 product line as the new standard for MPA Web systems storage needs. The VNX is a new generation of SAN storage with the capacity to serve 256 hosts at 8GB speed, with a total capacity of 200TB of disk capacity.


a. Additional Storage: A single VNX5300 can contain up to 8 Switched Device Shelves each containing up to 15 drives. Therefore the optimum method for storage expansion will be the addition of additional capacity to an existing VNX5300

b. New Storage: Should the lack of proximity to an existing storage array or the project require physical isolation a new VNX5300 will be provisioned and it is expected that any new array will be centrally managed by IT Ops personnel.

The previous storage standard of Massport IT Operations is the EMC Storage Platform featuring the NS960 Storage Array. The NS960 Storage Array can serve up to 256 hosts and it can be expanded up to 1.2 PB of space. Massport has a NS960 and it is located at the LOC Data Center. New systems to be integrated, requiring storage, must utilize said Storage Array. Special dispensation of this policy may be granted at the sole discretion of Massport IT Operations. In all cases the amount of space required will be determined during the planning stages of a deployment and disk space will be purchased and integrated in the designated Storage Array.


Page 2 of 2

Massport IT selected the ExaGrid Disk Library platform featuring the EX40000E Disk Library and Symantec Netbackup (version 7.7.3) environment to conduct Enterprise backups. The Centralized Backup system is located at the Logan Office Center computer room and it is available to systems located within the boundaries of the Office Automation Gigabit network. New systems to be implemented should be integrated into the Centralized Backup environment. Each new system will required a standard Netbackup agent and additional space in the Disk Library for the backups operations to take place. If the new system hosts a database a special agent may be needed to conduct backups in said system. In this case the input of the project manager and vendor will be required to select the appropriate backup agent for the system.


Page 1 of 1

Part F: VMware ESX Virtualization Software Standard

Overview

With the recent emphasis on server consolidation as a method to reduce the high costs of hardware, power, and cooling in the datacenter, Massport has taken steps to embrace these trends through virtualization. Virtualization is the practice of running many server operating systems (Windows, UNIX, Linux) instances using software based Hypervisor on a single physical hardware host. This virtual “stacking” of servers on to fewer physical server platforms leads to improved hardware utilization, increased space savings, and decreased power and cooling costs in the datacenter.

Accordingly, Massport IT now maintains, as a matter of policy, that if a server system or group of systems can be virtualized then they should be virtualized at inception. It is recognized however that not all applications or services are ideally suited for virtualization. Therefore, the Project Management team will work with IT to make a determination to virtualize a project on a case by case basis.

Virtualization Overview

Massport has standardized on VMware’s ESXi 6.0 U3 vSphere Server Virtualization software and their Horizon v7 Desktop Virtualization software:

1. VMWare : The industry leading virtualization technology, VMware is the most widely adopted and utilized virtualization technology currently in production at Massport. It can be deployed to form high availability services through clustering and achieve automatic load balancing and recovery in the event of a failure of a physical host. For these reasons, it is the only virtualization technology recommended for mission critical information systems requiring high availability at Massport.

Virtualization Price (MSRP) Description VMWare vSphere / ESXi 6.0 Server

$999-$5000 ESXi server is the main component of the VMware virtualization platform. Available in: Foundation, Standard, and Enterprise Editions. Support costs not included.


Page 1 of 2

Part G: Desktop & Mobile Device Standards

Massport Desktop & Laptop Standard: Dell branded IBM compatible x86 Devices

Overview

Massport has standardized on IBM compatible x86 computers for our Desktops and Laptops. Dell is our primary standard computer hardware and sometimes we utilize Panasonic Toughbooks in instances that require “Ruggedized” laptops such as in vehicles. When purchasing these devices please use the following specifications as a minimum system requirements guideline. The Massport Help Desk (617) 568-5699 will be more than happy to provide the latest specs directly from Dell if required.

General Computer Specifications

Dell computers / Model Optiplex 7060 Small Form Factor Case Processor speed, Intel Core i7-8700 (6 Cores/12MB/12T/up to 4.6GHz 16GB (2X8GB) 2666MHz DDR4 UDIMM Non-ECC M.2 128GB SATA Class 20 Solid State Drive 8x DVD+/-RW 9.5mm Optical Disk Drive TPM enabled

Network Interface Card Integrated Ethernet LAN 10/100/1000 Desktop Operating System Windows 10 Professional-64 BIT. Monitor 24-inch Flat Panel Monitor with Sound Bar and 3-Year Warranty Hardware Warranty 3 Year ProSupport Plus Onsite 3 years

CAD Workstation Specifications

Dell Precision Tower 7820 Series Dual Xeon Gold 6128 3.4GHz, 3.7GHz Turbo, 6C, 10.4GT/s 2UPI, 19.25M Cache, HT (115W) DDR4-2666 64GB (4x16GB) 2666MHz DDR4 RDIMM ECC 2TB 3.5 Serial-ATA (7200 RPM) Hard Drive Dell Ultra-Speed Drive Duo: 1x512GBNVMe PCIe M.2 Solid State Drive x8 Card (boot) C40 8x Half-Height BD-RE (Blu-Ray Rewritable) Drive and 8x Slimline DVD +/- RW drive

Video Card NVIDIA Quadro P5000, 16GB, 4 DP, DL-DVI-D (7X20T) Network Interface Card Integrated Ethernet LAN 10/100/1000 Desktop Operating System Windows 10 Professional-64 BIT. Monitor 24-inch Flat Panel Monitor with Sound Bar and 3-Year Warranty Hardware Warranty 3 Year ProSupport Plus Onsite 3 years


Page 2 of 2

Massport Mobile Handheld Device Standard: Apple iOS Devices

Overview

Massport has standardized on Apple’s iOS platform, the iPad, and the iPhone handhelds. Any solution requiring mobile handheld devices should acquire these types. When purchasing these devices please use the following specifications as a minimum system requirements guideline.

Apple iPad Pro 64GB 10.5” Model with WiFi & Cellular Verizon 4G LTE capability Apple iPhone 7 32GB Model with Verizon Cellular 4G LTE capability

Additionally, when investigating mobile software solutions for the Authority, please be aware that there are generally three modes of software compatibility developed for these devices, Native Applications, Browser-based and Hybrid ones. IT highly recommends acquiring Hybrid solutions that both have a native application and can be accessed via a web browser from a workstation or laptop. This will help ensure a high degree of capability, flexibility and compatibility of the system in our environment. The Manager of System Operations (617) 568-5972 will be more than happy to answer any additional questions regarding this.

Information Technology Operations Massport IT System Standards Manager, Systems Operations Revision Date: [10/2018] Manager, Security Operations Revision Date: [10/2018]

- 1 -

Part H (2018): Massport BACnet Internetworks Environment Deployment Standard

Overview Massport IT has established the following in-house standardization for HVAC and SCADA operations.

• To utilize the MOA network as the BACnet infrastructure backbone. Massport IT defines MOA network as the BACnet Internetworks of Massport environment.

• To utilize Massport assigned device level BACnet object standard (see attached framework) • To integrate with the current IT security infrastructure. • To follow additional BACnet property as identifier required by the project.

Massport Capital and Operation Projects

Massport IT infrastructure or IT network Commonly referred to as Massport’s BACnet internetworks. The IT infrastructure has been designed based on a tiered layout with multiple redundancies in place. Each edge switch has IP reservation for SCADA and HVAC devices.

Coordination Please coordinate with the project general contractor and the Massport Capital Program project manager to submit the requested information. Once the submittal has been approved, Massport IT will provide the necessary support to facilitate the integration.

Project Requirement Proposed project must have the software, hardware, licensing, and support contracts established with the manufacturer to complete the project. Proposed devices and software must have an ASHRAE SSPC 135 BI/BTLTM Certification. All BACS hardware and software must be BTL-listed and meet the following requirements:

• B-BC: BACnet—building Controllers • B-AWS, B-OWS: BACS (advanced) operator workstation

Massport IT requires submittal of an Access Request Form, BTL certificate of the software/device, and PICS.

Device and Application Security Requirement Massport IT requires the BACnet software vendor to integrate with the Massport LDAP infrastructure. Massport IT requires logins /passwords to be setup on all BACnet devices.

Protocol Standardization

BACnet Protocol Massport has standardized on the BACnet Protocol for Building Control/Management System. All systems related to building control are required to operate on the ANSI/ASHRAE 135-2016 standard. The following BACnet Network Port Object (NPO) are supported: Ethernet

• Protocol: Supported (see attached Appendix-A, B & C) • Physical layer: Supported

BACnet/IP (Includes BBMD) • Protocol: Supported (see attached Appendix-A, B & C) • Physical layer: Supported • BBMD router: Pending location, Massport IT requires minimum of one BBMD router / gateway

provided by the individual project. ARCNET

• Protocol: Vendor Supported (see attached Appendix-A, B & C)


- 2 -

• Physical layer: BACnet ARCNET physical medium is not supported. o Vendor can design an ARCNET/TP based physical layout if cable distance limitations are an

issue. o Massport IT does not support troubleshooting downstream BACnet/IP-to-ARCNET gateway

physical connectivity issue. • Gateway: Massport IT requires a minimum of one BACnet/IP-to-ARCNET gateway to be downstream

of each ARCNET network. The project must provide a gateway for ARCNET-to-BACnet/IP translation MS/TP

• Protocol: Vendor Supported (see attached Appendix-A, B & C) • Physical layer: BACnet MS/TP (RS-485) physical medium is not supported.

o Vendor can design a MS/TP based physical layout if cable distance limitations are an issue. o Massport IT does not support troubleshooting downstream MS/TP router physical

connectivity issue. • Gateway: Massport IT requires a minimum of one BACnet MS/TP-to-BACnet/IP gateway and or router

within each MS/TP network. The project must provide a gateway for BACnet MS/TP-to-BACnet/IP translation.

MODBUS Protocol Massport IT infrastructure also supports Modbus protocol if BACnet protocol is not available. Utilization of BACnet protocol is preferred.


- 3 -

Appendix

Appendix-A: Standardization of BACnet / Data Link – Infrastructure and IT Support Status

BACnet Datalink Type IT infrastructure Support Status IT BACnet Scheme Support Status BACnet/IP Yes (Preferred)

Yes

Naming/ Scheme standardization managed by IT

Ethernet Yes ARCNET No: Responsible by vender MS/TP No: Responsible by vender PTP No LonTalk No ZigBee No

Appendix-B IT Requirement for BACnet Objects Availability

Modifiable Device-Object Massport IT required settings Control Assignment / Responsibilities

Device-Object Name X Massport IT / Facilities object-identifier X Massport IT / Facilities object-name X Massport IT / Project PM & Facilities location X Project PM / Facilities description X Project PM / Facilities

BACnet Network Layer (NL) X Massport IT / Facilities SNET / SLEN / SADR X Massport IT / Facilities DNET / DLEN / DADR X Massport IT / Facilities


- 4 -

Appendix-C Device Level BACnet Assignment Scheme (Global) The following are the standard involved with BACnet deployment. Additional explanation of each element is listed following.

Element Range, Limitation, Explanation Unique Identifier

Required. Assign by IT

Scheme

Object_identifier (DIN) BACnet Device ID or BACnet Device Instance or

Default 0, range of 1 to 4,194,304. Globally unique number required.

YES, Global based

Yes

BBBNN## BBB (3cha)= Assigned by IT, Massport BLDG & Site number NN (2cha)= Assigned by IT, the 4th Octet Switch IP number ## (2cha)= Assigned by IT, Assigned 4th Octet IP address assigned

Object_Name Device Name

No limit for most of device Manufacturer. YES Suggested: BLDG#-Location–Device Type-## BLDG# (3cha)= Massport BLDG & Site Number Location (Xcha)= Detail room / location DeviceInfo(Xcha)= Use ASHRAE Vendor ID & Device type such as Flow,HVAC, POWER, etc. ## (2cha) = Assigned 4th Octet IP Address

(NL) Network ID Aka (DNET, SNET) For BACnet MS/TP, BACnet/IP, & BACnet Ethernet

BACnet Ethernet, BACnet ARCNET, BACnet MS/TP and BACnet/IP network numbers cannot be duplicated. A network number can range from 1 – 65,534 (with 65,535 reserved for broadcasts). Globally unique number required regardless of technology

YES, Global based

#BB## Default = “######“, # (1cha)= 2=B/Ether, 3=B/IP, 4=B/MS/TP, 5=B/ARCHNET BB (2cha)= Massport BLDG & Site Number ## (2cha)= Default 50, sequentially assigned by IT

MS/TP Speed baud rate set at 38.4 Yes Sequential assignment, 1-127, 32 per segment

ARCHNET “0” = broadcast Yes Sequential assignment, 0-255

BBMD BBMD / BDT Broadcast Distribution Table

Routing Table contains the entries of any other BBMDs located on the network. The OP address and subnet mask of the BBMD to be listed

Config Pending Yes

IP: x.x.x.x Mask: 255.255.255.255, or x.x.x.x

FD configuration BBMD FD way in or BBMD FD way out Config Pending

BBMD Device way-in to server farm

Device Level Configuration Device Web interface Login

Login to the device web page. N/A Yes Login Name: Admin, or Root / Pending Manufacturer Password: Randomly Assigned per project

IP Address 10.0.0.0 private IP range utilized by IT Department network team

Yes Each device assigned by location and its connected switch

Network Security Policy

Massport IT department Security Team designated Network Level security policy designed to work with Massport IT network infrastructure. Based on TCP/UDP based on “implicitly deny unless explicitly allow”

N/A MAC_HVAC_XXX XXX = denomination of the security profile


- 5 -

Appendix-D: Example of Submittal Format

Device Model MAC address BACnet Protocol

BACnet Functions

Physical Location Physical Connection BACnet ID Network # IP related info

Model_Example01 xx-xx-xx-xx-xx-xx B/IP BBMD router Telco rm1 Cat-6 to IT rm, DWG#1 Issue by MPA

Issue by MPA Issue by MPA Model_Example02 11-11-11-11-11-

11 B/IP-to-MS/TP Gateway Tunnel1 Cat-6 to IT rm, DWG#1

Model_Example03 n/a MS/TP Steam Meter1 Tunnel1 RS-485 rm, DWG#1 Model_Example04 22-22-22-22-22-

22 Modbus Steam Meter2 Tunnel2 Cat-6 to IT rm, DWG#1


- 6 -

This page is intentionally left blank


Page 1 of 4

Part I: Data Analytics Standards Massport is on its way to becoming a data-driven organization. By analyzing data and creating actionable insights, we will better implement effective business strategies, help increase our competitive advantages, guide services and innovation, increase margins, minimize waste, improve customer service and help retain employees.

Accordingly, Massport now demands, as a matter of policy, that all vendors/contractors implementing Information Technology Systems (whether on premise or in the cloud) agree to and implement the following requirements.

1.) Live Database Replicas All IT vendors/contractors must also implement and maintain a duplicate live replica of the databases comprising the systems with Massport IT maintaining complete access to for the purposes of connecting, APIs, reporting, integration, extracting, transforming and loading, Business Intelligence and Data Warehousing capabilities if it is not possible to utilize the production databases for such purposes. Also, the frequency of the data refresh and refresh procedure from production to the replica database should be explained.

2.) Data Dictionary : Definitions of data elements and their relationships

All IT vendors/contractors must deliver a complete data dictionary document of all the information in their databases such as all tables, entities, attributes, keys, data types, validation rules, database triggers, stored procedures, domains, and access constraints.

• Table (Entity) Name—MP2 database table. • Field Name (Attribute)—Name of the field in the table. • Field Type—Type of field and domain.

• Field Size – Maximum number of characters, numbers, etc. that the field can hold. • Restrictions – Field constraints. • Referential integrity and the data dependency must be documented. • LOB and BLOB type data if used, should be marked and explained.


Page 2 of 4

• Add key symbol to designate any primary key fields.

3.) Data Map

All IT vendors/contractors must deliver a complete data map of the database and its relationships. (Systems block diagram and data flow diagram) ERD diagram and/or Relational diagram and connectivity.

• Data integration to other systems should be explained and mapped. Example:


Page 3 of 4

4) Internal Model: All IT vendors/contractors must deliver the internal model of the database.


Page 4 of 4

All, in general terms All IT vendors/contractors must provide detailed information on the following items:

• Type of Database: Single-user, multiple-user, by Location (cloud, centralized, distributed), by data type (general-purpose, operational, discipline-specific, analytical).

• Data storage management • Data transformation and presentation(to excel, csv files, text files, reports) • Security management • Multiuser access control • Backup and recovery management • Data integrity management • Query language