NOTICE OF CONTRACT NOTICE OF CONTRACT NO. 171- 180000000806 .

between THE STATE OF MICHIGAN

and

CO

NTR

AC

TOR

Rego Consulting Corporation

STA

TEPr

ogra

mM

anag

er

Rob Surber DTMB

2115 N Main St 517-335-2820

Centerville, UT 84014 SurberR@michigan.gov

George Trainor

Con

tract

Adm

inis

trato

r Michael Breen DTMB

410-465-2708 517-249-0428

george.trainor@regoconsulting.com BreenM@michigan.gov

VS0002241

CONTRACT SUMMARY

DESCRIPTION: Enterprise Project and Portfolio Management (PPM) System INITIAL EFFECTIVE DATE INITIAL EXPIRATION DATE INITIAL AVAILABLE

OPTIONS

EXPIRATION DATE BEFORE CHANGE(S) NOTED BELOW

6/30/2018 9/30/2021 7 Years 9/30/2021 PAYMENT TERMS DELIVERY TIMEFRAME

Net 45 N/A ALTERNATE PAYMENT OPTIONS EXTENDED PURCHASING

☐ P-card ☐ Direct Voucher (DV) ☐ Other ☐ Yes ☒ NoMINIMUM DELIVERY REQUIREMENTS

N/A MISCELLANEOUS INFORMATION

This contract is established from Request for Proposal 171-180000000005.

ESTIMATED CONTRACT VALUE AT TIME OF EXECUTION $6,142,760.00

STATE OF MICHIGAN ENTERPRISE PROCUREMENT Department of Technology, Management, and Budget 525 W. ALLEGAN ST., LANSING, MICHIGAN 48913 P.O. BOX 30026 LANSING, MICHIGAN 48909

1

CONTRACT NO. 171- 180000000806

FOR THE CONTRACTOR:

Company Name

Authorized Agent Signature

Authorized Agent (Print or Type)

Date

FOR THE STATE:

Signature

Name & Title

Agency

Date

2

Rego Consulting Corporation

George Trainor

June 15, 2018

Jarrod Barron, IT Category Specialist

DTMB Central Procurement Services

6/26/2018

This Software as a Service Contract (this “Contract”) is agreed to between the State of Michigan (the “State”) and Rego Consulting Corporation (“Contractor”), a Utah corporation. This Contract is effective on June 30, 2018 (“Effective Date”), and unless earlier terminated, will expire on September 30, 2021 (the “Term”).

This Contract may be renewed for up to seven additional one-year periods. Renewal must be by written notice from the State and will automatically extend the Term of this Contract.

1. Definitions.

“Action” has the meaning set forth in Section 13.1.

“Allegedly Infringing Features” has the meaning set forth in Section 13.3(a)(ii).

“Authorized Users” means all Persons authorized by the State to access and use the Services through the State’s account under this Contract, subject to the maximum number of users specified in the applicable Statement of Work.

“Availability Requirement” has the meaning set forth in Section 5.

“Business Day” means a day other than a Saturday, Sunday or State Holiday.

“Change Notice” has the meaning set forth in Section 2.2.

“Confidential Information” has the meaning set forth in Section 10.1.

“Contract” has the meaning set forth in the preamble.

“Contract Administrator” is the individual appointed by each party to (a) administer the terms of this Contract, and (B) approve and execute any Change Notices under this Contract. Each party’s Contract Administrator will be identified in the Statement of Work.

“Contractor” has the meaning set forth in the preamble.

“Contractor Personnel” means all employees and agents of Contractor, all Subcontractors and all employees and agents of any Subcontractor, involved in the performance of Services.

“Contractor Service Manager” has the meaning set forth in Section 2.5(a).

“Documentation” means all generally available documentation relating to the Services, including all user manuals, operating manuals and other instructions, specifications, documents and materials, in any form or media, that describe any

STATE OF MICHIGAN

CONTRACT TERMS Software as a Service (SaaS)

3

component, feature, requirement or other aspect of the Services, including any functionality, testing, operation or use thereof.

“Effective Date” has the meaning set forth in the preamble.

“Fees” has the meaning set forth in Section 8.1.

“Force Majeure Event” has the meaning set forth in Section17.1.

“Hosted Services” (also referred to as the “SaaS Offering” in Section 2 of the Channel End User Terms: SaaS attached as Schedule B) has the meaning set forth in Section 2.1(a)Error! Reference source not found..

“Hosted Service Provider” means Contractor’s approved subcontractor, CA Technologies, Inc. who provides the Hosted Services.

“Intellectual Property Rights” means any and all rights comprising or relating to: (a) patents, patent disclosures and inventions (whether patentable or not); (b) trademarks, service marks, trade dress, trade names, logos, corporate names and domain names, together with all of the goodwill associated therewith; (c) authorship rights, copyrights and copyrightable works (including computer programs) and rights in data and databases; (d) trade secrets, know-how and other confidential information; and (e) all other intellectual property rights, in each case whether registered or unregistered and including all applications for, and renewals or extensions of, such rights, and all similar or equivalent rights or forms of protection provided by applicable Law in any jurisdiction throughout the world.

“Key Personnel” means any Contractor Personnel identified as key personnel in this Contract or any Statement of Work.

“Law” means any statute, law, ordinance, regulation, rule, code, order, constitution, treaty, common law, judgment, decree or other requirement or rule of any federal, state, local or foreign government or political subdivision thereof, or any arbitrator, court or tribunal of competent jurisdiction.

“Loss” means all losses, damages, liabilities, deficiencies, claims, actions, judgments, settlements, interest, awards, penalties, fines, costs or expenses of whatever kind, including reasonable attorneys’ fees and the costs of enforcing any right to indemnification hereunder and the cost of pursuing any insurance providers. “Losses” has a correlative meaning.

“Managed Support Services” are optional services that may be purchased to support ongoing enhancements and consulting needed post go-live.

“Person” means an individual, corporation, partnership, joint venture, limited liability company, governmental authority, unincorporated organization, trust, association or other entity.

“Process” means to perform any operation or set of operations on any data, information, material, work, expression or other content, including to (a) collect, receive, input, upload, download, record, reproduce, store, organize, combine, log, catalog, cross-reference, manage, maintain, copy, adapt, alter, translate or make other improvements or derivative works, (b) process, retrieve, output, consult, use, disseminate, transmit, submit, post, transfer, disclose or otherwise provide or make available, or (c) block, erase or destroy. “Processing” and “Processed” have correlative meanings.

“Professional Services” means those all Services, other than the Hosted Services, provided by the Contractor as described in the Statement of Work.

4

“Representatives” means a party’s employees, officers, directors, consultants, legal advisors and, with respect to Contractor, Contractor’s Subcontractors.

“RFP” means the State’s request for proposal designed to solicit responses for Services under this Contract.

“Service Level Agreement” means the service level agreement included in the applicable SaaS Listing attached as Schedule D to this Contract, setting forth Contractor’s obligations with respect to the hosting, management and operation of the Service Software.

“Service Software” means any and all software applications and any third-party or other software, and all new versions, updates, revisions, improvements and modifications of the foregoing, that Contractor provides remote access to and use of as part of the Services.

“Services” has the meaning set forth in Section 2.1.

“Specifications” means the specifications for the Services set forth in the applicable Statement of Work and, to the extent consistent with and not limiting of the foregoing, the Documentation.

“State” has the meaning set forth in the preamble.

“State Data” has the meaning set forth in Section 9.1.

“State Modification” has the meaning set forth in Section 13.2(a).

“State Project Manager” has the meaning set forth in Section 2.8.

“State Systems” means the information technology infrastructure, including the computers, software, databases, electronic systems (including database management systems) and networks, of the State or any of its designees.

“Statement of Work” has the meaning set forth in Section Error! Reference source not found.. The Initial Statement of Work is attached as Schedule A, and subsequent Statements of Work shall be sequentially identified and attached as Schedule A-1, A-2, A-3, etc.

“Subcontractor” means any entity that performs any Services under this Contract and otherwise has the meaning set forth in Section 2.4(a).

“Subscription Term” has the meaning set forth in Section 2.1 of the Channel End User Terms: SaaS.

“Support Services” has the meaning set forth in Section 6.

“Term” has the meaning set forth in the preamble.

“Transition Period” has the meaning set forth in Section 7.3.

“Transition Responsibilities” has the meaning set forth in Section 7.3.

“User Data” means any and all information reflecting the access or use of the Hosted Services by or on behalf of the State or any Authorized User, including any end user profile, visit, session, impression, click-through or click-stream data and any statistical or other analysis, information or data based on or derived from any of the foregoing.

5

2. Services.

2.1 Services. Throughout the Term and at all times in connection with its actual or required performance under this Contract, Contractor will, in accordance with all terms and conditions set forth in this Contract and each applicable Statement of Work, provide to the State and its Authorized Users the following services (“Services”):

(a) the hosting, management and operation of the Service Software and other services for remote electronic access and use by the State and its Authorized Users (“Hosted Services” which Contractor will provide through the Hosted Services Provider in accordance with the terms of the Channel End User Teams: SaaS, attached as Schedule B to this Contract) and the Professional Services as described in one or more written, sequentially numbered, statements of work referencing this Contract, including all Specifications set forth in such statements of work, which, upon their execution will be attached as Schedule A to this Contract and by this reference are incorporated in and made a part of this Contract (each, a “Statement of Work”);

(b) Contractor will comply with the provisions of the SaaS Listing, including the responsibility for obtaining and applying any and all applicable Service Level Credits due the State as if the State were the Customer as that term is defined in the SaaS Listing;

(c) Contractor will provide maintenance and Support Services as set forth in Section 7 of the Channel End User Terms: SaaS, attached as Schedule B; and if ordered by the State, provide the Managed Support Services as set forth in a future Statement of Work;

(d) Contractor will implement and maintain the security requirements set forth in the Channel End User Terms: SaaS;

(e) Contractor will maintain a DR plan as provided for in the SaaS Listing;

(f) Contractor will provide Professional Services which include the installation, configuration, integration, of the Service Software to allow the Hosted Services to be fully operational in accordance with the criteria and timeframes set forth in the Statement of Work;

(g) Performance of Professional Services. Contractor will provide all Professional Services in a timely, professional and workmanlike manner and in accordance with the terms, conditions, and Specifications set forth in this Contract and the Statement of Work;

(h) State Standards: The Contractor must, in performing the Professional Services, adhere to all existing standards as described within the comprehensive listing of the State’s existing technology standards at http://www.michigan.gov/dmb/0,4568,7-150-56355-108233--,00.html. To the extent that Contractor has access to the State’s computer system, Contractor must comply with the State’s Acceptable Use Policy, see http://michigan.gov/cybersecurity/0,1607,7-217-34395_34476---,00.html. All Contractor Personnel will be required, in writing, to agree to the State’s Acceptable Use Policy before accessing the State’s system. The State reserves the right to terminate Contractor’s access to the State’s system if a violation occurs;

(i) Contractor is not authorized to make changes to any State systems without prior written authorization from the State’s Project Manager. Any changes Contractor makes to any State systems with the State’s approval must be done according to applicable State procedures, including security, access, and configuration standards; and

6

(j) Contractor will provide such other services as may be specified in the applicable Statement of Work.

2.2 Change Notices.

(a) Any modifications or changes to the Services under any executed Statement of Work will be effective only if and when memorialized in a mutually agreed written change notice (“Change Notice”) signed by both Parties, provided, however, that for any Services provided on a limited basis (for example, on a per user, server, CPU or named-user basis), the State may, at any time, increase or decrease the number of its licenses hereunder subject to a corresponding forward-going adjustment of the Fees to reflect these changes in accordance with the pricing set forth in the applicable Statement of Work.

(b) In the event the Services are configurable, a more detailed change control process may be specified in the applicable Statement of Work. In such event, the change control process set forth in such Statement of Work shall control.

2.3 Compliance with Laws. Contractor must comply with all applicable Laws as they concern this Contract, including by securing and maintaining all required and appropriate visas, work permits, business licenses and other documentation and clearances necessary for performance of the Services.

2.4 Subcontracting., Contractor will not itself, and will not permit any Person to, subcontract any Services, except for the Hosted Services which are provided by the Hosted Services Provider, in whole or in part, without the State’s prior written consent, which consent may be given or withheld in the State’s sole discretion. Without limiting the foregoing:

(a) Contractor must ensure each Contractor subcontractor (including any subcontractor of a Contractor subcontractor, each, a “Subcontractor”) complies with all relevant terms of this Contract, including all provisions relating to State Data or other Confidential Information of the State;

(b) the State’s consent to any such Subcontractor does not relieve Contractor of its representations, warranties or obligations under this Contract;

(c) Contractor will remain responsible and liable for any and all: (i) performance required hereunder, including the proper supervision, coordination and performance of the Services; and (ii) acts and omissions of each Subcontractor (including, such Subcontractor’s employees and agents, who, to the extent they are involved in providing any Services, are deemed Contractor Personnel) to the same extent as if such acts or omissions were by Contractor;

(d) any noncompliance by any Subcontractor or its employees or agents with the provisions of this Contract or any Statement of Work will constitute a breach by Contractor;

(e) prior to the provision of Services by any Subcontractor, Contractor must obtain from each such proposed Subcontractor:

(i) the identity of such Subcontractor and the location of all its data centers, if any, that will be used in Processing any State Data, which information Contractor shall promptly disclose to the State in writing; and

(ii) except from subcontractors of the Hosted Services Provider, a written confidentiality and restricted use agreement, giving the State rights at least equal to those set forth in Section 9 (State Data), Section 10 (Confidentiality), Section 11 (Security) and Section 12 (Disaster Recovery) and containing the Subcontractor’s acknowledgment of, and agreement to, the provisions of Section 2.5 (Contractor

7

Personnel), a fully-executed copy of which agreement Contractor will promptly provide to the State upon the State’s request.

(iii) With respect to the subcontractor(s) of the Hosted Services Provider (and pursuant to Section 5.2 of the Channel End User Terms: SaaS), the Hosted Services Provider runs security background checks on all production operation staff who may have access to State Data. Security audits, as specified in the SaaS Service Listing, are conducted periodically to certify that security controls are in place and background checks have been conducted. the Hosted Services Provider may utilize subcontractors in the provision of the Hosted Services so long as such subcontractors are bound to contractual terms no less protective of the State’s rights provided hereunder and provided further that any use of subcontractors in the operation of any applicable data center is subject to the same security controls and audits as if performed by the Hosted Services Provider’s employees. The Parties understand and agree that Contractor remains fully liable under the terms of the Agreement for any breach caused by a subcontractor of the Hosted Services Provider.

2.5 Contractor Personnel. Contractor will:

(a) subject to the prior written approval of the State, appoint: (i) a Contractor employee to serve as a primary contact with respect to the Services who will have the authority to act on behalf of Contractor in matters pertaining to the receipt and processing of support requests and the Support Services and optional Managed Support Services (the “Contractor Service Manager”); and (ii) other Key Personnel, who will be suitably skilled, experienced and qualified to perform the Professional Services (to the extent that the State has questions or concerns regarding SaaS security, the submission of a support request to the subcontractor providing SaaS in accordance with the support terms set forth in this agreement is the appropriate and most expedient way to address them);

(b) provide names and contact information for Contractor’s Key Personnel in the Statement of Work;

(c) maintain the same Contractor Service Manager and other Key Personnel throughout the Term and such additional period, if any, as Contractor is required to perform the Services, except for changes in such personnel due to: (i) the State’s request pursuant to Section 2.5(d); or (ii) the death, disability, resignation or termination of such personnel or other circumstances outside Contractor’s reasonable control; and

(d) upon the reasonable written request of the State, promptly replace any Key Personnel of Contractor.

2.6 Management and Payment of Contractor Personnel.

(a) Contractor is solely responsible for the payment of Contractor Personnel, including all fees, expenses and compensation to, by or on behalf of any Contractor Personnel and, if applicable, the withholding of income taxes and payment and withholding of social security and other payroll taxes, unemployment insurance, workers’ compensation insurance payments and disability benefits.

(b) Contractor will ensure that no Person who has been convicted of a felony or any misdemeanor involving, in any way, theft, fraud, or bribery provides any Services or has access to any State Data, State Systems or State facilities. On a case-by-case basis, the State may request that Contractor initiate a background check on any Contractor Personnel before they may have access to State Data, State Systems or State facilities. Any request for a background check shall be initiated by the State and must be reasonably related to the type of work requested. The scope of the background check is at the discretion of the State and the results shall be used solely to determine the eligibility of Contractor Personnel to work with

8

State Data, State Systems or in State facilities. If provided to the State, results of background checks will be promptly returned to Contractor, and will be treated as Confidential Information. All investigations will include a Michigan State Police Background check (ICHAT) and may include a National Crime Information Center (NCIC) Finger Print check. Contractor will present attestation of satisfactory completion of such tests. Contractor is responsible for all costs and expenses associated with such background checks.

2.7 Time is of the Essence. Contractor acknowledges and agrees that time is of the essence with respect to its obligations under this Contract and that prompt and timely performance of all such obligations, including all timetables and other requirements of this Contract and each Statement of Work, is strictly required.

2.8 State Project Manager. The State will appoint and, in its reasonable discretion, replace, a State employee to serve as the primary contact with respect to implementation of the Services (the “State Project Manager”).

3. Use and Restrictions.

3.1 Contractor Use Grant. Contractor hereby grants to the State, exercisable by and through its Authorized Users, a nonexclusive, non-transferable, royalty-free, irrevocable (except as provided herein including the Channel End User Terms: SaaS) right during the Term and such additional periods, if any, as Contractor is required to perform Services under this Contract or any Statement of Work, to:

(a) access and use the Hosted Services in accordance with the Channel End User Terms: SaaS.

(b) as provided in the Statement of Work to access and use the Services for all such non-production uses and applications as may be necessary or useful for the effective use of the Hosted Services hereunder, including for purposes of analysis, development, configuration, integration, testing, training, maintenance, support and repair, which access and use will be without charge and not included for any purpose in any calculation of the State’s or its Authorized Users’ use of the Services, including for purposes of assessing any Fees or other consideration payable to Contractor or determining any excess use of the Hosted Services as described in Section 3.3.

3.2 Use Restrictions. The State will not: (a) rent, lease, lend, sell, sublicense, assign, distribute, publish, transfer or otherwise make the Hosted Services available to any third party, except as expressly permitted by this Contract or in any Statement of Work; or (b) use or authorize the use of the Services or Documentation in any manner or for any purpose that is unlawful under applicable Law.

3.3 Use. The State will pay Contractor the corresponding Fees set forth in the Statement of Work for all Authorized Users access and use of the Service Software. Such Fees will be Contractor’s sole and exclusive remedy for use of the Service Software, including any excess use.

3.4 State License Grant. The State hereby grants to Contractor a limited, non-exclusive, non-transferable license (i) to use the State's (or individual agency’s, department’s or division’s) name, trademarks, service marks or logos, solely in accordance with the State’s specifications, and (ii) to display, reproduce, distribute and transmit in digital form the State’s (or individual agency’s, department’s or division’s) name, trademarks, service marks or logos in connection with promotion of the Services as communicated to Contractor by the State. Use of the State’s (or individual agency’s, department’s or division’s) name, trademarks, service marks or logos will be specified in the applicable Statement of Work.

9

4. Service Preparation, Testing and Acceptance.

4.1 Service Preparation. Promptly upon the parties’ execution of a Statement of Work, Contractor will take all steps necessary to provide the Hosted Services in accordance with the Statement of Work and this Contract, including any applicable milestone date or dates set forth in such Statement of Work. Upon the start of the Subscription Term, the Hosted Services Provider, will send an email to the State’s technical contact providing information to connect and access the Hosted Services and support, as provided for in Section 7 of the Channel End User Terms: SaaS.

4.2 Testing and Acceptance.

Testing and Acceptance shall be as stated in the applicable Statement of Work.

5. Service Availability. Contractor will make the Hosted Services available in accordance with the provisions set forth in the SaaS Listing and the Channel End User Terms: SaaS and the SaaS Listing.(the “Availability Requirement”).

6. Support and Maintenance Services.

(a) Contractor will provide Hosted Service maintenance and support services (collectively, “Support Services”) in accordance with the provisions set forth in the Channel End User Terms: SaaS

(b) If elected by the State, Contractor will provide Managed Support Services in accordance with the provisions set forth in a future Statement of Work.

7. Termination, Expiration and Transition.

7.1 Termination for Cause. In addition to any right of termination set forth elsewhere in this Contract:

(a) Either party may terminate this Contract for cause, in whole or in part, if the other party: (i) becomes insolvent, petitions for bankruptcy court proceedings, or has an involuntary bankruptcy proceeding filed against it by any creditor; or (ii) breaches any of its material duties or obligations under this Contract; provided that the non-breaching party notifies the breaching party in writing of such breach and the breaching party fails to either cure such breach within 30 days (or such other period as mutually agreed by the Parties) from receipt of such notice. Any reference to specific breaches being material breaches within this Contract will not be construed to mean that other breaches are not material.

(b) If the State terminates this Contract under this Section 7.1, the State will issue a termination notice specifying whether Contractor must: (a) cease performance immediately, or (b) continue to perform for a specified period pursuant to the terms of the agreement. If it is later determined that Contractor was not in breach of this Contract, the termination will be deemed to have been a termination for convenience, effective as of the same date, and the rights and obligations of the parties will be limited to those provided in Section 7.2.

(c) The State will only pay for amounts due to Contractor for Services accepted by the State on or before the date of termination, subject to the State’s right to set off any amounts owed by the Contractor for the State’s reasonable costs in terminating this Contract. Contractor must promptly reimburse to the State any Fees prepaid by the State prorated to the date of such termination. Further, Contractor must pay all reasonable costs incurred by the State in terminating this Contract for cause, including administrative costs, attorneys’ fees, court costs, transition costs including any costs to access the State’s data, and any costs the State incurs to procure the Services from other sources.

10

7.2 Termination for Convenience. The State may immediately terminate this Contract in whole or in part, without penalty and for any reason, including but not limited to appropriation or budget shortfalls. The termination notice will specify whether Contractor must: (a) cease performance immediately, or (b) continue to perform in accordance with Section 7.3. If the State terminates this Contract for convenience, the State will pay all fees accrued for products or services delivered prior to the termination date or attributable to the period prior to termination, as well as all reasonable costs, as determined by the State, for State-approved Transition Responsibilities to the extent the funds are available.

7.3 Transition Responsibilities. Upon termination or expiration of this Contract for any reason, Contractor must, for a period of time specified by the State (not to exceed 1 year; the “Transition Period”), provide all reasonable transition assistance requested by the State, to allow for the expired or terminated portion of the Contract to continue without interruption or adverse effect, and to facilitate the orderly transfer of the Services to the State or its designees. Such transition assistance may include but is not limited to: (a) continuing to perform the Services at the established Statement of Work rates; (b) taking all reasonable and necessary measures to transition performance of the work, including all applicable Services to the State or the State’s designee; (c) taking all necessary and appropriate steps, or such other action as the State may direct, to preserve, maintain, protect, or return to the State all State Data; and (d) preparing an accurate accounting from which the State and Contractor may reconcile all outstanding accounts (collectively, the “Transition Responsibilities”). The Term of this Contract is automatically extended through the end of the Transition Period.

Notwithstanding the foregoing, with respect to the Hosted Services, upon termination of the Subscription Term, the State’s access to the Hosted Services will terminate and the State’s data will be deleted from the production and nonproduction environments within one (1) year of the end of the Subscription Term. If the State terminates for Convenience, Contractor will provide access to the data for the first sixty (60) days following termination at no charge. Thereafter, State will pay Contractor a fee of $2,700 per month for each month that the State requires access to the data, not to exceed 12 months from the termination date. State must notify Contractor at least 30 days prior to the end of the Contract of their request to extend the access to data beyond 60 days. For example, if the Contract end date is June 30, State must notify Contractor by May 31 that they require access to data for more than 60 days. Access to data will continue on a month-to-month basis until Contractor receives notice from State that they no longer need access to the data. Such notice must be received at least 30 days prior to the end of the current month-to-month term. For example, if the current month-to-month expiration date for data access is September 30, Contractor must receive notice from State by August 31 that they no longer need access to data after September 30.

7.4 Effect of Termination. Upon and after the termination or expiration of this Contract or one or more Statements of Work for any or no reason:

(a) Contractor will be obligated to perform all Transition Responsibilities specified in Section 7.3.

(b) All licenses granted to Contractor in State Data will immediately and automatically also terminate. Contractor must promptly return to the State all State Data not required by Contractor for its Transition Responsibilities, if any. With respect to Hosted Services, State Data will be deleted from the production and nonproduction environments within 1 year of the end of the Subscription Term in accordance with the terms of the Channel End User Terms: SaaS.

(c) Contractor will (i) return to the State all documents and tangible materials (and any copies) containing, reflecting, incorporating, or based on the State’s Confidential Information; (ii) permanently erase the State’s Confidential Information from its computer systems; and (iii) certify in writing to the State that it has complied with the requirements of this Section 7.4(c), in each case to the extent such materials are not required by Contractor for Transition Responsibilities, if any.

11

With respect to Hosted Services, State Data will be deleted from the production and nonproduction environments within 1 year of the end of the Subscription Term in accordance with the terms of the Channel End User Terms: SaaS.

7.5 Survival. The rights, obligations and conditions set forth in this Section 7.5 and Section 1 (Definitions), Section 7.3 (Effect of Termination; Data Retention), Section 9 (State Data), Section 10 (Confidentiality), Section 11 (Security), Section 13.1 (Indemnification), Section 14 (Limitations of Liability), Section 15 (Representations and Warranties), Section 16 (Insurance) and Section 18 (Effect of Contractor Bankruptcy) and Section 18 (General Provisions), and any right, obligation or condition that, by its express terms or nature and context is intended to survive the termination or expiration of this Contract, survives any such termination or expiration hereof.

8. Fees and Expenses.

8.1 Fees. Subject to the terms and conditions of this Contract, the applicable Statement of Work, and the SaaS Listing, with respect to any applicable credits (“Service Level Credits” as such term is used in the SaaS Listing), the State shall pay the fees set forth in Schedule F Pricing, subject to such increases and adjustments as may be permitted pursuant to Section 8.2 (“Fees”). Contractor will forward all applicable payments and apply all relevant and applicable Service Level Credits (as described in Section 8.10) to the Hosted Services Provider for the Hosted Services used by the State.

8.2 Fees during Option Years. Contractor’s Fees, including all applicable third party/subcontractor subscription or licensing fees, are fixed and not subject to increase(s) or adjustment(s) during the entire 123 month Term (being the Term of the Contract and any and all renewals thereof).

8.3 Responsibility for Costs. Contractor is responsible for all costs and expenses incurred in or incidental to the performance of Services, including all costs of any materials supplied by Contractor, all fees, fines, licenses, bonds, or taxes required of or imposed against Contractor, and all other of Contractor’s costs of doing business.

8.4 Taxes. The State is exempt from State sales tax for direct purchases and may be exempt from federal excise tax, if Services purchased under this Contract are for the State’s exclusive use. Notwithstanding the foregoing, all Fees are inclusive of taxes, and Contractor is responsible for all sales, use and excise taxes, and any other similar taxes, duties and charges of any kind imposed by any federal, state, or local governmental entity on any amounts payable by the State under this Contract.

8.5 Invoices. Contractor will invoice the State for Fees in accordance with the requirements set forth in the Statement of Work, including any requirements that condition the rendering of invoices and the payment of Fees upon the successful completion of Milestones. Contractor must submit each invoice in electronic format, via such delivery means and to such address as are specified by the State in the Statement of Work. Each separate invoice must:

(a) clearly identify the Contract and purchase order number to which it relates, in such manner as is required by the State;

(b) list each Fee item separately;

(c) include sufficient detail for each line item to enable the State to satisfy its accounting and charge-back requirements;

(d) for Fees determined on a time and materials basis, report details regarding the number of hours performed during the billing period, the skill or labor category for such Contractor Personnel and the applicable hourly billing rates;

12

(e) include such other information as may be required by the State as set forth in the Statement of Work; and

(f) Itemized invoices must be submitted to DTMB-Accounts-Payable@michigan.gov.

8.6 Payment Terms. Invoices are due and payable by the State, in accordance with the State’s standard payment procedures as specified in 1984 Public Act no. 279, MCL 17.51, et seq., within forty-five (45) calendar days after receipt, provided the State determines that the invoice was properly rendered.

8.7 State Audits of Contractor.

(a) During the Term, and for four (4) years after, Contractor must maintain complete and accurate books and records regarding its business operations relevant to the calculation of Fees and any other information relevant to Contractor’s compliance with this Section 8. During the Term, and for four (4) years after, upon the State’s request, Contractor must make such books and records and appropriate personnel, including all financial information, available during normal business hours for inspection and audit by the State or its authorized representative, provided that the State: (a) provides Contractor with at least fifteen (15) days prior notice of any audit, and (b) conducts or causes to be conducted such audit in a manner designed to minimize disruption of Contractor’s normal business operations.

(b) The State may take copies and abstracts of materials audited. The State will pay the cost of such audits unless an audit reveals an overbilling or over-reporting of five percent (5%) or more, in which case Contractor shall reimburse the State for the reasonable cost of the audit. Contractor must immediately upon written notice from the State pay the State the amount of any overpayment revealed by the audit, together with any reimbursement payable pursuant to the preceding sentence.

8.8 Payment Does Not Imply Acceptance. The making of any payment or payments by the State, or the receipt thereof by Contractor, will in no way affect the responsibility of Contractor to perform the Services in accordance with this Contract, and will not imply the State’s Acceptance of any Services or the waiver of any warranties or requirements of this Contract, including any right to Service Credits.

8.9 Payment Disputes. The State may withhold from payment any and all payments and amounts the State disputes in good faith, pending resolution of such dispute, provided that the State:

(a) timely renders all payments and amounts that are not in dispute;

(b) notifies Contractor of the dispute prior to the due date for payment, specifying in such notice:

(i) the amount in dispute; and

(ii) the reason for the dispute set out in sufficient detail to facilitate investigation by Contractor and resolution by the parties;

(c) works with Contractor in good faith to resolve the dispute promptly; and

(d) promptly pays any amount determined to be payable by resolution of the dispute.

Contractor shall not withhold or delay any Hosted Services or Support Services or fail to perform any other Services or obligations hereunder by reason of the State's good faith withholding of any payment or amount in accordance with this Section 8.9 or any dispute arising therefrom

13

8.10 Availability and Service Level Credits. Contractor acknowledges and agrees that any Service Level Credits assessed pursuant to the SaaS Listing: (a) are a reasonable estimate of and compensation for the anticipated or actual harm to the State that may arise from not meeting the Availability Requirement, which would be impossible or very difficult to accurately estimate; and (b) may, at the State’s option, be credited or set off against any Fees or other charges payable to Contractor under this Contract or be payable to the State upon demand. Credits may not exceed the total amount of Fees that would be payable for the relevant service period in which the Service Level Credits are assessed and further that any Service Level Credits shall not apply to calculating the limitation of liability cap stated in Section 14.

8.11 Right of Set-off. Without prejudice to any other right or remedy it may have, the State reserves the right to set off at any time any amount then due and owing to it by Contractor against any amount payable by the State to Contractor under this Contract.

9. State Data.

9.1 Ownership. The State’s data (“State Data,” also referred to as “Customer Data” as defined in the Channel End User Terms: SaaS which will be treated by Contractor as Confidential Information) includes: (a) User Data; and (b) the State’s data collected, used, processed, stored, or generated in connection with the Services, including but not limited to (i) personally identifiable information (“PII”) collected, used, processed, stored, or generated as the result of the Services, including, without limitation, any information that identifies an individual, such as an individual’s social security number or other government-issued identification number, date of birth, address, telephone number, biometric data, mother’s maiden name, email address, credit card information, or an individual’s name in combination with any other of the elements here listed. State Data is and will remain the sole and exclusive property of the State and all right, title, and interest in the same is reserved by the State. This Section 9.1 survives termination or expiration of this Contract.

9.2 Contractor Use of State Data. Contractor is provided a limited license to State Data for the sole and exclusive purpose of providing the Services, including a license to collect, process, store, generate, and display State Data only to the extent necessary in the provision of the Services. Contractor must: (a) keep and maintain State Data in strict confidence, using such degree of care as is appropriate and consistent with its obligations as further described in this Contract and applicable law to avoid unauthorized access, use, disclosure, or loss; (b) use and disclose State Data solely and exclusively for the purpose of providing the Services, such use and disclosure being in accordance with this Contract, any applicable Statement of Work, and applicable law; and (c) not use, sell, rent, transfer, distribute, or otherwise disclose or make available State Data for Contractor’s own purposes or for the benefit of anyone other than the State without the State’s prior written consent. This Section 9.2 survives termination or expiration of this Contract.

9.3 Backup and Extraction of State Data. Contractor will conduct, or cause to be conducted periodic back-ups of State Data at a frequency stated in the applicable SaaS Listing. All backed up State Data shall be located in the continental United States.

9.4 Discovery. Contractor shall immediately notify the State upon receipt of any requests which in any way might reasonably require access to State Data or the State's use of the Hosted Services. Contractor shall notify the State Project Manager by the fastest means available and also in writing. In no event shall Contractor provide such notification more than twenty-four (24) hours after Contractor receives the request. Contractor shall not respond to subpoenas, service of process, FOIA requests, and other legal requests related to the State without first notifying the State and obtaining the State’s prior

14

approval of Contractor’s proposed responses. Contractor agrees to provide its completed responses to the State with adequate time for State review, revision and approval.

9.5 Loss or Compromise of Data. In the event that Contractor or the Hosted Services Provider has determined that access to State Data by an unauthorized person or entity (a “Security Breach”) will or is likely to cause harm to the State or an Authorized User, Contractor or the Hosted Services Provider will, as promptly as practicable but in no event later than as required by law or within five (5) working days (whichever is shorter), provide the State with notice of the Security Breach. After initial notification, Contractor and the Hosted Services Provider will keep the State updated at periodic intervals on the steps taken by Contractor or the Hosted Services Provider to investigate the Security Breach including providing a reasonably detailed incident report, including measures to be taken by the State to minimize potential damages. Such report will be provided promptly but no later than thirty (30) days following completion of the report. The Parties understand and agree that if Contractor or the Hosted Services Provider is prevented by law or regulation from providing such notice(s) and/or reports within the time frames, such delay shall be excused.

9.6 ADA Compliance. With regard to the Hosted Services, Contractor acknowledges that the Hosted Services have been evaluated by the Hosted Services Provider, for Section 508 purposes will have a Voluntary Product Accessibility Template (“VPAT"). CA evaluates such licensed programs consistent with the standards of the Information Technology Industry Council (“ITIC”). The Hosted Service Provider’s evaluation of each such licensed program is recorded on the standardized VPAT template developed by ITIC. The VPAT identifies how each evaluated licensed program does or does not meet the Section 508 requirements, or provides functional equivalence (“Functional Equivalence”), as set forth in the Section 508 regulations.

Contractor acknowledges that as part of the post-contract maintenance and support to be provided to its licensees under any agreement, The Hosted Services Provider will provide Section 508 upgrades and enhancements, Section 508 Functional Equivalence or other Section 508 deliverables referenced in any VPAT ("Section 508 Upgrades and Enhancements") on a when and if-available basis, comprised of error-corrections, patches, work-arounds, and additional features and functionality which are within the domain of, and which will not replace, the underlying licensed program.

Further, Contractor acknowledges that, the Hosted Services Provider is not aware of any requirement under Section 508 that governs professional IT services beyond traditional software support. Neither Contractor nor the Hosted Services Provider makes any representation or warranty regarding whether any work they performs under this agreement will affect the accessibility of the Hosted Services. Should the State require Contractor to develop, modify and/or deliver code or other work product in the course of performing under this Agreement, Contractor does not represent or warrant that such code or work product will be independently compliant with Section 508.

10. Confidentiality.

10.1 Meaning of Confidential Information. The term “Confidential Information” means all information and documentation of a party that: (a) has been marked “confidential” or with words of similar meaning, at the time of disclosure by such party; (b) if disclosed orally or not marked “confidential” or with words of similar meaning, was subsequently summarized in writing by the disclosing party and marked “confidential” or with words of similar meaning; and, (c) should reasonably be recognized as confidential information of the disclosing party. The term “Confidential Information” does not include any information or documentation that was or is: (a) in the possession of the State and subject to disclosure under the Michigan Freedom of Information Act (FOIA); (b) already in the possession of the receiving party without an obligation of confidentiality; (c) developed independently by the receiving party, as demonstrated by the receiving party, without violating the disclosing party’s proprietary rights; (d) obtained from a source other than the disclosing party without an obligation of

15

confidentiality; or, (e) publicly available when received, or thereafter became publicly available (other than through any unauthorized disclosure by, through, or on behalf of, the receiving party). Notwithstanding the above, in all cases and for all matters, State Data is deemed to be Confidential Information.

10.2 Obligation of Confidentiality. The parties agree to hold all Confidential Information in strict confidence in the same manner as it treats its own proprietary and/or confidential information, which shall not be less than a reasonable standard of care, and not to copy, reproduce, sell, transfer, or otherwise dispose of, give or disclose such Confidential Information to third parties other than employees, agents, or subcontractors of a party who have a need to know in connection with this Contract or to use such Confidential Information for any purposes whatsoever other than the performance of this Contract. The parties agree to advise and require their respective employees, agents, and subcontractors of their obligations to keep all Confidential Information confidential. Disclosure to the Contractor’s subcontractor is permissible where: (a) the subcontractor is a Permitted Subcontractor; (b) the disclosure is necessary or otherwise naturally occurs in connection with work that is within the Permitted Subcontractor's responsibilities; and (c) Contractor obligates the Permitted Subcontractor in a written contract to maintain the State’s Confidential Information in confidence. At the State’s request, any of the Contractor’s Representatives may be required to execute a separate agreement to be bound by the provisions of this Section 10.2.

10.3 Cooperation to Prevent Disclosure of Confidential Information. Each party must use reasonable efforts to assist the other party in identifying and preventing any unauthorized use or disclosure of any Confidential Information.

10.4 Remedies for Breach of Obligation of Confidentiality. Each party acknowledges that breach of its obligation of confidentiality may give rise to irreparable injury to the other party, which damage may be inadequately compensable in the form of monetary damages. Accordingly, a party may seek and obtain injunctive relief against the breach or threatened breach of the foregoing undertakings, in addition to any other legal remedies which may be available, to include, in the case of the State, at the sole election of the State, the immediate termination, without liability to the State, of this Contract or any Statement of Work corresponding to the breach or threatened breach.

10.5 Surrender of Confidential Information upon Termination. Upon termination or expiration of this Contract or a Statement of Work, in whole or in part, each party must upon request from the other party, within five (5) Business Days from the date of termination, return to the other party any and all Confidential Information received from the other party, or created or received by a party on behalf of the other party, which are in such party’s possession, custody, or control. If Contractor or the State determine that the return of any Confidential Information is not feasible, such party must destroy the Confidential Information and certify the same in writing within five (5) Business Days from the date of termination to the other party.

11. Security. Throughout the Term and at all times in connection with its actual or required performance of the Services, Contractor will maintain and enforce an information security program including safety and physical and technical security policies and procedures with respect to its Processing of the State’s Confidential Information that comply with the provisions of the Channel End User Terms: SaaS and the SaaS Listing.

12. Disaster Recovery and Backup. Throughout the Term and at all times in connection with its actual or required performance of the Services, Contractor will comply with the disaster recovery and backup obligations contained in the applicable SaaS Listing.

13. Indemnification.

16

13.1 General Indemnification, Contractor must defend, indemnify and hold harmless the State, and the State’s agencies, departments, officers, directors, employees, agents, and contractors from and against all Losses arising out of or resulting from any third party claim, suit, action or proceeding (each, an “Action”) that does or is alleged to arise out of or result from:

(a) the Contractor’s breach of any representation, warranty, covenant or obligation of Contractor under this Contract (including, in the case of Contractor, any action or failure to act by any Contractor Personnel that, if taken or not taken by Contractor, would constitute such a breach by Contractor); or

(b) any negligence or more culpable act or omission (including recklessness or willful misconduct) in connection with the performance or nonperformance of any Services or other activity actually or required to be performed by or on behalf of, Contractor (including, in the case of Contractor, any Contractor Personnel) under this Contract, provided that, to the extent that any Action or Losses described in this Section 13.1 arises out of, results from, or alleges a claim that any of the Services does or threatens to infringe, misappropriate or otherwise violate any Intellectual Property Rights or other rights of any third party, Contractor’s obligations with respect to such Action and Losses, if any, shall be subject to the terms and conditions of Section 13.2(a) through Section 13.3(a) and Section 13.3.

13.2 Infringement Indemnification By Contractor. Contractor must indemnify, defend and holdthe State, and the State’s agencies, departments, officers, directors, employees, agents, and contractors harmless from and against all Losses arising out of or resulting from any Action that does or is alleged to arise out of or result from a claim that any of the Services, or the State’s or any Authorized User’s use thereof, actually does or threatens to infringe, misappropriate or otherwise violate any Intellectual Property Right or other right of a third party, provided however, that Contractor shall have no liability or obligation for any Action or Loss to the extent that such Action or Loss arises out of or results from any:

(a) alteration or modification of the Hosted Services or Service Software by or on behalf of the State or any Authorized User without Contractor’s authorization (each, a “State Modification”), provided that no infringement, misappropriation or other violation of third party rights would have occurred without such State Modification and provided further that any alteration or modification made by or for Contractor at the State’s request shall not be excluded from Contractor’s indemnification obligations hereunder unless (i) such alteration or modification has been made pursuant to the State’s written specifications and (ii) the Hosted Services, as altered or modified in accordance with the State’s specifications, would not have violated such third party rights but for the manner in which the alteration or modification was implemented by or for Contractor; and

(b) use of the Hosted Services by the State or an Authorized User pursuant to this Contract in combination with any software or service not provided, authorized or approved by or on behalf of Contractor, if no violation of third party rights would have occurred without such combination and there are no Specifications or Documentation by Contractor specifically authorizing such combination.

(c) failure of the State to use the Hosted Service in accordance with the Channel End User Terms: SaaS,

(d) availability of an update or patch published by the Hosted Services Provider that would avoid or otherwise eliminate the alleged infringement. Provided that Contractor has informed the State of such availability.

13.3 Mitigation.

17

(a) Subject to the exclusions set forth in Section 13.2, if any of the Services or any component or feature thereof is ruled to infringe or otherwise violate the rights of any third party by any court of competent jurisdiction, or if any use of any Services or any component thereof is threatened to be enjoined, or is likely to be enjoined or otherwise the subject of an infringement or misappropriation claim, Contractor may, at Contractor’s option and sole cost and expense:

(i) procure for the State the right to continue to access and use the SaaS Services to the full extent contemplated by this Contract and the Specifications;

(ii) repair, modify or replace all components, features and operations of the Services that infringe or are alleged to infringe (“Allegedly Infringing Features”) to make the Services non-infringing while providing equally or more suitable features and functionality, which modified and replacement services shall constitute Services and be subject to the terms and conditions of this Contract; or

(iii) provide a pro-rated refund of the fees paid for the Services which gave rise to the indemnity calculated against the remainder of the term from the date it is established that Contractor is notified of the third-party claim.

(b) With the exception of the State’s right to be indemnified pursuant to Section 13.1 and Section 13.2, THE FOREGOING PROVISIONS STATE THE ENTIRE LIABILITY AND OBLIGATIONS OF CONTRACTOR REGARDING CLAIMS OF INFRINGEMENT, AND THE EXCLUSIVE REMEDY AVAILABLE TO CUSTOMER WITH RESPECT TO ANY ACTUAL OR ALLEGED INFRINGEMENT OR MISAPPROPRIATION OF ANY INTELLECTUAL PROPERTY OR OTHER PROPRIETARY RIGHTS.

13.4 Indemnification Procedure. The State will promptly notify Contractor in writing if indemnification is sought; however, failure to do so will not relieve Contractor, except to the extent that Contractor is materially prejudiced. The State is entitled to: (i) regular updates on proceeding status and (ii) participate in the defense of the proceeding to the extent required by law; (iii) employ its own counsel; and to (iv) retain control of the defense, at its own expense, if the State deems necessary. Contractor will not, without the State’s prior written consent (not to be unreasonably withheld), settle, compromise, or consent to the entry of any judgment in or otherwise seek to terminate any claim, action, or proceeding. Any litigation activity on behalf of the State or any of its subdivisions, under this Section 13, must be coordinated with the Department of Attorney General. An attorney designated to represent the State may not do so until approved by the Michigan Attorney General and appointed as a Special Assistant Attorney General.

14. Limitations of Liability.

(a) Disclaimer of Damages. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, NEITHER PARTY WILL BE LIABLE, REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY OR BY STATUTE OR OTHERWISE, FOR ANY CLAIM RELATED TO OR ARISING UNDER THIS CONTRACT FOR CONSEQUENTIAL, INCIDENTAL, INDIRECT, PUNITIVE OR SPECIAL DAMAGES, INCLUDING WITHOUT LIMITATION LOST PROFITS, LOST BUSINESS OPPORTUNITIES, DAMAGES RELATING TO MONIES SAVED OR FEES GENERATED BY USE OFTHE Hosted Services, REGARDLESS OF WHETHER A PARTY WAS APPRAISED OF THE POTENTIAL FOR SUCH DAMAGES. THE PARTIES AGREE THAT DAMAGES RESULTING FROM LOSS OF DATA SHALL BE CONSIDERED DIRECT DAMAGES.

18

(b) Limitation of Liability. IN NO EVENT WILL A PARTY’S AGGREGATE LIABILITY UNDER THIS CONTRACT, REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY OR BY STATUTE OR OTHERWISE, FOR ANY CLAIM RELATED TO OR ARISING UNDER THIS CONTRACT, EXCEED THE MAXIMUM AMOUNT OF TWO TIMES THE AGGREGATE TOTAL AMOUNT OF THE AGGREGATE CONTRACT PRICE. As used in this clause “Aggregate Contract Price” means the total price for the Initial Term and all Renewal Terms of this Contract.

(c) Exceptions. Subsections (a) (Disclaimer of Damages) and (b) (Limitation of Liability) above, shall not apply to: (i) Contractor’s obligation to indemnify under Section 13.1 of this Contract; (ii) any loss or claim to the extent the loss or claim is covered by a policy of insurance maintained, or required by this Contract to be maintained, by Contractor; and (iii) damages arising from either party’s recklessness, bad faith, or intentional misconduct.

(d) Nothing herein shall be construed to waive any law regarding sovereign immunity, or any other immunity, restriction, or limitation on recovery provided by law.

15. Contractor Representations and Warranties.

15.1 Authority and Bid Response. Contractor represents and warrants to the State that:

(a) it is duly organized, validly existing, and in good standing as a corporation or other entity as represented under this Contract under the laws and regulations of its jurisdiction of incorporation, organization, or chartering;

(b) it has the full right, power, and authority to enter into this Contract, to grant the rights and licenses granted under this Contract, and to perform its contractual obligations;

(c) the execution of this Contract by its Representative has been duly authorized by all necessary organizational action;

(d) when executed and delivered by Contractor, this Contract will constitute the legal, valid, and binding obligation of Contractor, enforceable against Contractor in accordance with its terms;

(e) the prices proposed by Contractor were arrived at independently, without consultation, communication, or agreement with any other bidder for the purpose of restricting competition; the prices quoted were not knowingly disclosed by Contractor to any other bidder to the RFP; and no attempt was made by Contractor to induce any other Person to submit or not submit a proposal for the purpose of restricting competition;

(f) all written information furnished to the State by or for Contractor in connection with this Contract, including Contractor’s bid response to the RFP, is true, accurate, and complete, and contains no untrue statement of material fact or omits any material fact necessary to make the information not misleading; and

(g) Contractor is not in material default or breach of any other contract or agreement that it may have with the State or any of its departments, commissions, boards, or agencies. Contractor further represents and warrants that it has not been a party to any contract with the State or any of its departments that was terminated by the State within the previous five (5) years for the reason that Contractor failed to perform or otherwise breached an obligation of the contract.

15.2 Software and Service Warranties. Contractor represents and warrants to the State that:

19

(a) Contractor has, and throughout the Term and any additional periods during which Contractor does or is required to perform the Services will have, the unconditional and irrevocable right, power and authority, including all permits and licenses required, to provide the Services and grant and perform all rights and licenses granted or required to be granted by it under this Contract;

(b) neither Contractor’s grant of the rights or licenses hereunder nor its performance of any Services or other obligations under this Contract does or at any time will: (i) conflict with or violate any applicable Law, including any Law relating to data privacy, data security or personal information; (ii) require the consent, approval or authorization of any governmental or regulatory authority or other third party; or (iii) require the provision of any payment or other consideration by the State or any Authorized User to any third party, and Contractor shall promptly notify the State in writing if it becomes aware of any change in any applicable Law that would preclude Contractor’s performance of its material obligations hereunder;

(c) there is no settled, pending or, to Contractor’s knowledge as of the Effective Date, threatened Action, and it has not received any written, oral or other notice of any Action (including in the form of any offer to obtain a license): (i) alleging that any access to or use of the Services or Service Software does or would infringe, misappropriate or otherwise violate any Intellectual Property Right of any third party; (ii) challenging Contractor’s ownership of, or right to use or license, any software or other materials used or required to be used in connection with the performance or receipt of the Services, or alleging any adverse right, title or interest with respect thereto; or (iii) that, if decided unfavorably to Contractor, would reasonably be expected to have an actual or potential adverse effect on its ability to perform the Services or its other obligations under this Contract, and it has no knowledge after reasonable investigation of any factual, legal or other reasonable basis for any such litigation, claim or proceeding;

(d) the Service Software and Hosted Services will in all material respects conform to and perform in accordance with the applicable Documentation subject to the State’s compliance with the Channel End User Terms: SaaS.

(e) all Specifications are, and will be continually updated and maintained so that they continue to be, current, complete and accurate and so that they do and will continue to fully describe the Hosted Services in all material respects such that at no time during the Term or any additional periods during which Contractor does or is required to perform the Services will the Hosted Services have any material undocumented feature;

(f) Contractor will perform all Professional Services in a timely, professional and workmanlike manner with a level of care, skill, practice and judgment consistent with generally recognized industry standards and practices for similar services, using personnel with the requisite skill, experience and qualifications, and will devote adequate resources to meet Contractor’s obligations (including the Availability Requirement) under this Contract;

(g) During the term of this Contract, any audit rights contained in any third-party software license agreement or end user license agreement for third-party software incorporated in or otherwise used in conjunction with the Services, will apply solely to Contractor’s (or its subcontractors) facilities and systems that host the Services (including any disaster recovery site), and regardless of anything to the contrary contained in any third-party software license agreement or end user license agreement, third-party software providers will have no audit rights whatsoever against State systems or networks; and

(h) Contractor acknowledges that the State cannot indemnify any third parties, including but not limited to any third-party software providers that provide software that will be incorporated in or otherwise used in conjunction with the

20

Services, and that notwithstanding anything to the contrary contained in any third-party software license agreement or end user license agreement, the State will not indemnify any third party software provider for any reason whatsoever.

15.3 DISCLAIMER. EXCEPT FOR THE EXPRESS WARRANTIES IN THIS CONTRACT, CONTRACTOR HEREBY DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE UNDER OR IN CONNECTION WITH THIS CONTRACT OR ANY SUBJECT MATTER HEREOF.

16. Insurance.

16.1 Required Coverage.

(a) Insurance Requirements. Contractor must maintain the insurances identified below and is responsible for all deductibles. All required insurance must: (a) protect the State from claims that may arise out of, are alleged to arise out of, or result from Contractor's or a subcontractor's performance; (b) be primary and non-contributing to any comparable liability insurance (including self-insurance) carried by the State; and (c) be provided by an company with an A.M. Best rating of "A" or better and a financial size of VII or better.

Insurance Type Additional Requirements

Commercial General Liability Insurance

Minimal Limits:

$1,000,000 Each Occurrence Limit

$1,000,000 Personal & Advertising Injury Limit $2,000,000 General Aggregate Limit

$2,000,000 Products/Completed Operations

Deductible Maximum:

$50,000 Each Occurrence

Contractor must have their policy endorsed to add “the State of Michigan, its departments, divisions, agencies, offices, commissions, officers, employees, and agents” as additional insureds using endorsement CG 20 10 11 85, or both CG 2010 07 04 and CG 2037 07 0.

Umbrella or Excess Liability Insurance

Minimal Limits:

$5,000,000 General Aggregate

Contractor must have their policy endorsed to add “the State of Michigan, its departments, divisions, agencies, offices, commissions, officers, employees, and agents” as additional insureds.

Workers' Compensation Insurance

Minimal Limits:

Coverage according to applicable laws governing work activities.

Waiver of subrogation, except where waiver is prohibited by law.

Privacy and Security Liability (Cyber Liability) Insurance 21

Minimal Limits:

$1,000,000 Each Occurrence

$1,000,000 Annual Aggregate

Contractor must have their policy: (1) endorsed to add “the State of Michigan, its departments, divisions, agencies, offices, commissions, officers, employees, and agents” as additional insureds; and (2) cover information security and privacy liability, privacy notification costs, regulatory defense and penalties, and website media content liability.

(b) If Contractor's policy contains limits higher than the minimum limits, the State is entitled to coverage to the extent of the higher limits. The minimum limits are not intended, and may not be construed to limit any liability or indemnity of Contractor to any indemnified party or other persons.

(c) If any of the required policies provide claim-made coverage, the Contractor must: (a) provide coverage with a retroactive date before the effective date of the contract or the beginning of contract work; (b) maintain coverage and provide evidence of coverage for at least three (3) years after completion of the contract of work; and (c) if coverage is canceled or not renewed, and not replaced with another claims-made policy form with a retroactive date prior to the contract effective date, the Contractor must purchase extended reporting coverage for a minimum of three (3) years after completion of work.

(d) Contractor must: (a) provide insurance certificates to the Contract Administrator, containing the agreement or purchase order number, at Contract formation and within 20 calendar days of the expiration date of the applicable policies; (b) require that subcontractors maintain the required insurances contained in this Section; (c) notify the Contract Administrator within 5 business days if any insurance is cancelled; and (d) waive all rights against the State for damages covered by insurance. Failure to maintain the required insurance does not limit this waiver.

16.2 Non-waiver. This Section 16 is not intended to and is not be construed in any manner as waiving, restricting or limiting the liability of either party for any obligations under this Contract (including any provisions hereof requiring Contractor to indemnify, defend and hold harmless the State).

17. Force Majeure.

17.1 Force Majeure Events. Subject to Section 17.2, neither party will be liable or responsible to the other party, or be deemed to have defaulted under or breached this Contract, for any failure or delay in fulfilling or performing any term hereof, when and to the extent such failure or delay is caused by: acts of God, flood, fire or explosion, war, terrorism, invasion, riot or other civil unrest, embargoes or blockades in effect on or after the date of this Contract, national or regional emergency, or any passage of law or governmental order, rule, regulation or direction, or any action taken by a governmental or public authority, including imposing an embargo, export or import restriction, quota or other restriction or prohibition (each of the foregoing, a “Force Majeure Event”), in each case provided that: (a) such event is outside the reasonable control of the affected party; (b) the affected party gives prompt written notice to the other party, stating the period of time the occurrence is expected to continue; (c) the affected party uses diligent efforts to end the failure or delay and minimize the effects of such Force Majeure Event.

17.2 State Performance; Termination. In the event of a Force Majeure Event affecting Contractor’s performance under this Contract, the State may suspend its performance hereunder until such time as Contractor resumes performance. The

22

State may terminate this Contract by written notice to Contractor if a Force Majeure Event affecting Contractor’s performance hereunder continues substantially uninterrupted for a period of five (5) Business Days or more. Unless the State terminates this Contract pursuant to the preceding sentence, any date specifically designated for Contractor’s performance under this Contract will automatically be extended for a period up to the duration of the Force Majeure Event.

17.3 Exclusions; Non-suspended Obligations. Notwithstanding the foregoing or any other provisions of this Contract:

(a) in no event will any of the following be considered a Force Majeure Event:

(i) shutdowns, disruptions or malfunctions of the Contractor Systems or any of Contractor’s telecommunication or internet services other than as a result of general and widespread internet or telecommunications failures that are not limited to the Contractor Systems; or

(ii) the delay or failure of any Contractor Personnel to perform any obligation of Contractor hereunder unless such delay or failure to perform is itself by reason of a Force Majeure Event; and

(b) no Force Majeure Event modifies or excuses Contractor’s obligations under Section Error! Reference source not found. (Availability and Service Level Credits), Section 9 (State Data), Section 10 (Confidentiality), Section 11 (Security), Section 12 (Disaster Recovery) or Section 13 (Indemnification), or any Availability Requirement.

18. General Provisions.

18.1 Further Assurances. Each party will, upon the reasonable request of the other party, execute such documents and perform such acts as may be necessary to give full effect to the terms of this Contract.

18.2 Relationship of the Parties. The relationship between the parties is that of independent contractors. Nothing contained in this Contract is to be construed as creating any agency, partnership, joint venture or other form of joint enterprise, employment or fiduciary relationship between the parties, and neither party has authority to contract for or bind the other party in any manner whatsoever.

18.3 Media Releases. News releases (including promotional literature and commercial advertisements) pertaining to this Contract or project to which it relates must not be made without the prior written approval of the State, and then only in accordance with the explicit written instructions of the State.

18.4 Notices. All notices, requests, consents, claims, demands, waivers and other communications hereunder, other than routine communications having no legal effect, must be in writing and addressed to the parties as follows (or as otherwise specified by a party in a notice given in accordance with this Section):

If to Contractor: 2115 N Main St, Centerville, UT 84014 E-mail: george.trainor@regoconsulting.com Attention: George Trainor Title: Sr. Vice President, Sales Operations If to the State: PO Box 30026, Lansing, MI 48909-7526 E-mail: BreenM@michigan.gov

23

Attention: Michael Breen Title: IT Category Specialist

Notices sent in accordance with this Section 18.4 will be deemed effectively given: (a) when received, if delivered by hand (with written confirmation of receipt); (b) when received, if sent by a nationally recognized overnight courier (receipt requested); (c) on the date sent by e-mail (with confirmation of transmission), if sent during normal business hours of the recipient, and on the next business day, if sent after normal business hours of the recipient; or (d) on the fifth (5th) day after the date mailed, by certified or registered mail, return receipt requested, postage prepaid.

18.5 Headings. The headings in this Contract are for reference only and do not affect the interpretation of this Contract.

18.6 Assignment. Contractor may not assign or otherwise transfer any of its rights, or delegate or otherwise transfer any of its obligations or performance, under this Contract, in each case whether voluntarily, involuntarily, by operation of law or otherwise, without the State’s prior written consent. The State has the right to terminate this Contract in its entirety or any Services or Statements of Work hereunder, pursuant to Section 7.2, if Contractor delegates or otherwise transfers any of its obligations or performance hereunder, whether voluntarily, involuntarily, by operation of law or otherwise, and no such delegation or other transfer will relieve Contractor of any of such obligations or performance. For purposes of the preceding sentence, and without limiting its generality, any merger, consolidation or reorganization involving Contractor (regardless of whether Contractor is a surviving or disappearing entity) will be deemed to be a transfer of rights, obligations, or performance under this Contract for which the State’s prior written consent is required. Any purported assignment, delegation, or transfer in violation of this Section 18.6 is void.

18.7 No Third-party Beneficiaries. This Contract is for the sole benefit of the parties and nothing herein, express or implied, is intended to or will confer on any other person or entity any legal or equitable right, benefit or remedy of any nature whatsoever under or by reason of this Contract.

18.8 Amendment and Modification; Waiver. This Contract may only be amended, modified or supplemented by an agreement in writing signed by each party’s Contract Administrator. No waiver by any party of any of the provisions hereof is effective unless explicitly set forth in writing and signed by the party so waiving. Except as otherwise set forth in this Contract, no failure to exercise, or delay in exercising, any right, remedy, power or privilege arising from this Contract will operate or be construed as a waiver thereof; nor will any single or partial exercise of any right, remedy, power or privilege hereunder preclude any other or further exercise thereof or the exercise of any other right, remedy, power or privilege.

18.9 Severability. If any term or provision of this Contract is invalid, illegal or unenforceable in any jurisdiction, such invalidity, illegality or unenforceability will not affect any other term or provision of this Contract or invalidate or render unenforceable such term or provision in any other jurisdiction. Upon such determination that any term or other provision is invalid, illegal or unenforceable, the parties hereto will negotiate in good faith to modify this Contract so as to effect the original intent of the parties as closely as possible in a mutually acceptable manner in order that the transactions contemplated hereby be consummated as originally contemplated to the greatest extent possible.

18.10 Governing Law. This Contract is governed, construed, and enforced in accordance with Michigan law, excluding choice-of-law principles, and all claims relating to or arising out of this Contract are governed by Michigan law, excluding choice-of-law principles. Any dispute arising from this Contract must be resolved in the applicable state or Federal courts located in Ingham County, Michigan. Contractor waives any objections, such as lack of personal jurisdiction or forum non conveniens. Contractor must appoint agents in Michigan to receive service of process

24

18.11 Equitable Relief. Each party to this Contract acknowledges and agrees that (a) a breach or threatened breach by such party of any of its obligations under this Contract would give rise to irreparable harm to the other party for which monetary damages might not be an adequate remedy and (b) in the event of a breach or a threatened breach by such party of any such obligations, the other party hereto is, in addition to any and all other rights and remedies that may be available to such party at law, at equity or otherwise in respect of such breach, entitled to seek equitable relief, including a temporary restraining order, an injunction, specific performance and any other relief that may be available from a court of competent jurisdiction, without any requirement to post a bond or other security, and without any requirement to prove actual damages or that monetary damages will not afford an adequate remedy.

18.12 Nondiscrimination. Under the Elliott-Larsen Civil Rights Act, 1976 PA 453, MCL 37.2101, et seq., and the Persons with Disabilities Civil Rights Act, 1976 PA 220, MCL 37.1101, et seq., Contractor and its subcontractors agree not to discriminate against an employee or applicant for employment with respect to hire, tenure, terms, conditions, or privileges of employment, or a matter directly or indirectly related to employment, because of race, color, religion, national origin, age, sex, height, weight, marital status, or mental or physical disability. Breach of this covenant is a material breach of this Contract.

18.13 Unfair Labor Practice. Under 1980 PA 278, MCL 423.321, et seq., the State must not award a contract or subcontract to an employer whose name appears in the current register of employers failing to correct an unfair labor practice compiled under MCL 423.322. This information is compiled by the United States National Labor Relations Board. A contractor of the State, in relation to the contract, must not enter into a contract with a subcontractor, manufacturer, or supplier whose name appears in this register. Under MCL 423.324, the State may void any contract if, after award of the contract, the contractor as an employer or the name of the subcontractor, manufacturer or supplier of the contractor appears in the register.

18.14 Schedules All Schedules and Exhibits that are referenced herein and attached hereto are hereby incorporated by reference. The following Schedules are attached hereto and incorporated herein:

Schedule A Statement of Work

Schedule B Channel End User Terms: SaaS

Schedule C Data Security Requirements

Schedule D SaaS Listing

Schedule E Business Specifications

Schedule F Pricing

Schedule G Initial Order

18.15 Counterparts. This Contract may be executed in counterparts, each of which will be deemed an original, but all of which together are deemed to be one and the same agreement and will become effective and binding upon the parties as of the Effective Date at such time as all the signatories hereto have signed a counterpart of this Contract. A signed copy of this Contract delivered by facsimile, e-mail or other means of electronic transmission (to which a signed copy is attached) is deemed to have the same legal effect as delivery of an original signed copy of this Contract.

25

18.16 Entire Agreement. This Contract, including all Statements of Work and other Schedules and Exhibits, constitutes the sole and entire agreement of the parties to this Contract with respect to the subject matter contained herein, and supersedes all prior and contemporaneous understandings and agreements, both written and oral, with respect to such subject matter. In the event of any conflict between the terms of this Contract and those of any Schedule, Exhibit or other document, the following order of precedence governs: (a) first, this Contract and (b) second, the Channel End User Terms: SaaS and (c) third, the SaaS Listing; and (d) fourth the Statement of Work and (e) and fifth, any remaining Exhibits and Schedules to this Contract as of the Effective Date. NO TERMS ON CONTRACTORS INVOICES, WEBSITE, BROWSE-WRAP, SHRINK-WRAP, CLICK-WRAP, CLICK-THROUGH OR OTHER NON-NEGOTIATED TERMS AND CONDITIONS PROVIDED WITH ANY OF THE SERVICES, OR DOCUMENTATION HEREUNDER WILL CONSTITUTE A PART OR AMENDMENT OF THIS CONTRACT OR IS BINDING ON THE STATE OR ANY AUTHORIZED USER FOR ANY PURPOSE. ALL SUCH OTHER TERMS AND CONDITIONS HAVE NO FORCE AND EFFECT AND ARE DEEMED REJECTED BY THE STATE AND THE AUTHORIZED USER, EVEN IF ACCESS TO OR USE OF SUCH SERVICE OR DOCUMENTATION REQUIRES AFFIRMATIVE ACCEPTANCE OF SUCH TERMS AND CONDITIONS.

26

SCHEDULE A STATEMENT OF WORK

MICHIGAN DEPARTMENT OF TECHNOLOGY,

MANAGEMENT AND BUDGET IT SERVICES

STATEMENT OF WORK

Project Title: EPMO – PPM Tool Replacement

Period of Coverage: April 2018 through October 2018

Requesting Department: DTMB Center for Shared Services (CSS) Enterprise Program Management Office (ePMO)

Date: December 21, 2017

DTMB Project Manager: TBD

Phone:

PROJECT OBJECTIVE: The new PPM tool will initially be used to track and support Information Technology (IT) projects for the State of Michigan but will eventually be expanded to track non-IT projects as well. The implementation will include the migration of existing PPM data from the State of Michigan’s current tool, the development and implementation of a strategy to migrate or replicate existing enterprise dashboards and reports, and the development and deployment of an enterprise training strategy for users of the new PPM tool. SCOPE OF WORK: The scope of work includes:

• Provisioning 3 CA PPM SaaS environments • Defining requirements for the implementation of CA PPM SaaS • Configuring CA PPM SaaS to meet State of Michigan requirements • Implementing integrations to external systems • Data migration • Training

By mutual agreement, the parties may also add additional products and services that are reasonably related to this solution. TASKS: Functional and Technical support is required to assist with the following activities and tasks: Enterprise Core:

Activities/Tasks Description / Deliverables Oversight and Kickoff

SaaS Provisioning

Upon execution of the CA PPM SaaS Order Form, Rego will have CA provision one Production and two (2) Sandbox environments for State of Michigan. The two sandbox environments become the Test and Development environments.

Engagement Manager / Project Manager

Coordination, oversight and primary point of contact

Knowledge Transfer and Best Practice

Provide up to 130 hours of ongoing industry best-practice consulting (process and tool) during the implementation.

Pre-Workshop Preparation Document Prep, Demos, Research, Organizing Project Approach

Workshop 3-day workshop with emphasis on Demand, Project Management, Resource Management, and Time Management, and Portfolio Management.

27

Create Configuration High Level Requirements

Build requirements configuration list

Documentation

Create a single Microsoft Word document that details all changes made within the system. Assume this is produced after UAT signoff. Assume no formal requirements or design documentation produced. Contractor shall also produce required SUITE documentation.

Iteration Development (Sprint) 1 - Core Setup of PPM, Security Core Object Configuration Assume configuration of Demand, Project and Resource functionality.

Security Setup Create Groups, Organizational Breakdown Structure (OBS), and Partitions (if required)

Iteration Development (Sprint) 2 - Workflows, Reporting

Workflows

Assumes Rego will develop 10 custom workflows to automate email notifications, time approval, demand intake, or other items as needed. In addition, Rego will load up to 10 RegoXchange workflows (www.regoxchange.com). Rego has standard workflows for time stalking, allocation notifications, etc.

Portlets

Assumes that State of Michigan will require up to 12 custom portlets to meet unique needs. In addition, Rego will load up to 40 RegoXchange portlets to support functions being used (www.regoxchange.com)

Jaspersoft Reports Assumes one (1) custom Jaspersoft report required during the initial implementation.

Integration Development Federated SSO Single Sign On for End Users Microsoft Project Importing/exporting project plans from CA PPM to Microsoft Project Excel Export Data From CA PPM Outlook Outbound Emails From CA PPM Word Attach Documents in CA PPM PDF Attach Document in CA PPM and Export Reports to PDF

SharePoint Integration

§ Project Dashboards: 10 exports per week § Resource Management: 25 exports per month § Project Success: 1 export per month § Agency Overview: 1 export per month

ETL tools Export data to data warehouse using Rego's data extraction tool

Resource Integration (ERP) Leverage Rego's standard inbound integration from Workday for resource creation, deactiviation, updates

Inbound Transaction Integration (ERP)

Leverage Rego's standard inbound integration from PeopleSoft for actual financial transactions

Outbound Time Integration (Payroll System)

Leverage Rego's standard outbound integration to PeopleSoft for labor hours for PTO

Agile Tool (Visual Studio Team Server)

Leverage Rego’s standard bi-directional TFS integration

Agile Tool (JIRA) Leverage Rego's standard bi-directional integration from JIRA for work management

Agile Tool (Rational Team Center)

Implement a bi-directional integration from Rational Team Center to CA PPM for work management

Data Migrations Analysis and Prep Review data needs and alignment to CA PPM functionality

Prepare XLS Template and Import Data

Creation of load files in support of Demands, Projects, Resources

UAT, Migrations to Higher Environments, and Reserved Hours

Migrate Config to UAT and Prod Migration of configurations to UAT and Prod environments (no data migration) UAT Participation Support assistance during UAT. State of Michigan is responsible for running UAT. Reserved Hours for New Scope Allotted hours for new requirements that are established during UAT. Training and Deployment

28

Training Material Customization

Leverage Rego's prebuilt training artifacts (PowerPoint materials, quick reference guides, and videos) with major modifications for the State of Michigan environment. Includes three (3) custom PPT presentations for end user classes and fifteen custom (15) quick reference guides. This work could be done by internal resources.

Technical Training Rego will provide 3 day of technical training on administration. Includes 2 hours for setup and Q&A.

Train the Trainer Sessions Rego will provide 3 days of train the trainer sessions - preparing internal resources to perform end use training.

Wave 1:

Category/Tasks Assumptions / Deliverables Oversight and Kickoff

Engagement Manager / Project Manager

Coordination, oversight and primary point of contact

Knowledge Transfer and Best Practice

A maximum of 26 hours for ongoing industry best-practice consulting (process and tool) during the implementation.

Pre-Workshop Preparation Document Prep, Demos, Research, Organizing Project Approach

Workshop 3-day workshop with emphasis on Demand, Project Management, Resource Management, and Time Management, and Portfolio Management.

Create Configuration High Level Requirements

Build requirement config list

Documentation Create a single word document that details all changes made within the system. Assume this is produced after UAT signoff. Assume no formal requirements or design documentation produced.

Objects, Fields, Security Core Object Configuration Specific field additions for this Wave Security Setup Add Security and update OBS Workflows, Portlets, Reports

Workflows Assumes Rego will develop 3 custom workflow to automate email notifications, time approval, demand intake, or other items as needed.

Portlets Assumes that State of Michigan will require up to 3 custom portlets to meet unique needs. Jaspersoft Reports None in scope Integration Development N/A None in scope Data Migrations Analysis and Prep Review data needs and alignment to CA PPM functionality

Prepare XLS Template and Import Data

Execution of data loads for Agencies targeted in this wave

UAT, Migrations to Higher Environments, and Reserved Hours Migrate to UAT Migration of configurations and data to UAT UAT Participation Remote assistance to resolve UAT issues. Assume UAT run by State of Michigan. Migrate to PROD Migration of configurations and data to PROD

Wave 2

Category/Tasks Assumptions / Deliverables Oversight and Kickoff

Engagement Manager / Project Manager

Coordination, oversight and primary point of contact

Knowledge Transfer and Best Practice

Up to 65 hours for ongoing industry best-practice consulting (process and tool) during the implementation.

Pre-Workshop Preparation Document Prep, Demos, Research, Organizing Project Approach

Workshop 3-day workshop with emphasis on Demand, Project Management, Resource Management, and Time Management, and Portfolio Management.

Create Configuration High Level Requirements

Build requirement config list

Documentation Create a single MS Word document that details all changes made within the system. Assume this is produced after UAT signoff. Assume no formal requirements or design documentation produced.

29

Objects, Fields, Security Core Object Configuration Specific field additions for this Wave Security Setup Add Security and update OBS Workflows, Portlets, Reports

Workflows Rego will develop a maximum of 8 custom workflows to automate email notifications, time approval, demand intake, or other items as needed.

Portlets Develop a maximum of 8 custom portlets to meet unique needs. Jaspersoft Reports Not in scope Integration Development N/A Not in scope Data Migrations Analysis and Prep Review data needs and alignment to CA PPM functionality

Prepare XLS Template and Import Data

Execution of data loads for agencies in this wave

UAT, Migrations to Higher Environments, and Reserved Hours Migrate to UAT Migration of configurations and data to UAT UAT Participation Remote assistance to resolve UAT issues. Assume UAT run by State of Michigan. Migrate to PROD Migration of configurations and data to PROD

Wave 3:

Category/Tasks Assumptions / Deliverables Oversight and Kickoff

Engagement Manager / Project Manager

Coordination, oversight and primary point of contact

Knowledge Transfer and Best Practice

A maximum of 39 hours for ongoing industry best-practice consulting (process and tool) during the implementation.

Pre-Workshop Preparation Document Prep, Demos, Research, Organizing Project Approach

Workshop 3-day workshop with emphasis on Demand, Project Management, Resource Management, and Time Management, and Portfolio Management.

Create Configuration High Level Requirements

Build requirement config list

Documentation Create a single MS Word document that details all changes made within the system. Assume this is produced after UAT signoff. Assume no formal requirements or design documentation produced.

Objects, Fields, Security Core Object Configuration Specific field additions for this Wave Security Setup Add Security and update OBS Workflows, Portlets, Reports

Workflows Rego will develop a maximum of 5 custom workflow to automate email notifications, time approval, demand intake, or other items as needed.

Portlets Rego will develop a maximum of 5 custom portlets to meet unique needs. Jaspersoft Reports Not in scope Integration Development N/A Not in scope Data Migrations Analysis and Prep Review data needs and alignment to CA PPM functionality

Prepare XLS Template and Import Data

Execution of data loads for Agencies included in this wave

UAT, Migrations to Higher Environments, and Reserved Hours Migrate to UAT Migration of configurations and data to UAT UAT Participation Remote assistance to resolve UAT issues. Assume UAT run by State of Michigan. Migrate to PROD Migration of configurations and data to PROD

DELIVERABLES: Deliverables will not be considered complete until the DTMB Project Manager has formally accepted them. Deliverables for this project include:

30

Enterprise Core:

• CA PPM configuration requirements list • 10 custom workflows • 12 custom portlets • 1 custom Jaspersoft report • CA PPM Integrations

o Federated SSO o Microsoft Project o Excel o Outlook o Word o PDF o SharePoint Integration o ETL tools o Resource Integration (ERP) o Inbound Transaction Integration (ERP) o Outbound Time Integration (Payroll System) o Agile Tool (Visual Studio Team Server) o Agile Tool (JIRA) o Rational Team Center Tool

• Demands, Projects and Resources loaded into CA PPM SaaS • Configurations migrated to higher environments • Three(3) custom PowerPoint training presentations • Fifteen (15) custom quick reference guides • 3 days of technical training • 3 days of train-the-trainer training • Microsoft Word document showing all configuration changes made

Wave 1:

• CA PPM configuration requirements list • CA PPM configurations to support requirements list • 3 custom workflows • 3 custom portlets • Demands, Projects and Resources loaded into CA PPM SaaS • Configurations migrated to higher environments • Microsoft Word document showing all configuration changes made

Wave 2: • CA PPM configuration requirements list • CA PPM configurations to support requirements list • 8 custom workflows • 8 custom portlets • Demands, Projects and Resources loaded into CA PPM SaaS • Configurations migrated to higher environments • Microsoft Word document showing all configuration changes made

Wave 3: • CA PPM configuration requirements list • CA PPM configurations to support requirements list • 5 custom workflows • 5 custom portlets • Demands, Projects and Resources loaded into CA PPM SaaS • Configurations migrated to higher environments • Microsoft Word document showing all configuration changes made

31

ACCEPTANCE CRITERIA: Document Deliverables

• Documents are dated and in electronic format, compatible with State of Michigan software. • Documents in accordance with SOM SUTE standards • Any changes to requirements once they are approved will be captured in the change control document and the

revised Work Requests. • Draft documents are not accepted as final deliverables. • The documents will be reviewed and accepted in accordance with the requirements of the Contract and Appendices.

CA PPM SaaS Deliverables - General

• DTMB will review CA PPM SaaS within a mutually agreed upon timeframe for acceptance of functionality, usability, performance, security, standards compliance, backup/recovery, and operation.

o Approvals will be written and signed by both the DTMB Project Manager. o Unacceptable issues will be documented and submitted to the Contractor. o After issues are resolved or waived, the Contractor will resubmit software for approval within 30 days of

receipt. • Final acceptance of the software will depend on the successful completion of User Acceptance Testing (UAT). • Testing will demonstrate the system’s compliance with the requirements of the Contract. At a minimum, the testing

will confirm the following: o Functional - the capabilities of the system with respect to the functions and features described in the

Contract. o Performance - the ability of the system to perform the workload throughput requirements. All problems

should be completed satisfactorily within the allotted time frame. • DTMB will review test software, data, and results within a mutually agreed upon timeframe. In the absence of an

agreed timeframe, existing contract terms will control. o Approvals will be written and signed by both the DTMB Project Manager. o Unacceptable issues will be documented and submitted to the Contractor. o After issues are resolved or waived, the Contractor will resubmit test software, data and results for approval

within 30 days of receipt. • Deliverable approval process outlined in the contract terms has been followed and met.

Project-Specific Acceptance Criteria / Requirements The following acceptance criteria apply to this project’s Scope Items:

• CA PPM SaaS has been configured in 3 environments PROJECT CONTROL AND REPORTS: A bi-weekly progress report must be submitted to the Agency and DTMB Project Managers throughout the life of this project. This report may be submitted with the billing invoice. Each bi-weekly progress report must contain the following:

1. Major Milestones: Indicate major milestones and deliverables, with baseline date, planned completion date, actual completion date, and current status (green/yellow/red or completed).

2. Key Risks/Issues: Indicate key risks or issues that may impact the project. 3. Current Activity Status: Provide a brief summary of the overall project status. 4. Project Budget/Cost: Indicate the initial project budget, revised budget amount, actual project costs to date, and

provide any comments needed to explain the status of the project budget. 5. Accomplishments and Next Steps: Indicate what was worked on and what was completed during the current

reporting period and what the objectives are for the next reporting period. PROJECT SCHEDULE: The preliminary project schedule is shown below. The parties may revise this plan during project kickoff.

Task Name Duration Start Finish Resource Names

Enterprise Core 88 days Mon 10/1/18 Wed 2/13/19

Initiation & Planning 20 days Mon 10/1/18 Fri 10/26/18 32

Award of Contract 0 days Mon 10/1/18 Mon 10/1/18 State

Prep for Kickoff 10 days Mon 10/1/18 Fri 10/12/18 Rego/State

Project Kickoff (Contract + 10) 0 days Fri 10/12/18 Fri 10/12/18 Rego/State

Prep for Workshop & Data Collection 10 days Mon 10/15/18 Fri 10/26/18 Rego/State

Prepare initial PM Deliverables: Plan, Issue Log, Risk Log 3 days Mon 10/15/18 Wed 10/17/18 Rego

Environment Preparation 4 days Mon 10/1/18 Thu 10/4/18

Environment Provisioning 2 days Mon 10/1/18 Tue 10/2/18 CA

Install Rego Base PPM Kit 2 days Wed 10/3/18 Thu 10/4/18 Rego

Requirements Definition 14 days Mon 10/29/18 Thu 11/15/18 Configuration Requirements (Objects, Security, Workflow, Portlets) 14 days Mon 10/29/18 Thu 11/15/18

Requirements/Knowledge Transfer Workshop 4 days Mon 10/29/18 Thu 11/1/18 Rego/State

Validation Sessions Complete (Contract + 60) 0 days Thu 11/1/18 Thu 11/1/18

Document and Estimate Configuration Requirements 10 days Fri 11/2/18 Thu 11/15/18 Rego

Final Requirement Validation (Contract + 60) 0 days Thu 11/15/18 Thu 11/15/18 State

Report Requirements Documents 5 days Fri 11/2/18 Thu 11/8/18 TBD - Detailed Requirements / MockUps for Jaspersoft Reports 5 days Fri 11/2/18 Thu 11/8/18 Rego

Custom Report Requirements Document Signoff 0 days Thu 11/8/18 Thu 11/8/18 State

Integration Requirement Documents 10 days Fri 11/2/18 Thu 11/15/18

SharePoint Integration 10 days Fri 11/2/18 Thu 11/15/18 Rego

ETL tools 10 days Fri 11/2/18 Thu 11/15/18 Rego

Resource Integration (ERP) 10 days Fri 11/2/18 Thu 11/15/18 Rego

Inbound Transaction Integration (ERP) 10 days Fri 11/2/18 Thu 11/15/18 Rego

Outbound Time Integration (Payroll System) 10 days Fri 11/2/18 Thu 11/15/18 Rego

Agile Tool (Visual Studio Team Server) 10 days Fri 11/2/18 Thu 11/15/18 Rego

Agile Tool (JIRA) 10 days Fri 11/2/18 Thu 11/15/18 Rego

Custom Integration Requirements Document Signoffs 0 days Thu 11/15/18 Thu 11/15/18 State

Functional / System Design 15 days Fri 11/2/18 Mon 11/26/18

Approach/Architecture Document 10 days Fri 11/2/18 Thu 11/15/18

Data Migration Approach Document Creation 10 days Fri 11/2/18 Thu 11/15/18 Rego

Test Plan 10 days Fri 11/2/18 Thu 11/15/18 State

Security Architecture Document Creation 10 days Fri 11/2/18 Thu 11/15/18 Rego

Financial Architecture Document Creation 10 days Fri 11/2/18 Thu 11/15/18 Rego

Training Approach Document Creation 10 days Fri 11/2/18 Thu 11/15/18 Rego

Signoff of Approach/Architecture Documents 10 days Fri 11/2/18 Thu 11/15/18 Rego

Cofiguration/ Report Design Document Signoff 0 days Thu 11/15/18 Thu 11/15/18 State

Configuration/Report Design 7 days Fri 11/9/18 Mon 11/19/18

Configuration Design (If needed) 2 days Fri 11/16/18 Mon 11/19/18 Rego

Report Design Document (if needed) 2 days Fri 11/9/18 Mon 11/12/18 Rego

Configuration/Report Document Signoff 0 days Mon 11/19/18 Mon 11/19/18 State

Integration Design Documents 5 days Fri 11/16/18 Mon 11/26/18

SharePoint Integration 5 days Fri 11/16/18 Mon 11/26/18 Rego

ETL tools 5 days Fri 11/16/18 Mon 11/26/18 Rego

Resource Integration (ERP) 5 days Fri 11/16/18 Mon 11/26/18 Rego

Inbound Transaction Integration (ERP) 5 days Fri 11/16/18 Mon 11/26/18 Rego

Outbound Time Integration (Payroll System) 5 days Fri 11/16/18 Mon 11/26/18 Rego 33

Agile Tool (Visual Studio Team Server) 5 days Fri 11/16/18 Mon 11/26/18 Rego

Agile Tool (JIRA) 5 days Fri 11/16/18 Mon 11/26/18 Rego

Custom Integration Design Document Signoffs 0 days Mon 11/26/18 Mon 11/26/18 State

Final Design Document (Contract + 60) 0 days Mon 11/26/18 Mon 11/26/18 State

Final Implementation Document (Contract +60) 0 days Mon 11/26/18 Mon 11/26/18 State

Construction / Configuration 35 days Fri 11/16/18 Thu 1/17/19

Iteration One 15 days Fri 11/16/18 Mon 12/10/18

Development 10 days Fri 11/16/18 Mon 12/3/18 Rego

Review 5 days Tue 12/4/18 Mon 12/10/18 Rego/State

Signoff 0 days Mon 12/10/18 Mon 12/10/18 State

Iteration Two 20 days Tue 12/11/18 Thu 1/17/19

Development 15 days Tue 12/11/18 Thu 1/10/19 Rego

Review 5 days Fri 1/11/19 Thu 1/17/19 Rego/State

Signoff 0 days Thu 1/17/19 Thu 1/17/19 State

Integration(s) Iteration 30 days Tue 11/27/18 Thu 1/17/19

Development 20 days Tue 11/27/18 Thu 1/3/19 Rego

Review 10 days Fri 1/4/19 Thu 1/17/19 Rego/State

Signoff 0 days Thu 1/17/19 Thu 1/17/19 State

Final Solution Signoff (Contact + 90) 0 days Thu 1/17/19 Thu 1/17/19 State

Test Cases 30 days Tue 11/27/18 Thu 1/17/19

Define UAT Test Scripts 10 days Tue 11/27/18 Mon 12/10/18 State

Create Test Cases 20 days Tue 12/11/18 Thu 1/17/19 State

Final Testing Document (Contract + 90) 0 days Thu 1/17/19 Thu 1/17/19 State

Data Load 35 days Fri 11/16/18 Thu 1/17/19

Create Template for Source - CSV or database views 15 days Fri 11/16/18 Mon 12/10/18 State

Create data mapping 10 days Fri 11/16/18 Mon 12/3/18 Rego

Signoff of data mapping 0 days Mon 12/3/18 Mon 12/3/18 State

Load Data to Agreed Source 5 days Tue 12/4/18 Mon 12/10/18 State

Create Data Migration Scripts 10 days Tue 12/11/18 Thu 1/3/19 Rego

First Round Data Load 2 days Fri 1/4/19 Mon 1/7/19 Rego

Data Validation 3 days Tue 1/8/19 Thu 1/10/19 State

Script Adjustment & Re-Load 3 days Fri 1/11/19 Tue 1/15/19 Rego

Data Validation 2 days Wed 1/16/19 Thu 1/17/19 State

Signoff of Load 0 days Thu 1/17/19 Thu 1/17/19 State

Testing & Acceptance 54 days Fri 11/16/18 Wed 2/13/19

Training Materials 45 days Fri 11/16/18 Thu 1/31/19

Create Training Plan 10 days Fri 11/16/18 Mon 12/3/18 Rego/State

Training Plan Signoff 0 days Mon 12/3/18 Mon 12/3/18 State

Review Rego Standard Materials 5 days Tue 12/4/18 Mon 12/10/18 Rego/State

Create Custom Powerpoint and QRG Materials 30 days Tue 12/11/18 Thu 1/31/19 Rego

Final Training Documentation (Contract + 120) 0 days Thu 1/31/19 Thu 1/31/19 State

UAT 17 days Fri 1/18/19 Mon 2/11/19

TEST Migration 2 days Fri 1/18/19 Mon 1/21/19 Rego

UAT 10 days Tue 1/22/19 Mon 2/4/19 Rego/State

Final Test Results Report (Contract + 120) 0 days Mon 2/4/19 Mon 2/4/19 State

34

UAT Modifications 5 days Tue 2/5/19 Mon 2/11/19 Rego

UAT Signoff 0 days Mon 2/11/19 Mon 2/11/19 State

Migration to PROD 2 days Tue 2/12/19 Wed 2/13/19

Migration of Configuration to PROD 2 days Tue 2/12/19 Wed 2/13/19 Rego

Final Acceptance (Contract + 120) 0 days Wed 2/13/19 Wed 2/13/19 State

Wave 1 40 days Mon 2/11/19 Mon 4/8/19

Initiation & Planning 0 days Mon 2/11/19 Mon 2/11/19

Project Kickoff (Contract + 10) 0 days Mon 2/11/19 Mon 2/11/19 Rego/State

Requirements Definition 5 days Tue 2/12/19 Mon 2/18/19 Configuration Requirements (Objects, Security, Workflow, Portlets) 5 days Tue 2/12/19 Mon 2/18/19

Requirements/Knowledge Transfer Workshop 2 days Tue 2/12/19 Wed 2/13/19 Rego/State

Validation Sessions Complete (Contract + 60) 0 days Wed 2/13/19 Wed 2/13/19 State

Document and Estimate Configuration Requirements 3 days Thu 2/14/19 Mon 2/18/19 Rego

Final Requirement Validation (Contract + 60) 0 days Mon 2/18/19 Mon 2/18/19 State

Functional / System Design 2 days Tue 2/19/19 Wed 2/20/19

Configuration/Report Design 2 days Tue 2/19/19 Wed 2/20/19

Configuration Design 2 days Tue 2/19/19 Wed 2/20/19 Rego

Configuration/Report Document Signoff 0 days Wed 2/20/19 Wed 2/20/19 State

Construction / Configuration 19 days Tue 2/19/19 Fri 3/15/19

Iteration One 8 days Tue 2/19/19 Thu 2/28/19

Development 5 days Tue 2/19/19 Mon 2/25/19 Rego

Review 3 days Tue 2/26/19 Thu 2/28/19 Rego/State

Signoff 0 days Thu 2/28/19 Thu 2/28/19 State

Iteration Two 8 days Fri 3/1/19 Tue 3/12/19

Development 5 days Fri 3/1/19 Thu 3/7/19 Rego

Review 3 days Fri 3/8/19 Tue 3/12/19 Rego/State

Signoff 0 days Tue 3/12/19 Tue 3/12/19 State

Final Solution Signoff (Contact + 90) 0 days Tue 3/12/19 Tue 3/12/19 State

Test Cases 10 days Thu 2/21/19 Wed 3/6/19

Define UAT Test Scripts 5 days Thu 2/21/19 Wed 2/27/19 State

Create Test Cases 5 days Thu 2/28/19 Wed 3/6/19 State

Final Testing Document (Contract + 90) 0 days Wed 3/6/19 Wed 3/6/19 State

Data Load 11 days Fri 3/1/19 Fri 3/15/19

Create data mapping 3 days Fri 3/1/19 Tue 3/5/19 Rego

Signoff of data mapping 0 days Tue 3/5/19 Tue 3/5/19 State

Create Data Migration Scripts 3 days Wed 3/6/19 Fri 3/8/19 Rego

First Round Data Load 1 day Mon 3/11/19 Mon 3/11/19 Rego

Data Validation 2 days Tue 3/12/19 Wed 3/13/19 State

Script Adjustment & Re-Load 1 day Thu 3/14/19 Thu 3/14/19 Rego

Data Validation 1 day Fri 3/15/19 Fri 3/15/19 State

Signoff of Load 0 days Fri 3/15/19 Fri 3/15/19 State

Testing & Acceptance 33 days Thu 2/21/19 Mon 4/8/19

Training Materials 16 days Thu 2/21/19 Thu 3/14/19

Create Training Plan 10 days Thu 2/21/19 Wed 3/6/19 State

Training Plan Signoff 0 days Wed 3/6/19 Wed 3/6/19 State

35

Create Custom Powerpoint and QRG Materials 10 days Fri 3/1/19 Thu 3/14/19 State

Final Training Documentation (Contract + 120) 0 days Thu 3/14/19 Thu 3/14/19 State

UAT 5 days Mon 3/18/19 Fri 3/22/19

TEST Migration 1 day Mon 3/18/19 Mon 3/18/19 Rego

UAT 3 days Tue 3/19/19 Thu 3/21/19 State

Final Test Results Report (Contract + 120) 0 days Thu 3/21/19 Thu 3/21/19 State

UAT Modifications 1 day Fri 3/22/19 Fri 3/22/19 Rego

UAT Signoff 0 days Fri 3/22/19 Fri 3/22/19 State

Migration to PROD 2 days Mon 3/25/19 Tue 3/26/19

Migration of Configuration to PROD 2 days Mon 3/25/19 Tue 3/26/19 Rego

Final Acceptance (Contract + 120) 0 days Tue 3/26/19 Tue 3/26/19 State

Implementation 11 days Mon 3/25/19 Mon 4/8/19

Team Member Training 10 days Mon 3/25/19 Fri 4/5/19 Rego/State

Resource/Project Management Training 10 days Mon 3/25/19 Fri 4/5/19 Rego/State

Portfolio Training 5 days Mon 3/25/19 Fri 3/29/19 Rego/State

Data Migration to PROD 1 day Mon 4/8/19 Mon 4/8/19 Rego

Go-Live 0 days Mon 4/8/19 Mon 4/8/19 State

Wave 2 54 days Thu 2/28/19 Wed 5/15/19

Initiation & Planning 0 days Thu 2/28/19 Thu 2/28/19

Project Kickoff (Contract + 10) 0 days Thu 2/28/19 Thu 2/28/19 Rego/State

Requirements Definition 10 days Fri 3/1/19 Thu 3/14/19 Configuration Requirements (Objects, Security, Workflow, Portlets) 10 days Fri 3/1/19 Thu 3/14/19

Requirements/Knowledge Transfer Workshop 4 days Fri 3/1/19 Wed 3/6/19 Rego/State

Validation Sessions Complete (Contract + 60) 0 days Wed 3/6/19 Wed 3/6/19 State

Document and Estimate Configuration Requirements 6 days Thu 3/7/19 Thu 3/14/19 Rego

Final Requirement Validation (Contract + 60) 0 days Thu 3/14/19 Thu 3/14/19 State

Functional / System Design 2 days Fri 3/15/19 Mon 3/18/19

Configuration/Report Design 2 days Fri 3/15/19 Mon 3/18/19

Configuration Design 2 days Fri 3/15/19 Mon 3/18/19 Rego

Configuration/Report Document Signoff 0 days Mon 3/18/19 Mon 3/18/19 State

Construction / Configuration 28 days Fri 3/15/19 Tue 4/23/19

Iteration One 13 days Fri 3/15/19 Tue 4/2/19

Development 10 days Fri 3/15/19 Thu 3/28/19 Rego

Review 3 days Fri 3/29/19 Tue 4/2/19 Rego/State

Signoff 0 days Tue 4/2/19 Tue 4/2/19 State

Iteration Two 13 days Wed 4/3/19 Fri 4/19/19

Development 10 days Wed 4/3/19 Tue 4/16/19 Rego

Review 3 days Wed 4/17/19 Fri 4/19/19 Rego/State

Signoff 0 days Fri 4/19/19 Fri 4/19/19 State

Final Solution Signoff (Contact + 90) 0 days Fri 4/19/19 Fri 4/19/19 State

Test Cases 10 days Tue 3/19/19 Mon 4/1/19

Define UAT Test Scripts 5 days Tue 3/19/19 Mon 3/25/19 State

Create Test Cases 5 days Tue 3/26/19 Mon 4/1/19 State

Final Testing Document (Contract + 90) 0 days Mon 4/1/19 Mon 4/1/19 State

Data Load 15 days Wed 4/3/19 Tue 4/23/19

36

Create data mapping 3 days Wed 4/3/19 Fri 4/5/19 Rego

Signoff of data mapping 0 days Fri 4/5/19 Fri 4/5/19 State

Create Data Migration Scripts 6 days Mon 4/8/19 Mon 4/15/19 Rego

First Round Data Load 1 day Tue 4/16/19 Tue 4/16/19 Rego

Data Validation 3 days Wed 4/17/19 Fri 4/19/19 State

Script Adjustment & Re-Load 1 day Mon 4/22/19 Mon 4/22/19 Rego

Data Validation 1 day Tue 4/23/19 Tue 4/23/19 State

Signoff of Load 0 days Tue 4/23/19 Tue 4/23/19 State

Testing & Acceptance 42 days Tue 3/19/19 Wed 5/15/19

Training Materials 21 days Tue 3/19/19 Tue 4/16/19

Create Training Plan 10 days Tue 3/19/19 Mon 4/1/19 State

Training Plan Signoff 0 days Mon 4/1/19 Mon 4/1/19 State

Create Custom Powerpoint and QRG Materials 10 days Wed 4/3/19 Tue 4/16/19 State

Final Training Documentation (Contract + 120) 0 days Tue 4/16/19 Tue 4/16/19 State

UAT 5 days Wed 4/24/19 Tue 4/30/19

TEST Migration 1 day Wed 4/24/19 Wed 4/24/19 Rego

UAT 3 days Thu 4/25/19 Mon 4/29/19 State

Final Test Results Report (Contract + 120) 0 days Mon 4/29/19 Mon 4/29/19 State

UAT Modifications 1 day Tue 4/30/19 Tue 4/30/19 Rego

UAT Signoff 0 days Tue 4/30/19 Tue 4/30/19 State

Migration to PROD 2 days Wed 5/1/19 Thu 5/2/19

Migration of Configuration to PROD 2 days Wed 5/1/19 Thu 5/2/19 Rego

Final Acceptance (Contract + 120) 0 days Thu 5/2/19 Thu 5/2/19 State

Implementation 11 days Wed 5/1/19 Wed 5/15/19

Team Member Training 10 days Wed 5/1/19 Tue 5/14/19 Rego/State

Resource/Project Management Training 10 days Wed 5/1/19 Tue 5/14/19 Rego/State

Portfolio Training 5 days Wed 5/1/19 Tue 5/7/19 Rego/State

Data Migration to PROD 1 day Wed 5/15/19 Wed 5/15/19 Rego

Go-Live 0 days Wed 5/15/19 Wed 5/15/19 State

Wave 3 44 days Tue 4/2/19 Mon 6/3/19

Initiation & Planning 0 days Tue 4/2/19 Tue 4/2/19

Project Kickoff (Contract + 10) 0 days Tue 4/2/19 Tue 4/2/19 Rego/State

Requirements Definition 5 days Wed 4/3/19 Tue 4/9/19 Configuration Requirements (Objects, Security, Workflow, Portlets) 5 days Wed 4/3/19 Tue 4/9/19

Requirements/Knowledge Transfer Workshop 2 days Wed 4/3/19 Thu 4/4/19 Rego/State

Validation Sessions Complete (Contract + 60) 0 days Thu 4/4/19 Thu 4/4/19 State

Document and Estimate Configuration Requirements 3 days Fri 4/5/19 Tue 4/9/19 Rego

Final Requirement Validation (Contract + 60) 0 days Tue 4/9/19 Tue 4/9/19 State

Functional / System Design 2 days Wed 4/10/19 Thu 4/11/19

Configuration/Report Design 2 days Wed 4/10/19 Thu 4/11/19

Configuration Design 2 days Wed 4/10/19 Thu 4/11/19 Rego

Configuration/Report Document Signoff 0 days Thu 4/11/19 Thu 4/11/19 State

Construction / Configuration 23 days Wed 4/10/19 Fri 5/10/19

Iteration One 8 days Wed 4/10/19 Fri 4/19/19

Development 5 days Wed 4/10/19 Tue 4/16/19 Rego

37

Review 3 days Wed 4/17/19 Fri 4/19/19 Rego/State

Signoff 0 days Fri 4/19/19 Fri 4/19/19 State

Iteration Two 13 days Mon 4/22/19 Wed 5/8/19

Development 10 days Mon 4/22/19 Fri 5/3/19 Rego

Review 3 days Mon 5/6/19 Wed 5/8/19 Rego/State

Signoff 0 days Wed 5/8/19 Wed 5/8/19 State

Final Solution Signoff (Contact + 90) 0 days Wed 5/8/19 Wed 5/8/19 State

Test Cases 10 days Fri 4/12/19 Thu 4/25/19

Define UAT Test Scripts 5 days Fri 4/12/19 Thu 4/18/19 State

Create Test Cases 5 days Fri 4/19/19 Thu 4/25/19 State

Final Testing Document (Contract + 90) 0 days Thu 4/25/19 Thu 4/25/19 State

Data Load 15 days Mon 4/22/19 Fri 5/10/19

Create data mapping 3 days Mon 4/22/19 Wed 4/24/19 Rego

Signoff of data mapping 0 days Wed 4/24/19 Wed 4/24/19 State

Create Data Migration Scripts 6 days Thu 4/25/19 Thu 5/2/19 Rego

First Round Data Load 1 day Fri 5/3/19 Fri 5/3/19 Rego

Data Validation 3 days Mon 5/6/19 Wed 5/8/19 State

Script Adjustment & Re-Load 1 day Thu 5/9/19 Thu 5/9/19 Rego

Data Validation 1 day Fri 5/10/19 Fri 5/10/19 State

Signoff of Load 0 days Fri 5/10/19 Fri 5/10/19 State

Testing & Acceptance 37 days Fri 4/12/19 Mon 6/3/19

Training Materials 16 days Fri 4/12/19 Fri 5/3/19

Create Training Plan 10 days Fri 4/12/19 Thu 4/25/19 State

Training Plan Signoff 0 days Thu 4/25/19 Thu 4/25/19 State

Create Custom Powerpoint and QRG Materials 10 days Mon 4/22/19 Fri 5/3/19 State

Final Training Documentation (Contract + 120) 0 days Fri 5/3/19 Fri 5/3/19 State

UAT 5 days Mon 5/13/19 Fri 5/17/19

TEST Migration 1 day Mon 5/13/19 Mon 5/13/19 Rego

UAT 3 days Tue 5/14/19 Thu 5/16/19 State

Final Test Results Report (Contract + 120) 0 days Thu 5/16/19 Thu 5/16/19 State

UAT Modifications 1 day Fri 5/17/19 Fri 5/17/19 Rego

UAT Signoff 0 days Fri 5/17/19 Fri 5/17/19 State

Migration to PROD 2 days Mon 5/20/19 Tue 5/21/19

Migration of Configuration to PROD 2 days Mon 5/20/19 Tue 5/21/19 Rego

Final Acceptance (Contract + 120) 0 days Tue 5/21/19 Tue 5/21/19 State

Implementation 11 days Mon 5/20/19 Mon 6/3/19

Team Member Training 10 days Mon 5/20/19 Fri 5/31/19 Rego/State

Resource/Project Management Training 10 days Mon 5/20/19 Fri 5/31/19 Rego/State

Portfolio Training 5 days Mon 5/20/19 Fri 5/24/19 Rego/State

Data Migration to PROD 1 day Mon 6/3/19 Mon 6/3/19 Rego

Go-Live 0 days Mon 6/3/19 Mon 6/3/19 State

SPECIFIC DEPARTMENT STANDARDS: Agency standards, if any, in addition to DTMB standards.

38

PAYMENT SCHEDULE: This is a fixed fee, milestone-based SOW. Unused scope (portlets, workflows, reports, and integrations) can be applied to support additional requirements that come up during the project based upon the unused hours in the applicable milestone. Payment will be made on a Satisfactory acceptance of each Milestone basis. DTMB will pay CONTRACTOR upon receipt of properly completed invoice(s) which shall be submitted to the billing address on the State issued purchase order not more often than monthly. DTMB Accounts Payable area will coordinate obtaining Agency and DTMB Project Manager approvals. All invoices should reflect actual work completed by payment date and must be approved by the Agency and DTMB Project Manager prior to payment. The invoices shall describe and document to the State’s satisfaction a description of the work performed, the progress of the project, and fees. When expenses are invoiced, receipts will need to be provided along with a detailed breakdown of each type of expense. Payment shall be considered timely if made by the DTMB within forty-five (45) days after receipt of properly completed invoices. EXPENSES: The State will NOT pay for any travel expenses, including hotel, mileage, meals, parking, etc. PROJECT CONTACTS: The designated Contractor Project Manager is: TBD The designated DTMB Project Manager is:

Bryan Farr DTMB Enterprise Portfolio Management Office (EPMO) Portfolio Management Team Romney Building, Ground Floor 111 S. Capitol Avenue, Lansing, MI 48933 517.335.3360 517.373.0658 farrb@michigan.gov

AGENCY RESPONSIBILITIES: Provide:

• A single point of contact (project manager) to assist with scheduling meetings, owning internal communications, helping to navigate internal resources needed, ensuring decisions are made quickly

• Time to help make decisions on key requirements • Resources to test configurations and perform UAT

LOCATION OF WHERE THE WORK IS TO BE PERFORMED: Consultants will work at Romney Building, 111 S. Capitol Ave, Lansing, Michigan (or other mutually agreed downtown Lansing location) and remotely from Rego offices in the United States, Canada and India (if approved). EXPECTED CONTRACTOR WORK HOURS AND CONDITIONS: Work hours are not to exceed eight (8) hours a day, forty (40) hours a week. Normal working hours of 8:00 am to 5:00 pm are to be observed unless otherwise agreed to in writing. No overtime will be permitted.

39

SCHEDULE B Channel End User Terms: SaaS

1. INTRODUCTION

1.1. By purchasing or using the Software as a Service (“SaaS”) from CA or an Authorized CA Partner, the end user (“Customer”), on behalf of itself and its Authorized Users, agrees to these terms and conditions (“SaaS Terms”) with CA, Inc., located at 520 Madison Avenue, 22nd Floor, New York, NY 10022, Tel: 800 225 5224 (“CA”) to govern Customer’s access and use of the SaaS. Customer and CA each a “Party” and collectively “Parties”. These SaaS Terms shall be deemed in effect at the time that SaaS is made available to Customer pursuant to an order document specifying the applicable CA Software, SaaS Listing and Subscription Term for the applicable SaaS authorized by CA for Customer’s use (Transaction Document”) as entered into by CA and an entity having a valid, current authorization from CA to market, offer and resell to Customer the right to use the CA SaaS Offering (“Authorized CA Partner”) on Customer’s behalf for Customer’s use of SaaS.

2. SAAS OFFERING

2.1. CA provides Customer a non-transferable and non-exclusive right for Customer, its employees, independent contractors and/or any Affiliate or as otherwise defined in the SaaS Listing (collectively, “Authorized Users”), to access and use the online version of the CA software and/or type of online service defined in the Transaction Document and made available to Authorized Users via the Internet (“SaaS Offering”), provided such Authorized Users are bound by terms and conditions no less restrictive than those contained in the Agreement and solely to the extent that they are acting on behalf of Customer or its Affiliates. “Affiliates” shall mean a legal entity which Customer directly or indirectly has ownership or control of greater than fifty percent (50%) of an entity’s shares or control the board of such entity by force of law or contract, or the equivalent. The rights granted herein are for the initial or renewal period of the subscription to the SaaS Offering as set out in the Transaction Document (“Subscription Term”) subject to compliance with these SaaS Terms and any document incorporated expressly therein by reference (the “Agreement”). The SaaS Listing defines the operating parameters, data and data center location(s), applicable audit standards, availability standards and any other details for the specific SaaS Offering as published or made available by CA. SaaS Listings may define provisioning and management processes applicable to the SaaS Offering, types and quantities of system resources (such as storage allotments), functional and technical aspects of the SaaS, as well as a catalogue of available service requests. These listings are available at http://www.ca.com/us/lpg/saas-knowledge-is-power.aspx.

2.2. Customer acknowledges and agrees that in order for Customer to access and use SaaS, Customer is required to maintain minimum requirements such as operating system versions, browsers etc., as stated in the documentation, technical specifications and/or user manuals, published by CA or any entity within CA group of companies (each a CA entity) that is made generally available for SaaS (“Documentation”). If required, information about updates to minimum requirements will be provided to Customer during the Subscription Term.

2.3. If CA provides software to Customer to enable or to optimize SaaS during the Subscription Term, such software will be listed in the Transaction Document. Such software is specifically provided to Customer to help Customer utilize certain applications and web services that may be available through SaaS. In such cases, CA provides Customer, during the Subscription Term, a non-transferable and non-exclusive right to use such software solely in connection with SaaS and for the sole purpose of allowing Customer’s applications or web services to utilize SaaS. The grant of rights for such software is contingent upon Customer’s compliance with the following obligations: Customer agrees, that neither it nor Authorized Users shall: (i) access or use any portion of the software not expressly authorized in the Transaction Document or the Documentation; (ii) cause or permit de-compilation, reverse engineering, or otherwise translate all or any portion of the software; (iii) modify, unbundle, or create derivative works of the software and/or Documentation; (iv) rent, sell, lease, assign, transfer or sublicense the software or use the software to provide hosting, service bureau, on demand or outsourcing services for the benefit of a third party; (v) remove any proprietary notices, labels, or marks on or in any copy or version of the software or Documentation; (vi) use the software beyond the rights granted. Any installation of agents or software of any kind will be required to be removed at the end of the Subscription Term and either returned to CA or Customer will be required to certify destruction or deletion of such items.

40

3. ORDERING AND DELIVERY

3.1. Customer agrees that its authorization to use SaaS is based upon, and subject to, the order made on its behalf by an Authorized CA Partner as reflected by the Transaction Document. The Parties acknowledge and agree that all terms governing the fees, payments, payment schedules, pricing and discounts for the applicable SaaS procured by Customer under this Agreement are solely between Customer and its chosen Authorized CA Partner. The limitation on usage of SaaS as measured by the metric for billing SaaS to Customer as defined in the SaaS Listing (“Billing Metric”) specified in the Transaction Document (“Authorized Use Limitation”) and associated fees shall be as set out on the Transaction Document between CA and Customer’s Authorized CA Partner. CA will make SaaS available to Customer only upon, and in accordance with, CA’s execution of the Transaction Document. Any terms that may appear on a Customer’s purchase order (including without limitation pre-printed terms), or as part of Customer’s order with the Authorized CA Partner, that conflict or vary from the terms and conditions of this Agreement shall not apply to the SaaS and shall be deemed null and void.

3.2. CA reserves the right, on notice to Customer, to request written certification from Customer regarding Customer’s SaaS usage, no more than once per 24 months, unless CA has a good faith reasonable belief that Customer is out of compliance with the Authorized Use Limitation or any other term of this Agreement, in which case CA may request, and Customer will furnish, written certifications related to SaaS usage more frequently than once every 24 months. Customer agrees to respond to any such request within 15 business days. If Customer’s usage is greater than the Authorized Use Limitation, Customer shall be invoiced for any such use and the unpaid fees shall be payable in accordance with the agreement between Customer and the Authorized CA Partner. Payment under this provision shall be CA’s sole and exclusive remedy to cure such issues.

4. CONFIDENTIAL INFORMATION

4.1. The Parties agree any information, maintained in confidence by the disclosing Party, communicated in written or oral form, marked as proprietary, confidential or otherwise so identified, and/or any information that by its form, nature, content or mode of transmission would to a reasonable recipient be deemed confidential or proprietary, including, without limitation, SaaS, Documentation, and any benchmark data and results produced (“Confidential Information”) is comprised of information, maintained in confidence by the disclosing Party, communicated in written or oral form, marked as proprietary, confidential or otherwise so identified, and/or any information that by its form, nature, content or mode of transmission would to a reasonable recipient be deemed confidential or proprietary, including, without limitation, CA Offerings, technical product specifications and/or user manuals, published by CA or any entity within CA group of companies (“Documentation”), and any benchmark data and results produced.

4.2. The Parties agree that when receiving Confidential Information from the disclosing Party, that the receiving Party shall hold it in confidence and shall not disclose or use such information except as permitted under the Agreement. The receiving Party shall treat the disclosing Party’s Confidential Information confidentially and in the same manner as it treats its own proprietary and/or confidential information, which shall not be less than a reasonable standard of care, and the receiving Party shall use Confidential Information only for the purposes described in the Agreement. Confidential Information may be disclosed to receiving Party’s employees, agents, financial advisors, contractors and attorneys on a need-to know basis and the receiving Party shall ensure that such persons maintain such Confidential Information pursuant to the terms of the Agreement.

4.3. The receiving Party shall be permitted to disclose Confidential Information in connection with a judicial or administrative proceeding to the extent that such disclosure is required under applicable law or court order, provided that the receiving Party shall, where reasonably possible, give the disclosing Party prompt and timely written notice of any such proceeding and shall offer reasonable cooperation in any effort of the disclosing Party to obtain a protective order.

4.4. For the purposes of the Agreement, Confidential Information shall exclude: (i) information which the receiving Party has been authorized in writing by the disclosing Party to disclose without restriction; (ii) information which was rightfully in the receiving Party’s possession or rightfully known to it prior to receipt of such information from the disclosing Party; (iii) information which was rightfully disclosed to the receiving Party by a third Party having proper possession of such information, without restriction; (iv) information which is part of or enters the public domain without any breach of the obligations of confidentiality by the receiving Party; and (v) information which is independently developed by the receiving Party without use or reference to the disclosing Party’s Confidential Information.

4.5. Nothing in the Agreement will (i) preclude CA from using the ideas, concepts and know-how which are developed in the course of providing any CA Offerings to Customer or (ii) be deemed to limit CA’s rights to provide similar CA Offerings to

41

other customers. Customer agrees that CA may use any feedback provided by Customer related to any CA Offering for any CA business purpose, without requiring consent including reproduction and preparation of derivative works based upon such feedback, as well as distribution of such derivative works.

4.6. The receiving Party agrees, upon request of the disclosing party, to return to the disclosing Party all Confidential Information in its possession or certify the destruction thereof.

4.7. In the event of a breach of this section, the disclosing Party may not have an adequate remedy at law. The Parties therefore agree that the disclosing Party may be entitled to seek the remedies of temporary and permanent injunction, specific performance or any other form of equitable relief deemed appropriate by a court of competent jurisdiction. For CA software (including code) and Documentation, the material terms of the Agreement, and Customer’s and/or CA’s Confidential Information expressly designated in writing as perpetually confidential, the obligations of this section are perpetual and shall survive termination. For all other Confidential Information, the foregoing obligations shall extend for five (5) years from the date of initial disclosure.

4.8. This section 4 does not apply to the extent that Confidential Information is required to be disclosed by applicable law, including Customer’s public records law. Notwithstanding the foregoing, if Customer receives a request for disclosure of CA Confidential Information, Customer agrees to promptly notify CA in writing and give CA an opportunity to request confidentiality protection for any information to which Customer may deny access under law.

5. CUSTOMER DATA

5.1. Customer exclusively owns all rights, title and interest in and to all information provided by Authorized Users in the course of using the SaaS and stored in connection with SaaS (“Customer Data”) which may include personally identifiable information. Customer Data shall be considered to be Confidential Information under the Agreement. Customer Data will be stored and processed in the geographic region that is served by one or more hosting facilities for CA SaaS. CA Data Center Regions are: Americas, EMEA (Europe, Middle East, Africa) and APJ (Asia-Pacific, Japan) specified in the SaaS Listing. CA shall not access Customer’s user accounts, or Customer Data, except (i) in the course of data center business operations if required, (ii) in response to SaaS or technical issues, or (iii) at Customer’s specific request as reasonably required in the provision and support of SaaS.

5.2. CA runs security background checks on all production operation staff who may have access to Customer Data. Security audits, as specified in the SaaS Service Listing, are conducted periodically to certify that security controls are in place and background checks have been conducted. CA may utilize subcontractors in the provision of SaaS Services so long as such subcontractors are bound to contractual terms no less protective of Customer’s rights provided hereunder and provided further that any use of subcontractors in the operation of any applicable data center is subject to the same security

42

controls and audits as if performed by CA employees. The Parties understand and agree that CA remains fully liable under the terms of the Agreement for any breach caused by a subcontractor of CA.

5.3. CA will collect, modify and analyze meta data and/or operations data which does not contain any Customer Data, such as system log files and transaction counts which relate to system utilization and performance statistics, all as deemed necessary by CA.

5.4. Customer may access reports and/or information through SaaS until the end of the Subscription Term. All reports and other output will be produced in standard readable format (e.g., CSV, XML) and transmitted according to the transmission protocols used by the SaaS Offering for such transmissions. Any specific reports or data requested by Customer at the end of the Subscription Term that is not available through SaaS or produced in customized formats will be charged based on the scope of the request. Such fees will be agreed in writing between Customer and CA.

5.5. In case of an event that arises out of causes beyond a Party’s reasonable control, including, without limitation, war, civil commotion, act of God, strike or other stoppage (whether partial or total) of labor, any law, decree, regulation or order of any government or governmental body (including any court or tribunal) and/or delays or outages caused by an internet service provider or independent (not a Party’s subcontractor) hosting facility (“Force Majeure Event”), Customer acknowledges and agrees that Customer Data may not be fully recoverable beyond the last restoration archive point, the frequency of which is described in the SaaS Listing.

5.6. Customer agrees not to provide any health, payment card or similarly sensitive personal information that imposes specific data security obligations for the processing of such data part unless it is a supported feature in the Documentation of the applicable SaaS Offering.

5.7. Data availability, retention and destruction post expiration or termination of the applicable SaaS Offering will be as follows:

i. Customer Data will be available to Customer during the Subscription Term and may be retained by CA for a period of no more than one (1) year from the effective date of expiration or termination.

ii. A record of Customer Data required to support audits of the billing transactions that occurred during the Subscription Term will be retained in accordance with CA’s data retention policies for such activities and in accordance with the Agreement, including, without limitation, Article 7 (Security) of this Agreement. All other Customer Data will be deleted from all “live” environment of SaaS that Customer uses as their primary business environment (“Production”) and any Customer deployed environment that is not Production such as development, test, staging, demonstration, or training environments (“Non-Production”) Environments within one (1) year days of such date.

6. SECURITY

6.1. CA will maintain and administer a security policy with physical and technical safeguards designed to protect the security, integrity and confidentiality of the Customer Data. CA shall adhere to and subject such policies and practices to an audit under the compliance criteria defined in the applicable SaaS Listing. Upon written request, Customer may review the specific audit reports (such as SSAE 16 report) subject to Customer designating a security officer or similar individual who has executed a security non-disclosure agreement with CA prior to such review.

6.2. In the event of any unauthorized access, alteration, theft or destruction of Customer Data, CA will use commercially reasonable efforts to restore the Customer Data from the most recent back-up. As between Customer and CA restoration of the Customer Data is Customer’s exclusive remedy. CA is not responsible for unauthorized access, alteration, theft or destruction of Customer Data arising from Customer’s own or its Authorized Users’ actions or omissions in contravention of the Documentation.

6.3. In the event that CA has determined that access to Customer Data by an unauthorized person or entity (a “Security Breach”) will or is likely to cause harm to the Customer or an Authorized User, CA will, as promptly as practicable but in no event later than as required by law or within five (5) working days (whichever is shorter), provide Customer with notice of the Security Breach. After initial notification, CA will keep Customer updated at periodic intervals on the steps taken by CA to investigate the Security Breach including providing a reasonably detailed incident report, including measures to be taken by the Customer to minimize potential damages. Such report will be provided promptly but no later than thirty (30) days following completion of the report. The Parties understand and agree that if CA is prevented by law or regulation from providing such notice(s) and/or reports within the time frames, such delay shall be excused.

6.4. During the Subscription Term, CA will permit Customer through an independent third party agreed in advance with CA, to 43

audit CA’s SaaS operations within the applicable data center the SaaS Offering is provided to Customer, solely to verify CA’s compliance with the SaaS Listing concerning security and solely at Customer’s expense. This provision does not mean that Customer owes CA any fees in connection with security audits that CA conducts or commissions in the ordinary course of its business, as described in the SaaS Listing. Any such audit shall be conducted not more than once annually, upon at least thirty (30) days prior written notice and subject to the independent third party having executed a non-disclosure agreement with CA stating the purpose and scope of the request. Such audit shall be conducted during normal business hours in a manner that does not disrupt business operations. In the event an external audit determines that CA fails to meet the standards defined in the SaaS Listing, CA will review and if it agrees with such determination it will have the opportunity to submit a plan to address any issues and CA will do so within thirty (30) days from receipt of notice from the Customer, or if CA does not agree with the determination the Parties will enter into discussions to resolve the issues. If audits require time and operations interruption, then Customer may be required to pay for costs and expenses as mutually agreed by the Parties.

7. SAAS SUPPORT

7.1. Upon the start of the Subscription Term, CA will send an email to Customer's technical contact, identified on the Transaction Document, providing information to connect and access SaaS and SaaS Support.

7.2. The Customer shall be provided with SaaS Support for the SaaS Offering so it operates materially in accordance with the Documentation (“SaaS Support”) during the Subscription Term in accordance with CA’s Support Policies at support.ca.com. To access SaaS Support, Customer may utilize the CA support website, or other site or notification mechanism as CA may designate from time to time.

7.3. Access to SaaS Support is limited to supported versions of the SaaS Offerings, as per the SaaS Upgrade Policy. Extended support agreements for non-supported versions of SaaS Offerings are not offered.

7.4. For any SaaS Support requests, Customer should be prepared to provide to support personnel all pertinent information, in English, including but not limited to, Customer number or site identification number, incident severity, SaaS Offering, SaaS environment (Production or Non-Production), incident description, and a technical contact familiar with Customer’s environment or the problem to be solved. Customer must use reasonable efforts to communicate with CA in order to verify the existence of the problem and provide information about the conditions under which the problem could be re- created.

7.5. Upon receiving Customer’s technical contact information, SaaS Support will be provided in a timely and professional manner by qualified support engineers. SaaS Support shall consist of:

i. Access to CA support website (currently: http://support.ca.com) for 24x7x365 online support and access to CA software product and Documentation, incident severity description with response and resolution objectives listed, global user communities and regional user groups, Frequently Asked Questions, samples, webcast recordings and demos, usage tips, technical updates and HYPER notifications, as such are made available by CA.

ii. Access to CA help desk and the ability to open and manage support incidents via CA support online or by telephone.

iii. Production environment support: 24x7 for severity 1 incidents; normal business hours for severities 2- 4.

iv. If applicable to the SaaS Offering, Non-Production environment support: Normal business hours for incidents of all severities

v. Interactive remote diagnostic support allowing CA support engineers to troubleshoot an incident securely through a real-time browser-based remote control feature for support issues which may be resident in Customer’s software or systems.

7.6 Additional support such as file storage, point in time backup, periodic file refresh and basic reporting may be available at CA’s discretion according to the type of SaaS Offering provided and where indicated on the Transaction Document or in the SaaS Listing. Any additional support requirements are by prior written agreement of CA.

44

7.7 During the Subscription Term, if Customer requests specific scripts, connectors or customizations in order to optimize usage of SaaS, Customer may request CA to provide such services. Such services will be provided through a professional services agreement with CA for a separate fee, or as mutually agreed by the Parties.

8 MAINTENANCE AND UPGRADES

8.1 CA may update, improve, modify or add new functionality to SaaS during the Subscription Term for optimization of SaaS as necessary in order to maintain performance and/or fix any issues during the Subscription Term. In the event any update will materially change either the administrator or user experience, CA will provide Customer reasonable prior notice (not less than 30 days) and will provide a preview site where Customer can observe such changes where applicable, provided however, that CA may make a change with shorter or no notice if the change is required by law or to fix a security vulnerability.

8.2 CA may make changes or updates to the SaaS infrastructure (such as compute infrastructure, storage technology, security, technical configurations, hosting facilities within Data Center Region, etc.) during the Subscription Term including to reflect changes in technology, industry practices, patterns of system use.

8.3 Customer is obligated to stay current on a supported version of the SaaS Offering, as per the CA’s published policy on version and patch upgrades of its SaaS Offerings, (“SaaS Release and Upgrade Policy”). This Policy can be found at http://www.ca.com/us/lpg/saas-knowledge-is-power.aspx.

9 CUSTOMER RESPONSIBILITIES 9.1 Customer is responsible for all activities that occur in, or are related to, user accounts including the

data, information stored or transmitted when accessing SaaS. All applications residing within Customer environment or installed on third party service providers on behalf of Customer that integrate to SaaS shall be managed and supported by Customer. Customer is also responsible for managing components that are downloaded onto their environment such as web browser based software plug-ins that extend SaaS.

9.2 As Customer may integrate or utilize third party links to other software, hardware or other services which are associated with, or otherwise available through the SaaS, Customer agrees that it and/or its Affiliates, its Authorized Users and anyone acting on their behalf shall use such third party links at their sole discretion. CA shall have no responsibility or liability with respect to such third party links used by Customer’s and/or its Affiliates, its Authorized Users or for any act or omission of any such third party provider.

9.3 Customer shall not: (i) make SaaS available to any third party not authorized or as otherwise contemplated by the Agreement; (ii) send or store code that can harm or result in damage to SaaS (including but not limited to malicious code and malware); (iii) willfully interfere with or disrupt the integrity of SaaS or the data contained therein; (iv) attempt to gain unauthorized access to the SaaS or its related system or networks; (v) use SaaS to provide services to third parties except as expressly permitted by the Agreement; (vi) use SaaS in order to cause harm such as overload or create multiple agents for the purpose of disrupting operations of a third party; (vii) remove or modify any program markings or any notice of CA’s or its licensors’ proprietary rights; (viii) perform or disclose any benchmark or performance tests on the SaaS (except as hereby authorized in the implementation and configuration/customization of the SaaS Offering performed by the Authorized CA Partner pursuant to an agreement for such services between Customer and the Authorized CA Partner) ; or (ix) perform or disclose any of the following security testing of the SaaS environments or associated infrastructure: network discovery, port and service identification, vulnerability scanning, password cracking, remote access testing, penetration testing or any other test or procedure not authorized in the Documentation. A breach by the Customer of its obligations under this section shall be considered a material breach of the Agreement.

9.4 CA may temporarily suspend any Customer account, and/or a Customer’s access to or use of the SaaS if the Authorized Users violate any provision within the “SaaS Offering” “Customer Data” or “Customer

45

Responsibilities” sections of this Agreement, or if in CA’s reasonable judgment, the SaaS services or any component thereof are about to suffer a significant threat to security or stability based on any unauthorized use. CA will provide Customer advance notice of any such suspension in CA’s reasonable discretion based on the nature of the circumstances giving rise to the suspension. CA will use reasonable efforts to re-establish the affected SaaS services promptly after CA determines, in its reasonable opinion, that the situation giving rise to the suspension has been cured; however, after any suspension period, CA will make available to you your Customer Data and SaaS as existing in the Production environment on the date of suspension. CA may terminate the SaaS services under an order if any of the foregoing causes of suspension is not cured within 30 days after CA’s initial notice thereof. Any suspension or termination by CA under this paragraph shall not excuse you from your obligation to make payment(s) under this Agreement.

10 TITLE

CA retains all right, title, copyright, patent, trademark, trade secret and all other proprietary interests to all CA Offerings and any derivatives thereof. No title, copyright, patent, trademark, trade secret or other right of intellectual property not expressly granted under the Agreement is exchanged between the Parties.

11 WARRANTY

11.1 Each Party represents and warrants that it has the legal power to enter into the Agreement. 11.2 CA represents and warrants that it owns or otherwise has sufficient rights to grant Customer the rights

defined in any Transaction Document. 11.3 CA warrants that during the Subscription Term, the SaaS shall perform materially in accordance with

the applicable Documentation subject to Customer’s compliance with the Agreement. 11.4 EXCEPT AS EXPRESSLY SET FORTH ABOVE, TO THE EXTENT PERMITTED BY LAW, NO OTHER

WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THIRD PARTY WARRANTIES, IMPLIED WARRANTIES OF MERCHANTABILITY, SUITABILITY OR SATISFACTORY QUALITY, OR THE WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE ARE MADE BY CA.

11.5 Customer warrants that (i) it has the right to transmit Customer Data and any data or information as may be required for the purposes of accessing SaaS, (ii) it is responsible for all activities that occur in user accounts, and (iii) it shall not misuse SaaS by sending spam or otherwise duplicative or unsolicited messages or store infringing, obscene, threatening, or otherwise unlawful material or material that is harmful to children or violates third party privacy rights.

12 WARRANTY REMEDY

If it is established that CA has breached the above warranty, CA may, at its option, (i) use reasonable efforts to cure the defect in the SaaS; (ii) replace the SaaS with SaaS that materially conforms to the specifications in the Documentation; (iii) in the event CA cannot, after commercially practicable attempts to do so, achieve the remedies in (i) or (ii), CA may terminate the subscription to the SaaS and provide a refund of pre-paid, unused fees to Customer’s designated Authorized CA Partner, calculated against the remainder of the Subscription Term as of the effective date of such termination. Customer must report the alleged breach of warranty with reasonable specificity in writing within thirty (30) days of its occurrence to benefit from this warranty and the remedies stated herein. The above warranty remedies are CA’s sole obligation and Customer’s sole and exclusive remedy for breach of the above warranty.

13 SERVICE LEVEL COMMITMENT

13.1 The targeted availability levels measured in the Production environment, as specified in the SaaS Listing which may vary according to each SaaS Offering and its component capabilities (“Service Level Availability” or “SLA”) is measured against reports that CA conducts on a regular basis based on

46

objective criteria. Reports are available to Customer upon request. If Customer cannot access SaaS during the Subscription Term, Customer should contact CA to receive SaaS Support.

13.2 If it is determined by Customer and confirmed by CA that SaaS is unavailable beyond the default threshold identified in the applicable SaaS Listing measured on a monthly basis during three contiguous months, then Customer has the right to elect any of the remedies specified therein.

13.3 The following events shall be excluded from the calculation of Service Level Availability: (i) Force Majeure Event; (ii) outages due to planned downtime of SaaS availability for periodic and required maintenance events, including but not limited to, upgrades and updates to the SaaS and data center infrastructure where CA provides notice to Customer at least 72 hours in advance (“Scheduled Downtime”); (iii) outages based on Customer networks or domain name server issues; (iv) Customer’s configuration, scripting, coding drafted by Customer without CA’s authorization or knowledge; (v) internet outages; (vi) outages requested by Customer; (vii) Customer changes to its environment which hinder SaaS production; (viii) outages to remedy a security vulnerability or as required by law and (ix) inability for Customer to log in to SaaS service because of dependence on non-CA provided services or components (e.g., Lightweight Directory Access Protocol (LDAP) in Customer’s environment).

14 INDEMNIFICATION

14.1 CA will indemnify, defend and/or, at its option, settle (only after first receiving Customer’s written consent to settle) any third party claims that Customer’s use of the specific CA Offering licensed or purchased by Customer under this Agreement infringes any valid US patent or copyright within the jurisdictions where Customer is authorized to use the CA Offering at the time of delivery. CA may, at its option and expense: (i) procure for Customer the right to continue to use the CA Offering; (ii) repair, modify or replace the CA Offering so that it is no longer infringing; or (iii) provide a pro-rated refund of the fees paid for the CA Offering which gave rise to the indemnity calculated against the remainder of the Term from the date it is established that CA is notified of the third party claim. If the CA Offering is CA software, and is licensed on a perpetual basis, an amortization schedule of three (3) years shall be used for the basis of the refund calculation.

14.2 CA shall have no liability: (i) in the event the allegation of infringement is a result of a modification of the CA Offering except a modification by CA, (ii) if the CA Offering is not being used in accordance with CA’s specifications, related documentation and guidelines, (iii) if the alleged infringement would be avoided or otherwise eliminated by the use of a CA published update or patch, (iv) if the alleged infringement is a result of use of the CA Offerings in combination with any third party product, or (v) if the applicable fees due for the specific Transaction Document have not been paid. The indemnifications contained herein shall not apply and CA shall have no liability in relation to any CA Offering produced by CA at the specific direction of Customer. THE FOREGOING PROVISIONS OF SECTIONS 14.1 AND 14.2 STATE THE ENTIRE LIABILITY AND OBLIGATIONS OF CA REGARDING CLAIMS OF INFRINGEMENT, AND THE EXCLUSIVE REMEDY AVAILABLE TO CUSTOMER WITH RESPECT TO ANY ACTUAL OR ALLEGED INFRINGEMENT OR MISAPPROPRIATION OF ANY INTELLECTUAL PROPERTY OR OTHER PROPRIETARY RIGHTS.

14.3 ECA shall indemnify Customer against all damages, fees, (including reasonable attorney’s fees) fines, judgments, costs and expenses finally awarded as a result of a third party action alleging a bodily injury or death which arises under the Agreement, provided that such liabilities are the proximate result of gross negligence or intentional tortuous conduct on the part of CA.

14.4 Notwithstanding the foregoing, Customer reserves the right to control or participate in the defense to the extent required by law. In the event Customer is legally required to control or participate in its own defense, it shall do so in good faith coordination with CA. An attorney designated to represent Customer may not do so until approved by the Michigan Attorney General and appointed as a Special Assistant Attorney General.

47

15 LIMITATION OF LIABILITY

EXCEPT IN THE CASE OF A BREACH OF CONFIDENTIALITY, AND OF THIRD PARTY CLAIMS ARISING UNDER THE INDEMNIFICATION SECTION, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW NEITHER PARTY (INCLUDING ANY OF CA’S SUPPLIERS) SHALL BE LIABLE FOR A) ANY INDIRECT, SPECIAL, CONSEQUENTIAL, INCIDENTAL, OR PUNITIVE DAMAGES OF ANY NATURE, INCLUDING, BUT NOT NECESSARILY LIMITED TO, LOSS OF PROFIT, DAMAGES RELATING TO MONIES SAVED OR FEES GENERATED AND OR ANY LOSS OF DATA BY USE OF ANY CA OFFERING, REGARDLESS OF WHETHER A PARTY WAS APPRISED OF THE POTENTIAL FOR SUCH DAMAGES; AND B) IN NO EVENT (OTHER THAN WITH REGARD TO THIRD PARTY CLAIMS ARISING UNDER THE INDEMNIFICATION SECTION) WILL A PARTY’S LIABILITY FOR DIRECT DAMAGES, EXCEED TWO TIMES THE FEES PAID AND OR OWED CA FOR THE PRODUCT OR SERVICE THAT GAVE RISE TO THE BREACH.

16 TERM & TERMINATION

16.1 This Agreement shall continue in effect unless otherwise terminated in accordance with this section, while the period during which the CA offering is provided is the Term and is specified in the Transaction Document.

16.2 This Agreement may be terminated by either Party (a) upon a material breach by the other Party, provided that, in each instance of a claimed breach: (i) the non-breaching Party notifies the breaching Party in writing of such breach; and (ii) the breaching Party fails to either cure such breach within thirty (30) days (or such other period as mutually agreed by the Parties) from receipt of such notice; or (b) upon insolvency of the other Party, if permitted by law. This clause applies between or among Parties that are in direct privity of contract with one another.

16.3 This Agreement may be terminated by Customer, in whole or in part, without penalty for Customer’s appropriation or budget shortfalls.

16.4 Termination of this Agreement will not result in termination of any Transaction Document and such terms shall survive until such time the Transaction Document expires or is otherwise terminated.

16.5 Termination does not release either Party from any liability which, at the time of such termination, had

already accrued to the other Party or which is attributable to a period prior to such termination, nor preclude either Party from pursuing any rights or remedies it may have under law or in equity with respect to any breach of this Agreement or the Agreement. Excepting for termination based on CA’s uncured material breach, all fees are non-cancellable and non- refundable. In the event of termination by CA for an uncured material breach by Customer, all fees shall immediately become due and payable.

17 DISPUTE RESOLUTION

17.1 Any dispute, controversy or claim arising out of the Agreement or the interpretation thereof (a "Dispute") shall be resolved as provided in this section. Prior to the initiation of formal dispute resolution procedures, the Parties shall first meet as often, and for such duration and as promptly as the Parties reasonably deem necessary to discuss the Dispute and negotiate in good faith in an effort to resolve the Dispute. If Customer and CA are unable to resolve the Dispute within thirty (30) days after the referral of the Dispute to them, then each Party will appoint one (1) senior executive who is not involved on a day-to-day basis with the subject matter of the Agreement and will negotiate the matter in good faith in an effort to resolve the Dispute without the necessity of any formal proceedings.

17.2 Formal proceedings for the resolution of a Dispute may not be commenced until the earlier of: (i) the good faith determination by the appointed senior executives that amicable resolution through continued negotiation of the matter does not appear likely; or (ii) thirty (30) days following the date that the Dispute was first referred to the appointed senior executives. The provisions of paragraphs (i) and (ii) will not be construed to prevent a Party from instituting formal proceedings to the extent

48

necessary to avoid the expiration of any applicable limitations period or to pursue equitable rights or injunctive remedies deemed reasonable necessary to protect its interests.

18 GENERAL TERMS

18.1 Amendments. The terms of the Agreement may only be amended by mutual written agreement of the Parties.

18.2 Force Majeure. Except for payment obligations and obligations pertaining to non-disclosure, notwithstanding any contrary provision in the Agreement, neither Party will be liable for any action taken, or any failure to take any action required to be taken, in the event and to the extent that the taking of such action or such failure arises out of causes beyond a Party’s control, including, without limitation, war, civil commotion, act of God, strike or other stoppage (whether partial or total) of labor, any law, decree, regulation or order of any government or governmental body (including any court or tribunal).

18.3 Order of Precedence. Any conflict or inconsistency among or between the terms and conditions of the documents comprising the Agreement shall be resolved according to the following order of precedence, from the document with the greatest control to the least: (1) the Transaction Document; (2) this Agreement. Notwithstanding this Order of Precedence, a Customer issued purchase order shall not modify the terms of the documents indicated herein.

18.4 Independent Contractors. The Parties expressly agree that the relationship between them is that of customer- independent contractor.

18.5 Customer Data. If Customer provides CA with personal data, Customer confirms that it is duly authorized to provide such personal data and it does so lawfully in compliance with relevant legislation, and that CA and any entity within the CA group of companies or its subcontractors may process such personal data for the purposes of providing the CA Offering contemplated under the Agreement. CA shall not transfer such personal data except lawfully, in compliance with relevant legislation. Information on CA’s compliance with relevant legislation can be found at http://www.ca.com/us/data-transfers.aspx.

18.6 Assignment. If CA assigns or sells or otherwise transfers its rights to a business or product line or substantially all of its assets and provided such Party agrees to perform the obligations under the Agreement, then CA may transfer its rights and obligations under the Agreement upon written notice to Customer. Except as permitted herein, neither Party may transfer, whether by operation of law or otherwise, the Agreement without prior written consent of the other Party, and consent shall not be unreasonably withheld. Attempts to transfer in contravention of this section shall be deemed null and void. The Agreement shall be binding on the Parties hereto and their respective successors and assigns. Import Export. Customer acknowledges that the CA Offering(s) is subject to control under U.S. law, including the Export Administration Regulations (15 CFR 730-774) and agrees to comply with all applicable import and export laws and regulations. Customer agrees that the CA Offering(s) will not be exported, re-exported or transferred in violation of U.S. law or used for any purpose connected with chemical, biological or nuclear weapons or missile applications, nor be transferred or resold, if Customer has knowledge or reason to know that the CA Offering are intended or likely to be used for such purpose.

18.7 Announcements. Neither Party may issue press releases relating to the Agreement without approving the content with the other Party. Either Party may include the name and logo of the other Party in lists of customers or vendors in accordance with the other Party's standard guidelines.

18.8 Notice. All notices hereunder shall be delivered to the other Party identified in the Agreement either personally, via certified mail, facsimile or overnight courier. If delivered personally, notice shall be deemed effective when delivered; if delivered via facsimile, notice shall be deemed effective upon electronic confirmation; and if delivered via certified mail or overnight courier, notice shall be deemed

49

effective upon confirmation of delivery.

18.9 Headings. The section headings used herein are for information purposes only and shall not affect the interpretation of any provision of this Agreement.

18.10 Validity. In the event any term or provision of the Agreement shall be held to be invalid, the same shall not affect in any respect whatsoever the validity of the remainder of the Agreement.

18.11 Third Parties. This Agreement shall not create any rights in favour of, or any obligations owed by, any third party unless otherwise expressly defined herein. The Parties agree that any action arising from this Agreement shall solely be brought by Customer or CA.

18.12 Choice of Law. The laws of the State of Michigan (excluding its conflict of laws provisions) shall govern the construction and enforceability of the Agreement. The Parties agree that any action arising under or relating to the Agreement shall lie within the exclusive jurisdiction of the Michigan Court of Claims. The United Nations Convention on Contracts for the International Sale of Goods will not apply to the Agreement.

18.13 Survival. Sections pertaining to Confidentiality, Title, Limitation of Liability, Termination, and Import Export shall survive termination of this Agreement.

18.14 Entire Agreement. The Agreement and all documents incorporated by reference therein shall comprise the entire agreement as pertaining to the subject matter thereof and all other prior representations, proposals, and other such information exchanged by the Parties concerning the subject matter is superseded in their entirety by the Agreement. Notwithstanding the foregoing, CA agrees that Customer will not be bound by any terms requiring indemnification by Customer to third parties; consent to arbitration, provisions regarding audits, other than what is specified in Section 3.2 of this Agreement; provisions regarding remote access to the State’s systems; or agreeing to be bound by the laws of another jurisdiction other than Michigan; contained in any other agreements incorporated herein.

50

SCHEDULE C

Data Security Requirements

1. Definitions. For purposes of this Schedule, the following terms have the meanings set forth below. All initial capitalized terms in this Schedule that are not defined in this Section 1 shall have the respective meanings given to them in the Contract.

“Contractor Security Officer” has the meaning set forth in Section 2 of this Schedule.

“Contractor Systems” has the meaning set forth in Section 4 of this Schedule.

“Hosted Services” means the hosting, management and operation of the computing hardware, ancillary equipment, Software, firmware, data, other services (including support services), and related resources for remote electronic access and use by the State and its Authorized Users.

“NIST” means the National Institute of Standards and Technology.

“SSAE” means Statement on Standards for Attestation Engagements.

2. Reserved.

3. Protection of the State’s Confidential Information. Throughout the Term and at all times in connection with its actual or required performance of the Services, Contractor will:

3.1 comply with the security and audit requirements stated in the applicable SaaS Listing. Contractor, including any subcontractor involved in delivering SaaS to the State, represents that it currently complies with the Information Security Practices set forth in Exhibit 1 to this Schedule (“Information Security Practices”). The specific security practices of the subcontractor hosting SaaS are likely to evolve over time and information on current security practices is available at http://support.ca.com. It is the good faith belief of contractor and its SaaS hosting subcontractor that any changes to security practices will consist only of enhancements or improvements and will not involve any reduction in security standards or capabilities. At the request of the State, Contractor and/or subcontractor providing SaaS shall participate in a meeting with the State no less than once per calendar quarter at a mutually agreed-upon time during which Contractor or subcontractor shall present information regarding any changes to subcontractor’s Information Security Practices that has occurred since the contractor award and any prior meeting to discuss security matters and will discuss how those changes affect the SaaS’s compliance with State security requirements.

3.2 ensure that the Software is securely hosted, supported, administered, and accessed in a data center that resides in the continental United States as provided for in the SaaS Listing and the Information Security Practices;

3.3 ensure that personnel of the Contractor or subcontractor providing SaaS must complete a two-factor authentication process via a secure socket layer virtual private network using soft tokens in order to obtain administrative access to any environment in which State data is stored;

51

4. Contractor Systems.CA Offering, including providing and maintaining the infrastructure of the CA Offering, will be provided in accordance with the terms of the Channel End User Terms: SaaS, including the applicable SaaS Listing. The State may access the SaaS through its firewall by establishing PPM SaaS URL-based rules. Establishing such rules is an action the State or its contractor must take, but PPM SaaS supports the use of such rules.

5. Security Audits. During the Term, Contractor will comply with Section 6.4 of the Channel End User Terms: SaaS.

5.1 maintain complete and accurate records relating to its data protection practices, IT security controls, and the security logs of any of the State’s Confidential Information, including any backup, disaster recovery or other policies, practices or procedures relating to State Data, in accordance with the terms and conditions of the Channel End User Terms: Saas.

6. Nonexclusive Remedy for Security Breach.

6.1 CA will not be responsible for any unauthorized access, alteration, theft or destruction of Customer Data, unless caused as a result of CA’s negligence or intentional misconduct, in which case CA’s only obligation and Customer’s exclusive remedy is for CA to use commercially reasonable efforts to restore the Customer Data from the most recent back-up. CA is not responsible for unauthorized access, alteration, theft or destruction of Customer Data arising from Customer’s own or its Authorized Users’ actions or omissions in contravention of the Documentation.

6.2 In the event that CA has determined that access to Customer Data by an unauthorized person or entity (a “Security Breach”) will or is likely to cause harm to the Customer or an Authorized User, CA will, as promptly as practicable but in no event later than as required by law or within five (5) working days (whichever is shorter), provide Customer with notice of the Security Breach. After initial notification, CA will keep Customer updated at periodic intervals on the steps taken by CA to investigate the Security Breach including providing a reasonably detailed incident report, including measures to be taken by the Customer to minimize potential damages. Such report will be provided promptly but no later than 30 days following completion of the report.

52

EXHIBIT 1 TO SCHEDULE C

Information Security Practices

I. SECURITY BY DESIGN

a. Secure Code Development

All CA developers are required to follow CA’s Product Securability Policy and Procedure which provides for securability standards, strategies, and tactics for each phase of the product development lifecycle informed and consistent with industry best practices. The procedure requires product classification based on risk rankings determined by use cases, application of static code analysis tools, and penetration testing.

b. Secure Code Release

Prior to release of any product to CA’s Customers, antivirus/antimalware scanning is performed, and based on the risk profile additional penetration testing may be performed. Any identified vulnerabilities are tracked in the central CA defect tracking system together with an associated risk rating and are not approved by the Securability Center of Excellence unless remediated. Vulnerabilities are ranked using the Common Vulnerability Scoring System (CVSS) in accordance with the NIST Framework to determine their severity and response.

II. HOW A CUSTOMER’S DATACOMES INTO CA AND ITS PROTECTION

a. Access to Customer Data

CA may obtain Customer data in a number of ways, including, through a support ticket, services engagements, or the use of a CA SaaS offering. All files submitted by our customers, regardless of how acquired, is categorized as “Highly Confidential Data” requiring the highest degree of protection. In the event CA’s professional services team is required to be at a Customers’ facility, such individuals are prohibited from downloading any Customer data to their devices and removing them from the Customer’s facility.

b. Physical Security

CA maintains and administers the following physical access controls:

• Employees and contractors are subject to background checks prior to being offered employment or given access to CA’s facilities and systems.

• All facilities require badge access for employees and contractors and intrusion detection alarms at ingress and egress points. Visitor access must be logged in a physical access log and visitors are escorted through restricted areas in the facility.

• All data centers where Customer data is processed or stored ate further protected by security guards and monitoring cameras (e.g., CCTVs) 24/7.

c. CA Authorized User Names, Passwords and Authentication

CA monitors access rights to ensure access adheres to the least privilege principle commensurate with the CA’s user’s job responsibilities, logs all access and security events, and uses software that enables rapid analysis of user activities. CA’s passwords are administered in the following manner:

• Passwords are communicated separately from user IDs • Passwords are not shared • Initial password generation is random • Initial password change is required

53

• Passwords must have minimum length and complexity and must be changed on a regular interval without reuse of recent previous passwords

• CA passwords are encrypted and passwords are never recoverable and can only be securely reset.

Ill. Enterprise Role-Based Access

The logical access procedures define the request, approval, access provisioning and de-provisioning processes. The logical access procedures restrict user access (local or remote) based on user job function for applications and databases (role/profile based appropriate access) for applications, databases and systems to ensure segregation of duties and are reviewed, administered, and documented based on onboarding, resource re-assignment or separation. User access reviews are performed to ensure access is appropriate throughout the year. All CA system administrators are authenticated using multi-factor authentication for system access through privileged access management. In addition, the use of privileged access management enables all system admin sessions and console access to be recorded and CA records all such sessions and access for audit and forensic purposes.

For Customer data entered via a CA SaaS Offering, CA database administrators (DBA5) may be required to access Customer data in the course of various technical operations. Default DBA accounts in the database are expired and locked except when the account is required to be used by the DBAto complete their job. Database access is granted upon formal authorization through a ticket and access is granted only to authorized personnel based on job responsibilities registered in an Active Directory. Where it is not feasible to lock the DBA account, passwords are changed for each access request. All database accesses are logged. Employees’ user access accounts are reviewed on a quarterly basis. Access account reports are generated by a Security Analyst and sent to managers for review and approval. This review and approval are documented in a CA support ticket where any discrepancies and resolutions, if any are listed.

IV. HOW IS DATA TRANSMITTED? NETWORK SECURITY MANAGEMENT

a. Network Controls

CA utilizes firewalls for access control between CA’s networks and the Internet. Firewall access is restricted to a small set of super users/administrators with appropriate approvals. Firewalls are established with minimum rights necessary to accomplish tasks by role and access is authorized on a “deny by default” policy. Periodic network vulnerability scans are performed and any critical vulnerabilities identified are promptly remediated. In addition, penetration tests are also performed by security professionals, both CA employees and third parties.

b. Network/Communication Security Policy/Encryption

Defined Access Control Lists (ACLs) to restrict traffic on routers and/or firewalls are reviewed and approved by network administrators. IP addresses in the ACLs are specific and anonymous connections are prohibited. Customer data is encrypted while in transit over any public network or wireless network (wireless networks are not used in SaaS Offerings) via CA’s Secure File Transfer Protocol (SFTP) to transmit flat files. CA utilizes an information protection and control solution that is designed and administered to minimize the accidental, negligent and malicious misuse of data through email and other communications aimed outside of CA’s firewalls (e.g., a data loss prevention (DLP) solution).

c. Remote Access Administration

The following remote access settings are applicable:

• Unauthorized remote connections from devices (e.g., modems) are disabled as part of standard configuration.

54

• The data flow in the remote connection is encrypted and multi-factor authentication is utilized during the login process.

• Remote connection settings limit the ability of remote users to access both initiating network and remote network simultaneously (no split tunneling).

d. Third Party Remote Access

Dependent third party service provider (i.e., subcontractor) remote access adheres to the same or similar controls, and any subcontractor remote access has valid business justification.

e. Removable Media

Removable media is not in use for the delivery of CA Technologies SaaS offerings. In addition, all laptops and other removable media on which Customer data is stored, such as backup tapes, are encrypted.

V. AUDITS OF CONTROLS AND CERTIFICATIONS

The respective audit criteria (e.g., PCI, SSAE 16 SOC 1, TYPE 2) followed by third party auditors inspecting CA’s security practices with regard to SaaS offerings along with summary reports of the auditors can be found at: http://www.ca.com/us/lpg/saas-summary-audit-report.aspx. In addition, CA’s internal data centers, those which may house Customer data received through support or services interactions, are lSO/IEC 20000 for IT service management and ISO/IEC 27001 for security controls certified.

VI. SECURITY INCIDENTS

CA maintains a highly confidential cybersecurity Incident Response Plan designed to identify, categorize, remove, and remediate cybersecurity incidents. The Plan is reviewed bi-monthly with annual tabletop exercises. The mission of the CA Technologies Cybersecurity Operations is to prepare the organization to identify and respond to information security threats and incidents while containing and restoring normal service operations as quickly and effectively as possible.

In the event CA discovers a security incident, CA has the following target response and remediation time lines:

Security Level Description Examples Target Response

Target Remediation/Escalation

1 Incidents that have a severe impact on CA Technologies or its customers’ business or services

Malicious code attacks

Unauthorized access

Denial of Service (DoS) affecting an entire campus

Compromise of host with sensitive data, including Sensitive Personal Data

1 Hour 2 Hours

55

2 Incidents that have a significant impact, or the potential to have a severe impact on CA Technologies or its customers’ business or services.

Attempts to gain unauthorized access

DOS attack affecting a building or department

Open mail relay

4 Hours 1 Business Day

3 Incidents that have a minimal impact with the potential for significant or severe impact on CA Technologies or its customers’ business or services

Unauthorized network probes or system scans

Isolated virus infections

1 Business Day 2 Business Days

4 Incidents that have a minimal impact with no potential for significant or severe impact on CA Technologies or its customers’ business or services

Improper Usage

Unauthorized software (non-malicious)

Policy Violations

2+ Business Days

2+ Business Days

VII. COMPLIANCE WITH DATA PRIVACY LAWS

a. CA Technologies’ Privacy Statement is posted on our website (www.ca.com/us/privacy), and local websites in other countries, and describes how CA Technologies uses personally identifiable information that it collects on the website as well as data collected off-line.

b. CA Technologies implements processes designed to ensure that we comply with all applicable data privacy and security laws in the US and in all countries in which we do business, including breach notification laws, state and federal privacy-related legislation, and national laws.

c. CA Technologies has several internal Privacy Policies, including an HR Privacy Policy and a Privacy and Data Protection Policy, which mirrors the EU Data Privacy requirements.

d. CA Technologies also maintains a Policy that specifically addresses the handling of customer data and a Written Information Security Plan (WISP) in compliance with the Massachusetts information security regulations and other US laws.

e. In September of 2016, CA self-certified to the EU-US Privacy Shield framework which was designed by the U.S. Department of Commerce and European Commission to provide global companies with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce. In April of 2017, CA self-

56

certified to the Swiss-US Privacy Shield framework. CA’s participation in the Privacy Shield means that CA and its U.S. subsidiaries have agreed to comply with the Privacy Shield Framework regarding the collection, use, and retention of EU and Swiss personal data that it uses as a data processor. To learn more about the Privacy Shield Framework, and to view CA’s certification page, please visit https://www. privacyshield.gov/.

f. CA Technologies also holds Binding Corporate Rules for Controllers and this is our method for transferring data globally as a data controller http://ec.europa.eu/iustice/data-protection/international-transfers/binding corporate-rules/bcr cooperation/index en .htm.

g. In addition, CA Technologies has prepared a downloadable data processing agreement (DPA) setting out CA’s commitment to privacy and data protection when processing customer data in connection with the provision of products and services to our customers and partners. This DPA also covers with the transfer of personal data outside of the European Economic Area and Switzerland in connection with the provision of such products and services. The DPA can be found at www.ca.com/us/data-transfers.aspx. If you have any questions, please feel free to send an email to datatransfers@ca.com.

57

SCHEDULE D SaaS Listing

CA PPM SaaS -- Americas

1. Introduction

This document provides standards and features that apply to the CA PPM SaaS offering provided to the Customer and defines the parameters for the offering that pertain to the following:

Billing metric Data location information Service provisioning Security and audit requirements Service Level Availability (SLA) targets and measurement Service level credits Service termination Data backup and storage Disaster recovery

The definitions set out in the Agreement will apply to this SaaS Listing document.

2. Billing Metric

CA identifies and describes the following Billing Metric used as a measure to bill the Customer:

The following is an explanation of “Users” used in defining the billing metric for SaaS: o “Users” means the number of specific individuals designated by Customer to access and use the CA

PPM SaaS offering on behalf of Customer. Users may include the Customer’s employees, Customer’s affiliate’s employees and independent contractors, all of whom have been furnished access to the CA PPM SaaS application solely for the benefit of the Customer and in accordance with the provisions of the Agreement. Types of Users include Full Function Users, Restricted Users, and View Only Users. A User may be reallocated by Customer to another type of User as long as the number of Users of the other type with active status at the time of reallocation does not exceed the Authorized Use Limitation.

o “Full Function Users” means Customer's designated users who have full use of and access to the functions within the CA PPM SaaS products licensed.

o “Restricted Users” means Customer’s designated users who have limited rights to the functions within the CA PPM SaaS products licensed, and may only (i) view data, run regular reports, and run ad hoc reports in all licensed CA PPM SaaS products; (ii) collaboratively participate in processes, discussions and document sharing and receive notifications in all licensed CA PPM SaaS products; (iii) view project tasks and calendars; (iv) report and approve time and project status; and (v) enter and view status of ideas. A regular report is a report that has been pre-designed by CA or Customer’s report writer, who is designated as a Restricted User or a Full Function User, and that may be run by an end user without modification. An ad hoc report is a report that has been designed or modified by an end user, who is designated as a Restricted User or a Full Function User, prior to being run by the end user.

o “View Users” means Customer’s designated users who have limited rights to the functions within the CA PPM SaaS products licensed and may only (i) view data and run regular reports; (ii) originate idea workflows; and (iii) participate in the continuation of those workflows. For avoidance

58

of doubt, a View Only User may not modify the design of any report.

“Production” means an environment for or use to process an organization's daily work on a real-time operation and that is not only for development and testing.

“Non-Production” means an environment or use that does not include processing an organization's daily work on a real-time operation and that only includes use for development and testing.

“Viewer License Pack” means a license for one thousand (1,000) View Only Users to use permitted functions within the CA PPM SaaS products. Customer is entitled to use up to 50 View Only Users per Viewer License Pack concurrently with respect to the CA PPM SaaS products. This limitation is necessary to control application sizing and accommodate CA’s delivery of support; it does not affect the definition of “Users” and is not a license metric and will have no financial impact whether the number of concurrent users is increased up or down (subject to the 1,000 user limitation).

“Near Production Sandbox” is an optional environment to be designed as similar to Production and may be used for user acceptance testing, integration testing, training, and as additional staging

3. Data Location

Americas: All data on deployed systems and in backups reside within the following countries: United

States

4. Service Provisioning

Versions: CA will deploy the customer on the latest version of the service that is generally available. The customer will be upgraded as per the SaaS Release and Upgrade Policy document. CA allows Customers to run on either the latest generally available release or the immediately prior version.

Environments: CA will provision all customers with one Production environment. Customers with subscriptions less than 500 users are provisioned with one small sand box while customers who subscribe to 500 users or more are provisioned with two small sand boxes for a defined period of time. Should the sandbox remain un-used for sixty (60) days, CA reserves the right to disable said sandbox(es).

Small Sandbox: A small sandbox means a Non-Production environment that is to be used by no more

than 5 (five) concurrent users. Concurrent users comprise of users accessing and using the deployed environments at any one point during term of the service.

5. Security and audit requirements

The following audit will be performed at the frequency defined below for the CA PPM SaaS offering covering all aspects of the service such as people and systems:

Type of Audit Frequency SSAE-16 Type II SOC 1 Annual SSAE-16 Type II SOC 2 Annual

Summary audit reports available by clicking here.

6. Service Level Availability (SLA)

59

CA commits to the Service Level Availability for the Production environment as indicated in the table below for the CA PPM SaaS offering during the Subscription Term of the service. In the event that the Service Level Availability committed decreases below the Threshold for Service Availability Default, Minor or Major, Customer may be entitled to take action as outlined in the SaaS Listing.

Components / Capabilities Threshold for “Service

Availability Default - Minor” Threshold for “Service

Availability Default - Major” CA SaaS PPM SaaS Service 99.8% 98.5%

7. Method of Measuring SLA

CA measures Service Level Agreement targets as described below:

CA runs test scripts using application monitoring tools on the Production system to verify that the CA PPM SaaS service is available. Test scripts are run approximately once every ten (10) minutes, twenty- four (24) hours per day, seven days per week, throughout the contracted term of the service.

Planned outage time periods are defined as downtime of the solution availability for periodic and required maintenance events where CA provides notice to Customer.

8. Service Level Credits

In the event of a service availability default as evidenced by the monthly SLA report furnished to the customer from CA, Customer is entitled to a specific number of days of credit of fees based on the annual fees paid and as indicated below. Customer must notify CA within thirty (30) days from the date Customer becomes eligible to receive a service level credit. Failure to comply with this requirement will forfeit Customer’s eligibility to receive the service level credit. Any credits issued to Customer will be applied towards the next billing period applicable to Customer or as otherwise agreed to between Customer and CA.

Default Name Definition Credit Service Level Credit for

Minor Default Service level is below 99.8% but greater than or equal to 98.5%

2 days per

month Service Level Credit for

Major Default Service level is below 98.5% 5 days

per month

9. Service Termination

If it is determined by the customer and confirmed by CA that the service has been unavailable below the major default threshold, measured on a monthly basis during three contiguous months, then the customer has the right to terminate their subscription to SaaS without incurring any additional charges or termination fees. In the event such determination is made, the customer is entitled to a refund of fees which have not yet been applied towards SaaS as of the effective date of termination and CA shall relieve the Customer of their obligation to pay for any fees due for the remainder of the Subscription Term. The waiver by CA of further fees shall be Customer’s sole and exclusive remedy under the SaaS Module for termination due to failure to adhere to Service Level Availability and CA shall have no further liability to the Customer.

60

10. Data Backup and Storage

CA commits to the following data backup and replication during the Subscription Term:

Data Backup: All Customers of the CA PPM SaaS offering shall have their data backed up on a daily basis. Backups are securely replicated to an alternate location for business continuity purposes.

o Daily backups are retained for 7 days o Removable media are not used for data or backup storage o Backups can be used as a point in time restore point

Data Storage: All customers are provided with an initial setup of 40 GB of storage per deployed instance. Additional, incremental storage of 20 GB is made available for each set of 500 users or part thereof, over an initial set of 500 users.

11. Disaster Recovery (DR)

The CA PPM SaaS offering provides a DR site and maintains a plan to switch to the DR site in the event the primary site is rendered inoperable by a force majeure event. The following are the key measures of DR:

Location What is Covered Recovery Time Objective (RTO)

Recovery Point Objective (RPO)

Americas

CA PPM SaaS Service

4 hours

Maximum data loss: 1 hour Data that is uploaded, but not

replicated within the 1 hour may have to be re-entered

Recovery Time Objective or RTO is defined as the duration of time within which a service must be restored after a major interruption or incident.

Recovery Point Objective or RPO is defined as the maximum period in which data might be lost from a service due to a major interruption or incident.

61

SCHEDULE E

BUSINESS SPECIFICATIONS Contractor shall implement the system to ensure it meets the following business specifications:

Business Specification

Number

Business Specification

Current Capability

Requires Configuration

Future Enhancement

Not Available

Explanation of how Contractor will deliver the business specification, including details of any configuration and the impacted risk that may be

caused if configured to meet the business specification.

1.0

Vendor must provide a PPM product that has been generally available and actively marketed for the past four years, without significant company, product, or service disruptions.

X The current version of CA PPM is 15.3 and was released in September of 2017. CA PPM has benefited from more than 25 years of continuous innovation starting as a comprehensive desktop project management application in the 1980’s (now called Open Workbench) and evolving and broadening through the 1990’s before being relaunched as a 100% web-based application in 2001 and referred to as “Clarity”. CA Technologies acquired the application in 2005 and has heavily invested in R&D every year since then. Unlike other PPM applications, CA PPM is part of a stable company (CA Technologies) that has remained independent and has not been acquired by investment or private equity companies.

1.1

Vendor must have acquired at least five (5) new PPM customers (not repeat business) on average, per year, over the past four years

X CA has a deep customer base for the CA PPM solution, with over 1,900 global customers, handling the unique needs of organizations ranging from 100 to more than 85,000 users. As the largest reseller of CA PPM in North America, Rego Consulting has acquired on average more than 10 new PPM customers per year over the past four years. CA PPM continues to be popular in the marketplace. Over the past four years, CA has averaged 60 NEW customers annually.

1.2 Vendor must have at least $10 million in annual revenue or other significant financial backing

X CA Technologies revenues for the last fiscal year (FY2017) ending March 31, 2017, were $4.036 Billion. Rego Consulting Corporation’s FY 2016 revenues were $21.2 Million.

1.3 Vendor must provide upon request, a “sandbox” testing environment to allow limited testing of the PPM product’s overall ease of use and intuitiveness prior to formally

X Rego can provide access to a sandbox to allow limited testing of CA PPM subject to prior agreement on duration and success criteria. Most clients find that speaking with several of the more than 1,900

62

entering into a purchase agreement with the State of Michigan

organizations that currently use CA PPM alleviates any pre-contract concerns.

1.4

Must support a significant number of users at any given time, with potential for scalability (current SOM PPM tool supports 3100 users)

X CA has a deep customer base for the CA PPM solution, with over 1,900 global customers, handling the unique needs of organizations ranging from 100 licenses to over 85,000. CA PPM SaaS has 26 customers today with more than 3,000 users in a SaaS environment, and 11 of those companies have in excess of 5,000 users. Please see section 6 in Exhibit A for more details around CA’s ability to scale the service to support your growth.

1.5 Must support users at multiple locations and time zones

X CA PPM supports global scalability to multiple locations/time zones/currency.

1.6 Must support multiple organizations within the enterprise (i.e. – departments and divisions, program offices, project management offices, etc.)

X CA PPM supports multiple organizations within the solution. For example, marketing can use the solution for management of portfolio/process/projects and IT can use the solution for financials/resource/project management. Both organizations can utilize different terminology and methodologies while still enabling the information to roll-up to the enterprise level.

1.7 Tool must be configurable by the State of Michigan to the needs of our organization

X CA PPM allows customers to configure the solution in a point and click interface. Examples of items that can be point and click configured are attributes, workflows, views, portlets, dashboards, and lookups.

1.8

Tool must be easily reconfigurable by the State of Michigan as the organization changes and evolves

X While the CA PPM solution can be configured by the State of MI in a point and click interface, we can also help by providing the initial configuration during implementation, after which the state can utilize the point and click configuration capabilities of the solution to manage all changes for the life of the solution without the help of an external service partner.

2.0 Must provide the ability to manage active user accounts and maintain individual user information

X CA PPM provides the ability to manage active user accounts and individual user information Out-of-the-Box (OOB). Session logs and user activity portlets are available for auditing by the administrator as well.

2.1 Must provide the ability to enter and update the standard values used in drop-down lists and look-up tables throughout the tool

X CA PPM provides the ability to point and click configure new look-up values/fields as well as modify existing OOB fields. Additionally, any configured attribute can be automatically included (with a checkbox) in the data warehouse for reporting purposes.

63

2.2

Must provide the State of Michigan (SOM) the ability to access and update the underlying databases

X CA PPM on-premise customers can directly access the database, and SaaS customers have many options for getting at their data including a powerful Data Warehouse that can be queried by BI tools such as Tableau, Qlik and PowerBI; integrated Jaspersoft reports; and additional options when working through CA Support. SaaS customers generally do not have any reason to access the underlying database, as the typical reasons for requesting direct database access – reporting, stored procedures, triggers, etc. - can all be accommodated via alternative (SaaS compliant) means without going to the database. In addition, accessing the database directly bypasses business rules in the application and is not a best practice.

2.3 Must provide the ability to maintain separate processing areas for testing, development, and training

X In addition to the production environment, State of Michigan will receive a separate environment for development and a separate environment for testing (dependent on final user counts).

3.0 Must provide the ability to create and maintain workflows to help manage the work

X CA PPM provides a point and click configuration interface for creating and managing workflows throughout the solution.

3.1 Must provide users with the ability to have their passwords reset via an automated request system (generate and send a new random password via e-mail with no manual intervention)

X CA PPM provides automated forced password resets on an organizationally defined cadence. An Administrator can also manually force a password change.

4.0 Must provide the ability to create and maintain programs that are managed independently from the IT Portfolios or IT projects in the system

X CA PPM provides an OOB hierarchy that includes projects/programs/portfolios. Programs are used to roll-up investment details such as resource demand/allocations, project schedules, investment costs, etc. Programs can also be included in the portfolio management interface.

4.1 Must provide the ability to create and maintain groupings of projects and programs to be delivered, factoring in resource constraints (people, skill, financial constraints, etc.)

X CA PPM provides the ability to group like projects into master/sub relationships, programs and portfolios OOB.

4.2 Must allow a designated Program Manager to review and manage a program of work

X CA PPM’s program management interface provides Program Manager attributes OOB. The Program Manager can review his/her programs within the solution via portlets/dashboards, and/or via email with automated program reports.

64

4.3 Must allow a designated Portfolio Manager to review and manage a portfolio of work

X CA PPM’s portfolio management interface provides Portfolio Manager attributes OOB. The Portfolio Manager can review his/her programs within the solution via portlets/dashboards, and/or via email with automated portfolio reports.

4.4 Must provide the ability to associate ideas / proposed projects to multiple programs and portfolios

X CA PPM allows ideas and proposed investments to be associated to multiple programs and portfolios OOB.

4.5 Must provide the ability to tie projects to multiple programs and portfolios

X CA PPM provides the ability to tie projects to multiple programs and portfolios OOB.

4.6 Must provide the ability to track the status of ideas / proposed projects within a program or portfolio

X Status attributes are available OOB on Ideas and other proposed investments within the solution. Values are visible at any level of the hierarchy.

4.7 Must provide the ability to track the business case information for ideas / proposed projects within a program or portfolio

X CA PPM tracks business case fields OOB (such as business alignment and strategy) and it can be configured to match your exact needs.

4.8 Must provide the ability to generate “what if” scenarios for programs and portfolios

X CA PPM's waterline view offers a view of the existing work in a prioritized view. After the existing work flows into the portfolio, a "what-if" scenario can be applied to see the impact of a change.

5.0 Must provide the ability to perform capacity planning on ideas / proposed projects prior to approval

X CA PPM provides the ability to perform capacity planning for both non-labor and labor roles/resources within both ideas and projects OOB.

5.1

Must provide the ability to produce desired “what if” scenarios for ideas / proposed projects and active projects

X CA PPM’s portfolio management capabilities enable this functionality OOB. “What-if” scenarios contain weighted attribute ranking rules as well as budget/resource constraints. When the scenario is run, the solution provides a new ranking of incoming ideas as well as in-flight projects and investments. Portfolio leads can then drag and drop the investments to make give-and-take decisions within the portfolio plan of record, including project start/finish dates.

5.2 Must provide the ability to set and maintain the daily and weekly capacity for each resource

X CA PPM provides an enterprise resource pool with resource and role availability, demand and capacity. Dashboards and views can be aggregated and viewed by FTE and by hours.

65

5.3 Must provide the ability to request or assign resources by name or by roles

X CA PPM provides visibility into Resource Requests and the capability to collaborate with resource managers to ensure the right individual is allocated to the right investment. Collaboration is enabled with notifications and remains a part of the project record.

5.4 Must provide the ability to identify resources as regular employees or contract staff and filter related reports for either group

X CA PPM provides OOB ‘resource type’ fields that enable tracking of employee vs contractor resources. The field is exposed at the resource/role level and is available in resource management views/portlets/ reports for viewing and filtering.

5.5 Must provide the ability to track and manage planned resource hours against resource capacity at the resource, work group, and area/organizational level, across all ideas / planned projects and active projects

X Resource availability at an individual, role or organizational level can be easily viewed while planning projects or proposals.

5.6 Must provide the ability to resource managers to optimize project staffing within a work group or across silos, including the use of “what if” resource scenarios

X CA PPM provides ‘what if’ scenario planning at the resource level OOB.

5.7 Must provide the ability to manage capacity and demand for project resources

X CA PPM offers the ability to quickly determine which roles and resources are over/under capacity in one single view, across projects/investments. Adjustments can be made using copy/paste functions for ease of use.

6.0 Must provide the ability to create new ideas or proposed projects from pre-defined templates

X CA PPM provides the capability to initiate new projects from pre-defined templates. Templates provide Work Breakdown Structure, Resource Estimates, Financial Estimates and documentation OOB.

6.1 Must provide the ability to track all approvals of ideas / proposed projects to become actual projects

X CA PPM provides visibility into approvals of ideas/proposed projects. With OOB workflow capabilities, CA PPM will provide an audit trail of who/when approved the idea and/or proposed unapproved project.

6.2 Must provide the ability to create and utilize standard workflows to control approval routes based on local governance

X CA PPM provides workflow capabilities OOB. Workflow is point and click configurable to match the methodology needs of the organization.

6.3 Must provide the ability to enter and track business case information for

X CA PPM provides the ability to enter business case information (including business alignment, risk

66

ideas or proposed projects, including estimated labor hours, labor costs, cost of goods and services, monetary benefits, value/benefits to be gained, alignment to strategic goals, identified risks, and overall criticality

scoring, priority, resource estimates and financial estimates) on the idea and/or unapproved project OOB. All information then rolls-up to the portfolio level for steering committee decisions.

6.4 Must provide the ability to track the status of ideas or proposed projects, and whether they are approved or rejected by the business owner

X Idea/unapproved project status visibility is provided in multiple portlets/dashboards/reports OOB within the CA PPM. This includes approve/reject decisions by the business owners and stakeholders.

6.5 Must provide the ability to compare and prioritize existing ideas / proposed projects

X CA PPM’s portfolio management interface enables ideas/proposed projects to be compared against in-flight work as well as comparisons to other ideas/proposed projects OOB.

6.6 Must provide functionality to support self-scoring or new ideas or proposed projects, based on the values entered and pre-defined weighting of the responses

X CA PPM provides OOB self-scoring values such as Business Alignment and Risks. The answers to the questions can then be rolled-up to calculated fields to summarize the answers supplied by the end user.

6.7 Must provide the ability to show the dependencies between the new idea / proposed project and existing projects

X Dependencies can be made between new ideas and existing projects OOB.

6.8 Must provide the ability to generate reports of ideas / proposed projects by portfolio, program, department, impacted business/technical area, strategic goal alignment, or criticality

X CA PPM provides 69 reports and 100+ portlets/dashboards OOB. The information provided can contain configured fields as well as OOB fields. Please see the CA PPM 15.2 PMOA Reports.pdf provided in our zip file containing confidential and proprietary information to view all the reports provided OOB.

7.0 Must support both IT and non-IT projects

X CA PPM provides the capability to manage different project types OOB.

7.1 Must be scalable for use with small, simple projects to large, complex projects

X CA PPM provides the ability to manage maintenance stream work, all the way up to major programs/ projects OOB.

7.2 Must support varying project approaches (agile, waterfall, etc.)

X CA PPM provides an OOB interface to manage traditional waterfall work, adaptive project management (typically managed in Excel files or Word) and integrates with market leading Agile

67

solutions such as Agile Central (formerly Rally), Jira and VerizonOne.

7.3 Must provide the ability to create projects using pre-defined best practice templates

X CA PPM provides the capability to create projects using pre-defined templates OOB. Typically, the process is automated where once the idea/proposed project is approved, a workflow process will identify which template is used to create the new project based on the information supplied by the initiator.

7.4 Must support the use of pre-defined template libraries by work type

X This is supported OOB within CA PPM.

7.5 Must provide the ability to create and maintain work breakdown structures

X CA PPM provides online Gantt functionality OOB. Additionally, CA PPM provides an OOB bi-directional integration with Microsoft Project and Open Workbench.

7.6 Must provide the ability to manage all activities between each project’s start and end dates

X CA PPM provides this capability OOB.

7.7 Must provide the ability to manage incoming demand for planned and unplanned projects

X CA PPM provides this capability OOB.

7.8 Must provide the ability to define a project schedule including project tasks with projected start and end dates

X This is standard OOB project management functionality within CA PPM.

7.9 Must provide the ability to assign resources to tasks and allocate hours and projected start and end dates

X This is standard OOB project management functionality within CA PPM.

7.10 Must provide the ability to update and maintain project tasks and resource assignments

X This is standard OOB project management functionality within CA PPM.

7.11 Must provide the ability to deactivate or close project tasks and resource assignments

X This is standard OOB project management functionality within CA PPM.

7.12 Must provide the individual users with the ability to customize their view of the project schedule

X This is standard OOB project management functionality within CA PPM.

68

7.13 Must provide the ability to create, track, revise, and maintain the project budget, including a detailed history of each budget revision

X CA PPM supports budgets and forecasts for investments.

7.14 Must provide the ability to capture and track the actual resource hours and resource costs associated with the project, each project task, and each resource assignment

X CA PPM provides the ability to capture and track actuals across resources and investment work OOB.

7.15 Must provide the ability to capture and maintain the actual cost of materials, goods, and contracted services required to complete the project

X CA PPM provides the ability to track/capture non-labor transactions/cost OOB.

7.16

Must provide the ability to capture, track, and maintain project risks and issues

X CA PPM provides OOB risk/issue/change management capabilities. During business case development and project kick-off, risks can be created and managed. Risks can then be used to create issues and change requests to help with resolution and mitigation. Additionally, all can be associated to tasks, all can be process enabled, and all can have associated action items for approvals and resolution.

7.17 Must provide the ability to temporarily place a project on hold

X CA PPM provides this capability OOB.

7.18 Must provide the ability to formally close a project

X CA PPM provides this capability OOB.

7.19 Must provide the ability to capture, approve, track, and maintain project change requests

X CA PPM provides this capability OOB.

7.20 Must provide the ability to baseline projects or tasks as needed

X CA PPM provides this capability OOB.

7.21 Must provide the ability to control who may view and edit the data in each project

X CA PPM has detailed security/rights/privileges administration capabilities. All objects contain edit/delete/create/view rights for resource security administration.

7.22 Must provide the ability to generate standard project reports, including status reports, risk register, issues list, change requests, schedules, and budgeted versus actual costs

X CA PPM provides 69 reports and 100+ portlets/dashboards OOB. The information provided can contain configured fields as well as OOB fields. Please see the CA PPM 15.2 PMOA Reports.pdf provided in our zip file containing confidential and

69

proprietary information to view all the reports provided OOB.

8.0 Must provide the ability for resources to easily record time worked on both project and non-project tasks each day

X CA PPM provides an easy to use timesheet interface for resources to enter time for both project and non-project work.

8.1 Must provide the ability for users to easily submit their time sheets each week

X CA PPM time management capabilities enable resources to populate their timesheets from the previous time period. This includes options to populate both work and actuals submitted from the last time period. Submittal occurs via a single click.

8.2 Must provide the ability to route project and non-project time entries to the appropriate manager for review and approval (or rejection)

X CA PPM's time management enables a Kanban view for reviewing/approving timesheets for a manager’s team. When interacting with the Kanban view, the resource/project manager(s) can easily identify resources whose timesheets have not been submitted and, with a single click, send a reminder to that resource.

8.3 For rejected time entries, must provide the ability to correct and resubmit a timesheet

X CA PPM allows for approvers to ‘return’ timesheets to the submitter. The submitter is notified of the status change and he/she can make changes and resubmit.

8.4 Upon approval by the appropriate manager, must accumulate the actual hours spent on the corresponding task and/or project

X This is standard OOB project/time management capability of CA PPM.

8.5 Upon approval by the appropriate manager, must calculate and accumulate the actual cost associated with the corresponding task and/or project

X CA PPM allows for actual hours to be converted to dollars based on rates stored in the "rate matrix."

8.6 Must provide the ability to generate standard time conformance reports

X CA PPM provides OOB time compliance reports.

8.7 Must provide the ability to generate standard timesheet reports, including overdue timesheets, rejected timesheets, and lists of timesheets by work group, supervisor, or project

X CA PPM provides OOB views and reports into time management information.

9.0 Must provide standard project dashboards by program, portfolio, strategic initiative, or business

X CA PPM provides 69 reports and 100+ portlets/dashboards OOB. The information provided can contain configured fields as well as OOB fields. Please see the CA PPM 15.2 PMOA Reports.pdf

70

area, that are accessible to the entire organization

provided in our zip file containing confidential and proprietary information to view all the reports provided OOB.

9.1

Must provide standard reporting capability out of the box

X CA PPM provides 69 reports and 100+ portlets/dashboards OOB. The information provided can contain configured fields as well as OOB fields. Please see the CA PPM 15.2 PMOA Reports.pdf provided in our zip file containing confidential and proprietary information to view all the reports provided OOB.

9.2 Must provide ad-hoc reporting capabilities that are intuitive and easily learned

X CA PPM provides a self-service ad hoc reporting interface that enables users to create their own views/reports for sharing via the solution as well as email. Additionally, CA PPM’s data warehouse can be used by outside BI tools such as Tableau and Microsoft Power BI.

9.3 Must provide the ability to schedule reports and deliver them via e-mail

X This is OOB functionality in CA PPM’s reporting interface.

9.4 Must provide real-time reporting X This is OOB functionality in CA PPM’s reporting interface.

9.5 Must provide the ability for selected users to create and deploy new reports as needed

X This is OOB functionality in CA PPM’s reporting interface.

10.0 Screens and reports must have a consistent look and feel

X This is OOB functionality in CA PPM’s reporting interface.

10.1 Must require a minimal number of clicks or actions to perform functions

X This is OOB CA PPM functionality.

10.2 Must provide clean navigation of screens and views without a lot of pop-ups

X This is OOB CA PPM functionality.

10.3 Must provide drag and drop movement of tasks

X This is OOB CA PPM functionality.

10.4 Must provide the ability to easily copy and/or paste text to and from other tools

X This is OOB CA PPM functionality.

11.0 Maintain an active user group that meets regularly (at least annually)

X The CA PPM Community is where PPM users and product experts connect to share questions, ideas and feedback. Here you will find the right people and tools

71

either via the web or at a physical location within the state of Michigan

to help you with every stage of your PPM journey, whether you are just getting started, need help, or want to make the most of your PPM investment. Information on the CA PPM Community is available at https://communities.ca.com/community/ca-ppm.

12.0 Provide the ability to delegate some of the administration functions to local users

X CA PPM provides the ability to have multiple administrators with certain access for each person.

12.1 Provide the ability to perform mass / bulk updating

X CA PPM provides the ability to perform updating via grid editing; however, if mass updates are required, this will generally require a small (one time) services engagement. Rego has not included this in our services proposal.

13.0 Provide the ability to open multiple projects at one time and link items between projects

X CA PPM allows a user to open many projects at the same time, either in browser tabs or multiple browser windows. Several types of links can be made, such as investment level dependencies, task level dependencies, etc.

13.1 Provide the ability to produce a release roadmap showing idea and project dependencies

X CA PPM provides these views.

13.2 Provide the ability to produce waterline reports

X CA PPM provides a waterline view where the waterline constraint can be either financial or resource driven.

13.3 Provide the ability to produce strategic vision pie charts

X CA PPM produces these pie charts OOB.

14.0 Provide resource managers the ability to review and approve resources requested from their local areas or teams

X CA PPM provides the ability for resource managers to review requests. These requests include a social (conversion) element for easy communication.

14.1 Provide the ability to identify and track resource skill sets for use in the resource planning process

X CA PPM offers the capability to track both primary role and a complete list of skills per person. For each skill associated to a resource, both interest level and proficiency level can be identified.

15.0 Provide approvers the ability to delegate the approval decision to another user

X CA PPM provides proxy functionality that delegates workflow approval to another person.

15.1 Provide the ability to submit ideas for proposed projects whether the

X CA PPM provides Viewer bulk licenses that allow for idea creation.

72

requestor is licensed to use or log into the PPM tool or not

15.2 Provide the ability to generate a risk heat map report for ideas / proposed projects

X CA PPM provides out-of-the-box reporting for aggregated risk visibility across projects.

16.0 Provide Sprint Boards for use with Agile Projects

X CA PPM provides Task Board functionality as well as integrating with major agile solutions.

16.1 Provide a repository for project documentation

X CA PPM has full document management functionality, including check-in/check-out.

16.2 Provide the ability to identify sub-projects and roll the planned and actual hours and costs up to the parent project

X CA PPM provides master/subproject functionality to rollup project information.

16.3 Provide the ability to link project tasks using finish-to start, finish-to-finish, start-to start, or start-to-finish relationships

X CA PPM provides all of these options, as well as lead/lag.

16.4 Provide the ability to enter and track the value / benefits realized by the project

X CA PPM allows for planning and tracking of both financial and non-financial project benefits.

16.5 Provide the ability to change a project risk to a project issue and then to a project change request, with journaling capability to track the history of the item

X CA PPM provides out-of-the-box functionality to provide this flow. Each time a new item is created, a link to the historical item is created for traceability.

17.0 Provide the ability to integrate time entered from other systems and reconcile it to the source system

X Rego has extensive experience integrating external time reporting applications into CA PPM. We have standard low-cost connectors that will generally support most use cases for importing time; however, we have not included these in our cost proposal.

17.1 Provide the ability to enter, submit and approve time sheets from mobile devices

X CA PPM provides a support mobile app to both submit and approve time.

18.0 Provide trigger alerts on specific activities (e.g. – projects behind schedule or over budget)

X CA PPM provides over 80 out-of-the-box alerts; however, many customers end up configuring the alerts to support their business process. Rego will provide this assistance upon request; however, we have not included this in our cost estimate.

73

18.1 Provide technical descriptions of all available standard reports

X CA PPM has detailed technical descriptions for all 69 OOB reports.

19.0 Provide the ability to enter, update, and track the various IT applications supported by DTMB

X CA PPM provides out-of-the-box Application Portfolio Management (APM) functionality with the ability to map project to applications for cost, effort and roadmap capabilities.

19.1 Provide the ability to track all project time and costs associated with each IT application

X Time can be tracked directly to an application or time against a project can be rolled up to the application.

19.2 Provide the ability to identify legacy IT applications (those using sunset, frozen, unsupported, or deprecated technologies and architectures)

X CA PPM provides the analytical view to make these retirement decisions.

19.3 Provide the ability to generate standard application reports, including legacy application list, application scorecards, actual support hours by application, and active projects associated with an application

X Yes, CA PPM provides these views.

20.0 Provide the ability to search the underlying database by keywords

X Yes, CA PPM provides this search capability.

20.1 Provide users with the ability to configure / customize their home user interfaces

X CA PPM provides end user configuration. The solution also provides the ability for the administrator to set up different views and homepages for different types of users.

20.2

Provide an integrated on-line help system and product tutorials

X CA PPM includes comprehensive, context sensitive online help. For customers that require customized online help with interactive tutorials that operate “live” within the application, CA Technologies offers the CA Productivity Accelerator (CAPA) which is an optional component and not included as part of Rego’s cost proposal.

CA and Rego each offer an online repository of documentation, videos, tips & tricks, quick reference guides, and other artifacts that support the use of CA PPM. CA’s support site is found at http://support.ca.com and Rego’s repository is found at www.regoxchange.com.

74

20.3 Provide integrated eLearning courses and/or other automated instructions for using the tool

X CA offers Interactive e-learning content, available anytime, anywhere and done in a self-paced approach in their OnDemand WBT platform. These courses have not been included in Rego’s cost proposal; however, they can be added upon request.

75

SCHEDULE F

PRICING Table 1: Assumptions and Volume Price Model

1) Ramp model fbased on an initial order of 50 Full Function and 50 Restricted Function users accessing the CA PPM SaaS instance during first 6 months for implementation purposes.

2) Volume tier pricing discounts and Rego partner discount incentives are reflected in proposed CA PPM SaaS subscription fees.

3) CA PPM SaaS subscription fees include maintenance

support and version upgrades at no additional cost. Version upgrades can be scheduled within 1yr of major version release date.

4) Upon any renewal, CA’s then current published SaaS offering provisions, and pricing structure shall apply

5) Unlimited access to the RegoXchange solution library is included at no cost when purchasing CA PPM SaaS

and expert implementation services from Rego Consulting. The RegoXchange is a non-profit business unit with 100% of all end-client subscription fees used by Rego to develop additional solutions for the expansive RegoXchange community, and anything that the State of Michigan downloads during its subscription term is the State’s to keep - even if the RegoXchange subscription is not renewed.

6) Refer below for a summary of the 3 license types available with CA PPM and the CA PPM user

type matrix attached for detailed descriptions

7) Two-2 Main Event + 1 Tuition Passes to RegoUniversity is included with purchase of CA PPM SaaS and Rego Expert Services

76

The following Volume Pricing Table shall remain in effect for all 123 months of the Contract.

77

√

√ √ √

√

√

√

√

√ √ √

√

√

√

√

√

√

78

√

√

√

√

√ √ √

√

√

√ √ √

√ √ √

√

√

√

√

√

√

√

√

√ √ √

79

√

√

√ √ √ √

√

√

√ √ √

√

√ √ √

√ √ √

√

√

√

√

√ √ √

√

√

√

√

√

80

√

√

√

√

√

√

√

√ √ √

√

√

√

√

√

√

√ √

√ √

√

√

√

√

√ √

81

√

√

√

√

√

√

√ √

√

√

√

√

√ √

√

√

√

√

√

√ √ √

√ √

82

√ √ √

√

√

√

√

√ √ √

√ √ √

√

√

√

√

√

√

√

√ √

√

√

√

83

√

√

√

√

√

√

√

√ √ √

√

√

√

√

√

√ √ √

√ √ √

√

√

84

√ √ √

√

√

√

√ √

√ √ √

√ √ √

√ √ √

√ √ √

√ √ √

√

√ √ √

√ √

√

√

√

√ √ √

√ √

√

√

√ √ √

85

√

√

√

√

√

√

√

√

√

√ √ √

√ √ √

√ √

√

√

√ √ √

√ √ √

√ √ √

√ √ √

√

√

√

86

√

√

√

√

√

√

√

√

√

√ √ √

√

√

√

√

√

√ √

√ √

√

√ √

√ √

87

√

√ √

√ √

√ √ √

√ √ √

√ √ √

√ √

√ √ √

√ √

√ √

√

√

√

√

√

√ √ √

√

√

√

88

√

√ √

√ √ √

√

√

√

√

√

√

√

√

√

89

Table 2: Cost Summary

Project Cost(s) Total Cost ($) Comments

Software Table 3 total.

$2,631,656

Total reflects 5yr CA PPM SaaS subscription term. Includes 2 small sandbox environments for State development and test environments, unlimited access to the RegoXchange and 3 full tuition passes to RegoUniversity 2019. Software subscriptions will be invoiced in quarterly installments.

Implementation Table 6 subtotal.

$498,000

Please refer to optional offerings not included in Implementation subtotal

Training & Documentation Table 6 subtotal.

$66,000 Please refer to optional offerings not included in Training & Documentation subtotal

Total $3,195,656

90

Table 3: Software: Years 1-3

CA PPM OnDemand - 3yr Term

Subscription User Type Qty Term Start Term End Term

List Price with 3-year

Term

Monthly Price with Volume Tier Discount

Partner Incentive Discount

from Rego

Discounted Cost Per Month

Total Discount

Cost for 6/30/18 to

9/29/19

Cost for 9/30/19 to

9/29/20

Cost for 9/30/20 to

9/29/21 39-Month

Total

Full Function (ramp) 50 6/30/2018 9/29/2021 39 49.50 27.00 22% 21.20 57% $ 15,896 $ 12,717 $ 12,717 $ 41,330

Full Function 976 3/31/2019 9/29/2021 30 49.50 27.00 22% 21.20 57% $ 124,118 $ 248,236 $ 248,236 $ 620,590

Restricted Function (ramp) 50 6/30/2018 9/29/2021 39 25.20 16.20 22% 12.717 50% $ 9,538 $ 7,630 $ 7,630 $ 24,798

Restricted Function 2,050 3/31/2019 9/29/2021 30 25.20 16.20 22% 12.717 50% $ 156,419 $ 312,838 $ 312,838 $ 782,096

CA PPM Small Sandbox 2 6/30/2018 9/29/2021 39 0.00 0.00 Bundled 0.00 100% 0.00 0.00 0.00 0.00

regoXchange 1 9/30/2018 9/29/2021 39 30,060 835 100% 0.00 100% $ - $ - $ - $ -

regoUniversity 3 TBD TBD 1 1,500 4,500 100% 0.00 100% $ - $ - $ - $ -

Total $305,971 $ 581,421 $ 581,421 $1,468,814

Payments will be made as follows:

Upon contract signing: $50,000.00

October 1, 2018: $175,971.00

Next 11 Quarterly Payments starting December 31, 2018: $112,986

91

During the first 123 months of the contract, State may order additional users of CA PPM and pay the Discounted Cost per Month shown above for the additional users (or a lower Cost per Month if the Volume Tiers shown in Table 5 are met).

Incremental purchases shall be pro-rated to co-term with the term end date of this initial order.

The following shows the optional stated renewal cost in Months 40 through 123 of the contract: CA PPM OnDemand – Annual Renewal Costs for Period 9/30/2021 – 9/29/2028

Subscription User Type Qty Term Start Term End Term

List Price with 3-year

Term

Monthly Price with Volume Tier Discount

Partner Incentive Discount

from Rego

Discounted Cost Per Month

Total Discount

Optional Renewal Fee (per year) For Months 40 to

123

Quarterly Payment in

Months 40 to 123

Full Function (ramp) 50 9/30/2021 9/29/2028 84 49.50 27.00 22% 21.20 57% $ 12,717

Full Function 976 9/30/2021 9/29/2028 84 49.50 27.00 22% 21.20 57% $ 248,236

Restricted Function (ramp) 50 9/30/2021 9/29/2028 84 25.20 16.20 22% 12.717 50% $ 7,630

Restricted Function 2,050 9/30/2021 9/29/2028 84 25.20 16.20 22% 12.717 50% $ 312,838

CA PPM Small Sandbox 2 9/30/2021 9/29/2028 84 0.00 0.00 Bundled 0.00 100% 0.00

regoXchange 1 9/30/2021 9/29/2028 84 30,060 835 100% 0.00 100% $ -

Total $581,421 $145,355

A minimum order of 25 Full Function or Restricted Function users is required. The annual price will increase if any procurements of products are done under the Future Pricing section by the amount of the optional stated renewal

92

Table 4: Software – Tiered Volume Pricing Full use licenses (3 Year Term)

Base Years Volume Tier Description

Cost ($) Total Cost ($) Year 1 Year 2 Year 3 Year 4 Year 5

Volume Tier 1 50-99 49.50 49.50 49.50 49.50 49.50 $247.50 Volume Tier 2 100-249 36 36 36 36 36 $180.00 Volume Tier 3 250-999 31.50 31.50 31.50 31.50 31.50 $157.50 Volume Tier 4 1,000-3,999 27 27 27 27 27 $135.00 Volume Tier 5 4,000+ 22.50 22.50 22.50 22.50 22.50 $112.50

Total

Renewal Years Year 6 Year 7 Year 8 Year 9 Year 10 Total Volume Tier 1 49.50 49.50 49.50 49.50 49.50 $247.50 Volume Tier 2 36 36 36 36 36 $180.00 Volume Tier 3 31.50 31.50 31.50 31.50 31.50 $157.50 Volume Tier 4 27 27 27 27 27 $135.00 Volume Tier 5 22.50 22.50 22.50 22.50 22.50 $112.50

Total

Restricted use licenses (3 Year Term)

Base Years Volume Tier Description

Cost ($) Total Cost ($) Year 1 Year 2 Year 3 Year 4 Year 5

Volume Tier 1 50-99 25.20 25.20 25.20 25.20 25.20 $126.00 Volume Tier 2 100-249 23.40 23.40 23.40 23.40 23.40 $117.00 Volume Tier 3 250-999 19.80 19.80 19.80 19.80 19.80 $99.00 Volume Tier 4 1,000-3,999 16.20 16.20 16.20 16.20 16.20 $81.00 Volume Tier 5 4,000+ 12.60 12.60 12.60 12.60 12.60 $63.00

Total

Renewal Years Year 6 Year 7 Year 8 Year 9 Year 10 Total Volume Tier 1 25.20 25.20 25.20 25.20 25.20 $126.00 Volume Tier 2 23.40 23.40 23.40 23.40 23.40 $117.00 Volume Tier 3 19.80 19.80 19.80 19.80 19.80 $99.00 Volume Tier 4 16.20 16.20 16.20 16.20 16.20 $81.00 Volume Tier 5 12.60 12.60 12.60 12.60 12.60 $63.00

Total

93

Table 6: Implementation, Training & Documentation

Milestone Event

Associated Milestone

Deliverable(s)

Rego Milestone Enterprise Core Wave 1 Wave 2 Wave 3 TOTAL

Project Planning

Project Kickoff

Official Kickoff

24,000

4,000

4,000

4,000 36,000

Requirements and Design Validation Validation sessions, Final Requirement Validation Document, Final Design Document, Final Implementation Document

Workshop Config List Signoff

24,000

7,000

11,000

7,000 49,000

Interface Design Doc Signoff 21,000 21,000

Configuration of software Final Solution and Testing Document

Base Configuration Signoff in DEV (objects, security)

24,000

7,000

14,000

10,000 55,000

Custom Portlet/Report Signoff

24,000

7,000

14,000

10,000 55,000

Custom Workflow Signoff

24,000

7,000

14,000

10,000 55,000

SharePoint Integration Signoff

24,000

24,000

Data Extraction Interface Signoff

24,000

24,000

ERP/Payroll Interface Signoff

24,000

24,000

Agile Tool Integration Signoff

24,000

24,000

Testing and Acceptance Final Test Results Report, Final Training Documentation, Final Acceptance

UAT Signoff

20,000

6,000

11,000

9,000 46,000

Training Material Signoff 20,000 20,000

Train the Trainer Sessions 20,000 20,000

Go Live 20,000

6,000

10,000

9,000 45,000

Total Base Project

317,000

44,000

78,000

59,000 498,000

Testing and Acceptance Final Test Results Report, Final Training Documentation, Final Acceptance

Optional: End User Training

26,000

19,000

21,000 66,000

94

Milestone Event

Associated Milestone

Deliverable(s)

Rego Milestone Enterprise Core Wave 1 Wave 2 Wave 3 TOTAL

Production Support Services Ongoing after Final Acceptance.

Optional: Post Go-Live Support 40,000 40,000

Total Optional

40,000

26,000

19,000

21,000 106,000

GRAND TOTAL

357,000

70,000

97,000

80,000 604,000

95

Table 8: Rate Card for Future Enhancements The labor rates in the table below represent apply to optional future services purchased during the life of the contract.

Staffing Category Hourly Rate

(Offsite)

Daily Rate (Onsite)*

Project Manager $150 $1,800 Business Analyst $150 $1,800 Software Developer $150 $1,800 Network Engineer $150 $1,800 Programmer $150 $1,800 Trainer $150 $1,800 Technical Writer $150 $1,800 Other: Technical Offshore $110 N/A Other: Support Lead $125 N/A Other: $

*2 day minimum for onsite work. Onsite rate is inclusive of travel.

96

OPTIONAL MANAGED SUPPORT SERVICES

Rego offers ongoing Level 2 and 3 Support for CA PPM, which the State may opt to purchase at the following rates:

Support Lead: $125/hr.

Level 2/3 Support Consultant: $150/hr.

Rego estimates that State of Michigan will require 500 to 1,000 hours of Level 2 and 3 Support during the first year after go-live.

The following shows the typical Level 2 + 3 support tasks:

Rego Level Type of Activity Detailed Activity

Level 2 Support - CA Support Confirm and manage application fixes/updates from 3rd level support

Level 2 Support - CA Support Validate and approve fixes/updates from 3rd level Support

Level 2 Support - Defects Work with client to analyze and rectify complex defects and problems. Escalate appropriate problems or support issues to Level 3

Level 2 Support - Enhancements Architecture design for all new functions and large development items

Level 2 Support - Enhancements Jaspersoft Report Development

Level 2 Support - Enhancements Clarity Crystal and Jaspersoft report configuration

Level 2 Support - Enhancements Clarity Interface development and testing (including upgrade re-testing)

Level 2 Support - Enhancements Clarity query/portlet configuration

Level 2 Support - Enhancements Clarity workflow process configuration

Level 2 Support - Enhancements Create the high-level configuration document from the functional requirements – this includes details of the technical solution as well as the migration plan

Level 2 Support - Enhancements Data uploads through XOG for any large datasets

Level 2 Support - Enhancements Develop and provide test cases as defined in testing plans

Level 2 Support - Enhancements Develop end user guides ad training materials

Level 2 Support - Enhancements Documentation of enhancement requests, including the presentation of implementation options evaluated as required

Level 2 Support - Enhancements Ensure quality with unit and “internal” integration testing, as well as coordination with system testing team

Level 2 Support - Enhancements Migrate Configurations from one environment to another

Level 2 Support - Enhancements Process design, implementation, ownership, and accountability (production acceptance, change management, etc.)

Level 2 Support - Enhancements Process design, implementation, ownership, and accountability (production acceptance, change management, etc.)

Level 2 Support - Enhancements Train end users on Clarity functions - portfolio, project, resource, demand, financial, MSP/OWB

Level 2 Support - Environments Manage the SIT and UAT during releases

Level 2 Support - Issues Resolve problems controlled locally (example: bad data being sent, local pc issues, connectivity, etc.)

Level 2 Support - Questions Response to complex questions regarding Clarity functionality, including Microsoft Project integration

Level 2 Support - Release Management

Assist in prioritizing items within the defect/enhancement queue, explaining the impact of each item on the current environment

Level 2 Support - Release Management Confirm and manage application fixes from Level 3 Support

Level 2 Support - Release Management

Develop overall effort and schedule estimates of all defects and enhancements that will be part of a future release, then get client approval of estimates

Level 2 Support - Release Management Log proper change records prior to a release - following client change management process

97

Level 2 Support - Release Management Manage the prioritization and categorization of defect fixes and enhancements

Level 2 Support - Release Management Project Manage Periodic Releases

Level 2 Support - Training Conduct informal training as requested

Level 2 Support - Upgrade Go-live testing, validation of data issues, missing data, etc.

Level 2 Support - Upgrade Retest of CA resolved defects with new releases

Level 2 Support - Upgrade Review of impacts of CA fix packs and releases (ERQs, Defects, Architecture changes)

Level 2 Support - Upgrade Testing of software fixes from third party vendors

Level 2 Support - Weekly Communication Lead weekly status meetings where all defects/enhancements as well as SLAs are reviewed.

Level 3 Support - Enhancements Resolve application problems escalated from Level 2

Level 3 Support - Enhancements Complex Enhancements

Level 3 Support - Monitoring Proactive Performance tuning of hardware and software for optimal Clarity performance

Level 3 Support - Monitoring Proactive review of server logs for issues

Level 3 Support - Upgrade Technical Application of Upgrades

98