REPORT/RECOMMENDATION TO THE BOARD OF SUPERVISORS
OF SAN BERNARDINO COUNTY
AND RECORD OF ACTION
September 10, 2024
FROM
LYNN FYHRLUND, Chief Information Officer, Innovation and Technology Department
SUBJECT
Non-Financial Subscriber Agreement and Amendment with Internet Security Research Group for Secure Sockets Layer/Transport Layer Security Certificates
RECOMMENDATION(S)
1. Approve non-financial Let’s Encrypt Subscriber Agreement with Internet Security Research Group, including non-standard terms, for Secure Sockets Layer/Transport Layer Security certificates, which are required to verify that a website’s online transactions are processed securely and maintain privacy for users’ information, for the period beginning when the County requests that Internet Security Research Group issue a Let’s Encrypt certificate and continuing while all certificates issued are valid.
2. Approve non-financial Amended Terms for State and Local Governments in the U.S. with Internet Security Research Group amending certain terms of the Let’s Encrypt Subscriber Agreement in Recommendation No. 1 for state and local government subscribers.
3. Authorize the Chief Information Officer, Assistant Chief Information Officer, Chief Information Security Officer, or IT Division Chief to electronically accept the Agreement and Amendment in Recommendations No. 1 and 2, respectively, and future non-substantive amendments, subject to review by County Counsel.
4. Direct the Chief Information Officer, Assistant Chief Information Officer, Chief Information Security Officer, or IT Division Chief to transmit any non-substantive updated terms that are electronically accepted to the Clerk of the Board of Supervisors within 30 days of acceptance or execution.
(Presenter: Lynn Fyhrlund, Chief Information Officer, 388-5501)
COUNTY AND CHIEF EXECUTIVE OFFICER GOALS & OBJECTIVES
Operate in a Fiscally-Responsible and Business-Like Manner.
FINANCIAL IMPACT
Approval of this item will not result in the use of Discretionary General Funding (Net County Cost). The Let’s Encrypt Subscriber Agreement (Agreement) and Amended Terms for State and Local Governments in the U.S. (Amendment) with Internet Security Research Group (ISRG) for free Let’s Encrypt (LE) Secure Sockets Layer/Transport Layer Security certificates (SSL/TLS Certificates) are non-financial in nature and do not commit the County to make any purchases. If future purchases are made under the Agreement and Amendment, the Innovation and Technology Department (ITD) will adhere to County purchasing policies and return to the Board of Supervisors for approval, if necessary.
BACKGROUND INFORMATION
ITD currently manages the lifecycle of SSL/TLS Certificates for multiple County departments, including the County Administrative Office, Arrowhead Regional Medical Center (ARMC), Public Health, Sheriff’s Department, and ITD. Several County sites, such as the County’s public-facing landing page, ARMC’s public-facing landing page, the County’s internal Employee Management and Compensation System (EMACS) website, and the County file transfer protocol website, use SSL/TLS. SSL/TLS is an encryption-based internet security protocol that protects data exchanged between the web server and the end user’s browser from computer hackers and other digital and cyber threats. SSL/TLS Certificates provide the authentication that websites use to process online transactions securely and maintain expected levels of privacy for users’ information. Without SSL/TLS Certificates, users often receive a “your connection is not private” notice, which indicates that their information may be exposed and makes it likely that the user will not proceed to the website.
LE is a non-profit SSL/TLS Certificate authority run by ISRG that provides free, automated, and open SSL/TLS Certificates for securing websites. ISRG, the provider of the service, is a public benefit organization. LE aims to secure the World Wide Web by offering free SSL/TLS Certificates to promote the widespread adoption of Hypertext Transfer Protocol Secure (HTTPS). HTTPS provides secure communications over a computer network, contributing to a safer and more secure online environment that reduces overall cybersecurity risk. ITD will utilize LE to assist with the renewal and issuance of SSL/TLS certificates to County departments.
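The checks a browser performs before it trusts a site’s certificate, and the expiry figure that certificate lifecycle management tracks, as an added illustration that is not part of this report and is not ISRG’s or Let’s Encrypt’s software. The Go program below uses only the standard library: it constructs a throwaway root CA and a server certificate in memory (standing in for a public CA root and a site certificate), then verifies the certificate the way a browser does (trusted chain, hostname match, validity period) and names the reason behind a “your connection is not private” warning when a check fails. The hostname www.example.test, the CA name and the fixed date T0 are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// T0 is a fixed, constructed "now" so that results are reproducible; it is not a date taken from the report.
var T0 = time.Date(2024, 9, 10, 12, 0, 0, 0, time.UTC)

// signCert signs tmpl with the signer's key and returns the parsed certificate; parent == tmpl yields a self-signed root.
func signCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildTestPKI generates, in memory, a throwaway root CA and a server certificate for host valid from
// notBefore to notAfter. It returns the server certificate and a trust store holding only that root.
func BuildTestPKI(host string, notBefore, notAfter time.Time) (*x509.Certificate, *x509.CertPool, error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test Root CA"}, // constructed name
		NotBefore:             notBefore.Add(-24 * time.Hour),
		NotAfter:              notBefore.Add(10 * 365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	root, err := signCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // browsers match the site name against this SAN list
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err := signCert(leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return leaf, pool, nil
}

// VerifyServerCert applies the checks a browser applies before trusting a site: the certificate
// chains to a trusted root, it was issued for host, and now falls inside its validity period.
func VerifyServerCert(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     host,
		CurrentTime: now,
	})
	return err
}

// Classify names the reason that sits behind a "your connection is not private" warning.
func Classify(err error) string {
	var hostErr x509.HostnameError
	var authErr x509.UnknownAuthorityError
	var invalidErr x509.CertificateInvalidError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &hostErr):
		return "hostname mismatch"
	case errors.As(err, &authErr):
		return "unknown authority"
	case errors.As(err, &invalidErr) && invalidErr.Reason == x509.Expired:
		return "expired or not yet valid"
	}
	return "other: " + err.Error()
}

// DaysUntilExpiry is the figure a certificate-lifecycle monitor alerts on so renewal happens in time.
func DaysUntilExpiry(leaf *x509.Certificate, now time.Time) int {
	return int(leaf.NotAfter.Sub(now).Hours() / 24)
}
```

Calling `BuildTestPKI("www.example.test", T0, T0.Add(90*24*time.Hour))` and then `VerifyServerCert` with the right host inside the validity window returns no error, while a different host, an empty trust store, or a check date past `NotAfter` each produce one of the named failure reasons; `DaysUntilExpiry` at T0 returns 90, the kind of value that lifecycle automation compares against its renewal threshold.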
The Agreement is ISRG’s standard commercial agreement. The Amendment modifies certain terms specifically for state and local governments. Together, the Agreement and Amendment include terms that differ from the standard County contract and omit certain County standard contract terms. ISRG is unwilling to negotiate these terms. The non-standard and missing terms include the following:
1. ISRG may assign the Agreement without notice to the County and without the County’s approval.
• The County standard contract requires that the County must approve any assignment of the contract.
• Potential Impact: ISRG could assign the Agreement to a third party or business with which the County is legally prohibited from doing business due to issues of Federal debarment or suspension and conflict of interest, without the County’s knowledge. Should this occur, the County could be out of compliance with the law until it becomes aware of the assignment and terminates the Agreement.
2. The Agreement does not require ISRG to indemnify the County, as required by County Policies 11-05 and 11-07, including for intellectual property infringement claims.
• The County standard contract indemnity provision requires the contractor to indemnify, defend, and hold the County harmless from third party claims arising out of the acts, errors or omissions of any person.
• Potential Impact: ISRG is not required to defend, indemnify or hold the County harmless from any claims, including indemnification for claims arising from ISRG’s negligent or intentional acts. If the County is sued for any claim, the County may be solely liable for the costs of defense and damages, which could exceed the total Agreement amount.
3. The County is required to indemnify ISRG against claims arising out of County’s: (i) misrepresentation or omission of material fact, (ii) violation of the Agreement, (iii) any compromise or unauthorized use of certificates or corresponding private key, or (iv) misuse of County’s certificate, except to the extent that applicable law prohibits the County from providing indemnification for another party’s negligence or acts.
• The County standard contract does not include any indemnification or defense by the County of a contractor.
• Potential Impact: By agreeing to indemnify ISRG, the County could be contractually waiving the protection of sovereign immunity. Claims that may otherwise be barred against the County, time limited, or expense limited could be brought against ISRG without such limitations and the County could be responsible to defend and reimburse ISRG for costs, expenses, and damages, which could exceed the total Agreement amount.
4. The Agreement does not require ISRG to meet the County’s insurance standards as required pursuant to County Policies 11-05, 11-07 and 11-07SP.
• County policy requires contractors to carry appropriate insurance at limits and under conditions determined by the County’s Risk Management Department and as set forth in County policy and in the County standard contract.
• Potential Impact: The County has no assurance that ISRG will be financially responsible for claims that may arise under the Agreement, which could result in expenses to the County that exceed the total Agreement amount.
5. ISRG disclaims all liability to the County.
• The County standard contract does not include a limitation of liability.
• Potential Impact: Claims could exceed the liability cap and the Agreement amount, leaving the County financially liable for the excess.
6. ISRG provides the services and/or products “AS IS” and disclaims all warranties of any kind.
• County Policy 11-05 requires a contractor to fully warrant its services and products.
• Potential Impact: The County’s use of the service is solely at its own risk.
ITD recommends approval of ISRG’s Agreement and Amendment, including non-standard terms, to enable County departments to obtain the free SSL/TLS certificates to safeguard data.
PROCUREMENT
ITD researched several SSL/TLS certificate providers and decided on LE as the best solution to meet the departments’ and the County’s needs. Other SSL/TLS service providers did not have all of the features that the County requires, or were based in a country outside of the United States, which would require the County to accept agreement terms based on foreign law.
The Agreement and Amendment, including non-standard terms, will be used to accompany future purchases to be approved, as necessary, per County Policy 11-04, Procurement of Goods, Supplies, Equipment and Services, provided that LE does not substantively modify its Agreement and Amendment. The Purchasing Department concurs with the non-competitive procurement on the basis of the functional specification justification.
REVIEW BY OTHERS
This item has been reviewed by County Counsel (Bonnie Uphold, Supervising Deputy County Counsel, 387-5455) on August 6, 2024; Purchasing (Christina Reddix, Buyer III, 387-2060) on August 6, 2024; Risk Management (Gregory Ustaszewski, Staff Analyst II, 386-9008) on August 6, 2024; Finance and Administration (Iliana Rodriguez, Administrative Analyst, 387-4205) on August 16, 2024; and County Finance and Administration (Paloma Hernandez-Barker, Deputy Executive Officer, 387-5423) on August 23, 2024.