REPORT/RECOMMENDATION TO THE BOARD OF SUPERVISORS
OF SAN BERNARDINO COUNTY
AND RECORD OF ACTION
May 23, 2023
FROM
JAKE CORDOVA, Interim Chief Information Officer, Innovation and Technology Department
SUBJECT
Title
Non-Financial Master Subscription Agreement with KnowBe4, Inc. for Cybersecurity and Information Security Training Software
End
RECOMMENDATION(S)
Recommendation
Approve a non-financial Master Subscription Agreement, including non-standard terms, with KnowBe4, Inc. for cybersecurity and information security awareness training software, for purchase amounts as authorized by County Policy, for the period of May 23, 2023, through May 22, 2028.
(Presenter: Jake Cordova, Interim Chief Information Officer, 388-5501)
Body
COUNTY AND CHIEF EXECUTIVE OFFICER GOALS & OBJECTIVES
Improve County Government Operations.
Operate in a Fiscally-Responsible and Business-Like Manner.
FINANCIAL IMPACT
Approval of this item will not result in the use of Discretionary General Funding (Net County Cost). The Master Subscription Agreement (Agreement) with KnowBe4, Inc. (KnowBe4) is non-financial in nature and does not commit the County to make any purchases. Future purchases for the annual renewal of KnowBe4 cybersecurity and information security awareness training software are planned to be made under the Agreement, and the Innovation and Technology Department (ITD) will adhere to County purchasing policies and return to the Board of Supervisors for approval, if necessary.
BACKGROUND INFORMATION
ITD manages the Countywide Information Security Program (Program) designed to implement effective Information Technology (IT) security solutions and cybersecurity practices. The Program aims to reduce the County’s overall cyber risk by mitigating potential cyberattacks, cyberthreats, and security incidents that target the County’s enterprise network, including mission-critical systems, applications, and infrastructure.
A critical component of the Program is the annual County’s Information Security Awareness Training (CSAT), required for all new and existing employees on an annual basis. The CSAT is used to train employees on information and cybersecurity best practices and increase awareness about potential threats such as phishing. This threat is the fraudulent practice of sending email or other messages appearing to be from trustworthy individuals or companies to induce individuals to reveal personally identifiable information (e.g., password, credit card information). ITD utilizes KnowBe4 software with a range of capabilities and resources used to provide training and simulated phishing tests, to deliver cybersecurity awareness to employees.
KnowBe4 software is offered through various resellers but the use is bound by the Agreement. This software has been in use by ITD since 2018 and continues to benefit the County in terms of delivering relevant and up-to-date cybersecurity and information security content, as well as raising awareness of cyberthreats. Since partnering with KnowBe4, the Purchasing Agent has issued purchase orders for this software according to County Policy.
The Agreement is KnowBe4’s standard government contract, which includes terms that differ from the standard County contract and omits certain County standard contract terms. While the parties negotiated certain contract terms to County standards, KnowBe4 would not agree to all County standard terms. The non-standard and missing terms in the Agreement include the following:
1. KnowBe4 may assign the Agreement without notice to the County and without the County’s approval. If the County terminates the Agreement due to an issue with the assignment, the County remains liable for its payment obligations.
• The County standard contract requires that the County must approve any assignment of the contract.
• Potential Impact: KnowBe4 could assign the Agreement to a third party or business with which the County is legally prohibited from doing business due to issues of Federal debarment or suspension and conflict of interest, without the County’s knowledge. Should this occur, the County would be out of compliance with the law until it becomes aware of the assignment and terminates the Agreement. In addition, if the County terminates the Agreement in compliance with the law, it remains obligated to pay the full Agreement amount, which may result in payment in violation of the law.
2. KnowBe4’s maximum liability to the County is limited to three times the total fees paid or payable for the subscription services, any professional services and any support services as to which the liability relates in the 12 months prior to the event giving rise to the liability.
• The County standard contract does not include a limitation of liability.
• Potential Impact: Claims could exceed the liability cap and the Agreement amount, leaving the County financially liable for the excess.
3. There is no termination for convenience without penalty.
• The County standard contract gives the County the right to terminate the contract, for any reason, with a 30 day written notice of termination without any obligation other than to pay amounts for services rendered and expenses reasonably incurred prior to the effective date of termination.
• Potential Impact: Upon any termination by the County, except for KnowBe4’s uncured breach, the County is required to pay the entire Agreement amount, which could result in payment liability where no funds are available due to lack of allocation or loss of funding.
ITD recommends approval of the Agreement, including non-standard terms, to allow ITD to continue facilitating the CSAT, which increases awareness about potential cyber threats.
PROCUREMENT
The Agreement, including non-standard terms, will be used to accompany future purchase orders to be approved, as necessary, per County Policy 11-04, Procurement of Goods, Supplies, Equipment, and Services.
In 2018, ITD initially reached out to Gartner, Inc. (Gartner), a contracted global research and consulting agency, to determine the best option for countywide cybersecurity and information security training software. Gartner is an industry leader in technological research and consulting services comprised of over 12,000 client organizations in over 100 countries for entities in the IT and government sector working with organizations to develop technology strategies, plans and budgets, as well as selecting the right technologies for their operations.
Gartner research is conducted continuously by ITD to obtain relevant research, comparison, and ranking of cybersecurity and information security awareness training software providers. Gartner continues to rank KnowBe4 as the best option for the County due to KnowBe4's use of artificial intelligence to generate a risk score for individuals, departments, and the County to correlate to their information and cyber security awareness content, along with achieving other content and platform related requirements to ensure our effectiveness and efficiencies are being met.
The KnowBe4 platform continues to meet the County’s needs. Implementing a different cybersecurity training and awareness platform would require significant time, effort, and resources to research, evaluate, select, and deploy. It would also require re-training of employees on a new platform and potentially disrupt established training-related requirements and processes. Additionally, switching to a different platform could potentially result in a temporary decrease in the effectiveness of the County’s information and cyber security training and awareness program, which could leave the County vulnerable to cyber threats during the transition period. ITD recommends that the County continue to use the KnowBe4 platform, which has a proven track record of improving the overall security posture of organizations and has established training-related processes that have been effective and efficient.
REVIEW BY OTHERS
This item has been reviewed by County Counsel (Bonnie Uphold, Supervising Deputy County Counsel, 387-5455) on May 1, 2023; Purchasing (Tevan Stremel, Buyer III, 387-2098) on April 24, 2023; Risk Management (Victor Tordesillas, Director, 386-8623) on April 26, 2023; Finance (Ivan Ramirez, Administrative Analyst III, 387-4020) on May 5, 2023; and County Finance and Administration (Paloma Hernandez-Barker, Deputy Executive Officer, 387-5423) on May 6, 2023.