CERT® Coordination Center
The CERT/CC is part of the Software Engineering Institute at Carnegie Mellon University.

Improving Security

Implementation Details

Examples of contract language for terms and conditions or statements of work

Applies to these practices:
Specify security requirements and assess contractor capability.
Determine contractor ability to comply with your organization's security policy.

Applicable technologies:
not applicable.

There is a wide range of terms, conditions, and statements of work that may help your organization include the necessary language in information technology service contracts within the scope of these practices. Example language from actual contracts is included here for your use. Unfortunately, very few examples were identified that specifically address the topics of security requirements and security policy as called out by the referenced practices.

These examples are not meant to encompass all the terms and conditions you may need to include in any contract you might construct. If legal advice or other assistance is required, the services of a competent professional person should be sought.

In the examples below, all references to "Contractor" are intended to indicate the external organization with whom your organization has contracted. All references to "Customer" refer to your organization. Choices of possible language, placeholders for replacement language, or instructions are indicated by [ ]. "Delivered software" is the code, data, and supporting documentation that the Contractor delivers for installation and operation on your systems.

The designators S1-S6 indicate different sources for the example language. Contracts from which these examples derive are all taken from US organizations. The types of work being performed under these contracts are as follows:

S1 license of software, written from a customer perspective; customer performs research and development
S2 license of software, written from a vendor perspective; vendor provides software and services
S3 license of software, written from a customer perspective; customer performs research and development
S4 contract with an organization that provides IT software and supporting services
S5 reference[1]
S6 reference[2]

The examples are organized into the following topic areas:

Topic: Description

Confidentiality and proprietary information: information is owned by the parties and disclosed only according to policy or by agreement
Contractor support services: designation of a point of contact for support services
Ownership rights: designation of who retains rights to the delivered software
Performance indicators and specifications: means by which Contractor performance is measured
Security policy: Contractor compliance with Customer's policies
Security requirements: disclosure of traps, use of special passwords, self-modifying software, encryption
Software acceptance: conditions under which software is accepted by the Customer (often stated in concert with Warranties)
System requirements: the operational environment within which the delivered software must execute to perform successfully
Termination: conditions under which the contract may be terminated
Warranties: guaranteeing or attesting to the quality, accuracy, or condition of the delivered software and the skills of those developing it (often stated in concert with Software Acceptance)


Confidentiality and proprietary information

Example 1

Contractor acknowledges that Customer's business data and other Customer proprietary information or materials, whether developed by Customer or being used by Customer pursuant to a license agreement with a third party (the foregoing collectively referred to herein as "proprietary information") are confidential and proprietary to Customer; and Contractor agrees to use reasonable care to safeguard the proprietary information and to prevent the unauthorized use or disclosure thereof, which care shall not be less than that used by Contractor to protect its own proprietary information. Contractor recognizes that the goodwill of Customer depends, among other things, upon Contractor keeping such proprietary information confidential and that unauthorized disclosure of the same by Contractor could damage Customer, and that by reason of Contractor's duties hereunder, Contractor may come into possession of such proprietary information, even though Contractor does not take any direct part in or furnish the services performed for the creation of said proprietary information. Contractor shall inform its employees of the confidential nature of such proprietary information and shall limit access thereto to employees with a need for such access to perform the services required by this agreement. Contractor shall use such information only for the purpose of performing the said services. (S1)

Contractor shall, upon termination of this agreement for any reason, or upon demand by Customer, whichever is earliest, return any and all information provided to Contractor by Customer, including any copies or reproductions, both hardcopy and electronic. (S1)

Example 2

The parties agree to hold each other's confidential information in confidence during the term of this contract and for a period of two years after termination of this contract. The parties agree, unless required by law, not to make each other's confidential information available in any form to any third party for any purpose other than the execution of this contract. Each party agrees to take all reasonable steps to ensure that confidential information is not disclosed or distributed by its employees or agents in violation of the terms of this contract. (S2)

Example 3

Since the work for which Contractor is engaged may include knowledge and information of a proprietary nature to Customer, Contractor shall receive such knowledge and information in confidence and shall not, except as required in the conduct of Customer's business, or as authorized in writing by Customer, publish or disclose or authorize anyone else to publish, disclose or make use of such information or knowledge unless and until such information or knowledge shall have ceased to be proprietary as evidenced by general public knowledge. This prohibition as to publication and disclosure shall not restrict Contractor in the exercise of its technical skill providing that the exercise of such skill does not involve the disclosure to others of information considered sensitive or proprietary to Customer. Contractor shall, upon demand, promptly surrender any such information to Customer. (S5)

Example 4

Contractor agrees not to reveal to third parties any information not generally known concerning computer programs and technical information which may be proprietary to Customer. Contractor further agrees to respect and safeguard in every way practicable the proprietary nature of computer programs and technical information and to ensure that any copies of such programs or information, in whole or in part, in Contractor's possession at termination of this contract, whether in human or machine readable form, are destroyed or returned to Customer. Contractor further agrees not to copy or cause to be copied, any such programs or related information except as may be required for the performance of work assigned to Contractor under this contract. Contractor also agrees to comply with Customer's policies concerning privacy of information and computer files. (S5)

The integrity of Customer's data must be maintained. (S4)


Contractor support services

Example 1

Within fourteen days from execution of this contract by the parties, Contractor will designate a point of contact (POC) for Customer. This POC will be Customer's primary interface with Contractor, and will coordinate the delivery of software and services provided for under this contract. The POC will assist Customer in scheduling the tasks to be accomplished during the contract execution period and will provide advice on techniques for software installation and execution. These services will be available to Customer for one year following software delivery. (S3)

Example 2

From time to time, Contractor may release new versions of the delivered software. Failure to load and operate these new versions within sixty days of receipt by Customer may result in suspension of Contractor support services. (S3)


Ownership rights

Example 1

The [Customer or Contractor] shall retain all title, copyright, and other proprietary rights in the delivered software. The [Contractor or Customer] does not acquire any rights, express or implied, in the delivered software. (S2)


Performance indicators and specifications

Example 1

Number of security violations.
Number of unauthorized and successful accesses to systems or data.
Number of software vulnerabilities in Contractor's systems or in Customer's systems caused by installation or upgrade of Contractor systems. (S4)

The contract should establish specifications against which Contractor's performance of services under the contract can be measured. Possible measurements include:

  1. Hours each day during which the on-line system must be available (may vary depending upon the application).
  2. Overall system availability: for any specified period of time, the percentage of time that the system is available to Customer.
  3. On-line response times. (S5)

Contractor's failure to meet performance specifications:

  1. Generally will constitute a breach of warranty, but the remedy for breach (i.e., cancellation) may not be appropriate unless the breach is habitual and materially adversely affects Customer.
  2. Consider providing a financial penalty to Contractor if performance specifications are not met over any period. (S5)

Security policy

Example 1

All Contractor security practices and procedures must be compatible with and sufficient to satisfy Customer's [corporate and business unit specific] security policy [attach the policy]. (S4)

Contractor shall instruct its employees, agents, and subcontractors that they shall comply with Customer's security, access, and safety requirements for the protection of Customer's facilities and employees while on Customer's premises. (S6)


Security requirements

Example 1

The security management process must be integrated with the configuration management process to ensure security compliance for new hardware and software installations. (S4)

The security management process must be integrated with the problem management process to ensure the availability of Customer's systems and data to authorized users 24 hours a day, 7 days a week. (S4)

Example 2

If Contractor installs any software traps which are designed to terminate or disrupt the operation of the software at the end of any term, or for failure to install the software on the designated CPU or for any other purpose, Contractor shall give Customer written notification of the existence of such software traps no later than the delivery date for the software. (S6)

If Contractor installs in the software any features which can be invoked by the use of special passwords, or which use a supervisor mode, master mode, route, or backdoor means to invoke special features of the software, Contractor shall provide Customer with documentation on the use of such features no later than the delivery date for the software. (S6)

If Contractor uses software techniques which self-modify software obtained for use on a given personal computer or microcomputer (PC) so as to prevent that software from being used on another PC, then Contractor shall inform Customer prior to acceptance of an order for that software. (S6)

If Contractor offers group encryption to enable transfer of such software from one PC to another, then Contractor shall inform Customer of such offering prior to accepting this license. If Contractor's software uses encryption techniques but Contractor does not offer group encryption, then Contractor shall furnish a mutually agreeable quantity of spare copies of the software. Customer shall erase and return the media containing the software which has been encrypted to a specific PC and which becomes defective. For each copy returned, Contractor will provide a replacement spare copy to Customer's PC maintenance center. (S6)


Software acceptance

Example 1

Customer has 45 days from the completion date to accept the results of software installations and modifications as acceptable. (S1)

Example 2

For each version of delivered software, Customer shall have a thirty (30) day acceptance period beginning on the date of software delivery. During the acceptance period, Customer may [cancel the contract, decline the delivered software] by giving written notice to Contractor and returning the delivered software. Unless such notice is given, the delivered software will be deemed accepted by Customer at the end of the acceptance period. (S2)

Example 3

Contractor shall certify in writing to Customer when the delivered software is installed. The performance period, 30 consecutive calendar days, shall commence on the first working day following receipt by Customer of certification, at which time operational control becomes the responsibility of Customer. For each of the delivered software [applications, programs, modules, components] ordered by Customer for installation, a separate standard of performance will be established and mutually agreed to by both parties. These standards of performance are as follows: [specify acceptable performance criteria for delivered software, including demonstrated satisfaction of security requirements and policy/procedures] (S3)

Customer's and Contractor's standard of performance shall be met when the system operates in conformance with [the contract, the statement of work, Contractor's proposed standards or published specifications] at an average level of 97% or more of operational use time for a period of 30 consecutive calendar days or 100 hours, whichever is greater, from the commencement date of the performance period. The average effectiveness level is a percentage figure determined by dividing the total operational use time by the total operational use time plus associated down time. When a system involves remote access, the required effectiveness level shall apply separately to the system and to each item of remote hardware. (S3)

Example 4

Updates and/or upgrades to any system or service will not, absent Customer's express written permission, degrade the performance of any services or systems, or any portions thereof, impair Customer's intended use or the functioning of the systems, or impair in any way Customer's ability to support the operation of the systems, or any portions thereof for an unreasonable time. (S5)

Example 5

Customer shall have ninety days from the date on which the system is fully operational (defined as performing all functions set forth in [statement of work, other contract attachment or schedule]) in which to rescind this contract if for any reason (such as system's performance, response time, or reliability being unsatisfactory to Customer), such contract is deemed by Customer to be (or to have been) inappropriate. In the event of such rescission, each party shall promptly return to the other any and all items, funds, and property of any sort received. (S5)


System requirements

Example 1

The delivered software is designed to run only on the operating system software at the release level, version, and modification level indicated in [schedule, attachment, other documentation, specified here]. From time to time, new release levels or new versions or new modifications of these operating systems may become available. If so, Contractor may request Customer to operate Contractor delivered software under such new releases, new versions, or new modifications. Failure to do so by Customer within the date specified by Contractor may result in suspension of Contractor support services. Customer must obtain and migrate to the required operating system software at its own expense. (S3)


Termination

Example 1

The [Customer or Contractor] may terminate this contract upon written notice [at any time; if the [Contractor or Customer] materially breaches this contract and fails to correct the breach within 30 days following written notice specifying the breach]. (S2)

Example 2

Customer may terminate this contract at any time after system acceptance by giving Contractor five days written notice of such action. In such event, Customer shall be liable only for payment in accordance with the payment provisions of this contract for satisfactory work done and services performed prior to the effective date of the termination. If Contractor terminates, Customer may, at its sole discretion, require that Contractor complete work in progress or any or all specific engagements or projects, and such completed work will be subject to approval by Customer before payment therefor is made, said approval not to be unreasonably withheld. (S5)

Example 3

All Customer property in the possession or control of Contractor including, but not limited to, specifications, documentation, source code, magnetic media, and building entry keys and cards, as well as all material developed or derived by Contractor in performing its duties under this contract, will be returned by Contractor to Customer on demand or at the termination of this contract, whichever shall come first. (S5)


Warranties

Example 1

Contractor warrants that its services and software will be of professional quality conforming to generally accepted data processing and consulting practices. Contractor warrants that any software problems discovered in Contractor's software within one year from date of contract completion will be corrected by Contractor at no additional charge. (S1)

Example 2

Contractor warrants for a period of one year from the start of this contract that the delivered software will perform the functions described in the [contract, statement of work, supporting documentation]. Contractor does not warrant that the delivered software will operate in combinations other than as specified in the [contract, statement of work, supporting documentation] or that the operation of the delivered software will be uninterrupted or error-free. (S2)

For any breach of the warranties, Customer's exclusive remedy, and Contractor's entire liability shall be the correction of errors in the delivered software that cause the breach of the warranty or if Contractor is unable to make the delivered software operate as warranted, Customer shall be entitled to terminate the contract and recover specified fees. (S2)

Example 3

Contractor will perform the services specified in a competent and professional workmanlike manner, and in accordance with generally accepted standards. Contractor makes no other warranties whatsoever. (S3)

Example 4

Contractor hereby represents and warrants to Customer that all services, work, and deliverables to be performed hereunder shall be performed by qualified personnel in a professional and workmanlike manner, in accordance with the highest industry standards. (S5)


References

[1] Hancock (ed.). Model Agreements for Corporate Counsel. Chesterland, OH: Business Laws, Inc., 1997.

[2] Hancock (ed.). Purchaser's Formbook of Contracts and Agreements. Chesterland, OH: Business Laws, Inc., 1997.


Copyright 1997 Carnegie Mellon University
CERT is registered in the U.S. Patent and Trademark Office.

Page revised: March 3, 1998
URL: http://www.cert.org/security-improvement/implementations/i018.01.html