20240731IPC to Staff 22c - Supplemental Security Terms CSF028.pdf

IDAHO POWER
An IDACORP Company

IDAHO POWER COMPANY
Supplemental Security Terms

In addition to any other Security measures required in the Agreement, Contractor shall comply with all additional Security requirements set forth in these Supplemental Security Terms.

1. General Supplemental Security Obligations of Contractor

a) Contractor shall verify the impacts of additional Security features and take commercially reasonable actions not to adversely affect IPC's connectivity, latency, bandwidth, or response time.
b) Contractor will provide to IPC the Contractor's cybersecurity policy which shall be consistent with industry standard practices (e.g., NIST Special Publication 800-53 (Rev. 4) as may be amended). Contractor will implement and comply with its established cybersecurity policy. Any changes to Contractor's cybersecurity policy as applied to products and services provided to IPC under this Agreement and IPC Data shall not decrease the protections afforded to IPC or IPC Data and any material changes shall be communicated to the IPC in writing by Contractor prior to implementation.
c) All of Contractor's provided software installations shall contain code that is digitally signed to ensure the software has not been altered or corrupted before installation on an IPC network.
d) Contractor shall provide summary documentation of the Contractor-delivered solutions ("Solution(s)") security features and security-focused instructions on product maintenance, support, and reconfiguration of default settings.
e) As requested by IPC, Contractor shall make any of IPC's Data in the possession or control of Contractor available to IPC within 10 business days, unless a different timeframe is specified by IPC.
f) For all Solutions provided to IPC, Contractor shall remove all software components that are not required for the operation and/or maintenance of the Solution. If removal is not technically feasible, then the Contractor shall disable software not required for the operation and/or maintenance of the Solution. This removal shall not impede the primary functions of the Solution. If software that is not required cannot be removed or disabled, the Contractor shall document a specific explanation and provide risk mitigating recommendations and/or specific technical justification. Contractor shall provide documentation on what is removed and/or disabled. The software to be removed and/or disabled shall include, but is not limited to:
   i. Games
   ii. Device drivers for product components not procured/delivered
   iii. Messaging services (e.g., email, instant messenger, peer-to-peer file sharing)
   iv. Source code
   v. Software compilers in user workstations and servers
   vi. Software compilers for programming languages that are not used in the energy delivery system
   vii. Unused networking and communications protocols
   viii. Unused administrative utilities, diagnostics, network management, and system management functions
   ix. Backups of files, databases, and programs used only during system development
   x. All unused data and configuration files
CSF028 (6/1/2020)
   xi. All "call home" or remote access features of the acquired product unless explicitly requested by Idaho Power
g) Contractor shall encrypt electronic information in transit over Contractor's networks and at rest (in storage) on Contractor's information systems where appropriate or required by applicable laws and in the following circumstances: (1) the processing of IPC Data on any mobile device or mobile storage or removable media, including laptop computers, smart phones, USB devices ("thumb drives") and tapes/DVDs, and (2) electronic transfers of IPC Data by Contractor outside of its network.

2. Authentication and Password Management

a) Contractor shall not permit IPC user credentials to be transmitted or stored in clear text.
b) Contractor shall not hardcode passwords into software or scripts.
c) Contractor shall only allow access protocols that encrypt or securely transmit login credentials (e.g., tunneling through Secure Shell Terminal Emulation [SSH], Transport Layer Security [TLS]).
d) Contractor shall provide a configurable account password management system that allows for IPC to configure the following:
   i. Changes to passwords (including default passwords)
   ii. Selection of password length
   iii. Frequency of change
   iv. Setting of required password complexity
   v. Number of login attempts prior to lockout
   vi. Inactive session logout
   vii. Screen lock by application
e) Contractor shall provide documentation on all user accounts (including, but not limited to, generic and/or default) that need to be active for proper operation of the Solution.
f) Contractor shall incorporate general security principles of "separation of duties" and "least privilege" with respect to access to IPC Data, including a process by which Contractor's employee and other user accounts may only be created with proper leadership approval and are timely deleted, with an auditable history of changes, annual review, and remediation for excess access authorization.

3. Controls for Remote Access

a) Contractor shall coordinate with IPC on all remote access to IPC's systems and networks, regardless of interactivity, and shall comply with any controls for interactive remote access and system-to-system remote access sessions requested by IPC (e.g., two factor or token).
b) Contractors that directly, or through any of their affiliates, subcontractors or service providers, connect to IPC's systems or networks agree to the additional following protective measures:
   i. Contractor will not access, and will not permit any other person or entity to access, IPC's systems or networks without IPC's written authorization and any such actual or attempted access will be consistent with any such written authorization.
   ii. Contractor shall implement processes designed to protect credentials as they travel throughout their network and shall ensure that network devices have encryption enabled for network authentication to prevent possible exposure of credentials.
   iii. Contractor shall ensure Contractor Personnel do not use any virtual private network or other device to simultaneously connect machines on any IPC system or network to any machines on any Contractor or third-party systems, without:
      1. using only a remote access method consistent with IPC's remote access control policies, and
      2. providing IPC with the full name of each individual who uses any such remote access method and the phone number and email address at which the individual may be reached while using the remote access method, and
      3. ensuring that any computer used by Contractor personnel to remotely access any IPC system or network will not simultaneously access the Internet or any other third-party system or network while logged on to IPC systems or networks.
   iv. Contractor shall ensure Contractor Personnel accessing IPC networks are uniquely identified and that accounts are not shared between Contractor personnel.

4. Single sign-on (SSO) Requirements

a) If SSO is offered, Contractor shall provide the following:
   i. Documentation on configuring a single-sign-on integration with Contractor, and
   ii. A secure method of authentication (e.g., strong two-factor authentication) in any implementation of single sign-on to its suite of applications.
b) Contractor shall protect key files and access control lists used by the single-sign-on system from non-administrative user read, write, and delete access. The single-sign-on system must resolve each individual user's credentials, roles, and authorizations to each application.

5. Logging and Auditing

a) Contractor shall provide IPC with access to log files via application interfaces accessible by privileged users only, or provide a method for the secure transfer or forwarding of security log files to IPC.
b) Contractor security log files shall support IPC's minimum security auditing requirements as listed below, and maintained during the term of the Agreement and for a period of one (1) year after termination or expiration of the Agreement.
   i. Successful and unsuccessful authentication and access attempts
   ii. Account changes
   iii. Privileged use audit trails
   iv. Time stamps on audit trails and log files
   v. Application start-up and shutdown
   vi. Application failures
   vii. Major application configuration changes
c) Contractor shall provide a list of all log management capabilities that the Solution is capable of generating and the format of those logs. This list shall identify which of those logs are enabled by default.

6. Cloud Solution Requirements for Software as a Service and Platform as a Service Solutions

a) Contractor shall continuously monitor the security and functionality of the Solution, and respond to any security incidents or failures to comply with the security requirements of this Agreement without waiting for notification by IPC that there is a problem. Without limiting the foregoing, Contractor shall perform the following monitoring activities:
   i. 24 hour a day, 7 day a week, 365/366 day a year monitoring of the Contractor-operated components of the Solution.
   ii. Detect and issue automated alarms with respect to the material degradation or failure of any security safeguard.
   iii. Automated alarm notification delivery to appropriate IPC personnel.
   iv. Error logging and monitoring of key security performance indicators.
   v. Promptly notify IPC by phone and email of those alarm conditions that Contractor determines in its reasonable judgment, if not corrected in a timely manner, have the potential to lead to a Security Incident.
b) Contractor cloud logins shall provide IPC the option to implement MFA (multi-factor authentication) at login for all Contractor-hosted solutions.
c) Contractor cloud solutions shall provide IPC the option to implement a mechanism to ensure that all logins for IPC users are denied access by default, unless their originating Internet Protocol ("IP") is coming from IPC's public IPv4 address space and/or IPv6 address space.

7. Networking and Communications

a) Contractor shall provide a method for managing the network components of the Solution and changing configurations, including hardware and software configurations (e.g., addressing schemes).
b) Contractor shall provide documentation that the network configuration management interface is secured.

8. Penetration Testing and Code Review

a) Contractor shall maintain secure product development life cycle initiatives that include standards, practices (including continuous improvement), and development environments (including the use of secure coding practices) used to create or modify Contractor-provided system hardware, software, and firmware. If applicable, Contractor shall conduct OWASP Top 10 or SANS Top 25 most dangerous software errors testing, to ensure that the most critical application security weaknesses are addressed in Contractor's SDLC (System Development Life Cycle).
b) Contractor shall communicate security-related technical issues with a single technical point of contact (e.g., a company support email address or a company support phone number), as specified by IPC. Contractor shall communicate with IPC within 24 hours. This is not intended for nontechnical contract-related issues.
c) Contractor shall provide attestation of all input validation testing including, but not limited to, measures for prevention of command injection, Structured Query Language (SQL) injection, directory traversal, Remote File Include, Cross-Site Scripting (XSS), and buffer overflow.

9. Vulnerability Remediation

a) Contractor shall implement a vulnerability detection and remediation program.
b) Contractor shall develop and implement policies and procedures to address the disclosure and remediation by Contractor of vulnerabilities and material defects related to the products and services provided to IPC under this Agreement, including the following:
   i. Prior to the delivery of the procured product or service, Contractor shall provide or direct IPC to an available source of summary documentation of publicly disclosed vulnerabilities and material defects in the procured product or services, the potential impact of such vulnerabilities and material defects, the status of Contractor's efforts to mitigate those publicly disclosed vulnerabilities and material defects, and Contractor's recommended corrective actions, compensating security controls, mitigations, and/or procedural workarounds.
   ii. Contractor shall provide or direct IPC to an available source of summary documentation of vulnerabilities and material defects in the procured product or services within thirty (30) calendar days after such vulnerabilities and material defects become known to Contractor. This includes summary documentation on vulnerabilities that have not been publicly disclosed or have only been identified after the delivery of the product. The summary documentation shall include a description of each vulnerability and material defect and its potential impact, root cause, and recommended corrective actions, compensating security controls, mitigations, and/or procedural workarounds.
   iii. Contractor shall disclose the existence of all known methods for bypassing computer authentication in the procured product or services, often referred to as backdoors, and provide written attestation that all such backdoors created by Contractor have been permanently deleted or disabled.
   iv. Contractor shall implement a vulnerability detection and remediation program consistent with industry standards (e.g., ISO-27417 Vulnerability Disclosure, NIST Cybersecurity Framework v1.1 Reference RS.AN-5, NIST Special Publication 800-53 Rev. 4 RA-5, SA-11, and SI-2, as may be amended).

10. Disclosure of Vulnerabilities by IPC

a) Whether or not publicly disclosed by Contractor and notwithstanding any other limitation in this Agreement, IPC may disclose any vulnerabilities, material defects, and/or other findings related to the products and services provided by Contractor to:
   i. the Electricity Information Sharing and Analysis Center, the United States Cyber Emergency Response Team, or any equivalent entity or program;
   ii. to any applicable U.S. governmental entity when necessary to preserve the reliability of the BES as determined by IPC in its sole discretion; or
   iii. any entity required by applicable law.

11. Viruses, Firmware and Malware

a) Contractor will use reasonable efforts to investigate whether computer viruses or malware are present in any software or patches before providing such software or patches to IPC. To the extent Contractor is supplying third-party software or patches, Contractor will use reasonable effort to ensure the third-party investigates whether computer viruses or malware are present in any software or patches prior to providing them to IPC or installing them on IPC's information networks, computer systems, and information systems.
b) Contractor warrants that it has no knowledge of any computer viruses or malware coded or introduced into any software or patches, and Contractor will not insert any code which would have the effect of disabling or otherwise shutting down all or a portion of such software or damaging information or functionality. To the extent Contractor is supplying third-party software or patches, Contractor will use reasonable efforts to ensure the third-party will not insert any code which would have the effect of disabling or otherwise shutting down all or a portion of such software or damaging information or functionality.
c) When install files, scripts, firmware, or other Contractor delivered software solutions (including third-party install files, scripts, firmware, or other software solutions) are flagged as malicious, infected, or suspicious by an anti-virus vendor, Contractor must provide or arrange for the provision of technical justification as to why the "false positive" hit has taken place to ensure their code's supply chain has not been compromised.
d) If a virus or other malware is found to have been coded or otherwise introduced as a direct result of Contractor's breach of its obligations under this Agreement, Contractor shall upon written request by IPC and at its own cost:
   i. Take all necessary remedial action and provide assistance to IPC to eliminate the virus or other malware throughout IPC's information networks, computer systems, and information systems, regardless of whether such systems or networks are operated by or on behalf of IPC; and
   ii. If the virus or other malware causes a loss of operational efficiency or any loss of data (A) where Contractor is obligated under this Agreement to back up such data, take all steps necessary and provide all assistance required by IPC and its affiliates, and (B) where Contractor is not obligated under this Agreement to back up such data, use commercially reasonable efforts, in each case to mitigate the loss of or damage to such data and to restore the efficiency of such data.

12. Hardware, Firmware, Software, and Patch Integrity and Authenticity:

a) Contractor shall establish, document, and implement risk management practices for supply chain delivery of hardware, software (including patches), and firmware provided under this Agreement. Contractor shall provide documentation on its: chain-of-custody practices, inventory management program (including the location and protection of spare parts), information protection practices, integrity management program for components provided by sub-suppliers, instructions on how to request replacement parts, and commitments to ensure that for 72 months, spare parts shall be made available by Contractor.
b) Contractor shall specify how digital delivery for procured products (e.g., software and data) including patches will be validated and monitored to ensure the digital delivery remains as specified. If IPC deems that it is warranted, Contractor shall apply encryption technology to protect procured products throughout the delivery process.
c) If Contractor provides software or patches to IPC, Contractor shall publish or provide a hash conforming to the Federal Information Processing Standard (FIPS) Security Requirements for Cryptographic Modules (FIPS 140-2) or similar standard information on the software and patches to enable IPC to use the hash value as a checksum to independently verify the integrity of the software and patches and avoid downloading the software or patches from Contractor's website that has been surreptitiously infected with a virus or otherwise corrupted without the knowledge of Contractor.
d) Contractor shall identify or provide IPC with a method to identify the country (or countries) of origin of the procured Contractor product and its components (including hardware, software, and firmware). Contractor will identify the countries where the development, manufacturing, maintenance, and service for the Contractor product are provided. Contractor will notify IPC of changes in the list of countries where Contractor product maintenance or other services are provided in support of the procured product. This notification in writing shall occur at least 180 days prior to initiating a change in the list of countries.
e) Contractor shall use or arrange for the use of trusted channels to ship procured products, such as U.S. registered mail and/or tamper-evident packaging for physical deliveries.
f) Contractor shall demonstrate a capability for detecting unauthorized access throughout the delivery process.
g) Contractor shall demonstrate chain-of-custody documentation for procured products as determined by IPC in its sole discretion and require tamper-evident packaging for the delivery of this hardware.

13. Patching Governance

a) Prior to the delivery of any products and/or services to IPC or any connection of electronic devices, assets or equipment to IPC's electronic equipment, Contractor shall provide documentation regarding the patch management and vulnerability management/mitigation programs and update process (including third-party hardware, software, and firmware) for products, services, and any electronic device, asset, or equipment required by Contractor to be connected to the assets of IPC during the provision of products and services under this Agreement. This documentation shall include information regarding:
   i. the resources and technical capabilities to sustain this program and process such as the method or recommendation for how the integrity of a patch is validated by IPC; and
   ii. the approach and capability to remediate newly reported zero-day vulnerabilities for Contractor products.
b) Unless otherwise approved by the IPC in writing, the current or supported version of Contractor products and services supplied by Contractor shall not require the use of out-of-date, unsupported, or end-of-life version of third-party components (e.g., Java, Flash, Python, Web browser, etc.).
c) Contractor shall verify and provide documentation that procured products (including third-party hardware, software, firmware, and services) have appropriate updates and patches installed prior to delivery to IPC.
d) In providing the products and services described in this Agreement Contractor shall provide or arrange for the provision of appropriate software and firmware updates to remediate newly discovered vulnerabilities or weaknesses for Contractor products within 30 calendar days. Updates to remediate critical vulnerabilities shall be provided within a shorter period than other updates, within 7 calendar days. If updates cannot be made available by Contractor within these time periods, Contractor shall provide mitigations, methods of exploit detection, and/or workarounds within 30 calendar days.
e) When third-party hardware, software (including open-source software), and firmware is provided by Contractor to IPC, Contractor shall provide or arrange for the provision of appropriate hardware, software, and/or firmware updates to remediate newly discovered vulnerabilities or weaknesses, if applicable to the IPC's use of the third-party product in its system environment, within 30 days of availability from the original supplier and/or patching source. Updates to remediate critical vulnerabilities applicable to the Contractor's use of the third-party product in its system environment shall be provided within a shorter period than other updates, within 7 days of availability from the original supplier and/or patching source. If applicable third-party updates cannot be integrated, tested and made available by Contractor within these time periods, Contractor shall provide or arrange for the provision of recommended mitigations and/or workarounds within 30 calendar days.

14. Obligation to Provide Updates to Avoid End of Life Operating Systems

a) Contractor delivered solutions will not be allowed to reside on end-of-life operating systems, or any operating system that will go end-of-life 6 months from the date of installation. Contractor shall not store, process, or transmit IPC data on any end-of-life operating system.
b) Contractor solutions will support the latest version of operating systems on which Contractor-provided software functions within 24 calendar months from official public release of that operating system version.

15. Wireless Technologies

The term "wireless technologies" refers to any technology (e.g., radio, microwave, infrared, and ZigBee) that allows analog and digital communication without the use of wires.

a) Contractor shall provide documentation on specific protocols and other detailed information required for wireless devices to communicate with the control network, including other wireless equipment that can communicate with Contractor-supplied devices.
b) Contractor shall provide documentation on use, capabilities, and limits for any wireless devices provided as part of the Solution.
c) Contractor shall provide documentation on the power and frequency requirements of the wireless devices (e.g., microwave devices meet the frequency requirements of Generic Requirements [GR]-63 Network Equipment Building System [NEBS] and GR-1089).
d) Contractor shall provide documentation on the range of the wireless devices and verify that the range of communications is minimized to both meet the needs of IPC's proposed deployment and reduce the possibility of signal interception from outside the designated security perimeter.
e) Contractor shall attest that the wireless technology and associated devices comply with standard operational and security requirements specified in applicable wireless standard(s) or specification(s) (e.g., applicable IEEE standards, such as 802.11).
f) Contractor shall demonstrate—through providing summary test data—that known attacks (e.g., those documented in the Common Attack Pattern Enumeration and Classification [CAPEC] list, such as malformed packet injection, man-in-the-middle attacks, or denial-of-service attacks) do not cause the receiving wireless devices to crash, hang, be compromised, or otherwise malfunction.

16. Cryptographic Requirements

a) Contractor shall document how the cryptographic system supporting the Contractor's products and/or services procured under this Agreement protects the confidentiality, data integrity, authentication, and non-repudiation of devices and data flows in the underlying system. This documentation shall include, but not be limited to, the following:
   i. The cryptographic methods (hash functions, symmetric key algorithms, or asymmetric key algorithms) and primitives (e.g., Secure Hash Algorithm [SHA]-256, Advanced Encryption Standard [AES]-128, RSA, and Digital Signature Algorithm [DSA]-2048) that are implemented in the system, and how these methods are to be implemented.
   ii. The preoperational and operational phases of key establishment, deployment, ongoing validation, and revocation.
b) Contractor will use only "approved" cryptographic methods as defined in the FIPS 140-2 Standard when enabling encryption on its products.
c) Contractor shall provide or arrange for the provision of an automated remote key-establishment (update) method that protects the confidentiality and integrity of the cryptographic keys.
d) Contractor shall ensure that:
   i. The system implementation includes the capability for configurable cryptoperiods (the life span of cryptographic key usage) in accordance with the Suggested Cryptoperiods for Key Types found in Table 1 of NIST 800-57 Part 1, as may be amended.
   ii. The key update method supports remote re-keying of all devices within 90 calendar days as part of normal system operations. Emergency re-keying of all devices can be remotely performed within 30 calendar days.
e) Contractor shall provide or arrange for the provision of a method for updating cryptographic primitives or algorithms.

17. Actions Upon Termination of Agreement

a) Upon termination of the Agreement by either Party or upon completion of the delivery of the products and services to be provided under this Agreement, or at any time upon IPC request, Contractor will return to IPC all hardware and removable media provided by IPC containing IPC Data. IPC Data in such returned hardware and removable media shall not be removed or altered in any way. The hardware must be physically sealed and returned via a bonded courier or as otherwise directed by IPC. If the hardware or removable media containing IPC Data is owned by Contractor or a third-party, a signed statement detailing the destruction method used and the data sets involved, the date of destruction, and the entity or individual who performed the destruction must be sent by Contractor to a designated IPC security representative within 30 calendar days after completion of the delivery of the products and services to be provided under this Agreement, or at any time upon IPC's request. Contractor's destruction or erasure of IPC Data pursuant to this section shall be in compliance with best industry practices (e.g., Department of Defense 5220-22-M Standard, as may be amended).
b) Upon termination of the Agreement, at no charge to IPC, Contractor shall provide IPC a flat file export of data entered into Contractor systems in a timeframe not to exceed 30 calendar days using a mutually agreeable format. Current (at time of execution of the contract) acceptable formats include CSV, delimiter-separated value text files, or other mutually agreed upon non-proprietary formats. This export shall explicitly exclude the algorithms, logic, design, and coding methodology embodied in the Solution, or website, and all software and technology Contractor uses to provide Services.
c) Upon expiration or termination of the Agreement, any IPC network communications links installed by or through Contractor shall be terminated and removed.

18. BES CIP 13 - Supplemental Security Terms

a) Development and Implementation of Access Control Policy - Contractor shall develop and implement policies and procedures to address the security of Contractor's remote and onsite access to IPC Data, IPC systems and networks, and IPC property that is consistent with the personnel management requirements of industry standard practices (e.g., NIST Special Publication 800-53 Rev. 4 AC-2, PE-2, PS-4, and PS-5 as may be amended) and also meets the following requirements:
b) IPC Authority Over Access - In the course of furnishing products and services to IPC under this Agreement, Contractor shall not access, and shall not permit its employees, agents, contractors, and other personnel or entities within its control ("Contractor Personnel") to access IPC's property, systems, or networks or IPC Data without IPC's prior express written authorization. Such written authorization may subsequently be revoked by IPC at any time in its sole discretion. Further, any Contractor personnel access shall be consistent with, and in no case exceed the scope of, any such approval granted by IPC. All IPC authorized connectivity or attempted connectivity to IPC's systems or networks shall be in conformity with IPC's security policies as may be amended from time to time with notice to the Contractor.
c) Contractor Review of Access - Contractor will review and verify Contractor personnel's continued need for access and level of access to IPC Data and IPC systems, networks and property on a quarterly basis and will retain evidence of the reviews for two years from the date of each review.
d) Notification and Revocation - Contractor will immediately notify IPC in writing (no later than close of business on the same day as the day of termination or change set forth below) and will immediately take all steps necessary to remove Contractor personnel's access to any IPC Data, systems, networks, or property when:
   i. any Contractor personnel no longer requires such access in order to furnish the services or products provided by Contractor under this Agreement,
   ii. any Contractor personnel is terminated or suspended or his or her employment is otherwise ended,
   iii. Contractor reasonably believes any Contractor personnel poses a threat to the safe working environment at or to any IPC property, including to employees, customers, buildings, assets, systems, networks, trade secrets, confidential data, and/or employee or IPC Data,
   iv. there are any material adverse changes to any Contractor personnel's background history, including, without limitation, any information not previously known or reported in his or her background report or record,
   v. any Contractor personnel fails to maintain conduct in accordance with the qualification criteria set forth in IPC's Independent Contractors Request for Unescorted Physical or Electronic Access Form (or equivalent or successor form).
   vi. any Contractor personnel loses his or her U.S. work authorization
   vii. Contractor's provision of products and services to IPC under this Agreement is either completed or terminated, so that IPC can discontinue electronic and/or physical access for such Contractor personnel.
   viii. Contractor will take all steps reasonably necessary to immediately deny such Contractor Personnel electronic and physical access to IPC Data as well as IPC property, systems, or networks, including, but not limited to, removing and securing individual credentials and access badges, multifactor security tokens, and laptops, as applicable, and will return to IPC any IPC-issued property including, but not limited to, IPC photo ID badge, keys, parking pass, documents, or electronic equipment in the possession of such Contractor personnel. Contractor will notify IPC at ICProgram@idahopower.com once access to IPC Data as well as IPC property, systems, and networks has been removed.

18.1 Regulatory Examinations: Contractor agrees that any regulator or other governmental entity with jurisdiction over IPC and its affiliates may examine Contractor's activities relating to the performance of its obligations under this Agreement to the extent such authority is granted to such entities under the law. Contractor shall promptly cooperate with and provide all information reasonably requested by the regulator or other governmental entity in connection with any such examination and provide reasonable assistance and access to all equipment, records, networks, and systems reasonably requested by the regulator or other governmental entity. Contractor agrees to comply with all reasonable recommendations that result from such regulatory examinations within reasonable timeframes at Contractor's sole cost and expense. The foregoing cooperation and assistance will be rendered at Contractor's then-current time and materials rates, subject to IPC's prior written authorization.