Colorado Department of Education Contract Management System Number 95549 PO Number DAA 2017-0328

CONTRACTAMENDMENTNUMBER7

1. PARTIES

This Amendment to the above-referenced Original Contract (hereinafter called the Contract) is entered into by and between the Board of Regents of the University of Wisconsin System, on behalf of the University of Wisconsin-Madison's Wisconsin Center for Education Research, 1025 W. Johnson Street, Madison, WI 53 706 (hereinafter called Contractor or WIDA or WCER), and the State of Colorado (hereinafter called the State) acting by and through the Colorado Department of Education (hereinafter called COE), 201 East Colfax, Denver, Colorado 80203.

2. EFFECTIVE DATE AND ENFORCEABILITY

This Amendment shall not be effective or enforceable until it is approved and signed by the Colorado State Controller or designee (hereinafter called the Effective Date). The State shall not be liable to pay or reimburse Contractor for any performance hereunder including, but not limited to, costs or expenses incurred, or be bound by any provision hereof prior to the Effective Date.

3. FACTUAL RECITALS

The Parties entered into the Contract to administer and score the Assessing Comprehension and Communication in English State-to-State for English Language Learners,, (ACCESS for ELLs®) in Colorado. The purpose of this amendment is to extend the performance period, add money for the extension, update the statement of work for the renewal, and update the privacy and security language to comply with 22-16-101 et. al., C.R.S.

4. CONSIDERATION-COLORADO SPECIAL PROVISIONS

The Parties acknowledge that the mutual promises and covenants contained herein and other good and valuable consideration are sufficient and adequate to support this Amendment. The Parties agree to replacing the Colorado Special Provisions with the most recent version (if such have been updated since the Contract and any modification thereto were effective) as part consideration for this Amendment.

Page 1 of 19 5. LIMITS OF EFFECT

This Amendment is incorporated by reference into the Contract, and the Contract and all prior amendments thereto, if any, remain in ful) force and effect except as specifically modified herein.

6. MODIFICATIONS

The Amendment and all prior amendments thereto, if any, are modified as follows:

A. Section IV. Definitions, the following definitions are deleted as they are now redefined in Section XI, Education Record Release, Data Use, Student Data Transparency and Security or not used in the Contract: "Covered Information," "Confidential Data," "Personally Identifiable Information (PU)," "Student Data."

B. Section V. Term and Early Termination, Subsection A., Initial Term-Work Commencement shall be amended by extending the performance period through September 30, 2017. The amended section states:

A. Initial Term-Work Commencement

The Parties' respective performances under this Contract shalJ commence on the later of either the Effective Date or September 1, 2012. This Contract shall terminate on September 30, 2017, unless sooner terminated or further extended as specified elsewhere herein.

C. Paragraph VI. Statement of Work, shall continue to apply for the 2016-2017 testing year. The initial sentence in VI.B.3. is hereby amended to read "WCER shall develop, administer and score the ACCESS for ELLs assessment for 2016/17 and future testing years in accordance with the following."

D. Paragraph VI. Statement of Work, Paragraph VI.B.3.a. is hereby deleted in its entirety and replaced with the following:

a. WCER shall provide and administer the assessment online or via paper as chosen by each district/school. WCER shall provide a printed version of the assessment as an accommodation and shall provide a printed version to districts/schools that do not have the required IT infrastructure to administer the online version.

E. Paragraph' VI. Statement of Work, Paragraph VJ.B. shall be amended by adding the following new paragraph VI.B.6. for the 2016-2017 testing year:

6. Consistency in Scoring for Online Versus Paper Assessments

Page 2 of 19 a. WCER shall ensure that the online and paper versions of the assessments, as given for the Consortium of States, are comparable and that neither provides a competitive advantage to a student based on the form of the test.

b. WCER shall train scorers to score assessment results identically and without bias.

c. In the event that there is a discrepancy in online versus paper scores, WCER in consultation with CDE, shall develop additional psychometric procedures to make the resulting scores comparable such that no competitive advantage is given to a student based on the format of the test.

F. Paragraph VI. Statement of Work, Paragraph VI.B. shall be amended by adding the following new paragraph VI.B.7. for the 2016-2017 testing year:

7. Subcontractors

a. In the event that. WCER intends to use a Subcontractor or is using a Subcontractor whose costs will increase the price charged to CDE for the Work under this Contract, WCER shall provide CDE with a copy of the subcontract and requirements documentation for review and approval. CDE at its sole discretion may deny the use of a subcontractor that would result in a price increase to CDE.

b. CDE may demand immediate removal of any of WCER's employees, agents, or Subcontractors from the Work whom the State deems incompetent, careless, insubordinate, unsuitable, or otherwise unacceptable or whose continued relation to this Contract is deemed by the State to be contrary to the public interest or the State's best interest. G. Paragraph VI. Statement of Work, Paragraph VI.B. shall be amended by adding the following new paragraph VI.B.8. for the 2016-2017 testing year:

8. WCER Screener Paper District Kits

a. Contractor shall either procure a qualified WIDA Screener paper vendor or print the WCER Screener Paper District Kits internally at WIDA. Contractor and CDE shall agree, in writing, upon a date by which WIDA Screener Kits will be delivered to the districts. Contractor shall provide two-hundred-five (205) WIDA Screener Paper Grades 1-12 District Kits - USB Option for distribution to districts. WIDA shall ship the kits directly to districts according to instructions provided by CDE to WCER; CDE shall provide shipping addresses and the number of kits to be sent to each district.

H. Paragraph VII. Payments to Contactor, Paragraph A.2. shall be amended by adding the following new paragraphs to VII.A.2.

Page 3 of 19 Colorado's actual test population for the 2015-16 testing year was 105,405 students for ACCESS for ELLs 2.0, and I ,265 students for the Alternate ACCESS. Assuming a 5% increase, Colorado's estimated test population for the 2016-17 testing year is 110,675 students for ACCESS for ELLs 2.0 and 1,325 students for the Alternate ACCESS. There will be an estimated 55,338 students talcing the online version, and 55,337 students taking the paper version.

CDE agrees to pay the yearly ACCESS for ELLs costs as follows:

Testing 2015-16 2016-17 2017-18 2018-19 Year

Online $25 .75 $25.75 Not-to-Exceed $26.25 Not-to-Exceed Price per $27.00 student Paper Price $25.75 $25.75 Not-to-Exceed $28.00 Not-to-Exceed per student $31.00 Alternate $75.00 $75.00 Not-to-Exceed $78.00 Not-to-Exceed Price per $80.00 student Total 112,883 110,675 116,209 122,020 Population Estimate Online 55,877 55,338 58,105 61,010 Population Estimate Paper 55,877 55,337 58,104 61,010 Population Estimate Alternate 1,129 1,325 1,390 1,460 Population Estimate Online $1 ,438,832.75 $1 ,424,953.50 $1,525,256.25 $1,647,270 Cost Estimate Paper Cost $1,438,832.75 $1,424,927.75 $1,626,912 $1,891 ,310 Estimate Alternate $84,675 $99,375 $108,420 $116,800 Cost Estimate Volume ($56,824.50) ($55,500) ($63,898.50) ($72,720) Discount Estimate $160 Estimated 15 Estimated 15 Estimated 18 students = Estimated 21 additional students = students = $2,880 students = $3,360 per student $2,400 $2,400 cost for Braille

Page 4 of 19 Testing 2015-16 2016-17 2017-18 2018-19 Year

ACCESS for ELLs WIDA Estimated = Screener 205 Kits Paper Grades 1- $84 per kit = 12 District $17,220 Kits Shipping 205 kits to be cost for shipped to WIDA 178 districts Screener District Estimated Kits shipping cost = $3,000 Maximum $2,907,916 $2,916,376.25 $3,199,569. 75 $3,586,020 Amount

1. For testing year 2016-17, if more than 75,000 students are tested by CDE, WCER shall discount the price of the online and/or paper test by $1.50 for the number of students tested in excess of 75,000 students. Future volume price discounts will be announced when future ACCESS pricing is determined.

2. WCER shall invoice as follows:

i. Upon WCER administering the ACCESS for ELLs 2.0 and the Alternate ACCESS assessment for 2016-2017, WIDA shall invoice for test development and administration costs of$1A48,078.

ii. Upon CDE confirming that WCER has shipped the WIDA Screener District Kits to the districts, WCER shall submit an invoice listing the number of WIDA Screener District Kits mailed, the shipping costs, the price per Kit, and the total amount owed for the Kits, not to exceed $20,220.

iii. Upon CDE's receipt and acceptance of WCER's scoring and reporting for the ACCESS for ELLs 2.0 and the Alternate ACCESS assessment for 2016-2017, WCER shall invoice for the balance of the cost, based on the actual number of students tested. The final invoice shaU be received no later than June 30, 2017 and CDE will pay within forty-five (45) calendar days.

Page S of19 1. The cost for test development, administration, pre-operational costs, and all other costs related to the Work are included in the price per tested student listed above; therefore, the $1,448,078 is already included in the Maximum amount listed for 2016-2017.

3. WCER will invoice COE for the printing and distribution costs of unused tests ordered, printed and distributed in excess of 115% of the number of actual students tested and CDE shall pay within forty-five (45) calendar days. WCER shall not print or distribute tests that will result in the State incurring a liability that exceeds the 2016-17 Contract Maximum amount shown in the above table ( either from an excess of unused tests or from an underestimation of the number of students to be tested as listed in the above table) until the table has been modified by an amendment to account for the increased liability. In the event that WCER receives an order{s) from a district{s)fschool(s) that would result in WCER printing excess or providing more tests than listed in the above table, WCER shall notify COE of the order.

4. The Daily rate for additional technical assistance or professional learning services will be determined at the time of purchase based on current Consortium member state pricing, WCER shalJ not provide greater than the free eight hours per testing year of technical assistance until the 2016-17 Contract Maximum amount shown in the table above has been modified by an amendment to account for the increased liability.

I. Section XI. EDUCATION RECORD RELEASE AND DATA USE, shall be deleted in its entirety and replaced with Section XI, EDUCATION RECORD RELEASE, DATA USE, STUDENT DATA TRANSPARENCY AND SECURITY as follows:

XI. EDUCATION RECORD RELEASE, DATA USE, STUDENT DATA T RANSPARENCY AND SECURITY

A. General 1. Contractor acknowledges that the unauthorized access to or dissemination of school student records is prohibited under state and federal law. In order to protect the privacy of students and parents, and to prevent the unauthorized disclosure or misuse of State's student personally identifiable infonnation, Contractor agrees to the obligations, assurances and requirements of this section. 2. The Family Education Rights and Privacy Act ("FERPA") allows educational agencies and institutions to discJose student Personally Identifiable Information from the education records of students, without consent of students or parents, to authorized representatives of SEAs in order to evaluate and comply with these federal programs and legal requirements. 20 U.S.C. § 1232g(b)(l)(C) and (b)(3) and 34 C.F.R. § 99.31(a)(3) and§ 99.35.

Page 6 of 19 3. For purpose of this agreement, "Personally Identifiable Information" (hereafter referred to as "PII") is defined as information that is collected, maintained, generated, or inferred and that, alone or in combination, personally identifies an individual student or the student's parent or family. The specific PII collected under this agreement is included in Exhibit B, WIDA State Student Response File Layout. In addition, PII shall include any other data that when combined, could identify an individual student. 4. This Section XI covers services provided by Contractor relating to State's federal requirements under the federal Every Student Succeeds Act of 2015, including, but not limited to the administration, scoring, validation and enhancement of the ACCESS for ELLS English language proficiency assessment ("Evaluation Services"). 5. This Contract, by its terms, establishes Contractor and its subcontractors as authorized representatives of State with respect to the Evaluation Services provided by Contractor. B. Acknowledgment of Release of Confidential Data and Description of Use. 1. The parties acknowledge that State is releasing PII to Contractor for the purposes outlined in this Section XI, and that the release of Pll to Contractor is necessary for the completion of Evaluation Services. The PII to be disclosed is described in the document attached to this agreement as Exhibit B, WIDA State Student Response File Layout. Contractor shall notify State and State shall provide written consent, ifapproved, of any changes to the list of disclosed PII necessary for the provision of Evaluation Services. 2. Contractor will use PII in order to facilitate the administration, scoring and reporting of individual student assessments and to connect student records from year to year in order to establish a longitudinal data set that can be used for the evaluation purposes described in this section. Once student records are connected, only de-identified data and/or aggregated data will be used for evaluation activities. 3. Contractor's collection, use, and sharing of State's PU is strictly limited to the uses specifically authorized under this Contract. Contractor acknowledges that any breach of this Contract that results in the misuse or unauthorized use of State's PD by Contractor or its subcontractor(s), etc., or any other violation of this Education Records Release, Data Use, Student Data Transparency and Security section may be determined to be a material breach of this Contract and grounds for termination. 4. Contractor shall not use PII in a manner or disclose PII to any third party that is materially inconsistent with the Contractor's privacy policy.

Page 7 of 19 5. If Contractor discovers that Subcontractor or any subsequent subcontractor has committed a material breach of the contract between Contractor and Subcontractor that involves the misuse or unauthorized release of PII, Contractor acknowledges that the State may terminate this Contract with Contractor unless Contractor tenninates the contract with Subcontractor as soon as possible after Contractor knows or has reason to know of Subcontractors' or any subsequent subcontractors' material breach.

6. Upon discovering the misuse or unauthorized release of PII (as defined in Section A.3.) held by Contractor, a Subcontractor, or any subsequent Subcontractor, Contractor shall notify COE within one (1) calendar day, regardless of whether the misuse or unauthorized release by the Subcontractor is a result of a material breach of the terms of the Contract or results in "breach" or "high-risk security incident/' as these terms are defined in Contractor's Secure Data Breach Policy, in Exhibit 0, WCER Standard Security Policies and Procedures.

7. Should Contractor not comply with the requirements of this Section and that non­ compliance results in the misuse or unauthorized release of PII by the Contractor, the State may terminate the Contract immediately as provided under this Contract. C. Designation of Authority and State Access to System. 1. State hereby designates Contractor and its subcontractors including and limited to Data Recognition Corporation as authorized representatives of State with respect to the provision of Evaluation Services as stated in this agreement and, specifically, the use of PII disclosed under this Contract. 2. Contractor shall provide State and State's designated personnel with secure access to State's Pll via Contractor's Assessment Management System. D. Receiving Institution Obligations. 1. The undersigned receiving institution, Contractor, agrees to abide by the following guidelines.

a. Contractor shall not share these Pll with anyone, except those employees of Contractor's WIDA Consortium and Contractor's subcontractors, including Data Recognition Corporation ("Authorized Users") that are directly involved and have a legitimate interest in providing Evaluation Services according to the terms of the Contract.

b. Contractor shall comply and require all Authorized Users to comply with all laws and regulations concerning confidentiality of Pll including, but not limited to the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. Section 1232g; 34 C.F.R. Part 99 and any other applicable state and federal student privacy laws.

Page 8 of 19 c. Contractor shall require and maintain confidentiality agreements with each Authorized User of PII. The terms of the Authorized User confidentiality agreements shall contain, at a minimum, the terms and conditions of this Section XI. Education Record Release, Data Use, Student Data Transparency and Security and Exhibit D, WCER Standard Security Policies and Procedures. A copy of the current Contractor employee confidentiality agreement is attached to this agreement as Exhibit C. d. Contractor shall notify its agents, employees, Subcontractors, and assigns who may come into contact with PII that each is subject to the confidentiality requirements set forth in this Contract, and shall provide each with a written explanation of such requirements before permitting them to access PII. e. Contractor shall protect PII in a manner that does not permit personal identification of students and their parents by anyone except those bound by this agreement and State. Contractor and its subcontractors subject to this section shall maintain a comprehensive information security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of PII. A copy of Contractor's Standard Security Policies and Procedures is attached to this agreement as Exhibit D. In addition to the policies and procedures described in Exhibit D, Contractor shall meet the Data Security Assurances of Subsection G, below. Contractor shall notify State in accordance with the procedures expressed in Exhibit D if it learns of any security breach to Contractor's systems containing the PII or of any disclosure of PII to anyone other than Contractor Authorized Users or the State officials authorized to receive PII. Contractor shall cooperate and take all reasonable means prescribed by State to secure any breaches as soon as practicable. f. Contractor shall determine the cause of any breach and produce a remediation plan to reduce the risk of incurring a similar type of breach in the future and provided it to the State in accordance with the requirements of Exhibit D, WCER Standard Security Policies and Procedures. g. Contractor shall present its analysis and remediation plan to the State in accordance with Exhibit D, WCER Standards Security Policies and Procedures. The State and WIDA agree to collaborate on adjustments to this plan. In the event of a Breach, Contractor shall provide the State or its designated representatives with access to the Contractor's WCER IT Incident Response Team and those Contractor systems and facilities to which the Contractor's Chief Information Officer has access in accordance with Exhibit D, WCER Standards Security Policies and Procedures.

Page 9 of 19 h. Contractor shall not store, process or transfer Confidential Data outside the United States. Contractor shall not maintain or forward PH to or from any other facility or location except for backup and disaster recovery purposes. Any backup or disaster recovery contractor shalJ be considered a Subcontractor that must comply with the Subcontractor requirements in this agreement.

1. Contractor shalJ restrict access to PII solely to Authorized Users and ensure that the Pll is accessed only for the purposes described in this agreement.

J. Contractor shall destroy all PIT within forty-five (45) calendar days after it is no longer needed to perform the Evaluation Services described in this agreement, upon State's request or upon termination of this agreement, whichever occurs first or unless otherwise agreed upon in writing. PII shall not be retained by Contractor or its agents except as permitted in this Contract or approved in writing by the State. Contractor shall provide written notice of the data destruction to State within five (5) calendar days after the data is actually destroyed. State may request, within fifteen (15) calendar days after it is no longer needed to perform the Evaluation Services described in this agreement, a copy of all Pll retained by Contractor or its subcontractor in accordance with the Transfer Protocol section below. "Destroy" means to remove PII from Contractor's systems, paper files, records, databases, and any other media regardless of format so that the Pll is permanently irretrievable in the Contractor's and Subcontractor's normal course of business. During the term of this Contract, if the State requests the destruction of a student's PII collected, generated or inferred as a result of this Contract, the Contractor shall Destroy the information within thirty (30) calendar days after the date of the request. Contractor can retain a student's PII provided that:

I. Contractor obtains the consent of the student (if the student is eighteen or older) or the student's parent or legal guardian (if the student is under eighteen) to retain the student's PII; or

2. The student has transferred to another state and the receiving state has requested that the Contractor retain the student's PII. k. Contractor shall permit State, at State's cost, to audit, upon reasonable request, that Contractor is complying with this Section XI and the Standard Security Policies and Procedures in Exhibit D and/or that it has destroyed the data as verified.

Page 10 of 19 I. Contractor shall collect and use these PIT only for the purpose to help State carry out an audit or evaluation of Federal and State supported education programs and to comply with the Federal legal requirements related to the activities outlined in the Contract, including activities related to the development, administration, scoring and reporting of the annual assessment of student English proficiency, activities related to the evaluation of Federally-supported education programs and activities related to English language instruction, acquisition, assessment and achievement; and the development of accountability measures and models for limited English proficient children that relate to these children's development and attainment of English proficiency while meeting challenging State academic content and student academic achievement standards.

m. Contractor shall obtain prior written approval from State and of the student (if the student is eighteen or older) or the student's parent or legal guardian (if the student is under eighteen) before accessing PU for activities beyond the scope specified in Section J, above, but consistent with State's federal and state requirements.

n. Contractor shall not conduct any research using PII.

o. If Contractor receives any request or demand by a third party for PII, then Contractor shall immediately inform State of the request by forwarding a copy of the request to the State's principal representative. If Contractor becomes legally compelled to disclose any PU to ensure legal or regulatory compliance or to take precautions against liability or to respond or to participate in the judicial process, then Contractor shall use all reasonable efforts to provide State with prior notice before disclosure so that State may seek a protective order or other appropriate remedy to prevent the disclosure and if prior notice is not provided, Contractor shall notify the State within two (2) calendar days of the disclosure of the PII; provided, however, that Contractor will maintain the confidentiality of PTI while in the Contractor's possession. If a protective order or other remedy is not obtained prior to when any legally compelled disclosure is required, Contractor will only disclose that portion of PU that it is legally required to disclosed.

E. Prohibited Uses

Page 11 of 19 I. Contractor shall not sell PII or use PII for purposes of Targeted Advertising to students or any party. Contractor shall not use State's PH to create a personal profile of a student other than supporting the Evaluation Services described in this Contract. "Targeted Advertising" means selecting and sending advertisements to a student based on information obtained or inferred over time from the student's online behavior, use of applications, or PII. Targeted Advertising does not include advertising to a student at an online location based on the student's current visit to that location or in response to the student's request for information or feedback and is without the collection and retention of a student's online activities over time. Targeted Advertising also does not include adaptive learning, personalized learning, or customized education. 2. Contractor shall not measure, capture, record or analyze any biological characteristics as defined by FERPA. Contractor shall provide, on State's request, a copy of any service agreement that it may have for the capturing and processing of student information, whether the student information is personally identifiable or not. 3. Contractor shall contractually require any subcontractor and their subsequent subcontractor to which Contractor discloses PII in accordance with this Contract to comply with the requirements of this Section XI. Education Record Release, Data Use, Student Data Transparency and Security and Exhibit D, WCER Standard Security Policies and Procedures and all applicable state and federal laws. F. Data Security Assurances I . In addition to the Receiving Institution Obligations, Contractor and Contractor's subcontractors shall meet the following data security assurances for all systems and devices that contain or access PII.

a. Contractor shall provide physical and logical protection for all related hardware, software, applications, and data that meet or exceed industry standards and requirements as set forth in this Contract. Contractor shall take full responsibility for the security of all Pil in its possession, and shall hold the State harmless for any damages or liabilities resulting from the unauthorized disclosure or loss thereof. Contractor shall provide for the security of such PII, in a form acceptable to the State, including, without limitation, non-disclosure, use of appropriate technology, security practices, computer access security, data access security, data storage encryption, data transmission encryption, security inspections, network firewalls, intrusion detection (host and network), data security Jogging and monitoring systems, and audits.

Page 12 of 19 b. Contractor shall provide the State or its designated representatives with access, subject to Contractor's reasonable access security requirements, for the purpose of inspecting and monitoring access and use of PII, maintaining State systems, and evaluating physical and logical security control effectiveness. c. Contractor shall perform and cause its subcontractors to perform background checks on all of its employees and agents that are Authorized Users, prior to providing authorized access to PII. All background checks will be performed in accordance with State of Wisconsin/University of Wisconsin background checks for employees and contractors. The background checks must demonstrate the worker has no convictions or pending criminal charges that would render the worker unsuitable for regular contact with children or with PU. Disqualifying convictions or charges include, but are not limited to, sexual offenses, violent offenses, identity theft, fraud, and drug offenses. Additionally, Contractor and its Subcontractors are subject to and shall comply with the University of Wisconsin's Policy on Mandatory Reporting of Child Abuse and Neglect. d. Contractor shall have strong access controls in place. e. Workstations and other data processing devices must automatically lock when not in use, and must be manually locked when left unattended.· f. Contractor shall protect all PII with a complex password. Contractor shall ensure passwords are confidential and prohibit the sharing of passwords. Passwords must not be written down or stored in an unsecure location. Contractor shall periodically change passwords and shall ensure passwords are not reused. Contractor shall have password locks for laptops and mobile devices. g. Contractor shall disable and/or immediately delete unused and terminated user accounts. Contractor shall periodically assess account inactivity for potential stale accounts. h. Contractor shall not share Pll on display screens, during demonstrations or presentations, or when sharing screen shots for troubleshooting or other purposes. If Contractor receives PII via unencrypted methods, Contractor shall Destroy the e-mail and contents and alert the sender of the requirement to send PII via secure methods. i. Contractor shall implement annual intrusion penetration/vulnerability testing.

Page 13 of 19 j. Contractor shall encrypt PU at rest on central computing systems. Contractor shall also encrypt any backup. backup media, removable media, tape, or other copies. In addition, Contractor shall fully encrypt disks and storage for all laptops and mobile devices.

k. Contractor shall provide annual, mandatory security awareness and PII handling training for all of its employees/independent contractors handling PII pursuant to this Contract.

I. Contractor shall install and maintain on computers accessing or processing Pll appropriate endpoint security anti-virus and anti-malware software. Contractor shall ensure all Contractor's data processing systems, servers, laptops, PCs, and mobile devices are regularly scanned and have all security patches applied in a timely manner.

m. Contractor shall use a secure method such as Secure File Transfer Protocol (SFTP) or comparable method to transmit PII. Contractor shall never send PII via email or transport PII on removable media.

n. Contractor shall have physical security in buildings housing PH, along with controlled physical access to buildings and/or data centers.

o. Contractor's devices used to copy or scan hard copies of PII must have encrypted storage. Contractor shall scrub storage devices when equipment is retired. Hard copies containing PII are discouraged and must be physically secured, not left unattended, and physically Destroyed.

p. Contractor shall not store Pll in a cloud environment.

G. Transparency Requirements

I . Contractor acknowledges that the State will pose this Contract to the State's website.

2. Contractor shall facilitate access to and correction of any factually inaccurate student PH in response to a request from a local education provider or from the State. All locaJ education provider requests shall be routed through the State.

3. Contractor shall provide transparency to parents, school districts and the public about its collection and use of PH including posting the following information on its public website:

Page 14 of19 a. Contact information for an individual within Contractor's organization that can provide information on or answer questions related to the use of Pll by Contractor.

b. An explanation of how the PII will be shared with Subcontractors or disclosed to any third party.

c. The types of PII Contractor collects, generates, or uses. This information must include all PII that is collected regardless of whether it is initially collected or ultimately held individually or in the aggregate.

d. An explanation of the PIT, an explanation of how the PII is used, and the learning purpose for which the PII is collected and used.

e. Contractor shall update this information on its website as necessary to maintain accuracy. The Contractor acknowledges that the State will post this information on its public website.

f. Contractor shall send the State a written notice which includes a clear explanation of the proposed changes prior to making a material change to Contractor's privacy policies.

H. Disclosure-Liability 1. Disclosure of PII by Contractor or any Subcontractor for any reason may be cause for legal action by third parties against Contractor, the State or their respective agents. To the extent authorized by Wisconsin Statutes Sections 893.82 and 895.46(1), Contractor shall hold harmless the State, its employees and agents, against any and all claims, damages, liability and court awards, incurred as a result of any negligent act or omission by Contractor, or its employees, agents, Subcontractors, or assignees pursuant to this Section. Contractor, as permitted by the Wisconsin Statutes Sections 893.82 and 895.46(1), agrees to accept the responsibility for injury or damage to any person or persons or property that arise solely out of Contractor's negligent acts or omissions in connection with this project.

I. Disposition of Data 1. The State reserves all right, title and interest, including all intellectual property and proprietary rights, in and to PII. J. Use of Aggregate and De-identified Data. 1. In order to provide Consortium level data and analysis to WIDA consortium member states, Contractor will aggregate State of Colorado data with all other WIDA Consortium member states.

Page 15 of 19 2. Any de-identified or aggregate data must adhere to the following requirements: a) Data that must be aggregated or de-identified shall include not only direct identifiers, such as names, student IDs or social security numbers, but also any other sensitive and non-sensitive infonnation that, alone or combined with other infonnation that is linked or linkable to a specific individual, would allow identification. b) Simple removal of direct identifiers from the data to be released shall not constitute adequate de-identification. c) Contractor shall de-identify data to remove cumulative re-identification risks. d) Contractor shall remove alJ Data that in conjunction with previous data releases and other reasonably available information, including publicly­ available directory information and de-identified data releases from education records and other sources would allow for identification of a particular individual 3. Contractor shall follow the recommended practices outlined in the IES-SLDS Technical Brief Statistical Methods for Protecting Personally Identifiable Information in Aggregate Reporting, December 2010, Brief 3 NCES 2011-603, including the use of a minimum of 16 students for the reporting subgroup size limitation in Aggregate Reporting. 4. Any aggregate or de-identified data that is not properly de-identified or aggregated and is transferred to a third party without the controls of this Section XI for Subcontractors or publicalJy released will be considered an unauthorized Disclosure of State's Confidential Data. K. Permission to Use data. 1. State acknowledges that by entering this Contract it is approving, in writing, of Contractor's use of these PII within the scope of purposes outlined in this attachment and Section D 1J, above. L. Transfer Protocol. 1. The parties shall work cooperatively to detennine the proper medium and method for the transfer of Confidential Data between each other. The party receiving PII shalJ confirm the transfer of PU and notify the transferring party as soon as practicable of any discrepancies between the actual data transferred and the data described in this attachment. M. Remedies. 1. Contractor acknowledges that the breach of this Attachment on its part may result in irreparable and continuing damage to State for which money damages may not provide adequate relief. In the event of a breach or threatened breach of this Agreement by Contractor, State, in addition to any other rights and remedies available to it at law or in equity, may be entitled to preliminary and pennanent injunctions, enjoining and restraining the breach or threatened breach.

Page 16 of 19 N. Binding Effect and Assignability. l. The rights and obligations of each party under this Attachment shall inure to the benefit of and shall be binding upon that party and its respective successors and assigns. 0. Waiver. 1. The failure by one party to require performance of any provision shall not affect that party's right to require performance at any time thereafter, nor shall a waiver of any breach or default of this Attachment constitute a waiver of any subsequent breach or default or a·waiver of the provision itself. No modification, amendment, waiver or release of any provision of this Agreement or of any right, obligation, claim or cause of action arising from this Attachment shall be valid or binding for any purpose unless in writing and duly executed by the party against whom they are asserted. P. Data Custodians. I. The following individuals are the designated data custodians for their respective entities with respect to this educational record release and data use agreement:

For Contractor

Data custodians for WIDA:

WIDA Consortium - Data Custodian for Data at Rest/Compliance Uses H. Gary Cook Research Director 1025. W Johnson St., MD#23 Madison, WI 53706 Phone: 608-890-0471 Email: [email protected]

WIDA Consortium - Data Custodian for Operational Uses Carsten Wilmes Director of Assessment 1025. W Johnson St., MD#23 Madison, WI 53706 Phone:312-263-5547 Email: [email protected]

For Data Recognition Corporation - Assessment Platform Vendor Karen Jans Sr. Director, Education Programs 13490 Bass Lake Road

Page 17 of 19 Maple Grove, MN 55311 Phone: 763-268-2040 Email: kjans@datarecognitioncor:p.com

J. Exhibit A, WIDA Consortium Board shall be deleted in its entirety and replaced with the updated Exhibit A (Amendment 7), WIDA Consortium Board, attached hereto and incorporated by reference. All references to Exhibit A shall be deemed to reference Exhibit A (Amendment 7).

K. Exhibit B, Exhibit B, WIDA State Student Response File Layout shall be deleted in its entirety and replaced with the updated Exhibit B (Amendment 7), WIDA State Student Response File Layout, attached hereto and incorporated herein by reference. All references to Exhibit B shall be deemed to reference Exhibit B (Amendment 7).

L. Exhibit C, WIDA Consortium Employee Confidentiality Agreement shall be deleted in its entirety and replaced with the updated Exhibit C (Amendment 7), WIDA Consortium Employee Confidentiality Agreement, attached hereto and incorporated herein by reference. All references to Exhibit C shall be deemed to reference Exhibit C (Amendment 7).

M. Exhibit D, WCER's Standard Security Policies and Procedures shall be deleted in its entirety and replaced with the updated Exhibit D (Amendment 7), WCER's Standard Security Policies and Procedures, attached hereto and incorporated herein by reference. All references to Exhibit D shaJl be deemed to reference Exhibit D (Amendment 7).

7. START DATE

This Amendment shall take effect on the later of its Effective Date.

8. ORDER OF PRECEDENCE

Except for the Special Provisions, in the event of any conflict, inconsistency, variance, or contradiction between the provisions of this Amendment and any of the provisions of the Contract, the provisions of this Amendment shall in all respects supersede, govern, and control. The most recent version of the Special Provisions incorporated into the Contract or any amendment shall always control other provisions in the Contract or any amendments.

9. AVAILABLE FUNDS

Financial obligations of the state payable after the current fiscal year are contingent upon funds for that purpose being appropriated, budgeted, or otherwise made available.

Page 18 of 19 THE PARTIES HERETO HAVE EXECUTED THIS AMENDMENT

Persons signing for Contractor hereby swear and affirm that they are authorized to act on Contractor's behalf and acknowledge that the State is relying on their representations to that effect.

CONTRACTOR CDE OF COLORADO The Board of Regents of the University of Wisconsin System, on Behalf of the University of John W. Hickenlooper, GOVERNOR Wisconsin-Madison's Wisconsin Center for Education Research Colorado Department of Education Katy Anthes, Ph.D., Interim Commissioner

By: ---=p~,ci,u, ~ t le---....U-1...... {l...... fh""'"""'d ~-- ~ amcofAutfionzcd Individual Title: 1' Official title of uthorized Individual Date: f 2 )f 1/ /L{J

ALL CONTRACTS REQUIRE APPROVAL by the COE CONTROLLER CRS §24-30-202 requires the State Controller to approve all State Contracts. This Contract is not valid until signed and dated below by the State Controller or delegate. Contractor is not authorized to begin performance until such time. If Contractor begins performing prior thereto, the State of Colorado is not obligated to pay Contractor for such performance or for any goods and/or services provided hereunder.'

CDE CONTROLLER

ros, CPA, MBA, JD

Date: / 2 -// -2&>/6 p

Page 19 of 19 Exhibit A (Amendment 7)

WIDA Consortium Board

I. Definitions. a. SEA - "SEA" means state educational agency and includes each state's education Superintendent. b. LEA - "LEA" means local educational agency and includes any educational agency within a WIDA Consortium Member state subject to the requirements of Titles I and III of ESSA. c. WCER - "WCER" means Wisconsin Center for Education Research at the University of Wisconsin-Madison. d. WIDA Consortium - "WIDA Consortium" means the operational unit of the Wisconsin Center for Education Research at the University of Wisconsin­ Madison, which offers educational services related to language learners and academic language development for pre-kindergarten through grade 12. e. WIDA Consortium Member - "WIDA Consortium Member'' means any state educational agency that approves and/or purchases the Core Package of WIDA Consortium educational services to satisfy the state and local educational agencies requirements of Title I and Title Ill of the Elementary and Secondary Education Act, as amended by the Every Student Succeeds Act (ESSA), which pertain to: the academic assessment of English learners; the academic assessment of language proficiency; the development and meeting of annual measurable achievement objectives for language learners and the building and enhancement of capacity to offer programs that assist language learners in obtaining academic language proficiency. f. WIDA Consortium Board Member - "WIDA Consortium Board Member" means any person appointed to the WIDA Consortium Board according to the Board Member Appointment subsection below, see sec. 3a. g. Core Package • "Core Package" means the multi-state copyright licenses and related educational services offered by WCER under the name WIDA Consortium to WIDA Consortium Members, namely: limited copyright licenses to certain WIDA assessments, including ACCESS for ELLs, Alternate ACCESS for ELLs, the WIDA Online Screener, language development standards and resource guides, instructional and educator training/support materials; technical assistance and professional learning associated with implementing the WIDA ELD Standards; the printing, distributing, scoring and reporting of the ACCESS for ELLs English language test; and educator and technical assistance and professional learning associated with administering and interpreting the ACCESS for ELLs English language test and test results. WIDA Consortium Members all receive the same Core Package of educational services. IndividuaJ member States may contract with WCER to obtain enhancements to the Core Package for additional charges. 2. Purpose. a. Advisory - The WIDA Consortium Board serves as an advisory board to the WIDA Consortium operational leadership. The WIDA Consortium leadership solicits input on and the WIDA Consortium Board offers guidance and support

CDFJ WCER Exhibit A (Amendment 7) 1 on the annual offering of the Core Package of WIDA Consortium educational services. h, Collaborative - The WIDA Consortium Board provides an organized opportunity for SEAs to associate and address common issu~s relating to language learners, the academic language development of pre-kindergarten through grade 12 students and other issues related to SEA and LEA requirements of Titles I and m of ESSA. 3. Structure. a. Board Member Appointment - Each WIDA Consortium Memb~r should appoint one SEA representative to the WIDA Consortium Board. Wisconsin, Illinois and Florida are each entitled to appoint one additional representative to the WIDA Consortium Board. · · b. Term of WIDA Consortium Board Members - Each WIDA Consortium Board Member will serve until replaced by their respective SEA or until their SEA is no longer a WIDA Consortium Member. c. Removal of WIDA' Consortium. Board Members' ~ WIDA Consortium Board Members may only be rempved by their respective SEA. An SEA will appoint a successor member to the WIDA Consortium Board if that SEA removes its appointed member. • -. · . ': · : · d. Compensation - . Mem~ers. of the ·:WIDA · Gorisortium Board do not receive compensation: 4. Operations. a. General - WCER, through the WIDA Consortium will facilitate the activities of the WIDA Consortium Board. WCER will provide the necessary personnel to serve as a liaison between the WIDA Consortium Board Members and the WIDA Consortium. b. Meetings - the WIDA Consortium will hold the following WIDA Consortium Board meetings: i. Annual Meeting - WCER will conduct an annual gathering of.the WIDA Consortium Board. The gathering will be held in late spring. ii. Committee Meetings - WCER will conduct committee meetings of the WIDA Consortium Board as provide below in the Committees subsection below, see sec 5.c. iii. Special Meetings - WCER will conduct special meetings concerning the ongoing development and review of the annual offering of the Core Package of WIDA Consortium educational services as necessary. WCER may hold special meetings either in person or via teleconference. Attendance at special meetings may be held to a limited number of WIDA Consortium Board Members c. Communications i. General - WCER will provide the necessary infrastructure to facilitate the WIDA Consortium Board activities. ii. Meeting Summaries - WCER will maintain meeting notes and provide meeting summaries to the WIDA Consortium Board Members after any · WIDA Consortium Board meeting. d. Costs i. General - WCER will pay the costs associated with operating the WIDA Consortium Board. CDFJ WCBR Exhibit A (Amendment 7) 2 ii. Travel Expenses - WCER will pay for/reimburse WIDA Consortium Board Members' travel expenses incurred in connection with attending a WIDA Consortium Board annual meeting. If any SEA wants to bring up to two additional people to a WIDA Consortium Board annual meeting, that SEA will be responsible for their travel expenses. In the first year an SEA becomes a WIDA Consortium Member WCER will pay for/reimburse the travel costs of one additional person from that state to attend the WIDA Consortium Board annual meeting. All travel expense reimbursements will be made in accordance with State of Wisconsin guidelines. e. Fiscal Impact - The activities of the WIDA Consortium Board will have no direct fiscal impact on individual WIDA Consortium Members without an additional written agreement between the individual WIDA Consortium Members and WCER. IfWIDA Consortium Board Members recommend and the WIDA Consortium adopts any changes to the Core Package of WIDA Consortium educational services that affect the price of the Core Package, then no price change will take effect until the individual WIDA Consortium Members execute written agreements with WCER that reflect these changes. 5. Activities. a. General-The activities of the WIDA Consortium Board include the following: i. Attendance at the annual WIDA Consortium Board meeting; 11. Participation on WIDA Consortium Board committees as determined by this section; and m. Participation at special meetings conducted by the WIDA Consortium b. WIDA Consortium Board Meetings - WCER, through the WIDA Consortium will coordinate the meetings of the WIDA Consortium Board. i. Meeting Agendum - the WIDA Consortium will set the agenda for any WIDA Consortium Board meetings. ii. Meeting Activities I. Presentations - the WIDA Consortium will present updates on WIDA Consortium activities related to the implementation, research and development of the WIDA Consortium Core Package. 2. Discussion and Review Groups - the WIDA Consortium will facilitate discussion groups on targeted topics related to the implementation, research and development of the WIDA Consortium Core Package. The discussion groups are an opportunity for WIDA Consortium Board Members to provide input to the WIDA Consortium and to interact and exchange ideas with other SEAs. 3. Policy Orientation and Priority Setting - the WIDA Consortium may poll the WIDA Consortium Board in order to ascertain the position of WIDA Consortium Board members on issues related to the policy orientation and priorities of the implementation, research and development of the Core Package. Each WIDA Consortium Board Member present will receive one vote. The votes will be recorded by the WIDA Consortium. c. Committees

CDEI WCER Exhibit A (Amendment 7) 3 i. Executive Committee - The Executive Committee is a standing committee: 1. Pumose - The purpose of the Executive Committee is to a. Provide input to WIDA Consortium on setting WIDA Consortium Board meeting agendum, and b. Vet policy and priority issues related to the implementation, research and development of the WIDA Consortium Core Package in greater detail than the full ~ WIDA Consortium Board. " 2. Makeup - Two SEA representatives from each of the four WIDA Consortium Member regions, one representing subgi:oup A states and one representing subgroup B states. One LEA r~presentative will be appointed by the LEA Advisory Committee. SEA representatives from Wisconsin, Illinois and Florida will be permanent members. 3. Te'rm - SEA 'representatives ~HI-· s~rye: a two-year term on a staggered rotation.-2015*17 Executive Committee members will continue their Cun"ent termst art? new members will be appointed on the following·schedule: . . : .a. Supgr!:>UJ5.A for all four Re'gional Groups i. July 2015 - June 2017 ii. July 2017 - June 2019 iii. July 2019 - June 2021 b. Subgroup B for all four Regional Groups i. July 2016-June 2018 ii. July 2018-June 2020 iii. July 2020 - June 2022 c. LEA representatives on the Executive Committee will serve a one-year term on staggered rotation by region; i. June 2016-May 2017 ii. June2017-May2018 iii. June 2018-May 2019 4. WIDA Consortium Member Regions - The WIDA Consortium Member regions are as followed: a. Northeast Regional Group i. Subgroup A - Delaware, District of Columbia, Maine, New Hampshire, Rhode Island, Vermont ii. Subgroup B - Maryland,- Massachusetts, New Jersey, Pennsylvania b. Midwest Regional Group i. Subgroup A - Indiana, Michigan, North Dakota, South Dakota, Wisconsin* ii. Subgroup B - Illinois*, Minnesota, Missouri, Oklahoma c. South Regional Group i. Subgroup A-Alabama, Kentucky, South Carolina, Tennessee, US Virgin Islands

CDEI WCER Exhibit A (Amendment 7) 4 ii. Subgroup B - Bureau of Indian Education, Florida*, Georgia, North Carolina, Virginia d. West Regional Group i. Subgroup A - Alaska, Hawaii, Montana, Northern Mariana Islands, Wyoming ii. Subgroup B - Colorado, Idaho, Nevada, New Mexico, Utah

•Wisconsin, Illinois, and Florida appoint standing members on the Executive Committee and are not eligible to serve as regional representatives 5. Meetings - the Executive Committee will meet every year in late Fall at a place to be determined by the committee. In addition, the WIDA Consortium may request the convening of this committee at another time at a place to be determined by the committee. ii. LEA Advisory Committee - The LEA Advisory Committee is a standing group: 1. Purpose - The purpose of the LEA Advisory Board is to provide WIDA with input, ideas, and feedback from the LEA perspective on a variety of topics that will inform and support the work the WIDA Consortium. 2. Makeup - Each of the four regional groups will have two LEA representatives, one from Subgroup A and one from Subgroup B. LEAs will be nominated by an SEA to represent their respective regional subgroup. 3. Term - LEAs will service a two-year term on a staggered basis a. Subgroup A for all four Regional Groups i. June2015 - May2017 ii. June 2017 - May 2019 iii. June 2019 - May 2021 b. Subgroup B for all four Regional Groups i. June 2016 - May 2018 ii. June 2018 - May 2020 iii. June 2020 - May 2022 4. Meetings - the LEA Committee will meet quarterly via a web conference and face-to-face once a year. iii. Ad Hoc Committees - the WIDA Consortium and the WIDA Consortium Board may form ad hoc committees to address specific issues as necessary.

COE/ WCER Exhibit A (Amendment 7) s 0 ~ Q ...... - " "'" if

1~ ~ ~ . pl .s . .. - .. - •t I l I I I I I I r I I I J I I r I ,'. r I I I ' I I

- -

II i i ;; If a • I N M II u - f f f f f l f I I t I i ,.. ~ II ,• .- -; I 11,;1 11 -- • - u,:I . "' ~~ 'I i 1H' n> n1r1lil'f~ l:Pr' t I t I I t 11 If n II' II' .. .. I rli}i I ,! t ., !t ' ! I I I I I I ~ I I I I I I I I I I I I li!u .. J .. J .. .. I .. .. I ..r hhl J I I I I r r r r ..I J .. J .. l J J J J t t t IIUuu.,I l I l p!•! I I I i;o, ii 1! . l -

.. I ; I I~ - i r I f f I i - - - 1111 iPl(l I T" fl ( I I J r11l1ll ,If 'ill!I l"il =hu1 f l!UljH l!;fnliu ldI} huul I r}Uf ..ii 1.. fn11 ' 1.. 1! }IJ lhl•·:rrt 1J'J1-1 ·1 i~ I 1.. 1 l ;( tUP 1,1 "r 1 I a.r t if 1i 111 I I! 1 .. 1 tut I I i ' i ; II' h I I hl 'l'i I I I I 11 M I I I 111 1~ I I.. "iiu, ! rl "1.. I l r r fi ,,· , I' I F ~!I" J i i J, ,1 i Ji 1M I ~.II ii ------1 u· ·u u· t ! n •u11 11 I I h I t Ill I 5 n I ilt tt 11 IJ t !f I' .. .. I! H.. i tfl; II II r __T - ~ l g li: Ii ,: 11 ~ i G - J}I_! ,. ------.1, i ~ i i i Iii II i. ~ II I - ·- ~ ~ it ~ ... 0 .. .. :Ii ...... • • .. .. H

Ill II ::: 15 ti :t ; . ,:. II' IS ~ ; :; pl • = - 'I if 1, i llj lj 1, f ii i I I 1; J J ) Ie I • J J I t Ie f I I I I I

- - - ~ ~ N ~ - - - - ~ • ;: - ; . u

I f I I I I I J i I I ,f I I I 1 I i 1• ~1 1• -. ii--·1 I~ 'i ,~, 'i ul I~. - H H H,-P H If ,.u I ! l I i I ,.,. u,: n ,...- ,.,.. ,... .-,.r...... ,. Iii ill ,. I> r: r: ,. ,. ,. ,.,.. I l'~ I> I> ,. .. ,. .. ,. I I J f rf i i i !'·· ...... ,.,. ,.,... .. ,. ,... I If I If ,, r ,, r ! i= r: r: r: l r l iliH I I I I I I I I li'i' ..r Itr Uiri J J 11111 ,1111 ,Iii! II I' - I

5 .. .. n II . .. . . ~ w II i I " I I "C( llt",(II .. :I f ;; lff IIIJ iif f ~ !11~ 'ff(,.,. !"'f JI! 1:1111 ~-,n, fifJI! ·1 Hh, 1 1 11 !I~,, ii, " :. i i If 11 rJrpi ~r h1 h1 I • .. 1H pH; IHH i'~ ~ fr1hpi ~ 111hpi ~ I,, ': r r' l i r., ('c I If •tr ·"i ·1, ' .. , • 1, • .. I h!ilr•" ¥1 Jl I I i Ii i Ii i ·ri I i ·ri I .... ,!:,, !Ii h h I g, I IL I '~f I ';;I hfi!r fr !;. la.ffr ;. 'i;. ,uar lfi 't 't I ,1 ,1 111 1to: :Ca. iti;.' l:o. it-: :C... ill':.' z: ... ii I· h I h1 u ;;' IJi;' II iii ,1 Ii I Hz:Hiii: ~,;ti ' H,:I Hz: : r r( i .,, r;. .. ,;. ,. r • :.r; if ii r, fl l : J Jr I ' I I ;t • r r lrlf • if • 11J' lr It !I Jg i ·r I ; lgi i fl i i lg i rg ~ "l I f :1: ~1· ~1· :1.: " ff r r "If "11 I I i i I I Ii 1, lj Ii J J I I ; i i i I I Ii( I 1;1 lu IU II fl 111 ;11 ( :ii. l!I Iii 'ii H II f t ii ~, 111 :, :, f . = -, ., f I ii I = l l l l h !1 h h !I I l i l ~, -, ~, -, : 11-i § l l l r 1.: 'J I i j' i i I a I 1 I I t ! ! !! I ,I i t ~ $ du ' I I It ! I ! i I ! ! I I ! 9 I I II·11 l ( t, 9 le ., g !g I I II' il I g , I & ll l if

~ M Ill lll ti ti ~ Ill II ~ pl a • • • 'I ij If !r I ! I If r i f I i i i I I i.. I 'J I i I i I I I r I I II

u u .; . .. - - - - ~ - - - - u

I I I I f [ I I I I f I I r I i ,. ,. ,. , ,. ill jl!JWb ~;J•Jjll f> ,,,._.J!!J;~Jlii J!iP ,ij-llU I!.• ... ,I~ • • I~ 1a-f i' - I 'tnil,U lili1 ip 'i 1 ~~I "1 I I I I I Iii I I I t ! l I i I t -f If ir i i i i I.. a hiu lilj• r I.. j Uifi nmp111

.,i!il! }i

. . I

I; ...... ,c • ii ...... ~ iii I I - - - ,.. -l!i • f fl~IU ¥ 11i li li"t !f(li!~ !!~ 'i ~~i:; IJ'!~ ?~t ';' '!'~ ::. r ir fl i ':ii '•i f ·1 ·1 ii lljl}f 'i)i 'i H 11 r r I,•1 .. If i.. i.. ..i i.. 1uu11up1p j n Ill h Ja uu11r(111 il'lli 11IUI i I 1 11 I i f 1HJ111•1,I,] l I r i 1.. ,1 I I Jff J i2i ii ir IPJ ,JII 'h' tJe I .. H I l I . . J Ip 'I . , .I Ii l I uf I I I Bl I i.. J I Ii Ia I i r ! t ,t a I i u,;& - - ·- f !f - I( ( ( '=u1 I I ( ' ( • ! • v ~ I ! " " " f t ~ JI • t II ~ i I I • •I 'PI,::'- •I I • l1 •I • • I I 1 .'ft'. tjl • • ' • 'I . i I J l J . ' •r: I IJ li1 II 11 I 12 Ii i$ • II I! It Ill du ,lj• g I! v • I I a 2 If ii It !! • I II - I g . ,: • I II .. • 8 I! I I! I: = ~ I ~ I: = I: • 5 ~ ii I I D II II w ~ Ii 81 I: 1:1 ., !l! w • t:I II I: t.l 1:1 :: pl = " • • 'I r f I I I I I.. f I I 'j 'i I' I' I' I I I'i 'ii 'i i i 'i 'i l'i i i 'i i I I I ... i i ' r I I

w 19 - 5 ;I; - - - - - ~ ------. -.. - u

f f f f f J f f f f f f f f f f f f , I I I 1 1 1 1;;, r,;,; '~ .. 1•. 1• .. I,~,~ I' I • i p;:I 'i JJ~, 'i 1•J;f I I Ii r Ii I r r 'i I l" r r 'i 'i :i ;; r I I f I f ,J lf I I't ir I' I .. I ili:h r l I' l I' l I I I.. I I.. lilu j" j j 11111 l~ 11 11u,•!•! I 111}! •111J

e ~ ! 2 n ...... -< ' n ...... i ~ [ I I I

': I .d . • 'i'i ::1 n ff ii ii HI ~I ~1 ~Pl ii :t ·1 I •fi I' 'J ii • 'i ·1 li Ii •• ·1 llj •• II' i fffffl J if I' ·,I' ·,·,I' If t s H11 • [ 1 I .. .. p It I I [ J I i t' I• I i ' I' i I t.. ; ! I I i tl h r I I l d j I I ! If I i 'I ( I J I 1 i I I I ! I uI ll... I J 1 J B 1l I t I ! J I J I I' I t f I 11 i I I I I I "l[ I I I I I j I ! I : ... r (I (f (I ~ t I (I 11 lj If H 1pu II n f1 n ~ ip (1 i; I !1 ~, 11 a:f i;f i;I i:f I i:f 11 i:f i; r; ,..~ r !I u . .~ I n ~,~d =1 : I : I ; I :, n:, :, : I : I : I =, ; I =1 ., !t J· ~1 J 1· J· J jl t ii J· t· f· J· J· J J fi I·1 t i'. •• .. !!! ; ti: ! !1 I! I!! 16 !! II II I& 18 I& Ii I! l!I l!I II li Ii Ii Iii du• I I ! l!I !! l!I II II 15 II Ill I! l!I I! !!! l!i r r is 12 ,. II ~ ! e .It i' ' I £ i s I I It if

Ill a t: pl • 'I J J J r r I ~ r r r I i f f f I ~ i i.. i I ..g :: ~ . - - ii i i u - -· - I I I 1 I l l f ft,-r iEf i!iH i=f ifiH 'i!f H i!i ' I ,.~."': ,. I• l;..lrolj I;: l ~l::;!i I; It l::;!i ' II 11 ~1~ IJ I ~Ii~ II ·· 11,. I,. 'if If ....'.f.'t .. ll"lDII" .. II' .. ~ II"': .. q .. .. II"': ,.,.'.f.'t r r=r·· I rj 1 ,1 ri r pjh 1 IL. o' .....t.'t 1 1 .. f.'r "'r- ....,. .. HHi C' s> I> ifjt• !;; :"t~ ~~ In ,... - Ii q ;; I thhrn1 , . In i.. ~ l!!H a= il j.111 I I . - Ii' ------Ii =i ". f .. - - l i i- < 1• ..•• IHP:f JI ~f IH~f tr II.. ,nnr iffjf iiifJ-ll EH Ii · If iiiil IHJ Hilj Ii 1 11! 1 111 11 If ...~ I J Jr 11 Ii !i ii ilfr ii •r I II 1 I tr I Ir-, .... i ••11 !, 1 1 1 Cl i p , 11 I, , , 1, 11 1 lllj; r ~ Ir (1 ::. i' 1 I J i Ir (I r r fr f 1 1 r r fr f 1 f f I f 11 I r I I 11 I I I I fl i I . j rl l J i i i ~, f i i ii I -! -! 'I !i !i 'I ! , ii I • • • I

- -- - ,- ---- iu IHU ...... IErfJ !. J lfUfl,...... J f !JCf !!I iiUI·-i rl:H,a>-·Qr f(h!r ' h r1 1 •E .. I !E9·J1 fi II ; ii II du ·;.,, - I II I l!i it 11 - I ,a 13 ·~ R r, e IS !I II I • ' • I: I 11 • ff IS !!! I ;I ,I ,I ., ;i 1:1 ::s .. :;: .I :I • II pl ' 'I I I J f ( I l I J I J I I I I r J J I f I I I I I I I I ! !' ! f I f i i. f. f i i i i i i i.,. I - I i i li

N jj i ; ------§ N N N II

i f f f f I I I f f I t I ,f I r 1 Ii~,..,. r- --r ' ip ! f Ii f 'r· f" Ii"·~r - ir-.- i ir~r i ~1 1( If !! ~~ II n !f I l I l I f 1!: l i ,, I I I I I ~~ :. :. r,. r .. ,. r ,. r1: .... ''J1 .'t."t r l ...... ;. I - r - f'.'t :f.'t :t .'t ilih ,. ; ...... I I .t" .t.t ...t ...t I ,...... n•1· i ; ,.,.'.t.'r ,..'r.'r ,. Uiri t>f' t> t> J E ,..~ :"' :"' r... rr rr,.. .. I" •-- • I I Jiii! 1'!'!;)ii! ii 1•I

I ii I· • • ...... ' Ill: " • .. ~ .. - I I i

...~ - ':'? II :ij': ;'':': JI ;-;; i JI .-:, ff• P· 1•·-: 1:-; I•·· , 11-:: ,-u J ,,. fl•;•:": I 1 1 ... 'fi .. ,. ... fi ... , i .iii .itf,· ~- i,il .1~11u I lHi iif Ui •j ih r· r· r· ·'ti 11, ·'If ufnr ufnr I 1 'l ih •u Iiihr ni n,, u,, .u ii. .uI l ·I I 11r.. 11 i 1 i , tr tr ltf 1i lhi1 th!1 Iha1 th .. iHJ n· i ff i I' I I : l : 1111 ,·1 I t f t I t f ,1 II' :ir I • '! i 1'trf rl... ., rl ill II' I' , , ,.. .. ,1 ,II'. If I"" ... III' 1'If rII' 1'If r If II I i I •..j 1H 1H 1H tH l I rr rr rr . rr I I I I• I} Ii Ii I If I I I II II II II I I I I J S' S' .. I j j i• i

l!I ~ IU Ii) l~J l~J hr .f .;'"I 'U h •j1. h h h tr

! I IS II I! II II ~ !: II I! pl • • • • • • • 't J II J l I I I I I I I I i I i I I I I I r I I i I [ I [ [ I I I I f f f f Ii I t I I t t~ I ~ .. \ I I I ( I I f :1, I J I 1! I I ! i I 11 1 i i II I I I • I Ii ~

...... w w i N N N I u _J I I I I I ' I I I I I I I I I I I t I I i ' •., " Pi lli Pi Pi f li l'E i'I ill r•; Pl 1•1 I p r= i II r1 ''I '"I 11 ,f ih;Ji lili. Uiri 11uiH11i IJJJUUi .. ·, lJ - '

I

~ t: !! 11 ,_" I ~ e " ~ c: IL! I II II I! I .. I

' - : ,nu Hi JI Hijl l!if I Hijl UH un un HU Ui I ! ! 'PU Uhl 1,.hj'PH UH lhJ lhJ lhj 'h I I I UHi HHI ll!=i 1 i I I Ii' ;u~1 l l UlilI' •1r1•• Ii' •,r,IJ Ii' Il J'l'J Ii' •,r,IJ Ii' ' ill fllif I iJf UH Hh Uh Uh • I 1. J I I j 1, .. 11hl !11 I I ldU I 11 1r1 1r1 1r1 f If ' !Hh hUi !Hi1 hlh I fGI I I ' Iii! '1, • I I fhif IF ',, I ,~111 1 1 I t r=I If IC{ 'ijl I I hi it I I , '• i I i::I I =I =1 '=I' I j, IF I i I I lrl. • j 1 I ,1 •I J I ! I IF l I I • I I J • 11 • I i I . I t I I I I i I I I I I i I I ,;I it : l l I • 11 f 11. 11 f it l • • • I l l l l l l l I Ji I 11 I I 1 1 I I ! l i . IF i I IF .. l IF i .. i I I l I " I I " I t I t i I t I I I I I 1 I I I I I l iE iE iE

I I 1: I l I I ! I II I! I I .. I

I I, I I I 1, I : I 1; I !i i i i i i ii i s § - i i i 8 Ii i ii ilu,,- '

I a I i i ! i I ii § § § § i i i i @ ·•, 1, II ' l B !! I II i ~ fj! !i! 8 ~ Iii B R Iii !i? !n !l II if

= ;: ii i w :: ;:: = .. II II !! ll ii i ii ii p! - 'I i i ( 11 11 ... I J I I j I I I I I r r r r i i I I J J I I I i i i i I f i I [ r r I i i i i i i j j j j I i I r r I f i I i f I r I r r [ 'I

=;

v w M w ...... ~ v ~ ...... u

f I I f I f I I I I f f I f I I ' r I I i ,,, 11g 1•,3111i jHili llil I Pl l"I rg l'I iH'I 'p11•1 I Pt r I '"I '"I '"I ''I ''I ''¥ > 11 if n Cl ilili tn lilfl ..o' Ill Ufri ~ I" c:> ti> Iil•li i .. Ii I' r I .. ti> p!•! f ;Iii! II= ., lJ 1

II II II I I II • I I I II I I ~ I 5 I: I: (

,,n 1~(4 1 np 11 ~ l!(i r?p l:!i lli!:li IUH 11~U! Jl ~! li ·1 I ,n1 11:1''I II: • J I u11• 1 II: lfU • I i'i • I II: np• 1 I • J i Hf~'I I HIU 1n1.n i!r f,.r , .. r , .. r· f,., .. , .. r· f,.r 1 .. , .. f' ... , .. f,., .. ,.. ,.. ,,,, 11 1 ll(f 1 ,,,, ,,,, 11 1 ,1 ... '"' 1 ,,,, ,,,, 11 1 Uili iUII iUII UiU !H!f J!hf r~., 1 fi,, Ii.,1r' h.,1 h.,1rf fi,,1r' fi., r! .I Ii.,1 r1 r1 ff ft i~ Iiii., rLf rLf ii ii 19 ii 19 19 18 19 is filh IJHJ IU 11, l'f r,, 11, (irf [irf r,, r,, firf frf r,, hUi J J J J J J J. j u u u II t~hJ,i::I i i::I t I I I I I I f il j ; i i I i . I j r f • r l I

if 1, ! I IIll f !! !11 I ) ' i i i ; .. fi

ii ij ;:: ~ a ij I i ! i ii ~ ii ft B • • ~ i i du ' ' g .,, Ii! I ! i i i D I ft I ft i ! f I i i II l I -2, ;; ;;i jlJ ;:! 8 Ii ;ii ~ .. ;! a :a a 2 !i! Ii i li e !I !I B .. "' if

!,! iii ii ti ii ii ii B El ; ii pl ii = i Ii Ii Iii Ii Ii i ii G ii 'I ! ( i I j f I I I i ( I I • i i J [ I i i I I r I J I I I I I I I II I J I I i i i i II fII) I I f II i j i i t i i J I i j i f I r r r ' I ' t i r r I i

w . A ;; ;; .. ;; ;; ;; ;; w ... .. ======u 1 I [ I I If I I I I f I l I l I I I I I 1 i ' lfJ 'i 'i 'i i 'i .,·i 'I 'i 1.1 'i ., . 'i . i Ii . i Iii 'Iii Pl P'I ''I ill I" I f I f I f I f f ,f ' ' I f I f I f I f ' ili;}i .. l r l r l .. l tt It H B I I I I I I I I l[Ji, ...... J ii ii ii H j j. I Ufri u u u u i i n,u p.r•, .,ilil! li I i I I I ~ I I I I I I I I . "!; I I I I I I I I I I I

iii !'lt( .....~ ,!u Hfl !jHI 1~ 1 ~ n n1 .. til HI l!I ~HI ffH · I Ir I ,n u u H H rr1I '~ il Pl HI , .. .. , .. r f UI Ml Ml ul ij'' 1(1 11•1un 1(' 1=1 r=, r=, 1=, 1111 , .. r· , •!r .. ... !-[ I I[ !-[ J[ 1=1 r1 r1 1 11 1 ,,,, 1H d,r.,, l ilf ., .. il 1h., 1 h., ''r'f~., 'Jr're. I Ii ti fi '1"' l'h,! .,"' '1"' ih ih ih ih Ir J 11 If u If li'f H H H H l1! 1.1 l,1 .,J ·II I( I[ 1( I( 1 .. .. I I .91 H .!. I.. .91- .. ·IJ ·II J ,, f'f f Jf ... r r i r I I 11 I rr ljf j i I J' I' 'iJ' I I I I I ! 11 11 .J I I I I I I ••1 1 "4 1 I I I I I I I I • • • i I I i If II r 11 I I I • ,! ,! ,! ! t ~ I I I J I I I I r . f J II f r r j I l l f l i i i i J j J I I I I 1 1 I, 1 ! • I' r II' .. I I I I r f r r f f 'r ~!f i I I i I : - '-"" 1 1· l I 1p1 I I i HI I I ' I r ii i I I I : [''" !f ,, - I r I I ' .. I 1 i . tl - -· ;:; i Ii i ~ ii i ~ : " i i t ii i ii i ii i !i i i i i 1h• f I ,:i ·- .1, • i i ! ii ~ ; i • i i i i i ii I I I '! i I B I II I ,.. - ExhlbltB ACCESS for ELLs 1.0 Slate Studenl Response Data File· Academic Year 1016. 2017 - -· ..... ,..-r.. ____ ..... __ .... _ ,_ .... I""--··-··-·---~- __... _.. .. __ .., ______.. ._,... __ _,i.i-.·---... -ia,1ot,______...... ,la.J ...... --:to1Wll11 ...... _,,,. ~ !-. -· -~ ------,._.. ~ ,__,,,. .... - ·- 1... .,_._ _ __ !flt 1m IU 10 II - = - 1:1..= CJrinclw T,..IIIN ~ ....==-- 1111 144 .. .. fN .. --=- ·-- __ ... -.....·-----.. - __ ,._ ... _ =- '""""' ,0 R) 1<$ __ u ... ~ ~ - - .,.._..__ .. _... _ - lo ,..... !ISi 1151 ,.. 2 .. Hft·- ~ - ...... dt-....i~CAL._IDI =-'""""' .... Cl,l. ...ll __... _ ..... _ "' "'""' IISI 1111 RI - i-... 1111 l20 k,,,t -·-·- ...... cl~Dl*llal. ... Dt '" l ,;(CAL ...ll--11•_ ... ,._ lffl ffl1 ,.Ill ,.... ---ID, di - 11N - ..... ,,. ~~- .... n ... ' - ,,.. ,u - ...... ,: • .... - fY ~ :_1::. ... i-.-n.-.Ea .... ZISII 21511 ,si i-,D,j ... ,w t i.-- ,~-... ______ZISI Flt t5' t -- - llo-.CSOI-• ..-•._ ____ 1,.. 21N Ill! ~-- ,--.cw,_... _ .. _ ____ -- t -- -- ...- - " _.. __ 1111 2171 ,z 1$1 t ·-- -- ...... 1------.... ca ,,. -- .. .. . iT l'I: - -·: I ·-- ...... ·-•n .... - ,... ae I - .. H~ '"' ·-., *- I - ~··- ~ ' -

ro.,~ot~ World-Class lnstructlonal Design and Assessment Wisconsin Center for Education Research (WCER) University of Wisconsin-Madison W1D~ 1025 West Johnson Street, MD #23 CONSORTIUM Madison, WI 53706 Exhibit C (Amendment 7) .. ,.. ,...,.,...- ...... -.-...... ------·~·--T""··---~- .....-.,......

WIDA Consortium Employee Confidentiality Agreement

The purpose of this agreement is for employees of the Wisconsin Center for Education Research at the University of Wisconsin-Madison ("WCER") to understand and acknowledge their responsibilities to protect and safeguard the restricted use of confidential information to which they have access during their employment.

To perform the responsibilities of my job at WCER, I therefore agree as follows:

1. I understand and acknow]edge that "confidentia] information" inc]udes the fo11owing: a. Education records direct1y related to an individual student, which contain personally identifiable information; b. Secure tests as defined by U.S. copyright law, 37 CFR 202.20(b)(4); and c. Proprietary information of WCER, its employees, and certain third parties with which WCER enters contractual relations, the information, of which, i. derives independent economic value, whether actual or potential, from not being generally known to the public; ii. is not readily ascertainab]e by proper means by other persons who can obtain economic value from its disclosure or use; and iii. is the subject of reasonable efforts by its owner to maintain its secrecy. 2. I understand and acknowledge that "disclosure" means to permit access to or the release, transfer or other communication of confidential information to any party, by any means. 3. I understand and acknowledge that because ofmy employment with WCER that I may have access to confidential information of WCER, its employees and third parties with which WCER enters contractual relations and that but for my employment with WCER, these parties would not disclose to me or authorize my use of their confidential information. 4. I understand and acknowledge that the disclosure and maintenance of education records is subject to University of Wisconsin System policy, and state and federal student privacy laws, including the federal Family Educational Rights and Privacy Act;.that the disclosure of secure tests and their related contents is subject to federal copyright law and state trade secret law; that the disclosure of proprietary information is subject to state trade secret law; and that my employer may enter agreements with third parties that include the obligation of maintaining the confidentiality of confidential information. 5. During my employment and after the termination of my employment, I shall maintain the confidentiality of confidential information and will not reproduce or disclose the contents of any confidential information to any third party and will only use this confidential

Exhibit C (Amendment 7}, Page 1 of 3 information as directed by WCER and solely for purposes authorized within the scope of my employment with WCER. 6. I understand and acknowledge that unauthorized disclosure of confidential information could be highly damaging to WCER, its employees, third parties with which WCER enters contractual relations, and the students and parents of the students to whom this information belongs or pertains; and that disclosure of secure test materials to third parties could adversely affect the validity of the test items~results or the commercial value of the secure test materials. 7. In order to maintain the confidentiality of confidential information: a. I shall take all reasonable precautions and follow all reasonable measures specified by WCER, including the WCER Standard Security Policies and Procedures, to protect confidential information in a manner that does not permit disclosure to anyone except those authorized to receive confidential information, including the safeguarding of WCER IT system passwords and identifications. b. I shall not remove materials containing confidential information from WCER or WCER sanctioned servers unless authorized to do so. c. I shall submit for review by appropriate personnel a copy of any report, article or public statement that concerns the use of confidential information prior to its dissemination in order to assure that no confidential information will be disclosed. d. Upon termination of any project or as requested by my supervisor, I shall return any confidential information and copies to WCER; or, if I destroy any confidential information, either upon request by WCER or the owner of the information or as required by law, I shall create a written record certifying the destruction of the confidential information. e. I shall notify my supervisor if:

1. I learn of any unauthorized or accidental disclosures of confidential information; ii. I am asked to disclose confidential information to a proposed recipient who I am unaware is authorized to receive the information; and iii. I have questions relating to what constitutes confidential information. f. I shall notify WCER Technical Services as soon as I become aware of any potential security incidents, which are defined as follows: i. Any deviations from or non-compliance with the WCER Standard Security Polices or Procedures; and

11. Any incidents of suspicious activities on WCER and University of Wisconsin-Madison computers, IT infrastructure and systems. 8. I understand and acknowledge that WCER, any third parties with which WCER enters contractual relations, or any other party affected by a breach or threatened breach of this agreement by me will be entitled to injunctive and other equitable relief in addition to any available remedy of law. Any unauthorized use or disclosure of confidential information to unauthorized persons may be cause for disciplinary and legal action.

Exhibit C (Amendment 7), Page 2 of 3 r have read this agreement and understand the condition of employment.

Signature of Employee Date

Print Name

Supervisor Date

Exhibit C (Amendment 7), Page 3 of 3 Exhibit D (Amendment 7) - WCER Standard Security Policies and Procedures

Purpose

This document explains the Wisconsin Center for Education Research (WCER) security policies and procedures related to the management of computer systems and data collected or provided to research projects and fee for service groups housed within WCER. Computer systems and data managed by the School of Education outside of WCER are explicitly not governed by these policies. WCER leadership is committed to these security policies to protect information utilized by WCER in the course of fulfilling its mission as a word class education research facility. All WCER faculty, researchers, and staff are required to adhere to the policies described within this document.

Information Technology Asset Management

WCER IT administration personnel set up and uniquely identify each machine managed by WCER with a physical asset number and maintain a database of the type and model of the device, the user to whom the machine was allocated, and the operating system. We scan machines that are connected to the WCER network or the internet during login and determine whether the machine requires security patches. Security patches are managed through a service that runs on a centrally managed server. Apple OS X based systems are monitored for updates on a separate system. This allows technical staff to identify machines at risk for attack based on the presence or absence of updates. All login activity is logged.

WCER IT administration also provides mobile devices and laptops (WCER portable devices) for WCER project personnel use. While not all these devices are joined to the WCER domain, they are configured the same as all machines joined to the WCER domain. Any use of a WCER portable device to access secure information must be approved by supervising personnel and/or the data custodian of the secure information. Approval to use a WCER portable device to access secure information is conditioned on the understanding that the user shall not change WCER IT device configurations. Use of personal portable devices to access secure information for all WCER project systems is strictly prohibited.

In addition to computer hardware, we also maintain a database to track all network hardware. This allows WCER to track down any failed device or compromised system and either repair it or isolate from the rest of the network. Our network topology map displays the center network hardware, e.g. hubs, switches, etc., and how the WCER network connects to the University networking backbone. We monitor this network in real time for outages.

WCER servers are housed within a data center. Access to the data center is restricted to authorized system administration staff. Access to the center is controlled through a key card system and all entries are logged. Vendors and other visitors are escorted at

Exhibit D (Amendment 7), Page 1 of 11 all times by authorized system administration staff. The servers are housed in locked racks and the premises are under constant video surveillance. Physical security is provided by the University of Wisconsin Police. The data center has a backup power generator and backup cooling. The environmental state of the data center is constantly monitored and appropriate system administration staff is notified through email and pager when power, temperature, and humidity are outside of allowable ranges. Servers are monitored for uptime, CPU capacity, RAM, disk space, and the availability of services and system administration staff are notified of any systems or services that are unavailable.

Network Management

WCER has implemented a center wide hardware firewall. WCER system administration staff are responsible for maintaining the firewall, updating policies, and periodically reviewing firewall logs. Any changes to firewall rules are tested and documented. WCER requires host based (software) firewalls on all servers and client machines. Host based firewall rules are managed . The network is segmented into multiple virtual security zones with varying levels of trust and access. The firewall policies and network access have a default policy of deny all unless specifically allowed. We are able to establish virtual private networks to ensure secure access between security zones. The WCER network is monitored by an intrusion detection system. Suspicious traffic is analyzed for potential illegal access. Traffic conforming to known malware signatures are blocked at the network perimeter.

User Authentication and Authorization

User authentication and authorization for devices joined to the WCER domain is managed through active directory. Logan to any computer is limited to named users. All users have a unique active directory account. Users whose machines are not joined to the WCER domain have unique accounts on their individual machines. Users are required to sign a form that acknowledges their understanding of the university's IT Appropriate Use Policy as well as the WCER security policy which outlines the rights and responsibilities of all users as part of the procedure to create an active directory account. Project personnel supervisors and/or data custodians are responsible for providing annual training to all authorized users concerning the adherence to these WCER Standard Security Policies and Procedures.

Users are required to create and use complex passwords . All passwords must be changed periodically and the system does not allow reuse of passwords. Successive unsuccessful login attempts result in locking the user account. User accounts and access authorization rules are centrally managed through active directory. Data access is granted by system administration staff after receiving permission from data owners and WCER project data custodians such as principal investigators. All data access is revoked upon termination of an employee appointment. Data access permissions are reviewed when staff job responsibilities change. Direct access to any server (RDP or SSH) is restricted to system administration staff.

Exhibit D (Amendment 7), Page 2 of 11 Pre-defined default accounts that ship with any hardware or software system are changed before deployment. WCER does not permit remote access to any server or workstation by vendors.

Any remote access to any system on the WCER network must be accomplished through VPN.

The security configuration of all workstations and servers are managed through group policies defined in active directory. These policies are based on best practices for various operating systems (as identified by third party organizations such as SANS or NIST). Specifically, all workstations are configured to lock with inactivity. A password is required to unlock a workstation. Devices that are not joined to the WCER domain are configured in a similar manner.

Security Practices for Sensitive Data

Depending on the sensitivity of the data and the requirements of the data provider, WCER implements additional security policies at the group (organizational unit) or sub­ group level. These policies can be created to restrict access to particular machines or storage areas or can limit the access of particular individuals to meet narrow security requirements. We have supported a number of U.S. Department of Education-funded studies and are familiar with National Center for Education Statistics (NCES) security practices and audit procedures.

In many cases, when working with administrative and other individual student-level data, we follow NCES data security practices and create mapping tables for translating between sensitive identifiers (student or staff IDs, social security numbers, etc.) and internally created identifiers. The sensitive data is kept in encrypted tables and is only accessible by database administrators. These database administrators have no research duties and do not allow research access to the original data. The administrators only view encrypted versions of the original data using typical data management tools. Original media files or other data transport media are kept offline on optical or other media in a lock box in a fireproof tape safe. Only the database administrators have access to this lockbox.

All laptops are configured for full disk encryption prior to distribution to staff. Depending on the sensitivity of the data, WCER can employ additional security measures such as at rest encryption of data files and databases. Backups of all keys used for at rest encryption are stores off line in a fireproof safe.

Use of Anti-virus and Security Update Software

WCER requires that all systems attached to the WCER network use a centrally managed anti-virus software and that they subscribe to appropriate auto-update services. Scans are done periodically on all operating systems for which anti-virus

Exhibit D (Amendment 7), Page 3 of 11 software exists. We also remotely monitor the status of virus definitions on client machines that are attached to our domains to make sure that the update function is working. Systems that are not part of the WCER domain (laptops) use anti-virus software but it is not centrally managed.

All systems attached on the WCER network are scanned on a regular basis for the presence of restricted data (such as social security numbers). A report is generated for the use of the system administrators for further investigation. Any restricted information is either destroyed or encrypted and moved to an appropriately secured system.

Transportation of Data

WCER only transports data in encrypted Zip Archives on either tape, CD-ROM, DVD, Blu-Ray, or USB drives. Network transmission of data from other parties is performed through secure FTP or SSH. All WCER managed external hard drives, USB jump drives, and laptops are configured with full disk encryption regardless of the sensitivity of the data transported.

Data Backup

WCER uses an enterprise backup system. The default policy keeps the last 6 versions of every file on the system. WCER also keeps any deleted file for approximately (until backup tapes are reused) 90 days after it was deleted. In order to improve restore times, we cache the last 2 terabytes of backup on disk to speed restores of recently deleted or overwritten files. We keep a copy of all backup tapes in our online tape library to insure that all files will be readily retrievable. The backup system is located in the data center. The original backup tapes are transferred on a daily basis to a large fire safe in a different building. Backups are tested quarterly to ensure the integrity of the data. An additional disaster recovery safeguard is that other units in the University Wisconsin System use the same system to do its own backup and can provide backup personnel for WCER. Most of WCER servers are virtualized and we have a cooperative agreement in place for use of an alternative data center as a remote recovery site for our virtual machines in the event of catastrophic loss.

Periodic Vulnerability Scanning

WCER IT staff schedule periodic vulnerability scans of all WCER servers connected to the University campus network. The vulnerability scans include selective probes of communication services, operating systems, and applications to identify system weaknesses that could be exploited by intruders to gain access to the network. Responsibility for taking follow-up action to correct vulnerabilities, e.g., applying security patches to operating systems, is assigned to Computer Services support staff.

Potential Security Incident Assessment

Exhibit D (Amendment 7), Page 4 of 1 t WCER defines a potential security incident (PSI) as: (1) any observed deviation by WCER IT staff from these WCER Standard Security Polices or Procedures; (2) any reported incidents of non-compliance with these WCER Standard Security Polices or Procedures or confidentiality obligations by WCER authorized users; (3) any detected suspicious activity observed by WCER IT staff; or (4) any reported incidents by WCER authorized users of suspicious activities.

WCER authorized users of secure WCER IT systems are required to report all PSI to WCER IT staff as soon as they become aware of the PSI. WCER IT staff perform risk assessments of all reported or detected PSI upon learning of the incident. If it is determined that the incident is a low/no risk to WCER secure systems and data, then the incident is recorded and the matter is considered closed. If it is determined that the incident is a high risk to WCER secure systems or that the risk level is undetermined, then the incident is referred to WCER IT Incident Response Team and the matter is considered open until resolved by the WCER IT Incident Response Team according to the WCER Secure Data Breach Policy. If, due to the nature and circumstances of the PSI it is apparent that the PSI poses a high or immediate risk to WCER secure systems, then WCER IT staff will immediately refer the matter to the WCER IT Incident Response Team.

Any suspected data breach, as defined by the WCER Secure Data Breach Policy, will treated as a high risk incident and will be referred to the WCER IT Incident Response Team.

All reported security incidents will be handled as confidential information. Personnel directly involved with/in investigating and responding to the incident will be the only individuals initially informed of the incident.

Exhibit D (Amendment 7), Page S of 11 WCER/WIDA Secure Data Breach Policy

Purpose

The purpose of this policy is:

1. To establish a clear chain of control over the WCER/WJDA responses to all high­ risk security incidents involving WCER/WJDA secure systems, including WIDA operational assessment provided/hosted by WCER vendors, currently Data Recognition Corp and MetriTech, Inc.; 2. To ensure notification to data owner[s] as soon as possible regarding any breaches to WCER/WIDA secure systems and/or their data and involve a designee[s] of the data owner in any incident response as determined necessary; and 3. To outline the roles, responsibilities and procedures to ensure an effective response and resolution to any breaches to WCERM'IDA secure systems and/or their data. Definitions

• Breach - any situation where education records or PII are accessed by someone other than an authorized user or for anything other than an authorized purpose. • Data Owner - The organization or entity from which PII educational records are collected for the purpose of enacting WCER/WIDA's contracted or agreed upon services. • Education records - as defined in current FERPA regulations. • High-risk security incident- any incident that poses an immediate or possible compromise to PII or the integrity of a data system containing PII. Any incident where the exposure to system integrity or PII is unknown shall be deemed a high-risk security incident. • Personally Identifiable Information or PII - as defined in section A.3. of Contract Amendment Number 7.

Scope

This policy covers all education records containing PII that are maintained by WCER/WIDA and its assessment vendors, including DRC and Metn1 ech. It applies to all high-risk security incidents reported to or detected by WCER IT staff and all reported data breaches by WCER assessment vendors.

WCER IT Incident Response and Breach Communication Teams

The WCER IT Incident Response Team

Exhibit D (Amendment 7)t Page 6 of 11 • Composition o University of Wisconsin members • Director of Information Technology, WIDA- Dan Machmeier • Director of Technical Services, WCER - Bob Glover • WCER Network Administrator - Rick Gross • UW-Madison Chief Information Officer (UW-CIO) (if necessary) o WCER Vendor CIO, CSO or Director of IT Security (if breach is to vendor system) o Data Owner[s] Designee, as determined necessary • The WCER IT Incident Response Team shall provide the data owner[s] designee' access to the WCER IT Incident Response Team and affected systems/facilities, as determined necessary according to the facts and circumstances of an incident, including up to 24 hours a day and 7 days a week • Duties and Responsibilities o Gathers and records all pertinent information related to the incident o Oversees/performs investigation of incidents in a timely and diligent manner o Oversees/performs mitigation activities o Preserves logs and any other potential evidence for possible legal action

The WIDA Breach Communication Team consists of the following individuals:

• Composition o Executive Director, WIDA - Tim Boals o Data Custodians, WIDA - Gary Cook or Carsten Wilmes o Director of State Relations .• WIDA - Erin Arango-Escalante o Chief Operating Officer and Data Custodian, WIDA - Jason Cooper • Duties and Responsibilities o Be apprised of the incident circumstances and ongoing incident response developments o In charge of ensuring effective communication with Data Owner[s]

HighRRisk Incident Response Procedures

1. Assess and Validate Breach a. Personnel involved i. Assessment and validation are performed/overseen by the WCER IT Incident Response Team.

Exhibit D (Amendment 7), Page 7 of 11 ii. WCER IT Incident Response Team may appoint and delegate individual assessment and validation tasks to WCER IT staff as response team support staff. iii. Closing any non-breach incident shall be performed by a WCER IT Incident Response Team member only and reviewed by a second member of the WCER IT Incident Response Team. b. Gather, examine, and record incident information i. Identify IT assets/systems involved ii. Identify data at risk iii. Identify method of disclosure (e.g. malicious attack, internal unauthorized use, accidental) iv. Perform initial breach assessment c. If no breach - if upon initial assessment it is determined that no breach has taken place and the system is still secure, then: i. Correct any outstanding vulnerabilities ii. Create record of incident, include the following: 1. Incident information 2. Actions taken, and 3. Personnel involved iii. Close incident d. If breach - if upon initial assessment it is determined that a breach has occurred or is still threatened to occur, then: i. Coordinate WCER IT Incident Response Team and support staff 1. Assign incident manager 2. Assign response tasks ii. Determine status of breach, i.e. post-breach, on-going., threatened iii. Mitigate on-going and threatened breach - (E.g. isolate system, take system offline} iv. Activate secure back-up system to restore services - if any services have been interrupted due to breach, then, as soon as practicable, activate secure back-up system to restore services v. Preserve evidence - if initial assessment shows signs of malicious attack or suspected criminal activity or the incident is likely to result in some legal action vi. Create record of incident and response, include the following: 1. Incident information 2. Actions taken, and 3. Personnel involved vii. Notify the WIDA Breach Communication Team of incident

Exhibit D (Amendment 7), Page 8 of 11 viii. Develop a breach remediation plan in accordance with the section below 2. Investigate extent and circumstances of breach a. Personnel involved - Investigation performed/overseen by the WCER IT Incident Response Team or UW-CIO if necessary. b. Inclusion of UW-CIO - if the incident is likely to result in some legal action, for example, due to suspected criminal activity or a state-law required notification, then the WCER IT Incident Response Team shall immediately inform the UW-CIO office of the incident to determine: i. If the UW-CIO will take over the management of the incident response Team, ii. If additional university policies and procedures are activated, and iii. If outside (of WCERNVIDA) resources/personnel are required to complete investigation. c. Inclusion of UW-Madison legal counsel and law enforcement - the UW­ CIO will coordinate with university legal counsel and law enforcement, as necessary. d. Inclusion of Data Owner Designee[s] as determined necessary, upon notification of data owners, below. e. Determine and record scope and nature of breach i. Identify affected IT assets ii. Interview key personnel iii. Identify, review and preserve available electronic logs and written records applicable to the breach 3. Notification of data owners a. Personnel involved - At least one University of Wisconsin member of WCER IT Incident Response Team and one member of the WIDA Breach Communication Team b. UW-CIO/UW-Madison legal counsel consultation i. If the incident is likely to result in some legal action or inclusion of a Data Owner Designee[s] on the incident response team, then UW­ CIO/UW-Madison legal counsel shall be consulted prior to notifying the affected data owner[s] ii. Notwithstanding the foregoing, timely notification will be provided whether prior consultation with UW-CIO/UW-Madison legal counsel occurs. If no consultation occurs prior to notification, then consultation with UW-CIO/UW-Madison legal counsel shall happen as soon as possible.

Exhibit D (Amendment 7), Page 9 of 11 c. Timing - notification to affected data owner[s] should occur as soon as possible, but no later than by the closing of the next business day after the breach has been validated d. Goals i. Establish clear communication channels between WCER IT Incident Response Team and designated data owner personnel ii. Provide sufficient incident and response information to coordinate mutually-cooperative response to the incident, including designation of data owner personnel to incident response team as determined necessary 4. Resolution actions a. Personnel involved i. WCER IT Incident Response Team ii. UW-CIO/UW-Madison legal counsel iii. Data Owner Designee[s] as determined necessary b. Complete all mitigation activities c. Securing of system/restoration of services i. WCER IT Incident Response Team will certify system security has been restored and may be used for the performance of services d. Notification of affected individuals i. UW-CIO/UW-Madison legal counsel will determine, in consultation with the data owner[s] whether and to what extent, notification of affected individuals is appropriate or required by law ii. UW-CIO/UW-Madison legal counsel will determine, in consultation with the data owner(s] whether and to what extent additional WCER/WIDA will provide other services to mitigate the risk of negative consequences to affected individuals e. Legalactions i. UW-CIO/UW-Madison legal counsel will coordinate with the appropriate parties any legal actions that results from the incident f. Recordkeeping - a clear record of all incident information gathered, actions taken, personnel involved, and review of findings will be maintained for each breach incident. g. Close incident - Closing any breach incident shall be performed by the WCER IT Incident Response Team and reviewed by the UW-CIO. 5. Breach remediation plan a. Purpose and contents - In addition to the other requirements of this policy, the WCER IT Incident Response Team shall provide an ongoing written assessment of a breach to data owners that details the facts and

Exhibit D (Amendment 7), Page 10 of 11 circumstances of the breach and the mitigation efforts to stop the breach and reduce the risk of incurring a similar type of breach in the future b. Timing and updates - the remediation plan shall be made available to data owner[s] within ten (10) calendar days of notifying the data owner[s] of the incident. The plan shall be updated as necessary to reflect additions and changes to the facts and circumstances of the breach or the remediation efforts to be taken by WCER c. Data owner[s] review and comment-the WCER IT Incident Response Team shall collect comments concerning the plan from the data owner[s] and adjust the breach remediation plan as determined appropriate by the parties 6. Review- a. Personnel involved i. WCER IT Incident Response Team ii. UW-CIO/UW-Madison legal counsel b. Goals i. Develop team approach to understanding, avoiding and responding to data security risks ii. Improve existing security practices iii. Minimize risk of future breaches iv. Develop effective incident response procedures c. Change data security policies and procedures as needed d. Update and modify training as needed

Exhibit D (Amendment 7), Page 11 of 11