Resolution approving Modification No. 1 to Professional Services Agreement for Airport Contract No. 50359, for general airport security services, between Covenant Aviation Security, LLC, and the City and County of San Francisco, acting by and through its Airport Commission, to increase the contract amount by $10,500,000 for a total not to exceed amount of $20,300,000 and to extend the contract term for two years from June 30, 2026, for a new contract term of July 1, 2024, through June 30, 2028, with one remaining option to extend for two additional years, pursuant to Charter, Section 9.118(b).

This resolution approves Modification No. 1 to a professional services agreement with Covenant Aviation Security, LLC for general airport security services at San Francisco International Airport (SFO). The modification significantly increases the contract amount and extends its term.

Original Contract (No. 50359): Awarded on May 21, 2024, for $9,800,000 for a two-year term (July 1, 2024 - June 30, 2026), with two options for two-year extensions.

Modification Details:

• The contract amount is increased by $10,500,000, bringing the new total not-to-exceed amount to $20,300,000.
• The term is extended for two years (exercising the first option), establishing a new contract term from July 1, 2024, through June 30, 2028. One two-year option to extend remains.
• This modification requires Board of Supervisors approval because the total contract amount now exceeds $10,000,000.

Service & Security Enhancements:

• The scope of services is updated, including changes to regulated and non-regulated security post positions and hours.
• Insider Threat Random Employee Inspections are increased from approximately 140 man-hours/week to 176 man-hours/week.
• New cybersecurity requirements mandate the contractor to use SFO's VPN, remediate Known Exploitable Vulnerabilities (KEV) per DHS/CISA guidelines (e.g., critical vulnerabilities within 8 hours for internet-facing services), and notify the Airport Chief Information Security Officer of any software vulnerabilities.
• Enhanced data security breach notification requires the contractor to report any data leak within 24 hours (or 12 hours for PII/PHI).

Financial Breakdown: The original contract included $9,000 annually for mobile device wireless plans and $9,000 for iPad monthly fees. Modification No. 1 updates "Other Direct Costs" to include $18,000 for mobile device wireless plans and $172,000 for consumable cards, totaling $190,000 in authorized reimbursables.