Without the requisite analysis, the FDIC cannot be assured that it has appropriately identified and mitigated the existing procurement and operational risks. Contracting Officer prepares contract documents.
Accordingly, institutions should establish and maintain an effective risk management process for initiating and overseeing outsourced operations. Many of the procurement controls contemplated in the OMB Policy Letter exist within the FDIC's current acquisition policies and guidance, without the specific designation of critical functions. Under the FDIC's Acquisition Policy Manual (APM), certain functions are so essential to the performance of government responsibilities that they may not be outsourced, namely the performance of inherently governmental functions.3 When contracted services fall short of inherently governmental functions but are closely aligned with them, the FDIC is responsible for building in enhanced controls and management oversight in the design and administration of relevant support contracts. Management Decision: Partially Concur. FDIC Actions Taken to Address Prior OIG Concerns Regarding Blue Canopy Contracts. The FDIC relies on the results of security control assessments to identify security weaknesses and inform key risk management decisions. Within this report, the OIG recommended that the FDIC [e]stablish requirements to ensure the independence of security control assessors.]
NASA, USDA, and DOE performed, or considered it a best practice to perform, a cost effectiveness analysis. As an independent agency, the FDIC routinely looks to the practices of agencies governed by the Federal Acquisition Regulation (FAR), other (non-FAR-based) independent agencies, and private business to inform its acquisition policies. The OIG previously reported on the FDIC's implementation of Enterprise Risk Management and concluded that improvements will help ensure that risks across the FDIC are considered, for example, as part of operations support and program management. For example, we considered internal controls standards, and activities, related to (1) the control environment (such as, the organizational structure and assigned responsibility; and, the commitment to recruit, develop, and retain competent individuals); and (2) control activities (such as, documented policies, procedures, techniques, and mechanisms that enforce management directives). To address our objectives, we conducted the following procedures: Analyzed Blue Canopy's contracts and contractual services for Critical Functions by comparing and contrasting activities to the following: o Other best practices the OIG identified; and. The contracts contained SLAs that required the contractor to meet FDIC-defined standards. Recommendation 9: Implement periodic reviews for procured Critical Functions, including for the BOAs and task orders for Managed Security Services Provider and Security and Privacy Professional Services. GSA, NASA, USDA, DOE, and OCC have policy and procedures to prevent over-reliance on a contractor, and specific corrective measures to address instances of contractor over-reliance.
Although NCUA and CFPB did not have an explicit written policy, they noted the actions/procedures they would take to address an instance of contractor over-reliance. There is no uniform set of best practices that public and private organizations have agreed upon in the subject area of the OIG's report. This will help ensure that the FDIC integrates [Enterprise Risk Management] into its culture, practices, and capabilities so that risks across the enterprise are considered and prioritized as part of operations support, program management, budget decisions, and strategic planning. Having well-defined authorities, roles, and responsibilities for [Enterprise Risk Management] will help to ensure that the range of risks facing the Agency and banking sector are properly identified.] To assist in performing oversight activities for complex contracts for services, the oversight manager must work with the contracting officer to develop a contract management plan. Identify planned procurement of Critical Functions. Identified weaknesses should be documented and promptly addressed. The official also stated that, in conjunction with the IGCE, the CIOO conducted an analysis to determine whether the FDIC's costs associated with Information Security and Privacy support services were in line with other Federal agencies. Following the study discussed in response to Recommendation 1, the CIOO will assess whether any additional enhancements are needed for the MSSP and SPPS BOAs and task orders beyond those already incorporated. Best Practices: 6. We recognize that the FDIC calculated and presented to the Board the Independent Government Cost Estimates (IGCE)28 that were used to conclude on the reasonableness and feasibility of the proposals received.
: 10; Corrective Action: Taken or Planned - The FDIC plans to address this recommendation through the study and actions described in its response to Recommendation 1.; Expected Completion Date: March 31, 2022; Monetary Benefits: $0; Resolved-a - Yes or No: No; Open or Closed-b: Closed; Row 11: ; Rec. While the Award Profile Reports described the procured services, assessed contractor performance, tracked fund utilization/allocation, and assessed FDIC contract oversight, the FDIC did not identify Blue Canopy's procured services as Critical Functions. Reviewed the FDIC's policy and procedures, including: o FDIC Acquisition Policy Manual (August 2008); o Acquisition Procedures, Guidance and Information (January 2020) document; and. According to the FDIC's Legal Division, OMB Policy Letter 11-01 does not directly apply to the Agency but it may be used for guidance. The OIG notes in its report that the FDIC followed its normal contract policies and procedures for the two Blue Canopy contracts. Therefore, the FDIC should have been concerned about Blue Canopy's business resumption and contingency plans in regards to its ability to provide back-up or additional resources during an adverse event. Footnote: 2 OMB Policy Letter 11-01 established Executive Branch policy and was addressed to the heads of civilian and Executive Departments and agencies.
The contracts included a number of key performance indicators (KPIs) and operational performance indicators (OPIs), including KPIs related to providing, backfilling, and retaining human resources and key personnel; incident response; root cause analysis; and report delivery. A breach or disruption in these services could impact the security, confidentiality, integrity, and availability of FDIC information. In particular, the FDIC may not ensure that it has an adequate number of employees with the appropriate training, experience, and expertise to oversee the procurements of Critical Functions. An Executive Agency is a Federal agency that is housed under the Executive Office of the President or one of the 15 Cabinet departments within the Executive Branch. The objective of these reviews should address the controls' effectiveness in deterring or mitigating the agency's over-reliance on the contractor, and ensuring that the agency maintains control of its mission and operations. Footnote: 7 The Technical Monitor is responsible for assisting the Oversight Manager in monitoring and evaluating contractor performance under an FDIC contract.
As noted previously, the contract also did not stipulate that Blue Canopy should have periodically tested its plans and provided the results to the FDIC. This assessment should consider, for example, the sufficiency of the agency's internal capacity and capability to control its mission and operations based on an adequate number of Federal employees with appropriate training, experience, and expertise, and a cost effectiveness analysis to ensure that it is cost effective to contract for the services. In making that determination, the officials shall consider the importance that a function holds for the agency and its mission and operations. The Federal Deposit Insurance Corporation (FDIC) procures goods and services from contractors in support of its mission. Critical Functions in FDIC Contracts. : 7; Corrective Action: Taken or Planned - Following the FDIC's study discussed in response to Recommendation 1, the CIOO will assess whether any additional enhancements to the management oversight strategy for the Managed Security Services Provider and Security and Privacy Professional Services BOAs and task orders are needed beyond those already incorporated. Appendix 6 Summary of the FDIC's Corrective Actions. o The FDIC's Enterprise Risk Management Inventory. Program Office and Contracting Officer prepare acquisition documents. In addition, GSA, NASA, USDA, DOE, OCC, NCUA, and CFPB have procedures to oversee the contractor's performance and their own personnel's oversight of a contractor.
From July 2005 to December 2019, the FDIC issued three contracts (or sets of contracts) for information security support services. The services provided under this contract included intrusion monitoring; incident investigation; event escalation; reporting; vulnerability research, analysis, and response; incident detection; incident response; and after-hours support. A CIOO official also stated that the contractor was responsible for ensuring uninterrupted support of services, if the FDIC determined that Blue Canopy provided services essential or critical to the FDIC mission. Corrective Actions: Existing acquisition processes and procedures help limit the likelihood of such an occurrence; however, the FDIC will examine whether additional controls are necessary in conjunction with the study and actions described in our response to Recommendation 1.
Agencies should consider internal controls such as approval authorities, segregation of duties, and independence and non-conflict of interest standards. The OIG report, Contract Oversight Management (EVAL-20-001) (October 2019), noted that while the information in the Award Profile Report was important for the Board of Directors to understand the status of higher risk FDIC acquisitions as of a specific point in time, it does not provide the Board or other senior management officials with a portfolio-wide view or the ability to analyze historical contracting trends across the portfolio, identify anomalies, and perform ad hoc analysis to identify risk or plan for future acquisitions. Within the report, the OIG recommended, in part, that the FDIC [p]rovide enhanced contract portfolio reports to FDIC executives, senior management, and the Board of Directors.] A CIOO official stated that Blue Canopy's business resumption and contingency plans were not a concern because Blue Canopy operated within the FDIC's information systems and on the FDIC's premises. Recommendation 6: Determine the contract structure during the solicitation and award process for the procurement of a Critical Function. Best Practices for Identifying Planned and Procured Critical Functions, 3. Without the identification of procured Critical Functions and its associated risk, the FDIC may not accurately capture and assess the Agency's inherent and residual risk related to its contracts and contractors. Footnote: 19 Our interviews at other Federal agencies included the National Credit Union Administration (NCUA), Consumer Financial Protection Bureau (CFPB), Office of the Comptroller of the Currency (OCC), Federal Reserve Board of Governors (FRB), the OMB, General Services Administration (GSA), National Aeronautics and Space Administration (NASA), Department of Agriculture (USDA), and Department of Energy (DOE).
Develop and implement a management oversight strategy for Critical Functions during the procurement planning process, for each contract involving Critical Functions. Footnote: 34 FDIC Financial Institution Letter titled, Third-Party Risk Guidance for Managing Third-Party Risk (FIL-44-2008) (June 2008). Conduct periodic reviews of controls and processes. Phase 1: Procurement Planning - Program Office and DOA Acquisition Services Branch develop a management oversight strategy for the planned acquisition of a Critical Function, which includes determining the contract structure (key provisions). A CIOO official confirmed that Blue Canopy was not required to submit routine financial and operational reports, as noted above. For example, if not managed and supervised prudently, the agency may: Footnote: 1 According to FDIC Directive 1500.6, Continuity of Operations (COOP) Program (November 2019), Essential Functions are a subset of government functions that are determined to be critical activities. OMB Policy Letter 11-01 requires certain agencies2 to take specific actions, before and after contract award, to prevent contractor performance of Inherently Governmental Functions and to prevent over-reliance on contractors in the performance of Critical Functions. These best practices support the view that the FDIC should develop and implement heightened contract monitoring processes for Critical Functions.
Federal Agencies. Best practices recommend that an agency implement heightened contract monitoring for procured Critical Functions, and identify and control risks. Some of the risks are associated with the underlying activity itself, similar to the risk faced by an institution directly conducting the activity. As demonstrated by the FDIC and Blue Canopy's contractual relationship, the FDIC's acquisition and risk management processes did not identify the procurement risk of Critical Functions, nor did the FDIC heighten its management oversight for these procured services. Federal agencies need to ensure proper management and oversight of procured services for Critical Functions in order to prevent over-reliance on the contractor and the loss of control of the agency's mission and operations. https://www.fdicoig.gov/sites/default/files/publications/19-004AUD_0.pdf. In particular, [m]anagement should allocate sufficient qualified staff to monitor significant third-party relationships and provide the necessary oversight. The extent of oversight of a particular third-party relationship will depend upon the potential risks and the scope and magnitude of the arrangement. However, while Blue Canopy operated within the FDIC's information systems and facilities, the value that Blue Canopy provided was in its human capital. In addition, NASA considered internal capability when procuring a Critical Function, and CFPB ensured that Contract Officers had appropriate backgrounds, such as Information Technology expertise for procured Information Technology services. [Text box - Prior OIG report. The OIG report, Contract Oversight Management (EVAL-20-001) (October 2019), noted that some CIOO Oversight Managers lacked the workload capacity to oversee contracts, and certain Oversight Managers were not properly trained or certified.]
Table 1: Best Practices for Critical Functions by Source. Based on our review of GAO and industry standards,25 procured services involving contractors result in a greater level of inherent risk than an agency directly performing these services. We expect the guidance to . The oversight manager ensures that the contractor delivers the required goods or performs the work according to the contract and the delivery schedule, monitors the expenditure of funds, and approves invoices. Board Reporting. Further, the FDIC may not maintain control of its mission and operations, and may become over-reliant on contractors. Program Office conducts market research. For the 12 unresolved recommendations, the FDIC plans to consider and further study the issues and does not intend to implement corrective actions for another year (between March 31 and June 30, 2022). Best practices state that for procured Critical Functions, an agency should periodically monitor the service provider's ongoing operations, including its financial condition, information security, and business resumption and continuity plans. GSA, NASA, USDA, DOE, OCC, and CFPB have policy and procedures, or follow OMB guidance, related to Critical Functions. Procurement Planning - Program Office performs a procurement risk assessment for the planned acquisition of a Critical Function, which includes performing a cost effectiveness analysis. The guidance states that [a]n institution's board of directors and senior management are ultimately responsible for identifying and controlling risks arising from [third-party] relationships, to the same extent as if the [contracted] activity were handled within the institution.34 In particular, the FDIC should have routinely reviewed (actively monitored) Blue Canopy's financial condition, information security, and business resumption and continuity testing reports to ensure the security, confidentiality, integrity, and availability of FDIC information.
In addition, the FDIC's business resumption and contingency plans rely on Blue Canopy's resources being available to continue its services. Additionally, the FDIC needed to routinely test, or review the test results of, those plans to ensure continuity of service. According to the FDIC's Financial Institution Letter titled Third-Party Risk Guidance for Managing Third-Party Risk (FIL-44-2008) (June 2008), the key to the effective use of a third party in any capacity is for management to appropriately assess, measure, monitor, and control the risks associated with a contractual relationship. Blue Canopy was also assigned duties related to design and/or execution of these controls. Agencies should consider internal controls such as approval authorities, segregation of duties, and independence and non-conflict of interest standards. Figure 4: Best Practices for Implementing a Management Oversight Strategy. Table 2 illustrates the services performed by Blue Canopy that we identified as Critical Functions based on National Institute of Standards and Technology Special Publication 800-53, Revision 5 (NIST S.P. 800-53, Rev. 5). : 11; Corrective Action: Taken or Planned - The FDIC will examine whether additional controls are necessary in conjunction with the study and actions described in its response to Recommendation 1.; Expected Completion Date: March 31, 2022; Monetary Benefits: $0; Resolved-a - Yes or No: No; Open or Closed-b: Closed; Row 12: ; Rec. In addition, OMB Policy Letter 11-01 established a definition for a Critical Function as "a function that is necessary to the agency being able to effectively perform and maintain control of its mission and operations."
Such actions by contractors create risks that governance and decisions of significant public interest are not made by Government officials who are accountable to the President and bound by laws controlling the conduct and performance of Federal employees. Identify Critical Functions during the procurement planning, award, and contract management phases of the acquisition process. When DOA's ASB receives an acquisition request from a Program Office, it assigns the request to a Contracting Officer.8 The Deputy Director of the ASB appoints Contracting Officers with the authority to enter into, administer, and terminate contracts on behalf of the FDIC. The APM and implementing Acquisition Procedures, Guidance, and Information (PGI) address planning considerations for contracts considered essential in the event of an emergency or business continuity event and delineate risks associated with such procurements. The Board authorized a 7 1/2-year term for Security Operations Center and Vulnerability Management Services and a 10-year term for security and privacy professional services. o Perform Periodic Reviews. o Comparing and contrasting DOA, CIOO, and the Legal Division's policy and procedures related to management procurement and oversight activities to best practices the OIG identified. The Risk Inventory lists risks to the FDIC's ability to achieve its goals and objectives. Develop a management oversight strategy. However, we found that the Agency did not document and present to the Board a complete cost effectiveness analysis that evaluated whether a Critical Function should be procured or performed internally.