7) Revise the management oversight strategy for the procured Critical Functions performed under the BOAs for Managed Security Services Provider and Security and Privacy Professional Services to ensure that the strategy aligns with best practices. Identify Critical Functions during the procurement planning, award, and contract management phases of the acquisition process. The FDIC did not identify or implement periodic reviews specific to the risks associated with procured services for Critical Functions. In particular, having a business continuity plan in place and testing it helps to continuously improve an organization's ability to successfully recover from various scenarios, whether it be a natural disaster, pandemic, or communications failure. As part of a risk assessment, the institution should analyze the benefits and costs associated with the proposed relationship.

Footnote: 10 The FDIC separated the information security support services into two contracts to potentially increase the number of vendors that placed bids and to attract higher quality bids by vendors that specialized in only one set of services.

The objective is to select a contract type and pricing arrangement that results in reasonable contractor risk and provides the contractor with the greatest incentive for efficient and economical performance. The FDIC's Chief Financial Officer Organization, Office of Risk Management and Internal Controls guidance titled Enterprise Risk Management Standard Operating Procedure (May 2020) states that the FDIC currently assesses all risks facing the Agency, including inherent and residual risks, and considers existing control mitigations that reduce inherent risks. [Text box - Prior OIG report.
The contracts contained SLAs that required the contractor to meet FDIC-defined standards. An [alphabetical] two-character identifier uniquely identifies each control family41 (e.g., IR for Incident Response). An oversight program will generally include monitoring of the third party's quality of service, risk management practices, financial condition, and applicable controls and reports. This is the accessible text file for FDIC OIG report number Eval-21-002 entitled 'Critical Functions in FDIC Contracts'. FDIC is also placing a greater focus on upfront acquisition planning to make sure contracts are properly structured and have meaningful service level agreements (SLAs), appropriate incentive/disincentive structures, and performance metrics.

3. Incorporate the provisions of OMB Policy Letter 11-01 guidance into the FDIC Acquisition Policy Manual (August 2008) and Acquisition Procedures, Guidance and Information document (January 2020).

The GAO report, DHS Service Contracts: Increased Oversight Needed to Reduce the Risk Associated with Contractors Performing Certain Functions (GAO-20-417) (May 2020), found, in part, that DHS did not consistently plan for the level of Federal oversight needed for certain contracts because there was no guidance on how to document and update the number of Federal personnel needed to conduct oversight. Additionally, the FDIC needed to routinely test, or review the test results of, those plans to ensure continuity of service. The guidance provides, in part, that reports (types and frequency of management information) and business resumption and contingency plans should be considered as a contract is structured, with the applicability of each dependent upon the nature and significance of the third-party relationship.
As noted previously, the contract also did not stipulate that Blue Canopy should have periodically tested its plans and provided the results to the FDIC. The oversight manager ensures that the contractor delivers the required goods or performs the work according to the contract and the delivery schedule, monitors the expenditure of funds, and approves invoices. Implement corrective actions when the FDIC determines it is over-reliant on a contractor for a procured Critical Function. However, the FDIC did not make the determination that Blue Canopy provided essential or critical services, even though the Agency dedicated more than 38 percent of its IT security budget to Blue Canopy services. GAO also found that DHS personnel did not identify specific oversight activities they conducted to mitigate the risk of contractors performing functions in a way that could become inherently governmental. According to the FDIC's Financial Institution Letter titled Third-Party Risk: Guidance for Managing Third-Party Risk (FIL-44-2008) (June 2008), the key to the effective use of a third party in any capacity is for management to appropriately assess, measure, monitor, and control the risks associated with a contractual relationship. In addition, the FDIC's Enterprise Risk Management program may not ensure that the FDIC has appropriately identified, measured, monitored, reported, and mitigated the FDIC's significant risks for contracts and contractors. To resolve these 12 recommendations, we would expect that the FDIC provide a clear indication of the specific actions within the next 6 months, and we will determine whether the recommendations may be converted to being resolved at that time, or whether they will remain as unresolved. Estimated Completion Date: March 31, 2022.
As a result, the FDIC also did not implement heightened contract monitoring activities for Critical Functions as stated in OMB's Policy Letter 11-01, and best practices identified and used by other government agencies. Contractor performance evaluations must be completed annually for each award, regardless of dollar value, and at the end of the contract. Further, the official stated that Blue Canopy complied with the FDIC's directives governing access to and operations at FDIC offices and facilities. The FDIC's Existing Acquisition Process, 2. Those contracts could be extended a year after the end of the base ordering period. Therefore, agencies need to ensure a proper internal control environment to oversee and maintain control of their operations. The APM and implementing Acquisition Procedures, Guidance, and Information (PGI) address planning considerations for contracts considered essential in the event of an emergency or business continuity event and delineate risks associated with such procurements. Information Technology services at the FDIC have been identified as critical to the FDIC operations in numerous documents, including the FDIC's 2019 Annual Report, Enterprise Risk Management Risk Inventory,20 and National Institute of Standards and Technology (NIST) guidance. As a result, the GAO recommended, in part, that DOD should revise existing workforce policies and procedures to address the determination of the appropriate workforce mix.
Corrective Action: The existing management oversight strategy for the subject BOAs and task orders includes performance criteria, internal controls, reporting, and contractual requirements that were established during acquisition planning and are detailed in statement of work documents. If the FDIC identified planned and procured Critical Functions, it would be able to provide senior management and the Board with the knowledge, insight, and transparency on planned Critical Function procurements; the volume, depth, and concentration of procured Critical Functions; and the degree of reliance on contractors to perform Critical Functions. The guidance states that [a]n institution's board of directors and senior management are ultimately responsible for identifying and controlling risks arising from [third-party] relationships, to the same extent as if the [contracted] activity were handled within the institution.34 In particular, the FDIC should have routinely reviewed (actively monitored) Blue Canopy's financial condition, information security, and business resumption and continuity testing reports to ensure the security, confidentiality, integrity, and availability of FDIC information. The SPPS BOA also includes SLAs, which carry monetary penalties when the vendor defaults and include an incentive for the vendor to earn a contract extension by successfully proposing a conversion of their time-and-material work to firm-fixed-price. The FDIC, however, provided no details as to how it plans to do so.

12) Report to the Board about the Procurement Risk Assessments, Management Oversight Strategies, and contract provisions that address identified risks for planned Critical Functions during the procurement planning phase of the acquisition, for its consideration.
Management Decision: Partially Concur. However, there was no indication that the CIOO reassessed the reports during the course of the 7-year performance of these contracts. Corrective Action: In addition to current practices, the FDIC plans to address this recommendation through the study and actions described in our response to Recommendation 1, and based on such actions, will assess the need for additional periodic reviews. DOA will revise the APM and PGI to reflect any resulting process and control enhancements. The FDIC disagreed with the proposition that the Agency's framework did not meet the third-party risk management principles outlined in the [FDIC's Financial Institution Letter, Guidance for Managing Third-Party Risk]. However, while the framework requires reports for contracts deemed to be essential, the FDIC did not make this determination for the Blue Canopy contracts. Compromise the trust (or data) by failing to exercise due care in establishing appropriate controls to protect sensitive information and to identify and mitigate data breaches.

Footnote: 29 For Contract CORHQ-14-C-0778, the FDIC's IGCE estimated that it would cost $26,387,825 to procure the services from a third party versus the estimated cost of $23,834,747 to perform the services internally with Federal employees, a variance of $2,553,077.

Federal employees must be able to understand the agency's requirements, formulate alternatives, manage the work product, monitor the contractors used to support the Federal workforce, and adequately mitigate the potential impact on mission performance if contractors were to default on their obligations. Contracting Officer notifies offerors of results. Contracting Officer prepares contract documents.
Recommendation 3: Assess whether the FDIC's Enterprise Risk Management program should identify the impact of procured Critical Functions, and procurement risk related to contractors performing Critical Functions, within the FDIC's Risk Inventory.

: 13; Corrective Action: Taken or Planned - The FDIC will consider additional reporting requirements related to contracts for essential functions or for services necessary during a business continuity event, including where such functions are performed by a single vendor, in conjunction with the study and actions described in response to Recommendation 1.; Expected Completion Date: March 31, 2022; Monetary Benefits: $0; Resolved-a - Yes or No: No; Open or Closed-b: Closed; 1.

Risks are identified from various sources and are captured in the risk inventory. Determine contract structure. 7.503), and the examples in Appendix A in OMB 11-01. In addition, following the FDIC's study and actions in response to Recommendation 1, the CIOO will assess the need for additional periodic reviews of such contracts and whether additional enhancements are required beyond the controls already incorporated. In addition, NASA considered internal capability when procuring a Critical Function, and CFPB ensured that Contract Officers had appropriate backgrounds, such as Information Technology expertise for procured Information Technology services.
In addition to current practices, the FDIC plans to further address this recommendation through the study and actions described in our response to Recommendation 1.

Footnote: 2 GAO reported that [b]est business practices refer to the processes, practices, and systems identified in public and private organizations that performed exceptionally well and are widely recognized as improving an organization's performance and efficiency in specific areas.

Without the requisite analysis, the FDIC cannot be assured that it has appropriately identified and mitigated the existing procurement and operational risks. Upon completion of the corrective actions and before closing the recommendations, we will review the FDIC's actions to ensure that the revised acquisition process includes guidance for identifying planned procurements of Critical Functions and implementing heightened contract monitoring for Critical Functions. We understand that the FDIC may consider implementing a process in order to identify Critical Functions and employ heightened monitoring and controls. The FDIC develops a management oversight strategy for contracts and assigns responsibility to FDIC contracting officers, oversight managers, and technical monitors to oversee contractors based on the risk and complexity of the contract. Moreover, the FDIC determined, in advance of the 2019 contract modifications to increase the contract ceiling on both Blue Canopy contracts, that a new competitive, multi-vendor acquisition strategy should be put in place for the services. Figure 2 illustrates the best practices for identifying planned and procured Critical Functions during the FDIC's acquisition process.
Finally, the FDIC needed to assure itself that it was comfortable with the risks posed by Blue Canopy and the procured Critical Functions, especially if Blue Canopy had not demonstrated that it was adequately prepared for business continuity, resumption, or crisis readiness.

Recommendation 11: Implement corrective actions when the FDIC determines it is over-reliant on a contractor for a procured Critical Function.

Through competition, the FDIC is able to compare the value of competing technical proposals and prices in order to determine which proposal affords the best value. Critical Functions, on the other hand, are broader and cover all functions that are necessary to the agency being able to effectively perform and maintain control of its mission and operations. Best Practices for Implementing a Management Oversight Strategy, 5. The overall objective of such reviews is to identify, assess, and resolve indications of contractor over-reliance. Gained an understanding of Federal procurement and oversight control processes by reviewing Federal regulations, government-wide guidance, and best practices, including:
o Office of Management and Budget Office of Federal Procurement Policy, Policy Letter 11-01, Performance of Inherently Governmental and Critical Functions (September 2011);
o OMB Circular A-76, Performance of Commercial Activities (May 2003);
o Federal Activities Inventory Reform Act of 1998 (October 1998); and
The FDIC relies on the results of security control assessments to identify security weaknesses and inform key risk management decisions. Within this report, the OIG recommended that the FDIC [e]stablish requirements to ensure the independence of security control assessors. -]. It is key for management to develop a thorough understanding of what the proposed relationship will accomplish for the institution, and why the use of a third party is in its best interests.
In addition, we maintain that these circumstances represented a failure in the FDIC's controls and procedures. Sep 23 2021. In addition, it should be noted that the OIG's findings and recommendations on the FDIC's procurement process for Critical Functions cover all such contracts and are not limited to the Blue Canopy contracts. Over a 4-year period (2015-2019), the FDIC's OCISO spent between 35 percent and 44 percent of its operating expenses annually on Blue Canopy services. According to OMB Policy Letter 11-01, in order to meet its fiduciary responsibility to the taxpayers, the agency must have sufficient internal capability to control its mission and operations and must ensure it is cost effective to contract for the services. Therefore, we had determined in our prior report that Blue Canopy lacked independence in its assessments.4
o FDIC Financial Institution Letter: Third-Party Risk Guidance for Managing Third-Party Risk (FIL-44-2008) (June 2008).
Appendix 6 Summary of the FDIC's Corrective Actions. The FDIC's Legal Division has maintained that OMB Policy Letter 11-01 does not apply to the FDIC, but it may be used for guidance.16 We focused our evaluation on assessing the FDIC's procurement of Critical Functions given their importance in achieving the Agency's mission; we did not evaluate Inherently Governmental Functions as part of this review.
Nor did the FDIC require periodic joint testing procedures. In the OIG report, Contract Oversight Management (EVAL-20-001) (October 2019), the OIG reported concerns about CIOO contract oversight. OMB Policy Letter 11-01 requires agencies to identify and ensure that they retain control over Critical Functions that are core to the agency's mission but may be contracted out to the private sector. Reasonable competition also means soliciting a sufficient number of sources to obtain an adequate market response and to analyze the fairness and reasonableness of individual offers. A breach or disruption in these services could impact the security, confidentiality, integrity, and availability of FDIC information. Best practices recommend that contractors have business resumption and contingency plans in place and tested. Periodic reviews should determine if the agency needs to take corrective measures to address any over-reliance on contractors for Critical Functions.27 The FDIC Legal Division concluded in October 2011 that the OMB Policy Letter did not apply because: (1) the FDIC did not fall within the definition of executive agency in the Office of Federal Procurement Policy Act and (2) the FDIC was not funded by congressional appropriations.
: 1; Corrective Action: Taken or Planned - The FDIC will consider each of the OIG's recommendations and further study the need for additional risk based controls for essential procurements.

According to the Council of the Inspectors General on Integrity and Efficiency's Quality Standards for Inspection and Evaluation, evaluations are systematic and independent assessments of the design, implementation, and results of operations, programs, or policies.

4) Conduct a procurement risk assessment for Critical Functions during the procurement planning process, for each contract involving Critical Functions.
