Management does not concur with the recommendation, but alternative action meets the intent of the recommendation; or

In June 2014, the FDIC Board of Directors authorized senior management to contract for services in support of the information security and privacy program and to increase the prior contract ceiling. Specifically, the FDIC calculated that it would cost the FDIC an additional $2.55 million to procure the services ($26,387,825 versus $23,834,747).29 However, the FDIC did not include this information in the Board Case Package, nor was it discussed with the Board, as demonstrated by the corresponding Board minutes.

[Figure: FDIC Total Awards by Socio-Economic Categories, January 1 - December 31, 2021; vertical axis: Percent of Total FDIC Awards, in $ millions. Bar labels and values as they appear on the chart: 8(a) $106.5; HUBZone $8.6; Veteran Owned $4.7; Service-Disabled Veteran Owned $0.9; Women Owned $105.7; Small Disadvantaged Business $68.5; Minority Owned and MWOB (the remaining values on the chart are $342.8 and $416.4).]

As part of the FDIC's Enterprise Risk Management program, after the Divisions and Offices identify their risks, they assess the likelihood of those risks occurring on both an inherent22 and a residual23 basis. As demonstrated by the FDIC and Blue Canopy's contractual relationship, the FDIC's acquisition and risk management processes did not identify the procurement risk of Critical Functions, nor did the FDIC heighten its management oversight for these procured services.

Perform a procurement risk assessment.

Corrective Action: The FDIC Risk Inventory identifies risks to the FDIC achieving its mission, goals, and objectives and risks to agency operations.
The FDIC incorporates those processes or practices that support its unique circumstances, recognizing that what has worked well elsewhere or what other organizations have implemented may not work well for the FDIC or might be counterproductive to performance and efficiency, the goal of best business practices. The controls address diverse requirements derived from mission and business needs, laws, executive orders, directives, regulations, policies, standards, and guidelines.40

Table 2: Procured Blue Canopy Services Deemed to Be Critical Functions of the FDIC

To increase competition and diversity of firms providing information security and privacy services, reduce the FDIC's reliance on a single vendor for these services, and improve contract oversight and vendor management, the FDIC sought and received Board approval in October 2019 to initiate two contract actions to replace the existing Blue Canopy contracts with new BOAs and task orders.

We note that the definition of a Critical Function as defined by OMB Policy Letter 11-01 is similar to the definition of an Essential Function found in the FDIC's Continuity of Operations Program.1 It is also similar to the definition of Critical Functions in the FDIC Chief Information Officer Organization Business Continuity Plan (January 2019), which are defined as business activities or information that could not be interrupted or unavailable for several business days without significantly jeopardizing operation of the organization. For purposes of this report, we will use the term and definition of Critical Function from OMB Policy Letter 11-01, which is widely accepted across the Federal government. In particular, Blue Canopy performed a range of cybersecurity and privacy support services for the FDIC, including continuous monitoring, vulnerability management, internal control reviews, and privacy assessments.
In July 2020, the FDIC awarded a competitive BOA to one vendor to provide managed support services for all aspects of the Security Operations Center (SOC) under a fixed-price arrangement.

Ultimately, absent specific policies and procedures on this process, DOD may lack assurance that it retains enough government employees to maintain control over these important functions. For example, the following agencies noted heightened contracting monitoring, such as:

o Identify and Monitor for Critical Functions.
o Identify planned procurement of Critical Functions.

Footnote: 29 For Contract CORHQ-14-C-0778, the FDIC's IGCE estimated that it would cost $26,387,825 to procure the services from a third party versus the estimated cost of $23,834,747 to perform the services internally with Federal employees, a variance of $2,553,077.

In particular, FDIC management did not present to the Board an analysis that demonstrated whether it was cost effective to procure the desired Critical Functions or to perform those functions internally with Federal employees or some combination of Federal employees and contractor personnel.

We recommend that the Deputy to the Chairman and Chief Operating Officer:

1) Incorporate the provisions of OMB Policy Letter 11-01 guidance into the FDIC Acquisition Policy Manual (August 2008) and Acquisition Procedures, Guidance and Information document (January 2020).

Corrective Action: In addition to current practices, the FDIC plans to address this recommendation through the study and actions described in our response to Recommendation 1.

o The FDIC's Implementation of Enterprise Risk Management (EVAL-20-005), July 8, 2020.
This is the accessible text file for FDIC OIG report number Eval-21-002 entitled 'Critical Functions in FDIC Contracts'.

For one of the Blue Canopy contracts, the IGCE supporting documentation showed that the FDIC calculated that it would be more expensive to procure the services than to perform them internally with FDIC employees. The FDIC, however, has expressed reluctance to incorporate the term Critical Function into its process, as that term is used and defined in OMB Policy Letter 11-01. An FDIC team, including oversight managers, technical monitors, and contract specialists, provided oversight of both contracts.

However, in order to mitigate the potential risk of a service provider's financial failure, breach of information security protocols, or failure to ensure service continuity, an agency needs to continuously monitor the service provider's financial condition and operations.

In addition to current practices, the FDIC plans to further address this recommendation through the study and actions described in our response to Recommendation 1.

As the report demonstrates, no public or private organization follows all of the processes or practices the OIG identified. Successfully identifying and applying best practices can reduce business expenses and improve organizational efficiency.17

Therefore, we determined in our prior report that Blue Canopy lacked independence in its assessments. The FDIC took prompt action to address the OIG's recommendations regarding the lack of independent assessments of Blue Canopy's services, and the OIG closed those recommendations in 2019.
This example highlights the need for the FDIC to clearly define the terminology related to Critical Functions and incorporate the underlying concepts embodied in Critical Functions, so that it can readily identify Critical Functions in such procurements and take appropriate actions with heightened monitoring and controls. In addition, NASA considered internal capability when procuring a Critical Function, and CFPB ensured that Contract Officers had appropriate backgrounds, such as Information Technology expertise for procured Information Technology services.

Those procedures shall be reviewed by agency management no less than every two years. In addition, agencies should periodically evaluate the effectiveness of their internal management controls for reserving work for Federal employees and identify any material weaknesses. The OMB policy letter also states that "[a]gencies should review, on an ongoing basis, the functions being performed by their contractors, paying particular attention to the way in which contractors are performing, and agency personnel are managing, contracts involving critical functions. These reviews should be conducted in connection with the development and analysis of inventories of service contracts." In addition, the OMB policy letter states that if the agency determines that internal control of its mission and operations is at risk due to over-reliance on contractors to perform critical functions, requiring activities should work with their human capital office to develop and execute a hiring and/or development plan.

In addition to current practices, the FDIC plans to further address this recommendation through the study and actions described in our response to Recommendation 1.
Our methodology relied on identifying best practices from various reputable sources, including OMB Policy Letter 11-01, GAO reports, industry standards, and other Federal agencies, and comparing the FDIC's acquisition process with these best practices.

A prior OIG report, Security Configuration Management of the Windows Server Operating System (AUD-19-004) (January 2019), found that the FDIC tasked Blue Canopy with both designing security controls and assessing their effectiveness, which impaired the firm's ability to conduct an impartial assessment. The GAO report, DHS Service Contracts: Increased Oversight Needed to Reduce the Risk Associated with Contractors Performing Certain Functions (GAO-20-417) (May 2020), found, in part, that DHS did not consistently plan for the level of Federal oversight needed for certain contracts because there was no guidance on how to document and update the number of Federal personnel needed to conduct oversight.

[Figure: FDIC Contract Portfolio Pricing Arrangements]

Footnote: 25 GAO, Standards for Internal Control in the Federal Government (GAO-14-704G) (September 2014); and the FDIC's Financial Institution Letter, Guidance for Managing Third-Party Risk (FIL-44-2008) (June 2008).

Rec. No.: 13; Corrective Action: Taken or Planned: The FDIC will consider additional reporting requirements related to contracts for essential functions or for services necessary during a business continuity event, including where such functions are performed by a single vendor, in conjunction with the study and actions described in response to Recommendation 1.; Expected Completion Date: March 31, 2022; Monetary Benefits: $0; Resolved-a (Yes or No): No; Open or Closed-b: Closed

For example, the FDIC provides best practice guidance to financial institutions for monitoring contractor risks.
In addition, following the FDIC's study and actions in response to Recommendation 1, the CIOO will assess the need for additional periodic reviews of such contracts and whether additional enhancements are required beyond the controls already incorporated.

Incorporate the provisions of OMB Policy Letter 11-01 guidance into the FDIC Acquisition Policy Manual (August 2008) and Acquisition Procedures, Guidance and Information document (January 2020).

Footnote: 16 The FDIC Legal Division concluded that OMB Policy Letter 11-01 did not apply to the FDIC, because (1) the FDIC did not fall within the definition of executive agency in the Office of Federal Procurement Policy Act; and (2) the FDIC was not funded by congressionally appropriated funds.

In addition, OMB Policy Letter 11-01 established a definition for a Critical Function as "a function that is necessary to the agency being able to effectively perform and maintain control of its mission and operations." In addition, the GSA and OCC report on procurement actions through the Federal Procurement Data System-Next Generation (FPDS-NG),* which includes those designated as Critical Functions.