When procuring Critical Functions, agencies considered (or, considered as a best practice) cost effectiveness analysis, which included analyzing the appropriate mix of Federal employees and contractors and rebalancing, as needed. An FDIC team, including oversight managers, technical monitors, and contract specialists, provided oversight of both contracts. A CIOO official confirmed that Blue Canopy was not required to submit routine financial and operational reports, as noted above. Taken together, these elements compose the financial institution's risk management analysis of the third-party relationship.

Footnote: 2 GAO reported that "[b]est business practices refer to the processes, practices, and systems identified in public and private organizations that performed exceptionally well and are widely recognized as improving an organization's performance and efficiency in specific areas."

Phase 2: Solicitation and Award - DOA Acquisition Services Branch reports to the FDIC Board the finalized contract structure and procured Critical Function - on an individual and aggregate basis. According to the FDIC's Financial Institution Letter titled Third-Party Risk Guidance for Managing Third-Party Risk (FIL-44-2008) (June 2008), "the key to the effective use of a third party in any capacity is for management to appropriately assess, measure, monitor, and control the risks associated with a contractual relationship." The Board approves the execution of contracts with dollar values over $20 million and contract modifications to contracts previously approved by the Board that increase the award amount or period of performance by more than 15 percent. A procurement risk assessment should be performed during the procurement planning phase of the acquisition process.
The GAO report, DHS Service Contracts: Increased Oversight Needed to Reduce the Risk Associated with Contractors Performing Certain Functions (GAO-20-417) (May 2020), found, in part, that DHS did not consistently plan for the level of Federal oversight needed for certain contracts because there was no guidance on how to document and update the number of Federal personnel needed to conduct oversight.

... instruments including, for low dollar non-complex purchases, purchase ...

The FDIC is committed to continually improving its processes and controls and will: (1) survey recognized practices and procedures associated with contracts supporting essential functions or those involving services necessary in a business continuity event, particularly when those contracts are performed by a single vendor; and (2) incorporate enhancements to our existing acquisition planning, approval, reporting, and oversight processes, as warranted by our unique operational needs and management structure. The FDIC took action to address OIG concerns about Blue Canopy's independence.

In particular, the FDIC prepared a Contract Management Plan37 for Blue Canopy to document the joint administrative approach agreed upon by the Contracting Officer and Oversight Manager. In planning this procurement, the CIO assessed whether FDIC staff or contractors should perform the work. Although NCUA and CFPB did not have an explicit written policy, they noted the actions/procedures they would take to address an instance of contractor over-reliance. A BOA becomes a binding contract when a task order is issued.
ERM provides transparency and accountability in business practices, reporting, and governance, which can improve stakeholder confidence in the agency's work. Conduct periodic reviews of controls and processes.

Management Response: Partially Concur.

Footnote: 5 The term "critical functions" only appears once in the Introduction section of the guidance.

Best practices recommend that an agency implement heightened contract monitoring for procured Critical Functions, and identify and control risks. As discussed in our report, the FDIC could have done more to identify and oversee procured Critical Functions. The official also stated that, in conjunction with the IGCE, the CIOO conducted an analysis to determine whether the FDIC's costs associated with Information Security and Privacy support services were in line with other Federal agencies. In order to answer our objectives, we reviewed Blue Canopy's two existing contracts, as of May 2020,5 with the FDIC's Chief Information Officer Organization (CIOO), and the FDIC's acquisition process to identify and manage procured Critical Functions.

A management oversight strategy considers, for example, the contract structure (including key provisions) for procuring Critical Functions, and oversight tasks personnel can perform. As it relates to contract structure, the APM states that the contracting officer must select "the type of contract and pricing arrangement that represents the most prudent and reasonable relationship with the contractor and minimizes cost and other risks to the FDIC."
Recommendation 3: Assess whether the FDIC's Enterprise Risk Management program should identify the impact of procured Critical Functions, and procurement risk related to contractors performing Critical Functions, within the FDIC's Risk Inventory.

The contracts include performance criteria, reporting, and contractual requirements to facilitate ongoing assessment and mitigation of risk. In addition, a prior OIG report, Security Configuration Management of the Windows Server Operating System (AUD-19-004) (January 2019), concluded that Blue Canopy lacked independence. In addition, GSA, NASA, USDA, DOE, OCC, NCUA, and CFPB have procedures to oversee the contractor's performance and their own personnel's oversight of a contractor. The FDIC is an independent agency created by Congress to maintain stability and public confidence in the nation's financial system. Although not identified within the FDIC's Risk Inventory, the Agency relied heavily on Blue Canopy to operate and service the corresponding risk management mitigating controls.
This will help ensure that the FDIC integrates [Enterprise Risk Management] into its culture, practices, and capabilities so that risks across the enterprise are considered and prioritized as part of operations support, program management, budget decisions, and strategic planning. Having well-defined authorities, roles, and responsibilities for [Enterprise Risk Management] will help to ensure that the range of risks facing the Agency and banking sector are properly identified.

According to the FDIC's Legal Division, OMB Policy Letter 11-01 does not directly apply to the Agency but it may be used for guidance. In particular, the FDIC may not ensure that it has an adequate number of employees with the appropriate training, experience, and expertise to oversee the procurements of Critical Functions. A risk/reward analysis should be performed for significant matters, comparing the proposed third-party relationship to other methods of performing the activity or product offering, including the use of other vendors or performing the function in-house.

3501 Fairfax Drive, Room VS-E-9068, Arlington, VA 22226.

CFPB - Consumer Financial Protection Bureau
CIOO - Chief Information Officer Organization
C-SIRT - Computer Security Incident Response Team
DRR - Division of Resolutions and Receiverships
FAIR Act - Federal Activities Inventory Reform Act
FDIC - Federal Deposit Insurance Corporation
FISMA - Federal Information Security Modernization Act
FPDS-NG - Federal Procurement Data System-Next Generation
GAO - U.S. Government Accountability Office
IGCE - Independent Government Cost Estimate
NASA - National Aeronautics and Space Administration
NCUA - National Credit Union Administration
NIST - National Institute of Standards and Technology
OCC - Office of the Comptroller of the Currency
OCISO - Office of the Chief Information Security Officer

TO: Terry L. Gibson, Assistant Inspector General for Program Audits and Evaluations
FROM: Brandon L. Milhorn, Deputy to the Chairman, Chief of Staff and Chief Operating Officer
CC: Sylvia W. Burns, CIO; E. Marshall Gentry, CRO
RE: Management Response to OIG Draft Audit Report, Critical Functions in FDIC Contracts (No.
Sep 23 2021.

The APM includes a discussion and guidance for avoiding performance by contractors of inherently governmental functions. The FDIC took prompt action to address security control testing sufficiency before OIG issued the January 2019 audit report. This contracting approach will increase competition and reduce FDIC's reliance on one contractor in these areas. The report concluded that the FDIC needs to establish a clear governance structure, and clearly define authorities, roles, and responsibilities related to [Enterprise Risk Management]. A Critical Function is a function that is necessary to the agency being able to effectively perform and maintain control of its mission and operations.

Rec. No.: 3; Corrective Action: Taken or Planned - The FDIC will review its risk inventory and conduct an assessment to determine if the current risk inventory sufficiently addresses the underlying risks presented in the OIG's report, irrespective of the specific use of the term "Critical Function."; Expected Completion Date: May 31, 2021; Monetary Benefits: $0; Resolved-a - Yes or No: Yes; Open or Closed-b: Closed.

Figure 4: Best Practices for Implementing a Management Oversight Strategy.

Footnote: 27 Corrective Measures.
In addition, the FDIC's business resumption and contingency plans rely on Blue Canopy's resources being available to continue its services. Every contractor who is awarded an FDIC contract is required to be registered with System for Award Management (www.SAM.gov). Specifically, the FDIC calculated that it would cost the FDIC an additional $2.55 million to procure the services ($26,387,825 versus $23,834,747).29 However, the FDIC did not include this information in the Board Case Package, nor was it discussed with the Board as demonstrated by the corresponding Board minutes. "However, to meet its fiduciary responsibility to the taxpayers, the agency must ensure it is cost effective to contract for the services."

Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount.

BASE - September 1, 2021 - August 31, 2023; OPTIONS - September 1, 2023 - August 31, 2026. Scope: The FDIC is a non-appropriated entity of the Federal Government.

Agencies ensured that statements of work recognize the procurement of Critical Functions, and management considered (or, considered as a best practice) contract provisions that specify the agency's rights and the contractor's obligations and responsibilities, including, but not limited to, provisions that address contractor performance, financial condition, emergency preparedness, corrective measures to regain/maintain control, and transfer/transition to another entity.

Best Practices for Performing a Procurement Risk Assessment

The FDIC's acquisition process is divided into four phases: (1) Procurement Planning; (2) Solicitation and Award; (3) Contract Management; and (4) Closeout Award. The Federal Deposit Insurance Corporation (FDIC) procures goods and services from contractors in support of its mission.
The FDIC, however, provided no details as to how it plans to do so.

Agencies performed (or, considered as a best practice) periodic reviews of contractor and agency personnel performance, human capital planning, personnel training, risk management strategy, contract requirements, budget/cost justification, attribution of contractor vs. agency work, and over-reliance assessments. Reasonable competition also means soliciting a sufficient number of sources to obtain an adequate market response and to analyze the fairness and reasonableness of individual offers.

Best Practices for Critical Functions by Source

The OIG report, Contract Oversight Management (EVAL-20-001) (October 2019), noted that while the information in the Award Profile Report was important for the Board of Directors to understand the status of higher risk FDIC acquisitions as of a specific point in time, "it does not provide the Board or other senior management officials with a portfolio-wide view or the ability to analyze historical contracting trends across the portfolio, identify anomalies, and perform ad hoc analysis to identify risk or plan for future acquisitions." Within the report, the OIG recommended, in part, that the FDIC "[p]rovide enhanced contract portfolio reports to FDIC executives, senior management, and the Board of Directors." Due to the lack of policies and procedures in this area, the FDIC did not identify these Critical Functions by Blue Canopy during its procurement planning phase.
As a result, the FDIC also did not implement heightened contract monitoring activities for Critical Functions as stated in OMB's Policy Letter 11-01, and best practices identified and used by other government agencies. Through the two contracts, Blue Canopy provided the following services: (1) Information Security and Privacy Support Services for the FDIC's Security Operations Center (SOC) and Computer Security Incident Response Team (C-SIRT). We found that the FDIC did not have policies and procedures for identifying Critical Functions in its contracts, as recommended by the best practices in OMB Policy Letter 11-01 and embodied in industry standards. Since then, the FDIC re-organized and placed oversight responsibility within the CIOO OCISO. If so, whether the FDIC retained sufficient management oversight of Blue Canopy to maintain control of its mission and operations in accordance with best practices.

Rec. No.: 7; Corrective Action: Taken or Planned - Following the FDIC's study discussed in response to Recommendation 1, the CIOO will assess whether any additional enhancements to the management oversight strategy for the Managed Security Services Provider and Security and Privacy Professional Services BOAs and task orders are needed beyond those already incorporated.

As discussed above, however, the FDIC's IGCE did not include the scope and methodology, analyses (both quantitative and qualitative), conclusions, and rationale for the Agency's final procurement decision as suggested by best practices.
The Board should be involved in reviewing management's risk assessment, contract structuring, and monitoring reports for procured Critical Functions on an individual and aggregate basis. Within the FDIC 2019 Annual Report, the FDIC recognized that "Information technology (IT) is an essential component in virtually all FDIC business processes" and that "[t]he FDIC's information security program is integral to the agency's ability to carry out its mission of maintaining stability and public confidence in the nation's financial system." In particular, the FDIC highlighted its continuing efforts to strengthen its information security functions and progress towards optimizing the Security Operations Center, privacy controls, and information and network security. "While identifying and understanding the risks associated with the third party is critical at the outset, the long-term management of the relationship is vital to success." In addition, the guidance noted that "[t]he extent of oversight of a particular third-party relationship will depend upon the potential risks and the scope and magnitude of the arrangement."