Oversight Manager and Contracting Officer complete closeout activities. Contracting Officer issues Request for Quotation.

Conversely, the FRB stated that they do not contract out Critical Functions. The FDIC will consider each of the OIG's recommendations and further study the need for additional risk-based controls for essential procurements.

The FDIC relied on Blue Canopy to conduct activities within the FDIC's Security Operations Center, Computer Security Incident Response Team, and Information Security and Privacy Program Support, which were recognized within NIST guidance as foundational security controls or protective measures that enable an enterprise to perform its mission or critical functions despite risks posed by threats to its use of systems. Without these foundational security controls, the FDIC could not ensure the security, confidentiality, integrity, and availability of its information, thus jeopardizing the Agency's mission and operations.

Figure 5: Best Practices for Conducting Periodic Reviews of Controls and Processes.

From July 2005 to December 2019, the FDIC issued three contracts (or sets of contracts) for information security support services.

Report to the Board about the Award Profile Reports and corresponding status reports for procured Critical Functions during the contract management phase of the acquisition process on an individual and aggregate contract basis, for its consideration. Estimated Completion Date: March 31, 2022.

In 2009 and 2010, the services obtained were overseen by the FDIC's Division of Information Technology.

Incorporate the provisions of OMB Policy Letter 11-01 guidance into the FDIC Acquisition Policy Manual (August 2008) and the Acquisition Procedures, Guidance and Information document (January 2020).
Appendix 2 Identified Best Practices and Their Sources.

The FDIC Legal Division concluded in October 2011 that the OMB Policy Letter did not apply because: (1) the FDIC did not fall within the definition of "executive agency" in the Office of Federal Procurement Policy Act, and (2) the FDIC was not funded by congressional appropriations.

An agency may become over-reliant on a service provider if it does not have the capacity (number of Federal employees) and capability (Federal employees with appropriate training, experience, and expertise) to oversee the contractor properly.

Footnote: 26 Contract terminology consists of specialized words or meanings relating to a particular field, such as the term "Critical Function" in the Federal acquisition process.

We also provided Blue Canopy with a draft copy of the report to review for factual accuracy.

Management Decision: Partially Concur. Corrective Actions: The FDIC currently develops a management oversight strategy to oversee all contractors based on the risk and complexity of the contract.

Board approval should be obtained prior to entering into any material third-party arrangements. The level of detail in contract provisions will vary with the scope and risks associated with the third-party relationship.
Footnote: 23 According to the FDIC's Enterprise Risk Management Standard Operating Procedure (May 2020), Residual Risk is the exposure remaining from an inherent risk after action has been taken to manage it.

The contractor successfully performed all required tasks under both contracts, and received "excellent" and "outstanding" ratings in annual performance reviews, with the exception of one "good" rating on one contract for one rating period.

Appendix 6 Summary of the FDIC's Corrective Actions.

7.503), and the examples in Appendix A in OMB 11-01.

The GAO report, Human Capital: Additional Steps Needed to Help Determine the Right Size and Composition of DOD's Total Workforce (GAO-13-470) (May 2013), found, in part, that the DOD's current policies did not fully reflect federal policy concerning the identification of Critical Functions.

800-53 organized security and privacy controls into 20 families.

Additional appendices include acronyms and abbreviations, the Agency's comments on a draft of this report, and a summary of the Agency's corrective actions.

Phase 3: Contract Management - Program Office and DOA Acquisition Services Branch perform periodic reviews of controls and processes and take corrective measures to address (or mitigate the potential risk of) instances of contractor over-reliance for a Critical Function, as necessary.
The contract provides various support activities to the Privacy Program. However, there was no indication that the CIOO reassessed the reports during the course of the 7-year performance of these contracts.

Contract Oversight Management | Federal Deposit Insurance Corporation OIG

We found that the FDIC did not have policies and procedures for identifying Critical Functions in its contracts, as recommended by the best practices in OMB Policy Letter 11-01 and embodied in industry standards. This represented a failure of the FDIC to maintain control of its operations. OMB Policy Letter 11-01 provides guidance on managing the performance of Inherently Governmental and Critical Functions.

Implement corrective actions when the FDIC determines it is over-reliant on a contractor for a procured Critical Function.

Source: OIG analysis of the FDIC Acquisition Policy Manual (August 2008) and the Acquisition Procedures, Guidance and Information (January 2020).

Corrective Action: The FDIC's existing acquisition policy, as a comprehensive framework, incorporates many of the risk management principles referenced by the OIG in its audit and incorporated in OMB Policy Letter 11-01.

Rec. No.: 8; Corrective Action: Taken or Planned - Following the FDIC's study discussed in response to Recommendation 1, the CIOO will assess whether any additional enhancements to the management oversight strategy for the Managed Security Services Provider and Security and Privacy Professional Services BOAs and task orders are needed beyond those already incorporated.
Without the requisite analysis, the FDIC cannot be assured that it has appropriately identified and mitigated the existing procurement and operational risks. According to the FDIC's Legal Division, OMB Policy Letter 11-01 does not directly apply to the Agency, but it may be used for guidance.

DOD's policies and procedures predated the publication of this requirement, and consequently contained no reference to it.

In August 2017, a former FDIC senior executive expressed concern with the FDIC's contractual relationship with, and over-reliance on, Blue Canopy.

800-53 provides a comprehensive set of security and privacy safeguarding measures for all types of computing platforms. Safeguarding measures include both security and privacy controls to protect the critical and essential operations and assets of organizations and the privacy of individuals. The publication also states, "[t]he controls are flexible and customizable and implemented as part of an organization-wide process to manage risk."

Further, GAO recommendations and other Federal agencies support that this process should be addressed within policies and procedures.

The FDIC's OCISO and DOA submitted to the Board, through its established procurement process, a Board Case Package and Award Profile Reports.38 These documents, however, did not identify the procured services that were Critical Functions, nor did they present the planned or implemented heightened oversight management activities for the Critical Function procurements.

Routine reports may include performance reports, audits, financial reports, security reports, and business resumption testing reports.

Contracting Officer notifies offerors of results.

In addition, GSA, NASA, USDA, DOE, OCC, NCUA, and CFPB have procedures to oversee the contractor's performance and their own personnel's oversight of a contractor.

Periodic Reviews of Controls and Processes.
In order to answer our objectives, we reviewed Blue Canopy's two existing contracts, as of May 2020,5 with the FDIC's Chief Information Officer Organization (CIOO), and the FDIC's acquisition process to identify and manage procured Critical Functions.

Program Office identifies contracting need.

FDIC will consider and further study potential methodologies for assessing contractor over-reliance, including how other agencies make such determinations.

A CIOO official stated that Blue Canopy's business resumption and contingency plans were not a concern because Blue Canopy operated within the FDIC's information systems and on the FDIC's premises.

Our evaluation assessed whether Blue Canopy performed Critical Functions as determined by OMB Policy Letter 11-01 and best practices; and if so, whether the FDIC retained sufficient management oversight of Blue Canopy to maintain control of its mission and operations in accordance with best practices.

NASA, USDA, and CFPB performed, or considered it a best practice to perform, strategic human capital planning. Agencies performed (or considered as a best practice) periodic reviews of contractor and agency personnel performance, human capital planning, personnel training, risk management strategy, contract requirements, budget/cost justification, attribution of contractor vs. agency work, and over-reliance assessments.

Best Practices for Conducting Periodic Reviews of Controls and Processes, 6.

The OIG's mission is to prevent, deter, and detect waste, fraud, abuse, and misconduct in FDIC programs and operations; and to promote economy, efficiency, and effectiveness at the agency.
For the 12 unresolved recommendations, the FDIC plans to consider and further study the issues and does not intend to implement corrective actions for another year (between March 31 and June 30, 2022).

Results of oversight activities for material third-party arrangements should be periodically reported to the board of directors or designated committee.

Footnote: 6 12 U.S.C.

However, to meet its fiduciary responsibility to the taxpayers, the agency must have sufficient internal capability to control its mission and operations. Sufficient internal capability (i) generally requires that an agency have an adequate number of positions filled by Federal employees with appropriate training, experience, and expertise to understand the agency's requirements, formulate alternatives, take other appropriate actions to properly manage and be accountable for the work product, and continue critical operations with in-house resources, another contractor, or a combination of the two, in the event of contractor default; and (ii) further requires that an agency have the ability and internal expertise to oversee and manage any contractors used to support the Federal workforce. Determinations concerning what constitutes sufficient internal capability must be made on a case-by-case basis taking into account, among other things, the: (i) agency's mission; (ii) complexity of the function and the need for specialized skill; (iii) current strength of the agency's in-house expertise; (iv) current size and capability of the agency's acquisition workforce; and (v) effect of contractor default on mission performance.

As part of acquisition planning, agencies shall confirm that for the Critical Functions to be procured, the agency has sufficient internal capability to control its mission and operations. Those procedures shall be reviewed by agency management no less than every two years.
In addition, agencies should periodically evaluate the effectiveness of their internal management controls for reserving work for Federal employees and identify any material weaknesses. The OMB policy letter also states that "[a]gencies should review, on an ongoing basis, the functions being performed by their contractors, paying particular attention to the way in which contractors are performing, and agency personnel are managing, contracts involving critical functions. These reviews should be conducted in connection with the development and analysis of inventories of service contracts." In addition, the OMB policy letter states that if the agency determines that internal control of its mission and operations is at risk due to over-reliance on contractors to perform critical functions, requiring activities should work with their human capital office to develop and execute a hiring and/or development plan.

Footnote: 36 Security Configuration Management of the Windows Server Operating System (AUD-19-004) (January 2019).

Existing Acquisition Procedures for Contract Planning, Oversight, and Reporting.

Footnote: 27 Corrective Measures.

Figure 3: Best Practices for Performing a Procurement Risk Assessment.

GSA, NASA, USDA, DOE, and OCC have policy and procedures to prevent over-reliance on a contractor, and specific corrective measures to address instances of contractor over-reliance.

Perform a procurement risk assessment.

The FDIC annually captures the risks it faces through its Enterprise Risk Management Risk Inventory. Without a proper cost-effectiveness analysis, an agency cannot identify, analyze, and determine (on an informed basis) the most cost-effective alternative or course of action.

Best Practices: 4.
GAO also found that DHS personnel did not identify specific oversight activities they conducted to mitigate the risk of contractors performing functions in a way that could become inherently governmental.

o Contract Oversight Management (EVAL-20-001), October 28, 2019;
o The FDIC's Receivership Basic Ordering Agreements for Business Process Operations Services (AUD-14-006), March 31, 2014;
o Security Configuration Management of the Windows Server Operating System (AUD-19-004), January 16, 2019; and

As discussed above, however, the FDIC's IGCE did not include the scope and methodology, analyses (both quantitative and qualitative), conclusions, and rationale for the Agency's final procurement decision as suggested by best practices. In particular, FDIC management did not present to the Board an analysis that demonstrated whether it was cost effective to procure the desired Critical Functions or to perform those functions internally with Federal employees or some combination of Federal employees and contractor personnel.

As noted above, the OIG identified best practices from OMB Guidance, the GAO, industry standards, and several other Federal agencies. According to the GAO, the use of a contractor poses a risk of fraud, waste, and abuse.

These services are critical to ensuring the security and protection of the FDIC's Information Technology infrastructure and data.

Recommendation 12: Report to the Board about the Procurement Risk Assessments, Management Oversight Strategies and contract provisions that address identified risks for planned Critical Functions during the procurement planning phase of the acquisition, for its consideration.
The FDIC stated that it partially concurred with the remaining 12 recommendations; however, the FDIC response did not provide specific actions taken or planned.

These periodic reviews should be focused on targeted controls or areas of performance (such as personnel performance or human capital planning), and/or performed more broadly (such as a contractor over-reliance assessment).

As it relates to contract structure, the APM states that the contracting officer must select the type of contract and pricing arrangement that represents the most prudent and reasonable relationship with the contractor and minimizes cost and other risks to the FDIC.

Neither the Board Case Package nor the Board meeting minutes reflected that the FDIC discussed with the Board its procurement risk assessment and management oversight strategy, planned contract structuring, and ongoing monitoring controls and reports for the procured Critical Functions.

Footnote: 4 Security Configuration Management of the Windows Server Operating System (AUD-19-004) (January 2019).

The FDIC took prompt action to address security control testing sufficiency before OIG issued the January 2019 audit report.

Rec. No.: 10; Corrective Action: Taken or Planned - The FDIC plans to address this recommendation through the study and actions described in its response to Recommendation 1.; Expected Completion Date: March 31, 2022; Monetary Benefits: $0; Resolved-a - Yes or No: No; Open or Closed-b: Closed; Row 11: ; Rec.

The FDIC relies on the results of security control assessments to identify security weaknesses and inform key risk management decisions. Within this report, the OIG recommended that the FDIC "[e]stablish requirements to ensure the independence of security control assessors."

Solicitation and Award: Program Office, DOA Acquisition Services Branch, and Legal Division identify the Critical Function within solicitation and award documents.
In addition, routine reviews ensure that both contractor and agency staff know their roles and responsibilities in the event of an unexpected incident, and validate the planned response.

Through competition, the FDIC is able to compare the value of competing technical proposals and prices in order to determine which proposal affords the best value.

Recommendation 10: Determine when and how to assess for contractor over-reliance as part of the management oversight strategy.

The overall objective of such reviews is to identify, assess, and resolve indications of contractor over-reliance.

USDA, CFPB, and OCC used, or considered it a best practice to have, contract provisions to specify the agency's rights and the contractor's obligations and responsibilities surrounding Critical Functions.