Such heightened contract monitoring activities would include: (1) performing a procurement risk assessment, (2) establishing a management oversight strategy, (3) conducting periodic reviews, and (4) providing formal reports to the Board on an individual and aggregate basis. Phase 3: Contract Management - Program Office and DOA Acquisition Services Branch implement the management oversight strategy for the acquired Critical Function. If so, whether the FDIC retained sufficient management oversight of Blue Canopy to maintain control of its mission and operations in accordance with best practices. Best Practices for Performing a Procurement Risk Assessment, 4. The criticality of the function depends on the mission and operations, which will differ between agencies and within agencies over time. Corrective Action: See response to Recommendation 12. In particular, the FDIC may not ensure that it has an adequate number of employees with the appropriate training, experience, and expertise to oversee the procurements of Critical Functions. The FDIC did not perform a procurement risk assessment for Critical Functions obtained from Blue Canopy during the procurement planning process. Footnote: 9 The OCISO's mission is to develop and maintain Agency-wide information security and privacy programs that support the mission of the FDIC. The OIG report, Contract Oversight Management (EVAL-20-001) (October 2019), noted that some CIOO Oversight Managers lacked the workload capacity to oversee contracts, and certain Oversight Managers were not properly trained or certified. Such actions by contractors create risks that governance and decisions of significant public interest are not made by Government officials who are accountable to the President and bound by laws controlling the conduct and performance of Federal employees.
The FDIC relied on Blue Canopy to conduct activities within the FDIC's Security Operations Center, Computer Security Incident Response Team, and Information Security and Privacy Program Support, which were recognized within NIST guidance as foundational security controls or protective measures that enable an enterprise to perform its mission or critical functions despite risks posed by threats to its use of systems. Without these foundational security controls, the FDIC could not ensure the security, confidentiality, integrity, and availability of its information, thus jeopardizing the Agency's mission and operations. For our evaluation, we identified best practices for procuring Critical Functions by reviewing OMB Policy Letter 11-01, GAO reports, and industry standards,18 and by interviewing officials at several other Federal agencies.19 We compared these best practices with the FDIC's existing procurement process, using Blue Canopy as an example, to determine the extent to which the FDIC incorporated these best practices into its process. Examples of Personally Identifiable Information include an individual's full name, Social Security Number, driver's license, medical information, or home telephone number. DOA and CIOO officials acknowledged that the FDIC had not incorporated OMB Policy Letter 11-01 (September 2011), and related best practices, into the FDIC's Acquisition Policy Manual (August 2008) or Acquisition Procedures, Guidance and Information (January 2020). On a quarterly basis, the FDIC submitted Award Profile Reports to the Board that summarized the FDIC's contracting activities for the quarter. With respect to the MSSP and SPPS contracts, FDIC contract officers, oversight managers, and technical monitors assigned to the BOAs and task orders will ensure that contractors comply with contract terms and meet performance expectations. Table 1: Best Practices for Critical Functions by Source.
The overall objective of such reviews is to identify, assess, and resolve indications of contractor over-reliance. Acquisition Policy Manual (APM) (i.e., the official policy document), data. The portable document format (PDF) file also posted on our Web site is an exact electronic replica of the printed version. A breach or disruption in these services could impact the security, confidentiality, integrity, and availability of FDIC information. DOD's policies and procedures predated the publication of this requirement and consequently contained no reference to it. Appendix 6 Summary of the FDIC's Corrective Actions. The FDIC response further disagreed that the weaknesses identified in our prior OIG report regarding the Security Configuration Management of the Windows Server Operating System "represent[ed] a failure on the FDIC's part to maintain control of its operations." We note that the FDIC previously recognized the problem and took remedial actions to address the independence concern identified in the prior OIG report. Ultimately, as recommended by best practices, a complete cost effectiveness analysis for Critical Functions, clear and distinct from the IGCE, should be performed and presented to the Board for its review and consideration. As recommended in OMB Policy Letter 11-01, the APM details pre- and post-award responsibilities to avoid contracts for inherently governmental functions.6 The APM emphasizes the importance of being fully aware of contract terms, contractor performance, and contract administration to ensure that appropriate FDIC control is preserved. As a result, the FDIC also did not implement heightened contract monitoring activities for Critical Functions as stated in OMB's Policy Letter 11-01 and in best practices identified and used by other government agencies. The FDIC will consider each of the OIG's recommendations and further study the need for additional risk-based controls for essential procurements.
The MSSP BOA includes provisions which carry monetary penalties should the vendor default against an SLA, and incentives to extend the period of performance by demonstrating sustained excellent performance in meeting all SLAs. The FDIC and Blue Canopy's contractual arrangement supported the FDIC's internal annual self-assessment, as required by FISMA. The FDIC develops detailed board cases for individual procurements exceeding $20 million that discuss procurement costs, benefits, alternatives considered, management oversight strategy, and other information. As the report demonstrates, no public or private organization follows all of the processes or practices the OIG identified. o FDIC Financial Institution Letter: Third-Party Risk: Guidance for Managing Third-Party Risk (FIL-44-2008) (June 2008). The FIL does not separately detail specific procedures applicable to critical functions, but rather provides a general framework for appropriate oversight and risk management of significant third-party relationships, including those in which a third party performs critical functions. The FIL recommends increasing levels of control for more complex or higher-risk activities. The contracts include performance criteria, reporting, and contractual requirements to facilitate ongoing assessment and mitigation of risk. Recommendation 11: Implement corrective actions when the FDIC determines it is over-reliant on a contractor for a procured Critical Function. ; Expected Completion Date: March 31, 2022; Monetary Benefits: $0; Resolved-a - Yes or No: No; Open or Closed-b: Closed; Row 2: ; Rec.
We also reviewed documentation and interviewed employees familiar with Blue Canopy's work to determine if the FDIC maintained control of its mission and operations. However, there was no indication that the CIOO reassessed the reports during the course of the 7-year performance of these contracts. - Program Office provides a Statement of Work and an independent cost estimate. Similarly, the Board meeting minutes did not identify the procured services as Critical Functions. The contractor successfully performed all required tasks under both contracts and received excellent and outstanding ratings in annual performance reviews, with the exception of one good rating on one contract for one rating period. In particular, the official stated that the IGCE included a comparison of the costs to conduct the planned activities internally against the cost for a vendor(s) to perform those same activities. The FDIC's acquisition procedures are also consistent with the FDIC's Guidance for Managing Third-Party Risk (FIL-44-2008). As part of the procurement risk assessment, include a cost effectiveness analysis. The APM includes a discussion and guidance for avoiding performance by contractors of inherently governmental functions. The FDIC annually captures the risks it faces through its Enterprise Risk Management Risk Inventory.
Agencies performed (or considered as a best practice) periodic reviews of contractor and agency personnel performance, human capital planning, personnel training, risk management strategy, contract requirements, budget/cost justification, attribution of contractor vs. agency work, and over-reliance assessments. FDIC's Execution and Oversight of the Blue Canopy Contracts. According to the Government Accountability Office (GAO), the use of a contractor poses a risk of fraud, waste, and abuse. Estimated Completion Date: The guidance issued to Divisions/Offices for the 2021 budget year will include contract oversight as a workload driver. (or sets of contracts) for information security support services. The Program Office is responsible for determining its procurement needs and initiating the acquisition process by submitting a procurement request to DOA's ASB. Consistent with that approach, the FDIC will continue to adopt those portions of the OMB Policy Letter that support its unique operations, while the Policy Letter overall continues to be inapplicable by operation of law. In particular, the reports are intended to provide detailed profiles for those awards and award categories with a value of $20 million or more, as well as those that require greater oversight due to the nature of the scope of work and risk to the FDIC. A risk management process would identify, measure, monitor, report, and mitigate the operational and procurement risks for acquired Critical Functions. The Risk Inventory includes an assessment of impact and likelihood, and risks are prioritized and summarized into one of four risk levels: critical, significant, moderate, and low. Over a 4-year period (2015-2019), the FDIC's OCISO spent between 35 percent and 44 percent of its operating expenses annually on Blue Canopy services. NASA, USDA, and DOE performed, or considered it a best practice to perform, a cost effectiveness analysis.
The FDIC relied on Blue Canopy to develop, operate, and service the Security Operations Center as well as information and network security. Further, the FDIC may not maintain control of its mission and operations, and may become over-reliant on contractors. The FDIC Division of Administration (DOA) awarded 2,633 contracts valued at $2.85 billion over the 5-year period 2017-2021, averaging $570 million annually. Appendix 1 of this report includes additional details on our objective, scope, and methodology. Best Practices: 1. Business Resumption and Contingency Plans.35 As part of the procurement risk assessment, or as a separate management oversight strategy, an agency should identify the contract structure and key contract provisions, such as the review and testing of business resumption and contingency plans. In particular, the policy letter states that "[a]gencies shall develop and maintain internal procedures to address the requirements of this guidance." In addition, the policy letter states that agencies should determine the type and level of management attention necessary to ensure that functions that should be reserved for Federal performance are not materially limited by or effectively transferred to contractors, and that functions suitable for contractor performance are properly managed. Determine the contract structure during the solicitation and award process for the procurement of a Critical Function. Federal Agencies. Appendix 1 Objectives, Scope, and Methodology, 1. Footnote: 13 The Federal Information Security Modernization Act of 2014 (FISMA) amended and clarified the Federal Information Security Management Act of 2002. As a result, we consider the remaining 12 recommendations to be unresolved at this time. Federal Agencies. For example, as noted above, the following agencies noted heightened contract monitoring activities, such as: o Develop a Management Oversight Strategy.
In addition, following the FDIC's study and actions in response to Recommendation 1, the CIOO will assess the need for additional periodic reviews of such contracts and whether additional enhancements are required beyond the controls already incorporated. OMB: The source identified this item; GAO: The source identified this item; Industry Standard: The source identified this item; Select Federal Agencies: The source identified this item; OMB Guidance. We made 13 recommendations to the FDIC's Deputy to the Chairman and Chief Operating Officer. Procurement Planning - Program Office performs a procurement risk assessment for the planned acquisition of a Critical Function, which includes performing a cost effectiveness analysis. Identified Best Practices and Their Sources, 3. A Contract Management Plan must be developed for the acquisition of services having a total estimated value of $1 million and greater. OMB Policy Letter 11-01 advises certain agencies that they should ensure that Federal employees perform and/or manage Critical Functions to the extent necessary for the agency to operate effectively and maintain control of its mission and operations. Without a process for identifying planned and procured Critical Functions, the FDIC cannot ensure that it will take appropriate actions based on informed, independent. Federal employees must be able to understand the agency's requirements, formulate alternatives, manage the work product, monitor the contractors used to support the Federal workforce, and adequately mitigate the potential impact on mission performance if contractors were to default on their obligations.
In addition, the GSA and OCC report on procurement actions through the Federal Procurement Data System-Next Generation (FPDS-NG),* which includes those designated as Critical Functions. : 5; Corrective Action: Taken or Planned - The FDIC plans to further address this recommendation through the study and actions described in its response to Recommendation 1.; Expected Completion Date: March 31, 2022; Monetary Benefits: $0; Resolved-a - Yes or No: No; Open or Closed-b: Closed; Row 6: ; Rec. Footnote: 5 Contracts CORHQ-14-C-0769 and CORHQ-14-C-0778. https://www.fdicoig.gov/sites/default/files/publications/19-004AUD_0.pdf. The Board should be involved in reviewing management's risk assessment, contract structuring, and monitoring reports for procured Critical Functions on an individual and aggregate basis. Blue Canopy performed a range of cybersecurity and privacy support services for the FDIC. Footnote: 4 Security Configuration Management of the Windows Server Operating System (AUD-19-004) (January 2019). USDA, CFPB, and OCC used, or considered it a best practice to have, contract provisions to specify the agency's rights and the contractor's obligations and responsibilities surrounding Critical Functions. Other potential risks arise from or are heightened by the involvement of a third party. Footnote: 36 Security Configuration Management of the Windows Server Operating System (AUD-19-004) (January 2019). In particular, "[m]anagement should allocate sufficient qualified staff to monitor significant third-party relationships and provide the necessary oversight. The extent of oversight of a particular third-party relationship will depend upon the potential risks and the scope and magnitude of the arrangement."
ERM provides transparency and accountability in business practices, reporting, and governance, which can improve stakeholder confidence in the agency's work. Based on our review of GAO and industry standards,25 procured services involving contractors result in a greater level of inherent risk than an agency directly performing these services. Recommendation 2: Identify Critical Functions during the procurement planning, award, and contract management phases of the acquisition process. OMB Policy Letter 11-01 advises certain agencies that they should ensure that Federal employees perform and/or manage Critical Functions to the extent necessary for the agency to operate effectively and maintain control of its mission and operations. However, the FDIC did not make the determination that Blue Canopy provided essential or critical services, even though the Agency dedicated more than 38 percent of its IT security budget to Blue Canopy services. Further, GAO recommendations and other Federal agencies support that this process should be addressed within policies and procedures. As noted above, the OIG identified best practices from OMB Guidance, the GAO, industry standards, and several other Federal agencies.
OMB Policy Letter 11-01 also states that "[d]etermining the criticality of a function requires the exercise of informed judgment by agency officials." The official also stated that, in conjunction with the IGCE, the CIOO conducted an analysis to determine whether the FDIC's costs associated with Information Security and Privacy support services were in line with other Federal agencies. A Critical Function is a function that is necessary to the agency being able to effectively perform and maintain control of its mission and operations. FISMA requires each agency to perform an annual self-assessment. The PGI requires the oversight manager, together with the contracting officer, to determine the level of oversight that is necessary to ensure the contractor makes satisfactory progress toward the successful completion of the terms of the contract. Footnote: 23 According to the FDIC's Enterprise Risk Management Standard Operating Procedure (May 2020), Residual Risk is the exposure remaining from an inherent risk after action has been taken to manage it. In 2019, these services comprised 38.3 percent ($16.2 million) of the OCISO's annual operating expenses ($42.3 million). o The FDIC's Implementation of Enterprise Risk Management (EVAL-20-005) (July 8, 2020). ERM provides an enterprise-wide view of challenges that enables agencies to allocate resources, prioritize and proactively manage risk, improve the flow of risk information to decision makers, and work towards successful accomplishment of their missions. Government agencies must ensure that (1) contractors do not perform work that should be reserved for Federal employees; and (2) Federal officials are appropriately managing and overseeing contractor performance. No. As a result, we consider the remaining 12 recommendations to be unresolved at this time.
As it relates to contract structure, the APM states that the contracting officer must select the type of contract and pricing arrangement that represents the most prudent and reasonable relationship with the contractor and minimizes cost and other risks to the FDIC. Further, the official stated that Blue Canopy complied with the FDIC's directives governing access to and operations at FDIC offices and facilities. Without these best practices in place, the FDIC cannot be assured that it will provide sufficient management oversight of Blue Canopy or other contractors performing Critical Functions. Footnote: * The FPDS-NG is the current central repository of information on Federal contracting. Successfully identifying and applying best practices can reduce business expenses and improve organizational efficiency.17 Periodic reviews should determine if the agency needs to take corrective measures to address any over-reliance on contractors for Critical Functions.27 Contracting officers and oversight managers are also responsible for evaluating contractor performance. Phase 3: Contract Management - Program Office and DOA Acquisition Services Branch report to the FDIC Board on the results of ongoing monitoring reports and planned corrective measures to address (or mitigate the potential risk of) instances of contractor over-reliance for Critical Functions, as necessary. Although NCUA and CFPB did not have an explicit written policy, they noted the actions/procedures they would take to address an instance of contractor over-reliance.
Such heightened contract monitoring activities would include: (1) performing a procurement risk assessment, (2) establishing a management oversight strategy, (3) conducting periodic reviews, and (4) providing formal reports to the Board for its review of Critical Functions on an individual and aggregate basis. Awarded Contract Dollars by Division During Calendar Year 2017. Footnote: 7 The Technical Monitor is responsible for assisting the Oversight Manager in monitoring and evaluating contractor performance under an FDIC contract. Title III of the E-Government Act, entitled the Federal Information Security Management Act of 2002, requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and systems that support the operations and assets of the agency. Ultimately, when an agency is over-reliant on a contractor, the agency potentially jeopardizes its ability to maintain control of its mission and operations by failing to ensure that government actions are taken as a result of informed, independent judgments made by government officials; work products are adequately managed; and the contractors used to support the Federal workforce are appropriately monitored. Table 1 summarizes these best practices. No. Ultimately, this situation represents an increased operational risk to the FDIC and a potential risk management failure where the risk has not been identified, measured, monitored and reported, and mitigated. Source: OIG analysis of identified best practices and the FDIC's policy and procedures.
This risk-based approach to activities that are closely aligned with inherently governmental functions is consistent with the intent of OMB Policy Letter 11-01. Of particular note, the failure to identify Critical Functions during the procurement planning phase results in a cascading failure throughout the acquisition process. o Comparing and contrasting DOA, CIOO, and the Legal Division's policies and procedures related to procurement management and oversight activities to the best practices the OIG identified. Best practices indicate that an agency should perform periodic reviews of its controls and processes to ensure that those controls and processes are adhered to and operating as intended, and that the agency maintains control of its mission and operations. However, as noted in our report, the FDIC did not identify the Blue Canopy contracts as essential, and, therefore, it did not invoke the additional monitoring and oversight procedures. The Contract Management Plan addressed general oversight roles and responsibilities, and the evaluation/acceptance of the contractor's performance.
The FDIC OCISO and DOA submitted a Board Case Package to the Board that requested approval for the authority to contract for services to support the Information Security and Privacy Program. Recommendation 12: Report to the Board about the Procurement Risk Assessments, Management Oversight Strategies, and contract provisions that address identified risks for planned Critical Functions during the procurement planning phase of the acquisition, for its consideration.