In particular, the FDIC may not ensure that it has an adequate number of employees with the appropriate training, experience, and expertise to oversee the procurements of Critical Functions. This contracting approach will increase competition and reduce FDIC's reliance on one contractor in these areas.

FDIC is also placing a greater focus on upfront acquisition planning to make sure contracts are properly structured and have meaningful service level agreements (SLAs), appropriate incentive/disincentive structures, and performance metrics. Therefore, our report correctly concludes that the Blue Canopy contracts provided limited coverage of the contractor's obligations and responsibilities similar to those recommended in the FDIC's Financial Institution Letter.

Best Practices for FDIC Board Reporting

Subject: Critical Functions in FDIC Contracts

Therefore, agencies need to ensure a proper internal control environment to oversee and maintain control of their operations. judgments made by governmental officials (footnote 21) for all contracts covering Critical Functions. In 2019, these services comprised 38.3 percent ($16.2 million) of the OCISO's annual operating expenses ($42.3 million).
The objective of the plan is to ensure that the Contracting Officer, Oversight Manager, and Technical Monitor have a common understanding of both contractor and FDIC obligations under the contract. Since the FDIC did not perform periodic reviews, it did not (1) assess for contractor over-reliance within individual controls and processes or on an aggregate basis; and (2) identify and implement corrective actions needed during the contract management process related to indicators of potential operational/process failures.

Procurement Planning: Program Office identifies the Critical Function to be procured within procurement planning documents.

During the second quarter 2019, DOA provided summary status reports on both contracts after the second contract was modified to increase the contract value above the Board's reporting threshold.

For example, CFPB, DOE, and NASA rely upon their annual inventory of service contracts to identify, monitor, and report on procured Critical Functions. In addition, the CIOO official stated they would have considered and reviewed Blue Canopy's information security reports at the time of the solicitation and award process.

Footnote 19: Our interviews at other Federal agencies included the National Credit Union Administration (NCUA), Consumer Financial Protection Bureau (CFPB), Office of the Comptroller of the Currency (OCC), Federal Reserve Board of Governors (FRB), the OMB, General Services Administration (GSA), National Aeronautics and Space Administration (NASA), Department of Agriculture (USDA), and Department of Energy (DOE).

Rec. 7; Corrective Action: Taken or Planned - Following the FDIC's study discussed in response to Recommendation 1, the CIOO will assess whether any additional enhancements to the management oversight strategy for the Managed Security Services Provider and Security and Privacy Professional Services BOAs and task orders are needed beyond those already incorporated.

The Board should be involved in reviewing management's risk assessment, contract structuring, and monitoring reports for procured Critical Functions on an individual and aggregate basis. While Blue Canopy personnel were subject to the FDIC's onsite information security protocols, more proactive controls should have been employed to validate that FDIC data had been retained onsite and not transferred to the contractor's facilities or systems.

Phase 3: Contract Management - Program Office and DOA Acquisition Services Branch implement the management oversight strategy for the acquired Critical Function.

According to the Government Accountability Office (GAO), the use of a contractor poses a risk of fraud, waste, and abuse.
Footnote 8: The Contracting Officer is responsible for ensuring the performance of all actions necessary for efficient and effective contracting, ensuring compliance with the terms of contracts, and protecting the interests of the FDIC in all of its contractual relationships.

We note that the definition of a Critical Function as defined by OMB Policy Letter 11-01 is similar to the definition of an Essential Function found in the FDIC's Continuity of Operations Program (footnote 1). It is also similar to the definition of Critical Functions in the FDIC Chief Information Officer Organization Business Continuity Plan (January 2019), which are defined as business activities or information that could not be interrupted or unavailable for several business days without significantly jeopardizing operation of the organization. For purposes of this report, we will use the term and definition of Critical Function from OMB Policy Letter 11-01, which is widely accepted across the Federal government.

Separate from the prior OIG review, the FDIC also made a management determination to reduce our reliance on a single contractor for information security and privacy services.

3) Assess whether the FDIC's Enterprise Risk Management program should identify the impact of procured Critical Functions, and procurement risk related to contractors performing Critical Functions, within the FDIC's Risk Inventory.
Critical Functions, on the other hand, are broader and cover all functions that are necessary to the agency being able to effectively perform and maintain control of its mission and operations. This assessment should consider, for example, the sufficiency of the agency's internal capacity and capability to control its mission and operations based on an adequate number of Federal employees with appropriate training, experience, and expertise, and a cost effectiveness analysis to ensure that it is cost effective to contract for the services.

In addition, following the FDIC's study and actions in response to Recommendation 1, the CIOO will assess the need for additional periodic reviews of such contracts and whether additional enhancements are required beyond the controls already incorporated.
Division of Administration, Acquisition Services Branch.

o FDIC Financial Institution Letter: Third-Party Risk: Guidance for Managing Third-Party Risk (FIL-44-2008) (June 2008).

Procedures, Guidance and Information (PGI).

Appendix 1: Objectives, Scope, and Methodology

The FDIC has established risk-based processes and procedures to identify, monitor the performance of, and oversee all contracts, and is committed to improving performance in these areas. Over a 3-year period, from 2017 to 2019, the FDIC awarded nearly 4,000 contracts valued at more than $1.3 billion. Ultimately, absent specific policies and procedures on this process, DOD may lack assurance that it retains enough government employees to maintain control over these important functions. This represented a failure of the FDIC to maintain control of its operations. It is key for management to develop a thorough understanding of what the proposed relationship will accomplish for the institution, and why the use of a third party is in its best interests.

Rec. 5; Corrective Action: Taken or Planned - The FDIC plans to further address this recommendation through the study and actions described in its response to Recommendation 1.; Expected Completion Date: March 31, 2022; Monetary Benefits: $0; Resolved (a) - Yes or No: No; Open or Closed (b): Closed

Best Practices: 4.

With respect to the MSSP and SPPS contracts, FDIC contract officers, oversight managers, and technical monitors assigned to the BOAs and task orders will ensure that contractors comply with contract terms and meet performance expectations.
Rec. 10; Corrective Action: Taken or Planned - The FDIC plans to address this recommendation through the study and actions described in its response to Recommendation 1.; Expected Completion Date: March 31, 2022; Monetary Benefits: $0; Resolved (a) - Yes or No: No; Open or Closed (b): Closed

Specifically, the acquisition process was initiated in January 2010 and then again in June 2014. Typically, Critical Functions are recurring and long-term in duration. The policy letter recommends that Federal employees should perform and/or manage Critical Functions to the extent necessary for the agency to operate effectively and maintain control of its mission and operations.
Market Research and Competition.

In fact, Blue Canopy services represented nearly 40 percent of the FDIC's annual operating expenses for Information Security ($42.3 million), and the FDIC did not have a sufficient process to identify these Critical Functions and implement heightened monitoring. The system contains detailed information on contract actions over $3,000, since fiscal year 2004. The third party should have appropriate protections for backing up information and also maintain disaster recovery and contingency plans with sufficiently detailed operating procedures.
OMB Policy Letter 11-01 advises certain agencies that they should ensure that Federal employees perform and/or manage Critical Functions to the extent necessary for the agency to operate effectively and maintain control of its mission and operations.
Row 1: Procured Function: Security Operations Center; National Institute of Standards and Technology Guidance: Incident Response (IR)-4 Incident Handling, IR-7 Incident Response Assistance, System and Information Integrity (SI)-4 System Monitoring; Identified as a Critical Function (Yes/No): Yes
Row 2: Procured Function: Computer Security Incident Response Team; National Institute of Standards and Technology Guidance: IR-5 Incident Monitoring, IR-6 Incident Reporting, Risk Assessment (RA)-1 Policy and Procedures, RA-3 Risk Assessment.

The FDIC, instead, uses a best value method, especially for acquisitions requiring innovative solutions or a high level of technical expertise, that allows for the evaluation of technical factors in addition to price and past performance. Title III of the E-Government Act, entitled the Federal Information Security Management Act of 2002, requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and systems that support the operations and assets of the agency.

Footnote 1: The FDIC's acquisition procedures are scalable based on the risk and complexity of the procurement and require increased planning, oversight, and monitoring commensurate with a procurement's risk and importance.

NIST SP 800-53 provides "a comprehensive set of security and privacy safeguarding measures for all types of computing platforms." Safeguarding measures include both security and privacy controls to protect the critical and essential operations and assets of organizations and the privacy of individuals. The publication also states, "[t]he controls are flexible and customizable and implemented as part of an organization-wide process to manage risk."
In addition, NASA considered internal capability when procuring a Critical Function, and CFPB ensured that Contract Officers had appropriate backgrounds, such as Information Technology expertise for procured Information Technology services.

Figure 1: The FDIC's Existing Acquisition Process.
Corrective Action: In addition to current practices, the FDIC plans to address this recommendation through the study and actions described in our response to Recommendation 1, and based on such actions, will assess the need for additional periodic reviews.
This potentially jeopardizes the FDIC's ability to maintain control of its mission and operations by failing to ensure that government actions are taken as a result of informed, independent judgments made by government officials; work products are adequately managed; and contractors are appropriately monitored. USDA, CFPB, and OCC used, or considered it a best practice to have, contract provisions to specify the agency's rights and the contractor's obligations and responsibilities surrounding Critical Functions. Each family contains controls that are related to the specific topic of the family. Figure 2 illustrates the best practices for identifying planned and procured Critical Functions during the FDIC's acquisition process. We performed our work from May 2020 through November 2020 at the FDIC's offices in Arlington, Virginia and Dallas, Texas.
The Risk Inventory lists risks to the FDIC's ability to achieve its goals and objectives. According to the FDIC Financial Institution Letter, Third-Party Risk: Guidance for Managing Third-Party Risk (FIL-44-2008) (June 2008), an effective risk management process should identify, in part, contractual requirements that would be critical to the ongoing assessment and control of specific identified risks.

Phase 3: Contract Management - Program Office and DOA Acquisition Services Branch report to the FDIC Board on the results of ongoing monitoring reports and planned corrective measures to address (or mitigate the potential risk of) instances of contractor over-reliance for Critical Functions, as necessary.

along with its implementing and supplementing document entitled
In particular, a loss of control could result in actions and decisions that are not in the public interest, and instead may be focused on the contractor's business development, profitability, or unsuitable influences. The OMB policy letter also states that "[w]here a critical function is not inherently governmental, the agency may appropriately consider filling positions dedicated to the function with both Federal employees and contractors." The FDIC stated that it partially concurred with the remaining 12 recommendations; however, the FDIC response did not provide specific actions taken or planned. For 2019, Blue Canopy services comprised 38.3 percent ($16.2 million) of the FDIC's annual operating expenses for Information Security ($42.3 million). However, it did not address how the Contracting Officer and Oversight Manager would assess the FDIC's over-reliance on Blue Canopy or identify and implement corrective actions.

Figure 2: Best Practices for Identifying Planned and Procured Critical Functions.

Therefore, while we determined that Blue Canopy performed Critical Functions at the FDIC, as defined by OMB Policy Letter 11-01 and best practices, the FDIC did not identify these services as Critical Functions during its procurement planning phase. Best practices recommend that an agency implement heightened contract monitoring for procured Critical Functions, and identify and control risks.
The guidance states that "[a]n institution's board of directors and senior management are ultimately responsible for identifying and controlling risks arising from [third-party] relationships, to the same extent as if the [contracted] activity were handled within the institution" (footnote 34). In particular, the FDIC should have routinely reviewed (actively monitored) Blue Canopy's financial condition, information security, and business resumption and continuity testing reports to ensure the security, confidentiality, integrity, and availability of FDIC information.

Best Practices: 7. Management should periodically evaluate the adherence to and effectiveness of its internal management controls and procedures to address the objectives and requirements of OMB Policy Letter 11-01. Figure 5 illustrates the best practices for periodic reviews for contractor over-reliance and implementation of corrective measures during the FDIC's acquisition process.

Revise the management oversight strategy for the procured Critical Functions performed under the BOAs for Managed Security Services Provider and Security and Privacy Professional Services to ensure that the strategy aligns with best practices.

The Risk Inventory does not identify procured critical functions as a separate and distinct risk. In October 2020, the FDIC awarded BOAs to 10 vendors for Security and Privacy Professional Services (SPPS). In planning this procurement, the CIO assessed whether FDIC staff or contractors should perform the work.
The FDIC relied on Blue Canopy to develop, operate, and service the Security Operations Center as well as information and network security.

Identify planned procurement of Critical Functions.

There are numerous risks that may arise from an agency's use of third parties, including performance, monetary, legal, and reputational risks. The GAO report, Human Capital: Additional Steps Needed to Help Determine the Right Size and Composition of DOD's Total Workforce (GAO-13-470) (May 2013), found, in part, that DOD's current policies did not fully reflect federal policy concerning the identification of Critical Functions.

Best Practice | OMB | GAO | Industry Standard | Select Federal Agencies
1. Identify planned procurement of Critical Functions | ✓ | ✓ | ✓ | ✓
2. Implement heightened contract monitoring processes for Critical Functions | ✓ | - | ✓ | ✓
3. Perform a procurement risk assessment for Critical Functions | ✓ | ✓ | ✓ | ✓
4. Perform a cost effectiveness analysis | ✓ | - | ✓ | ✓
5. Develop a management oversight strategy | ✓ | ✓ | ✓ | ✓
6. Determine contract structure | - | - | ✓ | ✓
7. Conduct periodic reviews of controls and processes | ✓ | - | - | ✓
8. Report to the Board on procured Critical Functions | - | - | ✓ | -
Source: OIG analysis of OMB guidance, GAO reports, industry standards and guidance, and interview statements from Federal agencies.

However, if the agency cannot provide a sufficient number of knowledgeable staff to oversee the contracts, the contractors could inappropriately influence government decision-making. Taken together, these elements compose the financial institution's risk management analysis of the third-party relationship. The FDIC Risk Inventory acknowledged the risks associated with these cybersecurity and privacy support services, including a potential cyber-attack on the FDIC's systems and a security incident involving Personally Identifiable Information. According to the FDIC's Selection Recommendation Report titled Security Operations Center and Computer Security Incident Response Team Services (February 2015), the Independent Government Cost Estimate was calculated based on information acquired through historical data from the prior 3 years, as well as projects anticipated over the life of the proposed contract. For example, as noted above, the following agencies noted heightened contract monitoring practices, such as:

o Develop a Management Oversight Strategy.