Requiring activities should also work with the acquisition office to address the handling of ongoing contracts, and with the budget and finance offices to secure the necessary funding to support the needed in-house capacity. The GAO report, DHS Service Contracts: Increased Oversight Needed to Reduce the Risk Associated with Contractors Performing Certain Functions (GAO-20-417) (May 2020), found, in part, that DHS did not consistently plan for the level of Federal oversight needed for certain contracts because there was no guidance on how to document and update the number of Federal personnel needed to conduct oversight.

Management concurs with the recommendation, and the planned, ongoing, and completed corrective action is consistent with the recommendation; or, 2.

Contract Oversight. Considered the following U.S. Government Accountability Office reports:
o GAO Report, DHS Service Contracts: Increased Oversight Needed to Reduce the Risk Associated with Contractors Performing Certain Functions (GAO-20-417) (May 2020);
o GAO Report, Support Service Contracts: NNSA Could Better Manage Potential Risks of Contractors Performing Inherently Governmental Functions (GAO-19-608) (September 2019);
o GAO Report, Human Capital: Additional Steps Needed to Help Determine the Right Size and Composition of DOD's Total Workforce (GAO-13-470) (May 2013); and

The FDIC provides the following response to the Office of Inspector General's (OIG) draft evaluation report titled, Critical Functions in FDIC Contracts, dated March 3, 2021. The Risk Inventory includes an assessment of impact and likelihood, and risks are prioritized and summarized into one of four risk levels: critical, significant, moderate, and low.
As part of the procurement risk assessment, include a cost effectiveness analysis.

Rec. No.: 13; Corrective Action: Taken or Planned - The FDIC will consider additional reporting requirements related to contracts for essential functions or for services necessary during a business continuity event, including where such functions are performed by a single vendor, in conjunction with the study and actions described in response to Recommendation 1.; Expected Completion Date: March 31, 2022; Monetary Benefits: $0; Resolved-a - Yes or No: No; Open or Closed-b: Closed;

Management should also consider mandating exception-based reports that would serve as notification of any changes or problems that could affect the nature of the relationship or pose a risk to the financial institution.

Business Resumption and Contingency Plans.35 As part of the procurement risk assessment, or as a separate management oversight strategy, an agency should identify the contract structure and key contract provisions, such as the review and testing of business resumption and contingency plans. Best practices state that for procured Critical Functions, an agency should periodically monitor the service provider's ongoing operations, including its financial condition, information security, and business resumption and continuity plans.
The Contractor shall provide the necessary qualified personnel and all materials to assist FDIC in conducting the Bidder Qualification process, including, but not limited to, the comprehensive review and analysis of potential bidders' Qualification Applications in order to assess the bidder's financial capability and the bidder's experience as an

The policy letter adopted the definition of an Inherently Governmental Function based on the established statutory definition in the Federal Activities Inventory Reform Act (FAIR Act),15 and it eliminated variations of this definition found in other documents.

Rec. No.: 4; Corrective Action: Taken or Planned - The FDIC plans to further address this recommendation through the study and actions described in its response to Recommendation 1.; Expected Completion Date: March 31, 2022; Monetary Benefits: $0; Resolved-a - Yes or No: No; Open or Closed-b: Closed;

The FDIC has also recently implemented new acquisition initiatives to further improve vendor management and contract oversight, and to reduce the number of non-competitive awards. Many of the procurement controls contemplated in the OMB Policy Letter exist within the FDIC's current acquisition policies and guidance, without the specific designation of critical functions. Under the FDIC's Acquisition Policy Manual (APM), certain functions are so essential to the performance of government responsibilities that they may not be outsourced, namely the performance of inherently governmental functions.3 When contracted services fall short of inherently governmental functions but are closely aligned with them, the FDIC is responsible for building in enhanced controls and management oversight in the design and administration of relevant support contracts. The FDIC Division of Administration (DOA) awarded 2,633 contracts valued at $2.85 billion over the 5-year period 2017-2021, averaging $570 million annually.
12) Report to the Board about the Procurement Risk Assessments, Management Oversight Strategies, and contract provisions that address identified risks for planned Critical Functions during the procurement planning phase of the acquisition, for its consideration.

o GAO Report, VA Health Care: Additional Guidance, Training, and Oversight Needed to Improve Clinical Contract Monitoring (GAO-14-54) (October 2013).

However, the FDIC awarded both contracts to Blue Canopy, which did not reduce reliance on a single contractor for information security support services. In addition, the CIOO official stated they would have considered and reviewed Blue Canopy's information security reports at the time of the solicitation and award process.

Figure 2 illustrates the best practices for identifying planned and procured Critical Functions during the FDIC's acquisition process. The SPPS BOA also includes SLAs, which carry monetary penalties when the vendor defaults, and include an incentive for the vendor to earn a contract extension by successfully proposing a conversion of their time-and-materials work to firm-fixed-price. Incorporate the provisions of OMB Policy Letter 11-01 guidance into the FDIC Acquisition Policy Manual (August 2008) and Acquisition Procedures, Guidance and Information document (January 2020). Such heightened contract monitoring activities would include: (1) performing a procurement risk assessment, (2) establishing a management oversight strategy, (3) conducting periodic reviews, and (4) providing formal reports to the Board on an individual and aggregate basis.
Phase 3: Contract Management - Program Office and DOA Acquisition Services Branch report to the FDIC Board on the results of ongoing monitoring reports and planned corrective measures to address (or mitigate the potential risk of) instances of contractor overreliance for Critical Functions, as necessary.

(2) Information Security and Privacy Support Services for outsourced functions.

Figure 4 illustrates the best practices for implementing a management oversight strategy as part of the FDIC's acquisition process.

3) Assess whether the FDIC's Enterprise Risk Management program should identify the impact of procured Critical Functions, and procurement risk related to contractors performing Critical Functions, within the FDIC's Risk Inventory.

For example, as noted above, the following agencies noted heightened contracting monitoring, such as: o Develop a Management Oversight Strategy.

For example, the following agencies noted heightened contracting monitoring, such as: o Identify and Monitor for Critical Functions.

In response to this risk, in September 2011, the Office of Management and Budget (OMB) provided guidance in OMB Policy Letter 11-01 on managing the performance of Inherently Governmental Functions and Critical Functions in order to ensure that government action is taken as a result of informed, independent judgments made by government officials. In addition, OMB Policy Letter 11-01 defined a Critical Function as a function that is necessary to the agency being able to effectively perform and maintain control of its mission and operations. Typically, critical functions are recurring and long-term in duration.

Footnote: 34 FDIC Financial Institution Letter titled, Third-Party Risk Guidance for Managing Third-Party Risk (FIL-44-2008) (June 2008).
Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount.

The FDIC's Existing Acquisition Process. Best Practices for Critical Functions by Source.

Following the FDIC's study discussed in response to Recommendation 1, the CIOO will assess whether any additional enhancements to the management oversight strategy for the MSSP and SPPS BOAs and task orders are needed beyond those already incorporated.

We performed our work in accordance with the Council of the Inspectors General on Integrity and Efficiency's Quality Standards for Inspection and Evaluation.

As part of a risk assessment, the institution should analyze the benefits and costs associated with the proposed relationship. While identifying and understanding the risks associated with the third party is critical at the outset, the long-term management of the relationship is vital to success. In addition, the guidance noted that [t]he extent of oversight of a particular third-party relationship will depend upon the potential risks and the scope and magnitude of the arrangement.

If the FDIC identified planned and procured Critical Functions, it would be able to provide senior management and the Board with knowledge, insight, and transparency on planned Critical Function procurements; the volume, depth, and concentration of procured Critical Functions; and the degree of reliance on contractors to perform Critical Functions. The contractor successfully performed all required tasks under both contracts, and received excellent and outstanding ratings in annual performance reviews, with the exception of one good rating on one contract for one rating period.
USDA, CFPB, and OCC used, or considered it a best practice to have, contract provisions to specify the agency's rights and the contractor's obligations and responsibilities surrounding Critical Functions. A prior OIG report, Security Configuration Management of the Windows Server Operating System (AUD-19-004) (January 2019), found that the FDIC tasked Blue Canopy with both designing security controls and assessing their effectiveness, which impaired the firm's ability to conduct an impartial assessment. To date, four task orders have been awarded under the BOAs to two different service providers. We found that the FDIC did not have policies and procedures for identifying Critical Functions in its contracts, as recommended by the best practices in OMB Policy Letter 11-01 and embodied in industry standards. Agencies should consider internal controls such as approval authorities, segregation of duties, and independence and non-conflict-of-interest standards. There is no uniform set of best practices that public and private organizations have agreed upon in the subject area of the OIG's report.

Reviewed the FDIC's policy and procedures, including:
o FDIC Acquisition Policy Manual (August 2008);
o Acquisition Procedures, Guidance and Information (January 2020) document; and

However, there was no indication that the CIOO reassessed the reports during the course of the 7-year performance of these contracts. Conversely, the FRB stated that they do not contract out Critical Functions.

Figure 6: Best Practices for FDIC Board Reporting.

The Blue Canopy Group, LLC (Blue Canopy) performed a range of cybersecurity and privacy support services for the FDIC.
The FDIC relied on Blue Canopy to develop, operate, and service the Security Operations Center as well as information and network security. Those contracts could be extended a year after the end of the base ordering period. The FDIC provided detailed information on the acquisition to the Board of Directors in advance of the procurement and quarterly throughout the period of performance. The OIG made 13 recommendations aimed at having the FDIC incorporate provisions of OMB Policy Letter 11-01 into the FDIC's policies and procedures, identify critical functions during the procurement process, and implement heightened contract monitoring for critical functions. While OMB Policy Letter 11-01 is inapplicable to the FDIC as a matter of law, the FDIC's risk-based acquisition procedures address virtually all of the control factors listed in the Policy Letter, and many of these controls were in place for the Blue Canopy contracts. To increase competition and diversity of firms providing information security and privacy services, reduce the FDIC's reliance on a single vendor for these services, and improve contract oversight and vendor management, the FDIC sought and received Board approval in October 2019 to initiate two contract actions to replace the existing Blue Canopy contracts with new BOAs and task orders. Without the identification of procured Critical Functions and their associated risk, the FDIC may not accurately capture and assess the Agency's inherent and residual risk related to its contracts and contractors.
As a result, the GAO recommended that DHS should (1) develop a risk-based approach for reviewing service requirements to ensure proposed service requirements are clearly defined and reviewed before planning how they are to be procured; (2) update the Inherently Governmental and Critical Functions Analysis to provide guidance for analyzing, documenting, and updating the federal workforce needed to perform or oversee service contracts requiring heightened management attention; and (3) [develop] guidance identifying oversight tasks or safeguards personnel can perform, when needed, to mitigate the risk associated with contracts containing closely associated with inherently governmental functions, special interest functions, or critical functions. The FDIC relies on contractors to support a range of activities, from janitorial to Information Technology support services. The FDIC recently competitively awarded seven task orders under the SPPS BOAs, resulting in awards to five different vendors. The FDIC annually captures the risks it faces through its Enterprise Risk Management Risk Inventory. Ultimately, absent specific policies and procedures on this process, DOD may lack assurance that it retains enough government employees to maintain control over these important functions. DOA will revise the APM and PGI to reflect any resulting process and control enhancements. Based on the agencies we interviewed, 75 percent (6 of 8) of Federal agencies had contracting policies, procedures, and controls that address Critical Functions. As demonstrated by the FDIC and Blue Canopy's contractual relationship, the FDIC's acquisition and risk management processes did not identify the procurement risk of Critical Functions, nor did the FDIC heighten its management oversight for these procured services.
Best Practices: 8.

Ultimately, as recommended by best practices, a complete cost effectiveness analysis for Critical Functions, clear and distinct from the IGCE, should be performed and presented to the Board for its review and consideration. Within the report, the OIG recommended, in part, that the Deputy to the Chairman and Chief Operating Officer [d]etermine the appropriate number of oversight managers needed to manage the Division of Information Technology's (DIT) contract workload in conjunction with DIT, and ensure the Oversight Manager workforce is appropriately staffed.

Footnote: 32 In February 2009, the FDIC's service provider, BearingPoint Inc., a multinational management and technology consulting firm, filed Chapter 11 bankruptcy.

Following the study discussed in response to Recommendation 1, the CIOO will assess whether any additional enhancements are needed for the MSSP and SPPS BOAs and task orders beyond those already incorporated. The Contract Management Plan addressed general oversight roles and responsibilities, and the evaluation/acceptance of the contractor's performance. The APM also requires program offices to use competition in acquisitions to the maximum extent possible. The contract should define key contract terminology26 and incorporate key provisions necessary to mitigate the risk associated with procuring Critical Functions. From July 2005 to December 2019, the FDIC issued three contracts (or sets of contracts) for information security support services. Blue Canopy performed a range of cybersecurity and privacy support services for the FDIC.
Such heightened contract monitoring activities would include: (1) performing a procurement risk assessment, (2) establishing a management oversight strategy, (3) conducting periodic reviews, and (4) providing formal reports to the Board for its review of Critical Functions on an individual and aggregate basis. We note that the definition of a Critical Function in OMB Policy Letter 11-01 is similar to the definition of an Essential Function found in the FDIC's Continuity of Operations Program.1 It is also similar to the definition of Critical Functions in the FDIC Chief Information Officer Organization Business Continuity Plan (January 2019), which are defined as business activities or information that could not be interrupted or unavailable for several business days without significantly jeopardizing operation of the organization. For purposes of this report, we will use the term and definition of Critical Function from OMB Policy Letter 11-01, which is widely accepted across the Federal government. Phase 3: Contract Management - Program Office and DOA Acquisition Services Branch perform periodic reviews of controls and processes and take corrective measures to address (or mitigate the potential risk of) instances of contractor overreliance for a Critical Function, as necessary.