Compromise the trust (or data) by failing to exercise due care in establishing appropriate controls to protect sensitive information and to identify and mitigate data breaches. Nor did the FDIC actively monitor Blue Canopy's financial condition, information security, and business resumption and continuity. Any subsequent task orders would be for tech developments issued as standalone projects, worth $112.5 million in total. The FDIC provided detailed information on the acquisition to the Board of Directors in advance of the procurement and quarterly throughout the period of performance. Neither the Board Case Package nor the Board meeting minutes reflected that the FDIC discussed with the Board its procurement risk assessment and management oversight strategy, planned contract structuring, and ongoing monitoring controls and reports for the procured Critical Functions. In particular, the policy letter states that agencies should determine whether their procurement requirements involve the performance of Inherently Governmental Functions, Functions Closely Associated with Inherently Governmental Functions, or Critical Functions. The FDIC will consider each of the OIG's recommendations and further study the need for additional risk-based controls for essential procurements. Periodic reviews should identify indicators of potential operational/process failures and conclude on the FDIC's ability to retain sufficient management oversight of the procured services to maintain control of its mission and operations. Reasonable competition also means soliciting a sufficient number of sources to obtain an adequate market response and to analyze the fairness and reasonableness of individual offers.
Expected Completion Date: June 30, 2022; Monetary Benefits: $0; Resolved-a - Yes or No: No; Open or Closed-b: Closed; Row 9: ; Rec. Based on our study, we will provide guidance to divisions and offices for assessing the potential for contractor overreliance and maintaining federal control of essential functions or those necessary during a business continuity event. (2) Information Security and Privacy Support Services for outsourced functions. Industry Standard. Program Office and Contracting Officer prepare acquisition documents. By May 2021, the FDIC expects to transition information security and privacy program services to multiple service providers by awarding additional task orders under the BOAs. Over a 3-year period, from 2017 to 2019, the FDIC awarded nearly 4,000 contracts valued at more than $1.3 billion. The Risk Inventory includes an assessment of impact and likelihood, and risks are prioritized and summarized into one of four risk levels: critical, significant, moderate, and low. Footnote: 2 GAO reported that "[b]est business practices refer to the processes, practices, and systems identified in public and private organizations that performed exceptionally well and are widely recognized as improving an organization's performance and efficiency in specific areas." Such an approach reduces the chances of the FDIC being overly reliant on an individual vendor.
However, in order to mitigate the potential risk of a service provider's financial failure, breach of information security protocols, or failure to ensure service continuity, an agency needs to continuously monitor the service provider's financial condition and operations. : 8; Corrective Action: Taken or Planned - Following the FDIC's study discussed in response to Recommendation 1, the CIOO will assess whether any additional enhancements to the management oversight strategy for the Managed Security Services Provider and Security and Privacy Professional Services BOAs and task orders are needed beyond those already incorporated. Footnote: 24 Personally Identifiable Information is any information about an individual that can be used to distinguish or trace that individual's identity, or any other personal information that is linked or linkable to that individual. Contract Management: Program Office and DOA Acquisition Services Branch identify the Critical Function within contract oversight documents and reports to the FDIC Board. Therefore, we had determined in our prior report that Blue Canopy lacked independence in its assessments. ERM provides transparency and accountability in business practices, reporting, and governance, which can improve stakeholder confidence in the agency's work. 7) Revise the management oversight strategy for the procured Critical Functions performed under the BOAs for Managed Security Services Provider and Security and Privacy Professional Services to ensure that the strategy aligns with best practices. Appendix 1 Objectives, Scope, and Methodology, 1. The Contracting Officer works with the Program Office throughout the acquisition process, and, based on the Program Office's nominations, appoints the Oversight Manager and Technical Monitor(s).
These services are critical to ensuring the security and protection of the FDIC's Information Technology infrastructure and data. In particular, the FDIC may not ensure that it has an adequate number of employees with the appropriate training, experience, and expertise to oversee the procurements of Critical Functions. Blue Canopy was also assigned duties related to design and/or execution of these controls. This is the accessible text file for FDIC OIG report number Eval-21-002 entitled 'Critical Functions in FDIC Contracts'. DOA will revise the APM and PGI to reflect any resulting process and control enhancements. Further, GAO recommendations and other Federal agencies support that this process should be addressed within policies and procedures. Such actions by contractors create risks that governance and decisions of significant public interest are not made by Government officials who are accountable to the President and bound by laws controlling the conduct and performance of Federal employees. Table 1: Best Practices for Critical Functions by Source. As noted above, when formulating its policies, the FDIC considers what has worked exceptionally well and improved performance and efficiency at FAR-based agencies, other independent agencies, and private organizations. [Text box: Prior OIG report] As noted previously, the contract also did not stipulate that Blue Canopy should have periodically tested its plans and provided the results to the FDIC. The Blue Canopy Group, LLC (Blue Canopy) performed a range of cybersecurity and privacy support services for the FDIC.
The FDIC's acquisition process is divided into four phases: (1) Procurement Planning; (2) Solicitation and Award; (3) Contract Management; and (4) Closeout Award. Federal employees must be able to understand the agency's requirements, formulate alternatives, manage the work product, monitor the contractors used to support the Federal workforce, and adequately mitigate the potential impact on mission performance if contractors were to default on their obligations. 3. Within the FDIC 2019 Annual Report, the FDIC recognized that "Information technology (IT) is an essential component in virtually all FDIC business processes"; and that "[t]he FDIC's information security program is integral to the agency's ability to carry out its mission of maintaining stability and public confidence in the nation's financial system." In particular, the FDIC highlighted its continuing efforts to strengthen its information security functions and progress towards optimizing the Security Operations Center, privacy controls, and information and network security. Footnote: 23 According to the FDIC's Enterprise Risk Management Standard Operating Procedure (May 2020), Residual Risk is the exposure remaining from an inherent risk after action has been taken to manage it. Federal Agencies. Contract Reporting. 2) Identify Critical Functions during the procurement planning, award, and contract management phases of the acquisition process. As discussed in detail below, FDIC acquisition policy requires robust acquisition planning that includes consideration of costs, risks, alternatives, contract type, oversight structure, business continuity, security, performance reporting, Board reporting, and, in some instances, Board approval of contracting actions. Figure 1: The FDIC's Existing Acquisition Process.
The FDIC's Legal Division has maintained that OMB Policy Letter 11-01 does not apply to the FDIC, but it may be used for guidance.16 We focused our evaluation on assessing the FDIC's procurement of Critical Functions given their importance in achieving the Agency's mission; we did not evaluate Inherently Governmental Functions as part of this review. Based upon the best practices, these processes should include the following: Procurement Risk Assessment. FDIC Contract Portfolio Pricing Arrangements. CFPB Consumer Financial Protection Bureau, CIOO Chief Information Officer Organization, C-SIRT Computer Security Incident Response Team, DRR Division of Resolutions and Receiverships, FAIR Act Federal Activities Inventory Reform Act, FDIC Federal Deposit Insurance Corporation, FISMA Federal Information Security Modernization Act, FPDS-NG Federal Procurement Data System-Next Generation, GAO U.S. Government Accountability Office, IGCE Independent Government Cost Estimate, NASA National Aeronautics and Space Administration, NCUA National Credit Union Administration, NIST National Institute of Standards and Technology, OCC Office of the Comptroller of the Currency, OCISO Office of the Chief Information Security Officer, TO: Terry L. Gibson, Assistant Inspector General for Program Audits and Evaluations, FROM: Brandon L. Milhorn, Deputy to the Chairman, Chief of Staff and Chief Operating Officer, CC: Sylvia W. Burns, CIO, E. Marshall Gentry, CRO, RE: Management Response to OIG Draft Audit Report, Critical Functions in FDIC Contracts (No. In particular, the FDIC may not ensure that it has an adequate number of employees with the appropriate training, experience, and expertise to oversee the procurements of Critical Functions. In addition, the FDIC's Enterprise Risk Management program may not ensure that the FDIC has appropriately identified, measured, monitored, reported, and mitigated the FDIC's significant risks for contracts and contractors.
For 2019, Blue Canopy services comprised 38.3 percent ($16.2 million) of the FDIC's annual operating expenses for Information Security ($42.3 million). Management should also consider mandating exception-based reports that would serve as notification of any changes or problems that could affect the nature of the relationship or pose a risk to the financial institution. Recommendation 6: Determine the contract structure during the solicitation and award process for the procurement of a Critical Function. As a result, the FDIC also did not implement heightened contract monitoring activities for Critical Functions as stated in OMB's Policy Letter 11-01, and best practices identified and used by other government agencies. The OIG previously reported on the FDIC's implementation of Enterprise Risk Management and concluded that improvements will help ensure that risks across the FDIC are considered, for example, as part of operations support and program management. The Program Office is responsible for determining its procurement needs and initiating the acquisition process by submitting a procurement request to DOA's ASB. These plans should have considered the impact of the crisis, for example, on human resources, facilities, hardware, and information security. As part of a risk assessment, the institution should analyze the benefits and costs associated with the proposed relationship. o Determine Contract Structure. Footnote: 3 An agency may be deemed over-reliant on a service provider if it does not have the capacity (number of Federal employees) and capability (Federal employees with appropriate training, experience, and expertise) to understand the agency's requirements, formulate alternatives, manage the work product, monitor the contractors used to support the Federal workforce, and adequately mitigate the potential impact on mission performance if contractors were to default on their obligations.
Identified Best Practices and Their Sources, 3. The failure to establish or maintain a proper control environment jeopardizes the reasonable assurance that an entity's objectives will be achieved and may affect the ability of an entity to maintain control of its mission and operations. Phase 3: Contract Management - Program Office and DOA Acquisition Services Branch report to the FDIC Board on the results of ongoing monitoring reports and planned corrective measures to address (or mitigate the potential risk of) instances of contractor overreliance for Critical Functions, as necessary. Implement periodic reviews for procured Critical Functions, including for the BOAs and task orders for Managed Security Services Provider and Security and Privacy Professional Services. Market Research and Competition. Conduct periodic reviews of controls and processes. In August 2017, a former FDIC senior executive expressed concern with the FDIC's contractual relationship with and over-reliance on Blue Canopy. The FDIC took action to address OIG concerns about Blue Canopy's independence. Nevertheless, the comprehensive nature of the risk management framework includes many FDIC functions that might be classified as critical. In response to this recommendation, the FDIC will review its risk inventory and conduct an assessment to determine if the current risk inventory sufficiently addresses the underlying risks presented in the OIG's report, irrespective of the specific use of the term "critical function." Recommendation 4: Conduct a procurement risk assessment for Critical Functions during the procurement planning process, for each contract involving Critical Functions. Best Practices: 5. In planning this procurement, the CIO assessed whether FDIC staff or contractors should perform the work. Division of Administration, Acquisition Services Branch. Identified weaknesses should be documented and promptly addressed.
Footnote: 16 The FDIC Legal Division concluded that OMB Policy Letter 11-01 did not apply to the FDIC, because (1) the FDIC did not fall within the definition of "executive agency" in the Office of Federal Procurement Policy Act; and (2) the FDIC was not funded by congressionally appropriated funds. The FDIC is committed to continually improving its processes and controls and will: (1) survey recognized practices and procedures associated with contracts supporting essential functions or those involving services necessary in a business continuity event, particularly when those contracts are performed by a single vendor; and (2) incorporate enhancements to our existing acquisition planning, approval, reporting, and oversight processes, as warranted by our unique operational needs and management structure. In addition, we determined that Blue Canopy performed Critical Functions at the FDIC, as defined by OMB Policy Letter 11-01 and best practices. Management should periodically evaluate the adherence to and effectiveness of its internal management controls and procedures to address the objectives and requirements of OMB Policy Letter 11-01. The first step in the risk assessment process should be to ensure that the proposed relationship is consistent with the institution's strategic planning and overall business strategy. The FDIC also did not document a cost effectiveness analysis, as recommended by best practices.
Footnote: 18 We considered industry guidance promulgated by the FDIC to financial institutions, such as the FDIC's Financial Institution Letter titled, Third-Party Risk Guidance for Managing Third-Party Risk (FIL-44-2008) (June 2008). In addition, NASA considered internal capability when procuring a Critical Function, and CFPB ensured that Contract Officers had appropriate backgrounds, such as Information Technology expertise for procured Information Technology services. Recommendation 1: Incorporate the provisions of OMB Policy Letter 11-01 guidance into the FDIC Acquisition Policy Manual (August 2008) and Acquisition Procedures, Guidance and Information document (January 2020). The FPDS-NG system includes reporting fields that capture services designated as Critical Functions. 800-53 provides "a comprehensive set of security and privacy safeguarding measures for all types of computing platforms. Safeguarding measures include both security and privacy controls to protect the critical and essential operations and assets of organizations and the privacy of individuals." The publication also states, "[t]he controls are flexible and customizable and implemented as part of an organization-wide process to manage risk." Footnote: 12 According to the FDIC's Acquisition Procedures, Guidance and Information (January 2020), a Basic Ordering Agreement (BOA) is a written instrument of understanding negotiated between the FDIC and a contractor for future delivery of as yet unspecified quantities of goods or services. Award Profile Reports. Board Case Package. In particular, the policy letter states that "[a]gencies shall develop and maintain internal procedures to address the requirements of this guidance." These initiatives focus on awarding competitive, multiple-award basic ordering agreements (BOAs) and smaller, more competitive task orders.
We also reviewed documentation and interviewed employees familiar with Blue Canopy's work to determine if the FDIC maintained control of its mission and operations. Contractors provide a multitude of staff with highly specialized technical skills and knowledge in current industry best practices and regulations. According to the Council of the Inspectors General on Integrity and Efficiency's Quality Standards for Inspection and Evaluation, evaluations are systematic and independent assessments of the design, implementation, and results of operations, programs, or policies. A CIOO official also stated that the contractor was responsible for ensuring uninterrupted support of services, if the FDIC determined that Blue Canopy provided services essential or critical to the FDIC mission. The FDIC relied on Blue Canopy to develop, operate, and service the Security Operations Center as well as information and network security. Federal agencies implemented heightened contract monitoring processes, such as identifying and monitoring for Critical Functions, developing a management oversight strategy, performing cost effectiveness analysis, determining contract structure and key provisions, and performing periodic reviews. 3.
A management oversight strategy considers, for example, the contract structure (including key provisions) for procuring Critical Functions, and oversight tasks personnel can perform. Corrective Action: The existing management oversight strategy for the subject BOAs and task orders includes performance criteria, internal controls, reporting, and contractual requirements that were established during acquisition planning and are detailed in statement of work documents. Recommendation 12: Report to the Board about the Procurement Risk Assessments, Management Oversight Strategies and contract provisions that address identified risks for planned Critical Functions during the procurement planning phase of the acquisition, for its consideration. Report to the Board about the Procurement Risk Assessments, Management Oversight Strategies, and contract provisions that address identified risks for planned Critical Functions during the procurement planning phase of the acquisition, for its consideration. The FDIC reported procurement information to the FDIC Board of Directors quarterly. Best Practices: 4. Agencies performed (or considered as a best practice) periodic reviews of contractor and agency personnel performance, human capital planning, personnel training, risk management strategy, contract requirements, budget/cost justification, attribution of contractor vs. agency work, and over-reliance assessments. Without the identification of procured Critical Functions and their associated risk, the FDIC may not accurately capture and assess the Agency's inherent and residual risk related to its contracts and contractors. Best Practices for FDIC Board Reporting, Subject: Critical Functions in FDIC Contracts. Other potential risks arise from or are heightened by the involvement of a third party.
Analyzed the FDIC's oversight of Blue Canopy to maintain control of the Agency's mission and operations by: o Comparing and contrasting management procurement and oversight activities to best practices the OIG identified; and The FDIC has also recently implemented new acquisition initiatives to further improve vendor management, contract oversight, and to reduce the number of non-competitive awards. FISMA requires each agency to perform an annual self-assessment. These actions, based on existing FDIC acquisition policies and procedures, were consistent with the spirit of OMB Policy Letter 11-01 and the FDIC's Guidance for Managing Third-Party Risk. The FDIC develops detailed board cases for individual procurements exceeding $20 million that discuss procurement costs, benefits, alternatives considered, management oversight strategy, and other information. The guidance states that "[a]n institution's board of directors and senior management are ultimately responsible for identifying and controlling risks arising from [third-party] relationships, to the same extent as if the [contracted] activity were handled within the institution."34 In particular, the FDIC should have routinely reviewed (actively monitored) Blue Canopy's financial condition, information security, and business resumption and continuity testing reports to ensure the security, confidentiality, integrity, and availability of FDIC information.
As discussed in our report, the FDIC could have done more to identify and oversee procured Critical Functions. In June 2014, the FDIC Board of Directors authorized senior management to contract for services in support of the information security and privacy program and to increase the prior contract ceiling. : 6; Corrective Action: Taken or Planned - The FDIC plans to further address this recommendation through the study and actions described in its response to Recommendation 1.; Expected Completion Date: March 31, 2022; Monetary Benefits: $0; Resolved-a - Yes or No: No; Open or Closed-b: Closed; Row 7: ; Rec. In addition, the GAO's Standards for Internal Control in the Federal Government (GAO-14-704G) (September 2014) states that agencies should implement internal control standards and activities to achieve agency objectives and respond to risks, and should implement these activities through policies. In particular, the FDIC prepared a Contract Management Plan37 for Blue Canopy to document the joint administrative approach agreed upon by the Contracting Officer and Oversight Manager.
For our evaluation, we identified best practices for procuring Critical Functions by reviewing OMB Policy Letter 11-01, GAO reports, industry standards,18 and interviewing officials at several other Federal agencies.19 We compared these best practices with the FDIC's existing procurement process, using Blue Canopy as an example, to determine the extent to which the FDIC incorporated these best practices into its process. Although not identified within the FDIC's Risk Inventory, the Agency relied heavily on Blue Canopy to operate and service the corresponding risk management mitigating controls. FDIC acquisitions are accomplished in accordance with the The services provided under this contract included intrusion monitoring; incident investigation; event escalation; reporting; vulnerability research, analysis, and response; incident detection; incident response; and after-hours support. A prior OIG report, Security Configuration Management of the Windows Server Operating System (AUD-19-004) (January 2019), found that the FDIC tasked Blue Canopy with both designing security controls and assessing their effectiveness, which impaired the firm's ability to conduct an impartial assessment.