While the Award Profile Reports described the procured services, assessed contractor performance, tracked fund utilization/allocation, and assessed FDIC contract oversight, the FDIC did not identify Blue Canopys procured services as Critical Functions. https://www.fdicoig.gov/sites/default/files/publications/19-004AUD_0.pdf. The portable document format (PDF) file also posted on our Web site is an exact electronic replica of the printed version. Determine when and how to assess for contractor over-reliance as part of the management oversight strategy. Corrective Action: The FDIC includes significant information regarding acquisition strategy, contract oversight and performance measures, and other controls in current board cases for contracts or BOAs over $20 million. Reasonable competition also means soliciting a sufficient number of sources to obtain an adequate market response and to analyze the fairness and reasonableness of individual offers. Best practices recommend that an agency implement heightened contract monitoring for procured Critical Functions, and identify and control risks. GSA, NASA, USDA, DOE, OCC, and CFPB have policy and procedures, or follow OMB guidance, related to Critical Functions. Additionally, according to best practices, the plans and testing reports should be reviewed on a routine, ongoing (proactive) basis, rather than waiting for and reacting to an unexpected event. Requiring activities should also work with the acquisition office to address the handling of ongoing contracts and the budget and finance offices to secure the necessary funding to support the needed in-house capacity. Federal employees must be able to understand the agencys requirements, formulate alternatives, manage the work product, monitor the contractors used to support the Federal workforce, and adequately mitigate the potential impact on mission performance if contractors were to default on their obligations. The FDIC also did not document a cost effectiveness analysis, as recommended by best practices. Areas of review include contractor and agency personnel performance, and human capital planning. The new acquisition strategy was presented to and approved by the Board in October 2019. (T`'Xf&XbJoVMa''Z&^^ I Best Practices: 4. Footnote: 2 OMB Policy Letter 11-01 established Executive Branch policy and was addressed to the heads of civilian and Executive Departments and agencies. Footnote: 14 The FDICs Privacy Program is a risk-based program that focuses on protecting the privacy rights of individuals by ensuring that Personally Identifiable Information is handled and protected in accordance with applicable Federal and FDIC requirements and industry standards. In particular, we noted the following: The FDIC 2019 Annual Report. The FDIC Did Not Perform a Procurement Risk Assessment for Critical Functions. stability and public confidence in the nations financial Federal agencies have processes to identify, record, monitor, and report on procured Critical Functions. OMB Policy Letter 11-01 also states that [d]etermining the criticality of a function requires the exercise of informed judgment by agency officials. OMB Policy Letter 11-01 requires agencies to identify and ensure that they retain control over Critical Functions that are core to the agencys mission, but may be contracted out to the private sector. FISMA requires each agency to perform an annual self-assessment. Footnote: 25 GAO, Standards for Internal Control in the Federal Government (GAO-14-704G) (September 2014); and the FDICs Financial Institution Letter, Third-Party Risk Guidance for Managing Third-Party Risk (FIL-44-2008) (June 2008). (Appendix 3 describes the NIST guidance we identified related to procured Critical Functions.). Press Esc to cancel. Procurement Planning - Program Office performs a procurement risk assessment for the planned acquisition of a Critical Function, which includes performing a cost effectiveness analysis. ; OMB: The source identified this item; GAO: The source identified this item; Industry Standard: The source identified this item; Select Federal Agencies: The source identified this item; GAO Recommendations. Without the identification of procured Critical Functions and its associated risk, the FDIC may not accurately capture and assess the Agencys inherent and residual risk related to its contracts and contractors. We have maintained the structural and data integrity of the original printed product in this text file to the extent possible. encrypted and transmitted securely. Under the 10-year SITE III contract vehicle, contractors will vie for task orders to support DIA's evolving enterprise IT needs. Based on our review of GAO and industry standards,25 procured services involving contractors result in a greater level of inherent risk than an agency directly performing these services. This is the accessible text file for FDIC OIG report number Eval-21-002 entitled 'Critical Functions in FDIC Contracts'. (vYh/G6y:@G*2/) : 13; Corrective Action: Taken or Planned - The FDIC will consider additional reporting requirements related to contracts for essential functions or for services necessary during a business continuity event, including where such functions are performed by a single vendor, in conjunction with the study and actions described in response to Recommendation 1.; Expected Completion Date: March 31, 2022; Monetary Benefits: $0; Resolved-a - Yes or No: No; Open or Closed-b: Closed; 1. As noted above, the OIG identified best practices from OMB Guidance, the GAO, industry standards, and Federal agencies. Further, if the agency does not establish and maintain a proper control environment, it may lose control of its mission and operations. : 11; Corrective Action: Taken or Planned - The FDIC will examine whether additional controls are necessary in conjunction with the study and actions described in its response to Recommendation 1.; Expected Completion Date: March 31, 2022; Monetary Benefits: $0; Resolved-a - Yes or No: No; Open or Closed-b: Closed; Row 12: ; Rec. profiles, working papers, and state banking performance 3) Assess whether the FDICs Enterprise Risk Management program should identify the impact of procured Critical Functions, and procurement risk related to contractors performing Critical Functions, within the FDICs Risk Inventory. Those contracts could be extended a year after the end of the base ordering period. prqCG} CD0L@A. GSA, NASA, USDA, DOE, and OCC have policy and procedures to prevent over-reliance on a contractor, and specific corrective measures to address instances of contractor over-reliance. This contracting approach will increase competition and reduce FDICs reliance on one contractor in these areas. Fiscal Year 2021 - Forecast of Contract Opportunities We performed our work from May 2020 through November 2020 at the FDICs offices in Arlington, Virginia and Dallas, Texas. Contracting Officer closes out contract. Phase 3: Contract Management - Program Office and DOA Acquisition Services Branch implement the management oversight strategy for the acquired Ciritical Function. The FDIC relies on the results of security control assessments to identify security weaknesses and inform key risk management decisions. Within this report, the OIG recommended that the FDIC [e]stablish requirements to ensure the independence of security control assessors. -]. Report to the Board about the Procurement Risk Assessments, Management Oversight Strategies, and contract provisions that address identified risks for planned Critical Functions during the procurement planning phase of the acquisition, for its consideration. Fact Sheets. In addition, we determined that Blue Canopy performed Critical Functions at the FDIC, as defined by OMB Policy Letter 11-01 and best practices. hbbd``b` ]$Y\v$ Figure 2 illustrates the best practices for identifying planned and procured Critical Functions during the FDICs acquisition process. Therefore, our report correctly concludes that the Blue Canopy contracts provided limited coverage of the contractors obligations and responsibilities similar to those recommended in the FDICs Financial Institution Letter. DOAs ASB is responsible for issuing the policies governing the contracting program and the procedures for implementing those policies. CIGFO, Congressional, Special Inquiries, Other, 3501 Fairfax Drive Arlington, Virginia 22226, https://www.fdicoig.gov/sites/default/files/publications/19-004AUD_0.pdf, Top Management and Performance Challenges. OMB Policy Letter 11-01 advises certain agencies that they should ensure that Federal employees perform and/or manage Critical Functions to the extent necessary for the agency to operate effectively and maintain control of its mission and operations. For more information contact TargetGov. A risk management process would identify, measure, monitor, report, and mitigate the operational and procurement risks for acquired Critical Functions. PDF List of Awards and Contractor Contact Information - May 2022 %%EOF The primary purpose of the Independent Government Cost Estimate is to assess the reasonableness of the price proposals received from contractors against the Agencys estimated procurement cost. The criticality of the function depends on the mission and operations, which will differ between agencies and within agencies over time. FDIC is an independent agency created by Congress to maintain stability and public confidence in the nations financial system. Keep up with FDIC announcements, read speeches and This risk-based approach to activities that are closely aligned with inherently governmental functions is consistent with the intent of OMB Policy Letter 11-01. GAO also found that DHS personnel did not identify specific oversight activities they conducted to mitigate the risk of contractors performing functions in a way that could become inherently governmental. Estimated Completion Date: March 31, 2022. Over a seven-and-a-half-year term, the contractors will help FDICs Division of IT deal with operations and maintenance support of its infrastructure while the financial agency looks to improve productivity and efficiencies to continue to mature between 2020 and 2027, says a new solicitation. According to the FDICs Financial Institution Letter titled Third-Party Risk Guidance for Managing Third-Party Risk (FIL-44-2008) (June 2008), the key to the effective use of a third party in any capacity is for management to appropriately assess, measure, monitor, and control the risks associated with a contractual relationship. Management does not concur with the recommendation, but alternative action meets the intent of the recommendation; or. Information Technology services at the FDIC have been identified as critical to the FDIC operations in numerous documents, including the FDICs 2019 Annual Report, Enterprise Risk Management Risk Inventory,20 and National Institute of Standards and Technology (NIST) guidance. FDIC Total Awards by Socio Economic Categories January 1 -December 31, 2020 $80 $90 $90.0 $70 $58.9 $60 $50.1$20 $30 $40 $50 $45.4 $10 $0 Percent of Total FDIC Awards: $4.5 $8.0 8(a) HubZone $10.8$4.1 Veteran OwnedServiceWomen OwnedSmallMinority OwnedMWOBDisabledDisadvantagedVeteran OwnedBusiness Recommendation 1: Incorporate the provisions of OMB Policy Letter 11-01 guidance into the FDIC Acquisition Policy Manual (August 2008) and Acquisition Procedures, Guidance and Information document (January 2020). : 9; Corrective Action: Taken or Planned - The FDIC will complete an annual performance review of the Managed Security Services Provider and Security and Privacy Professional Services contractors. On a quarterly basis, the FDIC submitted Award Profile Reports to the Board that summarized the FDICs contracting activities for the quarter. Reviewed the FDICs policy and procedures, including: o FDIC Acquisition Policy Manual (August 2008); o Acquisition Procedures, Guidance and Information (January 2020) document; and. Develop and implement a management oversight strategy for Critical Functions during the procurement planning process, for each contract involving Critical Functions. Anchorage Closes In on FDIC Crypto Custodian Deal, Documents - CoinDesk Program Office. In particular, Blue Canopy performed a range of cybersecurity and privacy support services for the FDIC, including continuous monitoring, vulnerability management, internal control reviews, and privacy assessments. Conduct periodic reviews of controls and processes. In addition, OMB Policy Letter 11-01 established a definition for a Critical Function as "a function that is necessary to the agency being able to effectively perform and maintain control of its mission and operations. OMB: The source identified this item; GAO: The source identified this item; Industry Standard: The source identified this item; Select Federal Agencies: The source identified this item; OMB Guidance. Recommendation 5: Develop and implement a management oversight strategy for Critical Functions during the procurement planning process, for each contract involving Critical Functions. 3. important initiatives, and more. To resolve these 12 recommendations, we would expect that the FDIC provide a clear indication of the specific actions within the next 6 months, and we will determine whether the recommendations may be converted to being resolved at that time, or whether they will remain as unresolved. For the 12 unresolved recommendations, the FDIC plans to consider and further study the issues and does not intend to implement corrective actions for another year (between March 31 and June 30, 2022). Existing Acquisition Procedures for Contract Planning, Oversight, and Reporting. Each quarter, the FDIC provides a contract-specific report to the Board of Directors for complex contracts over $5 million and for all contracts over $20 million. In particular, the FDIC warned its regulated institutions of such risk and, therefore, should assess and address the risk itself. Ultimately, when an agency is over-reliant on a contractor, the agency potentially jeopardizes its ability to maintain control of its mission and operations by failing to ensure that government actions are taken as a result of informed, independent judgments made by government officials; work products are adequately managed; and the contractors used to support the Federal workforce are appropriately monitored. Corrective Action: In addition to current practices, the FDIC plans to address this recommendation through the study and actions described in our response to Recommendation 1. In the first 18 months of contract performance, if the initial vendor is not successfully performing, both the MSSP and SPPS BOAs permit a quick transition to another vendor on the contract without a recompetition. FDIC Contract Awards and Amounts by Year (2013-2017) 2. Management should periodically evaluate the adherence to and effectiveness of its internal management controls and procedures to address the objectives and requirements of OMB Policy Letter 11-01.
