While the Board Case Package identified the services to be procured, it did not identify or discuss whether the services to be procured were considered to be Critical Functions of the FDIC. In this case, the FDIC terminated the service provider's contract because of the provider's bankruptcy.32 As a result of the service provider's failure, the FDIC compressed the procurement planning and solicitation and award processes, and Blue Canopy assumed the previous contract and began providing support services to the FDIC in May 2009, 3 months after the company's failure.33 In addition to having limited time to find a replacement contractor, the company's distressed financial condition and ultimate bankruptcy could have impaired or compromised the quality of services provided over an extended period of time, as the contractor's senior management and employees focused on their company's financial turmoil at the expense of the services provided. The policy letter adopted the definition of an Inherently Governmental Function based on the established statutory definition in the Federal Activities Inventory Reform Act (FAIR Act),15 and it eliminated variations of this definition found in other documents. Table 2 illustrates the services performed by Blue Canopy that we identified as Critical Functions based on National Institute of Standards and Technology Special Publication 800-53, Revision 5 (NIST S.P. 800-53). The FDIC acknowledged that it is engaged in efforts to improve its acquisition services and oversight management programs. The FDIC's contract Award Values for these services increased from the initial modified Award.
Corrective Action: The existing management oversight strategy for the subject BOAs and task orders includes performance criteria, internal controls, reporting, and contractual requirements that were established during acquisition planning and are detailed in statement of work documents. Phase 2: Solicitation and Award - DOA Acquisition Services Branch reports to the FDIC Board the finalized contract structure and procured Critical Function, on an individual and aggregate basis. Develop and implement a management oversight strategy for Critical Functions during the procurement planning process, for each contract involving Critical Functions. These initiatives focus on awarding competitive, multiple-award basic ordering agreements (BOAs) and smaller, more competitive task orders. Report to the Board about the Procurement Risk Assessments, Management Oversight Strategies, and contract provisions that address identified risks for planned Critical Functions during the procurement planning phase of the acquisition, for its consideration. DOD's policies and procedures predated the publication of this requirement, and consequently contained no reference to it. In addition, the FDIC's Enterprise Risk Management program may not ensure that the FDIC has appropriately identified, measured, monitored, reported, and mitigated the FDIC's significant risks for contracts and contractors.
The FDIC requires support across the entire IT application lifecycle including: creation (requirements, design, development, testing, deployment), configuration, integration, migration, enhancement, support, maintenance, operations, decommissioning, and other associated services for all FDIC-owned applications, either in use today or deployed In particular, an over-reliance assessment should be performed regularly, on an independent basis, to validate the agency's compliance with and the effectiveness of established controls. The FDIC's acquisition process is divided into four phases: (1) Procurement Planning; (2) Solicitation and Award; (3) Contract Management; and (4) Closeout Award. Reviewed the FDIC's policy and procedures, including: o FDIC Acquisition Policy Manual (August 2008); o Acquisition Procedures, Guidance and Information (January 2020) document; and. The FDIC stated that it partially concurred with the remaining 12 recommendations; however, the FDIC response did not provide specific actions taken or planned. To assist in performing oversight activities for complex contracts for services, the oversight manager must work with the contracting officer to develop a contract management plan. The Federal Deposit Insurance Corporation (FDIC) procures goods and services from contractors in support of its mission. Specifically, the acquisition process was initiated in January 2010 and then again in June 2014. Management should also consider mandating exception-based reports that would serve as notification of any changes or problems that could affect the nature of the relationship or pose a risk to the financial institution. As noted above, the OIG identified best practices from OMB Guidance, the GAO, industry standards, and several other Federal agencies.
The FDIC Risk Inventory acknowledged the risks associated with these cybersecurity and privacy support services, including a potential cyber-attack on the FDIC's systems and a security incident involving Personally Identifiable Information. These essential functions are then used to identify supporting tasks and resources that must be included in the organization's continuity planning process. Footnote: 29 For Contract CORHQ-14-C-0778, the FDIC's IGCE estimated that it would cost $26,387,825 to procure the services from a third party versus the estimated cost of $23,834,747 to perform the services internally with Federal employees, a variance of $2,553,077. Recommendation 7: Revise the management oversight strategy for the procured Critical Functions performed under the BOAs for Managed Security Services Provider and Security and Privacy Professional Services to ensure that the strategy aligns with best practices. According to the FDIC's Financial Institution Letter titled Third-Party Risk Guidance for Managing Third-Party Risk (FIL-44-2008) (June 2008), the key to the effective use of a third party in any capacity is for management to appropriately assess, measure, monitor, and control the risks associated with a contractual relationship. Taken together, these elements compose the financial institution's risk management analysis of the third-party relationship. OMB Policy Letter 11-01 requires agencies to identify and ensure that they retain control over Critical Functions that are core to the agency's mission but may be contracted out to the private sector. Enterprise Risk Management Risk Inventory.
Ultimately, this situation represents an increased operational risk to the FDIC and a potential risk management failure where the risk has not been identified, measured, monitored and reported, and mitigated. A BOA becomes a binding contract when a task order is issued. These planning discussions should consider the resources and the expertise required to perform the functions and manage the procurement. Best Practices for Implementing a Management Oversight Strategy, 5. According to OMB Policy Letter 11-01, in order to meet its fiduciary responsibility to the taxpayers, the agency must have sufficient internal capability to control its mission and operations and must ensure it is cost effective to contract for the services. Within the FDIC 2019 Annual Report, the FDIC recognized that "Information technology (IT) is an essential component in virtually all FDIC business processes" and that "[t]he FDIC's information security program is integral to the agency's ability to carry out its mission of maintaining stability and public confidence in the nation's financial system." In particular, the FDIC highlighted its continuing efforts to strengthen its information security functions and progress towards optimizing the Security Operations Center, privacy controls, and information and network security. These services are critical to ensuring the security and protection of the FDIC's Information Technology infrastructure and data. The FDIC's Legal Division has maintained that OMB Policy Letter 11-01 does not apply to the FDIC, but it may be used for guidance.16 We focused our evaluation on assessing the FDIC's procurement of Critical Functions given their importance in achieving the Agency's mission; we did not evaluate Inherently Governmental Functions as part of this review.
Footnote: 25 GAO, Standards for Internal Control in the Federal Government (GAO-14-704G) (September 2014); and the FDIC's Financial Institution Letter, Third-Party Risk Guidance for Managing Third-Party Risk (FIL-44-2008) (June 2008). Blue Canopy was founded in 2001 and is an information technology advisor and service provider that offers mission support, cybersecurity, technology and systems development, data analytics, and cloud and mobility solutions to Government and commercial clients. These elements are essential components of the heightened review and oversight process for procurements of Critical Functions. We recognize that the FDIC calculated and presented to the Board the Independent Government Cost Estimates (IGCE)28 that were used to conclude on the reasonableness and feasibility of the proposals received. : 8; Corrective Action: Taken or Planned - Following the FDIC's study discussed in response to Recommendation 1, the CIOO will assess whether any additional enhancements to the management oversight strategy for the Managed Security Services Provider and Security and Privacy Professional Services BOAs and task orders are needed beyond those already incorporated. (2) Information Security and Privacy Support Services for outsourced functions. Footnote: 31 According to FIL-44-2008, for reports, "[t]he contract should specify the type and frequency of management information reports to be received from the third party."
Our methodology relied on identifying best practices from various reputable sources, including OMB Policy Letter 11-01, GAO reports, industry standards, and other Federal agencies, and comparing the FDIC's acquisition process with these best practices. FDIC is also placing a greater focus on upfront acquisition planning to make sure contracts are properly structured and have meaningful service level agreements (SLAs), appropriate incentive/disincentive structures, and performance metrics. Figure 4: Best Practices for Implementing a Management Oversight Strategy. As a result, we consider the remaining 12 recommendations to be unresolved at this time. The GAO report, Human Capital: Additional Steps Needed to Help Determine the Right Size and Composition of DOD's Total Workforce (GAO-13-470) (May 2013), found, in part, that DOD's current policies did not fully reflect federal policy concerning the identification of Critical Functions. ; Expected Completion Date: March 31, 2022; Monetary Benefits: $0; Resolved-a - Yes or No: No; Open or Closed-b: Closed; Row 2: ; Rec. Over a 3-year period, from 2017 to 2019, the FDIC awarded nearly 4,000 contracts valued at more than $1.3 billion. 7.503), and the examples in Appendix A in OMB 11-01. The FDIC awarded both procurements competitively utilizing a best value approach. Corrective Actions: The CIOO and the Acquisition Services Branch considered both internal controls and contractual requirements during acquisition planning for the subject BOAs and task orders and included them in the statement of work documents. FDIC acquires goods and services through the use of various contractual The FDIC response indicated that its planned corrective actions will include surveying recognized practices and procedures associated with contracts supporting essential functions.
; OMB: The source did not mention this item; GAO: The source did not mention this item; Industry Standard: The source identified this item; Select Federal Agencies: The source did not mention this item; Industry Standard. The first step in the risk assessment process should be to ensure that the proposed relationship is consistent with the institution's strategic planning and overall business strategy. The Guide provides tools for implementing the IT acquisition life cycle, with objectives to: develop scalable solutions that promote competition; deliver fast, reliable, responsive, and innovative services; The FDIC has also established a 2021 corporate performance goal and interdivisional work team to strengthen our contract oversight management program by increasing the independence and professionalism of our oversight managers and technical monitors. The objective is to select a contract type and pricing arrangement that results in reasonable contractor risk and provides the contractor with the greatest incentive for efficient and economical performance. Identified Best Practices and Their Sources, 3. The FDIC Did Not Develop a Management Oversight Strategy for Critical Functions. A risk/reward analysis should be performed for significant matters, comparing the proposed third-party relationship to other methods of performing the activity or product offering, including the use of other vendors or performing the function in-house. Corrective Action: The FDIC's existing acquisition policy, as a comprehensive framework, incorporates many of the risk management principles referenced by the OIG in its audit and incorporated in OMB Policy Letter 11-01.
As a result, the GAO recommended, in part, that the DOD should revise existing workforce policies and procedures to address the identification of critical functions. Agencies need to establish a proper internal control environment to oversee and maintain control of their operations. To increase competition and diversity of firms providing information security and privacy services, reduce the FDIC's reliance on a single vendor for these services, and improve contract oversight and vendor management, the FDIC sought and received Board approval in October 2019 to initiate two contract actions to replace the existing Blue Canopy contracts with new BOAs and task orders. The OCISO is comprised of four sections: Governance, Risk and Compliance; Privacy; Security Architecture; and Security Operations. No. OMB Policy Letter 11-01 provides guidance on managing the performance of Inherently Governmental and Critical Functions. Oversight Manager and Contracting Officer complete closeout activities. As part of the procurement risk assessment, include a cost effectiveness analysis. The FDIC acknowledged the importance of the procured function in the Board Case, contract statement of work, and acquisition plans, the latter stating that services were "critical to ensuring the security and protection of FDIC's IT infrastructure and data." o Perform Periodic Reviews. The partnership brings new innovations, tools and technologies that will help FDIC drive operational efficiencies, control IT costs and improve the user experience. FDIC will consider and further study potential methodologies for assessing contractor overreliance, including how other agencies make such determinations. The website for each awardee is also provided. No. The contract provides various support activities to the Privacy Program.
According to a CNN news article titled "BearingPoint files for bankruptcy" (February 2009), "[t]he McLean, Virginia-based company, which began as the consulting arm of KPMG LLP and later struggled with accounting problems and a U.S. Securities and Exchange Commission probe, has been laboring under heavy debt exacerbated by an acquisition spree between 1999 and 2002." ; Expected Completion Date: June 30, 2022; Monetary Benefits: $0; Resolved-a - Yes or No: No; Open or Closed-b: Closed; Row 8: ; Rec. The FDIC did not conduct periodic reviews of controls and processes for Critical Functions obtained from Blue Canopy during the contract management process, even though the Agency dedicated more than 38 percent of its Information Technology security budget to Blue Canopy services in 2019.