Report to the Board about the Procurement Risk Assessments, Management Oversight Strategies, and contract provisions that address identified risks for planned Critical Functions during the procurement planning phase of the acquisition, for its consideration. Requiring activities should also work with the acquisition office to address the handling of ongoing contracts and the budget and finance offices to secure the necessary funding to support the needed in-house capacity. An agency may become over-reliant on a service provider if it does not have the capacity (number of Federal employees) and capability (Federal employees with appropriate training, experience, and expertise) to oversee the contractor properly. Some of the risks are associated with the underlying activity itself, similar to the risk faced by an institution directly conducting the activity. Typically, critical functions are recurring and long-term in duration. This example highlights the need for the FDIC to clearly define the terminology related to Critical Functions and incorporate the underlying concepts embodied in Critical Functions, so that it can readily identify Critical Functions in such procurements and take appropriate actions with heightened monitoring and controls. Moreover, the FDIC determined, in advance of the 2019 contract modifications to increase the contract ceiling on both Blue Canopy contracts, that a new competitive, multi-vendor acquisition strategy should be put in place for the services. This will help ensure that the FDIC integrates [Enterprise Risk Management] into its culture, practices, and capabilities so that risks across the enterprise are considered and prioritized as part of operations support, program management, budget decisions, and strategic planning. Having well-defined authorities, roles, and responsibilities for [Enterprise Risk Management] will help to ensure that the range of risks facing the Agency and banking sector are properly identified.
Based on our review, we found that the Blue Canopy contracts provided limited coverage of the contractor's obligations and responsibilities for the following. While not discussed in detail in the report, we note that the policies and procedures the FDIC followed with respect to the Blue Canopy contracts provided a sound basis for vendor oversight and performance management. Recommendation 6: Determine the contract structure during the solicitation and award process for the procurement of a Critical Function. As a result, we consider the remaining 12 recommendations to be unresolved at this time. In particular, the policy letter states that agencies should determine the type and level of management attention necessary to ensure that functions that should be reserved for Federal performance are not materially limited by or effectively transferred to contractors, and that functions suitable for contractor performance are properly managed. Successfully identifying and applying best practices can reduce business expenses and improve organizational efficiency. These actions are in addition to the standard controls and processes that agencies follow in procuring goods and services. Corrective Action: The existing management oversight strategy for the subject BOAs and task orders includes performance criteria, internal controls, reporting, and contractual requirements that were established during acquisition planning and are detailed in statement of work documents. Appendix 6: Summary of the FDIC's Corrective Actions. Although NCUA and CFPB did not have an explicit written policy, they noted the actions/procedures they would take to address an instance of contractor over-reliance. Best Practices: 8. The FDIC Did Not Develop a Management Oversight Strategy for Critical Functions. The FDIC will also complete an annual performance review of MSSP and SPPS contractors.
However, it did not address how the Contracting Officer and Oversight Manager would assess the FDIC's over-reliance on Blue Canopy or identify and implement corrective actions. The OIG's mission is to prevent, deter, and detect waste, fraud, abuse, and misconduct in FDIC programs and operations; and to promote economy, efficiency, and effectiveness at the agency. By May 2021, the FDIC expects to transition information security and privacy program services to multiple service providers by awarding additional task orders under the BOAs. In addition, the FDIC's Enterprise Risk Management program may not ensure that the FDIC has appropriately identified, measured, monitored, reported, and mitigated the FDIC's significant risks for contracts and contractors. The Federal Deposit Insurance Corporation (FDIC) procures goods and services from contractors in support of its mission. A CIOO official confirmed that Blue Canopy was not required to submit routine financial and operational reports, as noted above. The Blue Canopy Group, LLC (Blue Canopy) performed a range of cybersecurity and privacy support services for the FDIC. Specifically, the FDIC did not discuss with the Board its procurement risk assessment, management oversight strategy, contract structuring, and ongoing monitoring reports for the procured Critical Functions.
The OIG evaluated two FDIC procurements with Blue Canopy Group, LLC (Blue Canopy) against provisions of OMB Policy Letter 11-01, Performance of Inherently Governmental and Critical Functions, September 12, 2011. [Text box - Prior OIG report.] o Determine Contract Structure. Row 1: Procured Function: Security Operations Center; National Institute of Standards and Technology Guidance: Incident Response (IR)-4 Incident Handling, IR-7 Incident Response Assistance, System and Information Integrity (SI)-4 System Monitoring; Identified as a Critical Function (Yes/No): Yes. Row 2: Procured Function: Computer Security Incident Response Team; National Institute of Standards and Technology Guidance: IR-5 Incident Monitoring, IR-6 Incident Reporting, Risk Assessment (RA)-1 Policy and Procedures, RA-3 Risk Assessment. Ultimately, absent specific policies and procedures on this process, DOD may lack assurance that it retains enough government employees to maintain control over these important functions. The FDIC Did Not Perform a Procurement Risk Assessment for Critical Functions. On a quarterly basis, the FDIC submitted Award Profile Reports to the Board that summarized the FDIC's contracting activities for the quarter. The FDIC's contract Award Values for these services increased from the initial modified Award Value of $27.6 million to $56.3 million, and then to $101.3 million, for a total increase of 267 percent (($101.3 million - $27.6 million) / $27.6 million). For example, if not managed and supervised prudently, the agency may: Footnote 1: According to FDIC Directive 1500.6, Continuity of Operations (COOP) Program (November 2019), Essential Functions are a subset of government functions that are determined to be critical activities.
Corrective Action: In addition to current practices, the FDIC plans to address this recommendation through the study and actions described in our response to Recommendation 1, and based on such actions, will assess the need for additional periodic reviews. Recommendation 5: Develop and implement a management oversight strategy for Critical Functions during the procurement planning process, for each contract involving Critical Functions. As previously noted, Blue Canopy's services represented a significant percentage of the OCISO's annual operating expenses. Rec. 7; Corrective Action: Taken or Planned - Following the FDIC's study discussed in response to Recommendation 1, the CIOO will assess whether any additional enhancements to the management oversight strategy for the Managed Security Services Provider and Security and Privacy Professional Services BOAs and task orders are needed beyond those already incorporated. In particular, FDIC management did not present to the Board an analysis that demonstrated whether it was cost effective to procure the desired Critical Functions or to perform those functions internally with Federal employees or some combination of Federal employees and contractor personnel. As such, we have concurred or partially concurred with all of the OIG recommendations. Ultimately, when an agency is over-reliant on a contractor, the agency potentially jeopardizes its ability to maintain control of its mission and operations by failing to ensure that government actions are taken as a result of informed, independent judgments made by government officials; work products are adequately managed; and the contractors used to support the Federal workforce are appropriately monitored. Figure 5: Best Practices for Conducting Periodic Reviews of Controls and Processes.
In making that determination, the officials shall consider the importance that a function holds for the agency and its mission and operations. Footnote 26: Contract terminology is specialized words or meanings relating to a particular field, such as the term Critical Function in the Federal acquisition process. The Risk Inventory lists risks to the FDIC's ability to achieve its goals and objectives. 2020-005). In addition to existing requirements for oversight management, the FDIC remains committed to the use of SLAs and other controls to manage vendor performance and is considering additional controls to ensure the independence, training, and professionalism of oversight managers. Specific relevant items within the risk inventory currently include risks related to cybersecurity, privacy, protection of sensitive information, potential cyberattacks, management and oversight of contracts, adequacy of staffing, and succession planning, which involves having a sufficient number of the right people with the right skills to meet mission responsibilities. In particular, the official stated that the IGCE included a comparison of the costs to conduct the planned activities internally against the cost for a vendor(s) to perform those same activities. - All deliverables delivered and accepted. According to the GAO, the use of a contractor poses a risk of fraud, waste, and abuse. We also reviewed documentation and interviewed employees familiar with Blue Canopy's work to determine if the FDIC maintained control of its mission and operations. Federal Agencies. The FDIC's Existing Acquisition Process, 2.
The FDIC will consider additional reporting requirements related to contracts for essential functions or for services necessary during a business continuity event, including where such functions are performed by a single vendor, in conjunction with the study and actions described in response to Recommendation 1. The FDIC will consider each of the OIG's recommendations and further study the need for additional risk-based controls for essential procurements. Specifically, the acquisition process was initiated in January 2010 and then again in June 2014. ERM provides transparency and accountability in business practices, reporting, and governance, which can improve stakeholder confidence in the agency's work. Recommendation 11: Implement corrective actions when the FDIC determines it is over-reliant on a contractor for a procured Critical Function. In addition, the contract did not stipulate that Blue Canopy should already have had the appropriate protections for backing up information, and maintaining disaster recovery and contingency plans with sufficiently detailed operating procedures. FDIC Contract Portfolio Pricing Arrangements. Management Decision: Partially Concur. Corrective Actions: The FDIC currently develops a management oversight strategy to oversee all contractors based on the risk and complexity of the contract. As such, OMB Policy Letter 11-01 defined an Inherently Governmental Function as a function that is so intimately related to the public interest as to require performance by Federal Government employees. The term includes functions that require either the exercise of discretion in applying Federal Government authority or the making of value judgments in making decisions for the Federal Government, including judgments relating to monetary transactions and entitlements. OMB Policy Letter 11-01 requires certain Federal agencies to ensure that contractors do not perform Inherently Governmental Functions.
The FDIC's acquisition process is divided into four phases: (1) Procurement Planning; (2) Solicitation and Award; (3) Contract Management; and (4) Closeout Award. The Federal Deposit Insurance Act authorizes the FDIC to acquire services and to establish policies and procedures to achieve its mission and operations. The FDIC's acquisition process involves a number of organizations within the Agency, including the Program Office that initiates a procurement to obtain the services or goods it needs, the Division of Administration's (DOA) Acquisition Services Branch (ASB), the Legal Division, and the FDIC Board of Directors (Board). These services are important for the FDIC to maintain security, confidentiality, integrity, and availability of data, and the trust and confidence of the public in the financial industry. Contract Planning. The portable document format (PDF) file also posted on our Web site is an exact electronic replica of the printed version. In applying acquisition policies and guidance, the FDIC takes a risk-based approach that may apportion greater responsibility to contractors when requirements are well understood, less sensitive, or less likely to change over time. As noted previously, in October 2019, the FDIC changed its procurement strategy for these Critical Functions from two contracts to two BOAs and included multiple service providers on the BOAs. Industry Standard. Blue Canopy was founded in 2001 and is an information technology advisor and service provider that offers mission support, cybersecurity, technology and systems development, data analytics, and cloud and mobility solutions to Government and commercial clients. Additionally, the FDIC needed to routinely test, or review the test results of, those plans to ensure continuity of service.
GSA, NASA, USDA, DOE, and OCC have policy and procedures to prevent over-reliance on a contractor, and specific corrective measures to address instances of contractor over-reliance. The FIL does not separately detail specific procedures applicable to critical functions, but rather provides a general framework to provide appropriate oversight and risk management of significant third-party relationships, including those in which a third party performs critical functions. The FIL recommends increasing levels of control for more complex or higher-risk activities. OMB Policy Letter 11-01 provides guidance on managing the performance of Inherently Governmental and Critical Functions. In its response, the FDIC stated that it is committed to continually improving its contracting processes and controls. Appendix 1 of this report includes additional details on our objective, scope, and methodology. For example, according to the FDIC's Financial Institution Letter, Third-Party Risk Guidance for Managing Third-Party Risk (FIL-44-2008) (June 2008), "[t]here are numerous risks that may arise from use of third parties." However, in order to mitigate the potential risk of a service provider's financial failure, breach of information security protocols, or failure to ensure service continuity, an agency needs to continuously monitor the service provider's financial condition and operations. Best Practices for Conducting Periodic Reviews of Controls and Processes, 6. "Identified weaknesses should be documented and promptly addressed." Acquisition Policy Manual (APM) (i.e., the official policy document), Procedures, Guidance and Information (PGI).
However, it did not document and present to the Board a cost effectiveness analysis that included the scope and methodology, assumptions, quantitative and qualitative analyses, conclusions, and rationale for the Agency's final procurement decision. According to the FDIC's Selection Recommendation Report titled Security Operations Center and Computer Security Incident Response Team Services (February 2015), the Independent Government Cost Estimate was calculated based on information acquired through historical data from the prior 3 years, as well as projects anticipated over the life of the proposed contract. The evaluation's scope included our review of Blue Canopy's two existing contracts with the FDIC's Chief Information Officer Organization to determine if Blue Canopy performed Critical Functions within the FDIC's operations; and, if so, whether the FDIC sufficiently oversaw Blue Canopy to maintain control of the Agency's mission and operations. This potentially jeopardizes the FDIC's ability to maintain control of its mission and operations by failing to ensure that government actions are taken as a result of informed, independent judgments made by government officials; work products are adequately managed; and contractors are appropriately monitored. In addition, GSA, NASA, USDA, DOE, OCC, NCUA, and CFPB have procedures to oversee the contractor's performance and their own personnel's oversight of a contractor. We interviewed officials at other Federal agencies (independent financial regulatory agencies, other independent agencies, and executive branch agencies) to understand their procurement and oversight contractual arrangements for the performance of Critical Functions. When procuring Critical Functions, agencies considered (or considered as a best practice) cost effectiveness analysis, which included analyzing the appropriate mix of Federal employees and contractors and rebalancing, as needed.
Expected Completion Date: March 31, 2022; Monetary Benefits: $0; Resolved-a - Yes or No: No; Open or Closed-b: Closed. Row 2: Rec. In order to implement heightened management oversight, the FDIC needs to (1) identify the risk in a risk assessment; (2) identify the control(s) needed to oversee the contractor within a management oversight strategy; (3) establish the control(s) and a process for reviewing the control(s) within the contract structure; (4) implement the control(s) during the management oversight process; and (5) periodically review the FDIC's and contractor's performance or implementation of the control(s). OMB Policy Letter 11-01 advises certain agencies that they should ensure that Federal employees perform and/or manage Critical Functions to the extent necessary for the agency to operate effectively and maintain control of its mission and operations. o Develop a Management Oversight Strategy. Corrective Actions: Existing acquisition processes and procedures help limit the likelihood of such an occurrence; however, the FDIC will examine whether additional controls are necessary in conjunction with the study and actions described in our response to Recommendation 1. Appendix 2 contains a description of the best practices related to procured Critical Functions. Estimated Completion Date: The guidance issued to Divisions/Offices for the 2021 budget year will include contract oversight as a workload driver. However, as noted in our report, the FDIC did not identify the Blue Canopy contracts as essential, and, therefore, it did not invoke the additional monitoring and oversight procedures. Over a 3-year period, from 2017 to 2019, the FDIC awarded nearly 4,000 contracts valued at more than $1.3 billion.
Our evaluation assessed whether Blue Canopy performed Critical Functions as determined by OMB Policy Letter 11-01 and best practices; and if so, whether the FDIC retained sufficient management oversight of Blue Canopy to maintain control of its mission and operations in accordance with best practices. However, we found that the Agency did not document and present to the Board a complete cost effectiveness analysis that evaluated whether a Critical Function should be procured or performed internally. However, in relation to overseeing contractors who perform Critical Functions on behalf of the FDIC, the Agency's procedures fell short in several important respects, including with respect to conducting periodic reviews to assess for over-reliance on the contractor. Therefore, while we determined that Blue Canopy performed Critical Functions at the FDIC, as defined by OMB Policy Letter 11-01 and best practices, the FDIC did not identify these services as Critical Functions during its procurement planning phase. Figure 4: Best Practices for Implementing a Management Oversight Strategy. We found that the FDIC did not have policies and procedures for identifying Critical Functions in its contracts, as recommended by the best practices in OMB Policy Letter 11-01 and embodied in industry standards. NASA, USDA, and DOE performed, or considered it a best practice to perform, a cost effectiveness analysis.
OMB: The source did not mention this item; GAO: The source did not mention this item; Industry Standard: The source identified this item; Select Federal Agencies: The source did not mention this item. Industry Standard. Conduct a procurement risk assessment for Critical Functions during the procurement planning process, for each contract involving Critical Functions. These best practices support the view that the FDIC should establish and document a process for identifying procurements of Critical Functions. The FDIC Board of Directors. The FDIC's Legal Division has maintained that OMB Policy Letter 11-01 does not apply to the FDIC, but it may be used for guidance. We focused our evaluation on assessing the FDIC's procurement of Critical Functions given their importance in achieving the Agency's mission; we did not evaluate Inherently Governmental Functions as part of this review. Separate from the prior OIG review, the FDIC also made a management determination to reduce our reliance on a single contractor for information security and privacy services. Phase 2: Solicitation and Award - DOA Acquisition Services Branch, in consultation with the Program Office and the Legal Division, solicits and finalizes the contract structure (key provisions) for the acquisition of a Critical Function with the selected service provider. An Executive Agency is a Federal agency that is housed under the Executive Office of the President or one of the 15 Cabinet departments within the Executive Branch. "While identifying and understanding the risks associated with the third party is critical at the outset, the long-term management of the relationship is vital to success." In addition, the guidance noted that "[t]he extent of oversight of a particular third-party relationship will depend upon the potential risks and the scope and magnitude of the arrangement." Division of Administration, Acquisition Services Branch.
Board Reporting. The Board should be involved in reviewing management's risk assessment, contract structuring, and monitoring reports for procured Critical Functions on an individual and aggregate basis. Fail to control the agency's mission and operations; Compromise trust (or data) by failing to exercise due care in establishing appropriate controls to protect sensitive information and to identify and mitigate data breaches. According to a CNN news article titled BearingPoint files for bankruptcy (February 2009), "[t]he McLean, Virginia-based company, which began as the consulting arm of KPMG LLP and later struggled with accounting problems and a U.S. Securities and Exchange Commission probe, has been laboring under heavy debt exacerbated by an acquisition spree between 1999 and 2002." According to the Council of the Inspectors General on Integrity and Efficiency's Quality Standards for Inspection and Evaluation, evaluations are systematic and independent assessments of the design, implementation, and results of operations, programs, or policies. Examples of Personally Identifiable Information include an individual's full name, Social Security Number, driver's license, medical information, or home telephone number.
Footnote 12: According to the FDIC's Acquisition Procedures, Guidance and Information (January 2020), a Basic Ordering Agreement (BOA) is a written instrument of understanding negotiated between the FDIC and a contractor for future delivery of as yet unspecified quantities of goods or services. Rec. 6; Corrective Action: Taken or Planned - The FDIC plans to further address this recommendation through the study and actions described in its response to Recommendation 1; Expected Completion Date: March 31, 2022; Monetary Benefits: $0; Resolved-a - Yes or No: No; Open or Closed-b: Closed. Row 7: Rec. (2) Information Security and Privacy Support Services for outsourced functions.