Phase 2: Solicitation and Award - DOA Acquisition Services Branch reports to the FDIC Board the finalized contract structure and procured Critical Function - on an individual and aggregate basis. The FDIC, instead, uses a best value method, especially for acquisitions requiring innovative solutions or a high level of technical expertise, that allows for the evaluation of technical factors in addition to price and past performance. The FDIC is committed to continually improving its processes and controls and will: (1) survey recognized practices and procedures associated with contracts supporting essential functions or those involving services necessary in a business continuity event, particularly when those contracts are performed by a single vendor; and (2) incorporate enhancements to our existing acquisition planning, approval, reporting, and oversight processes, as warranted by our unique operational needs and management structure.
Analyzed the FDIC's oversight of Blue Canopy to maintain control of the Agency's mission and operations by: o Comparing and contrasting management procurement and oversight activities to best practices the OIG identified; and Figure 4 illustrates the best practices for implementing a management oversight strategy as part of the FDIC's acquisition process. Moreover, the FDIC determined, in advance of the 2019 contract modifications to increase the contract ceiling on both Blue Canopy contracts, that a new competitive, multi-vendor acquisition strategy should be put in place for the services. According to the FDIC's Legal Division, OMB Policy Letter 11-01 does not directly apply to the Agency, but it may be used for guidance. Figure 4: Best Practices for Implementing a Management Oversight Strategy. Wisconsin Department of Employee Trust Funds, PO Box 7931, Madison, WI 53707-7931, 1-877-533-5020 (toll free), Fax 608-267-4549. Proposed Amendment to FDIC Bank Option Contract, February 9, 2021. Staff recommends the Board amend the FDIC bank option contract (ETJ0050) as shown to provide an interest rate floor of 15 basis points. A procurement risk assessment should be performed during the procurement planning phase of the acquisition process. We performed our work in accordance with the Council of the Inspectors General on Integrity and Efficiency's Quality Standards for Inspection and Evaluation. The Blue Canopy Group, LLC (Blue Canopy) performed a range of cybersecurity and privacy support services for the FDIC. Identified Best Practices and Their Sources, 3. ; OMB: The source did not mention this item; GAO: The source did not mention this item; Industry Standard: The source identified this item; Select Federal Agencies: The source did not mention this item; Industry Standard. Phase 3: Contract Management - Program Office and DOA Acquisition Services Branch implement the management oversight strategy for the acquired Critical Function.
FDIC is also placing a greater focus on upfront acquisition planning to make sure contracts are properly structured and have meaningful service level agreements (SLAs), appropriate incentive/disincentive structures, and performance metrics. Therefore, the FDIC did not identify the Information Technology services performed by Blue Canopy as Critical Functions during the procurement planning phase, solicitation and award phase, or contract management phase of the acquisition process. The FDIC and Blue Canopy's Contractual Relationship, Inherently Governmental Functions and Critical Functions, Best Practices for Procuring Critical Functions, The FDIC Did Not Implement Heightened Monitoring for Critical Functions, 2. The FDIC, however, has expressed reluctance to incorporate the term "Critical Function" into its process, as that term is used and defined in OMB Policy Letter 11-01.
In addition, the FDIC's business resumption and contingency plans rely on Blue Canopy's resources being available to continue its services. The GAO report, DHS Service Contracts: Increased Oversight Needed to Reduce the Risk Associated with Contractors Performing Certain Functions (GAO-20-417) (May 2020), found, in part, that DHS did not consistently plan for the level of Federal oversight needed for certain contracts because there was no guidance on how to document and update the number of Federal personnel needed to conduct oversight. : 11; Corrective Action: Taken or Planned - The FDIC will examine whether additional controls are necessary in conjunction with the study and actions described in its response to Recommendation 1.; Expected Completion Date: March 31, 2022; Monetary Benefits: $0; Resolved-a - Yes or No: No; Open or Closed-b: Closed; Row 12: ; Rec. In addition, we maintain that these circumstances represented a failure in the FDIC's controls and procedures. The Federal Deposit Insurance Corporation (FDIC) procures goods and services from contractors in support of its mission.
The FDIC took action to address OIG concerns about Blue Canopy's independence. The awards, now in their third year, are organised by international engineering federation FIDIC (the International Federation of Consulting Engineers). Appendix 1: Objectives, Scope, and Methodology, 1. Appendix 2: Identified Best Practices and Their Sources. DOA's ASB is responsible for issuing the policies governing the contracting program and the procedures for implementing those policies. judgments made by governmental officials21 for all contracts covering Critical Functions. The guidance states that "[a]n institution's board of directors and senior management are ultimately responsible for identifying and controlling risks arising from [third-party] relationships, to the same extent as if the [contracted] activity were handled within the institution."34 In particular, the FDIC should have routinely reviewed (actively monitored) Blue Canopy's financial condition, information security, and business resumption and continuity testing reports to ensure the security, confidentiality, integrity, and availability of FDIC information. The OIG found that the FDIC implemented its established procurement process with respect to the two procurements, including reporting to the FDIC Board of Directors. To assist in performing oversight activities for complex contracts for services, the oversight manager must work with the contracting officer to develop a contract management plan. The OIG's report, Security Configuration Management of the Windows Server Operating System (AUD-19-004) (January 2019), noted that the FDIC hired [Blue Canopy] to assess certain security controls, including configuration management controls, for which the FDIC had also assigned the firm duties related to design and/or execution. Industry Standard.
The FDIC began working with Blue Canopy in May 2009 when the FDIC's CIOO, Office of the Chief Information Security Officer (OCISO), and DOA,9 procured the services of Blue Canopy to provide Information Security Support Services to the FDIC after the initial contractor filed for bankruptcy. Based on its study, the FDIC will provide guidance to divisions and offices for assessing the potential for contractor overreliance and maintaining federal control of essential functions or those necessary during a business continuity event. 800-53). The recommendation was to contract for the services due to the available experience of the private sector and its ability to scale resources more quickly than the FDIC. OMB: The source identified this item; GAO: The source identified this item; Industry Standard: The source identified this item; Select Federal Agencies: The source identified this item; OMB Guidance. FDIC Contract Awards and Amounts by Year (2013-2017) 2. Any subsequent task orders would be for tech developments issued as standalone projects, worth $112.5 million in total. We considered Blue Canopy's informal feedback before finalizing the report. o Develop a Management Oversight Strategy. The FDIC will also complete an annual performance review of MSSP and SPPS contractors.
Compromise the trust (or data) by failing to exercise due care in establishing appropriate controls to protect sensitive information and to identify and mitigate data breaches. The FDIC is an independent federal agency with a mission of maintaining stability and public confidence in the nation's financial system by insuring bank deposits, examining and supervising financial institutions for safety and soundness and consumer protection, making large and complex financial institutions resolvable, and managing receiverships. The OIG report, Contract Oversight Management (EVAL-20-001) (October 2019), noted that while the information in the Award Profile Report was important for the Board of Directors to understand the status of higher risk FDIC acquisitions as of a specific point in time, it "does not provide the Board or other senior management officials with a portfolio-wide view or the ability to analyze historical contracting trends across the portfolio, identify anomalies, and perform ad hoc analysis to identify risk or plan for future acquisitions." Within the report, the OIG recommended, in part, that the FDIC "[p]rovide enhanced contract portfolio reports to FDIC executives, senior management, and the Board of Directors." A breach or disruption in these services could impact the security, confidentiality, integrity, and availability of FDIC information. For example, as noted above, the following agencies noted heightened contracting monitoring, such as: o Perform a Cost Effectiveness Analysis. The solicitations for the new contracts occurred in November 2019 and April 2020. Management concurred with 1 of the 13 recommendations, and plans to complete corrective action by May 31, 2021.
Title III of the E-Government Act, entitled the Federal Information Security Management Act of 2002, requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and systems that support the operations and assets of the agency. Recommendation 6: Determine the contract structure during the solicitation and award process for the procurement of a Critical Function. Following the study discussed in response to Recommendation 1, the CIOO will assess whether any additional enhancements are needed for the MSSP and SPPS BOAs and task orders beyond those already incorporated. The FDIC's contract Award Values for these services increased from the initial modified Award Value of $27.6 million to $56.3 million, and then to $101.3 million, for a total increase of 267 percent (($101.3 million - $27.6 million) / $27.6 million). Contracting Officer issues Request for Quotation. OMB Policy Letter 11-01 advises certain agencies that they should ensure that Federal employees perform and/or manage Critical Functions to the extent necessary for the agency to operate effectively and maintain control of its mission and operations. The Program Office is responsible for determining its procurement needs and initiating the acquisition process by submitting a procurement request to DOA's ASB. The PGI requires the oversight manager, together with the contracting officer, to determine the level of oversight that is necessary to ensure the contractor makes satisfactory progress toward the successful completion of the terms of the contract. Due to the lack of policies and procedures in this area, the FDIC did not identify these Critical Functions performed by Blue Canopy during its procurement planning phase. With this approach in mind, the FDIC will consider the processes, practices, and systems that the OIG identified, among others, to enhance our existing policies. Periodic Reviews of Controls and Processes.
Recommendation 5: Develop and implement a management oversight strategy for Critical Functions during the procurement planning process, for each contract involving Critical Functions. NASA, USDA, and CFPB performed, or considered it a best practice to perform, strategic human capital planning. An agency may become over-reliant on a service provider if it does not have the capacity (number of Federal employees) and capability (Federal employees with appropriate training, experience, and expertise) to oversee the contractor properly.
Each family contains controls that are related to the specific topic of the family. A CIOO official stated that the IGCE represented a cost effectiveness analysis. On a quarterly basis, the FDIC submitted Award Profile Reports to the Board that summarized the FDIC's contracting activities for the quarter. DOA will revise the APM and PGI to reflect any resulting process and control enhancements. Specific relevant items within the risk inventory currently include risks related to cybersecurity, privacy, protection of sensitive information, potential cyberattacks, management and oversight of contracts, adequacy of staffing, and succession planning, which involves having a sufficient number of the right people with the right skills to meet mission responsibilities.
Since then, the FDIC re-organized and placed oversight responsibility within the CIOO OCISO.
This will help ensure that the FDIC integrates [Enterprise Risk Management] into its culture, practices, and capabilities so that risks across the enterprise are considered and prioritized as part of operations support, program management, budget decisions, and strategic planning. Having well-defined authorities, roles, and responsibilities for [Enterprise Risk Management] will help to ensure that the range of risks facing the Agency and banking sector are properly identified. Best Practices: 5. However, as noted in our report, the FDIC did not identify the Blue Canopy contracts as essential, and, therefore, it did not invoke the additional monitoring and oversight procedures. Both the Managed Security Services Provider (MSSP) and SPPS BOAs include incentives for vendors to provide superior performance. However, to meet its fiduciary responsibility to the taxpayers, the agency must have sufficient internal capability to control its mission and operations. Sufficient internal capability (i) generally requires that an agency have an adequate number of positions filled by Federal employees with appropriate training, experience, and expertise to understand the agency's requirements, formulate alternatives, take other appropriate actions to properly manage and be accountable for the work product, and continue critical operations with in-house resources, another contractor, or a combination of the two, in the event of contractor default; and (ii) further requires that an agency have the ability and internal expertise to oversee and manage any contractors used to support the Federal workforce. Determinations concerning what constitutes sufficient internal capability must be made on a case-by-case basis taking into account, among other things, the: (i) agency's mission; (ii) complexity of the function and the need for specialized skill; (iii) current strength of the agency's in-house expertise; (iv) current size and capability of the agency's acquisition workforce; and (v) effect of contractor default on mission performance. As part of acquisition planning, agencies shall confirm that for the Critical Functions to be procured, the agency has sufficient internal capability to control its mission and operations. The FDIC relies on contractors to support a range of activities from janitorial to Information Technology support services.
: 2; Corrective Action: Taken or Planned - The FDIC plans to further address this recommendation through the study and actions described in its response to Recommendation 1.; Expected Completion Date: March 31, 2022; Monetary Benefits: $0; Resolved-a - Yes or No: No; Open or Closed-b: Closed; Row 3: ; Rec. No. Management concurs with the recommendation, and the planned, ongoing, and completed corrective action is consistent with the recommendation; or, 2. As noted above, the OIG identified best practices from OMB Guidance, the GAO, industry standards, and several other Federal agencies. In addition, the GAO's Standards for Internal Control in the Federal Government (GAO-14-704G) (September 2014) states that agencies should implement internal control standards and activities to achieve agency objectives and respond to risks, and should implement these activities through policies. how the contract is to be administered, including how inspection and acceptance corresponding to the statement of work or statement of objectives performance criteria is to be enforced. Footnote: 3 See APM 1.405(a). Develop a management oversight strategy. As previously noted, the FDIC and Blue Canopy's contractual arrangement allowed Blue Canopy to assess certain security controls, including configuration management controls.