Expected Completion Date: June 30, 2022; Monetary Benefits: $0; Resolved (a): No; Open or Closed (b): Closed. Row 8: Rec. In the first 18 months of contract performance, if the initial vendor is not successfully performing, both the MSSP and SPPS BOAs permit a quick transition to another vendor on the contract without a recompetition. Best Practices for Performing a Procurement Risk Assessment. The FDIC acknowledged the importance of the procured function in the Board Case, contract statement of work, and acquisition plans, the latter stating that the services were "critical to ensuring the security and protection of FDIC's IT infrastructure and data." The FDIC will also complete an annual performance review of MSSP and SPPS contractors. As part of the procurement risk assessment, include a cost effectiveness analysis. In applying acquisition policies and guidance, the FDIC takes a risk-based approach that may apportion greater responsibility to contractors when requirements are well understood, less sensitive, or less likely to change over time. FDIC Contract Portfolio Pricing Arrangements. Management does not concur with the recommendation, but alternative action meets the intent of the recommendation; or. Requirements that contractors flow emergency preparedness and continuity requirements to essential subcontracts; and. Both the Managed Security Services Provider (MSSP) and SPPS BOAs include incentives for vendors to provide superior performance. Periodic Reviews of Controls and Processes. 4) Conduct a procurement risk assessment for Critical Functions during the procurement planning process, for each contract involving Critical Functions. We made 13 recommendations to the FDIC's Deputy to the Chairman and Chief Operating Officer.
The Board approves the execution of contracts with dollar values over $20 million and contract modifications to contracts previously approved by the Board that increase the award amount or period of performance by more than 15 percent. Footnote 22: According to the FDIC's Enterprise Risk Management Standard Operating Procedure (May 2020), Inherent Risk is "the exposure arising from a specific risk before any action has been taken to manage it beyond normal operations." Further, the official stated that Blue Canopy complied with the FDIC's directives governing access to and operations at FDIC offices and facilities. Ultimately, absent specific policies and procedures on this process, DOD may lack assurance that it retains enough government employees to maintain control over these important functions. Footnote 4: See id. Legal Division. Footnote 28: According to the FDIC's Acquisition Procedures, Guidance and Information (January 2020), the Independent Government Cost Estimate is the FDIC's estimated cost for the acquisition. Program Office and Contracting Officer prepare acquisition documents. Federal Agencies. Enterprise Risk Management Risk Inventory. The definition of essential functions as used by the FDIC is restricted to those functions that impact continuity of operations planning. Without the requisite analysis, the FDIC cannot be assured that it has appropriately identified and mitigated the existing procurement and operational risks. While Blue Canopy personnel were subject to the FDIC's onsite information security protocols, more proactive controls should have been employed to validate that FDIC data had been retained onsite and not transferred to the contractor's facilities or systems.
The FDIC develops detailed board cases for individual procurements exceeding $20 million that discuss procurement costs, benefits, alternatives considered, management oversight strategy, and other information. This represented a failure of the FDIC to maintain control of its operations. The recommendation was to contract for the services due to the available experience of the private sector and its ability to scale resources more quickly than the FDIC. The APM and the implementing Acquisition Procedures, Guidance, and Information (PGI) address planning considerations for contracts considered essential in the event of an emergency or business continuity event and delineate the risks associated with such procurements. Footnote 36: Security Configuration Management of the Windows Server Operating System (AUD-19-004) (January 2019).
Notably, the FDIC stated in its response that if the FDIC determines contract services are essential in the event of an emergency or business continuity event, the statement of work or statement of objectives must include: "business continuity requirements, requirements that contractors flow emergency preparedness and continuity requirements to essential subcontracts; and requirements for contractors to have emergency plans for providing services to FDIC in the event of a disruption of normal operations, and participation in FDIC business continuity testing, training, and exercises." We identified the following commonly acknowledged best practices from selected sources. Federal agencies need to ensure proper management and oversight of procured services for Critical Functions in order to prevent over-reliance on the contractor and the loss of control of the agency's mission and operations. Estimated Completion Date: March 31, 2022. However, the FDIC did not make the determination that Blue Canopy provided essential or critical services, even though the Agency dedicated more than 38 percent of its IT security budget to Blue Canopy services. Additionally, the FDIC needed to routinely test, or review the test results of, those plans to ensure continuity of service. The FDIC stated that it partially concurred with the remaining 12 recommendations; however, the FDIC response did not provide specific actions taken or planned.
For example, according to the FDIC's Financial Institution Letter, Third-Party Risk: Guidance for Managing Third-Party Risk (FIL-44-2008) (June 2008), "[t]here are numerous risks that may arise from use of third parties." For example, as noted above, the following agencies noted heightened contracting monitoring, such as: o Perform Periodic Reviews. Nor did the FDIC require periodic joint testing procedures. As it relates to contract structure, the APM states that the contracting officer must select the type of contract and pricing arrangement that represents the most prudent and reasonable relationship with the contractor and minimizes cost and other risks to the FDIC. The FDIC took prompt action to address the OIG's recommendations regarding the lack of independent assessments of Blue Canopy's services, and the OIG closed those recommendations in 2019. Agencies performed (or considered as a best practice) periodic reviews of contractor and agency personnel performance, human capital planning, personnel training, risk management strategy, contract requirements, budget/cost justification, attribution of contractor vs. agency work, and over-reliance assessments. Footnote 33: In comparison, the FDIC's procurement planning and solicitation and award processes for contract CORHQ-14-C-0769 took 9 months (from March 2014 to December 2014), and contract CORHQ-14-C-0778 took 12 months (from March 2014 to March 2015). As a result, the FDIC also did not implement heightened contract monitoring activities for Critical Functions as stated in OMB's Policy Letter 11-01, and best practices identified and used by other government agencies.
Contracting officers and oversight managers are also responsible for evaluating contractor performance. Government agencies must ensure that (1) contractors do not perform work that should be reserved for Federal employees; and (2) Federal officials are appropriately managing and overseeing contractor performance. Contracting Officer closes out contract. The guidance states that "[a]n institution's board of directors and senior management are ultimately responsible for identifying and controlling risks arising from [third-party] relationships, to the same extent as if the [contracted] activity were handled within the institution."34 In particular, the FDIC should have routinely reviewed (actively monitored) Blue Canopy's financial condition, information security, and business resumption and continuity testing reports to ensure the security, confidentiality, integrity, and availability of FDIC information. Such an approach reduces the chances of the FDIC being overly reliant on an individual vendor. Identify Critical Functions during the procurement planning, award, and contract management phases of the acquisition process. The GAO report, Human Capital: Additional Steps Needed to Help Determine the Right Size and Composition of DOD's Total Workforce (GAO-13-470) (May 2013), found, in part, that DOD's current policies did not fully reflect federal policy concerning the identification of Critical Functions. As a result, the GAO recommended, in part, that DOD should revise existing workforce policies and procedures to address the determination of the appropriate workforce mix. However, if the agency cannot provide a sufficient number of knowledgeable staff to oversee the contracts, the contractors could inappropriately influence government decision-making. When procuring Critical Functions, agencies considered strategic human capital planning, analyzing agency staff resources, internal capability and capacity, and cost.
Fail to control the agency's mission and operations; Compromise trust (or data) by failing to exercise due care in establishing appropriate controls to protect sensitive information and to identify and mitigate data breaches. How the contract is to be administered, including how inspection and acceptance corresponding to the statement of work or statement of objectives performance criteria is to be enforced. Agencies should consider internal controls such as approval authorities, segregation of duties, and independence and non-conflict of interest standards. The Program Office is also responsible for nominating the Oversight Manager and Technical Monitor(s).7 In particular, the policy letter states that "[a]gencies shall develop and maintain internal procedures to address the requirements of this guidance." In addition, the policy letter states that agencies should determine the type and level of management attention necessary to ensure that functions that should be reserved for Federal performance are not materially limited by or effectively transferred to contractors and that functions suitable for contractor performance are properly managed. In July 2020, the FDIC awarded a competitive BOA to one vendor to provide managed support services for all aspects of the Security Operations Center (SOC) under a fixed-price arrangement. Perform a procurement risk assessment. As discussed above, however, the FDIC's IGCE did not include the scope and methodology, analyses (both quantitative and qualitative), conclusions, and rationale for the Agency's final procurement decision as suggested by best practices. "The more important the function, the more important that the agency have internal capability to maintain control of its mission and operations." GAO Recommendations.
For example, as noted above, the following agencies noted heightened contracting monitoring, such as: o Perform a Cost Effectiveness Analysis. Recommendation 11: Implement corrective actions when the FDIC determines it is over-reliant on a contractor for a procured Critical Function. In addition, OMB Policy Letter 11-01 established a definition for a Critical Function as "a function that is necessary to the agency being able to effectively perform and maintain control of its mission and operations." Footnote 31: According to FIL-44-2008, for reports, "[t]he contract should specify the type and frequency of management information reports to be received from the third party." Oversight Manager and Contracting Officer develop Contract Management Plan. In addition, following the FDIC's study and actions in response to Recommendation 1, the CIOO will assess the need for additional periodic reviews of such contracts and whether additional enhancements are required beyond the controls already incorporated. In particular, we noted the following: The FDIC 2019 Annual Report. These planning discussions should consider the resources and the expertise required to perform the functions and manage the procurement. Rec. No.: 10; Corrective Action Taken or Planned: The FDIC plans to address this recommendation through the study and actions described in its response to Recommendation 1; Expected Completion Date: March 31, 2022; Monetary Benefits: $0; Resolved (a): No; Open or Closed (b): Closed. Row 11: Rec.
The FDIC Legal Division concluded in October 2011 that the OMB Policy Letter did not apply because: (1) the FDIC did not fall within the definition of "executive agency" in the Office of Federal Procurement Policy Act and (2) the FDIC was not funded by congressional appropriations. However, while Blue Canopy operated within the FDIC's information systems and facilities, the value that Blue Canopy provided was in its human capital. The FDIC relies on contractors to support a range of activities, from janitorial to Information Technology support services. Upon completion of the corrective actions and before closing the recommendations, we will review the FDIC's actions to ensure that the revised acquisition process includes guidance for identifying planned procurements of Critical Functions and implementing heightened contract monitoring for Critical Functions. Additional information on contract and contractor performance is provided in quarterly reports to the FDIC Board. Gained an understanding of Federal procurement and oversight control processes by reviewing Federal regulations, government-wide guidance, and best practices, including: o Office of Management and Budget, Office of Federal Procurement Policy, Policy Letter 11-01, Performance of Inherently Governmental and Critical Functions (September 2011); o OMB Circular A-76, Performance of Commercial Activities (May 2003); o Federal Activities Inventory Reform Act of 1998 (October 1998); and. Additional appendices include acronyms and abbreviations, the Agency's comments on a draft of this report, and a summary of the Agency's corrective actions. National Institute of Standards and Technology Guidance.
We recognize that the FDIC calculated and presented to the Board the Independent Government Cost Estimates (IGCE)28 that were used to conclude on the reasonableness and feasibility of the proposals received. Best Practices. Figure 5: Best Practices for Conducting Periodic Reviews of Controls and Processes. The contractor successfully performed all required tasks under both contracts, and received "excellent" and "outstanding" ratings in annual performance reviews, with the exception of one "good" rating on one contract for one rating period. The Board authorized a 7 1/2-year term for Security Operations Center and Vulnerability Management Services and a 10-year term for security and privacy professional services. In 2019, the services provided by Blue Canopy comprised 38.3 percent ($16.2 million) of the OCISO's annual operating expenses ($42.3 million). Footnote 16: The FDIC Legal Division concluded that OMB Policy Letter 11-01 did not apply to the FDIC, because (1) the FDIC did not fall within the definition of "executive agency" in the Office of Federal Procurement Policy Act; and (2) the FDIC was not funded by congressionally appropriated funds. Appendix 2 contains a detailed description of the best practices related to procured Critical Functions. Footnote 1: The FDIC's acquisition procedures are scalable based on the risk and complexity of the procurement and require increased planning, oversight, and monitoring commensurate with a procurement's risk and importance. The contracts contained SLAs that required the contractor to meet FDIC-defined standards. 2) Identify Critical Functions during the procurement planning, award, and contract management phases of the acquisition process.
Periodic reviews should identify indicators of potential operational/process failures and conclude on the FDIC's ability to retain sufficient management oversight of the procured services to maintain control of its mission and operations. The FDIC is also placing a greater focus on upfront acquisition planning to make sure contracts are properly structured and have meaningful service level agreements (SLAs), appropriate incentive/disincentive structures, and performance metrics. Appendix 1: Objectives, Scope, and Methodology. These actions, based on existing FDIC acquisition policies and procedures, were consistent with the spirit of OMB Policy Letter 11-01 and the FDIC's Guidance for Managing Third-Party Risk. The OCISO is comprised of four sections: Governance, Risk and Compliance; Privacy; Security Architecture; and Security Operations. The FDIC's OCISO and DOA submitted to the Board, through its established procurement process, a Board Case Package and Award Profile Reports.38 These documents, however, did not identify the procured services that were Critical Functions, nor did they present the planned or implemented heightened oversight management activities for the Critical Function procurements. If the FDIC does not manage the risks associated with Critical Functions prudently, it may: Become over-reliant on a third party to achieve its mission and conduct operations; Fail to control the Agency's mission and operations; Create inefficiencies through increased cost and decreased operational effectiveness; Fail to identify and evaluate alternative courses of action; Fail to provide independent judgments and informed oversight; and.