However, the OIG concluded that the FDIC did not have policies and procedures for identifying critical functions in its contracts and did not implement heightened monitoring activities for the Blue Canopy contracts consistent with the requirements of OMB Policy Letter 11-01. To address our objectives, we conducted the following procedures: Analyzed Blue Canopy's contracts and contractual services for Critical Functions by comparing and contrasting activities to the following: o Other best practices the OIG identified; and A risk/reward analysis should be performed for significant matters, comparing the proposed third-party relationship to other methods of performing the activity or product offering, including the use of other vendors or performing the function in-house. The FDIC disagreed with the proposition that the Agency's framework did not meet the third-party risk management principles outlined in the [FDIC's Financial Institution Letter, Guidance for Managing Third-Party Risk]. However, while the framework requires reports for contracts deemed to be essential, the FDIC did not make this determination for the Blue Canopy contracts. We performed our work from May 2020 through November 2020 at the FDIC's offices in Arlington, Virginia and Dallas, Texas. The FDIC Risk Inventory acknowledged the risks associated with these cybersecurity and privacy support services, including a potential cyber-attack on the FDIC's systems and a security incident involving Personally Identifiable Information. Figure 4: Best Practices for Implementing a Management Oversight Strategy. Management should periodically evaluate the adherence to and effectiveness of its internal management controls and procedures to address the objectives and requirements of OMB Policy Letter 11-01.
Footnote: 8 The Contracting Officer is responsible for ensuring the performance of all actions necessary for efficient and effective contracting, ensuring compliance with the terms of contracts, and protecting the interests of the FDIC in all of its contractual relationships. Management concurred with 1 of the 13 recommendations, and plans to complete corrective action by May 31, 2021. As a result, the reports did not identify for the Board information on the procurement and oversight of procured Critical Functions on an individual and aggregate contract basis as suggested by best practices. This potentially jeopardizes the FDIC's ability to maintain control of its mission and operations by failing to ensure that government actions are taken as a result of informed, independent judgments made by government officials; that work products are adequately managed; and that contractors are appropriately monitored. Nevertheless, the comprehensive nature of the risk management framework includes many FDIC functions that might be classified as critical. In response to this recommendation, the FDIC will review its risk inventory and conduct an assessment to determine if the current risk inventory sufficiently addresses the underlying risks presented in the OIG's report, irrespective of the specific use of the term "critical function." Recommendation 4: Conduct a procurement risk assessment for Critical Functions during the procurement planning process, for each contract involving Critical Functions. Footnote: 37 A Contract Management Plan is a plan developed by the Contracting Officer and the Oversight Manager that documents the joint administration approach to performing oversight activities for complex contracts for services.
Based on the agencies we interviewed, 75 percent (6 of 8) of Federal agencies had contracting policies, procedures, and controls that address Critical Functions. By May 2021, the FDIC expects to transition information security and privacy program services to multiple service providers by awarding additional task orders under the BOAs. Although NCUA and CFPB did not have an explicit written policy, they noted the actions/procedures they would take to address an instance of contractor over-reliance. A management oversight strategy considers, for example, the contract structure (including key provisions) for procuring Critical Functions, and the oversight tasks personnel can perform. However, if the agency cannot provide a sufficient number of knowledgeable staff to oversee the contracts, the contractors could inappropriately influence government decision-making. Moreover, the FDIC determined, in advance of the 2019 contract modifications to increase the contract ceiling on both Blue Canopy contracts, that a new competitive, multi-vendor acquisition strategy should be put in place for the services. According to the FDIC's Legal Division, OMB Policy Letter 11-01 does not directly apply to the Agency, but it may be used for guidance. A Contract Management Plan must be developed for the acquisition of services having a total estimated value of $1 million and greater. The Federal Deposit Insurance Corporation (FDIC) procures goods and services from contractors in support of its mission.
From July 2005 to December 2019, the FDIC issued three contracts (or sets of contracts) for information security support services. In addition, GSA, NASA, USDA, DOE, OCC, NCUA, and CFPB have procedures to oversee the contractor's performance and their own personnel's oversight of a contractor. OIGs may also use evaluations to share best practices and approaches. The GAO report, Human Capital: Additional Steps Needed to Help Determine the Right Size and Composition of DOD's Total Workforce (GAO-13-470) (May 2013), found, in part, that DOD's current policies did not fully reflect federal policy concerning the identification of Critical Functions. Typically, Critical Functions are recurring and long-term in duration. The policy letter recommends that Federal employees should perform and/or manage Critical Functions to the extent necessary for the agency to operate effectively and maintain control of its mission and operations. Appendix 2 contains a description of the best practices related to procured Critical Functions. The FPDS-NG system includes reporting fields that capture services designated as Critical Functions. The FDIC and Blue Canopy's contractual arrangement supported the FDIC's internal annual self-assessment, as required by FISMA. The FDIC develops detailed board cases for individual procurements exceeding $20 million that discuss procurement costs, benefits, alternatives considered, management oversight strategy, and other information.
This assessment should consider, for example, the sufficiency of the agency's internal capacity and capability to control its mission and operations based on an adequate number of Federal employees with appropriate training, experience, and expertise, and a cost effectiveness analysis to ensure that it is cost effective to contract for the services. The OMB policy letter also states that "[w]here a critical function is not inherently governmental, the agency may appropriately consider filling positions dedicated to the function with both Federal employees and contractors." These task orders will transfer work from the Blue Canopy contract in the first and second quarters of 2021. There are numerous risks that may arise from an agency's use of third parties, including performance, monetary, legal, and reputational risks. While the Board Case Package identified the services to be procured, it did not identify or discuss whether the services to be procured were considered to be Critical Functions of the FDIC. The FDIC will also complete an annual performance review of MSSP and SPPS contractors. Further, the FDIC may not maintain control of its mission and operations, and may become over-reliant on contractors. A CIOO official stated that Blue Canopy's business resumption and contingency plans were not a concern because Blue Canopy operated within the FDIC's information systems and on the FDIC's premises. According to a CNN news article titled "BearingPoint files for bankruptcy" (February 2009), "[t]he McLean, Virginia-based company, which began as the consulting arm of KPMG LLP and later struggled with accounting problems and a U.S. Securities and Exchange Commission probe, has been laboring under heavy debt exacerbated by an acquisition spree between 1999 and 2002."
However, the FDIC awarded both contracts to Blue Canopy, which did not reduce reliance on a single contractor for information security support services. The Board authorized a 7 1/2-year term for Security Operations Center and Vulnerability Management Services and a 10-year term for security and privacy professional services. The FDIC concurred with 1 of the 13 recommendations, and plans to complete corrective action by May 31, 2021. Report to the Board about the Award Profile Reports and corresponding status reports for procured Critical Functions during the contract management phase of the acquisition process on an individual and aggregate contract basis, for its consideration. Ultimately, as recommended by best practices, a complete cost effectiveness analysis for Critical Functions, clear and distinct from the IGCE, should be performed and presented to the Board for its review and consideration. This example highlights the need for the FDIC to clearly define the terminology related to Critical Functions and incorporate the underlying concepts embodied in Critical Functions, so that it can readily identify Critical Functions in such procurements and take appropriate actions with heightened monitoring and controls. Program Office conducts market research. Agencies should consider internal controls such as approval authorities, segregation of duties, and independence and non-conflict of interest standards.
The FDIC relies on the results of security control assessments to identify security weaknesses and inform key risk management decisions. Within this report, the OIG recommended that the FDIC "[e]stablish requirements to ensure the independence of security control assessors." - Program Office provides Statement of Work and independent cost estimate. The FDIC did not have a process for identifying Critical Functions in procurements at the outset, and this gap created a cascading effect of shortfalls in overseeing Critical Functions. To assist in performing oversight activities for complex contracts for services, the oversight manager must work with the contracting officer to develop a contract management plan. Interviewed officials at other Federal agencies (independent financial regulatory agencies, other independent agencies, and executive branch agencies) to understand their procurement and oversight contractual arrangements for the performance of Critical Functions. In addition to current practices, the FDIC plans to further address this recommendation through the study and actions described in our response to Recommendation 1. In order to answer our objectives, we reviewed Blue Canopy's two existing contracts, as of May 2020, with the FDIC's Chief Information Officer Organization (CIOO), and the FDIC's acquisition process to identify and manage procured Critical Functions. Best Practices: 3. Further, the official stated that Blue Canopy complied with the FDIC's directives governing access to and operations at FDIC offices and facilities.
In addition, agencies developed an exit strategy from the contractual arrangement and/or described that they would take the following actions if it was determined that the agency was over-reliant on contractors to perform Critical Functions: (1) review and adjust what the contractor accomplishes for the agency; (2) reassess human capital needs (staff and funding) and make Full Time Employee adjustments; (3) in-source the function; (4) review the contracting process from beginning to end to understand how the agency lost control (retrospective review of the contracting process); and (5) reestablish controls over contractor responsibilities (by strengthening oversight, insourcing the work through the timely development and execution of hiring plans, refraining from exercising options under the contract, or terminating all or part of the contract). The BOAs have a total Award Value of $398 million. In addition, routine reviews ensure that both contractor and agency staff know their roles and responsibilities in the event of an unexpected incident, and validate the planned response. The FDIC acknowledged the importance of the procured function in the Board Case, contract statement of work, and acquisition plans, the latter stating that services were "critical to ensuring the security and protection of FDIC's IT infrastructure and data." Footnote: 2 GAO reported that "[b]est business practices refer to the processes, practices, and systems identified in public and private organizations that performed exceptionally well and are widely recognized as improving an organization's performance and efficiency in specific areas." Footnote: b Recommendations will be closed when the OIG confirms that corrective actions have been completed and are responsive.
Revise the management oversight strategy for the procured Critical Functions performed under the BOAs for Managed Security Services Provider and Security and Privacy Professional Services to ensure that the strategy aligns with best practices. Footnote: 17 GAO Report, Best Practices Methodology: A New Approach for Improving Government Operations (GAO/NSIAD-95-154) (May 1995). In addition, we maintain that these circumstances represented a failure in the FDIC's controls and procedures. NIST SP 800-53 organized security and privacy controls into 20 families. The guidance states that "[a]n institution's board of directors and senior management are ultimately responsible for identifying and controlling risks arising from [third-party] relationships, to the same extent as if the [contracted] activity were handled within the institution." In particular, the FDIC should have routinely reviewed (actively monitored) Blue Canopy's financial condition, information security, and business resumption and continuity testing reports to ensure the security, confidentiality, integrity, and availability of FDIC information.
Row: (preceding row; Procured Function cut off in the source); National Institute of Standards and Technology Guidance: RA-5 Vulnerability Monitoring and Scanning; Assessment, Authorization, and Monitoring (CA)-5 Plan of Action and Milestones; Program Management (PM)-4 Plan of Action and Milestones Process; PM-6 Information Security Measures of Performance; PM-9 Risk Management Strategy; Identified as a Critical Function (Yes/No): Yes
Row: 3; Procured Function: Technical Security Assessment; National Institute of Standards and Technology Guidance: RA-5 Vulnerability Monitoring and Scanning; Identified as a Critical Function (Yes/No): Yes
Row: 4; Procured Function: Vulnerability Management; National Institute of Standards and Technology Guidance: RA-5 Vulnerability Monitoring and Scanning; Identified as a Critical Function (Yes/No): Yes
Row: 5; Procured Function: Continuous Controls Assessment Program; National Institute of Standards and Technology Guidance: CA-2 Control Assessments; Configuration Management (CM)-4 Impact Analyses; Identified as a Critical Function (Yes/No): Yes
Row: 6; Procured Function: Privacy Program; National Institute of Standards and Technology Guidance: Program Management (PM)-18 Privacy Program Plan; Identified as a Critical Function (Yes/No): Yes
Row: 7; Procured Function: Testing of Internal Controls; National Institute of Standards and Technology Guidance: CA-2 Control Assessments; Identified as a Critical Function (Yes/No): Yes
Source: OIG analysis of FDIC's procured services from Blue Canopy against NIST guidance.
Since then, the FDIC re-organized and placed oversight responsibility within the CIOO OCISO. OMB Policy Letter 11-01 defines the terms Inherently Governmental Function and Critical Function as follows: An Inherently Governmental Function is a function that is so intimately related to the public interest as to require performance by Federal Government employees.
The term includes functions that require either the exercise of discretion in applying Federal Government authority or the making of value judgments in making decisions for the Federal Government, including judgments relating to monetary transactions and entitlements. Best Practices for Identifying Planned and Procured Critical Functions, 3. Gained an understanding of Federal procurement and oversight control processes by reviewing Federal regulations, government-wide guidance, and best practices, including:
o Office of Management and Budget Office of Federal Procurement Policy, Policy Letter 11-01, Performance of Inherently Governmental and Critical Functions (September 2011);
o OMB Circular A-76, Performance of Commercial Activities (May 2003);
o Federal Activities Inventory Reform Act of 1998 (October 1998); and
In 2009 and 2010, the services obtained were overseen by the FDIC's Division of Information Technology. With respect to the MSSP and SPPS contracts, FDIC contract officers, oversight managers, and technical monitors assigned to the BOAs and task orders will ensure that contractors comply with contract terms and meet performance expectations. Additionally, according to best practices, the plans and testing reports should be reviewed on a routine, ongoing (proactive) basis, rather than waiting for and reacting to an unexpected event. As such, OMB Policy Letter 11-01 defined an Inherently Governmental Function as "a function that is so intimately related to the public interest as to require performance by Federal Government employees. The term includes functions that require either the exercise of discretion in applying Federal Government authority or the making of value judgments in making decisions for the Federal Government, including judgments relating to monetary transactions and entitlements." OMB Policy Letter 11-01 requires certain Federal agencies to ensure that contractors do not perform Inherently Governmental Functions.
Contract Management: Program Office and DOA Acquisition Services Branch identify the Critical Function within contract oversight documents and reports to the FDIC Board. Title III of the E-Government Act, entitled the Federal Information Security Management Act of 2002, requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and systems that support the operations and assets of the agency. Corrective Action: The FDIC Risk Inventory identifies risks to the FDIC achieving its mission, goals, and objectives and risks to agency operations. Identify missing or insufficient controls in the BOAs and task orders for Managed Security Services Provider and Security and Privacy Professional Services, and implement appropriate corrective actions or compensating controls. In July 2020, the FDIC awarded a competitive BOA to one vendor to provide managed support services for all aspects of the Security Operations Center (SOC) under a fixed-price arrangement. Ultimately, absent specific policies and procedures on this process, DOD may lack assurance that it retains enough government employees to maintain control over these important functions. To resolve these 12 recommendations, we would expect that the FDIC provide a clear indication of the specific actions within the next 6 months, and we will determine whether the recommendations may be converted to being resolved at that time, or whether they will remain as unresolved.
For the 12 unresolved recommendations, the FDIC plans to consider and further study the issues and does not intend to implement corrective actions for another year (between March 31 and June 30, 2022). As previously noted, the FDIC and Blue Canopy's contractual arrangement allowed Blue Canopy to assess certain security controls, including configuration management controls. The importance of the FDIC reviewing financial and audit reports and periodically monitoring the contractor's operations was demonstrated by the FDIC's experience with Blue Canopy's predecessor. Oversight Manager and Contracting Officer develop Contract Management Plan. Footnote: 20 Enterprise Risk Management (ERM) is an agency-wide approach to addressing internal and external risks facing an agency. Source: OIG analysis of OMB guidance, GAO reports, Industry guidance, and interview statements from Federal agencies. The FDIC's procedures do not separately designate certain contracts as related to "critical functions." FDIC Consideration of the OMB Policy Letter and Certain OIG-Identified Practices. The FDIC takes seriously its responsibility to maintain control of its operations and to ensure that it has sufficient and knowledgeable federal staff to oversee contractors, particularly those performing services essential to the FDIC's mission.
However, while Blue Canopy operated within the FDIC's information systems and facilities, the value that Blue Canopy provided was in its human capital. Additionally, the FDIC needed to routinely test, or review the test results of, those plans to ensure continuity of service. Determine the contract structure during the solicitation and award process for the procurement of a Critical Function. In addition, following the FDIC's study and actions in response to Recommendation 1, the CIOO will assess the need for additional periodic reviews of such contracts and whether additional enhancements are required beyond the controls already incorporated. DRR's contract with Blue Canopy was beyond the scope of this review. In addition, if the FDIC determines contract services are essential in the event of an emergency or business continuity event, the statement of work or statement of objectives must include: Footnote: 6 The APM includes a descriptive list of inherently governmental functions and services and actions that are not inherently governmental functions. This list of inherently governmental functions is derived from the FAR (48 C.F.R. Procurement Planning: Program Office identifies the Critical Function to be procured within procurement planning documents. Footnote: 6 12 U.S.C. Best Practices for Critical Functions by Source, 2. Since then, the procured services have been re-competed and re-issued twice.
7.503), and the examples in Appendix A in OMB Policy Letter 11-01. Develop a management oversight strategy. Figure 1: The FDIC's Existing Acquisition Process. In addition, OMB Policy Letter 11-01 established a definition for a Critical Function as "a function that is necessary to the agency being able to effectively perform and maintain control of its mission and operations." Recommendation 1: Incorporate the provisions of OMB Policy Letter 11-01 guidance into the FDIC Acquisition Policy Manual (August 2008) and Acquisition Procedures, Guidance and Information document (January 2020). The FDIC took action to address OIG concerns about Blue Canopy's independence. The OIG notes in its report that the FDIC followed its normal contract policies and procedures for the two Blue Canopy contracts. The report concluded that the FDIC needs to establish a clear governance structure, and clearly define authorities, roles, and responsibilities related to [Enterprise Risk Management].