fdic contract awards 2021

The Federal Deposit Insurance Act authorizes the FDIC to acquire services and to establish policies and procedures to achieve its mission and operations. The FDIC's acquisition process involves a number of organizations within the Agency, including the Program Office that initiates a procurement to obtain the services or goods it needs, the Division of Administration's (DOA) Acquisition Services Branch (ASB), the Legal Division, and the FDIC Board of Directors (Board). An oversight program will generally include monitoring of the third party's quality of service, risk management practices, financial condition, and applicable controls and reports. In addition, NASA considered internal capability when procuring a Critical Function, and CFPB ensured that Contracting Officers have appropriate backgrounds, such as Information Technology expertise for procured Information Technology services. Recommendation 6: Determine the contract structure during the solicitation and award process for the procurement of a Critical Function. Source: OIG analysis of identified best practices and the FDIC's policy and procedures. Appendix 2 contains a detailed description of the best practices related to procured Critical Functions. Further, the official stated that Blue Canopy complied with the FDIC's directives governing access to and operations at FDIC offices and facilities. The FDIC did not develop a management oversight strategy for Critical Functions obtained from Blue Canopy during the procurement planning process, as part of the procurement risk assessment. No FDIC Process for Identifying Critical Functions.
As part of the procurement risk assessment, include a cost effectiveness analysis. DOA will revise the APM and PGI to reflect any resulting process and control enhancements. NASA, USDA, and CFPB performed, or considered it a best practice to perform, strategic human capital planning. An Executive Agency is a Federal agency that is housed under the Executive Office of the President or one of the 15 Cabinet departments within the Executive Branch. As demonstrated by the FDIC and Blue Canopy's contractual relationship, the FDIC's acquisition and risk management processes did not identify the procurement risk of Critical Functions, nor did the FDIC heighten its management oversight for these procured services. The FDIC also did not identify the contract structure as recommended by best practices. While OMB Policy Letter 11-01 does not apply to FDIC procurements as a matter of law, the FDIC envisions developing (as an added component of our existing risk-based system) criteria for identifying a subset of contracts supporting essential FDIC functions or those that provide services in a business continuity event that will further enhance FDIC contract management consistent with the spirit of the Policy Letter. There are numerous risks that may arise from an agency's use of third parties, including performance, monetary, legal, and reputational risks. Conduct periodic reviews of controls and processes. Expected Completion Date: June 30, 2022; Monetary Benefits: $0; Resolved (Yes or No): No; Open or Closed: Closed. Federal agencies implemented heightened contract monitoring processes, such as identifying and monitoring for Critical Functions, developing a management oversight strategy, performing cost effectiveness analysis, determining contract structure and key provisions, and performing periodic reviews.
Footnote: 17 GAO Report, Best Practices Methodology: A New Approach for Improving Government Operations (GAO/NSIAD-95-154) (May 1995). USDA, CFPB, and OCC used, or considered it a best practice to have, contract provisions to specify the agency's rights and the contractor's obligations and responsibilities surrounding Critical Functions. Over a seven-and-a-half-year term, the contractors will help FDIC's Division of IT deal with operations and maintenance support of its infrastructure while the financial agency looks to improve "productivity and efficiencies to continue to mature between 2020 and 2027," says a new solicitation. Corrective Actions: The CIOO and the Acquisition Services Branch considered both internal controls and contractual requirements during acquisition planning for the subject BOAs and task orders and included them in the statement of work documents. According to the FDIC's Legal Division, OMB Policy Letter 11-01 does not directly apply to the Agency, but it may be used for guidance. Procedures, Guidance and Information (PGI). In particular, the FDIC should have a process for ensuring that specific expectations and obligations of both parties are outlined in a written contract prior to entering into the arrangement. According to this guidance, a "[r]isk assessment is fundamental to the initial decision of whether or not to enter into a third-party relationship."
o Contract Oversight Management (EVAL-20-001), October 28, 2019;
o The FDIC's Receivership Basic Ordering Agreements for Business Process Operations Services (AUD-14-006), March 31, 2014;
o Security Configuration Management of the Windows Server Operating System (AUD-19-004), January 16, 2019; and
Based on its study, the FDIC will provide guidance to divisions and offices for assessing the potential for contractor overreliance and maintaining federal control of essential functions or those necessary during a business continuity event. The FDIC is an independent federal agency with a mission of maintaining stability and public confidence in the nation's financial system by insuring bank deposits, examining and supervising financial institutions for safety and soundness and consumer protection, making large and complex financial institutions resolvable, and managing receiverships. A risk management process would identify, measure, monitor, report, and mitigate the operational and procurement risks for acquired Critical Functions. Those procedures shall be reviewed by agency management no less than every two years. In addition, agencies should periodically evaluate the effectiveness of their internal management controls for reserving work for Federal employees and identify any material weaknesses. The OMB policy letter also states that "[a]gencies should review, on an ongoing basis, the functions being performed by their contractors, paying particular attention to the way in which contractors are performing, and agency personnel are managing, contracts involving critical functions. These reviews should be conducted in connection with the development and analysis of inventories of service contracts." In addition, the OMB policy letter states that if the agency determines that internal control of its mission and operations is at risk due to over-reliance on contractors to perform critical functions, requiring activities should work with their human capital office to develop and execute a hiring and/or development plan. Specifically, the FDIC did not discuss with the Board its procurement risk assessment, management oversight strategy, contract structuring, and ongoing monitoring reports for the procured Critical Functions.
Program Office and Contracting Officer jointly develop acquisition plan. The FDIC Risk Inventory acknowledged the risks associated with these cybersecurity and privacy support services, including a potential cyber-attack on the FDIC's systems and a security incident involving Personally Identifiable Information. The FDIC relies on contractors to support a range of activities from janitorial to Information Technology support services. In particular, the guidance states that "[a]fter selecting a third party, management should ensure that the specific expectations and obligations of both the financial institution and the third party are outlined in a written contract prior to entering into the arrangement." The FDIC relies on the results of security control assessments to identify security weaknesses and inform key risk management decisions. Within this report, the OIG recommended that the FDIC "[e]stablish requirements to ensure the independence of security control assessors." Recommendation 13: Report to the Board about the Award Profile Reports and corresponding status reports for procured Critical Functions during the contract management phase of the acquisition process on an individual and aggregate contract basis, for its consideration. Program Office identifies contracting need.
The guidance provides, in part, the following topics that should be considered as a contract is structured, with the applicability of each dependent upon the nature and significance of the third-party relationship: scope (rights/responsibilities of each party), cost/compensation, performance standards, reports (types and frequency of management information), audit (of contractor), confidentiality and security (prohibit contractor from using or disclosing agency's information), customer complaints, business resumption and contingency plans, default and termination (of contractor), dispute resolution, ownership and license, indemnification, and limits on liability. The FDIC and Blue Canopy's contractual arrangement supported the FDIC's internal annual self-assessment, as required by FISMA. The contract should define key contract terminology and incorporate key provisions necessary to mitigate the risk associated with procuring Critical Functions. Existing Acquisition Procedures for Contract Planning, Oversight, and Reporting. For example, according to the FDIC's Financial Institution Letter, Third-Party Risk: Guidance for Managing Third-Party Risk (FIL-44-2008) (June 2008), "[t]here are numerous risks that may arise from use of third parties." One contractor, The Blue Canopy Group, LLC (Blue Canopy), performed services in support of the FDIC's information security and privacy program. The FDIC has also recently implemented new acquisition initiatives to further improve vendor management and contract oversight, and to reduce the number of non-competitive awards.
Footnote: 3 An agency may be deemed over-reliant on a service provider if it does not have the capacity (number of Federal employees) and capability (Federal employees with appropriate training, experience, and expertise) to understand the agency's requirements, formulate alternatives, manage the work product, monitor the contractors used to support the Federal workforce, and adequately mitigate the potential impact on mission performance if contractors were to default on their obligations. Agencies should consider internal controls such as approval authorities, segregation of duties, and independence and non-conflict of interest standards. For this report, risks must be considered in regard to procurement operations and IT services for Critical Functions. Figure 6: Best Practices for FDIC Board Reporting. Although the contracts required Blue Canopy to submit certain management reports, the contracts did not require Blue Canopy to submit financial reports, audit reports, security reports, business resumption testing reports, and exception-based reports of Blue Canopy's operations. [Figure: FDIC Total Awards by Socio-Economic Categories, January 1 - December 31, 2022. Bar chart with a dollar axis from $0 to $300 and two series, Percent of Total FDIC Awards and Other Agencies' Percentage, across the categories 8(a), HUBZone, Veteran Owned, Service Disabled Veteran Owned, Women Owned, Small Disadvantaged, Minority Owned, and MWOB; bar values as printed: $281.1, $197.6, $139.4, $104.3, $49.1, $8.3, $2.3, $0.5.] Recommendation 3: Assess whether the FDIC's Enterprise Risk Management program should identify the impact of procured Critical Functions, and procurement risk related to contractors performing Critical Functions, within the FDIC's Risk Inventory. As such, we have concurred or partially concurred with all of the OIG recommendations. The Program Office is responsible for determining its procurement needs and initiating the acquisition process by submitting a procurement request to DOA's ASB.
The third party should have appropriate protections for backing up information and also maintain disaster recovery and contingency plans with sufficiently detailed operating procedures. In particular, the official stated that the IGCE included a comparison of the costs to conduct the planned activities internally against the cost for a vendor(s) to perform those same activities. Sources identifying this item: OMB, GAO, Industry Standard, and Select Federal Agencies. OMB Guidance. Combined with the SLAs, performance metrics, incentives, and penalties, the FDIC has also assigned an experienced oversight manager and a team of technical monitors that have the capacity and capability to oversee these vendors properly and mitigate any risk to FDIC operations associated with inadequate vendor performance. 7) Revise the management oversight strategy for the procured Critical Functions performed under the BOAs for Managed Security Services Provider and Security and Privacy Professional Services to ensure that the strategy aligns with best practices. In its response, the FDIC stated that it is committed to continually improving its contracting processes and controls. Corrective Action: The FDIC currently considers the appropriate contract structure based on the goods or services being procured and any associated risks for all contracts during acquisition planning. A risk/reward analysis should be performed for significant matters, comparing the proposed third-party relationship to other methods of performing the activity or product offering, including the use of other vendors or performing the function in-house. A breach or disruption in these services could impact the security, confidentiality, integrity, and availability of FDIC information.
Recommendation 9: Implement periodic reviews for procured Critical Functions, including for the BOAs and task orders for Managed Security Services Provider and Security and Privacy Professional Services. The APM and implementing Acquisition Procedures, Guidance, and Information (PGI) address planning considerations for contracts considered essential in the event of an emergency or business continuity event and delineate risks associated with such procurements. OMB Policy Letter 11-01 advises certain agencies that they should ensure that Federal employees perform and/or manage Critical Functions to the extent necessary for the agency to operate effectively and maintain control of its mission and operations. Program Office conducts market research. In response to this risk, in September 2011, the Office of Management and Budget (OMB) provided guidance in OMB Policy Letter 11-01 on managing the performance of Inherently Governmental Functions and Critical Functions in order to ensure that government action is taken as a result of informed, independent judgments made by government officials. In addition, OMB Policy Letter 11-01 defined a Critical Function as a function that is necessary to the agency being able to effectively perform and maintain control of its mission and operations. The GAO report, DHS Service Contracts: Increased Oversight Needed to Reduce the Risk Associated with Contractors Performing Certain Functions (GAO-20-417) (May 2020), found, in part, that DHS did not consistently plan for the level of Federal oversight needed for certain contracts because there was no guidance on how to document and update the number of Federal personnel needed to conduct oversight. As the OIG acknowledged in its draft report, OMB Policy Letter 11-01 does not apply to the FDIC.
In addition, GSA, NASA, USDA, DOE, OCC, NCUA, and CFPB have procedures to oversee the contractor's performance and their own personnel's oversight of a contractor. Footnote: 19 Our interviews at other Federal agencies included the National Credit Union Administration (NCUA), Consumer Financial Protection Bureau (CFPB), Office of the Comptroller of the Currency (OCC), Federal Reserve Board of Governors (FRB), the OMB, General Services Administration (GSA), National Aeronautics and Space Administration (NASA), Department of Agriculture (USDA), and Department of Energy (DOE). Management concurs with the recommendation, and the planned, ongoing, and completed corrective action is consistent with the recommendation; or, 2. Phase 3: Contract Management - Program Office and DOA Acquisition Services Branch perform periodic reviews of controls and processes and take corrective measures to address (or mitigate the potential risk of) instances of contractor overreliance for a Critical Function, as necessary. According to the GAO, the use of a contractor poses a risk of fraud, waste, and abuse. To report allegations of waste, fraud, abuse, or misconduct regarding FDIC programs, employees, contractors, or contracts, please contact us via our Hotline or call 1-800-964-FDIC. Estimated Completion Date: The guidance issued to Divisions/Offices for the 2021 budget year will include contract oversight as a workload driver.
In this case, the FDIC terminated the service provider's contract because of the provider's bankruptcy. As a result of the service provider's failure, the FDIC compressed the procurement planning and solicitation and award processes, and Blue Canopy assumed the previous contract and began providing support services to the FDIC in May 2009, 3 months after the company's failure. In addition to having limited time to find a replacement contractor, the company's distressed financial condition and ultimate bankruptcy could have impaired or compromised the quality of services provided over an extended period of time as the contractor's senior management and employees focused on their company's financial turmoil at the expense of the services provided.

Table: Procured Functions Performed by Blue Canopy Compared with NIST Guidance (row 1 and the function name for row 2 are not captured on this page)
Row | Procured Function | National Institute of Standards and Technology Guidance | Identified as a Critical Function (Yes/No)
2 | (not captured) | RA-5 Vulnerability Monitoring and Scanning; Assessment, Authorization, and Monitoring (CA)-5 Plan of Action and Milestones; Program Management (PM)-4 Plan of Action and Milestones Process; PM-6 Information Security Measures of Performance; PM-9 Risk Management Strategy | Yes
3 | Technical Security Assessment | RA-5 Vulnerability Monitoring and Scanning | Yes
4 | Vulnerability Management | RA-5 Vulnerability Monitoring and Scanning | Yes
5 | Continuous Controls Assessment Program | CA-2 Control Assessments; Configuration Management (CM)-4 Impact Analyses | Yes
6 | Privacy Program | PM-18 Privacy Program Plan | Yes
7 | Testing of Internal Controls | CA-2 Control Assessments | Yes
Source: OIG analysis of FDIC's procured services from Blue Canopy against NIST guidance.

Such an approach reduces the chances of the FDIC being overly reliant on an individual vendor. Previously, we found that the FDIC had hired Blue Canopy to assess the same IT security controls that it had designed and executed. Our evaluation assessed whether Blue Canopy performed Critical Functions as determined by OMB Policy Letter 11-01 and best practices; and if so, whether the FDIC retained sufficient management oversight of Blue Canopy to maintain control of its mission and operations in accordance with best practices. o Perform Periodic Reviews. Examples of Personally Identifiable Information include an individual's full name, Social Security Number, driver's license, medical information, or home telephone number. In addition, routine reviews ensure that both contractor and agency staff know their roles and responsibilities in the event of an unexpected incident, and validate the planned response. The Board should be involved in reviewing management's risk assessment, contract structuring, and monitoring reports for procured Critical Functions on an individual and aggregate basis. This will help ensure that the FDIC "integrates [Enterprise Risk Management] into its culture, practices, and capabilities so that risks across the enterprise are considered and prioritized as part of operations support, program management, budget decisions, and strategic planning. Having well-defined authorities, roles, and responsibilities for [Enterprise Risk Management] will help to ensure that the range of risks facing the Agency and banking sector are properly identified." Footnote: 27 Corrective Measures.
Corrective Action: The existing management oversight strategy for the subject BOAs and task orders includes performance criteria, internal controls, reporting, and contractual requirements that were established during acquisition planning and are detailed in statement of work documents. The FDIC's acquisition process is divided into four phases: (1) Procurement Planning; (2) Solicitation and Award; (3) Contract Management; and (4) Closeout Award. Corrective Action: The FDIC includes significant information regarding acquisition strategy, contract oversight and performance measures, and other controls in current board cases for contracts or BOAs over $20 million. Best practices recommend that an agency implement heightened contract monitoring for procured Critical Functions, and identify and control risks. Additionally, according to best practices, the plans and testing reports should be reviewed on a routine, ongoing (proactive) basis, rather than waiting for and reacting to an unexpected event. However, there was no indication that the CIOO reassessed the reports during the course of the 7-year performance of these contracts. Footnote: 37 A Contract Management Plan is a plan developed by the Contracting Officer and the Oversight Manager that documents the joint administration approach to performing oversight activities for complex contracts for services. As a result, the FDIC also did not implement heightened contract monitoring activities for Critical Functions as stated in OMB's Policy Letter 11-01, and best practices identified and used by other government agencies. When procuring Critical Functions, agencies considered strategic human capital planning, analyzing agency staff resources, internal capability and capacity, and cost. Further, the FDIC's Risk Inventory did not recognize the specific risks related to Blue Canopy performing such a large percentage of the FDIC's IT security budget.
The Guide provides tools for implementing the IT acquisition life cycle, with objectives to: develop scalable solutions that promote competition; deliver fast, reliable, responsive, and innovative services; The FDIC has also established a 2021 corporate performance goal and interdivisional work team to strengthen our contract oversight management program by increasing the independence and professionalism of our oversight managers and technical monitors. As an independent agency, the FDIC routinely looks to the practices of agencies governed by the Federal Acquisition Regulation (FAR), other (non-FAR-based) independent agencies, and private business to inform its acquisition policies. Figure 3 illustrates the best practices for performing a procurement risk assessment during the FDIC's acquisition process. For example, CFPB, DOE, and NASA rely upon their annual inventory of service contracts to identify, monitor, and report on procured Critical Functions. Incorporate the provisions of OMB Policy Letter 11-01 guidance into the FDIC Acquisition Policy Manual (August 2008) and Acquisition Procedures, Guidance and Information document (January 2020). Corrective Actions: Existing acquisition processes and procedures help limit the likelihood of such an occurrence; however, the FDIC will examine whether additional controls are necessary in conjunction with the study and actions described in our response to Recommendation 1. We found that the FDIC did not have policies and procedures for identifying Critical Functions in its contracts, as recommended by the best practices in OMB Policy Letter 11-01 and embodied in industry standards.
Phase 3: Contract Management - Program Office and DOA Acquisition Services Branch report to the FDIC Board on the results of ongoing monitoring reports and planned corrective measures to address (or mitigate the potential risk of) instances of contractor overreliance for Critical Functions, as necessary. Due to the dollar value of these procurements, the FDIC submitted and briefed a Board Case to the FDIC Board of Directors to receive authority to award the contracts. In particular, Federal employees must be able to understand the agency's requirements, formulate alternatives, manage the work product, monitor the contractors used to support the Federal workforce, and adequately mitigate the potential impact on mission performance if contractors were to default on their obligations. Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. In particular, an over-reliance assessment should be performed regularly, on an independent basis, to validate the agency's compliance with and the effectiveness of established controls. 4) Conduct a procurement risk assessment for Critical Functions during the procurement planning process, for each contract involving Critical Functions.
