FDIC contract awards 2021

The FDIC develops detailed board cases for individual procurements exceeding $20 million that discuss procurement costs, benefits, alternatives considered, management oversight strategy, and other information. Program Office identifies contracting need. While the Award Profile Reports described the procured services, assessed contractor performance, tracked fund utilization/allocation, and assessed FDIC contract oversight, the FDIC did not identify Blue Canopy's procured services as Critical Functions. FDIC Contract Portfolio Pricing Arrangements. Following the FDIC's study discussed in response to recommendation 1, the CIOO will assess whether any additional enhancements to the management oversight strategy for the MSSP and SPPS BOAs and task orders are needed beyond those already incorporated. The evaluation's scope included our review of Blue Canopy's two existing contracts with the FDIC's Chief Information Officer Organization to determine if Blue Canopy performed Critical Functions within the FDIC's operations; and, if so, whether the FDIC sufficiently oversaw Blue Canopy to maintain control of the Agency's mission and operations. Typically, critical functions are recurring and long-term in duration. [Figure: FDIC Total Awards by Socio Economic Categories, January 1 - December 31, 2022] Corrective Measures. However, we found that the Agency did not document and present to the Board a complete cost effectiveness analysis that evaluated whether a Critical Function should be procured or performed internally. 
GAO also found that DHS personnel did not identify specific oversight activities they conducted to mitigate the risk of contractors performing functions in a way that could become inherently governmental. Implement periodic reviews for procured Critical Functions, including for the BOAs and task orders for Managed Security Services Provider and Security and Privacy Professional Services. Contractor performance evaluations must be completed annually for each award, regardless of dollar value, and at the end of the contract. DOD's policies and procedures predated the publication of this requirement, and consequently contained no reference to it. Without the identification of procured Critical Functions and its associated risk, the FDIC may not accurately capture and assess the Agency's inherent and residual risk related to its contracts and contractors. The FDIC also did not identify the contract structure as recommended by best practices. OMB Policy Letter 11-01 provides guidance on managing the performance of Inherently Governmental and Critical Functions. Both the Managed Security Services Provider (MSSP) and SPPS BOAs include incentives for vendors to provide superior performance. The FDIC is committed to continually improving its processes and controls and will: (1) survey recognized practices and procedures associated with contracts supporting essential functions or those involving services necessary in a business continuity event, particularly when those contracts are performed by a single vendor; and (2) incorporate enhancements to our existing acquisition planning, approval, reporting, and oversight processes, as warranted by our unique operational needs and management structure. Results of oversight activities for material third-party arrangements should be periodically reported to the board of directors or designated committee. 
However, the FDIC did not make the determination that Blue Canopy provided essential or critical services, even though the Agency dedicated more than 38 percent of its IT security budget to Blue Canopy services. Blue Canopy was also assigned duties related to design and/or execution of these controls. The FDIC began working with Blue Canopy in May 2009 when the FDIC's CIOO, Office of the Chief Information Security Officer (OCISO), and DOA, procured the services of Blue Canopy to provide Information Security Support Services to the FDIC after the initial contractor filed for bankruptcy. Ultimately, as recommended by best practices, a complete cost effectiveness analysis for Critical Functions, clear and distinct from the IGCE, should be performed and presented to the Board for its review and consideration. Each quarter, the FDIC provides a contract-specific report to the Board of Directors for complex contracts over $5 million and for all contracts over $20 million. Specifically, the FDIC did not discuss with the Board its procurement risk assessment, management oversight strategy, contract structuring, and ongoing monitoring reports for the procured Critical Functions. The company filed for bankruptcy with approximately $2.23 billion in total debt and approximately $1.76 billion in total assets as of September 2008. For example, as noted above, the following agencies noted heightened contracting monitoring, such as: Develop a Management Oversight Strategy. Ultimately, absent specific policies and procedures on this process, DOD may lack assurance that it retains enough government employees to maintain control over these important functions. 
Moreover, the FDIC determined, in advance of the 2019 contract modifications to increase the contract ceiling on both Blue Canopy contracts, that a new competitive, multi-vendor acquisition strategy should be put in place for the services. According to the FDIC's Financial Institution Letter titled Third-Party Risk Guidance for Managing Third-Party Risk (FIL-44-2008) (June 2008), the key to the effective use of a third party in any capacity is for management to appropriately assess, measure, monitor, and control the risks associated with the relationship. The FDIC's OCISO and DOA submitted to the Board, through its established procurement process, a Board Case Package and Award Profile Reports. These documents, however, did not identify the procured services that were Critical Functions nor did they present the planned or implemented heightened oversight management activities for the Critical Function procurements. As a result, the FDIC also did not implement heightened contract monitoring activities for Critical Functions as stated in OMB's Policy Letter 11-01, and best practices identified and used by other government agencies. As part of the FDIC's Enterprise Risk Management program, after the Divisions and Offices identify their risks, they assess the likelihood of those risks occurring on both an inherent and a residual basis. The FDIC response further disagreed that the weaknesses identified in our prior OIG report regarding the Security Configuration Management of the Windows Server Operating System represent[ed] a failure on the FDIC's part to maintain control of its operations. We note that the FDIC previously recognized the problem and took remedial actions to address the independence concern identified in the prior OIG report. Appendix 2 Identified Best Practices and Their Sources. The FDIC Did Not Conduct Periodic Reviews of Controls and Processes for Critical Functions. 
As noted previously, in October 2019, the FDIC changed its procurement strategy for these Critical Functions from two contracts to two BOAs and included multiple service providers on the BOAs. Information Technology services at the FDIC have been identified as critical to the FDIC operations in numerous documents, including the FDIC's 2019 Annual Report, Enterprise Risk Management Risk Inventory, and National Institute of Standards and Technology (NIST) guidance. We expect the guidance to . In addition, the GAO's Standards for Internal Control in the Federal Government, (GAO-14-704G) (September 2014), states that agencies should implement internal control standards and activities to achieve agency objectives and respond to risks, and should implement these activities through policies. However, while Blue Canopy operated within the FDIC's information systems and facilities, the value that Blue Canopy provided was in its human capital. No. Agencies ensured that statements of work recognize the procurement of Critical Functions, and management considered (or, considered as a best practice) contract provisions that specify the agency's rights and the contractor's obligations and responsibilities, including, but not limited to, provisions that address contractor performance, financial condition, emergency preparedness, corrective measures to regain/maintain control, and transfer/transition to another entity. FDIC will consider and further study potential methodologies for assessing contractor overreliance, including how other agencies make such determinations. The Program Office is also responsible for nominating the Oversight Manager and Technical Monitor(s). 
As it relates to contract structure, the APM states that the contracting officer must select the type of contract and pricing arrangement that represents the most prudent and reasonable relationship with the contractor and minimizes cost and other risks to the FDIC. The Contractor shall provide the necessary qualified personnel and all materials to assist FDIC in conducting the Bidder Qualification process, including, but not limited to the comprehensive review and analysis of potential bidders' Qualification Applications in order to assess the bidder's financial capability and the bidder's experience as an The services provided under this contract included an annual technical security assessment, vulnerability management, annual Federal Information Security Modernization Act of 2014 (FISMA) self-assessment, continuous controls assessment, privacy program (support services), security engineering and technical assistance, and internal controls. Requiring activities should also work with the acquisition office to address the handling of ongoing contracts and the budget and finance offices to secure the necessary funding to support the needed in-house capacity. Figure 5: Best Practices for Conducting Periodic Reviews of Controls and Processes. NASA, USDA, and DOE performed, or considered it a best practice to perform, a cost effectiveness analysis. Our methodology relied on identifying best practices from various reputable sources, including OMB Policy Letter 11-01, GAO reports, industry standards, and other Federal agencies, and comparing the FDIC's acquisition process with these best practices. 
The FDIC implemented its established procurement process, but that process did not include an analysis of the underlying services in order to identify the risks and to determine the need for heightened oversight procedures and controls for the procured Critical Functions. In applying acquisition policies and guidance, the FDIC takes a risk-based approach that may apportion greater responsibility to contractors when requirements are well understood, less sensitive, or less likely to change over time.
