The OIG's mission is to prevent, deter, and detect waste, fraud, abuse, and misconduct in FDIC programs and operations, and to promote economy, efficiency, and effectiveness at the agency. The OIG evaluated two FDIC procurements with Blue Canopy Group, LLC (Blue Canopy) against provisions of OMB Policy Letter 11-01, Performance of Inherently Governmental and Critical Functions (September 12, 2011). We note that the definition of a Critical Function in OMB Policy Letter 11-01 is similar to the definition of an Essential Function found in the FDIC's Continuity of Operations Program.1 It is also similar to the definition of Critical Functions in the FDIC Chief Information Officer Organization Business Continuity Plan (January 2019), which are defined as business activities or information that could not be interrupted or unavailable for several business days without significantly jeopardizing operation of the organization. For purposes of this report, we use the term and definition of Critical Function from OMB Policy Letter 11-01, which is widely accepted across the Federal government. The OIG made 13 recommendations aimed at having the FDIC incorporate provisions of OMB Policy Letter 11-01 into the FDIC's policies and procedures, identify Critical Functions during the procurement process, and implement heightened contract monitoring for Critical Functions. The FDIC responded that, while OMB Policy Letter 11-01 is inapplicable to the FDIC as a matter of law, the FDIC's risk-based acquisition procedures address virtually all of the control factors listed in the Policy Letter and many of these controls were in place for the Blue Canopy contracts. Due to the dollar value of these procurements, the FDIC submitted and briefed a Board Case to the FDIC Board of Directors to receive authority to award the contracts.
Blue Canopy Group, LLC (Blue Canopy) performed a range of cybersecurity and privacy support services for the FDIC. Footnote: 9 The OCISO's mission is to develop and maintain Agency-wide information security and privacy programs that support the mission of the FDIC. While engaging another entity may assist management and the board in achieving strategic goals, such an arrangement reduces management's direct control and introduces risks. As part of a risk assessment, the institution should analyze the benefits and costs associated with the proposed relationship. In particular, having a business continuity plan in place and testing it helps to continuously improve an organization's ability to successfully recover from various scenarios, whether it be a natural disaster, pandemic, or communications failure. For example, as noted above, Federal agencies implemented heightened contract monitoring, such as: o Determine Contract Structure. To assist in performing oversight activities for complex contracts for services, the oversight manager must work with the contracting officer to develop a contract management plan. Contractor performance evaluations must be completed annually for each award, regardless of dollar value, and at the end of the contract. Perform a procurement risk assessment. Ongoing efforts to improve the FDIC's acquisition services and oversight management programs will incorporate additional structure and discipline around certain contracts that support essential functions or involve services needed in a business continuity event, consistent with the recommendations in the OIG report.
The FDIC's contract Award Values for these services increased from the initial modified Award Value of $27.6 million to $56.3 million, and then to $101.3 million, a total increase of 267 percent (($101.3 million - $27.6 million) / $27.6 million). In August 2017, a former FDIC senior executive expressed concern with the FDIC's contractual relationship with, and over-reliance on, Blue Canopy. Title III of the E-Government Act, entitled the Federal Information Security Management Act of 2002, requires each Federal agency to develop, document, and implement an agency-wide program to provide information security for the information and systems that support the operations and assets of the agency. According to the FDIC's Legal Division, OMB Policy Letter 11-01 does not directly apply to the Agency, but it may be used for guidance. The FDIC also did not document a cost effectiveness analysis, as recommended by best practices. For example, if not managed and supervised prudently, the agency may: Footnote: 1 According to FDIC Directive 1500.6, Continuity of Operations (COOP) Program (November 2019), Essential Functions are a subset of government functions that are determined to be critical activities. Without a process for identifying planned and procured Critical Functions, the FDIC cannot ensure that it will take appropriate actions based on informed, independent. Such an approach reduces the chances of the FDIC being overly reliant on an individual vendor. In its response, the FDIC stated that it is committed to continually improving its contracting processes and controls.
To resolve these 12 recommendations, we would expect the FDIC to provide a clear indication of the specific actions within the next 6 months, and we will determine at that time whether the recommendations may be converted to resolved or whether they will remain unresolved. For the 12 unresolved recommendations, the FDIC plans to consider and further study the issues and does not intend to implement corrective actions for another year (between March 31 and June 30, 2022). o Comparing and contrasting DOA, CIOO, and Legal Division policies and procedures related to procurement management and oversight activities against the best practices the OIG identified. In order to implement heightened management oversight, the FDIC needs to (1) identify the risk in a risk assessment; (2) identify the control(s) needed to oversee the contractor within a management oversight strategy; (3) establish the control(s) and a process for reviewing the control(s) within the contract structure; (4) implement the control(s) during the management oversight process; and (5) periodically review the FDIC's and the contractor's performance in implementing the control(s). Business Resumption and Contingency Plans.35 As part of the procurement risk assessment, or as a separate management oversight strategy, an agency should identify the contract structure and key contract provisions, such as the review and testing of business resumption and contingency plans.
The official also stated that, in conjunction with the IGCE, the CIOO conducted an analysis to determine whether the FDIC's costs associated with Information Security and Privacy support services were in line with those of other Federal agencies. The FDIC's acquisition procedures and practices are also consistent with the FDIC Financial Institution Letter (FIL), Guidance for Managing Third-Party Risk (FIL-44-2008), which the OIG also used as criteria for the evaluation. Rec. No. 3; Corrective Action Taken or Planned: The FDIC will review its risk inventory and conduct an assessment to determine if the current risk inventory sufficiently addresses the underlying risks presented in the OIG's report, irrespective of the specific use of the term Critical Function; Expected Completion Date: May 31, 2021; Monetary Benefits: $0; Resolved (a): Yes; Open or Closed (b): Closed. Corrective Action: Existing acquisition planning procedures require consideration and discussion of risks associated with all procurements. Neither the Board Case Package nor the Board meeting minutes reflected that the FDIC discussed with the Board its procurement risk assessment and management oversight strategy, planned contract structuring, and ongoing monitoring controls and reports for the procured Critical Functions. The guidance stated: "While identifying and understanding the risks associated with the third party is critical at the outset, the long-term management of the relationship is vital to success." In addition, the guidance noted that "[t]he extent of oversight of a particular third-party relationship will depend upon the potential risks and the scope and magnitude of the arrangement."
As discussed above, however, the FDIC's IGCE did not include the scope and methodology, analyses (both quantitative and qualitative), conclusions, and rationale for the Agency's final procurement decision, as suggested by best practices. As part of the procurement risk assessment, include a cost effectiveness analysis. Corrective Action: In addition to current practices, the FDIC plans to further address this recommendation through the study and actions described in our response to Recommendation 1. Figure 1: The FDIC's Existing Acquisition Process. Solicitation and Award: Program Office, DOA Acquisition Services Branch, and Legal Division identify the Critical Function within solicitation and award documents. By May 2021, the FDIC expects to transition information security and privacy program services to multiple service providers by awarding additional task orders under the BOAs. The OIG report, The FDIC's Implementation of Enterprise Risk Management (EVAL-20-005) (July 2020), assessed the FDIC's implementation of Enterprise Risk Management against relevant criteria and best practices.
In addition, agencies developed an exit strategy from the contractual arrangement and/or described that they would take the following actions if it was determined that the agency was over-reliant on contractors to perform Critical Functions: (1) review and adjust what the contractor accomplishes for the agency; (2) reassess human capital needs (staff and funding) and make Full Time Employee adjustments; (3) in-source the function; (4) review the contracting process from beginning to end to understand how the agency lost control (retrospective review of the contracting process); and (5) reestablish controls over contractor responsibilities (by strengthening oversight, insourcing the work through the timely development and execution of hiring plans, refraining from exercising options under the contract, or terminating all or part of the contract). The FDIC recently competitively awarded seven task orders under the SPPS BOAs, resulting in awards to five different vendors. Footnote: 28 According to the FDIC's Acquisition Procedures, Guidance and Information (January 2020), the Independent Government Cost Estimate is the FDIC's estimated cost for the acquisition. Accessibility features, such as descriptions of tables, footnotes, and the text of the Corporation's comments, are provided but may not exactly duplicate the presentation or format of the printed version. OMB Policy Letter 11-01 states: "Typically, critical functions are recurring and long-term in duration." For example, as noted above, Federal agencies implemented heightened contract monitoring, such as: o Perform a Cost Effectiveness Analysis. In June 2014, the FDIC Board of Directors authorized senior management to contract for services in support of the information security and privacy program and to increase the prior contract ceiling.
Rec. No. 12; Corrective Action Taken or Planned: The FDIC will consider additional reporting requirements related to contracts for essential functions or for services necessary during a business continuity event, including where such functions are performed by a single vendor, in conjunction with the study and actions described in response to Recommendation 1; Expected Completion Date: March 31, 2022; Monetary Benefits: $0; Resolved (a): No; Open or Closed (b): Closed. The failure to establish or maintain a proper control environment jeopardizes the reasonable assurance that an entity's objectives will be achieved, and may affect the ability of an entity to maintain control of its mission and operations. Division and office directors are responsible for determining their human resource needs, using contractors appropriately, and maintaining control of their respective mission and operational responsibilities. o Become over-reliant on a third-party contractor to achieve its mission and conduct operations;3 Finally, when evaluating quotations from firms, cost is not the only factor that the FDIC considers. Risks are identified from various sources and are captured in the risk inventory. Footnote: 23 According to the FDIC's Enterprise Risk Management Standard Operating Procedure (May 2020), Residual Risk is the exposure remaining from an inherent risk after action has been taken to manage it. According to the FDIC Legal Division, the FDIC does not fall within the definition of "executive agency" in the [Office of Federal Procurement Policy] Act. Federal agencies implemented heightened contract monitoring processes, such as identifying and monitoring for Critical Functions, developing a management oversight strategy, performing a cost effectiveness analysis, determining contract structure and key provisions, and performing periodic reviews.
Footnote: 7 The Technical Monitor is responsible for assisting the Oversight Manager in monitoring and evaluating contractor performance under an FDIC contract. Recommendation 5: Develop and implement a management oversight strategy for Critical Functions during the procurement planning process, for each contract involving Critical Functions. Best Practices for Performing a Procurement Risk Assessment. While the Award Profile Reports described the procured services, assessed contractor performance, tracked fund utilization/allocation, and assessed FDIC contract oversight, the FDIC did not identify Blue Canopy's procured services as Critical Functions. Best practices recommend that contractors have business resumption and contingency plans in place and tested; identified weaknesses should be documented and promptly addressed. The contractor successfully performed all required tasks under both contracts, and received excellent and outstanding ratings in annual performance reviews, with the exception of one good rating on one contract for one rating period. Appendix 6: Summary of the FDIC's Corrective Actions. Agencies need to establish a proper internal control environment to oversee and maintain control of their operations. Identify Critical Functions during the procurement planning, award, and contract management phases of the acquisition process.