Procured Critical Functions Not on FDIC Risk Inventory. The FDIC also did not document a cost effectiveness analysis, as recommended by best practices. OIGs use evaluations to determine the efficiency, effectiveness, impact, and sustainability of operations, programs, or policies. Footnote: 11 The FDIC Division of Resolutions and Receiverships (DRR) also has a contract with Blue Canopy for an approximate Award Value of $1 million, and a 5-year term. Proposals reviewed by Contracting Officer and Technical Panel. Federal employees must be able to understand the agency's requirements, formulate alternatives, manage the work product, monitor the contractors used to support the Federal workforce, and adequately mitigate the potential impact on mission performance if contractors were to default on their obligations. For example, as noted above, the following agencies noted heightened contracting monitoring, such as: o Develop a Management Oversight Strategy. Based on our review, we found that the Blue Canopy contracts provided limited coverage of the contractor's obligations and responsibilities for the following:30 Blue Canopy performed Critical Functions as determined by OMB Policy Letter 11-01 and best practices; and. The OIG's mission is to prevent, deter, and detect waste, fraud, abuse, and misconduct in FDIC programs and operations; and to promote economy, efficiency, and effectiveness at the agency. (2) Information Security and Privacy Support Services for outsourced functions. The GAO report, Human Capital: Additional Steps Needed to Help Determine the Right Size and Composition of DOD's Total Workforce (GAO-13-470) (May 2013), found, in part, that DOD's current policies did not fully reflect federal policy concerning the identification of Critical Functions. According to NIST guidance, this arrangement limited the firm's independence and impaired the firm's ability to conduct impartial security control assessments.
We made 13 recommendations to the FDIC's Deputy to the Chairman and Chief Operating Officer. These periodic reviews should be focused on targeted controls or areas of performance (such as personnel performance or human capital planning), and/or performed more broadly (such as a contractor over-reliance assessment). In order to answer our objectives, we reviewed Blue Canopy's two existing contracts, as of May 2020,5 with the FDIC's Chief Information Officer Organization (CIOO), and the FDIC's acquisition process to identify and manage procured Critical Functions. Corrective Action: Existing acquisition planning procedures require consideration and discussion of risks associated with all procurements. Report to the Board planned and procured Critical Functions on an individual and aggregate basis. Fail to control the agency's mission and operations; Compromise trust (or data) by failing to exercise due care in establishing appropriate controls to protect sensitive information and to identify and mitigate data breaches. The FDIC Board of Directors. The Blue Canopy contracts provided that if the contractor "[I]s determined by the FDIC (at its sole discretion) to provide services essential or critical to the FDIC mission the contractor shall take immediate and effective measures to ensure the availability or use of back-up or redundant services and/or system(s) support to deal with such emergency." Row 1: ; Rec.
The OIG evaluated two FDIC procurements with Blue Canopy Group, LLC (Blue Canopy) against provisions of OMB Policy Letter 11-01, Performance of Inherently Governmental and Critical Functions, September 12, 2011. 1.405(b). The FDIC Did Not Develop a Management Oversight Strategy for Critical Functions. The objective of these reviews should address the controls' effectiveness in deterring or mitigating the agency's over-reliance on the contractor, and ensuring that the agency maintains control of its mission and operations. 800-53).
The OIG report, Contract Oversight Management (EVAL-20-001) (October 2019), noted that some CIOO Oversight Managers lacked the workload capacity to oversee contracts, and certain Oversight Managers were not properly trained or certified. The FDIC and Blue Canopy's contractual arrangement supported the FDIC's internal annual self-assessment, as required by FISMA. Agencies should consider internal controls such as approval authorities, segregation of duties, and independence and non-conflict of interest standards. Periodic reviews should determine if the agency needs to take corrective measures to address any over-reliance on contractors for Critical Functions.27 NASA, USDA, and CFPB performed, or considered it a best practice to perform, strategic human capital planning. Such an approach reduces the chances of the FDIC being overly reliant on an individual vendor.
Footnote: 7 The Technical Monitor is responsible for assisting the Oversight Manager in monitoring and evaluating contractor performance under an FDIC contract. However, in relation to overseeing contractors who perform Critical Functions on behalf of the FDIC, the Agency procedures fell short in several important respects, including with respect to conducting periodic reviews to assess for over-reliance on the contractor. Best practices recommend that an agency implement heightened contract monitoring for procured Critical Functions, and identify and control risks. The services provided under this contract included intrusion monitoring; incident investigation; event escalation; reporting; vulnerability research, analysis, and response; incident detection; incident response; and after-hours support. In particular, the official stated that the IGCE included a comparison of the costs to conduct the planned activities internally against the cost for a vendor(s) to perform those same activities. We found that the FDIC did not have policies and procedures for identifying Critical Functions in its contracts, as recommended by the best practices in OMB Policy Letter 11-01 and embodied in industry standards.
Procured Blue Canopy Services Deemed to Be Critical Functions of the FDIC, 1. Best Practices: 6. Footnote: * The FPDS-NG is the current central repository of information on Federal contracting. In 2009 and 2010, the services obtained were overseen by the FDIC's Division of Information Technology. However, the FDIC did not make the determination that Blue Canopy provided essential or critical services, even though the Agency dedicated more than 38 percent of its IT security budget to Blue Canopy services. However, we found that the Agency did not document and present to the Board a complete cost effectiveness analysis that evaluated whether a Critical Function should be procured or performed internally. No. Solicitation and Award: Program Office, DOA Acquisition Services Branch, and Legal Division identify the Critical Function within solicitation and award documents. Contracting Officer closes out contract. This table presents management's response to the recommendations in the report and the status of the recommendations as of the date of report issuance. The OCISO is comprised of four sections: Governance, Risk and Compliance; Privacy; Security Architecture; and Security Operations. While OMB Policy Letter 11-01 does not apply to FDIC procurements as a matter of law, the FDIC envisions developing (as an added component of our existing risk-based system) criteria for identifying a subset of contracts supporting essential FDIC functions or those that provide services in a business continuity event that will further enhance FDIC contract management consistent with the spirit of the Policy Letter. Industry Standard. However, if the agency cannot provide a sufficient number of knowledgeable staff to oversee the contracts, the contractors could inappropriately influence government decision-making.
Implement heightened contract monitoring processes for Critical Functions. Program Office. According to the GAO, best management practices "[R]efer to the processes, practices, and systems identified in public and private organizations that performed exceptionally well and are widely recognized as improving an organization's performance and efficiency in specific areas." No. Recommendation 6: Determine the contract structure during the solicitation and award process for the procurement of a Critical Function. We have maintained the structural and data integrity of the original printed product in this text file to the extent possible. National Institute of Standards and Technology Guidance. Footnote: 24 Personally Identifiable Information is any information about an individual that can be used to distinguish or trace that individual's identity, or any other personal information that is linked or linkable to that individual. Contract Planning. Ongoing efforts to improve the FDIC's acquisition services and oversight management programs will incorporate additional structure and discipline around certain contracts that support essential functions or involve services needed in a business continuity event, consistent with the recommendations in the OIG report. Procurement Planning - Program Office performs a procurement risk assessment for the planned acquisition of a Critical Function, which includes performing a cost effectiveness analysis. o The FDIC's Implementation of Enterprise Risk Management (EVAL-20-005) July 8, 2020. Following the FDIC's study discussed in response to recommendation 1, the CIOO will assess whether any additional enhancements to the management oversight strategy for the MSSP and SPPS BOAs and task orders are needed beyond those already incorporated. Although NCUA and CFPB did not have an explicit written policy, they noted the actions/procedures they would take to address an instance of contractor over-reliance.
Over a 4-year period (2015-2019), the FDIC's OCISO spent between 35 percent and 44 percent of its operating expenses annually on Blue Canopy services. These task orders will transfer work from the Blue Canopy contract in the first and second quarters of 2021. As the OIG acknowledged in its draft report, OMB Policy Letter 11-01 does not apply to the FDIC. DOA will revise the APM and PGI to reflect any resulting process and control enhancements. Identify missing or insufficient controls in the BOAs and task orders for Managed Security Services Provider and Security and Privacy Professional Services, and implement appropriate corrective actions or compensating controls. A prior OIG report, Security Configuration Management of the Windows Server Operating System (AUD-19-004) (January 2019), found that the FDIC tasked Blue Canopy with both designing security controls and assessing their effectiveness, which impaired the firm's ability to conduct an impartial assessment. The failure to establish or maintain a proper control environment jeopardizes the reasonable assurance that an entity's objectives will be achieved, and may affect the ability of an entity to maintain control of its mission and operations. In response to this risk, in September 2011, the Office of Management and Budget (OMB) provided guidance in OMB Policy Letter 11-01 on managing the performance of Inherently Governmental Functions and Critical Functions in order to ensure that government action is taken as a result of informed, independent judgments made by government officials. In addition, OMB Policy Letter 11-01 defined a Critical Function as a function "that is necessary to the agency being able to effectively perform and maintain control of its mission and operations."
In June 2014, the FDIC Board of Directors authorized senior management to contract for services in support of the information security and privacy program and to increase the prior contract ceiling. Requirements for contractors to have emergency plans for providing services to FDIC in the event of a disruption of normal operations, and participation in FDIC business continuity testing, training, and exercises. Further, the FDIC may not maintain control of its mission and operations, and may become over-reliant on contractors. The Board of Directors must approve all contract actions over $20 million. In addition, it should be noted that the OIG's findings and recommendations on the FDIC's procurement process for Critical Functions cover all such contracts and are not limited to the Blue Canopy contracts. Previously, we found that the FDIC had hired Blue Canopy to assess the same IT security controls that it had designed and executed. The FDIC documented and presented to the Board a qualitative justification for procuring Blue Canopy services. In fact, Blue Canopy services represented nearly 40 percent of the FDIC's annual operating expenses for Information Security ($42.3 million), and the FDIC did not have a sufficient process to identify these Critical Functions and implement heightened monitoring. 2) Identify Critical Functions during the procurement planning, award, and contract management phases of the acquisition process. The BOAs have a total Award Value of $398 million. Recommendation 1: Incorporate the provisions of OMB Policy Letter 11-01 guidance into the FDIC Acquisition Policy Manual (August 2008) and Acquisition Procedures, Guidance and Information document (January 2020). Recommendation 9: Implement periodic reviews for procured Critical Functions, including for the BOAs and task orders for Managed Security Services Provider and Security and Privacy Professional Services.
Footnote: 29 For Contract CORHQ-14-C-0778, the FDIC's IGCE estimated that it would cost $26,387,825 to procure the services from a third party versus the estimated cost of $23,834,747 to perform the services internally with Federal employees, a variance of $2,553,077. The FDIC provides the following response to the Office of Inspector General's (OIG) draft evaluation report titled, Critical Functions in FDIC Contracts, dated March 3, 2021. Footnote: 36 Security Configuration Management of the Windows Server Operating System (AUD-19-004) (January 2019). The FDIC has established risk-based processes and procedures to identify, monitor the performance of, and oversee all contracts, and is committed to improving performance in these areas. Rec. No.: 10; Corrective Action: Taken or Planned - The FDIC plans to address this recommendation through the study and actions described in its response to Recommendation 1.; Expected Completion Date: March 31, 2022; Monetary Benefits: $0; Resolved-a - Yes or No: No; Open or Closed-b: Closed; Row 11: ; Rec. In the OIG report, Contract Oversight Management (EVAL-20-001) (October 2019), the OIG reported concerns about CIOO contract oversight. Those procedures shall be reviewed by agency management no less than every two years.
In addition, agencies should periodically evaluate the effectiveness of their internal management controls for reserving work for Federal employees and identify any material weaknesses. The OMB policy letter also states that "[a]gencies should review, on an ongoing basis, the functions being performed by their contractors, paying particular attention to the way in which contractors are performing, and agency personnel are managing, contracts involving critical functions. These reviews should be conducted in connection with the development and analysis of inventories of service contracts." In addition, the OMB policy letter states that if the agency determines that internal control of its mission and operations is at risk due to over-reliance on contractors to perform critical functions, requiring activities should work with their human capital office to develop and execute a hiring and/or development plan. The controls and control enhancements within each family are in numerical order (e.g., IR-4 Incident Handling). In particular, Blue Canopy performed a range of cybersecurity and privacy support services for the FDIC, including continuous monitoring, vulnerability management, internal control reviews, and privacy assessments. (Appendix 3 describes the NIST guidance we identified related to procured Critical Functions.) Figure 2 illustrates the best practices for identifying planned and procured Critical Functions during the FDIC's acquisition process. According to the Board memorandum, Request for Authority to Contract for Services in Support of the Information Security and Privacy Program and to Increase the Current Contract Ceiling (June 2014), and the FDIC memorandum, Justification for Non-Competitive Procurement (March 2019), these increased procurement costs were mainly due to the expansion of Federal information security standards and corresponding services.
For example, CFPB, DOE, and NASA rely upon their annual inventory of service contracts to identify, monitor, and report on procured Critical Functions. Footnote: 33 In comparison, the FDIC's procurement planning and solicitation and award processes for contract CORHQ-14-C-0769 took 9 months (from March 2014 to December 2014), and contract CORHQ-14-C-0778 took 12 months (from March 2014 to March 2015). This arrangement lacked independence and represents a failure on the FDIC's part to maintain control of its operations.36 In addition, the absence of heightened contract monitoring processes, such as a procurement risk assessment and periodic reviews of controls and processes for Critical Functions, allowed this internal control weakness to remain undetected. In addition, routine reviews ensure that both contractor and agency staff know their roles and responsibilities in the event of an unexpected incident, and validate the planned response. Bethesda, MD. Although not identified within the FDIC's Risk Inventory, the Agency relied heavily on Blue Canopy to operate and service the corresponding risk management mitigating controls. The FDIC OCISO and DOA submitted a Board Case Package to the Board that requested approval for the authority to contract for services to support the Information Security and Privacy Program. Therefore, the FDIC needed proper oversight of the Critical Functions performed by Blue Canopy to ensure such a breach or disruption of service did not occur. Based upon the best practices, these processes should include the following: Procurement Risk Assessment. b Recommendations will be closed when the OIG confirms that corrective actions have been completed and are responsive. For 2019, Blue Canopy services comprised 38.3 percent ($16.2 million) of the FDIC's annual operating expenses for Information Security ($42.3 million). Contracting Officer issues Request for Quotation.
The FDIC develops a management oversight strategy for contracts and assigns responsibility to FDIC contracting officers, oversight managers, and technical monitors to oversee contractors based on the risk and complexity of the contract. Federal Agencies. Without a process for identifying planned and procured Critical Functions, the FDIC cannot ensure that it will take appropriate actions based on informed, independent. The services provided under this contract included an annual technical security assessment, vulnerability management, annual Federal Information Security Modernization Act of 2014 (FISMA) self-assessment,13 continuous controls assessment, privacy program (support services),14 security engineering and technical assistance, and internal controls. Additional information on contract and contractor performance is provided in quarterly reports to the FDIC Board. The OIG made 13 recommendations aimed at having the FDIC incorporate provisions of OMB Policy Letter 11-01 into the FDIC's policies and procedures, identify critical functions during the procurement process, and implement heightened contract monitoring for critical functions. While OMB Policy Letter 11-01 is inapplicable to the FDIC as a matter of law, the FDIC's risk-based acquisition procedures address virtually all of the control factors listed in the Policy Letter and many of these controls were in place for the Blue Canopy contracts. According to this guidance, a "[r]isk assessment is fundamental to the initial decision of whether or not to enter into a third-party relationship." Without the identification of procured Critical Functions and its associated risk, the FDIC may not accurately capture and assess the Agency's inherent and residual risk related to its contracts and contractors.
"The more important the function, the more important that the agency have internal capability to maintain control of its mission and operations." GAO Recommendations. GAO also found that DHS personnel did not identify specific oversight activities they conducted to mitigate the risk of contractors performing functions in a way that could become inherently governmental.
Table: Procured Blue Canopy services compared against NIST guidance (columns: Procured Function; National Institute of Standards and Technology Guidance; Identified as a Critical Function (Yes/No)). The first rows of the table did not survive extraction; only the trailing portion of one row is recoverable.
Row (procured function not recoverable): NIST guidance: RA-5 Vulnerability Monitoring and Scanning, Assessment, Authorization, and Monitoring (CA)-5 Plan of Action and Milestones, Program Management (PM)-4 Plan of Action and Milestones Process, PM-6 Information Security Measures of Performance, PM-9 Risk Management Strategy; Identified as a Critical Function: Yes
Row 3: Procured Function: Technical Security Assessment; NIST guidance: RA-5 Vulnerability Monitoring and Scanning; Identified as a Critical Function: Yes
Row 4: Procured Function: Vulnerability Management; NIST guidance: RA-5 Vulnerability Monitoring and Scanning; Identified as a Critical Function: Yes
Row 5: Procured Function: Continuous Controls Assessment Program; NIST guidance: CA-2 Control Assessments, Configuration Management (CM)-4 Impact Analyses; Identified as a Critical Function: Yes
Row 6: Procured Function: Privacy Program; NIST guidance: Program Management (PM)-18 Privacy Program Plan; Identified as a Critical Function: Yes
Row 7: Procured Function: Testing of Internal Controls; NIST guidance: CA-2 Control Assessments; Identified as a Critical Function: Yes
Source: OIG analysis of FDIC's procured services from Blue Canopy against NIST guidance.
Of particular note, the failure to identify Critical Functions during the procurement planning phase results in a cascading failure throughout the acquisition process. Management does not concur with the recommendation, but alternative action meets the intent of the recommendation; or. In particular, the policy letter states that "[a]gencies shall develop and maintain internal procedures to address the requirements of this guidance." Accordingly, institutions should establish and maintain an effective risk management process for initiating and overseeing outsourced operations. In addition to current practices, the FDIC plans to further address this recommendation through the study and actions described in our response to Recommendation 1. As previously noted, Blue Canopy's services represented a significant percentage of the OCISO's annual operating expenses.