The FDIC's OCISO and DOA submitted to the Board, through its established procurement process, a Board Case Package and Award Profile Reports. These documents, however, did not identify the procured services that were Critical Functions, nor did they present the planned or implemented heightened oversight management activities for the Critical Function procurements. As noted previously, in October 2019, the FDIC changed its procurement strategy for these Critical Functions from two contracts to two BOAs and included multiple service providers on the BOAs. OMB Policy Letter 11-01 defines the terms Inherently Governmental Function and Critical Function as follows: An Inherently Governmental Function is a function that is so intimately related to the public interest as to require performance by Federal Government employees. The term includes functions that require either the exercise of discretion in applying Federal Government authority or the making of value judgments in making decisions for the Federal Government, including judgments relating to monetary transactions and entitlements. : 7; Corrective Action: Taken or Planned - Following the FDIC's study discussed in response to Recommendation 1, the CIOO will assess whether any additional enhancements to the management oversight strategy for the Managed Security Services Provider and Security and Privacy Professional Services BOAs and task orders are needed beyond those already incorporated. USDA, CFPB, and OCC used, or considered it a best practice to have, contract provisions to specify the agency's rights and the contractor's obligations and responsibilities surrounding Critical Functions. Best Practices: 7.
According to the FDIC's Financial Institution Letter titled Third-Party Risk Guidance for Managing Third-Party Risk (FIL-44-2008) (June 2008), the key to the effective use of a third party in any capacity is for management to appropriately assess, measure, monitor, and control the risks associated with a contractual relationship. According to NIST guidance, this arrangement limited the firm's independence and impaired the firm's ability to conduct impartial security control assessments. : 1; Corrective Action: Taken or Planned - The FDIC will consider each of the OIG's recommendations and further study the need for additional risk-based controls for essential procurements. To accomplish this mission, FDIC insures deposits; examines and supervises financial institutions for safety, soundness, and consumer protection; makes large and complex financial institutions resolvable; and manages receiverships. The FDIC did not perform a procurement risk assessment for Critical Functions obtained from Blue Canopy during the procurement planning process. : 9; Corrective Action: Taken or Planned - The FDIC will complete an annual performance review of the Managed Security Services Provider and Security and Privacy Professional Services contractors. Analyzed the FDIC's oversight of Blue Canopy to maintain control of the Agency's mission and operations by: Comparing and contrasting management procurement and oversight activities to best practices the OIG identified; and.
It is key for management to develop a thorough understanding of what the proposed relationship will accomplish for the institution, and why the use of a third party is in its best interests. However, while Blue Canopy operated within the FDIC's information systems and facilities, the value that Blue Canopy provided was in its human capital. In addition, the FDIC's Enterprise Risk Management program may not ensure that the FDIC has appropriately identified, measured, monitored, reported, and mitigated the FDIC's significant risks for contracts and contractors. We made 13 recommendations to the FDIC's Deputy to the Chairman and Chief Operating Officer. According to the FDIC Legal Division, the FDIC does not fall within the definition of executive agency in the [Office of Federal Procurement Policy] Act. Become over-reliant on a third-party contractor to achieve its mission and conduct operations;3. However, if the agency cannot provide a sufficient number of knowledgeable staff to oversee the contracts, the contractors could inappropriately influence government decision-making. Procured Blue Canopy Services Deemed to Be Critical Functions of the FDIC, 1. Such heightened contract monitoring activities would include: (1) performing a procurement risk assessment, (2) establishing a management oversight strategy, (3) conducting periodic reviews, and (4) providing formal reports to the Board for its review of Critical Functions on an individual and aggregate basis. According to the FDIC's Legal Division, OMB Policy Letter 11-01 does not directly apply to the Agency but it may be used for guidance. Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount.
Minority & Women Outreach Program: FDIC encourages the use of minority and women-owned businesses (MWOBs) and small disadvantaged businesses (SDBs) in the acquisition of goods and services, as contractors or subcontractors. Next, management should analyze the benefits, costs, legal aspects, and the potential risks associated with the third party under consideration. These essential functions are then used to identify supporting tasks and resources that must be included in the organization's continuity planning process. The FDIC's Legal Division provides legal advice and counsel to Contracting Officers to ensure that acquisitions and other contract actions are conducted in accordance with governing laws and FDIC policy. The FDIC has also recently implemented new acquisition initiatives to further improve vendor management, contract oversight, and to reduce the number of non-competitive awards. Periodic reviews should determine if the agency needs to take corrective measures to address any over-reliance on contractors for Critical Functions. The MSSP BOA includes provisions which carry monetary penalties should the vendor default against an SLA and incentives to extend the period of performance by demonstrating sustained excellent performance in meeting all SLAs. Neither the Board Case Package nor the Board meeting minutes reflected that the FDIC discussed with the Board its procurement risk assessment and management oversight strategy, planned contract structuring, and ongoing monitoring controls and reports for the procured Critical Functions. Over a 3-year period, from 2017 to 2019, the FDIC awarded nearly 4,000 contracts valued at more than $1.3 billion.
Footnote: 16 The FDIC Legal Division concluded that OMB Policy Letter 11-01 did not apply to the FDIC, because (1) the FDIC did not fall within the definition of executive agency in the Office of Federal Procurement Policy Act; and (2) the FDIC was not funded by congressionally appropriated funds. We also reviewed documentation and interviewed employees familiar with Blue Canopy's work to determine if the FDIC maintained control of its mission and operations. In addition to current practices, the FDIC plans to further address this recommendation through the study and actions described in our response to Recommendation 1. The FDIC re-competed and re-issued these services to Blue Canopy under two new contracts with a total Award Value of $101.3 million. Both contracts had 7-year terms (a 3-year base period and four 1-year options), and one became effective in December 2014, and the second one in March 2015. FDIC Business Data Services (FBDS) II Engagement Outline. FBDS Overview: The Federal Deposit Insurance Corporation (FDIC) has a requirement for FDIC Business Data Services (FBDS) support. However, it did not address how the Contracting Officer and Oversight Manager would assess the FDIC's over-reliance on Blue Canopy or identify and implement corrective actions. Through the two contracts, Blue Canopy provided the following services: (1) Information Security and Privacy Support Services for the FDIC's Security Operations Center (SOC) and Computer Security Incident Response Team (C-SIRT). According to the GSA, the Federal government uses the reported data to measure and assess the impact of Federal procurement on the nation's economy, learn how awards are made to businesses in various socioeconomic categories, understand the impact of full and open competition on the acquisition process, and address changes to procurement policy.
Corrective Action: The existing management oversight strategy for the subject BOAs and task orders includes performance criteria, internal controls, reporting, and contractual requirements that were established during acquisition planning and are detailed in statement of work documents. For example, CFPB, DOE, and NASA rely upon their annual inventory of service contracts to identify, monitor, and report on procured Critical Functions. Over a seven-and-a-half-year term, the contractors will help FDIC's Division of IT deal with operations and maintenance support of its infrastructure while the financial agency looks to improve productivity and efficiencies to continue to mature between 2020 and 2027, says a new solicitation. In addition, the FDIC did not perform a procurement risk assessment and develop a management oversight strategy for procured Critical Functions (identifying heightened controls and processes, and appropriate internal capacity and capability of internal resources) that would have informed the analysis of cost and assured the Agency it could control its own mission and operations. Recommendation 3: Assess whether the FDIC's Enterprise Risk Management program should identify the impact of procured Critical Functions, and procurement risk related to contractors performing Critical Functions, within the FDIC's Risk Inventory. Program Office and Contracting Officer jointly develop acquisition plan. The Risk Inventory does not identify procured critical functions as a separate and distinct risk. bankers, analysts, and other stakeholders. An oversight program will generally include monitoring of the third party's quality of service, risk management practices, financial condition, and applicable controls and reports.
: 6; Corrective Action: Taken or Planned - The FDIC plans to further address this recommendation through the study and actions described in its response to Recommendation 1.; Expected Completion Date: March 31, 2022; Monetary Benefits: $0; Resolved-a - Yes or No: No; Open or Closed-b: Closed. Federal agencies need to ensure proper management and oversight of procured services for Critical Functions in order to prevent over-reliance on the contractor and the loss of control of the agency's mission and operations.