6) Determine the contract structure during the solicitation and award process for the procurement of a Critical Function. The Guide provides tools for implementing the IT acquisition life cycle, with objectives to: develop scalable solutions that promote competition; deliver fast, reliable, responsive, and innovative services; The FDIC has also established a 2021 corporate performance goal and interdivisional work team to strengthen our contract oversight management program by increasing the independence and professionalism of our oversight managers and technical monitors. With respect to the MSSP and SPPS contracts, FDIC contract officers, oversight managers, and technical monitors assigned to the BOAs and task orders will ensure that contractors comply with contract terms and meet performance expectations. If so, whether the FDIC retained sufficient management oversight of Blue Canopy to maintain control of its mission and operations in accordance with best practices. The FDIC, however, provided no details as to how it plans to do so. USAspending.gov | Fiscal Data An official website of the U.S. government Spending Explorer Award Search Profiles Download Resources The company filed for bankruptcy with approximately $2.23 billion in total debt and approximately $1.76 billion in total assets as of September 2008. The FDIC relied on Blue Canopy to develop, operate, and service the Security Operations Center as well as information and network security. While the Board Case Package identified the services to be procured, it did not identify or discuss whether the services to be procured were considered to be Critical Functions of the FDIC. Results of testing of these plans should be provided to the financial institution.. As a result, the GAO recommended that DHS should (1) develop a risk-based approach for reviewing service requirements to ensure proposed service requirements are clearly defined and reviewed before planning how they are to be procured; (2) update the Inherently Governmental and Critical Functions Analysis to provide guidance for analyzing, documenting, and updating the federal workforce needed to perform or oversee service contracts requiring heightened management attention; and (3) [develop] guidance identifying oversight tasks or safeguards personnel can perform, when needed, to mitigate the risk associated with contracts containing closely associated with inherently governmental functions, special interest functions, or critical functions.. Corrective Action: In addition to current practices, the FDIC plans to further address this recommendation through the study and actions described in our response to Recommendation 1. The guidance provides, in part, that reports (types and frequency of management information) and business resumption and contingency plans should be considered as a contract is structured, with the applicability of each dependent upon the nature and significance of the third-party relationship. 2i/y/v&ki35$PRr#{ GsN7?Zv|R@$"'* In response to this risk, in September 2011, the Office of Management and Budget (OMB) provided guidance in OMB Policy Letter 11-01 on managing the performance of Inherently Governmental Functions and Critical Functions in order to ensure that government action is taken as a result of informed, independent judgments made by government officials. In addition, the OMB Policy Letter 11-01 defined a Critical Function as a function that is necessary to the agency being able to effectively perform and maintain control of its mission and operations. The solicitations for the new contracts occurred in November 2019 and April 2020. profiles, working papers, and state banking performance Management Decision: Partially Concur. The FDIC will consider each of the OIGs recommendations and further study the need for additional risk based controls for essential procurements. According to the FDICs Legal Division, OMB Policy Letter 11-01 does not directly apply to the Agency but it may be used for guidance. CIO Howard Whyte spoke with FedScoop recently about FDICs work in the cloud to provide a transformational experience for our external customers.. Ultimately, if an agency fails to ensure proper management and oversight of procured Critical Functions, contractors may take actions that are not based on informed, independent judgments made by Government officials. The FDIC develops detailed board cases for individual procurements exceeding $20 million that discuss procurement costs, benefits, alternatives considered, management oversight strategy, and other information. Anchorage Closes In on FDIC Crypto Custodian Deal, Documents - CoinDesk system. An agency may become over-reliant on a service provider if it does not have the capacity (number of Federal employees) and capability (Federal employees with appropriate training, experience, and expertise) to oversee the contractor properly. CIGFO, Congressional, Special Inquiries, Other, 3501 Fairfax Drive Arlington, Virginia 22226, https://www.fdicoig.gov/sites/default/files/publications/19-004AUD_0.pdf, Top Management and Performance Challenges. To date, four task orders have been awarded under the BOAs to two different service providers. 800-53 organized security and privacy controls into 20 families. The report concluded that the FDIC needs to establish a clear governance structure, and clearly define authorities, roles, and responsibilities related to [Enterprise Risk Management]. In addition, the GSA and OCC report on procurement actions through the Federal Procurement Data System-Next Generation (FPDS-NG),* which includes those designated as Critical Functions. To report allegations of waste, fraud, abuse, or misconduct regarding FDIC programs, employees, contractors, or contracts, please contact us via our Hotline or call 1-800-964-FDIC. However, in relation to overseeing contractors who perform Critical Functions on behalf of the FDIC, the Agency procedures fell short in several important respects, including with respect to conducting periodic reviews to assess for over-reliance on the contractor. This guidance document recommends that FDIC-supervised institutions take a risk-based approach to ensuring that appropriate controls, acquisition planning, and oversight are in place to manage services provided by third parties. Figure 5: Best Practices for Conducting Periodic Reviews of Controls and Processes. In addition, a prior OIG report, Security Configuration Management of the Windows Server Operating System (AUD-19-004) (January 2019) concluded that Blue Canopy lacked independence. Following the study discussed in response to Recommendation 1, the CIOO will assess whether any additional enhancements are needed for the MSSP and SPPS BOAs and task orders beyond those already incorporated. 24 In addition, the FDIC Risk Inventory recognized the risk associated with managing contracts throughout the contract lifecycle, including the potential for increased costs for goods and services, increased contractor claims, and delivery of inferior goods and services to support the FDIC mission. PDF List of Awards and Contractor Contact Information - May 2022 However, the FDIC awarded both contracts to Blue Canopy, which did not reduce reliance on a single contractor for information security support services. Since the FDIC relied on Blue Canopy to provide human capital (staffing) in key areas of information security and privacy, the FDIC needed to supervise and manage how Blue Canopy would continue to provide its services in the event that Blue Canopys human capital was impaired or negatively impacted by significant events. Notably, the FDIC stated in its response that if the FDIC determines contract services are essential in the event of an emergency or business continuity event, the statement of work or statement of objectives must include: business continuity requirements, requirements that contractors flow emergency preparedness and continuity requirements to essential subcontracts; and requirements for contractors to have emergency plans for providing services to FDIC in the event of a disruption of normal operations, and participation in FDIC business continuity testing, training, and exercises.. An oversight program will generally include monitoring of the third partys quality of service, risk management practices, financial condition, and applicable controls and reports. GAO also found that DHS personnel did not identify specific oversight activities they conducted to mitigate the risk of contractors performing functions in a way that could become inherently governmental. Over a seven-and-a-half-year term, the contractors will help FDIC's Division of IT deal with operations and maintenance support of its infrastructure while the financial agency looks to improve "productivity and efficiencies to continue to mature between 2020 and 2027," says a new solicitation. No. or https:// means youve safely connected to the .gov website. This arrangement lacked independence and represents a failure on the FDICs part to maintain control of its operations.36 In addition, the absence of heightened contract monitoring processes, such as a procurement risk assessment and periodic reviews of controls and processes for Critical Functions allowed this internal control weakness to remain undetected. Footnote: 28 According to the FDICs Acquisition Procedures, Guidance and Information (January 2020), the Independent Government Cost Estimate is the FDICs estimated cost for the acquisition. A breach or disruption in these services could impact the security, confidentiality, integrity, and availability of FDIC information. The FDIC Did Not Develop a Management Oversight Strategy for Critical Functions. Exhibit - FDIC International 2023 In particular, a loss of control could result in actions and decisions that are not in the public interest, and instead may be focused on the contractors business development, profitability, or unsuitable influences. banking industry research, including quarterly banking The report summarizes general contracting-related information and details pending awards and award profiles. Title III of the E-Government Act, entitled the Federal Information Security Management Act of 2002 requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and systems that support the operations and assets of the agency. Procurement Planning: Program Office identifies the Critical Function to be procured within procurement planning documents. Blue Canopy performed a range of cybersecurity and privacy support services for the FDIC. Existing Acquisition Procedures for Contract Planning, Oversight, and Reporting. According to a CNN news article titled, BearingPoint files for bankruptcy (February 2009), [t]he McLean, Virginia-based company, which began as the consulting arm of KPMG LLP and later struggled with accounting problems and a U.S. Securities and Exchange Commission probe, has been laboring under heavy debt exacerbated by an acquisition spree between 1999 and 2002.. Bethesda, MD. The FDIC is committed to recruiting and retaining the most qualified employees in the labor market, and maintaining diversity in management, employment, and business activities. o Determine Contract Structure. However, it did not address how the Contracting Officer and Oversight Manager would assess the FDICs over-reliance on Blue Canopy or identify and implement corrective actions. documentation of laws and regulations, information on State Department, FDIC Working on New User Technologies Using Novel Find information for outside counsel engaged by the FDIC. OMB Policy Letter 11-01 defines the terms Inherently Governmental Function and Critical Function as follows: An Inherently Governmental Function is a function that is so intimately related to the public interest as to require performance by Federal Government employees. The term includes functions that require either the exercise of discretion in applying Federal Government authority or the making of value judgments in making decisions for the Federal Government, including judgments relating to monetary transactions and entitlements. Management concurs with the recommendation, and the planned, ongoing, and completed corrective action is consistent with the recommendation; or, 2. Report to the Board about the Procurement Risk Assessments, Management Oversight Strategies, and contract provisions that address identified risks for planned Critical Functions during the procurement planning phase of the acquisition, for its consideration. Compromise the trust (or data) by failing to exercise due care in establishing appropriate controls to protect sensitive information and to identify and mitigate data breaches. The FDIC documented and presented to the Board a qualitative justification for procuring Blue Canopy services. There is no uniform set of best practices that public and private organizations have agreed upon in the subject area of the OIGs report. Accordingly, institutions should establish and maintain an effective risk management process for initiating and overseeing outsourced operations. Figure 4: Best Practices for Implementing a Management Oversight Strategy. The definition of essential functions as used by the FDIC is restricted to those functions that impact continuity of operations planning. Press Esc to cancel. Monetary benefits are considered resolved as long as management provides an amount. p%{dd3WP}9HR 1++Q'WJ`7;'~\b!8$@ba!=G{A,91Ip9y8%x{Y,xKb\Ib KtK==J_{x4Y'Hw'0{A9Zs9 S{!8d`EL(pF5@&8I; L$p"AdBdI9[i|4abA$23%LeqpXd"b9laW^e8XsC0F{NfIbfJ1q5sdQ,+Q,$.hWXIbFZB!yv+XG8vdR"3TK&VJ7"qnLv_o/nSA~?{+[:/ZReFH-EBjRe(mY(Dn_=~ea.YY'([Ps:%[uuLh1'%]/Bg.`-iQu uAlO;aK~ET;lF1bN:a.1.y+JMHs[o*eb-Z2^MgG(("h6kOn5h". Our attendees visit the exhibition to get a first-hand look at the latest products, technologies and services on the market. Legal Division. The Federal Deposit Insurance Corp. is looking for IT vendors to provideinfrastructure support services as part of a new multiple-award contract worth up to $487.5 million. KXcXeX1E"01%(1ED1]Um0^v]o9b. The FDIC requires support across the entire IT application lifecycle including: creation (requirements, design, development, testing, deployment), configuration, integration, migration, enhancement, support, maintenance, operations, decommissioning, and other associated services for all FDIC owned applications, either in use today or deployed Recommendation 6: Determine the contract structure during the solicitation and award process for the procurement of a Critical Function. These actions are in addition to the standard controls and processes that agencies follow in procuring goods and services. These laws are intended to protect the public and ensure the proper use of governmental funds. In addition, we maintain that these circumstances represented a failure in the FDICs controls and procedures. FDIC Total Awards by Socio Economic Categories January 1 -December 31, 2020 $80 $90 $90.0 $70 $58.9 $60 $50.1$20 $30 $40 $50 $45.4 $10 $0 Percent of Total FDIC Awards: $4.5 $8.0 8(a) HubZone $10.8$4.1 Veteran OwnedServiceWomen OwnedSmallMinority OwnedMWOBDisabledDisadvantagedVeteran OwnedBusiness Through competition, the FDIC is able to compare the value of competing technical proposals and prices in order to determine which proposal affords the best value. Management should consider, in part, the following corrective measures for identified instances of contractor over-reliance: (1) reviewing and adjusting contractor services; (2) reassessing and adjusting human capital needs (staff and funding); (3) in-sourcing all or part of the function; (4) reviewing the contracting process from beginning to end to understand how the agency lost control; and (5) reestablishing or strengthening controls over contractor responsibilities. We applied internal control principles promulgated by the GAO (the Green Book) to guide our work and to supplement and support the best practices that we identified, when appropriate. The FDIC, however, has expressed reluctance to incorporate the term, Critical Function, into its process, as that term is used and defined in the OMB Policy Letter 11-01. Due to the dollar value of these procurements, the FDIC submitted and briefed a Board Case to the FDIC Board of Directors to receive authority to award the contracts. We recommend that the Deputy to the Chairman and Chief Operating Officer: 1) Incorporate the provisions of OMB Policy Letter 11-01 guidance into the FDIC Acquisition Policy Manual (August 2008) and Acquisition Procedures, Guidance and Information document (January 2020).
Deer Valley School District Salary Schedule,
Blotchy Face After Crying,
Articles F