According to the FDIC's Legal Division, OMB Policy Letter 11-01 does not directly apply to the Agency, but it may be used for guidance.
DMI Wins $256M FDIC Task Order | WashingtonExec
Any subsequent task orders would be for tech developments issued as standalone projects, worth $112.5 million in total.

Existing Acquisition Procedures for Contract Planning, Oversight, and Reporting
The FDIC Did Not Perform a Procurement Risk Assessment for Critical Functions

We identified the following commonly acknowledged best practices from selected sources. Consistent with that approach, the FDIC will continue to adopt those portions of the OMB Policy Letter that support its unique operations, while the Policy Letter overall continues to be inapplicable by operation of law. The FDIC's acquisition procedures are also consistent with the FDIC's Guidance for Managing Third-Party Risk (FIL-44-2008). Oversight Manager and Contracting Officer complete closeout activities.

NIST Special Publication 800-53 organizes security and privacy controls into 20 families.

Sections: The FDIC and Blue Canopy's Contractual Relationship; Inherently Governmental Functions and Critical Functions; Best Practices for Procuring Critical Functions; The FDIC Did Not Implement Heightened Monitoring for Critical Functions.

However, in relation to overseeing contractors who perform Critical Functions on behalf of the FDIC, the Agency's procedures fell short in several important respects, including with respect to conducting periodic reviews to assess for over-reliance on the contractor. These best practices support the view that the FDIC should develop and implement heightened contract monitoring processes for Critical Functions. OIGs may also use evaluations to share best practices and approaches.

3) Assess whether the FDIC's Enterprise Risk Management program should identify the impact of procured Critical Functions, and procurement risk related to contractors performing Critical Functions, within the FDIC's Risk Inventory.
Additional appendices include acronyms and abbreviations, the Agency's comments on a draft of this report, and a summary of the Agency's corrective actions.

Figure 5: Best Practices for Conducting Periodic Reviews of Controls and Processes

Nor did the FDIC require periodic joint testing procedures. In addition, the FDIC will consider and further study potential methodologies for assessing contractor overreliance, including how other agencies make such determinations. To resolve these 12 recommendations, we would expect the FDIC to provide a clear indication of the specific actions within the next 6 months, and we will determine at that time whether the recommendations may be converted to resolved or whether they will remain unresolved. For the 12 unresolved recommendations, the FDIC plans to consider and further study the issues and does not intend to implement corrective actions for another year (between March 31 and June 30, 2022).
Procured Blue Canopy Services Deemed to Be Critical Functions of the FDIC

Row 1
  Procured Function: Security Operations Center
  National Institute of Standards and Technology Guidance: Incident Response (IR)-4 Incident Handling; IR-7 Incident Response Assistance; System and Information Integrity (SI)-4 System Monitoring
  Identified as a Critical Function (Yes/No): Yes

Row 2
  Procured Function: Computer Security Incident Response Team
  National Institute of Standards and Technology Guidance: IR-5 Incident Monitoring; IR-6 Incident Reporting; Risk Assessment (RA)-1 Policy and Procedures; RA-3 Risk Assessment
In particular, the FDIC should have routinely reviewed (on an ongoing and proactive basis) Blue Canopy's business resumption and continuity plans (specific to human capital) to ensure the security, confidentiality, integrity, and availability of FDIC information, as well as the continuity of service and performance by Blue Canopy.

A breach or disruption in these services could affect the security, confidentiality, integrity, and availability of FDIC information. However, there was no indication that the CIOO reassessed the reports during the course of the 7-year performance of these contracts. The FDIC's contract Award Values for these services increased from the initial modified Award .

Best Practices for Performing a Procurement Risk Assessment

In order to implement heightened management oversight, the FDIC needs to (1) identify the risk in a risk assessment; (2) identify the control(s) needed to oversee the contractor within a management oversight strategy; (3) establish the control(s) and a process for reviewing the control(s) within the contract structure; (4) implement the control(s) during the management oversight process; and (5) periodically review the FDIC's and the contractor's performance or implementation of the control(s). In addition, the GSA and OCC report on procurement actions through the Federal Procurement Data System-Next Generation (FPDS-NG),* which includes those designated as Critical Functions.

(or sets of contracts) for information security support services.

This risk-based approach to activities that are closely aligned with inherently governmental functions is consistent with the intent of OMB Policy Letter 11-01.

along with its implementing and supplementing document entitled
Over a 4-year period (2015-2019), the FDIC's OCISO spent between 35 percent and 44 percent of its operating expenses annually on Blue Canopy services. The contracts contained SLAs that required the contractor to meet FDIC-defined standards. Contractors provide a multitude of staff with highly specialized technical skills and knowledge of current industry best practices and regulations.

Footnote 9: The OCISO's mission is to develop and maintain Agency-wide information security and privacy programs that support the mission of the FDIC.
According to the FDIC Financial Institution Letter, Third-Party Risk Guidance for Managing Third-Party Risk (FIL-44-2008) (June 2008), an effective risk management process should identify, in part, contractual requirements that would be critical to the ongoing assessment and control of specific identified risks.
DMI said it will bring digital transformation tools that usher in a new managed services model, focused on service delivery optimization.

FISMA requires each agency to perform an annual self-assessment.
The FDIC annually captures the risks it faces through its Enterprise Risk Management Risk Inventory.

Given the existing contractual controls in the Blue Canopy contracts (such as SLAs and other performance metrics), remedial actions taken to address the independence concern identified by the OIG, and the subsequent revision of the acquisition strategy associated with the services previously procured under the Blue Canopy contracts, the FDIC disagrees with the OIG's determination that the contract represent[ed] a failure on the FDIC's part to maintain control of its operations. Blue Canopy's performance under the contracts, which included detailed performance metrics, was regularly reviewed and received high marks from the FDIC. On a quarterly basis, the FDIC submitted Award Profile Reports to the Board that summarized the FDIC's contracting activities for the quarter.

Interviewed FDIC personnel in DOA, CIOO, and the Legal Division who had responsibility for procurement processes related to Critical Functions.
The guidance provides, in part, the following topics that should be considered as a contract is structured, with the applicability of each dependent upon the nature and significance of the third-party relationship: scope (rights/responsibilities of each party), cost/compensation, performance standards, reports (types and frequency of management information), audit (of contractor), confidentiality and security (prohibit contractor from using or disclosing the agency's information), customer complaints, business resumption and contingency plans, default and termination (of contractor), dispute resolution, ownership and license, indemnification, and limits on liability.