Best Practices for FDIC Board Reporting, Subject: Critical Functions in FDIC Contracts. When procuring Critical Functions, agencies considered strategic human capital planning analyzing agency staff resources, and internal capability and capacity. ; OMB: The source identified this item; GAO: The source identified this item; Industry Standard: The source identified this item; Select Federal Agencies: The source identified this item; OMB Guidance. If the FDIC does not manage the risks associated with Critical Functions prudently, it may: Become over-reliant on a third party to achieve its mission and conduct operations; Fail to control the Agency's mission and operations; Create inefficiencies through increased cost and decreased operational effectiveness; Fail to identify and evaluate alternative courses of action; Fail to provide independent judgments and informed oversight; and. Recommendation 11: Implement corrective actions when the FDIC determines it is over-reliant on a contractor for a procured Critical Function. One of the risk management process's four main elements is contract structuring and review. The FDIC publishes regular updates on news and activities. In July 2020, the FDIC awarded a competitive BOA to one vendor to provide managed support services for all aspects of the Security Operations Center (SOC) under a fixed-price arrangement. Corrective Action: The FDIC includes significant information regarding acquisition strategy, contract oversight and performance measures, and other controls in current board cases for contracts or BOAs over $20 million. The contracts contained SLAs that required the contractor to meet FDIC-defined standards. As the OIG acknowledged in its draft report, OMB Policy Letter 11-01 does not apply to the FDIC.
The awards, now in their third year, are organised by international engineering federation FIDIC (the International Federation of Consulting Engineers). Title III of the E-Government Act, entitled the Federal Information Security Management Act of 2002, requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and systems that support the operations and assets of the agency. DMI said it will bring digital transformation tools that usher in a new managed services model, focused on service delivery optimization. Further, if the agency does not establish and maintain a proper control environment, it may lose control of its mission and operations. In addition, NASA considered internal capability when procuring a Critical Function, and CFPB ensured that Contract Officers have appropriate backgrounds, such as Information Technology expertise for procured Information Technology services. Figure 4: Best Practices for Implementing a Management Oversight Strategy. The FDIC relies on the results of security control assessments to identify security weaknesses and inform key risk management decisions. Within this report, the OIG recommended that the FDIC [e]stablish requirements to ensure the independence of security control assessors. Without the requisite analysis, the FDIC cannot be assured that it has appropriately identified and mitigated the existing procurement and operational risks. Source: OIG analysis of OMB guidance, GAO reports, Industry guidance, and interview statements from Federal agencies.
We note that the definition of a Critical Function as defined by OMB Policy Letter 11-01 is similar to the definition of an Essential Function found in the FDIC's Continuity of Operations Program.1 It is also similar to the definition of Critical Functions in the FDIC Chief Information Officer Organization Business Continuity Plan (January 2019), which are defined as business activities or information that could not be interrupted or unavailable for several business days without significantly jeopardizing operation of the organization. For purposes of this report, we will use the term and definition of Critical Function from OMB Policy Letter 11-01, which is widely accepted across the Federal government. The new acquisition strategy was presented to and approved by the Board in October 2019. However, it did not address how the Contracting Officer and Oversight Manager would assess the FDIC's over-reliance on Blue Canopy or identify and implement corrective actions. DRR's contract with Blue Canopy was beyond the scope of this review. Board approval should be obtained prior to entering into any material third-party arrangements. The level of detail in contract provisions will vary with the scope and risks associated with the third-party relationship. DHS also lacked guidance on what these oversight tasks could entail. In particular, the policy letter states that agencies should determine whether their procurement requirements involve the performance of Inherently Governmental Functions, Functions Closely Associated with Inherently Governmental Functions, or Critical Functions. Oversight Manager and Contracting Officer develop Contract Management Plan. Industry Standard. ; Expected Completion Date: March 31, 2022; Monetary Benefits: $0; Resolved-a - Yes or No: No; Open or Closed-b: Closed; Row 2: ; Rec. Results of testing of these plans should be provided to the financial institution.
In particular, the FDIC prepared a Contract Management Plan37 for Blue Canopy to document the joint administrative approach agreed upon by the Contracting Officer and Oversight Manager. To assist in performing oversight activities for complex contracts for services, the oversight manager must work with the contracting officer to develop a contract management plan. However, as noted in our report, the FDIC did not identify the Blue Canopy contracts as essential, and, therefore, it did not invoke the additional monitoring and oversight procedures. No. National Institute of Standards and Technology Guidance. CFPB Consumer Financial Protection Bureau, CIOO Chief Information Officer Organization, C-SIRT Computer Security Incident Response Team, DRR Division of Resolutions and Receiverships, FAIR Act Federal Activities Inventory Reform Act, FDIC Federal Deposit Insurance Corporation, FISMA Federal Information Security Modernization Act, FPDS-NG Federal Procurement Data System-Next Generation, GAO U.S. Government Accountability Office, IGCE Independent Government Cost Estimate, NASA National Aeronautics and Space Administration, NCUA National Credit Union Administration, NIST National Institute of Standards and Technology, OCC Office of the Comptroller of the Currency, OCISO Office of the Chief Information Security Officer, TO: Terry L. Gibson, Assistant Inspector General for Program Audits and Evaluations, FROM: Brandon L. Milhorn, Deputy to the Chairman, Chief of Staff and Chief Operating Officer, CC: Sylvia W. Burns, CIO, E.
Marshall Gentry, CRO, RE: Management Response to OIG Draft Audit Report, Critical Functions in FDIC Contracts (No. On November 18, 2021, the Office of the Comptroller of the Currency (the "OCC"), the Board of Governors of the Federal Reserve System (the "Board"), and the Federal Deposit Insurance . Phase 1: Procurement Planning - Program Office and DOA Acquisition Services Branch develop a management oversight strategy for the planned acquisition of a Critical Function, which includes determining the contract structure (key provisions). Further, the official stated that Blue Canopy complied with the FDIC's directives governing access to and operations at FDIC offices and facilities. As a result, the GAO recommended, in part, that the DOD should revise existing workforce policies and procedures to address the identification of critical functions. These initiatives focus on awarding competitive, multiple-award basic ordering agreements (BOAs) and smaller, more competitive task orders. Perform a procurement risk assessment. However, we found that the Agency did not document and present to the Board a complete cost effectiveness analysis that evaluated whether a Critical Function should be procured or performed internally. Within the report, the OIG recommended, in part, that the Deputy to the Chairman and Chief Operating Officer [d]etermine the appropriate number of oversight managers needed to manage the Division of Information Technology's (DIT) contract workload in conjunction with DIT, and ensure the Oversight Manager workforce is appropriately staffed. Footnote: 32 In February 2009, the FDIC's service provider, BearingPoint Inc., a multinational management and technology consulting firm, filed Chapter 11 bankruptcy. This requirement will be a private invitation for bid and will result in a single-award Basic Ordering Agreement ("BOA"). An [alphabetical] two-character identifier uniquely identifies each control family41 (e.g., IR for Incident Response).
According to the FDIC's Legal Division, OMB Policy Letter 11-01 does not directly apply to the Agency, but it may be used for guidance. Therefore, while we determined that Blue Canopy performed Critical Functions at the FDIC, as defined by OMB Policy Letter 11-01 and best practices, the FDIC did not identify these services as Critical Functions during its procurement planning phase. 13) Report to the Board about the Award Profile Reports and corresponding status reports for procured Critical Functions during the contract management phase of the acquisition process on an individual and aggregate contract basis, for its consideration. Before
Over a seven-and-a-half-year term, the contractors will help FDIC's Division of IT deal with operations and maintenance support of its infrastructure while the financial agency looks to improve productivity and efficiencies to continue to mature between 2020 and 2027, says a new solicitation. Additionally, according to best practices, the plans and testing reports should be reviewed on a routine, ongoing (proactive) basis, rather than waiting for and reacting to an unexpected event. The GAO report, DHS Service Contracts: Increased Oversight Needed to Reduce the Risk Associated with Contractors Performing Certain Functions (GAO-20-417) (May 2020), found, in part, that DHS did not consistently plan for the level of Federal oversight needed for certain contracts because there was no guidance on how to document and update the number of Federal personnel needed to conduct oversight.
One contractor, The Blue Canopy Group, LLC (Blue Canopy), performed services in support of the FDIC's information security and privacy program. Corrective Action: In addition to current practices, the FDIC plans to further address this recommendation through the study and actions described in our response to Recommendation 1. Nevertheless, the comprehensive nature of the risk management framework includes many FDIC functions that might be classified as critical. In response to this recommendation, the FDIC will review its risk inventory and conduct an assessment to determine if the current risk inventory sufficiently addresses the underlying risks presented in the OIG's report, irrespective of the specific use of the term critical function. Recommendation 4: Conduct a procurement risk assessment for Critical Functions during the procurement planning process, for each contract involving Critical Functions. Footnote: 4 Security Configuration Management of the Windows Server Operating System (AUD-19-004) (January 2019). Our methodology relied on identifying best practices from various reputable sources, including OMB Policy Letter 11-01, GAO reports, industry standards, and other Federal agencies, and comparing the FDIC's acquisition process with these best practices. Agencies should consider internal controls such as approval authorities, segregation of duties, and independence and non-conflict of interest standards. In particular, the guidance states that [a]fter selecting a third party, management should ensure that the specific expectations and obligations of both the financial institution and the third party are outlined in a written contract prior to entering into the arrangement. Blue Canopy was founded in 2001 and is an information technology advisor and service provider that offers mission support, cybersecurity, technology and systems development, data analytics, and cloud and mobility solutions to Government and commercial clients.
The FDIC Board of Directors. The OCISO is comprised of four sections: Governance, Risk and Compliance; Privacy; Security Architecture; and Security Operations. Specific relevant items within the risk inventory currently include risks related to cybersecurity, privacy, protection of sensitive information, potential cyberattacks, management and oversight of contracts, adequacy of staffing, and succession planning, which involves having a sufficient number of the right people with the right skills to meet mission responsibilities. Therefore, our report correctly concludes that the Blue Canopy contracts provided limited coverage of the contractor's obligations and responsibilities similar to those recommended in the FDIC's Financial Institution Letter. GSA, NASA, USDA, DOE, and OCC have policy and procedures to prevent over-reliance on a contractor, and specific corrective measures to address instances of contractor over-reliance. Management Oversight Strategy. The FIL does not separately detail specific procedures applicable to critical functions, but rather provides a general framework to provide appropriate oversight and risk management of significant third-party relationships, including those in which a third party performs critical functions. The FIL recommends increasing levels of control for more complex or higher-risk activities. The recommendation was to contract for the services due to the available experience of the private sector and its ability to scale resources more quickly than the FDIC. An FDIC team, including oversight managers, technical monitors, and contract specialists, provided oversight of both contracts.