Our methodology relied on identifying best practices from various reputable sources, including OMB Policy Letter 11-01, GAO reports, industry standards, and other Federal agencies, and comparing the FDIC's acquisition process with these best practices. The FDIC documented and presented to the Board a qualitative justification for procuring Blue Canopy services. Inherently Governmental and Critical Functions. OMB Policy Letter 11-01 defined an Inherently Governmental Function as a function that is "so intimately related to the public interest as to require performance by Federal Government employees." The term includes functions that require either the exercise of discretion in applying Federal Government authority or the making of value judgments in making decisions for the Federal Government, including judgments relating to monetary transactions and entitlements. OMB Policy Letter 11-01 requires certain Federal agencies to ensure that contractors do not perform Inherently Governmental Functions. The PGI requires the oversight manager, together with the contracting officer, to determine the level of oversight that is necessary to ensure the contractor makes satisfactory progress toward the successful completion of the terms of the contract. The guidance states that "[a]n institution's board of directors and senior management are ultimately responsible for identifying and controlling risks arising from [third-party] relationships, to the same extent as if the [contracted] activity were handled within the institution."34 In particular, the FDIC should have routinely reviewed (actively monitored) Blue Canopy's financial condition, information security, and business resumption and continuity testing reports to ensure the security, confidentiality, integrity, and availability of FDIC information.
The third party should have appropriate protections for backing up information and also maintain disaster recovery and contingency plans with sufficiently detailed operating procedures. OMB Policy Letter 11-01 advises certain agencies that they should ensure that Federal employees perform and/or manage Critical Functions to the extent necessary for the agency to operate effectively and maintain control of its mission and operations. Conduct periodic reviews of controls and processes. NIST SP 800-53 organized security and privacy controls into 20 families. Report to the Board about the Award Profile Reports and corresponding status reports for procured Critical Functions during the contract management phase of the acquisition process, on an individual and aggregate contract basis, for its consideration. In particular, the FDIC may not ensure that it has an adequate number of employees with the appropriate training, experience, and expertise to oversee the procurements of Critical Functions. Phase 2: Solicitation and Award - DOA Acquisition Services Branch reports to the FDIC Board the finalized contract structure and procured Critical Function, on an individual and aggregate basis. If so, whether the FDIC retained sufficient management oversight of Blue Canopy to maintain control of its mission and operations in accordance with best practices. Develop a management oversight strategy. Appendix 1: Objectives, Scope, and Methodology, 1.
Footnote: 10 The FDIC separated the information security support services into two contracts to potentially increase the number of vendors that placed bids and to attract higher quality bids by vendors that specialized in only one set of services. Blue Canopy performed a range of cybersecurity and privacy support services for the FDIC. The FDIC response indicated that its planned corrective actions will include surveying recognized practices and procedures associated with contracts supporting essential functions. How the contract is to be administered, including how inspection and acceptance corresponding to the statement of work or statement of objectives performance criteria is to be enforced. Ultimately, the GAO concluded that without guidance for documenting and updating the planned Federal oversight personnel needed, and identifying oversight tasks, DHS cannot mitigate the risks associated with service contracts in need of heightened management attention. Program Office. As previously noted, Blue Canopy's services represented a significant percentage of the OCISO's annual operating expenses. Corrective Action: The FDIC includes significant information regarding acquisition strategy, contract oversight and performance measures, and other controls in current board cases for contracts or BOAs over $20 million. The FDIC will also complete an annual performance review of MSSP and SPPS contractors. Nevertheless, the comprehensive nature of the risk management framework includes many FDIC functions that might be classified as critical.
In response to this recommendation, the FDIC will review its risk inventory and conduct an assessment to determine if the current risk inventory sufficiently addresses the underlying risks presented in the OIG's report, irrespective of the specific use of the term "critical function." Recommendation 4: Conduct a procurement risk assessment for Critical Functions during the procurement planning process, for each contract involving Critical Functions. In addition, the contract did not stipulate that Blue Canopy should already have had the appropriate protections for backing up information, and maintaining disaster recovery and contingency plans with sufficiently detailed operating procedures. For example, if not managed and supervised prudently, the agency may: Footnote: 1 According to FDIC Directive 1500.6, Continuity of Operations (COOP) Program (November 2019), Essential Functions are a subset of government functions that are determined to be critical activities. As such, we have concurred or partially concurred with all of the OIG recommendations. According to the FDIC's Legal Division, OMB Policy Letter 11-01 does not directly apply to the Agency, but it may be used for guidance. Monetary benefits are considered resolved as long as management provides an amount. Based on our review of GAO and industry standards,25 procured services involving contractors result in a greater level of inherent risk than an agency directly performing these services. Results of oversight activities for material third-party arrangements should be periodically reported to the financial institution's board of directors or designated committee. NIST S.P. Best Practices: 8. The objective of these reviews should address the controls' effectiveness in deterring or mitigating the agency's over-reliance on the contractor, and ensuring that the agency maintains control of its mission and operations.
Based upon the best practices, these processes should include the following: Procurement Risk Assessment. Contracting Officer prepares contract documents. instruments including, for low dollar non-complex purchases, purchase. A breach or disruption in these services could impact the security, confidentiality, integrity, and availability of FDIC information. In addition, it should be noted that the OIG's findings and recommendations on the FDIC's procurement process for Critical Functions cover all such contracts and are not limited to the Blue Canopy contracts. The GAO report, DHS Service Contracts: Increased Oversight Needed to Reduce the Risk Associated with Contractors Performing Certain Functions (GAO-20-417) (May 2020), found, in part, that DHS did not consistently plan for the level of Federal oversight needed for certain contracts because there was no guidance on how to document and update the number of Federal personnel needed to conduct oversight. Previously, we found that the FDIC had hired Blue Canopy to assess the same IT security controls that it had designed and executed. In particular, a loss of control could result in actions and decisions that are not in the public interest, and instead may be focused on the contractor's business development, profitability, or unsuitable influences. GAO Recommendations. An effective third-party risk management process has four elements: o Due diligence in selecting a third-party service provider. 13) Report to the Board about the Award Profile Reports and corresponding status reports for procured Critical Functions during the contract management phase of the acquisition process, on an individual and aggregate contract basis, for its consideration.
Results of testing of these plans should be provided to the financial institution. Those designated contracts would then be subject to a risk assessment process to ensure the FDIC maintains control over the function for which services are being procured, has an appropriate contract oversight structure, and includes contract provisions commensurate with risks. For this report, risks must be considered in regard to procurement operations and IT services for Critical Functions. : 12; Corrective Action: Taken or Planned - The FDIC will consider additional reporting requirements related to contracts for essential functions or for services necessary during a business continuity event, including where such functions are performed by a single vendor, in conjunction with the study and actions described in response to Recommendation 1.; Expected Completion Date: March 31, 2022; Monetary Benefits: $0; Resolved-a - Yes or No: No; Open or Closed-b: Closed; Row 13: ; Rec. Footnote: 13 The Federal Information Security Modernization Act of 2014 (FISMA) amended and clarified the Federal Information Security Management Act of 2002. GAO also found that DHS personnel did not identify specific oversight activities they conducted to mitigate the risk of contractors performing functions in a way that could become inherently governmental. Best Practices for Conducting Periodic Reviews of Controls and Processes, 6. 2020-005). Figure 1: The FDIC's Existing Acquisition Process. According to this guidance, a "[r]isk assessment is fundamental to the initial decision of whether or not to enter into a third-party relationship."
In particular, the guidance states that "[a]fter selecting a third party, management should ensure that the specific expectations and obligations of both the financial institution and the third party are outlined in a written contract prior to entering into the arrangement." We identified the following commonly acknowledged best practices from selected sources. The FDIC incorporates those processes or practices that support its unique circumstances, recognizing that what has worked well elsewhere or what other organizations have implemented may not work well for the FDIC or might be counterproductive to performance and efficiency, the goal of best business practices. In addition, GSA, NASA, USDA, DOE, OCC, NCUA, and CFPB have procedures to oversee the contractor's performance and their own personnel's oversight of a contractor. OMB: The source identified this item; GAO: The source identified this item; Industry Standard: The source identified this item; Select Federal Agencies: The source identified this item; OMB Guidance.
On March 26, 2021, the FDIC's Deputy to the Chairman, Chief of Staff, and Chief Operating Officer provided a written response to a draft of this report (FDIC Response), which is presented in its entirety in Appendix 5. To resolve these 12 recommendations, we would expect that the FDIC provide a clear indication of the specific actions within the next 6 months, and we will determine whether the recommendations may be converted to being resolved at that time, or whether they will remain as unresolved. For the 12 unresolved recommendations, the FDIC plans to consider and further study the issues and does not intend to implement corrective actions for another year (between March 31 and June 30, 2022). Industry Standard. If the FDIC does not manage the risks associated with Critical Functions prudently, it may: Become over-reliant on a third party to achieve its mission and conduct operations; Fail to control the Agency's mission and operations; Create inefficiencies through increased cost and decreased operational effectiveness; Fail to identify and evaluate alternative courses of action; Fail to provide independent judgments and informed oversight; and. Best practices recommend that an agency implement heightened contract monitoring for procured Critical Functions, to the same extent as if the services were performed internally. The Board approves the execution of contracts with dollar values over $20 million and contract modifications to contracts previously approved by the Board that increase the award amount or period of performance by more than 15 percent. Management concurred with 1 of the 13 recommendations, and plans to complete corrective action by May 31, 2021.
The evaluation's scope included our review of Blue Canopy's two existing contracts39 with the FDIC's Chief Information Officer Organization to determine if Blue Canopy performed Critical Functions within the FDIC's operations; and, if so, whether the FDIC sufficiently oversaw Blue Canopy to maintain control of the Agency's mission and operations. Gained an understanding of Federal procurement and oversight control processes by reviewing Federal regulations, government-wide guidance, and best practices, including: o Office of Management and Budget Office of Federal Procurement Policy, Policy Letter 11-01, Performance of Inherently Governmental and Critical Functions (September 2011); o OMB Circular A-76, Performance of Commercial Activities (May 2003); o Federal Activities Inventory Reform Act of 1998 (October 1998); and. Recommendation 5: Develop and implement a management oversight strategy for Critical Functions during the procurement planning process, for each contract involving Critical Functions. Specifically, the FDIC did not discuss with the Board its procurement risk assessment, management oversight strategy, contract structuring, and ongoing monitoring reports for the procured Critical Functions. OMB Policy Letter 11-01 advises certain agencies that they should ensure that Federal employees perform and/or manage Critical Functions to the extent necessary for the agency to operate effectively and maintain control of its mission and operations. ; OMB: The source identified this item; GAO: The source identified this item; Industry Standard: The source identified this item; Select Federal Agencies: The source identified this item; GAO Recommendations. Ultimately, the GAO concluded that without guidance for documenting and updating the planned Federal oversight personnel needed, and identifying oversight tasks, DHS cannot mitigate the risks associated with service contracts in need of heightened management attention. Footnote: 6 12 U.S.C.
The FDIC's Legal Division provides legal advice and counsel to Contracting Officers to ensure that acquisitions and other contract actions are conducted in accordance with governing laws and FDIC policy. Determine when and how to assess for contractor over-reliance as part of the management oversight strategy. The FDIC also did not document a cost effectiveness analysis, as recommended by best practices. For example, as noted above, the following agencies noted heightened contracting monitoring, such as: o Determine Contract Structure. The FDIC did not perform a procurement risk assessment for Critical Functions obtained from Blue Canopy during the procurement planning process. The FDIC, however, has expressed reluctance to incorporate the term "Critical Function" into its process, as that term is used and defined in OMB Policy Letter 11-01. Due to the dollar value of these procurements, the FDIC submitted and briefed a Board Case to the FDIC Board of Directors to receive authority to award the contracts. The Federal Deposit Insurance Corporation (FDIC) procures goods and services from contractors in support of its mission. : 2; Corrective Action: Taken or Planned - The FDIC plans to further address this recommendation through the study and actions described in its response to Recommendation 1.; Expected Completion Date: March 31, 2022; Monetary Benefits: $0; Resolved-a - Yes or No: No; Open or Closed-b: Closed; Row 3: ; Rec. A CIOO official also stated that the contractor was responsible for ensuring uninterrupted support of services, if the FDIC determined that Blue Canopy provided services essential or critical to the FDIC mission. Implement periodic reviews for procured Critical Functions, including for the BOAs and task orders for Managed Security Services Provider and Security and Privacy Professional Services.
[Figure: FDIC Total Awards by Socio-Economic Categories, January 1 - December 31, 2020. Bar chart of award dollars (in millions) and percent of total FDIC awards by category: 8(a), HUBZone, Veteran Owned, Service Disabled Veteran Owned, Women Owned, Small Disadvantaged, Minority Owned, and MWOB.] However, as explained above, the FDIC did not deem Blue Canopy to provide services essential or critical to the FDIC mission, so this is a moot point. ; OMB: The source did not mention this item; GAO: The source did not mention this item; Industry Standard: The source identified this item; Select Federal Agencies: The source did not mention this item; Industry Standard. While the Award Profile Reports described the procured services, assessed contractor performance, tracked fund utilization/allocation, and assessed FDIC contract oversight, the FDIC did not identify Blue Canopy's procured services as Critical Functions. We recommend that the Deputy to the Chairman and Chief Operating Officer: 1) Incorporate the provisions of OMB Policy Letter 11-01 guidance into the FDIC Acquisition Policy Manual (August 2008) and Acquisition Procedures, Guidance and Information document (January 2020). Determine contract structure. One of the risk management process's four main elements is contract structuring and review. Every contractor who is awarded an FDIC contract is required to be registered with the System for Award Management (www.SAM.gov). Critical Functions, on the other hand, are broader and cover all functions that are necessary to the agency being able to effectively perform and maintain control of its mission and operations. NASA, USDA, and CFPB performed, or considered it a best practice to perform, strategic human capital planning.
While Blue Canopy personnel were subject to the FDIC's onsite information security protocols, more proactive controls should have been employed to validate that FDIC data had been retained onsite and not transferred to the contractor's facilities or systems. Conduct a procurement risk assessment for Critical Functions during the procurement planning process, for each contract involving Critical Functions. To address our objectives, we conducted the following procedures: Analyzed Blue Canopy's contracts and contractual services for Critical Functions by comparing and contrasting activities to the following: o Other best practices the OIG identified; and. Ongoing efforts to improve the FDIC's acquisition services and oversight management programs will incorporate additional structure and discipline around certain contracts that support essential functions or involve services needed in a business continuity event, consistent with the recommendations in the OIG report. However, the OIG concluded that the FDIC did not have policies and procedures for identifying critical functions in its contracts and did not implement heightened monitoring activities for the Blue Canopy contracts consistent with the requirements of OMB Policy Letter 11-01. Corrective Action: In addition to current practices, the FDIC plans to address this recommendation through the study and actions described in our response to Recommendation 1. To assist in performing oversight activities for complex contracts for services, the oversight manager must work with the contracting officer to develop a contract management plan.
The Federal Deposit Insurance Corporation (FDIC) is an independent agency. These periodic reviews should be focused on targeted controls or areas of performance (such as personnel performance or human capital planning), and/or performed more broadly (such as a contractor over-reliance assessment). Within the FDIC's Enterprise Risk Management Risk Inventory (October 2019), the FDIC recognized that the Agency was subject to significant risk related to a cyber-attack and/or data breach resulting in the loss of Personally Identifiable Information, and disruptions in system operations and data availability. For example, the following agencies noted heightened contracting monitoring, such as: o Identify and Monitor for Critical Functions. Best Practices: 2. 2) Identify Critical Functions during the procurement planning, award, and contract management phases of the acquisition process. Procurement Planning: Program Office identifies the Critical Function to be procured within procurement planning documents. The FDIC develops a management oversight strategy for contracts and assigns responsibility to FDIC contracting officers, oversight managers, and technical monitors to oversee contractors based on the risk and complexity of the contract. Based on our review, we found that the Blue Canopy contracts provided limited coverage of the contractor's obligations and responsibilities for the following:30. However, while Blue Canopy operated within the FDIC's information systems and facilities, the value that Blue Canopy provided was in its human capital.
In particular, the Federal Deposit Insurance Act authorizes the FDIC "[t]o make contracts," "[t]o appoint such officers and employees to define their duties," and "[t]o prescribe, by its Board of Directors, bylaws regulating the manner in which its general business may be conducted." Existing Acquisition Procedures for Contract Planning, Oversight, and Reporting. In particular, the board should be involved in the following stages of an effective third-party risk management program for procured critical functions: o Risk assessment. The criticality of the function depends on the mission and operations, which will differ between agencies and within agencies over time. Program Office and Contracting Officer prepare acquisition documents. Specifically, the FDIC calculated that it would cost the FDIC an additional $2.55 million to procure the services ($26,387,825 versus $23,834,747).29 However, the FDIC did not include this information in the Board Case Package, nor was it discussed with the Board, as demonstrated by the corresponding Board minutes. A Risk Inventory is a list of the risks facing the agency. Incorporate the provisions of OMB Policy Letter 11-01 guidance into the FDIC Acquisition Policy Manual (August 2008) and Acquisition Procedures, Guidance and Information document (January 2020). These services are critical to ensuring the security and protection of the FDIC's Information Technology infrastructure and data. Such an approach reduces the chances of the FDIC being overly reliant on an individual vendor. Footnote: 14 The FDIC's Privacy Program is a risk-based program that focuses on protecting the privacy rights of individuals by ensuring that Personally Identifiable Information is handled and protected in accordance with applicable Federal and FDIC requirements and industry standards.
In particular, the policy letter states that agencies should determine whether their procurement requirements involve the performance of Inherently Governmental Functions, Functions Closely Associated with Inherently Governmental Functions, or Critical Functions. An oversight program will generally include monitoring of the third party's quality of service, risk management practices, financial condition, and applicable controls and reports. The FDIC wants a handful of vendors to join the contract, but just one will get the bulk of the work. Over a 3-year period, from 2017 to 2019, the FDIC awarded nearly 4,000 contracts valued at more than $1.3 billion. In 2019, the services provided by Blue Canopy comprised 38.3 percent ($16.2 million) of the OCISO's annual operating expenses ($42.3 million). The FDIC did not have a process for identifying Critical Functions in procurements at the outset, and this gap created a cascading effect of shortfalls in overseeing Critical Functions. As noted above, the OIG identified best practices from OMB Guidance, the GAO, industry standards, and Federal agencies. Industry Standard. Summary of the FDIC's Corrective Actions, 1. The FIL does not separately detail specific procedures applicable to critical functions, but rather provides a general framework to provide appropriate oversight and risk management of significant third-party relationships, including those in which a third party performs critical functions. The FIL recommends increasing levels of control for more complex or higher-risk activities. According to the Council of the Inspectors General on Integrity and Efficiency's Quality Standards for Inspection and Evaluation, evaluations are systematic and independent assessments of the design, implementation, and results of operations, programs, or policies.
Best practices recommend that contractors have business resumption and contingency plans in place and tested. Our evaluation assessed whether Blue Canopy performed Critical Functions as determined by OMB Policy Letter 11-01 and best practices; and if so, whether the FDIC retained sufficient management oversight of Blue Canopy to maintain control of its mission and operations in accordance with best practices.
