In particular, the official stated that the IGCE included a comparison of the costs to conduct the planned activities internally against the cost for a vendor(s) to perform those same activities. DOA will revise the APM and PGI to reflect any resulting process and control enhancements. Contract Oversight. Estimated Completion Date: March 31, 2022. Ultimately, if an agency fails to ensure proper management and oversight of procured Critical Functions, contractors may take actions that are not based on informed, independent judgments made by Government officials. Conduct periodic reviews of controls and processes. Neither the Board Case Package nor the Board meeting minutes reflected that the FDIC discussed with the Board its procurement risk assessment and management oversight strategy, planned contract structuring, and ongoing monitoring controls and reports for the procured Critical Functions. Contract Management: Program Office and DOA Acquisition Services Branch identify the Critical Function within contract oversight documents and reports to the FDIC Board. Agencies need to establish a proper internal control environment to oversee and maintain control of their operations. Incorporate the provisions of OMB Policy Letter 11-01 guidance into the FDIC Acquisition Policy Manual (August 2008) and Acquisition Procedures, Guidance and Information document (January 2020). Further, if the agency does not establish and maintain a proper control environment, it may lose control of its mission and operations. Develop a management oversight strategy. Results of oversight activities for material third-party arrangements should be periodically reported to the board of directors or designated committee. 
The GAO report, Human Capital: Additional Steps Needed to Help Determine the Right Size and Composition of DOD's Total Workforce (GAO-13-470) (May 2013), found, in part, that DOD's current policies did not fully reflect federal policy concerning the identification of Critical Functions. The FDIC acknowledged the importance of the procured function in the Board Case, contract statement of work, and acquisition plans, the latter stating that services were critical to ensuring the security and protection of FDIC's IT infrastructure and data. The FDIC relies on the results of security control assessments to identify security weaknesses and inform key risk management decisions. Within this report, the OIG recommended that the FDIC "[e]stablish requirements to ensure the independence of security control assessors." The FDIC did not have a process for identifying Critical Functions in procurements at the outset, and this gap created a cascading effect of shortfalls in overseeing Critical Functions. Further, the FDIC's Risk Inventory did not recognize the specific risks related to Blue Canopy performing such a large percentage of the FDIC's IT security budget. However, as explained above, the FDIC did not deem Blue Canopy to provide services essential or critical to the FDIC mission so this is a moot point. In addition, the contract did not stipulate that Blue Canopy should already have had the appropriate protections for backing up information, and maintaining disaster recovery and contingency plans with sufficiently detailed operating procedures. 
The MSSP BOA includes provisions which carry monetary penalties should the vendor default against an SLA and incentives to extend the period of performance by demonstrating sustained excellent performance in meeting all SLAs. As a result, the reports did not identify for the Board information on the procurement and oversight of procured Critical Functions on an individual and aggregate contract basis as suggested by best practices. OIGs use evaluations to determine the efficiency, effectiveness, impact, and sustainability of operations, programs, or policies. All deliverables delivered and accepted. In addition, the FDIC will consider and further study potential methodologies for assessing contractor overreliance, including how other agencies make such determinations. Federal agencies have processes to identify, record, monitor, and report on procured Critical Functions. Phase 2: Solicitation and Award - DOA Acquisition Services Branch, in consultation with the Program Office and the Legal Division, solicit and finalize the contract structure (key provisions) for the acquisition of a Critical Function with the selected service provider. Industry Standard. Corrective Action: The FDIC's existing acquisition policy, as a comprehensive framework, incorporates many of the risk management principles referenced by the OIG in its audit and incorporated in OMB Policy Letter 11-01. The objective of these reviews should address the controls' effectiveness in deterring or mitigating the agency's over-reliance on the contractor, and ensuring that the agency maintains control of its mission and operations. Therefore, the FDIC did not identify the Information Technology services performed by Blue Canopy as Critical Functions during the procurement planning phase, solicitation and award phase, or contract management phase of the acquisition process. 
Table 2 illustrates the services performed by Blue Canopy that we identified as Critical Functions based on National Institute of Standards and Technology Special Publication 800-53, Revision 5 (NIST S.P. The FDIC awarded both procurements competitively utilizing a best value approach. Management should identify performance criteria, internal controls, reporting needs, and contractual requirements that would be critical to the ongoing assessment and control of risk in contracts containing Critical Functions. When procuring Critical Functions, agencies considered strategic human capital planning analyzing agency staff resources, internal capability and capacity, and cost. Our evaluation assessed whether Blue Canopy performed Critical Functions as determined by OMB Policy Letter 11-01 and best practices; and if so, whether the FDIC retained sufficient management oversight of Blue Canopy to maintain control of its mission and operations in accordance with best practices. The FDIC Division of Administration (DOA) awarded 2,633 contracts valued at $2.85 billion over the 5-year period 2017-2021, averaging $570 million annually. We recognize that the FDIC calculated and presented to the Board the Independent Government Cost Estimates (IGCE)28 that were used to conclude on the reasonableness and feasibility of the proposals received. 
: 10; Corrective Action: Taken or Planned - The FDIC plans to address this recommendation through the study and actions described in its response to Recommendation 1.; Expected Completion Date: March 31, 2022; Monetary Benefits: $0; Resolved-a - Yes or No: No; Open or Closed-b: Closed; Row 11: ; Rec. Conversely, the FRB stated that they do not contract out Critical Functions. One of the risk management process's four main elements is contract structuring and review. Our attendees visit the exhibition to get a first-hand look at the latest products, technologies and services on the market. Best Practices: 8. The OIG previously reported on the FDIC's implementation of Enterprise Risk Management and concluded that improvements will help ensure that risks across the FDIC are considered, for example, as part of operations support and program management. The FDIC, instead, uses a best value method especially for acquisitions requiring innovative solutions or a high level of technical expertise that allows for the evaluation of technical factors in addition to price and past performance. ; OMB: The source identified this item; GAO: The source did not mention this item; Industry Standard: The source identified this item; Select Federal Agencies: The source identified this item; The OMB policy letter also states that "[w]here a critical function is not inherently governmental, the agency may appropriately consider filling positions dedicated to the function with both Federal employees and contractors." The APM requires FDIC program offices and the contracting officer to work together to conduct market research to support all acquisition planning. NIST S.P. As discussed in our report, the FDIC could have done more to identify and oversee procured Critical Functions. 
The GAO report, DHS Service Contracts: Increased Oversight Needed to Reduce the Risk Associated with Contractors Performing Certain Functions (GAO-20-417) (May 2020), found, in part, that DHS did not consistently plan for the level of Federal oversight needed for certain contracts because there was no guidance on how to document and update the number of Federal personnel needed to conduct oversight. Federal Agencies. Through competition, the FDIC is able to compare the value of competing technical proposals and prices in order to determine which proposal affords the best value. Program Office and Contracting Officer jointly develop acquisition plan. o Perform a Cost Effectiveness Analysis. Analyzed the FDIC's oversight of Blue Canopy to maintain control of the Agency's mission and operations by: o Comparing and contrasting management procurement and oversight activities to best practices the OIG identified; and. The FDIC requires support across the entire IT application lifecycle including: creation (requirements, design, development, testing, deployment), configuration, integration, migration, enhancement, support, maintenance, operations, decommissioning, and other associated services for all FDIC owned applications, either in use today or deployed Management should consider, in part, the following corrective measures for identified instances of contractor over-reliance: (1) reviewing and adjusting contractor services; (2) reassessing and adjusting human capital needs (staff and funding); (3) in-sourcing all or part of the function; (4) reviewing the contracting process from beginning to end to understand how the agency lost control; and (5) reestablishing or strengthening controls over contractor responsibilities. 
: 8; Corrective Action: Taken or Planned - Following the FDIC's study discussed in response to Recommendation 1, the CIOO will assess whether any additional enhancements to the management oversight strategy for the Managed Security Services Provider and Security and Privacy Professional Services BOAs and task orders are needed beyond those already incorporated. As previously noted, Blue Canopy's services represented a significant percentage of the OCISO's annual operating expenses. Wisconsin Department of Employee Trust Funds PO Box 7931 Madison WI 53707-7931 1-877-533-5020 (toll free) Fax 608 -267 4549 Proposed Amendment to FDIC Bank Option Contract February 9, 2021 Page 2 Staff recommends the Board amend the FDIC bank option contract (ETJ0050) as shown to provide an interest rate floor of 15 basis points. Contract Planning. However, the FDIC did not make the determination that Blue Canopy provided essential or critical services, even though the Agency dedicated more than 38 percent of its IT security budget to Blue Canopy services. Ultimately, absent specific policies and procedures on this process, DOD may lack assurance that it retains enough government employees to maintain control over these important functions. It is an independent government corporation created by Congress to maintain stability and public confidence in the nation's banking system. Market Research and Competition. Corrective Action: The FDIC includes significant information regarding acquisition strategy, contract oversight and performance measures, and other controls in current board cases for contracts or BOAs over $20 million. 
This potentially jeopardizes the FDIC's ability to maintain control of its mission and operations by failing to ensure that government actions are taken as a result of informed, independent judgments made by government officials; work products are adequately managed; and contractors are appropriately monitored. Last summer, the agency's inspector general issued a report saying the agency needed to improve its IT governance practices. Best Practices: 1. Appropriate legal counsel should also review significant contracts prior to finalization. Ongoing monitoring. For example, as noted above, the following agencies noted heightened contracting monitoring, such as: o Perform Periodic Reviews. Therefore, the FDIC needed proper oversight of the Critical Functions performed by Blue Canopy to ensure such a breach or disruption of service did not occur. Ultimately, as recommended by best practices, a complete cost effectiveness analysis for Critical Functions, clear and distinct from the IGCE, should be performed and presented to the Board for its review and consideration. In particular, the policy letter states that agencies should determine whether their procurement requirements involve the performance of Inherently Governmental Functions, Functions Closely Associated with Inherently Governmental Functions, or Critical Functions. OIGs may also use evaluations to share best practices and approaches. In particular, the board should be involved in the following stages of an effective third-party risk management program for procured critical functions: o Risk assessment. Identify planned procurement of Critical Functions. Footnote: 25 GAO, Standards for Internal Control in the Federal Government (GAO-14-704G) (September 2014); and the FDIC's Financial Institution Letter, Third-Party Risk Guidance for Managing Third-Party Risk (FIL-44-2008) (June 2008). 
The FIDIC bills the 2021 Green Book as a shorter and simpler alternative to its Red and Yellow Books, for projects where parties want to avoid committing significant resources to contract. - August 10, 2020 - DMI, a leading mobility services and digital transformation company, has won a single-award Blanket Purchase Agreement (BPA) from the Health Resources and Services Administration (HRSA), an agency of the U.S. Department of Health and Human Services, to modernize its Electronic Handbook (EHB) program. The Federal Deposit Insurance Act authorizes the FDIC to acquire services and to establish policies and procedures to achieve its mission and operations.6 The FDIC's acquisition process involves a number of organizations within the Agency, including the Program Office that initiates a procurement to obtain the services or goods it needs, the Division of Administration's (DOA) Acquisition Services Branch (ASB), the Legal Division, and the FDIC Board of Directors (Board). To increase competition and diversity of firms providing information security and privacy services, reduce the FDIC's reliance on a single vendor for these services, and improve contract oversight and vendor management, the FDIC sought and received Board approval in October 2019 to initiate two contract actions to replace the existing Blue Canopy contracts with new BOAs and task orders.