[Figure: FDIC Total Awards by Socio-Economic Categories, January 1 - December 31, 2020. Bar chart of award totals and percent of total FDIC awards by category: 8(a), HUBZone, Veteran Owned, Service Disabled Veteran Owned, Women Owned Small Business, Minority Owned, MWOB, and Disadvantaged Business.]

Perform a procurement risk assessment. As a result, the GAO recommended that DHS should (1) develop a risk-based approach for reviewing service requirements to ensure proposed service requirements are clearly defined and reviewed before planning how they are to be procured; (2) update the Inherently Governmental and Critical Functions Analysis to provide guidance for analyzing, documenting, and updating the federal workforce needed to perform or oversee service contracts requiring heightened management attention; and (3) [develop] guidance identifying oversight tasks or safeguards personnel can perform, when needed, to mitigate the risk associated with contracts containing functions closely associated with inherently governmental functions, special interest functions, or critical functions. An effective third-party risk management process has four elements:
- Due diligence in selecting a third-party service provider.
FDIC agreed with GAO's two recommendations and described planned actions to address each recommendation. A risk/reward analysis should be performed for significant matters, comparing the proposed third-party relationship to other methods of performing the activity or product offering, including the use of other vendors or performing the function in-house.
Recommendation 6: Determine the contract structure during the solicitation and award process for the procurement of a Critical Function. Footnote: 30 The FDIC has warned its regulated institutions to identify contractual requirements critical to the ongoing assessment and control of risks and, therefore, the FDIC should do the same in its contracts. Industry Standard. A breach or disruption in these services could impact the security, confidentiality, integrity, and availability of FDIC information. The FDIC's acquisition procedures are also consistent with the FDIC's Guidance for Managing Third-Party Risk (FIL-44-2008). As noted above, the OIG identified best practices from OMB Guidance, the GAO, industry standards, and Federal agencies. The FDIC did not conduct periodic reviews of controls and processes for Critical Functions obtained from Blue Canopy during the contract management process, even though the Agency dedicated more than 38 percent of its Information Technology security budget to Blue Canopy services in 2019. Based on the agencies we interviewed, 75 percent (6 of 8) of Federal agencies had contracting policies, procedures, and controls that address Critical Functions. The FDIC acknowledged that it is engaged in efforts to improve its acquisition services and oversight management programs. 1.405(b). However, the FDIC's Risk Inventory did not recognize procured Critical Functions as a separate and distinct risk, or as an analytical factor in determining inherent or residual risk related to the risks associated with cybersecurity and privacy support services.
The Risk Inventory includes an assessment of impact and likelihood, and risks are prioritized and summarized into one of four risk levels: critical, significant, moderate, and low. According to a CNN news article titled "BearingPoint files for bankruptcy" (February 2009), "[t]he McLean, Virginia-based company, which began as the consulting arm of KPMG LLP and later struggled with accounting problems and a U.S. Securities and Exchange Commission probe, has been laboring under heavy debt exacerbated by an acquisition spree between 1999 and 2002." Of particular note, the failure to identify Critical Functions during the procurement planning phase results in a cascading failure throughout the acquisition process. The FDIC Division of Administration (DOA) awarded 2,633 contracts valued at $2.85 billion over the 5-year period 2017-2021, averaging $570 million annually. In particular, the FDIC should have a process for ensuring that specific expectations and obligations of both parties are outlined in a written contract prior to entering into the arrangement. Footnote: 7 The Technical Monitor is responsible for assisting the Oversight Manager in monitoring and evaluating contractor performance under an FDIC contract. As previously noted, the FDIC and Blue Canopy's contractual arrangement allowed Blue Canopy to assess certain security controls, including configuration management controls. In particular, Federal employees must be able to understand the agency's requirements, formulate alternatives, manage the work product, monitor the contractors used to support the Federal workforce, and adequately mitigate the potential impact on mission performance if contractors were to default on their obligations.
Consistent with that approach, the FDIC will continue to adopt those portions of the OMB Policy Letter that support its unique operations, while the Policy Letter overall continues to be inapplicable by operation of law. Footnote: 16 The FDIC Legal Division concluded that OMB Policy Letter 11-01 did not apply to the FDIC, because (1) the FDIC did not fall within the definition of "executive agency" in the Office of Federal Procurement Policy Act; and (2) the FDIC was not funded by congressionally appropriated funds. GAO also found that DHS personnel did not identify specific oversight activities they conducted to mitigate the risk of contractors performing functions in a way that could become inherently governmental. The FDIC did not develop a management oversight strategy for Critical Functions obtained from Blue Canopy during the procurement planning process, as part of the procurement risk assessment. Additional appendices include acronyms and abbreviations, the Agency's comments on a draft of this report, and a summary of the Agency's corrective actions. According to the FDIC's Legal Division, OMB Policy Letter 11-01 does not directly apply to the Agency, but it may be used for guidance. Over a 3-year period, from 2017 to 2019, the FDIC awarded nearly 4,000 contracts valued at more than $1.3 billion. Appendix 6: Summary of the FDIC's Corrective Actions. Previously, we found that the FDIC had hired Blue Canopy to assess the same IT security controls that it had designed and executed.
Further, if the agency does not establish and maintain a proper control environment, it may lose control of its mission and operations. Without the requisite analysis, the FDIC cannot be assured that it has appropriately identified and mitigated the existing procurement and operational risks. In particular, the policy letter states that "[a]gencies shall develop and maintain internal procedures to address the requirements of this guidance." Conduct a procurement risk assessment for Critical Functions during the procurement planning process, for each contract involving Critical Functions. The FDIC's acquisition procedures and practices are also consistent with the FDIC Financial Institution Letter (FIL), Guidance for Managing Third-Party Risk (FIL-44-2008), which the OIG also used as criteria for the evaluation. However, if the agency cannot provide a sufficient number of knowledgeable staff to oversee the contracts, the contractors could inappropriately influence government decision-making. Solicitation and Award: the Program Office, DOA Acquisition Services Branch, and Legal Division identify the Critical Function within solicitation and award documents. To resolve these 12 recommendations, we would expect the FDIC to provide a clear indication of the specific actions within the next 6 months, and we will determine at that time whether the recommendations may be converted to resolved or whether they will remain unresolved. For the 12 unresolved recommendations, the FDIC plans to consider and further study the issues and does not intend to implement corrective actions for another year (between March 31 and June 30, 2022). The FDIC stated that it partially concurred with the remaining 12 recommendations; however, the FDIC's response did not provide specific actions taken or planned.
Upon completion of the corrective actions and before closing the recommendations, we will review the FDIC's actions to ensure that the revised acquisition process includes guidance for identifying planned procurements of Critical Functions and implementing heightened contract monitoring for Critical Functions. As a result, the GAO recommended, in part, that DOD should revise existing workforce policies and procedures to address the determination of the appropriate workforce mix. The contractor successfully performed all required tasks under both contracts, and received "excellent" and "outstanding" ratings in annual performance reviews, with the exception of one "good" rating on one contract for one rating period. OMB Policy Letter 11-01 advises certain agencies that they should ensure that Federal employees perform and/or manage Critical Functions to the extent necessary for the agency to operate effectively and maintain control of its mission and operations. The Contracting Officer, with the help of the Oversight Manager and Technical Monitor, manages the contract and contractor performance. Footnote: 23 According to the FDIC's Enterprise Risk Management Standard Operating Procedure (May 2020), Residual Risk is the exposure remaining from an inherent risk after action has been taken to manage it. In addition, NASA considered internal capability when procuring a Critical Function, and CFPB ensured that Contracting Officers had appropriate backgrounds, such as Information Technology expertise for procured Information Technology services. Footnote: 20 Enterprise Risk Management (ERM) is an agency-wide approach to addressing internal and external risks facing an agency. NASA, USDA, and CFPB performed, or considered it a best practice to perform, strategic human capital planning. As noted previously, in October 2019, the FDIC changed its procurement strategy for these Critical Functions from two contracts to two BOAs and included multiple service providers on the BOAs.
Through the two contracts, Blue Canopy provided the following services: (1) Information Security and Privacy Support Services for the FDIC's Security Operations Center (SOC) and Computer Security Incident Response Team (C-SIRT). With this approach in mind, the FDIC will consider the processes, practices, and systems that the OIG identified, among others, to enhance our existing policies. DOA will revise the APM and PGI to reflect any resulting process and control enhancements.