Separate from the prior OIG review, the FDIC also made a management determination to reduce our reliance on a single contractor for information security and privacy services. The official also stated that, in conjunction with the IGCE, the CIOO conducted an analysis to determine whether the FDIC's costs associated with Information Security and Privacy support services were in line with other Federal agencies. Best Practices: 2. Following the FDIC's study discussed in response to recommendation 1, the CIOO will assess whether any additional enhancements to the management oversight strategy for the MSSP and SPPS BOAs and task orders are needed beyond those already incorporated. In addition, NASA considered internal capability when procuring a Critical Function, and CFPB ensured that Contract Officers had appropriate backgrounds, such as Information Technology expertise for procured Information Technology services. Periodic reviews should determine if the agency needs to take corrective measures to address any over-reliance on contractors for Critical Functions.27. The FDIC also did not identify the contract structure as recommended by best practices. The FDIC is an independent federal agency with a mission of maintaining stability and public confidence in the nation's financial system by insuring bank deposits, examining and supervising financial institutions for safety and soundness and consumer protection, making large and complex financial institutions resolvable, and managing receiverships. Corrective Actions: Existing acquisition processes and procedures help limit the likelihood of such an occurrence; however, the FDIC will examine whether additional controls are necessary in conjunction with the study and actions described in our response to Recommendation 1. This text file was formatted by the FDIC OIG to be accessible to users with visual impairments.
GSA, NASA, USDA, DOE, and OCC have policy and procedures to prevent over-reliance on a contractor, and specific corrective measures to address instances of contractor over-reliance. Row 1: ; Rec. Footnote: 23 According to the FDIC's Enterprise Risk Management Standard Operating Procedure (May 2020), Residual Risk is the exposure remaining from an inherent risk after action has been taken to manage it. Management should also ensure that the statement of work recognizes the procurement of Critical Functions. A management oversight strategy considers, for example, the contract structure (including key provisions) for procuring Critical Functions, and oversight tasks personnel can perform. In planning this procurement, the CIO assessed whether FDIC staff or contractors should perform the work. The FDIC also did not document a cost effectiveness analysis, as recommended by best practices. Footnote: 31 According to FIL-44-2008, for reports, [t]he contract should specify the type and frequency of management information reports to be received from the third party. 3501 Fairfax Drive, Room VS-E-9068, Arlington, VA 22226. Monday, August 9, 2021 For Release WASHINGTON - The Federal Deposit Insurance Corporation (FDIC) today requested that four companies submit proposals as part of the next phase of an ongoing Rapid Phased Prototyping Competition (RPP) in order to accelerate the adoption of modern technological tools. In addition, routine reviews ensure that both contractor and agency staff know their roles and responsibilities in the event of an unexpected incident, and validate the planned response.
As discussed in detail below, FDIC acquisition policy requires robust acquisition planning that includes consideration of costs, risks, alternatives, contract type, oversight structure, business continuity, security, performance reporting, Board reporting, and, in some instances, Board approval of contracting actions. The Board approves the execution of contracts with dollar values over $20 million and contract modifications to contracts previously approved by the Board that increase the award amount or period of performance by more than 15 percent. This assessment should consider, for example, the sufficiency of the agency's internal capacity and capability to control its mission and operations based on an adequate number of Federal employees with appropriate training, experience, and expertise, and a cost effectiveness analysis to ensure that it is cost effective to contract for the services. While the Award Profile Reports described the procured services, assessed contractor performance, tracked fund utilization/allocation, and assessed FDIC contract oversight, the FDIC did not identify Blue Canopy's procured services as Critical Functions. Results of testing of these plans should be provided to the financial institution. These best practices support the view that the FDIC should establish and document a process for identifying procurements of Critical Functions. The contract should define key contract terminology26 and incorporate key provisions necessary to mitigate the risk associated with procuring Critical Functions. Corrective Action: In addition to current practices, the FDIC plans to further address this recommendation through the study and actions described in our response to Recommendation 1. Management concurs with the recommendation, and the planned, ongoing, and completed corrective action is consistent with the recommendation; or, 2.
An Executive Agency is a Federal agency that is housed under the Executive Office of the President or one of the 15 Cabinet departments within the Executive Branch. Industry Standard. DOA and CIOO officials acknowledged that the FDIC had not incorporated OMB Policy Letter 11-01 (September 2011), and related best practices, into the FDIC's Acquisition Policy Manual (August 2008), or Acquisition Procedures, Guidance and Information (January 2020). We also reviewed documentation and interviewed employees familiar with Blue Canopy's work to determine if the FDIC maintained control of its mission and operations. Board Reporting. The OIG report, Contract Oversight Management (EVAL-20-001) (October 2019), noted that some CIOO Oversight Managers lacked the workload capacity to oversee contracts, and certain Oversight Managers were not properly trained or certified. GAO Recommendations. Management Report: Improvements Needed in FDIC's Internal Control over In 2019, these services comprised 38.3 percent ($16.2 million) of the OCISO's annual operating expenses ($42.3 million). Recommendation 2: Identify Critical Functions during the procurement planning, award, and contract management phases of the acquisition process. Best practices recommend that contractors have business resumption and contingency plans in place and tested. The Defense Intelligence Agency selected 144 vendors to participate in its $12.6 billion Solutions for Information Technology Enterprise (SITE III) contract. Figure 4: Best Practices for Implementing a Management Oversight Strategy. Blue Canopy performed Critical Functions as determined by OMB Policy Letter 11-01 and best practices; and. Oversight Manager and Contracting Officer complete closeout activities.
; OMB: The source identified this item; GAO: The source identified this item; Industry Standard: The source identified this item; Select Federal Agencies: The source identified this item; GAO Recommendations. - August 10, 2020 - DMI, a leading mobility services and digital transformation company, has won a single-award Blanket Purchase Agreement (BPA) from the Health Resources and Services Administration (HRSA), an agency of the U.S. Department of Health and Human Services, to modernize its Electronic Handbook (EHB) program. Based on its study, the FDIC will provide guidance to divisions and offices for assessing the potential for contractor overreliance and maintaining federal control of essential functions or those necessary during a business continuity event. Determine the contract structure during the solicitation and award process for the procurement of a Critical Function. The FDIC will consider additional reporting requirements related to contracts for essential functions or for services necessary during a business continuity event, including where such functions are performed by a single vendor, in conjunction with the study and actions described in response to Recommendation 1. We made 13 recommendations to the FDIC's Deputy to the Chairman and Chief Operating Officer. The primary purpose of the Independent Government Cost Estimate is to assess the reasonableness of the price proposals received from contractors against the Agency's estimated procurement cost. The Federal Deposit Insurance Corp. is looking for IT vendors to provide infrastructure support services as part of a new multiple-award contract worth up to $487.5 million. According to the FDIC's Legal Division, OMB Policy Letter 11-01 does not directly apply to the Agency but it may be used for guidance. Best Practices: 6.
OMB Policy Letter 11-01 requires certain agencies2 to take specific actions, before and after contract award, to prevent contractor performance of Inherently Governmental Functions and to prevent over-reliance on contractors in the performance of Critical Functions. According to the Council of the Inspectors General on Integrity and Efficiency's Quality Standards for Inspection and Evaluation, evaluations are systematic and independent assessments of the design, implementation, and results of operations, programs, or policies. As part of the procurement risk assessment, include a cost effectiveness analysis. o Develop a Management Oversight Strategy. The FDIC's OCISO and DOA submitted to the Board, through its established procurement process, a Board Case Package and Award Profile Reports.38 These documents, however, did not identify the procured services that were Critical Functions nor did they present the planned or implemented heightened oversight management activities for the Critical Function procurements. Footnote: 22 According to the FDIC's Enterprise Risk Management Standard Operating Procedure (May 2020), Inherent Risk is the exposure arising from a specific risk before any action has been taken to manage it beyond normal operations. The PGI requires the oversight manager, together with the contracting officer, to determine the level of oversight that is necessary to ensure the contractor makes satisfactory progress toward the successful completion of the terms of the contract. While the solicitation targets three vendors to join the basic ordering agreement, under which the FDIC would issue individual task orders for work needed, the agency says one of the vendors will get the bulk of the work through an initial order for Managed Services to support the FDIC IT infrastructure environment.
That task order alone will be worth $250 million over five years, with extensions possible for two and a half years, which could bump the ceiling up to $375 million. requirements for contractors to have emergency plans for providing services to FDIC in the event of a disruption of normal operations, and participation in FDIC business continuity testing, training, and exercises. As noted previously, in October 2019, the FDIC changed its procurement strategy for these Critical Functions from two contracts to two BOAs and included multiple service providers on the BOAs. FDIC puts $487.5 million IT services contract up for bid Management does not concur with the recommendation, but alternative action meets the intent of the recommendation; or. Conversely, the FRB stated that they do not contract out Critical Functions. : 11; Corrective Action: Taken or Planned - The FDIC will examine whether additional controls are necessary in conjunction with the study and actions described in its response to Recommendation 1.; Expected Completion Date: March 31, 2022; Monetary Benefits: $0; Resolved-a - Yes or No: No; Open or Closed-b: Closed; Row 12: ; Rec. The FDIC annually captures the risks it faces through its Enterprise Risk Management Risk Inventory. A CIOO official also stated that the contractor was responsible for ensuring uninterrupted support of services, if the FDIC determined that Blue Canopy provided services essential or critical to the FDIC mission. National Institute of Standards and Technology Guidance. The solicitations for the new contracts occurred in November 2019 and April 2020. We have maintained the structural and data integrity of the original printed product in this text file to the extent possible.
[Figure: FDIC Total Awards by Socio Economic Categories, January 1 - December 31, 2022.] The FDIC develops a management oversight strategy for contracts and assigns responsibility to FDIC contracting officers, oversight managers, and technical monitors to oversee contractors based on the risk and complexity of the contract. The OIG evaluated two FDIC procurements with Blue Canopy Group, LLC (Blue Canopy) against provisions of OMB Policy Letter 11-01, Performance of Inherently Governmental and Critical Functions, September 12, 2011. o Contract Oversight Management (EVAL-20-001) October 28, 2019; o The FDIC's Receivership Basic Ordering Agreements for Business Process Operations Services (AUD-14-006) March 31, 2014; o Security Configuration Management of the Windows Server Operating System (AUD-19-004) January 16, 2019; and.