Without the identification of procured Critical Functions and its associated risk, the FDIC may not accurately capture and assess the Agency's inherent and residual risk related to its contracts and contractors.

Industry Standard. Source: OIG analysis of the FDIC Acquisition Policy Manual (August 2008) and the Acquisition Procedures, Guidance and Information (January 2020).

In addition, NASA considered internal capability when procuring a Critical Function, and CFPB ensured that Contract Officers had appropriate backgrounds, such as Information Technology expertise for procured Information Technology services.

Risks are identified from various sources and are captured in the risk inventory. A Critical Function is a function that is necessary to the agency being able to effectively perform and maintain control of its mission and operations.

Footnote 5: Contracts CORHQ-14-C-0769 and CORHQ-14-C-0778.

The new acquisition strategy was presented to and approved by the Board in October 2019.

As such, Blue Canopy should have had crisis readiness plans in place and should have tested those plans to ensure that it could continue to provide Critical Functions uninterrupted to the FDIC. Those designated contracts would then be subject to a risk assessment process to ensure the FDIC maintains control over the function for which services are being procured, has an appropriate contract oversight structure, and includes contract provisions commensurate with risks.

The FDIC Did Not Conduct Periodic Reviews of Controls and Processes for Critical Functions.

With this approach in mind, the FDIC will consider the processes, practices, and systems that the OIG identified among others to enhance our existing policies.
This text file was formatted by the FDIC OIG to be accessible to users with visual impairments.

Corrective Action: Existing acquisition planning procedures require consideration and discussion of risks associated with all procurements.

Ultimately, the GAO concluded that without guidance for documenting and updating the planned Federal oversight personnel needed, and identifying oversight tasks, DHS cannot mitigate the risks associated with service contracts in need of heightened management attention.

Analysis of National Institute of Standards and Technology Guidance.

Given the existing contractual controls in the Blue Canopy contracts (such as SLAs and other performance metrics), remedial actions taken to address the independence concern identified by the OIG, and the subsequent revision of the acquisition strategy associated with the services previously procured under the Blue Canopy contracts, the FDIC disagrees with the OIG's determination that the contract "represent[ed] a failure on the FDIC's part to maintain control of its operations." Blue Canopy's performance under the contracts, which included detailed performance metrics, was regularly reviewed and received high marks from the FDIC.

Last summer, the agency's inspector general issued a report saying the agency needed to improve its IT governance practices.

Best Practices.

The OCISO is comprised of four sections: Governance, Risk and Compliance; Privacy; Security Architecture; and Security Operations.

Procured Critical Functions Not on FDIC Risk Inventory.

The objective of the plan is to ensure that the Contracting Officer, Oversight Manager, and Technical Monitor have a common understanding of both contractor and FDIC obligations under the contract.
In addition, following the FDIC's study and actions in response to Recommendation 1, the CIOO will assess the need for additional periodic reviews of such contracts and whether additional enhancements are required beyond the controls already incorporated.

NASA, USDA, and CFPB performed, or considered it a best practice to perform, strategic human capital planning.

The portable document format (PDF) file also posted on our Web site is an exact electronic replica of the printed version.

Table 1: Best Practices for Critical Functions by Source.

DOA's ASB is responsible for issuing the policies governing the contracting program and the procedures for implementing those policies.

The OIG made 13 recommendations aimed at having the FDIC incorporate provisions of OMB Policy Letter 11-01 into the FDIC's policies and procedures, identify critical functions during the procurement process, and implement heightened contract monitoring for critical functions.

While OMB Policy Letter 11-01 is inapplicable to the FDIC as a matter of law, the FDIC's risk-based acquisition procedures address virtually all of the control factors listed in the Policy Letter and many of these controls were in place for the Blue Canopy contracts.

Corrective Actions: Existing acquisition processes and procedures help limit the likelihood of such an occurrence; however, the FDIC will examine whether additional controls are necessary in conjunction with the study and actions described in our response to Recommendation 1. We expect the guidance to .

The APM and implementing Acquisition Procedures, Guidance, and Information (PGI) address planning considerations for contracts considered essential in the event of an emergency or business continuity event and delineate risks associated with such procurements.
Periodic Reviews of Controls and Processes.

Critical Functions in FDIC Contracts | Federal Deposit Insurance

A CIOO official stated that Blue Canopy's business resumption and contingency plans were not a concern because Blue Canopy operated within the FDIC's information systems and on the FDIC's premises.

Accordingly, institutions should establish and maintain an effective risk management process for initiating and overseeing outsourced operations.

The Program Office is also responsible for nominating the Oversight Manager and Technical Monitor(s).7

Management concurred with 1 of the 13 recommendations, and plans to complete corrective action by May 31, 2021.

Therefore, the FDIC did not identify the Information Technology services performed by Blue Canopy as Critical Functions during the procurement planning phase, solicitation and award phase, or contract management phase of the acquisition process.

Contents: The FDIC and Blue Canopy's Contractual Relationship; Inherently Governmental Functions and Critical Functions; Best Practices for Procuring Critical Functions; The FDIC Did Not Implement Heightened Monitoring for Critical Functions.

Recommendation 10: Determine when and how to assess for contractor over-reliance as part of the management oversight strategy.

As discussed above, however, the FDIC's IGCE did not include the scope and methodology, analyses (both quantitative and qualitative), conclusions, and rationale for the Agency's final procurement decision as suggested by best practices.
The Federal Deposit Insurance Act authorizes the FDIC to acquire services and to establish policies and procedures to achieve its mission and operations.6 The FDIC's acquisition process involves a number of organizations within the Agency, including the Program Office that initiates a procurement to obtain the services or goods it needs, the Division of Administration's (DOA) Acquisition Services Branch (ASB), the Legal Division, and the FDIC Board of Directors (Board).

Recommendation 3: Assess whether the FDIC's Enterprise Risk Management program should identify the impact of procured Critical Functions, and procurement risk related to contractors performing Critical Functions, within the FDIC's Risk Inventory.

In 2019, these services comprised 38.3 percent ($16.2 million) of the OCISO's annual operating expenses ($42.3 million).

These laws are intended to protect the public and ensure the proper use of governmental funds.

The report concluded that the FDIC needs to establish a clear governance structure, and clearly define authorities, roles, and responsibilities related to [Enterprise Risk Management].

The FDIC took prompt action to address the OIG's recommendations regarding the lack of independent assessments of Blue Canopy's services, and the OIG closed those recommendations in 2019.

The FDIC response indicated that its planned corrective actions will include surveying recognized practices and procedures associated with contracts supporting essential functions.

Phase 1: Procurement Planning - Program Office and DOA Acquisition Services Branch report to the FDIC Board the planned acquisition of a Critical Function, and provide a procurement risk assessment and management oversight strategy (including planned contract structure and cost effectiveness analysis).
This guidance document recommends that FDIC-supervised institutions take a risk-based approach to ensuring that appropriate controls, acquisition planning, and oversight are in place to manage services provided by third parties.

OMB Policy Letter 11-01 requires certain agencies2 to take specific actions, before and after contract award, to prevent contractor performance of Inherently Governmental Functions and to prevent over-reliance on contractors in the performance of Critical Functions.

A breach or disruption in these services could impact the security, confidentiality, integrity, and availability of FDIC information. Therefore, the FDIC needed proper oversight of the Critical Functions performed by Blue Canopy to ensure such a breach or disruption of service did not occur. This represented a failure of the FDIC to maintain control of its operations.

The FDIC also completed annual performance reports on Blue Canopy.

From July 2005 to December 2019, the FDIC issued three contracts (or sets of contracts) for information security support services.

Award Profile Reports.

6) Determine the contract structure during the solicitation and award process for the procurement of a Critical Function.
The services provided under this contract included intrusion monitoring; incident investigation; event escalation; reporting; vulnerability research, analysis, and response; incident detection; incident response; and after-hours support.

Through the two contracts, Blue Canopy provided the following services: (1) Information Security and Privacy Support Services for the FDIC's Security Operations Center (SOC) and Computer Security Incident Response Team (C-SIRT).

These periodic reviews should be focused on targeted controls or areas of performance (such as personnel performance or human capital planning), and/or performed more broadly (such as a contractor over-reliance assessment).

We considered Blue Canopy's informal feedback before finalizing the report.

NASA, USDA, and DOE performed, or considered it a best practice to perform, a cost effectiveness analysis.

Figure 6: Best Practices for FDIC Board Reporting.

In addition to existing requirements for oversight management, the FDIC remains committed to the use of SLAs and other controls to manage vendor performance and is considering additional controls to ensure the independence, training, and professionalism of oversight managers.

"Typically, critical functions are recurring and long-term in duration."

Table 1 row: OMB: The source did not mention this item; GAO: The source did not mention this item; Industry Standard: The source did not mention this item; Select Federal Agencies: The source identified this item.

OMB Guidance.

The Program Office is responsible for determining its procurement needs and initiating the acquisition process by submitting a procurement request to DOA's ASB.
The OIG notes in its report that the FDIC followed its normal contract policies and procedures for the two Blue Canopy contracts.

Report to the Board planned and procured Critical Functions on an individual and aggregate basis.

The guidance provides, in part, the following topics that should be considered as a contract is structured, with the applicability of each dependent upon the nature and significance of the third-party relationship: scope (rights/responsibilities of each party), cost/compensation, performance standards, reports (types and frequency of management information), audit (of contractor), confidentiality and security (prohibit contractor from using or disclosing agency's information), customer complaints, business resumption and contingency plans, default and termination (of contractor), dispute resolution, ownership and license, indemnification, and limits on liability.

In particular, the board should be involved in the following stages of an effective third-party risk management program for procured critical functions:

o Risk assessment.

We also provided Blue Canopy with a draft copy of the report to review for factual accuracy.

For the 12 unresolved recommendations, the FDIC plans to consider and further study the issues and does not intend to implement corrective actions for another year (between March 31 and June 30, 2022).

Program Office and Contracting Officer prepare acquisition documents.

Based on our study, we will provide guidance to divisions and offices for assessing the potential for contractor overreliance and maintaining federal control of essential functions or those necessary during a business continuity event.
This arrangement lacked independence and represents a failure on the FDIC's part to maintain control of its operations.36 In addition, the absence of heightened contract monitoring processes, such as a procurement risk assessment and periodic reviews of controls and processes for Critical Functions, allowed this internal control weakness to remain undetected.

To increase competition and diversity of firms providing information security and privacy services, reduce the FDIC's reliance on a single vendor for these services, and improve contract oversight and vendor management, the FDIC sought and received Board approval in October 2019 to initiate two contract actions to replace the existing Blue Canopy contracts with new BOAs and task orders.

While the Award Profile Reports described the procured services, assessed contractor performance, tracked fund utilization/allocation, and assessed FDIC contract oversight, the FDIC did not identify Blue Canopy's procured services as Critical Functions.

For such matters, the analysis should be considered integral to the bank's overall strategic planning, and should thus be performed by senior management and reviewed by the board or an appropriate committee."

o Contract structuring and review.
