When procuring Critical Functions, agencies considered strategic human capital planning analyzing agency staff resources, internal capability and capacity, and cost. For example, as noted above, the following agencies noted heightened contracting monitoring, such as: Determine Contract Structure. The FDIC did not conduct periodic reviews of controls and processes for Critical Functions obtained from Blue Canopy during the contract management process, even though the Agency dedicated more than 38 percent of its Information Technology security budget to Blue Canopy services in 2019. OMB Policy Letter 11-01 requires agencies to identify and ensure that they retain control over Critical Functions that are core to the agency's mission, but may be contracted out to the private sector. Those procedures shall be reviewed by agency management no less than every two years. In addition, agencies should periodically evaluate the effectiveness of their internal management controls for reserving work for Federal employees and identify any material weaknesses. The OMB policy letter also states that [a]gencies should review, on an ongoing basis, the functions being performed by their contractors, paying particular attention to the way in which contractors are performing, and agency personnel are managing, contracts involving critical functions. These reviews should be conducted in connection with the development and analysis of inventories of service contracts. In addition, the OMB policy letter states that if the agency determines that internal control of its mission and operations is at risk due to over-reliance on contractors to perform critical functions, requiring activities should work with their human capital office to develop and execute a hiring and/or development plan.
The failure to establish or maintain a proper control environment jeopardizes the reasonable assurance that an entity's objectives will be achieved and may affect the ability of an entity to maintain control of its mission and operations. To resolve these 12 recommendations, we would expect that the FDIC provide a clear indication of the specific actions within the next 6 months, and we will determine whether the recommendations may be converted to being resolved at that time, or whether they will remain as unresolved. For the 12 unresolved recommendations, the FDIC plans to consider and further study the issues and does not intend to implement corrective actions for another year (between March 31 and June 30, 2022). Over a 3-year period, from 2017 to 2019, the FDIC awarded nearly 4,000 contracts valued at more than $1.3 billion. Typically, critical functions are recurring and long-term in duration. BASE - September 1, 2021 - August 31, 2023 OPTIONS - September 1, 2023 - August 31, 2026 Scope The FDIC is a non-appropriated entity of the Federal Government. Recommendation 10: Determine when and how to assess for contractor over-reliance as part of the management oversight strategy. Existing Acquisition Procedures for Contract Planning, Oversight, and Reporting. Taken together, these elements compose the financial institution's risk management analysis of the third-party relationship. When procuring Critical Functions, agencies considered (or, considered as a best practice) cost effectiveness analysis, which included analyzing the appropriate mix of Federal employees and contractors and rebalancing, as needed. Footnote: 11 The FDIC Division of Resolutions and Receiverships (DRR) also has a contract with Blue Canopy for an approximate Award Value of $1 million, and a 5-year term.
The FDIC provides the following response to the Office of Inspector General's (OIG) draft evaluation report titled, Critical Functions in FDIC Contracts, dated March 3, 2021. The OIG report, The FDIC's Implementation of Enterprise Risk Management (EVAL-20-005) (July 2020), assessed the FDIC's implementation of Enterprise Risk Management against relevant criteria and best practices. The FDIC implemented its established procurement process, but that process did not include an analysis of the underlying services in order to identify the risks and to determine the need for heightened oversight procedures and controls for the procured Critical Functions. This represented a failure of the FDIC to maintain control of its operations. We also reviewed documentation and interviewed employees familiar with Blue Canopy's work to determine if the FDIC maintained control of its mission and operations. For example, the following agencies noted heightened contracting monitoring, such as: Identify and Monitor for Critical Functions. Appendix 2 contains a detailed description of the best practices related to procured Critical Functions. : 13; Corrective Action: Taken or Planned - The FDIC will consider additional reporting requirements related to contracts for essential functions or for services necessary during a business continuity event, including where such functions are performed by a single vendor, in conjunction with the study and actions described in response to Recommendation 1.; Expected Completion Date: March 31, 2022; Monetary Benefits: $0; Resolved-a - Yes or No: No; Open or Closed-b: Closed; 1. : 1; Corrective Action: Taken or Planned - The FDIC will consider each of the OIG's recommendations and further study the need for additional risk based controls for essential procurements.
Wisconsin Department of Employee Trust Funds PO Box 7931 Madison WI 53707-7931 1-877-533-5020 (toll free) Fax 608 -267 4549 Proposed Amendment to FDIC Bank Option Contract February 9, 2021. Staff recommends the Board amend the FDIC bank option contract (ETJ0050) as shown to provide an interest rate floor of 15 basis points. The FDIC is committed to recruiting and retaining the most qualified employees in the labor market, and maintaining diversity in management, employment, and business activities. In the first 18 months of contract performance, if the initial vendor is not successfully performing, both the MSSP and SPPS BOAs permit a quick transition to another vendor on the contract without a recompetition. Corrective Action: The FDIC includes significant information regarding acquisition strategy, contract oversight and performance measures, and other controls in current board cases for contracts or BOAs over $20 million. Comparing and contrasting DOA, CIOO, and the Legal Division's policy and procedures related to management procurement and oversight activities to best practices the OIG identified. 7) Revise the management oversight strategy for the procured Critical Functions performed under the BOAs for Managed Security Services Provider and Security and Privacy Professional Services to ensure that the strategy aligns with best practices. The FDIC is an independent federal agency with a mission of maintaining stability and public confidence in the nation's financial system by insuring bank deposits, examining and supervising financial institutions for safety and soundness and consumer protection, making large and complex financial institutions resolvable, and managing receiverships. These planning discussions should consider the resources and the expertise required to perform the functions and manage the procurement.
Figure 5 illustrates the best practices for periodic reviews for contractor over-reliance and implementation of corrective measures during the FDIC's acquisition process. Determine when and how to assess for contractor over-reliance as part of the management oversight strategy. The FDIC Board of Directors. Best practices recommend that an agency implement heightened contract monitoring for procured Critical Functions, and identify and control risks. The overall objective of such reviews is to identify, assess, and resolve indications of contractor over-reliance. Although the contracts required Blue Canopy to submit certain management reports, the contracts did not require Blue Canopy to submit financial reports, audit reports, security reports, business resumption testing reports, and exception-based reports of Blue Canopy's operations. Every contractor who is awarded an FDIC contract is required to be registered with System for Award Management (www.SAM.gov). Such heightened contract monitoring activities would include: (1) performing a procurement risk assessment, (2) establishing a management oversight strategy, (3) conducting periodic reviews, and (4) providing formal reports to the Board for its review of Critical Functions on an individual and aggregate basis. Implement corrective actions when the FDIC determines it is over-reliant on a contractor for a procured Critical Function. As a result, the GAO recommended, in part, that the DOD should revise existing workforce policies and procedures to address the identification of critical functions. Previously, we found that the FDIC had hired Blue Canopy to assess the same IT security controls that it had designed and executed.
Footnote: 29 For Contract CORHQ-14-C-0778, the FDIC's IGCE estimated that it would cost $26,387,825 to procure the services from a third party versus the estimated cost of $23,834,747 to perform the services internally with Federal employees, a variance of $2,553,077. Contract Oversight. A CIOO official confirmed that Blue Canopy was not required to submit routine financial and operational reports, as noted above. DOD's policies and procedures predated the publication of this requirement, and consequently contained no reference to it. In particular, the policy letter states that "[a]gencies shall develop and maintain internal procedures to address the requirements of this guidance." In addition, the policy letter states that agencies should determine the type and level of management attention necessary to ensure that functions that should be reserved for Federal performance are not materially limited by or effectively transferred to contractors and that functions suitable for contractor performance are properly managed. The FDIC response indicated that its planned corrective actions will include surveying recognized practices and procedures associated with contracts supporting essential functions.
Periodic Reviews of Controls and Processes. Phase 1: Procurement Planning - Program Office and DOA Acquisition Services Branch develop a management oversight strategy for the planned acquisition of a Critical Function, which includes determining the contract structure (key provisions). On March 26, 2021, the FDIC's Deputy to the Chairman, Chief of Staff, and Chief Operating Officer provided a written response to a draft of this report (FDIC Response), which is presented in its entirety in Appendix 5. Best practices recommend that an agency implement heightened contract monitoring for procured Critical Functions, to the same extent as if the services were performed internally. Best Practices for Identifying Planned and Procured Critical Functions. To increase competition and diversity of firms providing information security and privacy services, reduce the FDIC's reliance on a single vendor for these services, and improve contract oversight and vendor management, the FDIC sought and received Board approval in October 2019 to initiate two contract actions to replace the existing Blue Canopy contracts with new BOAs and task orders. NASA, USDA, and CFPB performed, or considered it a best practice to perform, strategic human capital planning.
Report to the Board about the Procurement Risk Assessments, Management Oversight Strategies, and contract provisions that address identified risks for planned Critical Functions during the procurement planning phase of the acquisition, for its consideration. In order to implement heightened management oversight, the FDIC needs to (1) identify the risk in a risk assessment; (2) identify the control(s) needed to oversee the contractor within a management oversight strategy; (3) establish the control(s) and a process for reviewing the control(s) within the contract structure; (4) implement the control(s) during the management oversight process; and (5) periodically review the FDIC and contractor's performance or implementation of the control(s). The Board should be involved in reviewing management's risk assessment, contract structuring, and monitoring reports for procured Critical Functions on an individual and aggregate basis. The FDIC develops a management oversight strategy for contracts and assigns responsibility to FDIC contracting officers, oversight managers, and technical monitors to oversee contractors based on the risk and complexity of the contract. FDIC Contract Awards and Amounts by Year (2013-2017). This example highlights the need for the FDIC to clearly define the terminology related to Critical Functions and incorporate the underlying concepts embodied in Critical Functions, so that it can readily identify Critical Functions in such procurements and take appropriate actions with heightened monitoring and controls.
OMB Policy Letter 11-01 defines the terms "Inherently Governmental Function" and "Critical Function" as follows: An Inherently Governmental Function is a function that is so intimately related to the public interest as to require performance by Federal Government employees. The term includes functions that require either the exercise of discretion in applying Federal Government authority or the making of value judgments in making decisions for the Federal Government, including judgments relating to monetary transactions and entitlements. In 2009 and 2010, the services obtained were overseen by the FDIC's Division of Information Technology. The FDIC relies on contractors to support a range of activities from janitorial to Information Technology support services. Federal agencies need to ensure proper management and oversight of procured services for Critical Functions in order to prevent over-reliance on the contractor and the loss of control of the agency's mission and operations. Interviewed FDIC personnel in DOA, CIOO, and the Legal Division who had responsibility for procurement processes related to Critical Functions. Figure 5: Best Practices for Conducting Periodic Reviews of Controls and Processes. The policy letter adopted the definition of an Inherently Governmental Function based on the established statutory definition in the Federal Activities Inventory Reform Act (FAIR Act),15 and it eliminated variations of this definition found in other documents. FDIC will consider and further study potential methodologies for assessing contractor overreliance, including how other agencies make such determinations. Contracting Officer prepares contract documents. FDIC is an independent agency created by Congress to maintain stability and public confidence in the nation's financial system.
The FDIC and Blue Canopy's Contractual Relationship, Inherently Governmental Functions and Critical Functions, Best Practices for Procuring Critical Functions, The FDIC Did Not Implement Heightened Monitoring for Critical Functions. GSA, NASA, USDA, DOE, and OCC have policy and procedures to prevent over-reliance on a contractor, and specific corrective measures to address instances of contractor over-reliance. The FDIC also completed annual performance reports on Blue Canopy. For example, as noted above, the following agencies noted heightened contracting monitoring, such as: Develop a Management Oversight Strategy. According to the FDIC's Financial Institution Letter titled Third-Party Risk Guidance for Managing Third-Party Risk (FIL-44-2008) (June 2008), the key to the effective use of a third party in any capacity is for management to appropriately assess, measure, monitor, and control the risks associated with a contractual relationship. As a result, the FDIC also did not implement heightened contract monitoring activities for Critical Functions as stated in OMB's Policy Letter 11-01, and best practices identified and used by other government agencies. Recommendation 3: Assess whether the FDIC's Enterprise Risk Management program should identify the impact of procured Critical Functions, and procurement risk related to contractors performing Critical Functions, within the FDIC's Risk Inventory. Federal Agencies. Specifically, the acquisition process was initiated in January 2010 and then again in June 2014. We work to ensure the fair inclusion and use of minorities, women, and minority- and women-owned businesses, law firms, and investors in contracting and investment opportunities.
As demonstrated by the FDIC and Blue Canopy's contractual relationship, the FDIC's acquisition and risk management processes did not identify the procurement risk of Critical Functions, nor did the FDIC heighten its management oversight for these procured services. Figure 1: The FDIC's Existing Acquisition Process. Phase 1: Procurement Planning - Program Office and DOA Acquisition Services Branch report to the FDIC Board the planned acquisition of a Critical Function, and provide a procurement risk assessment and management oversight strategy (including planned contract structure and cost effectiveness analysis). Footnote: 14 The FDIC's Privacy Program is a risk-based program that focuses on protecting the privacy rights of individuals by ensuring that Personally Identifiable Information is handled and protected in accordance with applicable Federal and FDIC requirements and industry standards. The guidance provides, in part, the following topics that should be considered as a contract is structured, with the applicability of each dependent upon the nature and significance of the third-party relationship: scope (rights/responsibilities of each party), cost/compensation, performance standards, reports (types and frequency of management information), audit (of contractor), confidentiality and security (prohibit contractor from using or disclosing agency's information), customer complaints, business resumption and contingency plans, default and termination (of contractor), dispute resolution, ownership and license, indemnification, and limits on liability.
The recommendations include incorporating provisions of the OMB Policy Letter 11-01 into the FDIC's policies and procedures, identifying Critical Functions during the procurement process, and implementing heightened contract monitoring for Critical Functions.