fdic contract awards 2021

The Defense Intelligence Agency selected 144 vendors to participate in its $12.6 billion Solutions for Information Technology Enterprise (SITE III) contract. Critical Functions, on the other hand, are broader and cover all functions that are necessary to the agency being able to effectively perform and maintain control of its mission and operations. OMB: The source did not mention this item; GAO: The source did not mention this item; Industry Standard: The source did not mention this item; Select Federal Agencies: The source identified this item; OMB Guidance. Recommendation 8: Identify missing or insufficient controls in the BOAs and task orders for Managed Security Services Provider and Security and Privacy Professional Services, and implement appropriate corrective actions or compensating controls. Every contractor who is awarded an FDIC contract is required to be registered with System for Award Management (www.SAM.gov). Row 1: ; Rec. GAO Recommendations. In addition, we maintain that these circumstances represented a failure in the FDIC's controls and procedures. A management oversight strategy considers, for example, the contract structure (including key provisions) for procuring Critical Functions, and oversight tasks personnel can perform. The more important the function, the more important that the agency have internal capability to maintain control of its mission and operations. GAO Recommendations. OMB Policy Letter 11-01 requires certain agencies2 to take specific actions, before and after contract award, to prevent contractor performance of Inherently Governmental Functions and to prevent over-reliance on contractors in the performance of Critical Functions.
Corrective Action: In addition to current practices, the FDIC plans to address this recommendation through the study and actions described in our response to Recommendation 1, and based on such actions, will assess the need for additional periodic reviews. Therefore, while we determined that Blue Canopy performed Critical Functions at the FDIC, as defined by OMB Policy Letter 11-01 and best practices, the FDIC did not identify these services as Critical Functions during its procurement planning phase. Since then, the FDIC re-organized and placed oversight responsibility within the CIOO OCISO. The guidance states that [a]n institution's board of directors and senior management are ultimately responsible for identifying and controlling risks arising from [third-party] relationships, to the same extent as if the [contracted] activity were handled within the institution.34 In particular, the FDIC should have routinely reviewed (actively monitored) Blue Canopy's financial condition, information security, and business resumption and continuity testing reports to ensure the security, confidentiality, integrity, and availability of FDIC information. The APM requires FDIC program offices and the contracting officer to work together to conduct market research to support all acquisition planning. Ultimately, if an agency fails to ensure proper management and oversight of procured Critical Functions, contractors may take actions that are not based on informed, independent judgments made by Government officials. Appendix 2 contains a detailed description of the best practices related to procured Critical Functions. Board approval should be obtained prior to entering into any material third-party arrangements The level of detail in contract provisions will vary with the scope and risks associated with the third-party relationship. Agencies need to establish a proper internal control environment to oversee and maintain control of their operations.
According to the FDIC Legal Division, the FDIC does not fall within the definition of executive agency in the [Office of Federal Procurement Policy] Act. Become over-reliant on a third-party contractor to achieve its mission and conduct operations;3. In particular, the FDIC should have routinely reviewed (on an ongoing and proactive basis) Blue Canopy's business resumption and continuity plans (specific to human capital) to ensure security, confidentiality, integrity, and availability of FDIC information, as well as the continuity of service and performance by Blue Canopy. Following the FDIC's study and actions in response to Recommendation 1, the CIOO will assess the need for additional periodic reviews of such contracts and whether additional enhancements are required beyond the controls already incorporated. Conduct periodic reviews of controls and processes. As a result, the reports did not identify for the Board information on the procurement and oversight of procured Critical Functions on an individual and aggregate contract basis as suggested by best practices. Accordingly, institutions should establish and maintain an effective risk management process for initiating and overseeing outsourced operations. Similarly, the Board meeting minutes did not identify the procured services as Critical Functions. Recommendation 1: Incorporate the provisions of OMB Policy Letter 11-01 guidance into the FDIC Acquisition Policy Manual (August 2008) and Acquisition Procedures, Guidance and Information document (January 2020). For example, if not managed and supervised prudently, the agency may: Footnote: 1 According to FDIC Directive 1500.6, Continuity of Operations (COOP) Program (November 2019), Essential Functions are a subset of government functions that are determined to be critical activities.
As demonstrated by the FDIC and Blue Canopy's contractual relationship, the FDIC's acquisition and risk management processes did not identify the procurement risk of Critical Functions, nor did the FDIC heighten its management oversight for these procured services. While OMB Policy Letter 11-01 does not apply to FDIC procurements as a matter of law, the FDIC envisions developing (as an added component of our existing risk-based system) criteria for identifying a subset of contracts supporting essential FDIC functions or those that provide services in a business continuity event that will further enhance FDIC contract management consistent with the spirit of the Policy Letter. While the Award Profile Reports described the procured services, assessed contractor performance, tracked fund utilization/allocation, and assessed FDIC contract oversight, the FDIC did not identify Blue Canopy's procured services as Critical Functions. These plans should have considered the impact of the crisis, for example, on human resources, facilities, hardware, and information security. Table 2 illustrates the services performed by Blue Canopy that we identified as Critical Functions based on National Institute of Standards and Technology Special Publication 800-53, Revision 5 (NIST S.P. These best practices support the view that the FDIC should develop and implement heightened contract monitoring processes for Critical Functions. Phase 2: Solicitation and Award - DOA Acquisition Services Branch reports to the FDIC Board the finalized contract structure and procured Critical Function - on an individual and aggregate basis. The failure to establish or maintain a proper control environment jeopardizes the reasonable assurance that an entity's objectives will be achieved and may affect the ability of an entity to maintain control of its mission and operations.
The FDIC did not identify or implement periodic reviews specific to the risks associated with procured services for Critical Functions. Without a proper cost effectiveness analysis, an agency cannot identify, analyze, and determine (on an informed basis) the most cost effective alternative or course of action. Such an approach reduces the chances of the FDIC being overly reliant on an individual vendor. The FDIC, however, provided no details as to how it plans to do so. Incorporate the provisions of OMB Policy Letter 11-01 guidance into the FDIC Acquisition Policy Manual (August 2008) and Acquisition Procedures, Guidance and Information document (January 2020). Program Office and Contracting Officer prepare acquisition documents. According to the Government Accountability Office (GAO), the use of a contractor poses a risk of fraud, waste, and abuse. This contracting approach will increase competition and reduce FDIC's reliance on one contractor in these areas. We performed our work in accordance with the Council of the Inspectors General on Integrity and Efficiency's Quality Standards for Inspection and Evaluation. In particular, having a business continuity plan in place and testing it helps to continuously improve an organization's ability to successfully recover from various scenarios, whether it be a natural disaster, pandemic, or communications failure. Since the FDIC did not perform periodic reviews, it did not (1) assess for contractor over-reliance within individual controls and processes or on an aggregate basis; and (2) identify and implement corrective actions needed during the contract management process related to indicators of potential operational/process failures.
The objective of these reviews should address the controls' effectiveness in deterring or mitigating the agency's over-reliance on the contractor, and ensuring that the agency maintains control of its mission and operations. FDIC's Execution and Oversight of the Blue Canopy Contracts. Inherently Governmental and Critical Functions. Footnote: 4 See id. Figure 5: Best Practices for Conducting Periodic Reviews of Controls and Processes. It is an independent government corporation created by Congress to maintain stability and public confidence in the nation's banking system. A risk/reward analysis should be performed for significant matters, comparing the proposed third-party relationship to other methods of performing the activity or product offering, including the use of other vendors or performing the function in-house. In particular, the FDIC prepared a Contract Management Plan37 for Blue Canopy to document the joint administrative approach agreed upon by the Contracting Officer and Oversight Manager. Implement corrective actions when the FDIC determines it is over-reliant on a contractor for a procured Critical Function. Recommendation 5: Develop and implement a management oversight strategy for Critical Functions during the procurement planning process, for each contract involving Critical Functions. Since the FDIC relied on Blue Canopy to provide human capital (staffing) in key areas of information security and privacy, the FDIC needed to supervise and manage how Blue Canopy would continue to provide its services in the event that Blue Canopy's human capital was impaired or negatively impacted by significant events. Management should identify performance criteria, internal controls, reporting needs, and contractual requirements that would be critical to the ongoing assessment and control of risk in contracts containing Critical Functions.
2) Identify Critical Functions during the procurement planning, award, and contract management phases of the acquisition process. A Contract Management Plan must be developed for the acquisition of services having a total estimated value of $1 million and greater. DOA will revise the APM and PGI to reflect any resulting process and control enhancements. The overall objective of such reviews is to identify, assess, and resolve indications of contractor over-reliance. There are numerous risks that may arise from an agency's use of third parties, including performance, monetary, legal, and reputational risks. As a result, the FDIC also did not implement heightened contract monitoring activities for Critical Functions as stated in OMB's Policy Letter 11-01, and best practices identified and used by other government agencies. The FDIC relied on Blue Canopy to conduct activities within the FDIC's Security Operations Center, Computer Security Incident Response Team, and Information Security and Privacy Program Support, which were recognized within NIST guidance as foundational security controls or protective measures that enable an enterprise to perform its mission or critical functions despite risks posed by threats to its use of systems. Without these foundational security controls, the FDIC could not ensure the security, confidentiality, integrity, and availability of its information thus jeopardizing the Agency's mission and operations. The FDIC and Blue Canopy's contractual arrangement supported the FDIC's internal annual self-assessment, as required by FISMA. Board Reporting.
Phase 1: Procurement Planning - Program Office and DOA Acquisition Services Branch develop a management oversight strategy for the planned acquisition of a Critical Function, which includes determining the contract structure (key provisions). To resolve these 12 recommendations, we would expect that the FDIC provide a clear indication of the specific actions within the next 6 months, and we will determine whether the recommendations may be converted to being resolved at that time, or whether they will remain as unresolved. For the 12 unresolved recommendations, the FDIC plans to consider and further study the issues and does not intend to implement corrective actions for another year (between March 31 and June 30, 2022). Blue Canopy performed a range of cybersecurity and privacy support services for the FDIC. OIGs may also use evaluations to share best practices and approaches. As previously noted, the FDIC and Blue Canopy's contractual arrangement allowed Blue Canopy to assess certain security controls, including configuration management controls. 3) Assess whether the FDIC's Enterprise Risk Management program should identify the impact of procured Critical Functions, and procurement risk related to contractors performing Critical Functions, within the FDIC's Risk Inventory. Ultimately, absent specific policies and procedures on this process, DOD may lack assurance that it retains enough government employees to maintain control over these important functions. According to a CNN news article titled, BearingPoint files for bankruptcy (February 2009), [t]he McLean, Virginia-based company, which began as the consulting arm of KPMG LLP and later struggled with accounting problems and a U.S.
Securities and Exchange Commission probe, has been laboring under heavy debt exacerbated by an acquisition spree between 1999 and 2002. The contractor successfully performed all required tasks under both contracts, and received excellent and outstanding ratings in annual performance reviews, with the exception of one good rating on one contract for one rating period. The guidance provides, in part, the following topics that should be considered as a contract is structured, with the applicability of each dependent upon the nature and significance of the third-party relationship: scope (rights/responsibilities of each party), cost/compensation, performance standards, reports (types and frequency of management information), audit (of contractor), confidentiality and security (prohibit contractor from using or disclosing agency's information), customer complaints, business resumption and contingency plans, default and termination (of contractor), dispute resolution, ownership and license, indemnification, and limits on liability.
