FDIC contract awards 2021

The FDIC's Implementation of Enterprise Risk Management (EVAL-20-005) July 8, 2020. In addition, agencies developed an exit strategy from the contractual arrangement and/or described that they would take the following actions if it was determined that the agency was over reliant on contractors to perform Critical Functions: (1) review and adjust what the contractor accomplishes for the agency; (2) reassess human capital needs (staff and funding) and make Full Time Employee adjustments; (3) in-source the function; (4) review the contracting process from beginning to end to understand how the agency lost control (retrospective review of the contracting process); (5) reestablish controls over contractor responsibilities (by strengthening oversight, insourcing the work through the timely development and execution of hiring plans, refraining from exercising options under the contract, or terminating all or part of the contract). Best practices recommend that contractors have business resumption and contingency plans in place and tested. Footnote: 13 The Federal Information Security Modernization Act of 2014 (FISMA) amended and clarified the Federal Information Security Management Act of 2002. The guidance provides, in part, that reports (types and frequency of management information) and business resumption and contingency plans should be considered as a contract is structured, with the applicability of each dependent upon the nature and significance of the third-party relationship.
In order to close these recommendations, we would expect that the FDIC implement a process to assess contractor over-reliance at the Agency and take the following actions: Identify contracts requiring heightened monitoring and controls during the procurement planning, award, and contract management phases of the acquisition process; Conduct procurement risk assessments for its contracts, including a cost-effectiveness analysis; Implement a management oversight strategy for contracts requiring heightened monitoring and controls; Implement periodic reviews for contracts requiring heightened monitoring and controls; Incorporate enhancements to the FDIC's existing acquisition planning, approval, reporting, and oversight processes; Conduct an assessment to determine whether FDIC's current Risk Inventory sufficiently addresses the underlying risks presented in the OIG's report; and. In particular, the FDIC warned its regulated institutions of such risk and, therefore, should assess and address the risk itself. By May 2021, the FDIC expects to transition information security and privacy program services to multiple service providers by awarding additional task orders under the BOAs. A risk/reward analysis should be performed for significant matters, comparing the proposed third-party relationship to other methods of performing the activity or product offering, including the use of other vendors or performing the function in-house. In addition, NASA considered internal capability when procuring a Critical Function, and CFPB ensured that Contract Officers had appropriate backgrounds, such as Information Technology expertise for procured Information Technology services. Although NCUA and CFPB did not have an explicit written policy, they noted the actions/procedures they would take to address an instance of contractor over-reliance.
According to a CNN news article titled, BearingPoint files for bankruptcy (February 2009), "[t]he McLean, Virginia-based company, which began as the consulting arm of KPMG LLP and later struggled with accounting problems and a U.S. Securities and Exchange Commission probe, has been laboring under heavy debt exacerbated by an acquisition spree between 1999 and 2002." As demonstrated by the FDIC and Blue Canopy's contractual relationship, the FDIC's acquisition and risk management processes did not identify the procurement risk of Critical Functions, nor did the FDIC heighten its management oversight for these procured services. NASA, USDA, and DOE performed, or considered it a best practice to perform, a cost effectiveness analysis. In its response, the FDIC stated that it is committed to continually improving its contracting processes and controls. Each quarter, the FDIC provides a contract-specific report to the Board of Directors for complex contracts over $5 million and for all contracts over $20 million. CIO Howard Whyte spoke with FedScoop recently about FDIC's work in the cloud to provide a transformational experience for our external customers. The OIG also concluded the FDIC needed a formal process for reviewing security control assessment reports to ensure that Blue Canopy performed sufficient security control testing. USDA, CFPB, and OCC used, or considered it a best practice to have, contract provisions to specify the agency's rights and the contractor's obligations and responsibilities surrounding Critical Functions. judgments made by governmental officials21 for all contracts covering Critical Functions. Management concurs with the recommendation, and the planned, ongoing, and completed corrective action is consistent with the recommendation; or, 2. Figure 4: Best Practices for Implementing a Management Oversight Strategy.
Figure 2 illustrates the best practices for identifying planned and procured Critical Functions during the FDIC's acquisition process. Interviewed FDIC personnel in DOA, CIOO, and the Legal Division who had responsibility for procurement processes related to Critical Functions. Management concurred with 1 of the 13 recommendations, and plans to complete corrective action by May 31, 2021. Existing Acquisition Procedures for Contract Planning, Oversight, and Reporting. In particular, the policy letter states that agencies should determine the type and level of management attention necessary to ensure that functions that should be reserved for Federal performance are not materially limited by or effectively transferred to contractors and that functions suitable for contractor performance are properly managed. Footnote: 2 GAO reported that "[b]est business practices refer to the processes, practices, and systems identified in public and private organizations that performed exceptionally well and are widely recognized as improving an organization's performance and efficiency in specific areas." In particular, Federal employees must be able to understand the agency's requirements, formulate alternatives, manage the work product, monitor the contractors used to support the Federal workforce, and adequately mitigate the potential impact on mission performance if contractors were to default on their obligations. 6) Determine the contract structure during the solicitation and award process for the procurement of a Critical Function. The FDIC's OCISO and DOA submitted to the Board, through its established procurement process, a Board Case Package and Award Profile Reports.38 These documents, however, did not identify the procured services that were Critical Functions nor did they present the planned or implemented heightened oversight management activities for the Critical Function procurements.
To resolve these 12 recommendations, we would expect that the FDIC provide a clear indication of the specific actions within the next 6 months, and we will determine whether the recommendations may be converted to being resolved at that time, or whether they will remain as unresolved. Our methodology relied on identifying best practices from various reputable sources, including OMB Policy Letter 11-01, GAO reports, industry standards, and other Federal agencies, and comparing the FDIC's acquisition process with these best practices. In particular, the policy letter states that "[a]gencies shall develop and maintain internal procedures to address the requirements of this guidance." In addition, the policy letter states that agencies should determine the type and level of management attention necessary to ensure that functions that should be reserved for Federal performance are not materially limited by or effectively transferred to contractors and that functions suitable for contractor performance are properly managed.
As a result, the GAO recommended that the DHS should (1) develop a risk-based approach for reviewing service requirements to ensure proposed service requirements are clearly defined and reviewed before planning how they are to be procured; (2) update the Inherently Governmental and Critical Functions Analysis to provide guidance for analyzing, documenting, and updating the federal workforce needed to perform or oversee service contracts requiring heightened management attention; and (3) [develop] guidance identifying oversight tasks or safeguards personnel can perform, when needed, to mitigate the risk associated with contracts containing closely associated with inherently governmental functions, special interest functions, or critical functions. As part of an institution's risk assessment, the institution should also identify performance criteria, internal controls, reporting needs, and contractual requirements that would be critical to the ongoing assessment and control of specific identified risks, in other words, a management oversight strategy that allows for assessment of performance, as well as mid-course corrections. The guidance also noted that "[a]fter completing the general assessment of risks, particularly relative to the institution's overall strategic plan, management should review its ability to provide adequate oversight and management of the proposed third-party relationship on an ongoing basis." Further, the FDIC may not maintain control of its mission and operations, and may become over-reliant on contractors.
According to the FDIC Financial Institution Letter titled, Third-Party Risk Guidance for Managing Third-Party Risk (FIL-44-2008) (June 2008), for business resumption and contingency plans, "[t]he contract should address the third party's responsibility for continuation of services provided for in the contractual arrangement in the event of an operational failure, including both man-made and natural disasters." Solicitation and Award: Program Office, DOA Acquisition Services Branch, and Legal Division identify the Critical Function within solicitation and award documents. While the FDIC does not plan to explicitly adopt the critical functions framework from OMB Policy Letter 11-01 or each of the compiled practices set out by the OIG in its report, the FDIC will conduct a survey to identify cost-effective, risk-based controls appropriate for the FDIC's unique mission and statutory responsibilities related to essential functions or for services necessary in a business continuity event, particularly when the services may be provided by a single vendor. In particular, the FDIC should have routinely reviewed (on an ongoing and proactive basis) Blue Canopy's business resumption and continuity plans (specific to human capital) to ensure security, confidentiality, integrity, and availability of FDIC information, as well as the continuity of service and performance by Blue Canopy. Table 1 summarizes these best practices. In particular, the guidance states that "[a]fter selecting a third party, management should ensure that the specific expectations and obligations of both the financial institution and the third party are outlined in a written contract prior to entering into the arrangement."
A Contract Management Plan must be developed for the acquisition of services having a total estimated value of $1 million and greater. The FDIC provided detailed information on the acquisition to the Board of Directors in advance of the procurement and quarterly throughout the period of performance. From July 2005 to December 2019, the FDIC issued three contracts (or sets of contracts) for information security support services. In addition, we maintain that these circumstances represented a failure in the FDIC's controls and procedures. The OMB policy letter also states that "[w]here a critical function is not inherently governmental, the agency may appropriately consider filling positions dedicated to the function with both Federal employees and contractors."
