Therefore, the FDIC did not identify the Information Technology services performed by Blue Canopy as Critical Functions during the procurement planning phase, solicitation and award phase, or contract management phase of the acquisition process. We understand that the FDIC may consider implementing a process in order to identify Critical Functions and employ heightened monitoring and controls. As demonstrated by the FDIC and Blue Canopy's contractual relationship, the FDIC's acquisition and risk management processes did not identify the procurement risk of Critical Functions, nor did the FDIC heighten its management oversight for these procured services. As such, Blue Canopy should have had crisis readiness plans in place and should have tested those plans to ensure that it could continue to provide Critical Functions uninterrupted to the FDIC. Source: OIG analysis of OMB guidance, GAO reports, Industry guidance, and interview statements from Federal agencies. The contractor successfully performed all required tasks under both contracts, and received excellent and outstanding ratings in annual performance reviews, with the exception of one good rating on one contract for one rating period. ; Expected Completion Date: June 30, 2022; Monetary Benefits: $0; Resolved-a - Yes or No: No; Open or Closed-b: Closed; Row 8: ; Rec. No. Those contracts could be extended a year after the end of the base ordering period. The importance of the FDIC reviewing financial and audit reports and periodically monitoring the contractor's operations was demonstrated by the FDIC's experience with Blue Canopy's predecessor.
While identifying and understanding the risks associated with the third party is critical at the outset, the long-term management of the relationship is vital to success. In addition, the guidance noted that "[t]he extent of oversight of a particular third-party relationship will depend upon the potential risks and the scope and magnitude of the arrangement." Contract Oversight. Based on our review, we found that the Blue Canopy contracts provided limited coverage of the contractor's obligations and responsibilities for the following:30 Industry Standard. In particular, the policy letter states that "[a]gencies shall develop and maintain internal procedures to address the requirements of this guidance." In addition, the policy letter states that agencies should determine the type and level of management attention necessary to ensure that functions that should be reserved for Federal performance are not materially limited by or effectively transferred to contractors and that functions suitable for contractor performance are properly managed. NASA, USDA, and DOE performed, or considered it a best practice to perform, a cost effectiveness analysis. No FDIC Process for Identifying Critical Functions. : 8; Corrective Action: Taken or Planned - Following the FDIC's study discussed in response to Recommendation 1, the CIOO will assess whether any additional enhancements to the management oversight strategy for the Managed Security Services Provider and Security and Privacy Professional Services BOAs and task orders are needed beyond those already incorporated. Footnote: 37 A Contract Management Plan is a plan developed by the Contracting Officer and the Oversight Manager that documents the joint administration approach to performing oversight activities for complex contracts for services.
OMB Policy Letter 11-01 requires agencies to identify and ensure that they retain control over Critical Functions that are core to the agency's mission but may be contracted out to the private sector. FDIC acquisitions are accomplished in accordance with the Program Office conducts market research. Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Row: 1; Procured Function: Security Operations Center; National Institute of Standards and Technology Guidance: Incident Response (IR)-4 Incident Handling, IR-7 Incident Response Assistance, System and Information Integrity (SI)-4 System Monitoring; Identified as a Critical Function (Yes/No): Yes; Row: 2; Procured Function: Computer Security Incident Response Team; National Institute of Standards and Technology Guidance: IR-5 Incident Monitoring, IR-6 Incident Reporting, Risk Assessment (RA)-1 Policy and Procedures, RA-3 Risk Assessment. In addition, NASA considered internal capability when procuring a Critical Function, and CFPB ensured that Contract Officers have appropriate backgrounds, such as Information Technology expertise for procured Information Technology services. Interviewed FDIC personnel in DOA, CIOO, and the Legal Division who had responsibility for procurement processes related to Critical Functions. Footnote: 36 Security Configuration Management of the Windows Server Operating System (AUD-19-004) (January 2019). As part of the procurement risk assessment, include a cost effectiveness analysis. Further, if the agency does not establish and maintain a proper control environment, it may lose control of its mission and operations. o The FDIC's Implementation of Enterprise Risk Management (EVAL-20-005) July 8, 2020.
While the Award Profile Reports described the procured services, assessed contractor performance, tracked fund utilization/allocation, and assessed FDIC contract oversight, the FDIC did not identify Blue Canopy's procured services as Critical Functions. The Risk Inventory includes an assessment of impact and likelihood, and risks are prioritized and summarized into one of four risk levels: critical, significant, moderate, and low. The Federal Deposit Insurance Act authorizes the FDIC to acquire services and to establish policies and procedures to achieve its mission and operations.6 The FDIC's acquisition process involves a number of organizations within the Agency, including the Program Office that initiates a procurement to obtain the services or goods it needs, the Division of Administration's (DOA) Acquisition Services Branch (ASB), the Legal Division, and the FDIC Board of Directors (Board). The FDIC Risk Inventory acknowledged the risks associated with these cybersecurity and privacy support services, including a potential cyber-attack on the FDIC's systems and a security incident involving Personally Identifiable Information. In particular, the board should be involved in the following stages of an effective third-party risk management program for procured critical functions: o Risk assessment. The FDIC response further disagreed that the weaknesses identified in our prior OIG report regarding the Security Configuration Management of the Windows Server Operating System "represent[ed] a failure on the FDIC's part to maintain control of its operations." We note that the FDIC previously recognized the problem and took remedial actions to address the independence concern identified in the prior OIG report.
The FDIC documented and presented to the Board a qualitative justification for procuring Blue Canopy services. To date, four task orders have been awarded under the BOAs to two different service providers. A prior OIG report, Security Configuration Management of the Windows Server Operating System (AUD-19-004) (January 2019), found that the FDIC tasked Blue Canopy with both designing security controls and assessing their effectiveness, which impaired the firm's ability to conduct an impartial assessment. The Board authorized a 7 1/2-year term for Security Operations Center and Vulnerability Management Services and a 10-year term for security and privacy professional services. The OIG found that the FDIC implemented its established procurement process with respect to the two procurements, including reporting to the FDIC Board of Directors. In its response, the FDIC stated that it is committed to continually improving its contracting processes and controls. For this report, risks must be considered in regard to procurement operations and IT services for Critical Functions. Contracting Officer closes out contract. : 1; Corrective Action: Taken or Planned - The FDIC will consider each of the OIG's recommendations and further study the need for additional risk based controls for essential procurements.
: 2; Corrective Action: Taken or Planned - The FDIC plans to further address this recommendation through the study and actions described in its response to Recommendation 1.; Expected Completion Date: March 31, 2022; Monetary Benefits: $0; Resolved-a - Yes or No: No; Open or Closed-b: Closed; Row 3: ; Rec. ; Expected Completion Date: June 30, 2022; Monetary Benefits: $0; Resolved-a - Yes or No: No; Open or Closed-b: Closed; Row 10: ; Rec. Implement periodic reviews for procured Critical Functions, including for the BOAs and task orders for Managed Security Services Provider and Security and Privacy Professional Services. Legend: check mark The source identified this item. The FDIC awarded both procurements competitively utilizing a best value approach. The Blue Canopy Group, LLC (Blue Canopy) performed a range of cybersecurity and privacy support services for the FDIC. Agencies should consider internal controls such as approval authorities, segregation of duties, and independence and non-conflict of interest standards. In particular, a loss of control could result in actions and decisions that are not in the public interest, and instead may be focused on the contractor's business development, profitability, or unsuitable influences. The Blue Canopy contracts provided that if the contractor "[i]s determined by the FDIC (at its sole discretion) to provide services essential or critical to the FDIC mission the contractor shall take immediate and effective measures to ensure the availability or use of back-up or redundant services and/or system(s) support to deal with such emergency." Reviewed the FDIC's policy and procedures, including: o FDIC Acquisition Policy Manual (August 2008); o Acquisition Procedures, Guidance and Information (January 2020) document; and.
However, in order to mitigate the potential risk of a service provider's financial failure, breach of information security protocols, or failure to ensure service continuity, an agency needs to continuously monitor the service provider's financial condition and operations. No. Management concurs with the recommendation, and the planned, ongoing, and completed corrective action is consistent with the recommendation; or, 2. While OMB Policy Letter 11-01 does not apply to FDIC procurements as a matter of law, the FDIC envisions developing (as an added component of our existing risk-based system) criteria for identifying a subset of contracts supporting essential FDIC functions or those that provide services in a business continuity event that will further enhance FDIC contract management consistent with the spirit of the Policy Letter. This example highlights the need for the FDIC to clearly define the terminology related to Critical Functions and incorporate the underlying concepts embodied in Critical Functions, so that it can readily identify Critical Functions in such procurements and take appropriate actions with heightened monitoring and controls. Best Practices: 5. A BOA becomes a binding contract when a task order is issued.
RA-5 Vulnerability Monitoring and Scanning, Assessment, Authorization, and Monitoring (CA)-5 Plan of Action and Milestones, Program Management (PM)-4 Plan of Action and Milestones Process, PM-6 Information Security Measures of Performance, PM-9 Risk Management Strategy; Identified as a Critical Function (Yes/No): Yes; Row: 3; Procured Function: Technical Security Assessment; National Institute of Standards and Technology Guidance: RA-5 Vulnerability Monitoring and Scanning; Identified as a Critical Function (Yes/No): Yes; Row: 4; Procured Function: Vulnerability Management; National Institute of Standards and Technology Guidance: RA-5 Vulnerability Monitoring and Scanning; Identified as a Critical Function (Yes/No): Yes; Row: 5; Procured Function: Continuous Controls Assessment Program; National Institute of Standards and Technology Guidance: CA-2 Control Assessments, Configuration Management (CM)-4 Impact Analyses; Identified as a Critical Function (Yes/No): Yes; Row: 6; Procured Function: Privacy Program; National Institute of Standards and Technology Guidance: Program Management (PM)-18 Privacy Program Plan; Identified as a Critical Function (Yes/No): Yes; Row: 7; Procured Function: Testing of Internal Controls; National Institute of Standards and Technology Guidance: CA-2 Control Assessments; Identified as a Critical Function (Yes/No): Yes; Source: OIG analysis of FDIC's procured services from Blue Canopy against NIST guidance. FDIC recently competitively awarded seven task orders under the SPPS BOAs resulting in awards to five different vendors. Footnote: 33 In comparison, the FDIC's procurement planning and solicitation and award processes for contract CORHQ-14-C-0769 took 9 months (from March 2014 to December 2014), and contract CORHQ-14-C-0778 took 12 months (from March 2014 to March 2015).
In order to implement heightened management oversight, the FDIC needs to (1) identify the risk in a risk assessment; (2) identify the control(s) needed to oversee the contractor within a management oversight strategy; (3) establish the control(s) and a process for reviewing the control(s) within the contract structure; (4) implement the control(s) during the management oversight process; and (5) periodically review the FDIC and contractor's performance or implementation of the control(s). Our evaluation assessed whether Blue Canopy performed Critical Functions as determined by OMB Policy Letter 11-01 and best practices; and if so, whether the FDIC retained sufficient management oversight of Blue Canopy to maintain control of its mission and operations in accordance with best practices. The Board should be involved in reviewing management's risk assessment, contract structuring, and monitoring reports for procured Critical Functions on an individual and aggregate basis. Through the two contracts, Blue Canopy provided the following services: (1) Information Security and Privacy Support Services for the FDIC's Security Operations Center (SOC) and Computer Security Incident Response Team (C-SIRT). In particular, the FDIC should have a process for ensuring that specific expectations and obligations of both parties are outlined in a written contract prior to entering into the arrangement. Management concurred with 1 of the 13 recommendations, and plans to complete corrective action by May 31, 2021.
In addition, routine reviews ensure that both contractor and agency staff know their roles and responsibilities in the event of an unexpected incident, and validate the planned response. As an independent agency, the FDIC routinely looks to the practices of agencies governed by the Federal Acquisition Regulation (FAR), other (non-FAR-based) independent agencies, and private business to inform its acquisition policies. With this approach in mind, the FDIC will consider the processes, practices, and systems that the OIG identified, among others, to enhance our existing policies. Best Practices: 3. Accessibility features, such as descriptions of tables, footnotes, and the text of the Corporation's comments, are provided but may not exactly duplicate the presentation or format of the printed version. For such matters, the analysis should be considered integral to the bank's overall strategic planning, and should thus be performed by senior management and reviewed by the board or an appropriate committee. o Contract structuring and review. To assist in performing oversight activities for complex contracts for services, the oversight manager must work with the contracting officer to develop a contract management plan. The APM requires FDIC program offices and the contracting officer to work together to conduct market research to support all acquisition planning. Footnote: 2 OMB Policy Letter 11-01 established Executive Branch policy and was addressed to the heads of civilian and Executive Departments and agencies.
In August 2017, a former FDIC senior executive expressed concern with the FDIC's contractual relationship with and over-reliance on Blue Canopy. GAO also found that DHS personnel did not identify specific oversight activities they conducted to mitigate the risk of contractors performing functions in a way that could become inherently governmental. To increase competition and diversity of firms providing information security and privacy services, reduce the FDIC's reliance on a single vendor for these services, and improve contract oversight and vendor management, the FDIC sought and received Board approval in October 2019 to initiate two contract actions to replace the existing Blue Canopy contracts with new BOAs and task orders. Without these best practices in place, the FDIC cannot be assured that it will provide sufficient management oversight of Blue Canopy or other contractors performing Critical Functions. The FDIC has also recently implemented new acquisition initiatives to further improve vendor management, contract oversight, and to reduce the number of non-competitive awards. Best Practices for Identifying Planned and Procured Critical Functions, 3. The Guide provides tools for implementing the IT acquisition life cycle, with objectives to: develop scalable solutions that promote competition; deliver fast, reliable, responsive, and innovative services; The FDIC has also established a 2021 corporate performance goal and interdivisional work team to strengthen our contract oversight management program by increasing the independence and professionalism of our oversight managers and technical monitors. [Text box - Prior OIG report.
In addition, OMB Policy Letter 11-01 established a definition for a Critical Function as "a function that is necessary to the agency being able to effectively perform and maintain control of its mission and operations." Board approval should be obtained prior to entering into any material third-party arrangements. The level of detail in contract provisions will vary with the scope and risks associated with the third-party relationship. In particular, the policy letter states that agencies should determine the type and level of management attention necessary to ensure that functions that should be reserved for Federal performance are not materially limited by or effectively transferred to contractors and that functions suitable for contractor performance are properly managed. As a result, the FDIC also did not implement heightened contract monitoring activities for Critical Functions as stated in OMB's Policy Letter 11-01, and best practices identified and used by other government agencies. In making that determination, the officials shall consider the importance that a function holds for the agency and its mission and operations. The FDIC Did Not Conduct Periodic Reviews of Controls and Processes for Critical Functions. In particular, the Federal Deposit Insurance Act authorizes the FDIC "[t]o make contracts," "[t]o appoint such officers and employees to define their duties," and "[t]o prescribe, by its Board of Directors, bylaws regulating the manner in which its general business may be conducted." Industry Standard. The portable document format (PDF) file also posted on our Web site is an exact electronic replica of the printed version. These essential functions are then used to identify supporting tasks and resources that must be included in the organization's continuity planning process.
FDIC Actions Taken to Address Prior OIG Concerns Regarding Blue Canopy Contracts. Best Practices for Critical Functions by Source, 2. The evaluation's scope included our review of Blue Canopy's two existing contracts39 with the FDIC's Chief Information Officer Organization to determine if Blue Canopy performed Critical Functions within the FDIC's operations; and, if so, whether the FDIC sufficiently oversaw Blue Canopy to maintain control of the Agency's mission and operations. Develop a management oversight strategy. As previously noted, the FDIC and Blue Canopy's contractual arrangement allowed Blue Canopy to assess certain security controls, including configuration management controls. Therefore, the FDIC should have been concerned about Blue Canopy's business resumption and contingency plans with regard to its ability to provide back-up or additional resources during an adverse event. Ongoing efforts to improve the FDIC's acquisition services and oversight management programs will incorporate additional structure and discipline around certain contracts that support essential functions or involve services needed in a business continuity event, consistent with the recommendations in the OIG report.