Moreover, the FDIC determined, in advance of the 2019 contract modifications to increase the contract ceiling on both Blue Canopy contracts, that a new competitive, multi-vendor acquisition strategy should be put in place for the services. We made 13 recommendations to the FDIC's Deputy to the Chairman and Chief Operating Officer. The OIG report, Contract Oversight Management (EVAL-20-001) (October 2019), noted that some CIOO Oversight Managers lacked the workload capacity to oversee contracts, and certain Oversight Managers were not properly trained or certified. In August 2017, a former FDIC senior executive expressed concern with the FDIC's contractual relationship with, and over-reliance on, Blue Canopy. The FDIC and Blue Canopy's contractual arrangement supported the FDIC's internal annual self-assessment, as required by FISMA. This potentially jeopardizes the FDIC's ability to maintain control of its mission and operations by failing to ensure that government actions are taken as a result of informed, independent judgments made by government officials; that work products are adequately managed; and that contractors are appropriately monitored.

Market Research and Competition.

As a result, the FDIC also did not implement heightened contract monitoring activities for Critical Functions as stated in OMB's Policy Letter 11-01 and in best practices identified and used by other government agencies. Since then, the FDIC re-organized and placed oversight responsibility within the CIOO OCISO. Last summer, the agency's inspector general issued a report saying the agency needed to improve its IT governance practices. The FPDS-NG system includes reporting fields that capture services designated as Critical Functions. For this report, risks must be considered in regard to procurement operations and IT services for Critical Functions.
In the OIG report, Contract Oversight Management (EVAL-20-001) (October 2019), the OIG reported concerns about CIOO contract oversight.

Recommendation 5. Corrective Action Taken or Planned: The FDIC plans to further address this recommendation through the study and actions described in its response to Recommendation 1. Expected Completion Date: March 31, 2022. Monetary Benefits: $0. Resolved (Yes or No): No. Open or Closed: Closed.

The FDIC relies on contractors to support a range of activities from janitorial to Information Technology support services. As noted above, the OIG identified best practices from OMB Guidance, the GAO, industry standards, and several other Federal agencies. For the 12 unresolved recommendations, the FDIC plans to consider and further study the issues and does not intend to implement corrective actions for another year (between March 31 and June 30, 2022). In order to answer our objectives, we reviewed Blue Canopy's two existing contracts, as of May 2020,5 with the FDIC's Chief Information Officer Organization (CIOO), and the FDIC's acquisition process to identify and manage procured Critical Functions. Each quarter, the FDIC provides a contract-specific report to the Board of Directors for complex contracts over $5 million and for all contracts over $20 million. Over a seven-and-a-half-year term, the contractors will help the FDIC's Division of IT deal with operations and maintenance support of its infrastructure while the financial agency looks to improve productivity and efficiencies to continue to mature between 2020 and 2027, says a new solicitation.
Best practices recommend that an agency implement heightened contract monitoring for procured Critical Functions, to the same extent as if the services were performed internally. For our evaluation, we identified best practices for procuring Critical Functions by reviewing OMB Policy Letter 11-01, GAO reports, and industry standards,18 and by interviewing officials at several other Federal agencies.19 We compared these best practices with the FDIC's existing procurement process, using Blue Canopy as an example, to determine the extent to which the FDIC incorporated these best practices into its process. The FDIC took action to address OIG concerns about Blue Canopy's independence. 1819(a). The report concluded that the FDIC needs to establish a clear governance structure, and clearly define authorities, roles, and responsibilities related to [Enterprise Risk Management].

Contract Management: Program Office and DOA Acquisition Services Branch identify the Critical Function within contract oversight documents and reports to the FDIC Board. For evaluation purposes, the OIG considers this guidance a best practice.
Agencies performed (or considered as a best practice) periodic reviews of contractor and agency personnel performance, human capital planning, personnel training, risk management strategy, contract requirements, budget/cost justification, attribution of contractor vs. agency work, and over-reliance assessments. Each family contains controls that are related to the specific topic of the family.

Footnote: 14 The FDIC's Privacy Program is a risk-based program that focuses on protecting the privacy rights of individuals by ensuring that Personally Identifiable Information is handled and protected in accordance with applicable Federal and FDIC requirements and industry standards.

In particular, Blue Canopy performed a range of cybersecurity and privacy support services for the FDIC, including continuous monitoring, vulnerability management, internal control reviews, and privacy assessments. The Board approves the execution of contracts with dollar values over $20 million and contract modifications to contracts previously approved by the Board that increase the award amount or period of performance by more than 15 percent.

Best Practices for Implementing a Management Oversight Strategy, 5.

Best Practices: 1.

Federal Agencies.

As part of the procurement risk assessment, include a cost effectiveness analysis.
As recommended in OMB Policy Letter 11-01, the APM details pre- and post-award responsibilities to avoid contracts for inherently governmental functions.6 The APM emphasizes the importance of being fully aware of contract terms, contractor performance, and contract administration to ensure that appropriate FDIC control is preserved. Recommendation 13: Report to the Board about the Award Profile Reports and corresponding status reports for procured Critical Functions during the contract management phase of the acquisition process on an individual and aggregate contract basis, for its consideration. In particular, the FDIC may not ensure that it has an adequate number of employees with the appropriate training, experience, and expertise to oversee the procurements of Critical Functions. Typically, Critical Functions are recurring and long-term in duration. The policy letter recommends that Federal employees should perform and/or manage Critical Functions to the extent necessary for the agency to operate effectively and maintain control of its mission and operations.

Best Practices: 4.
In particular, FDIC management did not present to the Board an analysis that demonstrated whether it was cost effective to procure the desired Critical Functions or to perform those functions internally with Federal employees or some combination of Federal employees and contractor personnel. DOA's ASB is responsible for issuing the policies governing the contracting program and the procedures for implementing those policies. The FIL does not separately detail specific procedures applicable to critical functions, but rather provides a general framework to provide appropriate oversight and risk management of significant third-party relationships, including those in which a third party performs critical functions. The FIL recommends increasing levels of control for more complex or higher-risk activities. The APM and implementing Acquisition Procedures, Guidance, and Information (PGI) address planning considerations for contracts considered essential in the event of an emergency or business continuity event and delineate risks associated with such procurements. Following the FDIC's study discussed in response to Recommendation 1, the CIOO will assess whether any additional enhancements to the management oversight strategy for the MSSP and SPPS BOAs and task orders are needed beyond those already incorporated. Source: OIG analysis of OMB guidance, GAO reports, industry guidance, and interview statements from Federal agencies. According to the FDIC's Legal Division, OMB Policy Letter 11-01 does not directly apply to the Agency but it may be used for guidance. Develop a management oversight strategy. [Text box - Prior OIG report. According to a CNN news article titled, BearingPoint files for bankruptcy (February 2009), "[t]he McLean, Virginia-based company, which began as the consulting arm of KPMG LLP and later struggled with accounting problems and a U.S.
Securities and Exchange Commission probe, has been laboring under heavy debt exacerbated by an acquisition spree between 1999 and 2002." The FDIC Board of Directors. The FDIC's acquisition process is divided into four phases: (1) Procurement Planning; (2) Solicitation and Award; (3) Contract Management; and (4) Closeout Award. Acquisition Initiatives to Improve Competition, Oversight, and Performance. However, the FDIC's Risk Inventory did not recognize procured Critical Functions as a separate and distinct risk, or as an analytical factor in determining inherent or residual risk related to the risks associated with cybersecurity and privacy support services. To address our objectives, we conducted the following procedures: Analyzed Blue Canopy's contracts and contractual services for Critical Functions by comparing and contrasting activities to the following: o Other best practices the OIG identified; and. In addition, we determined that Blue Canopy performed Critical Functions at the FDIC, as defined by OMB Policy Letter 11-01 and best practices. The Blue Canopy Group, LLC (Blue Canopy) performed a range of cybersecurity and privacy support services for the FDIC. Interviewed FDIC personnel in DOA, CIOO, and the Legal Division who had responsibility for procurement processes related to Critical Functions. The APM includes a discussion and guidance for avoiding performance by contractors of inherently governmental functions. Legend: check mark: the source identified this item. In particular, having a business continuity plan in place and testing it helps to continuously improve an organization's ability to successfully recover from various scenarios, whether it be a natural disaster, pandemic, or communications failure. o The FDIC's Implementation of Enterprise Risk Management (EVAL-20-005), July 8, 2020.
Footnote: 35 The FDIC has warned its regulated institutions to address in their contractual arrangements the third parties' responsibility for continuation of services and, therefore, the FDIC should do the same in its contracts.

The FDIC concurred with 1 of the 13 recommendations, and plans to complete corrective action by May 31, 2021. Oversight Manager and Contracting Officer develop Contract Management Plan. In addition, we maintain that these circumstances represented a failure in the FDIC's controls and procedures. The objective of these reviews should address the controls' effectiveness in deterring or mitigating the agency's over-reliance on the contractor, and ensuring that the agency maintains control of its mission and operations. According to NIST guidance, this arrangement limited the firm's independence and impaired the firm's ability to conduct impartial security control assessments. By May 2021, the FDIC expects to transition information security and privacy program services to multiple service providers by awarding additional task orders under the BOAs. Given the existing contractual controls in the Blue Canopy contracts (such as SLAs and other performance metrics), remedial actions taken to address the independence concern identified by the OIG, and the subsequent revision of the acquisition strategy associated with the services previously procured under the Blue Canopy contracts, the FDIC disagrees with the OIG's determination that the contract represent[ed] a failure on the FDIC's part to maintain control of its operations. Blue Canopy's performance under the contracts, which included detailed performance metrics, was regularly reviewed and received high marks from the FDIC. According to the FDIC Legal Division, the FDIC does not fall within the definition of executive agency in the [Office of Federal Procurement Policy] Act. Become over-reliant on a third-party contractor to achieve its mission and conduct operations;3
The FDIC did not perform a procurement risk assessment for Critical Functions obtained from Blue Canopy during the procurement planning process. The FDIC's OCISO and DOA submitted to the Board, through its established procurement process, a Board Case Package and Award Profile Reports.38 These documents, however, did not identify the procured services that were Critical Functions, nor did they present the planned or implemented heightened oversight management activities for the Critical Function procurements.

| Row | Best Practice | OMB | GAO | Industry Standard | Select Federal Agencies |
|-----|---------------|-----|-----|-------------------|-------------------------|
| 1 | Identify planned procurement of Critical Functions | ✓ | ✓ | ✓ | ✓ |
| 2 | Implement heightened contract monitoring processes for Critical Functions | ✓ | - | ✓ | ✓ |
| 3 | Perform a procurement risk assessment for Critical Functions | ✓ | ✓ | ✓ | ✓ |
| 4 | Perform a cost effectiveness analysis | ✓ | - | ✓ | ✓ |
| 5 | Develop a management oversight strategy | ✓ | ✓ | ✓ | ✓ |
| 6 | Determine contract structure | - | - | ✓ | ✓ |
| 7 | Conduct periodic reviews of controls and processes | ✓ | - | - | ✓ |
| 8 | Report to the Board on procured Critical Functions | - | - | ✓ | - |

Source: OIG analysis of OMB guidance, GAO reports, industry standards and guidance, and interview statements from Federal agencies.

Procurement Planning: Program Office identifies the Critical Function to be procured within procurement planning documents. 5) Develop and implement a management oversight strategy for Critical Functions during the procurement planning process, for each contract involving Critical Functions. We performed our work from May 2020 through November 2020 at the FDIC's offices in Arlington, Virginia and Dallas, Texas. This ongoing oversight of the Blue Canopy contracts and the reconsideration of the underlying acquisition strategy for the services are key components of the procedures highlighted as best practices by the OIG in its audit and demonstrate the control asserted and maintained by the FDIC over these services. NASA, USDA, and DOE performed, or considered it a best practice to perform, a cost effectiveness analysis.

Footnote: 2 OMB Policy Letter 11-01 established Executive Branch policy and was addressed to the heads of civilian and Executive Departments and agencies.

The FDIC did not have a process for identifying Critical Functions in procurements at the outset, and this gap created a cascading effect of shortfalls in overseeing Critical Functions. Contractor performance evaluations must be completed annually for each award, regardless of dollar value, and at the end of the contract. Figure 1 shows the four phases of the FDIC's acquisition process and provides an overview of the activities within each phase. DMI said it will bring digital transformation tools that usher in a new managed services model, focused on service delivery optimization. OMB Policy Letter 11-01 requires certain agencies2 to take specific actions, before and after contract award, to prevent contractor performance of Inherently Governmental Functions and to prevent over-reliance on contractors in the performance of Critical Functions.
While agencies often rely upon third-party contractors to perform a wide variety of services and other activities, there are numerous risks that may arise from an agency's use of third-party contractors, including performance, monetary, legal, and reputational risks. A CIOO official also stated that the contractor was responsible for ensuring uninterrupted support of services if the FDIC determined that Blue Canopy provided services essential or critical to the FDIC mission.

National Institute of Standards and Technology Guidance.

DOD's policies and procedures predated the publication of this requirement, and consequently contained no reference to it. A Contract Management Plan must be developed for the acquisition of services having a total estimated value of $1 million and greater.

Industry Standard.

Management Decision: Partially Concur. Program Office identifies contracting need.

Footnote: 7 The Technical Monitor is responsible for assisting the Oversight Manager in monitoring and evaluating contractor performance under an FDIC contract.

Ultimately, absent specific policies and procedures on this process, DOD may lack assurance that it retains enough government employees to maintain control over these important functions.

Footnote: 28 According to the FDIC's Acquisition Procedures, Guidance and Information (January 2020), the Independent Government Cost Estimate is the FDIC's estimated cost for the acquisition.

Blue Canopy was also assigned duties related to design and/or execution of these controls. Contracting officers and oversight managers are also responsible for evaluating contractor performance. The OIG report, The FDIC's Implementation of Enterprise Risk Management (EVAL-20-005) (July 2020), assessed the FDIC's implementation of Enterprise Risk Management against relevant criteria and best practices.
As a result, we consider the remaining 12 recommendations to be unresolved at this time. Due to the lack of policies and procedures in this area, the FDIC did not identify these Critical Functions performed by Blue Canopy during its procurement planning phase. "Identified weaknesses should be documented and promptly addressed." Estimated Completion Date: March 31, 2022. Incorporate the provisions of OMB Policy Letter 11-01 guidance into the FDIC Acquisition Policy Manual (August 2008) and Acquisition Procedures, Guidance and Information document (January 2020).

Footnote: 4 Security Configuration Management of the Windows Server Operating System (AUD-19-004) (January 2019).

Those contracts could be extended a year after the end of the base ordering period. Corrective Actions: The CIOO and the Acquisition Services Branch considered both internal controls and contractual requirements during acquisition planning for the subject BOAs and task orders and included them in the statement of work documents. OMB Policy Letter 11-01 advises certain agencies that they should ensure that Federal employees perform and/or manage Critical Functions to the extent necessary for the agency to operate effectively and maintain control of its mission and operations. Specifically, the FDIC did not discuss with the Board its procurement risk assessment, management oversight strategy, contract structuring, and ongoing monitoring reports for the procured Critical Functions. Title III of the E-Government Act, entitled the Federal Information Security Management Act of 2002, requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and systems that support the operations and assets of the agency.
In addition to current practices, the FDIC plans to further address this recommendation through the study and actions described in our response to Recommendation 1. The FDIC began working with Blue Canopy in May 2009 when the FDIC's CIOO, Office of the Chief Information Security Officer (OCISO), and DOA,9 procured the services of Blue Canopy to provide Information Security Support Services to the FDIC after the initial contractor filed for bankruptcy.

Footnote: 11 The FDIC Division of Resolutions and Receiverships (DRR) also has a contract with Blue Canopy for an approximate Award Value of $1 million, and a 5-year term.

[Figure: FDIC Total Awards by Socio-Economic Categories, January 1 - December 31, 2021. Categories: 8(a), HUBZone, Veteran Owned, Service-Disabled Veteran Owned, Women Owned, Small Disadvantaged Business, Minority Owned, MWOB; axis: dollar amounts and percent of total FDIC awards.]

OMB Policy Letter 11-01 provides guidance on managing the performance of Inherently Governmental and Critical Functions. Reviewed articles and Congressional Research regarding Federal procurement and oversight control processes. Identify planned procurement of Critical Functions. Federal employees must be able to understand the agency's requirements, formulate alternatives, manage the work product, monitor the contractors used to support the Federal workforce, and adequately mitigate the potential impact on mission performance if contractors were to default on their obligations. The importance of the FDIC reviewing financial and audit reports and periodically monitoring the contractor's operations was demonstrated by the FDIC's experience with Blue Canopy's predecessor.
Such actions by contractors create risks that governance and decisions of significant public interest are not made by Government officials who are accountable to the President and bound by laws controlling the conduct and performance of Federal employees. These actions, based on existing FDIC acquisition policies and procedures, were consistent with the spirit of OMB Policy Letter 11-01 and the FDIC's Guidance for Managing Third-Party Risk. Ongoing efforts to improve the FDIC's acquisition services and oversight management programs will incorporate additional structure and discipline around certain contracts that support essential functions or involve services needed in a business continuity event, consistent with the recommendations in the OIG report. 13) Report to the Board about the Award Profile Reports and corresponding status reports for procured Critical Functions during the contract management phase of the acquisition process on an individual and aggregate contract basis, for its consideration.
However, to meet its fiduciary responsibility to the taxpayers, the agency must have sufficient internal capability to control its mission and operations. Sufficient internal capability (i) generally requires that an agency have an adequate number of positions filled by Federal employees with appropriate training, experience, and expertise to understand the agency's requirements, formulate alternatives, take other appropriate actions to properly manage and be accountable for the work product, and continue critical operations with in-house resources, another contractor, or a combination of the two, in the event of contractor default; and (ii) further requires that an agency have the ability and internal expertise to oversee and manage any contractors used to support the Federal workforce. Determinations concerning what constitutes sufficient internal capability must be made on a case-by-case basis taking into account, among other things, the: (i) agency's mission; (ii) complexity of the function and the need for specialized skill; (iii) current strength of the agency's in-house expertise; (iv) current size and capability of the agency's acquisition workforce; and (v) effect of contractor default on mission performance. As part of acquisition planning, agencies shall confirm that for the Critical Functions to be procured, the agency has sufficient internal capability to control its mission and operations. Fail to control the agency's mission and operations; Compromise trust (or data) by failing to exercise due care in establishing appropriate controls to protect sensitive information and to identify and mitigate data breaches. 800-53). According to the Government Accountability Office (GAO), the use of a contractor poses a risk of fraud, waste, and abuse. These actions are in addition to the standard controls and processes that agencies follow in procuring goods and services.
However, it did not address how the Contracting Officer and Oversight Manager would assess the FDIC's over-reliance on Blue Canopy or identify and implement corrective actions.

Appendix 2 Identified Best Practices and Their Sources.

Both the Managed Security Services Provider (MSSP) and SPPS BOAs include incentives for vendors to provide superior performance. The GAO report, Human Capital: Additional Steps Needed to Help Determine the Right Size and Composition of DOD's Total Workforce (GAO-13-470) (May 2013), found, in part, that DOD's current policies did not fully reflect federal policy concerning the identification of Critical Functions.

Footnote: 17 GAO Report, Best Practices Methodology: A New Approach for Improving Government Operations (GAO/NSIAD-95-154) (May 1995).

Footnote: 33 In comparison, the FDIC's procurement planning and solicitation and award processes for contract CORHQ-14-C-0769 took 9 months (from March 2014 to December 2014), and contract CORHQ-14-C-0778 took 12 months (from March 2014 to March 2015).

FISMA requires each agency to perform an annual self-assessment. o GAO Report, VA Health Care: Additional Guidance, Training, and Oversight Needed to Improve Clinical Contract Monitoring (GAO-14-54) (October 2013). The FDIC's acquisition procedures are also consistent with the FDIC's Guidance for Managing Third-Party Risk (FIL-44-2008). o Comparing and contrasting DOA, CIOO, and the Legal Division's policy and procedures related to management procurement and oversight activities to best practices the OIG identified.
Management should consider, in part, the following corrective measures for identified instances of contractor over-reliance: (1) reviewing and adjusting contractor services; (2) reassessing and adjusting human capital needs (staff and funding); (3) in-sourcing all or part of the function; (4) reviewing the contracting process from beginning to end to understand how the agency lost control; and (5) reestablishing or strengthening controls over contractor responsibilities. Ultimately, the GAO concluded that without guidance for documenting and updating the planned Federal oversight personnel needed, and identifying oversight tasks, DHS cannot mitigate the risks associated with service contracts in need of heightened management attention.