Information Technology services at the FDIC have been identified as critical to the FDIC operations in numerous documents, including the FDIC's 2019 Annual Report, Enterprise Risk Management Risk Inventory, and National Institute of Standards and Technology (NIST) guidance. Although the contracts required Blue Canopy to submit certain management reports, the contracts did not require Blue Canopy to submit financial reports, audit reports, security reports, business resumption testing reports, and exception-based reports of Blue Canopy's operations. For example, as noted above, the following agencies noted heightened contracting monitoring, such as:
o Develop a Management Oversight Strategy.
Footnote 10: The FDIC separated the information security support services into two contracts to potentially increase the number of vendors that placed bids and to attract higher quality bids by vendors that specialized in only one set of services. The FDIC, instead, uses a best value method especially for acquisitions requiring innovative solutions or a high level of technical expertise that allows for the evaluation of technical factors in addition to price and past performance. In particular, the FDIC should have routinely reviewed (on an ongoing and proactive basis) Blue Canopy's business resumption and continuity plans (specific to human capital) to ensure security, confidentiality, integrity, and availability of FDIC information, as well as the continuity of service and performance by Blue Canopy. OMB: The source did not mention this item; GAO: The source did not mention this item; Industry Standard: The source did not mention this item; Select Federal Agencies: The source identified this item; OMB Guidance.
The FDIC's Legal Division provides legal advice and counsel to Contracting Officers to ensure that acquisitions and other contract actions are conducted in accordance with governing laws and FDIC policy. Of particular note, the failure to identify Critical Functions during the procurement planning phase results in a cascading failure throughout the acquisition process. According to the FDIC's Financial Institution Letter titled Third-Party Risk Guidance for Managing Third-Party Risk (FIL-44-2008) (June 2008), the key to the effective use of a third party in any capacity is for management to appropriately assess, measure, monitor, and control the risks associated with a contractual relationship. Neither the Board Case Package nor the Board meeting minutes reflected that the FDIC discussed with the Board its procurement risk assessment and management oversight strategy, planned contract structuring, and ongoing monitoring controls and reports for the procured Critical Functions.
o Contract Oversight Management (EVAL-20-001) October 28, 2019;
o The FDIC's Receivership Basic Ordering Agreements for Business Process Operations Services (AUD-14-006) March 31, 2014;
o Security Configuration Management of the Windows Server Operating System (AUD-19-004) January 16, 2019; and.
The recommendations include incorporating provisions of the OMB Policy Letter 11-01 into the FDIC's policies and procedures, identifying Critical Functions during the procurement process, and implementing heightened contract monitoring for Critical Functions. Ultimately, if an agency fails to ensure proper management and oversight of procured Critical Functions, contractors may take actions that are not based on informed, independent judgments made by Government officials.
In this case, the FDIC terminated the service provider's contract because of the provider's bankruptcy. As a result of the service provider's failure, the FDIC compressed the procurement planning and solicitation and award processes, and Blue Canopy assumed the previous contract and began providing support services to the FDIC in May 2009, 3 months after the company's failure. In addition to having limited time to find a replacement contractor, the company's distressed financial condition and ultimate bankruptcy could have impaired or compromised the quality of services provided over an extended period of time as the contractor's senior management and employees focused on their company's financial turmoil at the expense of the services provided.