According to the FDIC Financial Institution Letter titled Third-Party Risk Guidance for Managing Third-Party Risk (FIL-44-2008) (June 2008), for business resumption and contingency plans, "[t]he contract should address the third party's responsibility for continuation of services provided for in the contractual arrangement in the event of an operational failure, including both man-made and natural disasters."

CFPB: Consumer Financial Protection Bureau; CIOO: Chief Information Officer Organization; C-SIRT: Computer Security Incident Response Team; DRR: Division of Resolutions and Receiverships; FAIR Act: Federal Activities Inventory Reform Act; FDIC: Federal Deposit Insurance Corporation; FISMA: Federal Information Security Modernization Act; FPDS-NG: Federal Procurement Data System-Next Generation; GAO: U.S. Government Accountability Office; IGCE: Independent Government Cost Estimate; NASA: National Aeronautics and Space Administration; NCUA: National Credit Union Administration; NIST: National Institute of Standards and Technology; OCC: Office of the Comptroller of the Currency; OCISO: Office of the Chief Information Security Officer.

TO: Terry L. Gibson, Assistant Inspector General for Program Audits and Evaluations
FROM: Brandon L. Milhorn, Deputy to the Chairman, Chief of Staff and Chief Operating Officer
CC: Sylvia W. Burns, CIO; E. Marshall Gentry, CRO
RE: Management Response to OIG Draft Audit Report, Critical Functions in FDIC Contracts (No.

According to the FDIC's Selection Recommendation Report titled Security Operations Center and Computer Security Incident Response Team Services (February 2015), the Independent Government Cost Estimate was calculated based on information acquired through historical data from the prior 3 years, as well as projects anticipated over the life of the proposed contract.
Management should also ensure that the statement of work recognizes the procurement of Critical Functions.
In addition, a prior OIG report, Security Configuration Management of the Windows Server Operating System (AUD-19-004) (January 2019), concluded that Blue Canopy lacked independence. The FDIC re-competed and re-issued these services to Blue Canopy under two new contracts with a total Award Value of $101.3 million. Both contracts had 7-year terms (a 3-year base period and four 1-year options); one became effective in December 2014 and the second in March 2015.

These elements are essential components of the heightened review and oversight process for procurements of Critical Functions. Procurement Planning - Program Office performs a procurement risk assessment for the planned acquisition of a Critical Function, which includes performing a cost effectiveness analysis. In addition, routine reviews ensure that both contractor and agency staff know their roles and responsibilities in the event of an unexpected incident, and validate the planned response.

The Chief Information Officer Organization (CIOO) recently issued an Acquisition Planning Guide that outlines the contracting process from start to finish for customers in need of IT goods and services, and provides clear and consistent expectations for stakeholders.
DHS also lacked guidance on what these oversight tasks could detail. As part of a risk assessment, the institution should analyze the benefits and costs associated with the proposed relationship.

The FDIC requires support across the entire IT application lifecycle including: creation (requirements, design, development, testing, deployment), configuration, integration, migration, enhancement, support, maintenance, operations, decommissioning, and other associated services for all FDIC owned applications, either in use today or deployed

Compromise the trust (or data) by failing to exercise due care in establishing appropriate controls to protect sensitive information and to identify and mitigate data breaches.

Phase 1: Procurement Planning - Program Office and DOA Acquisition Services Branch report to the FDIC Board the planned acquisition of a Critical Function, and provide a procurement risk assessment and management oversight strategy (including planned contract structure and cost effectiveness analysis). Ultimately, as recommended by best practices, a complete cost effectiveness analysis for Critical Functions, clear and distinct from the IGCE, should be performed and presented to the Board for its review and consideration.
In order to close these recommendations, we would expect that the FDIC implement a process to assess contractor over-reliance at the Agency and take the following actions: Identify contracts requiring heightened monitoring and controls during the procurement planning, award, and contract management phases of the acquisition process; Conduct procurement risk assessments for its contracts, including a cost-effectiveness analysis; Implement a management oversight strategy for contracts requiring heightened monitoring and controls; Implement periodic reviews for contracts requiring heightened monitoring and controls; Incorporate enhancements to the FDIC's existing acquisition planning, approval, reporting, and oversight processes; Conduct an assessment to determine whether FDIC's current Risk Inventory sufficiently addresses the underlying risks presented in the OIG's report; and.

6) Determine the contract structure during the solicitation and award process for the procurement of a Critical Function.
Of particular note, the failure to identify Critical Functions during the procurement planning phase results in a cascading failure throughout the acquisition process. In particular, Blue Canopy performed a range of cybersecurity and privacy support services for the FDIC, including continuous monitoring, vulnerability management, internal control reviews, and privacy assessments.