The Office of Inspector General at the Federal Deposit Insurance Corporation (FDIC) has issued its report on Critical Functions in FDIC Contracts. Like other Federal agencies, the FDIC relies on contractors to support a wide range of activities. Our Office conducted an evaluation to determine whether one of the FDIC’s contractors was performing Critical Functions as defined by guidance issued by the Office of Management and Budget (OMB); and if so, whether the FDIC provided sufficient management oversight of the contractor performing such functions.
If agencies do not effectively oversee their contracts and establish strong control environments, contractors could inappropriately influence government decision-making and an agency could lose control of its mission and operations. In response to this risk, OMB issued guidance in September 2011. This guidance focuses on managing the performance of Inherently Governmental Functions and Critical Functions in order “to ensure that government action is taken as a result of informed, independent judgments made by government officials.” OMB defines a Critical Function as one “that is necessary to the agency being able to effectively perform and maintain control of its mission and operations. Typically, critical functions are recurring and long-term in duration.”
The contractor that was the main focus of our review performed services in support of the FDIC’s information security and privacy program. We considered these services to fit the OMB definition of Critical Functions. For 2019, this contractor’s services comprised 38.3 percent ($16.2 million) of the FDIC’s annual operating expenses for information security and privacy ($42.3 million).
We determined that the FDIC did not have policies and procedures for identifying Critical Functions in its contracts, as recommended by OMB and embodied in industry standards. Therefore, while we determined that the contractor performed Critical Functions at the FDIC, the FDIC did not identify these services as Critical Functions during its procurement planning phase.
As a result, the FDIC also did not implement heightened contract monitoring activities for Critical Functions as outlined in OMB guidance and best practices identified and used by other government agencies. Such heightened contract monitoring activities would include: (1) performing a procurement risk assessment, (2) establishing a management oversight strategy, (3) conducting periodic reviews, and (4) providing formal reports to the FDIC Board of Directors on an individual and aggregate basis.
Without these best practices in place, the FDIC could not be assured that it would provide sufficient management oversight of this contractor or other contractors performing Critical Functions. In particular, the FDIC may not ensure that it has an adequate number of employees with the appropriate training, experience, and expertise to oversee the procurements of Critical Functions.
We made 13 recommendations in this report. The recommendations include incorporating provisions of OMB guidance into the FDIC’s policies and procedures, identifying Critical Functions during the procurement process, and implementing heightened contract monitoring for Critical Functions.