The Office of Inspector General (OIG) of the Federal Deposit Insurance Corporation (FDIC) issued its report on The FDIC’s Implementation of Supply Chain Risk Management (SCRM).
The FDIC awarded more than $2 billion via 483 contracts in 2021, procuring products and services from many types of vendors, contractors, and subcontractors. The supply chain for each vendor, contractor, or subcontractor may present unique risks to the FDIC, including the installation of counterfeit hardware and software in the FDIC environment, or reliance on a malicious or unqualified provider. Supply chain threats could compromise the FDIC’s Information Technology and data on its information systems and provide adversaries a means to exfiltrate sensitive information such as confidential bank examination information.
Therefore, the FDIC must implement a robust SCRM Program to identify and mitigate supply chain risks that threaten its ability to fulfill its mission, goals, and objectives; protect its sensitive and nonpublic information; and maintain the integrity of its operations. We conducted an evaluation to determine whether the FDIC developed and implemented its SCRM Program in alignment with the Agency’s objectives and best practices.
We found that the FDIC had not implemented several objectives outlined in its SCRM Implementation Project Charter (November 2019) and was not conducting supply chain risk assessments in accordance with best practices. For example, the FDIC had not:
- Identified and documented known risks to the Agency’s supply chain;
- Defined a risk management framework to evaluate risks to non-Information Technology procurements; or
- Established metrics and indicators related to continuous monitoring and evaluation of supply chain risks.
We also found that the FDIC did not conduct supply chain risk assessments during its procurement process for Chief Information Officer Organization and other Division and Office contracts. In addition, the FDIC had not ensured that its Enterprise Risk Management processes fully capture supply chain risks. Further, FDIC Contracting Officers did not maintain contract documents in the Contract Electronic File system, as required.
We made nine recommendations to the FDIC to address the findings in our report.