The Office of Inspector General at the Federal Deposit Insurance Corporation (FDIC) has issued an evaluation report on the FDIC’s Personnel Security and Suitability Program (PSSP). The effectiveness of the FDIC’s PSSP is critically important to ensure that FDIC employees and contractor personnel are properly screened and investigated prior to being granted access to systems and entrusted with sensitive, confidential, or, in some cases, classified information.
Before individuals can be hired by the FDIC, they must meet minimum standards for employment with the FDIC. Contractor personnel must meet minimum standards of integrity and fitness. Determining whether an individual meets the FDIC’s minimum employment or integrity and fitness standards is accomplished by way of a preliminary background investigation (PBI). Federal regulations also require that a background investigation (BI) be conducted on each Federal employee and contractor.
We found that the FDIC’s PSSP was not fully effective in ensuring that: (1) PBIs were completed in a timely manner; (2) BIs were ordered and adjudicated commensurate with position risk designations; and (3) re-investigations were ordered within required timeframes. Specifically, after analyzing PSSP-related data for all employees and contractor personnel with access to the FDIC’s information technology systems as of December 2, 2019, we determined that:
- The FDIC did not remove multiple contractors with unfavorable background investigation adjudications in a timely manner;
- The FDIC did not follow its Insider Threat protocols and conducted limited risk assessments for the contractors with unfavorable adjudications;
- The FDIC did not initiate and order numerous required periodic reinvestigations in a timely manner;
- Data on contractor position risks were unreliable;
- Employee background investigations were sometimes not commensurate with position risk;
- Some of the FDIC files were missing certain PBI data; and
- The FDIC was not meeting its goals for completing PBIs within a specified timeframe.
Importantly, the results of our evaluation led us to conclude that the risks within the FDIC’s PSSP were not fully reflected in the FDIC’s Risk Inventory as a component of its Enterprise Risk Management program. This risk analysis is particularly important now as the FDIC begins contingency planning for surge staffing in the event that the current pandemic negatively impacts the banking sector. The FDIC’s Operating Committee, as the Risk Management Council, must ensure that the Division of Administration is satisfactorily addressing the risks associated with the PSSP.
We made 21 recommendations aimed at strengthening the PSSP’s controls and ensuring that the FDIC is in full compliance with Federal requirements. The FDIC concurred with all 21 recommendations.