The Office of Inspector General at the Federal Deposit Insurance Corporation (FDIC) issued an audit report that highlights weaknesses related to the FDIC’s actions to implement a new mobile device management (MDM) solution. The FDIC relies heavily on smartphones and tablets to support its business operations and communications. The FDIC uses a cloud-based MDM solution to secure and manage these mobile devices.
In August 2019, the FDIC decided to replace its MDM solution with a new MDM solution (hereinafter, proposed MDM solution) which offered greater functionality. On October 4, 2019, the FDIC awarded a contract valued at $965,000 for the proposed MDM solution. However, in November 2019, the FDIC decided to terminate the contract because the FDIC could not validate whether the proposed MDM solution would satisfy the FDIC’s security requirements. In addition to the FDIC’s internal and contractor resources expended on the project, the FDIC compensated the vendor $343,533 for the proposed MDM solution. Notwithstanding the payment to the vendor, the FDIC never used the solution for which it had signed a contract to purchase.
The objective of the audit was to assess the adequacy of the FDIC's governance over the proposed MDM solution. The audit focused on the FDIC’s actions to evaluate, procure, authorize, and subsequently terminate its contract for the proposed MDM solution.
We found that the FDIC’s Chief Information Officer Organization (CIOO) did not:
- Identify elevated and growing risks associated with the proposed MDM solution in reports describing the health and status of the project provided to CIOO Executives and other FDIC stakeholders;
- Resolve security concerns identified by the Office of the Chief Information Security Officer prior to procuring the proposed MDM solution; or
- Establish roles and responsibilities in its procedures for managing the use of Limited Authorizations to Operate.
In addition, the FDIC’s Acquisition Services Branch did not engage the Legal Division to review the procurement of the proposed MDM solution, consistent with FDIC guidance.
Our report contains five recommendations intended to strengthen the FDIC’s processes and governance for evaluating, authorizing, and procuring new technologies. In addition, we identified $361,533 of funds put to better use. FDIC management concurred with all of the recommendations.