Federal Deposit Insurance Corporation
Office of Inspector General

Unimplemented Recommendations

The FDIC OIG’s Report on Unimplemented Recommendations, provided at the link below, contains information about recommendations from our audits and evaluations that the OIG has not closed because our office has not determined that the FDIC has fully implemented recommended corrective actions.

Our listing omits recommendations that we determined to be of a sensitive nature, and therefore unsuitable for public release. The status of each recommendation is subject to change due to the FDIC’s ongoing efforts to implement them, and the OIG’s independent review of information about those efforts. Specifically, a recommendation identified as unimplemented in this report may fall into one of several categories:

  • within targeted time frames,
  • under OIG review, or
  • overdue.

Further, the OIG may have subsequently closed a recommendation listed in this report after the date of its issuance.

For each Unimplemented Recommendation listed, we provide the report title, along with a link to the full report if available; the date of report issuance; and a brief description of the recommendation.
 
Our Unimplemented Recommendations listing will be updated monthly.

Overall Status of Recommendations

Graphic depicting the overall status of OIG recommendations from fiscal year 2017 to fiscal year 2021:

  • Fiscal Year 2017: 65 OIG recommendations made; 1 is still unimplemented and 64 are closed.
  • Fiscal Year 2018: 62 OIG recommendations; all 62 are closed.
  • Fiscal Year 2019: 50 OIG recommendations; all 50 are closed.
  • Fiscal Year 2020: 81 OIG recommendations; 17 are unimplemented and 64 are closed.
  • Fiscal Year 2021: 69 OIG recommendations; 33 are unimplemented and 36 are closed.
  • Fiscal Year 2022: 9 OIG recommendations; 9 are unimplemented and 0 are closed.

From Fiscal Year 2017 to Fiscal Year 2022, the OIG has made 336 recommendations. Of those 336 recommendations, 60 remain unimplemented and 276 are closed.

FDIC OIG Unimplemented Recommendations as of November 15, 2021

# | OIG Report No. | Report Title | Rec No. | Recommendation | Issued Date
1 | AEC-21-002 | The FDIC's Management of Employee Talent | 1 | Develop and implement defined, objective, quantifiable, and measurable goals related to retention management at the FDIC. | 9/1/2021
2 | AEC-21-002 | The FDIC's Management of Employee Talent | 2 | Develop and implement a process to collect and analyze the relevant data regarding employee retention across the FDIC and provide the data and analyses to Divisions and Offices. | 9/1/2021
3 | AEC-21-002 | The FDIC's Management of Employee Talent | 3 | Develop metrics and indicators to assess the effectiveness of the FDIC’s employee retention activities and to determine if the FDIC’s retention activities are achieving their desired results and outcomes. | 9/1/2021
4 | AUD-17-001 | Audit of the FDIC's Information Security Program - 2016 | 5 | Non-public report. | 11/2/2016
5 | AUD-20-001 | The FDIC's Information Security Program - 2019 | 2 | Monitor employee and contractor compliance with policy requirements for properly safeguarding sensitive electronic and hardcopy information. | 10/23/2019
6 | AUD-20-003 | The FDIC's Privacy Program | 3 | Develop and approve privacy plans for all information systems containing personally identifiable information consistent with Office of Management and Budget (OMB) Circular A-130. | 12/18/2019
7 | AUD-20-003 | The FDIC's Privacy Program | 5 | Update policies and/or procedures to reflect the current organizational structure of the Privacy Program and responsibilities of agency personnel and component offices that support the FDIC’s Privacy Program. | 12/18/2019
8 | AUD-20-003 | The FDIC's Privacy Program | 8 | Develop and implement controls to ensure that personally identifiable information stored in network shared drives and in hard copy is regularly monitored and reviewed for compliance with privacy laws, regulations, policy, and guidelines. | 12/18/2019
9 | AUD-21-001 | The FDIC's Information Security Program - 2020 | 3 | Remediate incomplete and out-of-date baseline configurations. | 10/27/2020
10 | AUD-21-001 | The FDIC's Information Security Program - 2020 | 4 | Assess the effectiveness of the FDIC’s controls for managing Administrative Accounts and implement control improvements. | 10/27/2020
11 | AUD-21-001 | The FDIC's Information Security Program - 2020 | 5 | Implement a process to ensure that all outsourced information systems are subject to the National Institute of Standards and Technology (NIST) Risk Management Framework as prescribed by Office of Management and Budget (OMB) policy. | 10/27/2020
12 | AUD-21-001 | The FDIC's Information Security Program - 2020 | 6 | Ensure that the FDIC’s cloud-based information systems are subject to annual security and privacy control assessments. | 10/27/2020
13 | AUD-21-002 | Governance of the Mobile Device Management Solution | 1 | Reinforce guidance and provide training on the need for effective identification and assessment of information technology project risks, and the prompt and accurate reporting of such risks. | 12/21/2020
14 | AUD-21-003 | Security of Critical Building Services at FDIC-owned Facilities | 2 | Implement the National Institute of Standards and Technology (NIST) Risk Management Framework for systems supporting critical building services. | 3/29/2021
15 | AUD-21-003 | Security of Critical Building Services at FDIC-owned Facilities | 3 | Modify the Facilities Management Contract to define security requirements for systems that support critical building services in FDIC-owned facilities. | 3/29/2021
16 | AUD-21-003 | Security of Critical Building Services at FDIC-owned Facilities | 5 | Ensure that Oversight Managers assigned to other FDIC contracts have obtained signed Confidentiality Agreements for all contractor and subcontractor personnel required to sign such agreements. | 3/29/2021
17 | AUD-21-003 | Security of Critical Building Services at FDIC-owned Facilities | 9 | Ensure that Oversight Managers assigned to other FDIC contracts have verified the completion of Information Security and Privacy Awareness Training and Insider Threat and Counterintelligence Awareness Training for contractor and subcontractor personnel without network access. | 3/29/2021
18 | AUD-21-004 | Security and Management of Mobile Devices | 1 | Perform a documented assessment of risks associated with Bring Your Own Device and the personal use of Corporate Owned Personally Enabled devices, including the installation and use of mobile applications, text messaging, and audio and video capabilities. | 8/3/2021
19 | AUD-21-004 | Security and Management of Mobile Devices | 2 | Establish mobile device policies and guidance that align with National Institute of Standards and Technology and Government Accountability Office recommended practices. The policies and guidance should (a) reflect the FDIC’s current business practices for mobile devices and (b) be based on the documented assessment of risks in Recommendation 1. | 8/3/2021
20 | AUD-21-004 | Security and Management of Mobile Devices | 3 | Require users of Bring Your Own Devices to consent to rules of behavior in a mobile device security agreement. | 8/3/2021
21 | AUD-21-004 | Security and Management of Mobile Devices | 4 | Define and document roles, responsibilities, and procedures for reviewing audit logs generated by the Mobile Device Management solution. | 8/3/2021
22 | AUD-21-004 | Security and Management of Mobile Devices | 5 | Separate responsibilities for performing systems administration from conducting reviews of audit logs generated by the Mobile Device Management solution. | 8/3/2021
23 | AUD-21-004 | Security and Management of Mobile Devices | 6 | Develop and implement awareness training to address risks and security practices related to the use of mobile devices. | 8/3/2021
24 | AUD-21-004 | Security and Management of Mobile Devices | 7 | Implement a process to routinely report usage information for mobile devices and MiFi devices to business units in the FDIC’s Divisions and Offices. | 8/3/2021
25 | AUD-21-004 | Security and Management of Mobile Devices | 8 | Require the FDIC’s Divisions and Offices to provide End User Computing Section with documentation to support the continued business need for zero usage devices and take action to suspend or terminate unnecessary devices and services. | 8/3/2021
26 | AUD-21-004 | Security and Management of Mobile Devices | 9 | Develop and implement written policies and/or procedures that define roles, responsibilities, and requirements for testing mobile device software updates and documenting the associated results before users are permitted to download and install them. | 8/3/2021
27 | AUD-22-001 | The FDIC's Information Security Program - 2021 | 1 | Develop and implement Supply Chain Risk Management (SCRM) processes and procedures in accordance with the Supply Chain Risk Management Program Directive and applicable government guidance. | 10/27/2021
28 | AUD-22-001 | The FDIC's Information Security Program - 2021 | 2 | Begin tracking completion of Identity, Credential, and Access Management (ICAM) milestones of its revised ICAM Roadmap. | 10/27/2021
29 | AUD-22-001 | The FDIC's Information Security Program - 2021 | 3 | Complete implementation of the Privacy Continuous Monitoring (PCM) process to include updating Privacy Impact Assessments (PIAs) for all required systems. | 10/27/2021
30 | AUD-22-001 | The FDIC's Information Security Program - 2021 | 4 | Implement Document Labeling Guide requirements across the entire organization as dictated by business needs. | 10/27/2021
31 | AUD-22-001 | The FDIC's Information Security Program - 2021 | 5 | Perform an analysis of the feasibility of applying the Document Labeling Guide for documents that were created before the issuance of the directive. | 10/27/2021
32 | AUD-22-001 | The FDIC's Information Security Program - 2021 | 6 | Ensure that the FDIC’s in-house and contractor managed information systems are subject to a formal authorization process as defined in the Risk Management Framework. | 10/27/2021
33 | AUD-22-002 | The FDIC's Compliance under the Digital Accountability and Transparency Act of 2014 | 1 | Coordinate with the Office of Management and Budget and the Department of the Treasury to obtain a written determination on whether the FDIC must include Treasury Account Symbols 4065 and 4067 in its future DATA Act submissions and the data elements that must be reported, if applicable. | 11/03/2021
34 | AUD-22-002 | The FDIC's Compliance under the Digital Accountability and Transparency Act of 2014 | 2 | Include Treasury Account Symbols 4065 and 4067 in the FDIC’s future DATA Act submissions in accordance with DATA Act reporting requirements until such time that the FDIC receives written guidance from the Office of Management and Budget and the Department of the Treasury on whether the FDIC must include the Treasury Account Symbols in its DATA Act submissions. | 11/03/2021
35 | AUD-22-002 | The FDIC's Compliance under the Digital Accountability and Transparency Act of 2014 | 3 | Update the FDIC’s DATA Act reporting procedures and quality assurance processes to include tasks and documents needed to produce and review the DATA Act submission for all Treasury Account Symbols reflected in the FDIC’s Government-wide Treasury Account Symbol Adjusted Trial Balance SF-133. | 11/03/2021
36 | EVAL-20-001 | Contract Oversight Management | 2 | Provide enhanced contract portfolio reports to FDIC executives, senior management, and the Board of Directors. | 10/28/2019
37 | EVAL-20-003 | Cost Benefit Analysis Process for Rulemaking | 1 | Establish, document, and implement policy and procedures for conducting cost benefit analyses, including when and how the cost benefit analyses will be performed. | 2/4/2020
38 | EVAL-20-003 | Cost Benefit Analysis Process for Rulemaking | 2 | Establish, document, and implement policy and procedures that clearly define the roles and responsibilities for the Regulatory Analysis Section (RAS), and early involvement for the RAS in participating in and framing the initial policy direction of a rule. | 2/4/2020
39 | EVAL-20-003 | Cost Benefit Analysis Process for Rulemaking | 3 | Establish, document, and implement policy and procedures that clearly define the Chief Economist’s roles and responsibilities for reviewing and concurring on cost benefit analyses performed. | 2/4/2020
40 | EVAL-20-003 | Cost Benefit Analysis Process for Rulemaking | 4 | Establish, document, and implement policy and procedures that address how cost benefit analyses and supporting information, such as scope and methodology, analyses, conclusions, and reconciliation to the Agency’s final policy decision will be documented and published in the Federal Register to ensure transparency. | 2/4/2020
41 | EVAL-20-003 | Cost Benefit Analysis Process for Rulemaking | 5 | Establish, document, and implement policy and procedures for conducting retrospective cost benefit analyses on existing rules, including a regulatory risk assessment, as well as roles and responsibilities for the Driver Divisions, Chief Economist, and Division of Insurance and Research (DIR)/Regulatory Analysis Section (RAS). | 2/4/2020
42 | EVAL-20-004 | The FDIC's Readiness for Crises | 5 | Establish and implement Agency-wide hazard-specific readiness plans, as needed, to identify and integrate FDIC readiness plans and activities unique to specific hazards impacting insured depository institutions. | 4/7/2020
43 | EVAL-20-007 | In-Depth Review of Enloe State Bank, Cooper, Texas | 2 | Train examiners on the importance of understanding and documenting the independence and qualifications of internal auditor(s), and reviewing internal audit work papers and results. | 9/30/2020
44 | EVAL-20-007 | In-Depth Review of Enloe State Bank, Cooper, Texas | 3 | Train examiners on the importance of adequate annual external financial audit coverage, and under what circumstances and with what justifications banks may obtain reviews in place of audits. | 9/30/2020
45 | EVAL-20-007 | In-Depth Review of Enloe State Bank, Cooper, Texas | 5 | Train examiners on the importance of ensuring that information system user access controls be adequately tested. | 9/30/2020
46 | EVAL-20-007 | In-Depth Review of Enloe State Bank, Cooper, Texas | 6 | Enhance case study training to incorporate the lessons learned from Enloe State Bank in regard to performing additional procedures related to the bank’s loan related activity. | 9/30/2020
47 | EVAL-20-007 | In-Depth Review of Enloe State Bank, Cooper, Texas | 7 | Train examiners to perform additional procedures to determine the likelihood of fraud once a dominant official designation is made at a bank with a weak internal control environment. | 9/30/2020
48 | EVAL-20-007 | In-Depth Review of Enloe State Bank, Cooper, Texas | 8 | Train examiners on indicators of fraud and how individual issues identified during an examination should be considered holistically to facilitate fraud detection. | 9/30/2020
49 | EVAL-21-002 | Critical Functions in FDIC Contracts | 1 | Incorporate the provisions of OMB Policy Letter 11-01 guidance into the FDIC Acquisition Policy Manual (August 2008) and Acquisition Procedures, Guidance and Information document (January 2020). | 3/31/2021
50 | EVAL-21-002 | Critical Functions in FDIC Contracts | 2 | Identify Critical Functions during the procurement planning, award, and contract management phases of the acquisition process. | 3/31/2021
51 | EVAL-21-002 | Critical Functions in FDIC Contracts | 4 | Conduct a procurement risk assessment for Critical Functions during the procurement planning process, for each contract involving Critical Functions. As part of the procurement risk assessment, include a cost effectiveness analysis. | 3/31/2021
52 | EVAL-21-002 | Critical Functions in FDIC Contracts | 5 | Develop and implement a management oversight strategy for Critical Functions during the procurement planning process, for each contract involving Critical Functions. | 3/31/2021
53 | EVAL-21-002 | Critical Functions in FDIC Contracts | 6 | Determine the contract structure during the solicitation and award process for the procurement of a Critical Function. | 3/31/2021
54 | EVAL-21-002 | Critical Functions in FDIC Contracts | 7 | Revise the management oversight strategy for the procured Critical Functions performed under the BOAs for Managed Security Services Provider and Security and Privacy Professional Services to ensure that the strategy aligns with best practices. | 3/31/2021
55 | EVAL-21-002 | Critical Functions in FDIC Contracts | 8 | Identify missing or insufficient controls in the BOAs and task orders for Managed Security Services Provider and Security and Privacy Professional Services, and implement appropriate corrective actions or compensating controls. | 3/31/2021
56 | EVAL-21-002 | Critical Functions in FDIC Contracts | 9 | Implement periodic reviews for procured Critical Functions, including for the BOAs and task orders for Managed Security Services Provider and Security and Privacy Professional Services. | 3/31/2021
57 | EVAL-21-002 | Critical Functions in FDIC Contracts | 10 | Determine when and how to assess for contractor over-reliance as part of the management oversight strategy. | 3/31/2021
58 | EVAL-21-002 | Critical Functions in FDIC Contracts | 11 | Implement corrective actions when the FDIC determines it is over-reliant on a contractor for a procured Critical Function. | 3/31/2021
59 | EVAL-21-002 | Critical Functions in FDIC Contracts | 12 | Report to the Board about the Procurement Risk Assessments, Management Oversight Strategies, and contract provisions that address identified risks for planned Critical Functions during the procurement planning phase of the acquisition, for its consideration. | 3/31/2021
60 | EVAL-21-002 | Critical Functions in FDIC Contracts | 13 | Report to the Board about the Award Profile Reports and corresponding status reports for procured Critical Functions during the contract management phase of the acquisition process on an individual and aggregate contract basis, for its consideration. | 3/31/2021
