Federal Deposit Insurance Corporation
Office of Inspector General

Unimplemented Recommendations

The FDIC OIG’s Report on Unimplemented Recommendations, provided at the link below, contains information about recommendations from our audits and evaluations that the OIG has not closed because our office has not determined that the FDIC has fully implemented recommended corrective actions.

Our listing omits recommendations that we determined to be of a sensitive nature, and therefore unsuitable for public release. The status of each recommendation is subject to change due to the FDIC’s ongoing efforts to implement them, and the OIG’s independent review of information about those efforts. Specifically, a recommendation identified as unimplemented in this report may fall into one of several categories:

  • within targeted time frames,
  • under OIG review, or
  • overdue.

Further, the OIG may have subsequently closed a recommendation listed in this report after the date of its issuance.

For each Unimplemented Recommendation listed, we provide the report title, along with a link to the full report if available; the date of report issuance; and a brief description of the recommendation.
 
Our Unimplemented Recommendations listing will be updated monthly.

Overall Status of Recommendations

Overall status of OIG recommendations, fiscal years 2017 through 2021 (the page's graphic, reproduced here as a table):

Fiscal Year | Recommendations Made | Unimplemented | Closed
2017 | 65 | 1 | 64
2018 | 62 | 0 | 62
2019 | 50 | 0 | 50
2020 | 81 | 40 | 41
2021 | 57 | 38 | 19
Total (FY 2017 - FY 2021) | 315 | 79 | 236

FDIC OIG Unimplemented Recommendations as of May 14, 2021

# | OIG Report No. | Report Title | Rec No. | Recommendation
1 | AUD-17-001 | Audit of the FDIC's Information Security Program - 2016 | 5 | Non-public report.
2 | AUD-20-001 | The FDIC's Information Security Program - 2019 | 2 | Monitor employee and contractor compliance with policy requirements for properly safeguarding sensitive electronic and hardcopy information.
3 | AUD-20-003 | The FDIC's Privacy Program | 3 | Develop and approve privacy plans for all information systems containing personally identifiable Information consistent with Office of Management and Budget (OMB) Circular A-130.
4 | AUD-20-003 | The FDIC's Privacy Program | 4 | Implement a Privacy Continuous Monitoring (PCM) program to regularly assess the effectiveness of privacy controls.
5 | AUD-20-003 | The FDIC's Privacy Program | 5 | Update policies and/or procedures to reflect the current organizational structure of the Privacy Program and responsibilities of agency personnel and component offices that support the FDIC’s Privacy Program.
6 | AUD-20-003 | The FDIC's Privacy Program | 8 | Develop and implement controls to ensure that personally identifiable Information stored in network shared drives and in hard copy is regularly monitored and reviewed for compliance with privacy laws, regulations, policy, and guidelines.
7 | AUD-20-003 | The FDIC's Privacy Program | 11 | Generate reports to monitor and audit compliance with the FDIC’s records retention and disposition requirements.
8 | AUD-21-001 | The FDIC's Information Security Program - 2020 | 1 | Ensure that risk acceptance decisions are reassessed in accordance with FDIC guidance to determine whether they remain valid and are at an acceptable level.
9 | AUD-21-001 | The FDIC's Information Security Program - 2020 | 2 | Implement control improvements to prevent the unauthorized installation of software on the FDIC network.
10 | AUD-21-001 | The FDIC's Information Security Program - 2020 | 3 | Remediate incomplete and out-of-date baseline configurations.
11 | AUD-21-001 | The FDIC's Information Security Program - 2020 | 4 | Assess the effectiveness of the FDIC’s controls for managing Administrative Accounts and implement control improvements.
12 | AUD-21-001 | The FDIC's Information Security Program - 2020 | 5 | Implement a process to ensure that all outsourced information systems are subject to the National Institute of Standards and Technology (NIST) Risk Management Framework as prescribed by Office of Management and Budget (OMB) policy.
13 | AUD-21-001 | The FDIC's Information Security Program - 2020 | 6 | Ensure that the FDIC’s cloud-based information systems are subject to annual security and privacy control assessments.
14 | AUD-21-001 | The FDIC's Information Security Program - 2020 | 7 | Update FDIC’s directive(s) related to contingency planning to reflect current business processes, requirements, and government-wide security policy and guidance.
15 | AUD-21-001 | The FDIC's Information Security Program - 2020 | 8 | Incorporate additional scenarios involving operational challenges into the FDIC’s information technology (IT) contingency plan testing exercises.
16 | AUD-21-002 | Governance of the Mobile Device Management Solution | 1 | Reinforce guidance and provide training on the need for effective identification and assessment of information technology project risks, and the prompt and accurate reporting of such risks.
17 | AUD-21-002 | Governance of the Mobile Device Management Solution | 2 | Establish and implement a control that requires the concurrence of security and privacy officials prior to submitting a procurement package for new technologies to the Acquisition Services Branch. [Estimated funds put to better use of $361,533.]
18 | AUD-21-002 | Governance of the Mobile Device Management Solution | 3 | Clarify and communicate the roles and responsibilities of the Security and Enterprise Architecture Technical Advisory Board and the Governance Risk and Compliance Section with respect to security requirements for new technologies.
19 | AUD-21-002 | Governance of the Mobile Device Management Solution | 4 | Clarify roles and responsibilities for authorizing the use of Limited Authorizations to Operate and the associated security control tailoring. ^
20 | AUD-21-003 | Security of Critical Building Services at FDIC-owned Facilities | 1 | Include systems supporting critical building services in FDIC-owned facilities in the FDIC’s systems inventory.
21 | AUD-21-003 | Security of Critical Building Services at FDIC-owned Facilities | 2 | Implement the National Institute of Standards and Technology (NIST) Risk Management Framework for systems supporting critical building services.
22 | AUD-21-003 | Security of Critical Building Services at FDIC-owned Facilities | 3 | Modify the Facilities Management Contract to define security requirements for systems that support critical building services in FDIC-owned facilities.
23 | AUD-21-003 | Security of Critical Building Services at FDIC-owned Facilities | 5 | Ensure that Oversight Managers assigned to other FDIC contracts have obtained signed Confidentiality Agreements for all contractor and subcontractor personnel required to sign such agreements.
24 | AUD-21-003 | Security of Critical Building Services at FDIC-owned Facilities | 6 | Provide training to Oversight Managers to ensure that Confidentiality Agreements are consistently executed and maintained as required by FDIC policy.
25 | AUD-21-003 | Security of Critical Building Services at FDIC-owned Facilities | 8 | Conduct training to ensure that all Oversight Managers understand the requirement for contractor and subcontractor personnel to complete Information Security and Privacy Awareness Training and Insider Threat and Counterintelligence Awareness Training.
26 | AUD-21-003 | Security of Critical Building Services at FDIC-owned Facilities | 9 | Ensure that Oversight Managers assigned to other FDIC contracts have verified the completion of Information Security and Privacy Awareness Training and Insider Threat and Counterintelligence Awareness Training for contractor and subcontractor personnel without network access.
27 | AUD-21-003 | Security of Critical Building Services at FDIC-owned Facilities | 10 | Include a provision in future contracts requiring contractor and subcontractor personnel to complete Insider Threat and Counterintelligence Awareness Training.
28 | EVAL-20-001 | Contract Oversight Management | 2 | Provide enhanced contract portfolio reports to FDIC executives, senior management, and the Board of Directors.
29 | EVAL-20-001 | Contract Oversight Management | 8 | In conjunction with the Division of Information Technology, develop controls around access to information contained within Contract Electronic File to ensure that Personally Identifiable Information is appropriately protected, or identify an alternative to Contract Electronic File that can serve as a secure repository for all contract documents.
30 | EVAL-20-003 | Cost Benefit Analysis Process for Rulemaking | 1 | Establish, document, and implement policy and procedures for conducting cost benefit analyses, including when and how the cost benefit analyses will be performed.
31 | EVAL-20-003 | Cost Benefit Analysis Process for Rulemaking | 2 | Establish, document, and implement policy and procedures that clearly define the roles and responsibilities for the Regulatory Analysis Section (RAS), and early involvement for the RAS in participating in and framing the initial policy direction of a rule.
32 | EVAL-20-003 | Cost Benefit Analysis Process for Rulemaking | 3 | Establish, document, and implement policy and procedures that clearly define the Chief Economist’s roles and responsibilities for reviewing and concurring on cost benefit analyses performed.
33 | EVAL-20-003 | Cost Benefit Analysis Process for Rulemaking | 4 | Establish, document, and implement policy and procedures that address how cost benefit analyses and supporting information, such as scope and methodology, analyses, conclusions, and reconciliation to the Agency’s final policy decision, will be documented and published in the Federal Register to ensure transparency.
34 | EVAL-20-003 | Cost Benefit Analysis Process for Rulemaking | 5 | Establish, document, and implement policy and procedures for conducting retrospective cost benefit analyses on existing rules, including a regulatory risk assessment, as well as roles and responsibilities for the Driver Divisions, Chief Economist, and Division of Insurance and Research (DIR)/Regulatory Analysis Section (RAS).
35 | EVAL-20-004 | The FDIC's Readiness for Crises | 1 | Establish and implement a policy providing senior management’s crisis readiness directives.
36 | EVAL-20-004 | The FDIC's Readiness for Crises | 2 | Establish a committee to guide and oversee FDIC crisis readiness planning.
37 | EVAL-20-004 | The FDIC's Readiness for Crises | 3 | Establish and implement procedures supporting an Agency-wide process for crisis readiness planning.
38 | EVAL-20-004 | The FDIC's Readiness for Crises | 4 | Establish and implement an Agency-wide all-hazards readiness plan that identifies and integrates FDIC readiness activities common to all crises impacting insured depository institutions.
39 | EVAL-20-004 | The FDIC's Readiness for Crises | 5 | Establish and implement Agency-wide hazard-specific readiness plans, as needed, to identify and integrate FDIC readiness plans and activities unique to specific hazards impacting insured depository institutions.
40 | EVAL-20-004 | The FDIC's Readiness for Crises | 6 | Establish and implement a process for ensuring periodic training of responsible personnel on their task-related responsibilities in executing readiness plans.
41 | EVAL-20-004 | The FDIC's Readiness for Crises | 7 | Establish and implement a process for regularly documenting readiness plan exercise results and related recommendations, and retaining that documentation for use in readiness improvement activities.
42 | EVAL-20-004 | The FDIC's Readiness for Crises | 8 | Establish and implement a monitoring process for lessons learned that prioritizes and tracks recommendations to improve readiness activities.
43 | EVAL-20-004 | The FDIC's Readiness for Crises | 9 | Establish and implement a process to ensure that the FDIC reviews and updates readiness plans on a recurring basis.
44 | EVAL-20-004 | The FDIC's Readiness for Crises | 10 | Establish and maintain a central repository of up-to-date readiness plans.
45 | EVAL-20-004 | The FDIC's Readiness for Crises | 11 | Establish and implement a process to assess and report regularly on the state of the FDIC’s Agency-wide readiness to address crises impacting insured depository institutions.
46 | EVAL-20-005 | The FDIC’s Implementation of Enterprise Risk Management | 2 | Define the roles and responsibilities of the Board with respect to enterprise risk management, including its role in endorsing the risk appetite statement.
47 | EVAL-20-005 | The FDIC’s Implementation of Enterprise Risk Management | 3 | Develop and implement enterprise risk management communication protocols to the Board.
48 | EVAL-20-006 | Preventing and Addressing Sexual Harassment | 8 | Develop and implement a tracking system for sexual harassment misconduct allegations handled by the Anti-Harassment Program to ensure that relevant information is centralized, complete, accurate, and updated timely.
49 | EVAL-20-006 | Preventing and Addressing Sexual Harassment | 9 | Track data elements for misconduct allegations, including original allegation date; misconduct classification; date investigation concluded; name of investigator; names of complainant, alleged harasser, and witnesses; whether the allegation was substantiated or unsubstantiated; and date of written notification to complainant and alleged harasser regarding completion of the investigation.
50 | EVAL-20-006 | Preventing and Addressing Sexual Harassment | 12 | Develop and implement procedures to ensure that supervisors take consistent disciplinary actions for substantiated sexual harassment, in line with Federal government law on imposing disciplinary actions. ^
51 | EVAL-20-006 | Preventing and Addressing Sexual Harassment | 13 | Develop and implement a comprehensive, centralized database of disciplinary actions, including those associated with sexual harassment.
52 | EVAL-20-006 | Preventing and Addressing Sexual Harassment | 14 | Enhance employee and supervisor training on identifying and reporting sexual harassment, to include the training content recommended by the Equal Employment Opportunity Commission.
53 | EVAL-20-006 | Preventing and Addressing Sexual Harassment | 15 | Develop oversight mechanisms to assess the effectiveness of the FDIC’s sexual harassment prevention efforts and determine whether the FDIC is addressing sexual harassment allegations in a prompt and effective manner.
54 | EVAL-20-007 | In-Depth Review of Enloe State Bank, Cooper, Texas | 1 | Clarify criteria the examiners should use to identify an official as dominant.
55 | EVAL-20-007 | In-Depth Review of Enloe State Bank, Cooper, Texas | 2 | Train examiners on the importance of understanding and documenting the independence and qualifications of internal auditor(s), and reviewing internal audit work papers and results.
56 | EVAL-20-007 | In-Depth Review of Enloe State Bank, Cooper, Texas | 3 | Train examiners on the importance of adequate annual external financial audit coverage, and under what circumstances and with what justifications banks may obtain reviews in place of audits.
57 | EVAL-20-007 | In-Depth Review of Enloe State Bank, Cooper, Texas | 4 | Implement guidance and train personnel on monitoring and following up on State-issued Matters Requiring Board Attention.
58 | EVAL-20-007 | In-Depth Review of Enloe State Bank, Cooper, Texas | 5 | Train examiners on the importance of ensuring that information system user access controls are adequately tested.
59 | EVAL-20-007 | In-Depth Review of Enloe State Bank, Cooper, Texas | 6 | Enhance case study training to incorporate the lessons learned from Enloe State Bank in regard to performing additional procedures related to the bank’s loan-related activity.
60 | EVAL-20-007 | In-Depth Review of Enloe State Bank, Cooper, Texas | 7 | Train examiners to perform additional procedures to determine the likelihood of fraud once a dominant official designation is made at a bank with a weak internal control environment.
61 | EVAL-20-007 | In-Depth Review of Enloe State Bank, Cooper, Texas | 8 | Train examiners on indicators of fraud and how individual issues identified during an examination should be considered holistically to facilitate fraud detection.
62 | EVAL-21-001 | The FDIC's Personnel Security and Suitability Program | 6 | Evaluate and document the Risk Assessment of completing Background Investigations for contractor personnel in high-risk positions before they begin work at the FDIC.
63 | EVAL-21-001 | The FDIC's Personnel Security and Suitability Program | 8 | Establish procedures that require the scope and duration of the Data Loss Prevention (DLP) review process to correspond with the risk associated with the individual being removed due to an unfavorable adjudication. ^
64 | EVAL-21-001 | The FDIC's Personnel Security and Suitability Program | 12 | Conduct a comprehensive review to validate risk designation information for all contractors, and update risk designations based on the results of the review.
65 | EVAL-21-001 | The FDIC's Personnel Security and Suitability Program | 15 | Review and update FDIC systems of record to reflect correct position risk information.
66 | EVAL-21-001 | The FDIC's Personnel Security and Suitability Program | 16 | Provide training to program office officials on their responsibilities to notify the Security and Emergency Preparedness Section (SEPS) of any changes to employee position risk designations.
67 | EVAL-21-002 | Critical Functions in FDIC Contracts | 1 | Incorporate the provisions of OMB Policy Letter 11-01 guidance into the FDIC Acquisition Policy Manual (August 2008) and Acquisition Procedures, Guidance and Information document (January 2020).
68 | EVAL-21-002 | Critical Functions in FDIC Contracts | 2 | Identify Critical Functions during the procurement planning, award, and contract management phases of the acquisition process.
69 | EVAL-21-002 | Critical Functions in FDIC Contracts | 3 | Assess whether the FDIC’s Enterprise Risk Management program should identify the impact of procured Critical Functions, and procurement risk related to contractors performing Critical Functions, within the FDIC’s Risk Inventory.
70 | EVAL-21-002 | Critical Functions in FDIC Contracts | 4 | Conduct a procurement risk assessment for Critical Functions during the procurement planning process, for each contract involving Critical Functions. As part of the procurement risk assessment, include a cost effectiveness analysis.
71 | EVAL-21-002 | Critical Functions in FDIC Contracts | 5 | Develop and implement a management oversight strategy for Critical Functions during the procurement planning process, for each contract involving Critical Functions.
72 | EVAL-21-002 | Critical Functions in FDIC Contracts | 6 | Determine the contract structure during the solicitation and award process for the procurement of a Critical Function.
73 | EVAL-21-002 | Critical Functions in FDIC Contracts | 7 | Revise the management oversight strategy for the procured Critical Functions performed under the BOAs for Managed Security Services Provider and Security and Privacy Professional Services to ensure that the strategy aligns with best practices.
74 | EVAL-21-002 | Critical Functions in FDIC Contracts | 8 | Identify missing or insufficient controls in the BOAs and task orders for Managed Security Services Provider and Security and Privacy Professional Services, and implement appropriate corrective actions or compensating controls.
75 | EVAL-21-002 | Critical Functions in FDIC Contracts | 9 | Implement periodic reviews for procured Critical Functions, including for the BOAs and task orders for Managed Security Services Provider and Security and Privacy Professional Services.
76 | EVAL-21-002 | Critical Functions in FDIC Contracts | 10 | Determine when and how to assess for contractor over-reliance as part of the management oversight strategy.
77 | EVAL-21-002 | Critical Functions in FDIC Contracts | 11 | Implement corrective actions when the FDIC determines it is over-reliant on a contractor for a procured Critical Function.
78 | EVAL-21-002 | Critical Functions in FDIC Contracts | 12 | Report to the Board about the Procurement Risk Assessments, Management Oversight Strategies, and contract provisions that address identified risks for planned Critical Functions during the procurement planning phase of the acquisition, for its consideration.
79 | EVAL-21-002 | Critical Functions in FDIC Contracts | 13 | Report to the Board about the Award Profile Reports and corresponding status reports for procured Critical Functions during the contract management phase of the acquisition process on an individual and aggregate contract basis, for its consideration.
