FDIC's Contract Planning and Management for Business Continuity

March 2007
Report No. 07-009

AUDIT REPORT

FDIC OIG, Office of Audits

Background and Purpose of Audit


The Federal Emergency Management Agency issued Federal Preparedness Circular 65 (FPC 65), providing guidance for agencies to use in developing continuity of operations plans. The FDIC's Emergency Preparedness Program establishes the FDIC's business continuity policy and requires Business Continuity Plans (BCP) to be established in the FDIC's Washington Area Headquarters Offices and in each of the regional offices. The BCPs include procedures for relocating essential personnel; resuming and restoring FDIC critical business processes; and recovering and reconstituting supporting information technology systems. Identifying essential contracts and ensuring that contracts provide for services in the event of a BCP scenario are critical to FDIC operations.

The objective of this audit was to determine whether the FDIC has planned for essential contract services to be provided in the event of an emergency that requires implementation of the FDIC's BCP.

FDIC, Federal Deposit Insurance Corporation


Results of Audit


The FDIC has planned to ensure contract services are provided in the event of an emergency and is continuing to improve contract management for business continuity. The FDIC has identified most essential contracts for business continuity purposes and modified many of those contracts to include emergency preparedness clauses. Also, the FDIC has a process to update its list of essential contracts in the BCP annually. The FDIC could further improve its contract planning and management for business continuity by:

  • enhancing BCP procedures and the Business Impact Analysis questionnaire to require documentation of all essential contracts, including detailed information about each contract;
  • requiring program offices to include emergency preparedness clauses in the Statement of Work for essential contracts and subcontracts to ensure that business continuity is considered in the procurement process; and
  • amending acquisition policy and procedures and BCP policy to require that essential contractors (a) have emergency plans for providing services to the FDIC in the event of a disruption of normal operations and (b) participate in the FDIC's business continuity testing, training, and exercise activities.

Additional guidance in the FDIC's Acquisition Policy Manual and BCP policy and procedures would help to ensure that contractor activities are fully integrated into FDIC business continuity planning to enhance the FDIC's readiness to continue essential operations in emergency situations.

Recommendations and Management Response

We made three recommendations to strengthen the FDIC's contract planning and management for business continuity. DOA concurred with our recommendations and has completed corrective actions.


TABLE OF CONTENTS

BACKGROUND
FDIC Emergency Preparedness
Business Impact Analysis
Business Continuity Planning
BCP Testing, Training, and Exercise
RESULTS OF AUDIT
BUSINESS IMPACT ANALYSIS
Use of Emergency Preparedness Clauses
Recommendation
BUSINESS CONTINUITY PLANNING
Contracting Procedures for Essential Services
Contracting Procedures for Subcontractors
Recommendation
BCP PROCEDURES FOR CONTRACTOR TESTING, TRAINING, AND EXERCISES
Testing, Training, and Exercises
Recommendation
CORPORATION COMMENTS AND OIG EVALUATION
APPENDIXES
APPENDIX I: OBJECTIVE, SCOPE, AND METHODOLOGY
APPENDIX II: CORPORATION COMMENTS
APPENDIX III: MANAGEMENT RESPONSE TO RECOMMENDATIONS
TABLE
Summary of Results of Audit


ACRONYMS

APM Acquisition Policy Manual
ASB Acquisition Services Branch
BCP Business Continuity Plan
BIA Business Impact Analysis
COOP Continuity of Operations Plan
DOA Division of Administration
DIT Division of Information Technology
EPP Emergency Preparedness Program
ERP Emergency Response Plan
FEMA Federal Emergency Management Agency
FFIEC Federal Financial Institutions Examination Council
FPC Federal Preparedness Circular
GSA General Services Administration
GPRA Government Performance and Results Act
ISC Infrastructure Services Contract
IT Information Technology
ITAS Information Technology Applications Systems
NIST National Institute of Standards and Technology
OIG Office of Inspector General
SEPS Security and Emergency Preparedness Section
SRA SRA International, Inc.


FDIC, Federal Deposit Insurance Corporation, Office of Inspector General, 3501 Fairfax Drive, Arlington, VA 22226-3500
DATE: March 30, 2007
 
MEMORANDUM TO: Arleas Upton Kea, Director
Division of Administration

FROM: Russell A. Rau [Electronically produced version; original signed by Russell A. Rau]
Assistant Inspector General for Audits

SUBJECT: FDIC's Contract Planning and Management for Business Continuity (Report No. 07-009)
 
This report presents the results of our audit of the FDIC's Contract Planning and Management for Business Continuity. As of December 31, 2006, the FDIC had eight contracts valued at more than $800 million that were deemed essential to its critical business processes. The objective of this audit was to determine whether the FDIC has planned for essential contract services to be provided in the event of an emergency that requires the implementation of the FDIC's Business Continuity Plan (BCP).[1] Additional details on our objective, scope, and methodology are provided in Appendix I.

BACKGROUND

In June 2004, the Federal Emergency Management Agency (FEMA) revised Federal Preparedness Circular (FPC) 65, Federal Executive Branch Continuity of Operations,[2] to assist Federal Executive Branch departments, agencies and independent organizations in developing contingency plans and programs for the continuity of operations (COOP)[3] and to identify elements of a viable COOP capability.

FPC 65 states that COOP planning includes the activities of individual departments and agencies and their subcomponents to ensure that their essential functions are performed during any emergency or situation that may disrupt normal operations. FPC 65 further states that COOP planning (1) is part of the fundamental mission of federal agencies as responsible and reliable public institutions and (2) requires a comprehensive program to ensure the continuity of essential federal functions.

Elements of a Viable COOP Capability

  • Essential Functions
  • Plans and Procedures
  • Orders of Succession
  • Delegations of Authority
  • Alternate Facilities
  • Redundant Emergency Communications
  • Vital Records
  • Testing, Training, and Exercises
Source: FPC 65.

FDIC Emergency Preparedness

FDIC Circular 1500.5, FDIC Emergency Preparedness Program, dated January 30, 2007, serves as the official policy for FDIC Headquarters and regional offices in developing, implementing, and maintaining an FDIC Emergency Preparedness Program (EPP) to safeguard personnel and continue critical business processes during emergencies. The circular was updated during our audit, and the OIG provided comments during the revision process. FDIC Circular 1500.5 states that the EPP supports emergency preparedness planning guidance as outlined in FPC 65, as well as industry-recognized emergency preparedness best practices. Three components comprise the EPP: the Emergency Response Plan (ERP), a BCP, and any other plans necessary to prepare for an emergency. The ERP documents the procedures and structure for a coordinated response to an emergency and focuses on mitigating injuries and loss of life to FDIC personnel, contractors, and visitors at FDIC locations. The BCP documents the procedures for relocating essential personnel; resuming and restoring FDIC critical business processes; and recovering and reconstituting supporting information technology (IT) systems. The BCP is composed of individual division and office continuity plans, which identify critical business functions; how soon those functions must be operational in emergency situations; and the personnel, equipment, and systems resources needed to operate those functions during an emergency. The FDIC updates its BCP annually, as discussed below.

Business Impact Analysis

FPC 65 provides that planning requirements for a viable COOP capability must include the development, maintenance, and annual review of agency COOP capabilities using a multi-year strategy and program management plan. The FDIC addresses this requirement in the EPP by requiring an annual Business Impact Analysis (BIA). The BIA is a tool that enables full characterization of system requirements, processes, and interdependencies to determine contingency requirements and priorities. The BIA's purpose is to correlate specific system components with the critical services they provide, and based on that information, to characterize the consequences of a disruption to the system components.

During the BIA, critical business function requirements and critical IT applications are reviewed, validated, added, or removed. The Division of Administration (DOA) is responsible for conducting an annual BIA with the FDIC's divisions and offices. The BIA serves as the basis for updating the corporate BCP and, as required, BCPs for the FDIC's divisions, offices, and regions.

Business Impact Analysis Objectives

  • Identifying and prioritizing essential functions, business processes, and mission-critical applications
  • Defining the criticality criteria
  • Determining the disaster cost impact on business processes
  • Identifying critical application interdependencies
  • Defining recovery windows for critical applications
Source: FDIC Circular 1500.5.

Each year, the Directors of DOA and the Division of Information Technology (DIT) issue a BIA letter and BIA questionnaire to each FDIC division and office, informing them that BCPs will be updated based on completion of the annual BIA. The BIA letter notifies the divisions that DOA's Security and Emergency Preparedness Section (SEPS) and DIT security personnel will be meeting with them to obtain updated information on their critical business functions and the resource requirements to accomplish these critical functions.

The BIA questionnaire obtains information on the resources, assets, and applications that are critical to the divisions and offices and to the mission of the FDIC. During BIA meetings, SEPS and DIT personnel obtain additional detailed information on the functions the divisions and offices would require in an emergency, such as personnel, equipment, facilities, records, systems, interdependencies, and essential contracts and points of contact. The divisions and offices return the completed questionnaires to SEPS and DIT which, together with the results of the BIA meetings, are used in updating BCPs.

Business Continuity Planning

According to FDIC Circular 1500.5, the BCPs are the components of the EPP that document the procedures for relocating essential personnel, resuming and restoring FDIC critical business processes, and recovering and reconstituting supporting IT systems. The FDIC's division and office Directors, Regional Directors, and Managers are required to develop BCPs that can facilitate the resumption of critical business processes within 12 hours of plan activation and are capable of sustaining operations for up to 30 days. These BCPs are included in the corporate BCP. Each BCP must be reviewed by the Assistant Director, SEPS, for final approval by the FDIC Chairman or designee. The current corporate BCP was revised during 2006 and was issued on February 12, 2007.

The Headquarters BCP has identified a primary and secondary alternate facility for critical personnel if the FDIC Headquarters in Washington, D.C., is inaccessible or uninhabitable. Also, each regional office has a designated alternate worksite for relocating critical personnel if the vicinity surrounding a regional office becomes inaccessible or uninhabitable.

Key Elements of the FDIC's Business Continuity Plan

  • Continuity Roles and Responsibilities
  • Orders of Succession
  • Plan Activation Criteria
  • Alert and Notification Procedures
  • Alternate Operating Facility Designation
  • Prioritized list of Essential Functions
  • Identification of Key Contractors
  • Interoperable Emergency Communications
  • Training and Exercise Events
Source: FDIC Circular 1500.5.

Identification of Essential Contracts. FDIC Circular 1500.5 states that BCPs should identify key contractors needed to operate during an emergency. Such contractors provide essential services in support of the FDIC's business processes. For example, the FDIC relies on contractors to support its designated alternate locations in the event of an emergency. The FDIC conducted a review of contracts during 2005 to identify those considered essential for business continuity. Specifically, contracts for IT support and maintenance, security services, call center operations, fuel and facilities, shuttle services, cafeteria operations, and others were identified as essential. Once essential contracts had been identified, the FDIC's Legal Division worked with DOA's Acquisition Services Branch (ASB)[4] to draft emergency preparedness clauses to be added as modifications to the FDIC's essential contracts in accordance with the acquisition process outlined in the FDIC's Acquisition Policy Manual (APM),[5] which governs contracting activities. The list of essential contracts and emergency points of contact were then added to the FDIC's Headquarters BCP. The FDIC plans to use the annual BIA process to update the list of essential contracts used in BCPs. The Assistant Director, SEPS, stated that although SEPS is responsible for preparing the corporate BCP, the divisions are responsible for determining those contracts they consider essential and for ensuring that ASB adds contract clauses addressing business continuity to the essential contracts.

BCP Testing, Training, and Exercise

FPC 65 states that testing, training, and exercise are essential to demonstrating, assessing, and improving the ability of agencies to execute their COOP plans. FDIC Circular 1500.5 identifies the linkage of the processes for BIAs; BCPs; and testing, training, and exercise designed to maintain a viable emergency response capability. The BCPs at FDIC Headquarters and the regional offices are tested annually through table-top[6] and situation room[7] exercises to validate information in the BCP. Lessons learned from these exercises are then incorporated into the plans accordingly.

In addition, Headquarters and the regional office staff plan to participate in local exercises sponsored by various agencies, including FEMA and the Federal Executive Councils located in major U.S. cities. SEPS advised us that it does not perform testing of essential contractor emergency response activities, and such testing is not currently required by FDIC Circular 1500.5. However, SEPS is responsible for the Security Guard contract, which supports all corporate components, and has verified that the contractor has a plan that will provide guards in an emergency situation.

RESULTS OF AUDIT

The FDIC has planned for essential contract services to be provided in the event of an emergency that requires implementation of the FDIC's corporate BCP. The FDIC established a process for performing BIAs; business continuity planning; and testing, training, and exercise activities that considers essential contract services. Also, the FDIC has identified most of its essential contracts for business continuity purposes and modified many of those contracts to include emergency preparedness clauses and plans to update FDIC essential contracts during the Corporation's 2007 BIA process. However, as summarized in the table below, the FDIC could further improve its contract planning and management for business continuity by including additional controls in the FDIC's EPP and APM related to essential contractors and subcontractors. These improvements will help to ensure that essential contractors are more fully integrated into the FDIC's business continuity activities to provide services in emergency situations.

Summary of Results of Audit

FDIC Process: Business Impact Analysis
  FDIC Procedures for Essential Contractors: Essential functions are reviewed and updated during the annual BIA process.
  Improvement Needed: The BIA questionnaire does not solicit key information on essential contractors and subcontractors.

FDIC Process: Business Continuity Planning
  FDIC Procedures for Essential Contractors: Emergency preparedness clauses are included in essential contracts.
  Improvement Needed: The APM does not include a requirement for contracts to be evaluated to determine whether emergency preparedness clauses should be included for prime contractors and subcontractors during preparation of the contract Statements of Work.

FDIC Process: Testing, Training, and Exercise
  FDIC Procedures for Essential Contractors: The EPP requires regularly-scheduled training and exercise events such as table-top and functional exercises and personnel recall roster tests.*
  Improvement Needed: Essential contractors are not required to submit their emergency plans for FDIC functions for review and incorporation, as appropriate, into the FDIC's BCPs. Essential contractors do not participate in FDIC BCP testing, training, and exercises.

* Recall rosters list essential FDIC senior management and personnel who are notified by electronic means to report to a designated location in the event of an emergency or implementation of the FDIC's BCP.

BUSINESS IMPACT ANALYSIS

Although SEPS and DIT have identified most of the FDIC's essential contracts, the current BIA questionnaire does not solicit key information on these contracts. The FDIC's EPP was revised in January 2007 to include procedures for identifying essential contractors. However, the procedures for conducting the BIA, dated November 19, 2003, do not contain provisions dealing with essential contractors' support such as contractor emergency plans; essential subcontracts; and testing, training, and exercise requirements. As a result, the FDIC's BIA process may not fully document or consider information that can be useful in planning for essential contract services in an emergency.

Use of Emergency Preparedness Clauses

FDIC Circular 1500.5 focuses attention on business continuity planning as the means for resuming and restoring critical business processes during an emergency. The FDIC uses the BIA to make annual updates to the BCPs. The FDIC relies extensively on contractors; therefore, contractor support is a key component of the BIA and business continuity planning.

We also reviewed the best practices for financial institutions as described in the Federal Financial Institutions Examination Council (FFIEC) Business Continuity Planning IT Examination Handbook, issued in March 2003. The FFIEC provides guidance to financial institutions and examiners on evaluating financial institution and service provider risk management processes, including guidance on conducting the BIA. The focus is on business continuity planning, whereby financial institutions ensure the maintenance or recovery of operations when confronted with adverse events, such as natural disasters, technological failures, human error, or terrorism.

The FFIEC recommends that financial institutions ensure that key contractors/service providers are identified and backup arrangements are stipulated in contracts for services. The FFIEC also recommends that the BIA should solicit the critical outsourced relationships and dependencies and that each department should document the mission-critical functions performed by these outsourced relationships. Further, the FFIEC recommends that personnel responsible for the BIA consider developing uniform interview and inventory questions that can be used on an enterprise-wide basis. Uniformity can improve the consistency of responses and help personnel involved in the BIA phase to compare and evaluate business process requirements.

The SEPS and DIT personnel who conducted the BIA provided us with a detailed description of the process and told us that although the BIA procedures and questionnaire do not include questions on essential contracts, SEPS and DIT plan to discuss essential contracts during their BIA meetings with the divisions and offices. SEPS stated that the name of the contract and the contractor key points of contact are included in the BCP.

To help ensure that critical information on essential contractors is obtained during the BIA and a standard procedure is used for updating essential contractor information in the BCP, the FDIC's policy and procedures for conducting the BIA and the BIA questionnaire could be amended to solicit additional information about essential contracts such as:

  • the purpose of the contract;
  • how the contractor may need to alter operations for the FDIC in an emergency;
  • the critical services required from contractor personnel and potential disaster cost impact;
  • the timeframes during which the services would be required and system recovery windows;
  • whether the contractor is required to have an emergency plan that addresses FDIC activities and to submit the plan to the FDIC for review;
  • whether the contract includes an emergency preparedness clause;
  • essential subcontracts; and
  • testing, training, and exercise requirements for the contractors' support provided to the FDIC.

Obtaining responses to these questions and others determined to be important in the BIA questionnaire would result in more complete information for the FDIC's business planning activities, consistency and uniformity in information obtained, and assistance to program managers in identifying essential contracts and subcontracts. This information would also facilitate the consideration of contractor support in testing, training, and exercise activities.

Recommendation

  1. We recommend that the Director, DOA, amend, as appropriate, the BIA procedures and questionnaire for obtaining additional information on essential contracts and for using the contractor-related responses in the BCP.

BUSINESS CONTINUITY PLANNING

The FDIC could improve its contract planning for business continuity to ensure all essential contractors and subcontractors are required to provide services for the FDIC in an emergency. The EPP includes requirements for the identification of essential contractors needed to operate during an emergency. However, APM contracting procedures do not require that program officials determine whether a contract is essential for business continuity when preparing a Statement of Work for the contract. In 2005, DOA completed a review of essential contracts and modified them to include an emergency preparedness clause. However, contracts awarded since the DOA contract review that may be essential to the FDIC's mission had been awarded without an emergency preparedness clause. Also, the FDIC has not established procedures to ensure that key subcontractors on the FDIC's essential contracts are prepared to provide essential services in an emergency. As a result, essential contractors and subcontractors may not be routinely identified as part of the procurement process for purposes of business continuity planning activities, and the scope of their emergency responsibilities may not be well defined.

Contracting Procedures for Essential Services

During 2005, SEPS and DIT determined that eight contracts were essential for business continuity. Because DOA had not established a procedure for evaluating whether contracts were essential for business continuity when originally awarded, these contracts did not include an emergency preparedness clause. Instead, partly in response to an FDIC OIG report, FDIC's Business Continuity Plan (Report No. 04-029, dated August 9, 2004), SEPS and DIT determined which contracts were essential and then modified those contracts to include an emergency preparedness clause as follows.

If, at any time during the performance of this contract, the FDIC requires services essential or critical to its mission due to an actual or threatened emergency situation as declared by the federal, state, or local authority, the contractor shall provide all resources necessary to support these services. If an actual or threatened emergency exists, the contractor shall take immediate and effective measures to ensure the availability or use of back-up or redundant services to support the emergency situation without any disruption. Any needed back-up or redundant services shall be provided for as long as the actual or threatened emergency situation exists.

Any costs associated with providing back-up or redundant services shall be reimbursed at the previously negotiated labor rates. After receipt of the FDIC's notification requiring services essential or critical to its mission, the contractor shall submit an equitable adjustment proposal for the back-up or redundant services. The equitable adjustment proposal shall include, as a minimum, a breakdown of the labor categories involved, the total estimated hours for each labor category, the negotiated labor rate, and the total cost/price.

The APM does not require the routine identification of essential contracts. Therefore, new contracts may not include emergency preparedness requirements. For example, DIT's Information Technology Applications Systems (ITAS) contract, which totals $554.8 million for IT systems development and maintenance, was not awarded until after the 2005 identification process had been completed and was not modified to include the emergency preparedness clause.

While SEPS and DIT personnel plan to include questions about essential contracts in their future BIA interviews, the BIA was not conducted during 2006 because of the FDIC's move to Virginia Square. As of February 1, 2007, the ITAS contract had been in effect for 19 months without an emergency preparedness clause.

The ITAS contract is a multi-vendor contract with 4 contractors and 18 current task orders. According to DIT, some of the task orders provide essential support to DIT and should include the emergency preparedness clauses. If FDIC contracting procedures had required that program officials include emergency preparedness clauses in contracts and task orders that provide essential support, program officials would be on notice of such a requirement and could have taken the steps necessary to ensure that the contractors were prepared to provide such critical services for the FDIC's IT systems. The FDIC's ability to maintain critical operations during an emergency could be improved by ensuring that all essential contracts include the appropriate emergency preparedness/business continuity clauses. This can be accomplished by including emergency preparedness provisions in the Statement of Work for essential contracts as part of the solicitation process for contractor proposals.

Contracting Procedures for Subcontractors

The FDIC has not established procedures or taken action to ensure that key subcontracts for the FDIC's essential contracts include emergency preparedness clauses. As discussed earlier, the FDIC has identified eight contracts that are considered essential to maintain the FDIC's critical functions in the event of an emergency or business continuity scenario. Two of these eight contracts are critical to the FDIC's IT systems and have multiple subcontractors. The FDIC has not required the prime contractors to ensure that subcontracts for work on essential FDIC contracts have emergency preparedness requirements. Therefore, the FDIC does not have full assurance that the prime contractor will be able to perform in cases where subcontractors provide critical support to essential prime contractors.

The following examples illustrate the need for consideration of subcontractor emergency preparedness requirements. DIT has an Interagency Agreement with the General Services Administration (GSA), through which a task order, the Infrastructure Services Contract (ISC), was awarded to SRA International, Inc. (SRA). This contract was awarded in September 2004 and was modified in May 2006 to include the emergency preparedness clause that had been added to the FDIC contracts that had previously been identified as being essential for business continuity. The SRA contract has an expenditure ceiling totaling $341 million and includes services provided by three SRA subcontractors. Subcontracted services included work for helpdesk and client support, mainframe operations, and telecommunications support services that may be essential for business continuity. In addition, SRA used some short-term labor contracts related to IT security and mainframe support. However, according to DIT's Oversight Manager for the contract, none of SRA's subcontracts had been amended to include the emergency preparedness clause when the overall contract was modified in 2006.

Also, as previously discussed, DIT's ITAS contract does not contain the emergency preparedness clause, and it is a multi-vendor contract with 4 contractors and 18 current task orders. As a result of our audit work, the DIT Oversight Manager advised us that he was going to request that ASB modify the ITAS contract to include the emergency preparedness clause. However, the FDIC does not have a policy or procedures for ensuring that the prime contractors include the clause in their subcontracts or to provide for other arrangements to ensure that subcontractors fulfill their responsibilities in providing services. Because the SRA and the ITAS contractors have not included the emergency preparedness clause in their essential subcontracts, the FDIC's ability to fully provide services in an emergency may be compromised.

Recommendation

  2. We recommend that the Director, DOA, amend the procedures in the Acquisition Policy Manual, or other procedures as appropriate, to require that Statements of Work for contracts and task orders under contracts contain:
    • business continuity requirements if contracted services are deemed essential in the event of an emergency or business continuity event,
    • requirements that essential contractors include emergency preparedness and business continuity provisions in essential subcontracts.

BCP PROCEDURES FOR CONTRACTOR TESTING, TRAINING, AND EXERCISES

The FDIC has not established procedures requiring essential contractors to provide the FDIC with evidence of their emergency plans for FDIC critical business functions or for participation in the FDIC's BCP testing, training, and exercises. According to SEPS, ASB, and Legal Division personnel, the FDIC's practices for ensuring that essential contractors provide services in an emergency are limited to the inclusion of an emergency preparedness clause in the contract. This clause is intended to put contractors on notice that the services they provide are critical to the FDIC's mission and that the FDIC would require the continuation or expansion of these services in an emergency. However, without verifying contractors' emergency plans for FDIC critical functions and including contractors in FDIC BCP testing, training, and exercises, the FDIC does not have adequate assurance that essential contractors will be able to provide the FDIC the service coverage that may be required during a business continuity scenario.

Testing, Training, and Exercises

FDIC Circular 1500.5 requires that the Assistant Director, SEPS, coordinate and facilitate emergency preparedness training and exercise events. Specifically, the circular requires that the Assistant Director develop strategies for maintaining a viable emergency response capability that includes training and exercise activities and milestones, coordinating with senior FDIC management on these activities, and identifying and resolving resulting issues and concerns. The circular also refers to testing with respect to the use of recall rosters. Since the FDIC relies extensively on essential contractors, contractor support is a key component of the FDIC's emergency response capability.

In addition to reviewing the requirements of FDIC Circular 1500.5, we reviewed the best practices for financial institutions described in the FFIEC Business Continuity Planning IT Handbook. The FFIEC recommends that financial institutions obtain a copy of vendors' BCPs and incorporate them into their business continuity plans. The FFIEC also recommends that contracts address the service providers' responsibilities for maintenance and testing of disaster recovery and contingency plans and that, if possible, respective institutions should consider participating in their service providers' testing process. While the FDIC is not required to follow the FFIEC guidance, industry best practices recommend that essential contracts be identified and their business continuity plans be tested to ensure the continuity of operations.

Although the FDIC has conducted business continuity exercises to test the FDICís BCPs, the FDIC has not included contractorsí business continuity activities in any of these events. Further, the FDIC does not have policies and procedures in its APM to address contractorsí emergency planning and the verification of the contractorsí operational capacities through testing, training, and exercises to determine whether the contractors have the ability to provide services expected by the FDIC in the event of an emergency.

For most of the contracts identified as essential, DOA has submitted an emergency preparedness clause to the contractor for concurrence and inclusion in a contract modification. Nevertheless, with the exception of one essential contract related to the FDIC's Call Center,[ 8 ] the FDIC has not requested that the other essential contractors provide their emergency plans for FDIC review or required that essential contractors affirm that their organization has a business continuity or emergency preparedness plan. The one contract that does require the contractor to provide its emergency plan resulted from the initiative of the individual contract manager and not in response to FDIC's policies or procedures.

According to SEPS and Legal Division personnel, including contractors in emergency preparedness testing, training, and exercises has not been discussed or recommended to FDIC senior management. Also, Circular 1500.5 does not specifically refer to including contractors in these activities. However, as part of fulfilling its overall responsibilities for testing, training, and exercises of business continuity planning, the FDIC could more fully consider its reliance on essential contractors and the need to assess their capabilities, including those of their essential subcontractors, to respond in the event of an emergency. Doing so will help ensure available emergency response capability.

Recommendation

  1. We recommend that the Director, DOA, amend:
    • procedures in the Acquisition Policy Manual, or other procedures as appropriate, to provide that Statements of Work for essential contracts and task orders ensure that contractors have emergency plans for providing services to the FDIC in the event of a disruption of normal operations and participate in the FDIC's business continuity testing, training, and exercises.
    • Circular 1500.5, FDIC's Emergency Preparedness Program, to include essential contractors in FDIC's BCP planning and testing, training, and exercises.

CORPORATION COMMENTS AND OIG EVALUATION

The Director, DOA, provided a written response, dated March 30, 2007, to a draft of this report. DOA's response is presented in its entirety in Appendix II. DOA concurred with each of the three recommendations and has taken the following corrective actions:

  • revised the BIA questionnaire for immediate use. The questionnaire includes the identification of critical contractor/subcontractor staff and whether they have an Emergency Plan which can be incorporated into the FDIC Business Continuity Plan.
  • updated the Requirements Package Checklist in the APM to include the requirement that any Statement of Work for essential services contain business continuity requirements as well as emergency preparedness and business continuity provisions in essential subcontracts. Additionally, the checklist was updated to require that essential contractors participate in the FDIC's business continuity planning, testing, training, and exercises.
  • revised Circular 1500.5, entitled FDIC's Emergency Preparedness Program, to include essential contractors in FDIC's BCP planning, testing, training, and exercises.

DOA's actions effectively address the recommendations, and we consider all the recommendations closed. Appendix III presents a summary of DOA's responses to our recommendations and the corrective actions taken.


APPENDIX I

OBJECTIVE, SCOPE, AND METHODOLOGY

Our objective was to determine whether the FDIC has planned for essential contract services to be provided in the event of an emergency that requires the implementation of the BCP. Our scope was limited to the contracts identified by SEPS and the DIT Security Section as essential for business continuity and that are included in the FDIC's Headquarters BCP as of December 1, 2006. We conducted the audit from November 2006 through January 2007 in accordance with generally accepted government auditing standards.

To accomplish our objective, our methodology included reviewing the following documents:

  • FDIC Circular 1500.5, FDIC Emergency Preparedness Program, dated December 28, 2004, and the revised Circular 1500.5, dated January 30, 2007. (The provisions outlined in this circular serve as the official policy for FDIC Headquarters and regional offices in developing, implementing, and maintaining a BCP.)
  • FEMA FPC 65 Federal Executive Branch Continuity of Operations.
  • GSA's Occupant Emergency Program Guide.
  • National Institute of Standards and Technology (NIST), U.S. Department of Commerce, Contingency Planning Guide for Information Technology Systems.
  • FFIEC's Business Continuity Planning IT Examination Handbook, issued March 2003.
  • Certified Information Systems Auditor Review Manual 2006, Business Continuity and Disaster Recovery.
  • Appendix III to the U.S. Office of Management and Budget Circular No. A-130, Security of Federal Automated Information Resources.
  • FDIC's Procedure for Conducting a Business Impact Analysis, dated November 19, 2003.
  • FDIC OIG's Evaluation Report, Number 04-029, entitled FDIC's Business Continuity Plan, dated August 9, 2004; and FDIC OIG's Evaluation Report, Number 03-042, entitled Business Continuity Planning at FDIC-Supervised Institutions, dated September 25, 2003.

To identify FDIC procedures and practices for contract planning and management for business continuity, we obtained information from the following FDIC officials:

  • Assistant Director, Security and Emergency Preparedness Section, DOA
  • Chief, Transportation and Emergency Response Unit, DOA
  • Assistant Director, IT Contracting Section, DOA
  • Assistant Director, ASB, DOA
  • Procurement Analyst, ASB, DOA
  • Contract Oversight Manager, DIT
  • Chief Oversight Support Section, DIT
  • Supervisory IT Specialist, Security Section, DIT
  • Senior IT Specialist, Security Section, DIT
  • Senior Counsel, Legal Division

Our methodology did not include a review of the FDICís BCP, which was being revised during our audit.

Internal Management Controls

We evaluated the effectiveness of controls in place for identifying essential contracts for business continuity and ensuring emergency preparedness clauses had been included in contracts deemed essential for business continuity. These controls included the policies and procedures for conducting a BIA and BCP. In the absence of written policies, we relied on interviews and information obtained from the Assistant Director, SEPS, who is responsible for the FDIC's BCP, and other DOA and DIT officials.

Compliance With Laws and Regulations

We coordinated reviews of laws, directives, and plans with the OIG's Office of Counsel to determine applicability to the FDIC and to gain an understanding of applicable laws and regulations. We found no instances where the FDIC was not in compliance with applicable laws and regulations.

Government Performance and Results Act, Computer-Processed Data, and Fraud or Illegal Acts

We reviewed DOA's performance measures under the Government Performance and Results Act, Public Law 103-62 (GPRA). We reviewed the FDIC's 2006 Annual Performance Plan and the FDIC's Strategic Plan for 2005-2010 to determine whether the FDIC has established goals related to contract planning and management for business continuity. Neither plan includes goals, objectives, or indicators specifically related to the subject of our audit.

We did not rely on computer-processed data to support our significant conclusions, findings, and recommendations, and, as a result, did not perform work to determine the reliability of such data.

Our audit program included steps for providing reasonable assurance of detecting fraud or illegal acts, and none came to our attention.



APPENDIX II

CORPORATION COMMENTS

FDIC, Federal Deposit Insurance Corporation, Division of Administration, 3501 Fairfax Drive, Arlington, VA 22226-3500
DATE: March 29, 2007

MEMORANDUM TO: Russell A. Rau
Assistant Inspector General for Audits

FROM: Arleas Upton Kea [Electronically produced version; original signed by Arleas Upton Kea]
Director, Division of Administration

SUBJECT: Management Response to the Draft OIG Audit Report Entitled, FDIC's Contract Planning and Management for Business Continuity (Assignment No. 2007-003)

This is in response to the subject Draft Office of Inspector General (OIG) Report issued February 26, 2007. In its report, the OIG identified three recommendations.

We appreciate that the OIG noted that the FDIC has planned for essential contract services to be provided in the event of an emergency but recognize that some improvements can be made in contract planning and management for business continuity. This response outlines our planned corrective actions for each of the recommendations cited in the OIG's Report.

MANAGEMENT DECISION

Finding: Business Impact Analysis

Condition: By not soliciting key information on FDIC essential contracts on the BIA questionnaire, the BIA process may not fully document or consider information that can be useful in planning for essential contract services in an emergency.

Recommendation 1: That the Director, Division of Administration (DOA), amend, as appropriate, the BIA procedures and questionnaire for obtaining additional information on essential contracts and for using the contractor-related responses in the BCP.

Management Response 1: DOA concurs with this recommendation. The DOA, Security and Emergency Preparedness Section revised the BIA questionnaire. The questionnaire includes the identification of critical contractor/subcontractor staff and whether they have an Emergency Plan which can be incorporated into the FDIC Business Continuity Plan. This questionnaire was revised March 13, 2007, for immediate use.

Finding: Contracting Procedures for Essential Services

Condition: Essential contractors and subcontractors may not be routinely identified as part of the procurement process for purposes of business continuity planning activities.

Recommendation 2: That the Director, DOA, amend the procedures in the Acquisition Policy Manual (APM), or other procedures as appropriate, to require that Statements of Work for contracts and task orders under contracts contain:

  • A) Business continuity requirements if contractor services are deemed essential in the event of an emergency or business continuity event,
  • B) Requirements that essential contractors include emergency preparedness and business continuity provisions in essential subcontracts.

Management Response 2: DOA concurs with this recommendation. DOA's Acquisition Services Branch updated the Requirements Package Checklist in the APM. The manual includes the requirement that any statement of work for essential services contain business continuity requirements as well as emergency preparedness and business continuity provisions in essential subcontracts. The updated checklist was issued through Interim Acquisition Policy Memo #2007-1 on March 21, 2007.

Finding: Testing, Training, and Exercises

Condition: Without verifying contractors' emergency plans for FDIC critical functions and including contractors in FDIC BCP testing, training, and exercises, the FDIC does not have adequate assurance that essential contractors will be able to provide the FDIC the service coverage required during a business continuity scenario.

Recommendation 3: That the Director, DOA, amend:

  • A) Procedures in the Acquisition Policy Manual, or other procedures as appropriate, to provide that Statements of Work for essential contracts and task orders ensure that contractors have emergency plans for providing services to the FDIC in the event of a disruption of normal operations and participate in the FDIC's business continuity testing, training, and exercises.
  • B) Circular 1500.5, FDIC's Emergency Preparedness Program, to include essential contractors in FDIC's BCP planning and testing, training, and exercises.

Management Response 3A: DOA concurs with this recommendation. DOA's Acquisition Services Branch updated the Requirements Package Checklist in the APM to include the requirement that any statement of work for essential services contain requirements for the contractor to have emergency plans for providing services to the FDIC in the event of a disruption of normal operations and participate in the FDIC's business continuity planning, testing, training, and exercises. The updated checklist was issued through Interim Acquisition Policy Memo #2007-1 on March 21, 2007.

Management Response 3B: DOA concurs with this recommendation. DOA's Security and Emergency Preparedness Section revised Circular 1500.5, entitled FDIC's Emergency Preparedness Program, on March 13, 2007, to include essential contractors in FDIC's BCP planning, testing, training, and exercises.

If you have any questions regarding this response, FDIC's point of contact for this matter is William Gately. Mr. Gately can be reached at (703) 562-2118.

cc: Michael J. Rubino
Trisha M. Bursey
William A. Kmetz
James H. Angel, Jr.


APPENDIX IV

MANAGEMENT RESPONSE TO RECOMMENDATIONS

This table presents the management response on the recommendations in our report and the status of the recommendations as of the date of report issuance.

Rec. Number 1
  Corrective Action Taken or Planned: Revised the BIA questionnaire to include identification of critical contractor/subcontractor staff and whether they have an Emergency Plan which can be incorporated into the FDIC BCP.
  Expected Completion Date: March 13, 2007
  Monetary Benefits: N/A
  Resolved [a]: Yes
  Open or Closed [b]: Closed

Rec. Number 2
  Corrective Action Taken or Planned: Updated the Requirements Package Checklist in the APM to require that any Statement of Work for essential services contain business continuity provisions as well as emergency and business continuity provisions in essential subcontracts.
  Expected Completion Date: March 21, 2007
  Monetary Benefits: N/A
  Resolved [a]: Yes
  Open or Closed [b]: Closed

Rec. Number 3
  Corrective Action Taken or Planned: Updated the Requirements Package Checklist in the APM to require that any Statement of Work for essential services contain requirements for the contractor to have emergency plans for providing services to the FDIC in the event of a disruption of normal operations and to participate in the FDIC's business continuity planning, testing, training, and exercises.
  Expected Completion Date: March 21, 2007
  Monetary Benefits: N/A
  Resolved [a]: Yes
  Open or Closed [b]: Closed

  Corrective Action Taken or Planned: Revised Circular 1500.5 to include essential contractors in FDIC's BCP planning, testing, training, and exercises.
  Expected Completion Date: March 13, 2007
  Monetary Benefits: N/A
  Resolved [a]: Yes
  Open or Closed [b]: Closed

a  Resolved – (1) Management concurs with the recommendation, and the planned corrective action is consistent with the recommendation.
(2) Management does not concur with the recommendation, but planned alternative action is acceptable to the OIG.
(3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as management provides an amount.
b  Once the OIG determines that the agreed-upon corrective actions have been completed and are effective, the recommendation can be closed.

Last updated 04/27/2007