Agency failed to ID, list known risks to its supply chain, report charges

Deficiencies in the supply chain risk management (SCRM) activity at the federal insurer of bank deposits – including that the agency failed to identify and list known risks to its supply chain – are outlined in a report issued Wednesday.

The inspector general for the Federal Deposit Insurance Corp. (FDIC), in its “Implementation of Supply Chain Risk Management” report for the agency, listed three areas in which the FDIC has not implemented several objectives in its SCRM implementation project charter, which was adopted in November 2019. Specifically, the OIG report stated, the FDIC has not:

  • Identified and documented known risks to its supply chain;
  • Defined a risk management framework to evaluate risks to non-information technology (IT) procurements; or
  • Established metrics and indicators related to continuous monitoring and evaluation of supply chain risks.

“The FDIC should continue its efforts to fulfill these SCRM Implementation Project Charter objectives to identify, evaluate, and monitor supply chain risks,” the OIG report states. “Otherwise, it may be exposed to SCRM threats such as the use of counterfeit components or installation of malicious code.”

The report states that these threats could compromise the FDIC’s information technology and the data on its information systems, thus providing adversaries a means to steal sensitive information such as confidential bank examination information.

The report also asserts that if the agency does not effectively monitor and evaluate supply chain risks, disruptions to the FDIC’s supply chain could compromise the products, services, and facilities that enable the FDIC to perform its mission.

“We also found that the FDIC is not conducting supply chain risk assessments during its procurement process for Chief Information Officer Organization and other Division and Office contracts,” the report states. Nor has the agency integrated agency-wide supply chain risks into its enterprise risk management (ERM) processes, and contracting officers did not maintain contract documents in the Contract Electronic File (CEFile) system, as required, the report states.

The OIG report recommends that the agency identify, document, and monitor supply chain risks and conduct supply chain risk assessments of suppliers and vendors. “We also recommended that the FDIC’s Enterprise Risk Management Program articulate the extent and significance of supply chain risks. Lastly, we recommended an improvement to the FDIC’s efforts to maintain contract documents in its filing system,” the OIG said.

The report notes that the FDIC concurred with all nine recommendations in the report and plans to complete corrective action by Nov. 30.

The FDIC’s Implementation of Supply Chain Risk Management