OMB Number: 3064-0127
Expiration Date: 06-30-2020
Burden Statement
Public reporting burden for this collection of information is estimated to average 60 minutes per response, including the time for reviewing instructions, searching existing data sources, gathering and maintain the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden to, the Paper Reduction Act Clearance Officer, Legal Division, Federal Deposit Insurance Corporation, 550 17th St. NW, Washington, D.C. 20429; and to the Office of Management and Budget, Paperwork Reduction Project (3064-0127), Washington, D.C. 20503. An agency may not conduct or sponsor, and a person is not required to respond to, a collection unless it displays a currently valid OMB control.
DRR IT Security Clause Outreach Survey
How has the restriction on off-shoring of FDIC data [Contract Clause 7.4.2-2(b), Off-site Processing and Storing of FDIC Information, Control of Information] prompted a change in the way you manage data for the solution you provide to the FDIC?
How does the above restriction compare with your other contracts? Please specify whether the contracts are with government (public) or non-government (private) agencies/companies.
What (if any) staffing challenges have you encountered due to the requirements that only US Citizens may work under contract position designations or functions determined to have a high risk rating by the FDIC? [Contract Clause 7.5.2-8(c), Risk Level Designation (Functional Responsibility) or 7.5.2-10, Risk Level Designation (Labor Category)
How do FDIC requirements for data retention and destruction at the end of the contract affect the solution that you deliver to the FDIC? [Contract Clause 7.6.3-2(c.1), Contractor Return, Destruction and Retention of FDIC Information]
Are the requirements of Contract Clause 7.6.3-2(c.1), [Contractor Return, Destruction and Retention of FDIC Information] substantially different than those for your other customers?
Given the Federal Government’s evolving adoption for NIST Special Publication Standards, (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r1.pdf) how would implementation by the FDIC of requiring a NIST SP 800-171 assessment for outsourced information systems affect your current work with the FDIC?
Has your company undergone a NIST 800-171 based assessment, or created a System Security Plan using the NIST controls?
Have you or are you planning on creating a NIST 171 System Security Plan and having it 3rd party verified?
Have you commissioned an independent third party penetration test?
Do you have any industry best practice or other recommendations for assessing the cybersecurity of service providers?
What level of monitoring by the FDIC do you believe would be adequate to ensure that outsourced service providers maintain appropriate security controls and why?
How would adoption of the NIST System Security Plan requirements and existing outsourcing and staffing requirements mentioned above and mandated by the FDIC affect your response to future solicitations from the FDIC?
FDIC 7000/01 (3/18)
| File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| Author | Pangburn, Chris |
| File Modified | 0000-00-00 |
| File Created | 2021-01-21 |