Information Technology Strategic Plan - Federal Deposit Insurance .


Federal Deposit Insurance Corporation
Information Technology Strategic Plan
2017 - 2020
FDIC IT Strategic Plan


Chairman’s Message

For more than 80 years, the FDIC has played an essential role in maintaining the stability of, and public confidence in, America’s financial system. This system has become increasingly reliant on technology, with consumers relying on the convenience and immediacy of online and mobile banking services. As a result, financial institutions are deploying more technology to address and anticipate consumer demand, as well as to mitigate cybersecurity risks. The FDIC is evolving as well, with information technology (IT) playing an increasingly critical role in how we carry out our mission.

Reliable, up-to-date, and secure IT is essential to our mission. IT facilitates and streamlines our day-to-day work and allows us to collaborate seamlessly and securely, both internally and with other agencies, the financial institutions we supervise, and consumers. The 2017–20 Information Technology Strategic Plan gives us a clear path toward modernizing our IT services; phasing out legacy systems; and protecting our people, information, and systems against increasingly sophisticated threats. Most importantly, this plan ensures that our IT solutions are fully aligned with the FDIC’s mission to insure deposits, supervise insured institutions, and resolve failed institutions.

Martin Gruenberg
Chairman

Vice Chairman’s Message

Effective IT strategies are able to strike a difficult balance between agility and stability, as well as between accessibility and security. The 2017–20 Information Technology Strategic Plan achieves this balance by striving for scalable systems and operations that are both highly responsive and resilient, and recognizing that critical FDIC information must be readily accessible to the right people and safeguarded from those who would compromise our ability to preserve and promote confidence in the U.S. financial system.

As we implement the IT Strategic Plan, we are committed to improving our ability to respond to both new IT opportunities and threats; developing innovative, proactive measures to mitigate those threats; and anticipating the needs of consumers, financial institutions, and our staff. We recognize that these goals can only be accomplished through collaboration and a shared responsibility for IT service delivery across the FDIC. By achieving the goals in this plan, our IT systems—and the FDIC itself—will be stronger.

Thomas Hoenig
Vice Chairman

CIO’s Message

I am pleased to present the 2017–20 Information Technology Strategic Plan, which outlines deliberate steps to modernize and improve the security of the FDIC’s information technology infrastructure. This plan will guide our efforts to provide scalable, efficient, cost-effective technology that enables continuous and secure access to data from any place at any time.

As responsible stewards of the FDIC budget, we can leverage technology to improve our productivity and make our operations more cost effective in the long run. We have already begun making some of these improvements. We have met federal security requirements for two-factor authentication (i.e., both a Personal Identity Verification (PIV) card and a Personal Identification Number (PIN) are required to access the network). We have begun deploying new technologies to strengthen security for an increasingly mobile workforce. Additionally, we are very close to our goal of having PIV cards issued to all eligible FDIC employees and contractors.

The IT Strategic Plan is built on three cross-cutting themes: Collaboration, Resource Optimization, and Innovation. These themes support the five primary goals of our plan:

• Information Security and Privacy – Ingraining information security and privacy throughout the FDIC to ensure that proactive measures are taken to protect the confidentiality, integrity, and availability of information systems and data in the landscape of constantly evolving threats.
• Continuity of Operations – Ensuring that the FDIC will continue to perform its functions in all circumstances. New IT solutions will improve cost effectiveness and performance in this area.
• Enterprise Mobility – Integrating mobile technology, such as laptops, into work processes. We will look at other mobile solutions to facilitate increased collaboration and productivity among staff.
• Information Management and Analytics – Providing the tools for the business to fully leverage our rich data resources to better manage risk and make data-driven business decisions.
• IT Service Delivery – Improving how information technology is delivered throughout the FDIC.

The IT Strategic Plan is data-driven, focuses on FDIC business needs, and is the result of extensive input from FDIC staff over the past year. I asked all of the Division and Office Directors to review the plan before finalizing it. We will continue this collaboration as we implement the plan in the coming months and years.

Implementation of this plan will help mature the FDIC’s enterprise architecture as it begins to define the strategic framework for aligning information resources with business requirements. It will also support governance activities as the achievement of the goals and themes will require a fuller understanding of FDIC’s current portfolio of systems, applications, and capabilities.

Our IT Strategic Plan is thoughtfully designed to address a rapidly evolving IT landscape. The pace of change in the IT world is accelerating, and we have to keep pace. The threat from sophisticated hackers and cyber-attackers grows every day. Despite these challenges, I am confident that we can fulfill the goals outlined here. I am proud to lead a group of talented, smart, and dedicated professionals who, in collaboration with the business, I know will deliver on the vision set out here.

This plan should be seen as a living document. It guides our efforts and helps us prioritize, but is broad enough to enable us to address new opportunities and challenges as they arise. In that spirit, I encourage anyone at the FDIC to contact me or my staff with ideas for using IT services and products to enable the FDIC’s business lines to be more efficient and innovative in carrying out the FDIC’s mission of maintaining the stability of, and public confidence in, the nation's financial system.

Lawrence Gross, Jr.
Chief Information and Privacy Officer

Executive Summary

This Information Technology Strategic Plan (ITSP) identifies opportunities for the Federal Deposit Insurance Corporation (FDIC) to improve internal operations in a world of ever-changing technology. The plan identifies five major goals with supporting objectives designed to improve business capabilities and systems:

• Improve information security and privacy protections against cyber threats and data breaches.
• Ensure that the IT systems supporting mission essential functions are continuously available and provide depositors confidence that their funds are readily available in the event of a crisis or bank failure.
• Develop mobile technologies that offer opportunities for authorized users of FDIC applications to conduct their work in new ways and from remote locations.
• Create new information management and analysis capabilities to assess risk in support of the FDIC’s supervisory responsibilities.
• Improve service delivery and timely response to new business requirements.

New capabilities serve both long-term institutional improvements and the FDIC’s readiness in the event of unexpected challenges.

Achieving these goals will significantly improve FDIC operations and the value the FDIC provides to the nation’s financial system. New capabilities in cloud computing and changes in physical infrastructure will provide continuous availability of mission essential functions. Mobile technologies will afford the FDIC flexibility to conduct its work from different locations in response to changing business situations. New capabilities in analytics will improve FDIC insights into financial institutions and enable the FDIC to be more effective in carrying out its core mission responsibilities.

Three cross-cutting themes — Collaboration, Resource Optimization, and Innovation — are applied across these goals. These themes ensure that any planned changes encourage engagement between the FDIC business divisions and the Chief Information Officer Organization (CIOO), optimize resource utilization through solid planning and execution, and ensure that the FDIC is continuously exploring innovative ways to improve its business.

Furthermore, the activities required to achieve these goals and support these themes will move FDIC enterprise architecture and governance processes further along the maturity curve, creating the infrastructure needed for sustainable results.

Table of Contents

Letters from the Chairman, Vice-Chairman, and CIO
Executive Summary
Introduction
FDIC Business Challenges
IT Landscape
Goals, Objectives, Outcomes, & Strategies
    Goal 1 Information Security and Privacy
    Goal 2 Continuity of Operations
    Goal 3 Enterprise Mobility
    Goal 4 Information Management and Analytics
    Goal 5 IT Service Delivery
Themes, Objectives, Outcomes, & Strategies
    Theme 1 Collaboration
    Theme 2 Resource Optimization
    Theme 3 Innovation
Conclusion
Path Forward
Governance
Appendix A Glossary

Introduction

Congress created the FDIC in the Banking Act of 1933 to maintain stability and public confidence in the nation’s banking system. The statute provided a federal government guarantee of deposits in U.S. depository institutions so that consumers’ funds, within certain limits, would be safe and available to them in the event of a financial institution failure. In addition to its role as insurer, the FDIC is the primary federal regulator of federally insured state-chartered banks that are not members of the Federal Reserve System. In this capacity, the FDIC examines and supervises financial institutions for safety and soundness and consumer protection. The FDIC also acts as receiver for insured depository institutions (IDIs) that fail and has resolution planning responsibilities (jointly with the Federal Reserve Board) for large and complex financial companies. The FDIC carries out its mission through three major programs: insurance, supervision, and receivership management.

FDIC Vision

The FDIC is a recognized leader in promoting sound public policies, addressing risks in the nation's financial system, and carrying out its insurance, supervisory, consumer protection, resolution planning, and receivership management responsibilities.

FDIC Values

The FDIC and its employees have a tradition of distinguished public service. Six core values guide us in accomplishing our mission:

• Integrity—We adhere to the highest ethical and professional standards.
• Competence—We are a highly skilled, dedicated, and diverse workforce that is empowered to achieve outstanding results.
• Teamwork—We communicate and collaborate effectively with one another and with other regulatory agencies.
• Effectiveness—We respond quickly and successfully to risks in insured depository institutions and the financial system.
• Accountability—We are accountable to each other and to our stakeholders to operate in a financially responsible and operationally effective manner.
• Fairness—We respect individual viewpoints and treat one another and our stakeholders with impartiality, dignity, and trust.

Information Technology (IT) is a key enabler in ensuring the success of FDIC’s core programs. The FDIC must ensure that strong security and privacy controls protect the information used in the course of carrying out its responsibilities. The FDIC’s IT needs to be scalable and IT services need to be delivered efficiently and effectively. IT must be aligned with business needs, including access and mobility for all authorized users.

Representatives from the CIOO and the FDIC’s business divisions contributed their insight and knowledge of IT challenges and opportunities with the anchoring principles that IT service delivery is secure, affordable, forward thinking, and better equips the FDIC to carry out its mission. This plan is intended to address many of the foundational issues affecting the cost and quality of IT services in support of the business. Guidelines laid out in this plan provide strategic direction, but this document is not a comprehensive implementation plan. The FDIC's IT Vision statement summarizes the outcomes this plan intends to reach.

FDIC IT VISION

To provide scalable, efficient technology that enables continuous access to data securely from any place at any time.

FDIC Business Challenges

The accelerating pace of technological change has impacted the way the financial industry and federal agencies achieve their missions. As a result, the FDIC has an opportunity to examine and move forward with new foundational ways of delivering IT services.

Information Security

Cybersecurity breaches are a growing threat to consumers, banks, other businesses, and financial market utilities, as well as government agencies, including the FDIC. The FDIC maintains sensitive financial, supervisory, and personal information in the conduct of its mission. The FDIC must continue to enhance its responsiveness to the increasing number of threats to the security, privacy, and integrity of its large holdings of sensitive data. There are opportunities to strengthen and merge physical security with enhanced data security where traditional authentication is insufficient to keep up with dynamic threats. This requires strong partnerships between security and business operations to develop new and innovative approaches to securing data.

Supervision

The FDIC exercises broad supervisory responsibility for all IDIs in the United States, although it is the primary federal supervisor only for state-chartered banks and savings institutions that are not members of the Federal Reserve System. The FDIC’s roles as an insurer and primary supervisor are complementary, and many activities undertaken by the FDIC support both the insurance and supervision programs. Through review of examination reports, use of off-site monitoring tools to analyze large sets of data, and participation in examinations conducted by other federal regulators (either through agreements with these regulators or, in limited circumstances, under the exercise of the FDIC’s authority to conduct special (backup) examination activities), the FDIC regularly monitors potential risks at all insured institutions, including those for which it is not the primary federal supervisor. The FDIC also takes into account supervisory considerations in the exercise of its authority to review and approve applications for deposit insurance from new institutions and other applications from IDIs, regardless of the chartering authority.

The FDIC carries out its supervision programs through a geographically dispersed workforce and in close collaboration with other agencies and institutions. The FDIC's ability to carry out its supervision programs depends upon the availability of various IT platforms. Better collaboration through systems, processes, and tools; systems enhancements; better connectivity; and increased amounts of secure data storage capacity are needed to ensure the continued availability and integrity of these IT platforms.

The FDIC maintains large collections of confidential supervisory information and data. The FDIC's ability to carry out its supervision programs depends on the security and integrity of this information and data. Enhanced system and database security and protection of confidential supervisory information are needed to ensure the security and integrity of this information and data.

Finally, the FDIC must be able to ensure continuity of operations to carry out its supervision programs. Continuity of the supervision program operations is key to supporting the FDIC's mission of maintaining stability and public confidence in the nation's financial system, and its strategic goals of ensuring that FDIC-insured institutions are safe and sound and consumers' rights are protected. Infrastructure and business continuity processes need to be strengthened to ensure the continuity of the FDIC's supervision programs.

Insurance

Deposit insurance is a fundamental component of the FDIC’s role in maintaining stability and public confidence in the U.S. financial system. By promoting industry and consumer awareness of deposit insurance, the FDIC promotes confidence in banks and savings associations of all sizes. To keep pace with the evolving banking industry and sustain its readiness to protect insured depositors, the FDIC prepares and keeps current contingency plans that promptly address a variety of IDI failures and conducts large-scale simulations to test its plans.

When IDIs fail, the FDIC ensures that the financial institution’s customers have timely access to their insured deposits and other services. Continuity of operations is critical to achieving the FDIC's mission of maintaining public confidence in the financial system and its strategic goal of providing depositors with timely access to insured funds and financial services. Infrastructure and business continuity processes need to be strengthened to enable the FDIC to continue to provide mission essential functions, systems, and operations without interruption.

The FDIC, in cooperation with the other primary federal regulators, proactively identifies and evaluates the risk and financial condition of individual IDIs. It also identifies broader economic and financial risk factors that affect all insured institutions. It accomplishes these objectives through a wide variety of activities, including the following:

• A risk-based deposit insurance assessment system whereby institutions that pose greater risk to the Deposit Insurance Fund (DIF) pay higher premiums.
• A strong examination and enforcement program.
• Collection and publication of detailed banking data and statistics.
• A vigorous research program.
• An off-site monitoring system that analyzes and assesses changes in banking profiles, activities, and risk factors.
• A comprehensive ongoing analysis of the risks in financial institutions with more than 10 billion in assets through the Large Insured Depository Institution Program.
• Thorough review of deposit insurance applications and other applications from IDIs.

Enhanced data collection and analytic capability is needed to enable the FDIC to keep pace with an evolving financial industry and to proactively identify and evaluate risks.

The FDIC also ensures that the public and insured depository institutions have access to accurate and easily understood information about federal deposit insurance coverage. As mobile banking and information sharing become more prevalent among consumers and the industry, the FDIC has a need for enhanced mobile information delivery to ensure easy public accessibility.

Resolutions and Receiverships

When an IDI fails, the FDIC is ordinarily appointed receiver under the Federal Deposit Insurance Act. In that capacity, it assumes responsibility for efficiently recovering the maximum amount possible from the disposition of the receivership’s assets and the pursuit of the receivership’s claims. Funds that are collected from the sale of assets and the disposition of valid claims are distributed to the receivership’s creditors according to priorities set by law.

Under the Orderly Liquidation Authority (OLA) of the Dodd-Frank Act, the FDIC may also be called upon to resolve the failure of a large, systemically important financial company. OLA provides a backup authority to place a failed or failing financial company into an FDIC receivership process if no viable private-sector alternative is available to prevent the default of the company and if a resolution through the bankruptcy process would have a serious adverse effect on U.S. financial stability.

To ensure that the resolution of the failure of a large, complex financial institution could be carried out under bankruptcy in an orderly manner, the FDIC assesses the resolution plans submitted by bank holding companies, other covered companies, and IDIs. These plans must be able to be transmitted through the FDIC's secure communication channel with financial institutions and must be maintained in a secure environment.

IT Landscape

Research was conducted across agencies, other financial regulators, and the financial and banking industry, to find operational, economic, and technological trends that drive the way IT services are delivered.

Emerging Technologies

Three major emerging technologies will change how IT enables businesses cross-industry: mobility, cloud technology, and data analytics. These three technologies have become a major government IT focus as agencies modernize and enhance IT capabilities.

Mobility. Research has shown that agencies moving toward mobility have reduced costs, engaged the public better, and enhanced flexibility for staff. Mobile applications help organizations become more efficient and enable real time access to data. Additionally, pervasive public mobile device adoption is an opportunity for government and industry services to become more accessible to authorized users.

Cloud Technology. The emergence and adoption of cloud technology has forced cross-industry reevaluation of how IT supports business functions. Cloud technology enables continuous availability of services, scalable computing power and storage, and long-term cost reduction because users pay for only the capacity that is actually used. This is a shift from traditional infrastructure and services that are subject to the challenge of trying to estimate usage before it occurs, which increases cost regardless of actual usage and provides limited scalability. To better enable federal agencies to leverage the benefits of cloud technology, the General Services Administration (GSA) established the Federal Risk and Authorization Management Program (FedRAMP) in 2011 to provide a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services for federal agency use. Agencies and businesses continue to move, build, and buy applications, systems, and infrastructure in the cloud. Vendor owned and operated infrastructure has also increased in use as agencies continue to move toward shared or managed services, which frees up resources to be redistributed as priorities change.

Data Analytics. Increased data analytic capabilities are a continued focus not only across federal agencies, but cross-industry, as organizations recognize data can be better collected, categorized, analyzed for decision making, and published.

IT Service Delivery

Today, annual federal IT budgets continue to spend more on operations and maintenance of current IT capabilities, leaving less to mitigate the critical risks of technological obsolescence and to develop new and enhanced IT applications. IT organizations must take a critical look at the cost of operating and maintaining their existing IT infrastructures and legacy application systems and seek opportunities to improve efficiency through the implementation of new or enhanced capabilities. This is causing many agencies to consider newer operating models, such as shared or managed IT services, to reduce the costs of ongoing operations and maintenance and free up additional resources.

Portfolio management challenges continue to exist. These include the immediate need to address the performance shortcomings or deficiencies of existing applications before attention can be given to concerns about technology obsolescence and application modernization. In some cases, this may involve the replacement of current applications with modular solutions in a shared services environment. Clear criteria and repeatable processes are required to assign priority for these actions consistent with available resources.

In many cases, traditional development and delivery techniques are being replaced with rapid experimentation and capability delivery. Incremental development lowers upfront costs and provides more opportunities to introduce innovation with each successive release of an application.

Goals & Themes

This plan identifies five goals and three cross-cutting themes. Each goal presents an opportunity to improve how FDIC conducts its business through new IT capabilities. As FDIC addresses each goal, these three themes provide the foundation for implementation. The following pages provide more detail on the objectives identified to achieve these goals.

Goal 1
Information Security & Privacy

Information security and privacy are ingrained in FDIC culture, ensuring IT solutions are secure by design and cyber risks are well-understood, managed, and minimized in accordance with business needs.

DESCRIPTION

The FDIC receives and works with sensitive information including nonpublic supervisory information and Personally Identifiable Information (PII) that must be kept secure and private, despite a landscape of constantly evolving threats. Information security contributes to achieving the other four goals by providing assurances that information can be shared and used appropriately by authorized persons.

OBJECTIVE 1.1
Use multi-factor authentication (MFA) to provide higher levels of assurance when accessing FDIC systems

The FDIC will require multi-factor authentication to access end-user devices and its computer systems as one approach for achieving comprehensive information security and privacy. The FDIC will provide Personal Identity Verification (PIV) cards and passwords to authorized users as a primary means to authenticate access to FDIC systems. Authorized external users will use other methods for MFA.

OBJECTIVE 1.2
Address emerging regulatory requirements, technology advancements, and the risks associated with new and evolving threats

In addition to adopting MFA, the FDIC will adhere to internal and external requirements such as the Federal Information Security Modernization Act (FISMA), Privacy Act, and the National Institute of Standards and Technology (NIST) Cybersecurity Framework. All new and existing contracts, when applicable, will also require service providers comply with these re

OBJECTIVE 1.3
Safeguard information wherever it resides, providing security and privacy protections commensurate with its sensitivity

The FDIC will assign safeguarding requirements to information according to its sensitivity and risk. Data owners will approve requirements for storage and use. The FDIC will explore technologies that can improve the FDIC’s ability to protect sensitive data from unauthorized sharing as it travels outside the FDIC’s security perimeter. The FDIC will assess and update security and privacy solutions as business needs change.

OBJECTIVE 1.4
Ensure that authorized users understand, accept, and follow security and privacy responsibilities

All FDIC employees, contractors, outsourced service providers, financial institutions, and other federal agencies, will complete security awareness training commensurate with their responsibilities. Through partnership with Human Resources, activities will lead to improved personal accountability for security and privacy. Regular communications will raise security and privacy awareness and reinforce individuals’ safeguarding responsibilities.

OUTCOME

Data and information systems are secure; confidentiality, integrity, and availability are maintained by people, processes, and technology.
