Federal Reports

The OIG evaluated the U.S. Department of Housing and Urban Development’s (HUD) progress in applying zero trust security principles to protect personally identifiable information (PII). HUD maintained a significant number of records that contain PII with limited zero trust controls in place to secure these data. In FY 2022, HUD established a zero trust implementation plan to help the agency address the five zero trust pillars established by CISA; however, by FY 2024, HUD had made limited progress in the initiatives established in its plan. In FY 2024, HUD began to implement some technical controls to support identity pillar functions but lacked overall direction and a clear plan to make significant zero trust progress. HUD did not have an automated process to inventory or categorize data, which restricted its visibility into its PII. HUD monitored its information technology (IT) and cybersecurity risks through its OCIO risk register process; However, the register did not contain specific ZTA implementation risks. HUD did not ensure that systems applied granular access controls, including access tailored to individual actions and individual resource needs. Lastly, agencies were required to fully implement multifactor authentication (MFA) by November 2021 and phishing-resistant MFA for external users by January 2023. As of May 2024, HUD had begun phishing-resistant MFA implementation for just one of its authentication systems. We issued six recommendations to improve HUD’s management of PII in a zero trust environment.

The VA Office of Inspector General (OIG) conducted a national review of the Veterans Health Administration (VHA) to assess the policy pertaining to osteoporosis screening and to determine osteoporosis screening rates in women patients enrolled in VHA primary care who are age 65 and older. Osteoporosis is a disease characterized by decreased bone mineral density (BMD) and bone quality, resulting in an increased risk of fractures.

VHA policy states that preventive care for women patients must include osteoporosis screening, and the OIG found that VHA osteoporosis screening practices generally align with United States Preventive Service Task Force recommendations. VHA offers BMD testing at most of its facilities and utilizes BMD testing in the community when not available at the facility or for otherwise eligible patients.

The OIG estimated that 87 percent of the review population completed BMD testing and 93 percent of the review population had or were offered BMD testing. OIG-estimated screening rates were higher than VHA-estimated screening rates, although different methodologies were used to determine screening rates. The OIG identified patients who were at risk for osteoporosis and fracture who were not offered BMD testing.

VHA implemented measures to improve osteoporosis screening, including introduction of a toolkit and a clinical reminder. Improvement in osteoporosis screening rates temporally correlated with the implementation of the clinical reminder. Clinical reminder use appeared to vary between facilities as the OIG observed that there were sites where none of the sampled patients had identified osteoporosis clinical reminder use after implementation of the clinical reminder.

The OIG recommended that the Under Secretary for Health work with the Women’s Program Office to gain an understanding of barriers to osteoporosis clinical reminder use and, based on results, implement action as needed.

OIG reviewed the Forest Service’s funding and monitoring of selected IIJA project proposals for the Collaborative Aquatic Landscape Restoration Program.