VA Facility Security:
Policy Review and Improved Oversight Strategy Needed
GAO-18-201: Published: Jan 11, 2018. Publicly Released: Jan 11, 2018.
What GAO Found
The Department of Veterans Affairs' (VA) risk management policies include some but not all of the elements of standards set by the Interagency Security Committee (ISC). ISC was established via executive order to develop security standards and best practices that federal agencies are to follow when developing and conducting risk assessments. As part of this process, VA's policy identifies minimum countermeasures as called for in ISC's standards. In other areas, VA policy only partially adheres or does not adhere to ISC's standards, for example:
Of the five factors ISC calls for when calculating a facility's security level, VA considers three but does not consider a facility's population and size.
VA policy does not include performance measures, such as the number of countermeasures in use or the percentage of facility assessments completed; this percentage is a key element of ISC's standards for assessing the effectiveness of an agency's security programs.
Officials at VA said that its risk management program was developed prior to the ISC standards' being issued in 2013 and that it is up to each agency to determine how to best apply the standards. Nevertheless, VA officials said they are currently reexamining their policies. Until VA reviews its policies in accordance with ISC standards, its approach to risk management may not yield the appropriate security posture needed to adequately protect its medical centers.
VA's oversight activities for risk management do not encompass key aspects of the Standards for Internal Control in the Federal Government and Circular A-123 from the Office of Management and Budget that require agencies to conduct oversight activities to ensure the accountability and effectiveness of agency programs. VA has an oversight process to ensure that biennial assessments of individual facilities' security are completed. However, VA:
does not review the quality of medical centers' required risk assessments,
does not identify whether countermeasures were implemented appropriately by the medical centers, and
does not collect system-wide data to gain an understanding of physical security issues across medical centers.
In the absence of a comprehensive VA-wide strategy or guidance that reflects these internal control standards, individual sites have established their own approaches to carrying out VA's risk management policy. For example, the nine sites GAO reviewed conducted their security assessments differently, and none of the assessments indicated that all of the threat categories in VA's policy were reviewed. The lack of a system-wide oversight strategy means that the differences among medical center approaches, along with the security effects of those different approaches, are unknown. Accordingly, VA does not know if its medical centers are adequately protected, and it may be missing opportunities to leverage resources nationally and make better informed, proactive policy decisions.
Why GAO Did This Study
The Veterans Health Administration (VHA) is responsible for providing a safe and secure, yet welcoming environment for staff, patients, and visitors at nearly 170 medical centers. These facilities have been the target of violence, threats, and other security-related incidents. Assessing and managing risks is a critical element for ensuring adequate physical security at these facilities.
GAO was asked to review VA's physical security risk-management policies and practices. This report: (1) assesses how VA's policies for risk management reflect prevailing standards, and (2) evaluates VA's oversight of risk management at VHA medical facilities. GAO compared VA policies to ISC standards; reviewed VA documents; interviewed VA and ISC officials; and assessed risk assessment activities at nine medical centers selected based on factors such as patient and security-incident data and geographical diversity. While not generalizable, these nine locations provide illustrative examples of how VA's policies are carried out.
What GAO Recommends
GAO recommends that the Department of Veterans Affairs review and revise its risk management policies to reflect prevailing standards, and develop an oversight strategy to assess the effectiveness of risk management programs at VHA facilities. VA agreed with GAO's recommendations and identified steps to implement them.
For more information, contact Lori Rectanus at (202) 512-2834 or firstname.lastname@example.org.
Recommendations for Executive Action
Comments: On March 20, 2018, VA notified GAO that it was in the process of updating its vulnerability assessment program and working with the Interagency Security Committee (ISC) to do so, with a target completion date of January 2019. VA reported having taken the following four steps: 1) Representatives from OS&LE met with the Program Director and staff members of ISC on January 20, 2018 to discuss the process of incorporating ISC standards with the applicable VA Handbook and Directives. During the meeting, the ISC Program Director provided OS&LE with a point of contact from ISC to assist with this project; 2) Creation of the OS&LE/ISC task force to ensure that the applicable ISC standards are part of the VA Vulnerability Assessment process. The task force members include three members from OS&LE who are subject matter experts in physical security, an ISC security specialist, and an ISC Regional Advisor, as well as a senior security officer from VHA; 3) Initiating revisions to applicable VA Handbooks and Directives to reflect the new Vulnerability Assessment Program requirements; and 4) Articulation that OS&LE will implement the updated VA Handbooks, Directives, and Vulnerability Assessment tool.
Recommendation: The Secretary of VA should, in collaboration with ISC, review and revise VA's risk management policies for VHA facilities to ensure VA incorporates ISC standards, as appropriate. (Recommendation 1)
Agency Affected: Department of Veterans Affairs
Comments: On March 20, 2018, VA identified OS&LE as the internal entity responsible for conducting a complete review of VA's current risk management policies and processes for VA facilities. Working with ISC, VA reported that OS&LE will make changes as necessary to ensure we have effective oversight of VA's risk management process. Additionally, OS&LE formed a task force on January 20, 2018 whose members participated in a scheduled ISC Steering Committee meeting on February 2, 2018. Moreover, on February 21, 2018, OS&LE task force members met with the Office of Personnel Management Security Director to review an ISC-certified risk assessment tool for possible implementation consideration. This tool is currently under review. The task force is scheduled to meet on a monthly basis to chart the progress and outline next steps.
Recommendation: The Secretary of VA should develop an oversight strategy that allows VA to assess the effectiveness of risk management programs at VHA facilities system-wide. (Recommendation 2)
Agency Affected: Department of Veterans Affairs