Facility Security: VA Should Fully Implement Federal Security Requirements and Improve Performance Reporting
Fast Facts
We reviewed security at VA medical facilities. Most of the 74,700 crimes committed at these facilities in FYs 2024 and 2025 were nonviolent. These crimes included disorderly conduct, theft, and drug offenses.
In covert tests, VA staff didn't detect a prohibited weapon that our investigators carried into 30 facilities—two of which had metal detectors. In 25 of 26 covert tests, VA staff didn't confront an investigator appearing to drink alcohol in plain view, which is generally prohibited at VA facilities.
We recommended ways for VA to address security at its medical facilities. This could help provide a safer environment for veterans and staff.
Covert Test at VA Medical Facility

An undercover GAO investigator appearing to drink alcohol in a waiting room with several people at a VA medical facility
Highlights
What GAO Found
Department of Veterans Affairs (VA) police records report around 74,700 crimes at VA medical facilities in fiscal years 2024 and 2025. The overwhelming majority were nonviolent and included disorderly conduct, theft, and drug offenses, according to GAO analysis. GAO found that the average crime rate for the 2-year period was about two times higher in areas with more urban VA facilities (214 crimes per facility) than rural facilities (123 crimes per facility), which is consistent with a Department of Justice report on overall criminal trends.
The Interagency Security Committee (ISC)—which VA is a member of—developed a risk management standard that federal agencies are required to follow to identify and address security risks. However, VA has not fully implemented all ISC requirements, such as documenting decisions on which security strategies it will adopt or measuring the performance of its security strategies. In covert tests, VA staff did not detect a prohibited weapon that GAO investigators carried into any of the 30 tested VA medical facilities, including two that had metal detectors. In 25 of 26 covert tests, VA staff did not confront an investigator drinking in plain view from a bottle labeled vodka—which is prohibited at VA facilities. Developing a plan with milestones and assessing resource requirements to fully implement the standard could help VA better manage security risks to create a safe environment for veterans and VA staff.
Undercover GAO Investigator Appearing to Drink Alcohol in a VA Medical Facility

Consistent with ISC and internal control standards, VA obtains security and threat information and works to address security gaps through its capital planning. VA has a performance goal to address security gaps for capital projects. While VA has met its overall security gap planning goal, two of the 18 regions did not meet it in fiscal years 2023 through 2025 and did not take actions to improve performance. This is because VA headquarters—the entity that tracks each region’s progress—did not communicate to the regions that they were not meeting this goal. Communicating this information to the regions could help VA ensure that it continues to meet this goal.
Why GAO Did This Study
VA oversees the largest integrated health care system in the U.S., serving 9 million enrolled veterans at over 1,300 facilities. These facilities have been the target of violence, threats, and other security-related incidents. VA is responsible for physical security at its medical facilities.
GAO was asked to review security at VA medical facilities. This report examines (1) the nature of reported criminal activity at VA medical facilities, (2) the extent to which VA implemented federal security requirements and detected security vulnerabilities at VA facilities, and (3) VA processes for obtaining and incorporating security and threat information into infrastructure planning.
GAO reviewed VA security and infrastructure planning policies, crime data from fiscal years 2024 and 2025, and risk assessment and infrastructure performance data from fiscal years 2023, 2024, and 2025. GAO also conducted covert security tests at a non-generalizable sample of 30 VA facilities, selected to ensure variation in the size and geographic locations of facilities, among other factors. GAO interviewed VA personnel and veterans in Arkansas and California.
Recommendations
GAO is recommending VA develop a plan with milestones and assess resources needed to fully implement the ISC’s risk management standard and communicate to the regions their progress in meeting the security gap planning goal. We provided a draft of this report to VA for review and comment. VA did not provide comments on the report.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Department of Veterans Affairs | The Secretary of Veterans Affairs should develop a plan with milestones for fully implementing the ISC's risk management standard. (Recommendation 1) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Department of Veterans Affairs | The Secretary of Veterans Affairs should assess the resources needed to fully implement the ISC's risk management standard. (Recommendation 2) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Department of Veterans Affairs | The Secretary of Veterans Affairs should develop a mechanism for VA headquarters to communicate with VISN officials on their progress in meeting VA's 95-percent security gap closure planning goal. (Recommendation 3) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |