VA Facility Security: Policy Review and Improved Oversight Strategy Needed

GAO-18-201 Published: Jan 11, 2018. Publicly Released: Jan 11, 2018.
Jump To:
Skip to Highlights

What GAO Found

The Department of Veterans Affairs' (VA) risk management policies include some but not all of the elements of standards set by the Interagency Security Committee (ISC). ISC was established via executive order to develop security standards and best practices that federal agencies are to follow when developing and conducting risk assessments. As part of this process, VA's policy identifies minimum countermeasures as called for in ISC's standards. In other areas, VA policy only partially adheres or does not adhere to ISC's standards, for example:

Of the five factors ISC calls for when calculating a facility's security level, VA considers three but does not consider a facility's population and size.

VA policy does not include performance measures, such as the number of countermeasures in use or the percentage of facility assessments completed; this percentage is a key element of ISC's standards for assessing the effectiveness of an agency's security programs.

Officials at VA said that its risk management program was developed prior to the ISC standards' being issued in 2013 and that it is up to each agency to determine how to best apply the standards. Nevertheless, VA officials said they are currently reexamining their policies. Until VA reviews its policies in accordance with ISC standards, its approach to risk management may not yield the appropriate security posture needed to adequately protect its medical centers.

VA's oversight activities for risk management do not encompass key aspects of the Standards for Internal Control in the Federal Government and Circular A-123 from the Office of Management and Budget that require agencies to conduct oversight activities to ensure the accountability and effectiveness of agency programs. VA has an oversight process to ensure that biennial assessments of individual facilities' security are completed. However, VA:

does not review the quality of medical centers' required risk assessments,

does not identify whether countermeasures were implemented appropriately by the medical centers, and

does not collect system-wide data to gain an understanding of physical security issues across medical centers.

In the absence of a comprehensive VA-wide strategy or guidance that reflects these internal control standards, individual sites have established their own approaches to carrying out VA's risk management policy. For example, the nine sites GAO reviewed conducted their security assessments differently, and none of the assessments indicated that all of the threat categories in VA's policy were reviewed. The lack of a system-wide oversight strategy means that the differences among medical center approaches, along with the security effects of those different approaches, are unknown. Accordingly, VA does not know if its medical centers are adequately protected, and it may be missing opportunities to leverage resources nationally and make better informed, proactive policy decisions.

Why GAO Did This Study

The Veterans Health Administration (VHA is responsible for providing a safe and secure, yet welcoming environment for staff, patients, and visitors at nearly 170 medical centers. These facilities have been the target of violence, threats, and other security-related incidents. Assessing and managing risks a critical element for ensuring adequate physical security at these facilities.

GAO was asked to review VA's physical security risk-management policies and practices. This report: (1) assesses how VA's policies for risk management reflect prevailing standards, and (2) evaluates VA's oversight of risk management at VHA medical facilities. GAO compared VA policies to ISC standards; reviewed VA documents; interviewed VA and ISC officials; and assessed risk assessment activities at nine medical centers selected based on factors such as patient and security-incident data and geographical diversity. While not generalizable, these nine locations provide illustrative examples of how VA's policies are carried out.

Skip to Recommendations


GAO recommends that the Department of Veterans Affairs review and revise its risk management policies to reflect prevailing standards, and develop an oversight strategy to assess the effectiveness of risk management programs at VHA facilities. VA agreed with GAO's recommendations and identified steps to implement them.

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Veterans Affairs The Secretary of VA should, in collaboration with ISC, review and revise VA's risk management policies for VHA facilities to ensure VA incorporates ISC standards, as appropriate. (Recommendation 1)
As of March 2022, VA had drafted updates its risk management policies but had not yet implemented the changes. GAO confirmed that VA had drafted revisions to its risk management policy and Handbook that incorporate lnteragency Security Committee (ISC) standards. For example, the draft policy requires VA police to consider all undesirable events when assessing risk, in line with ISC standards. According to VA officials, they met with ISC officials throughout the process of revising its policies. VA officials said their goal is to complete its efforts to incorporate applicable ISC standards by April 2022. GAO will continue to monitor VA's efforts to implement this recommendation.
Department of Veterans Affairs The Secretary of VA should develop an oversight strategy that allows VA to assess the effectiveness of risk management programs at VHA facilities system-wide. (Recommendation 2)
As of March 2022, VA had plans to fully deploy the Modified Infrastructure Survey Tool 2.0 (MIST) to help oversee the effectiveness of risk management processes across medical centers. This tool was developed by DHS's Federal Protective Service and has been validated by ISC as following its standards. The tool will enable VA to capture, store, and access information associated with risk assessments and countermeasure recommendations at individual facilities. When implemented, MIST will provide VA the capability to oversee the risk assessment process performed by VA police at individual medical centers. MIST will also enable management to observe trends in security issues, such as vulnerabilities and repeat security incidents, at medical centers nationwide or by VISN. VA plans to purchase the license to use MIST across police departments at medical centers and provide associated training for all of its police officers in fiscal year 2022. GAO will continue to monitor VA's efforts to implement this recommendation.

Full Report

GAO Contacts