GAO: VA hasn’t fully implemented federal facility-security standards; covert tests missed prohibited weapon

The Department of Veterans Affairs still has not fully implemented required federal facility-security standards, the Government Accountability Office said in a report released Thursday, and in covert tests a prohibited weapon was not detected at any of 30 selected VA medical facilities.

The findings point to systemwide oversight and performance problems at the nation’s largest integrated health care system. The VA serves about 9 million enrolled veterans through more than 1,300 facilities, including roughly 170 medical centers. According to the report, “The VA police reported 74,706 crimes in fiscal years 2024 and 2025.” GAO said about 98% of those reported crimes were nonviolent, with common incidents including disorderly conduct, theft and drug offenses. Disorderly conduct was the largest single category, at 22,819 incidents over the two-year period.

Crime levels also varied by location. GAO found the average crime rate during fiscal 2024 and 2025 was about twice as high at facilities in more urban areas, at 214 crimes per facility, as at majority-rural facilities, at 123 per facility.

The watchdog’s covert testing results came with an important limit: The 30 medical facilities were a selected sample chosen to vary by size and geography, not a statistically representative cross-section of all VA sites. Still, GAO said, “In covert tests, VA staff did not detect a prohibited weapon that GAO investigators carried into any of the 30 tested VA medical facilities…”

The report said VA has not fully implemented the Interagency Security Committee’s risk-management standard for federal facilities. That standard is meant to guide agencies in assessing risk, selecting security measures and documenting why particular strategies are used. GAO found VA had not consistently documented the security strategies it chose for facilities and had not measured how well those strategies worked.

As part of the covert testing, GAO investigators carried a multi-tool with a knife blade longer than 2.5 inches, which the report treated as a prohibited weapon under the applicable federal standard. At the 30 facilities tested, VA staff did not detect it.

GAO observed metal detectors at only two of those sites. At one facility, the detector was not in use. At the other, the detector alarmed, but the investigator was not questioned or searched, according to the report.

In a separate covert test, GAO said that in 25 of 26 cases, VA staff did not detect or confront an investigator who appeared to be drinking from a bottle labeled “vodka.” GAO said alcohol is generally prohibited at VA medical facilities. The report presented that test as another example of inconsistent screening and enforcement practices.

The report also identified management problems in how the department tracks and communicates progress on addressing facility-security gaps through capital planning. GAO said VA met its overall internal goal for addressing those gaps in capital projects, but two of its 18 regional health care networks — Veterans Integrated Service Network, or VISN, 10 and VISN 15 — did not meet the 95% goal in fiscal years 2023 through 2025.

GAO said VA headquarters did not tell those regions they were underperforming, and as a result they did not take corrective action. The watchdog recommended that VA develop a plan with milestones to fully implement the Interagency Security Committee standard, assess the resources needed to do so, and create a mechanism to communicate regional progress on security-gap planning. All three recommendations were listed as open.

The report suggests the problems are longstanding. GAO said it had already recommended in 2018 that VA align its risk-management policies with the Interagency Security Committee standard, and that work remains incomplete. In this latest review, GAO said, “VA did not provide comments on the report.”