
FACILITY SECURITY:

VA Should Fully Implement Federal Security Requirements and Improve Performance Reporting

GAO-26-107952. Published: Apr 29, 2026. Publicly Released: May 13, 2026.

Report to the Chairman

Committee on Veterans’ Affairs

U.S. Senate

April 2026

GAO-26-107952

United States Government Accountability Office

Highlights

A report to the Chairman, Committee on Veterans’ Affairs, U.S. Senate

For more information, contact: Triana McNeil at mcneilt@gao.gov

What GAO Found

Department of Veterans Affairs (VA) police records report around 74,700 crimes at VA medical facilities in fiscal years 2024 and 2025. The overwhelming majority were nonviolent and included disorderly conduct, theft, and drug offenses, according to GAO analysis. GAO found that the average crime rate for the 2-year period was about two times higher in areas with more urban VA facilities (214 crimes per facility) than rural facilities (123 crimes per facility), which is consistent with a Department of Justice report on overall criminal trends.

The Interagency Security Committee (ISC)—which VA is a member of—developed a risk management standard that federal agencies are required to follow to identify and address security risks. However, VA has not fully implemented all ISC requirements, such as documenting decisions on which security strategies it will adopt or measuring the performance of its security strategies. In covert tests, VA staff did not detect a prohibited weapon that GAO investigators carried into any of the 30 tested VA medical facilities, including two that had metal detectors. In 25 of 26 covert tests, VA staff did not confront an investigator drinking in plain view from a bottle labeled vodka—which is prohibited at VA facilities. Developing a plan with milestones and assessing resource requirements to fully implement the standard could help VA better manage security risks to create a safe environment for veterans and VA staff.

Undercover GAO Investigator Appearing to Drink Alcohol in a VA Medical Facility

Consistent with ISC and internal control standards, VA obtains security and threat information and works to address security gaps through its capital planning. VA has a performance goal to address security gaps for capital projects. While VA has met its overall security gap planning goal, two of the 18 regions did not in fiscal years 2023 through 2025 and did not take actions to improve performance. This is because VA headquarters—the entity that tracks each region’s progress—did not communicate to the regions that they were not meeting this goal. Communicating this information to the regions could help VA ensure that it continues to meet this goal.  

Why GAO Did This Study

VA oversees the largest integrated health care system in the U.S., serving 9 million enrolled veterans at over 1,300 facilities. These facilities have been the target of violence, threats, and other security-related incidents. VA is responsible for physical security at its medical facilities.

GAO was asked to review security at VA medical facilities. This report examines (1) the nature of reported criminal activity at VA medical facilities, (2) the extent VA implemented federal security requirements and detected security vulnerabilities at VA facilities, and (3) VA processes for obtaining and incorporating security and threat information into infrastructure planning.

GAO reviewed VA security and infrastructure planning policies, crime data from fiscal years 2024 and 2025, and risk assessment and infrastructure performance data from fiscal years 2023, 2024, and 2025. GAO also conducted covert security tests at a non-generalizable sample of 30 VA facilities, selected to ensure variation in the size and geographic locations of facilities, among other factors. GAO interviewed VA personnel and veterans in Arkansas and California.

What GAO Recommends

GAO is recommending VA develop a plan with milestones and assess resources needed to fully implement the ISC’s risk management standard and communicate to the regions their progress in meeting the security gap planning goal. We provided a draft of this report to VA for review and comment. VA did not provide comments on the report.

Abbreviations

ISC     Interagency Security Committee
SCIP    Strategic Capital Investment Planning
VA      Department of Veterans Affairs
VISN    Veterans Integrated Service Networks

This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

Letter

April 29, 2026

The Honorable Jerry Moran
Chairman
Committee on Veterans’ Affairs
United States Senate

Dear Mr. Chairman:

The Department of Veterans Affairs (VA) oversees the largest integrated health care system in America, serving 9 million enrolled veterans at over 1,300 facilities, including 170 medical centers. VA employees, veteran patients, and medical facilities have been the targets of violence, threats, and other security-related incidents in recent years, including nonviolent crimes such as disorderly conduct and theft. In 2024, for example, VA medical facilities reported security incidents including homicides, sexual assaults, veteran suicides by firearm, an officer-involved shooting, a bomb threat, and individuals brandishing weapons. Health care workers, of which VA employs more than 188,000, are among the occupations most at risk for workplace violence. The Bureau of Labor Statistics reported that the health care industry has a workplace violence rate more than four times the national average.[1]

VA is responsible for physical security at its medical facilities and has an armed and uniformed police force—the VA police—that provides law enforcement services at VA medical facilities nationwide. The agency employs more than 4,300 officers, physical security specialists, and investigators.[2] VA also augments its police force with about 800 contract security guards.[3] The infrastructure of VA medical facilities is another important component of physical security. For example, VA medical facilities may employ measures such as card readers, bollards, and surveillance cameras to enhance security.

We identified managing federal real property as a high-risk area in part because of security risks and the condition and configuration of federal facilities.[4] For VA, ensuring physical security for its medical facilities can be complicated because the agency has to balance safety and security with providing an open and welcoming health care environment. In addition, many VA facilities were constructed to meet the needs of World War II veterans 80 years ago and currently lack well-configured security space and equipment. According to VA, much of this infrastructure requires either costly renovation or replacement to meet modern health care and security design standards. The President’s fiscal year 2026 budget request stated that addressing all projected capital planning gaps would require $187 to $207 billion over the next ten years. Given the fiscal year 2026 capital budget request for VA was $7.8 billion, it is unlikely VA will be able to address all infrastructure gaps within the next ten years.

You asked us to review issues related to security at VA medical facilities. This report examines (1) the nature of criminal activity reported at VA medical facilities; (2) the extent to which VA implemented federal facility security requirements and detected potential security vulnerabilities at VA medical facilities; and (3) the extent to which VA established processes for obtaining security and threat information and incorporating it into infrastructure management planning.

To address all objectives, we reviewed VA policies, conducted site visits to VA’s Law Enforcement Training Center and four VA medical facilities, and interviewed VA officials and patients. To review the nature of reported criminal activity at VA medical facilities, we analyzed VA crime data from fiscal years 2024 and 2025, the period for which reliable data were available.[5]

To review the extent to which VA implemented federal facility security requirements, we analyzed data from VA facility risk assessments from fiscal year 2023 through March 2025.[6] We examined these risk assessments to determine the extent to which VA has implemented requirements from the Interagency Security Committee (ISC) standard for risk management.[7] This ISC standard is applicable to all federally owned or leased buildings regularly occupied by executive branch federal employees or federal contract workers for nonmilitary activities, and in 2023, an executive order required executive agencies, including VA, to comply with the standard.[8] To assess VA’s ability to detect potential security vulnerabilities, we conducted covert tests of VA’s response to the presence of certain federally prohibited items during unannounced site visits to a nonprobability selection of 30 VA medical facilities.[9] We conducted our covert tests at facilities with differing characteristics, including geographic variation, rurality, facility type, and facility security risk levels.

To review VA’s processes for addressing security in infrastructure management, we assessed the extent to which VA’s Strategic Capital Investment Planning (SCIP) process incorporates security and threat information—consistent with internal control risk assessment criteria.[10] We also assessed VA’s efforts to implement a performance measure to track closing security gaps in accordance with VA guidance.[11] For additional details regarding our objectives, scope, and methodology, see appendix I.

We conducted this performance audit from December 2024 to April 2026 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We conducted our related investigative work in accordance with standards prescribed by the Council of the Inspectors General on Integrity and Efficiency. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Background

VA headquarters, regional, and local offices carry out physical security responsibilities. At the headquarters level, VA’s Office of Security and Law Enforcement—located within VA’s Office of Operations, Security, and Preparedness—develops policies and standards for assessing physical security risks and providing physical security for VA medical facilities. The Office of Security and Law Enforcement also oversees VA police training at the Law Enforcement Training Center in North Little Rock, Arkansas and inspections of VA police. For additional information on VA police training and police inspections, see appendix II. VA headquarters is also responsible for reviewing infrastructure project requests from medical facilities and determining which to prioritize for funding based on the agency’s strategic priorities and available budget resources.

VA has 18 regional networks called Veterans Integrated Service Networks (VISN) that are responsible for managing and overseeing medical facilities within defined geographic areas. For example, VISNs review infrastructure project requests from medical facilities. See figure 1 for a map of the VISNs and information on the number of medical facilities.

Figure 1: Map of Veterans Integrated Service Networks (VISN) and Number of Facilities by VISN Number

Note: The Department of Veterans Affairs made changes to VISN boundaries and reduced the number of VISNs to 18 in 2015. As a result, there are no longer VISNs numbered 3, 11, 13, 14, or 18. VISNs 4, 8, 10, 12, 16, 19, 22, and 23 each have 1 to 3 stand-alone residential care facilities. VISN 19 has one stand-alone extended care facility. The other VISNs do not have stand-alone residential care or extended care facilities; however, some medical centers may include extended care and residential care facilities.

VA medical facilities range in size and complexity—and include primary care clinics, specialty care clinics, and medical centers. Some VA medical centers are on campuses with multiple facilities. Figure 2 shows an example of a rural clinic as well as the West Los Angeles VA Medical Center, which is on a campus with a number of facilities, including a hospital and veteran housing.

Figure 2: Two Examples of Department of Veterans Affairs (VA) Medical Facilities

At the local level, medical center directors are responsible for implementing VA security policies and standards and overseeing VA police activities. Medical centers are also responsible for identifying, submitting, and overseeing capital construction projects, which may address security. Police at each medical center provide law enforcement services and conduct facility risk assessments.

In an April 2025 memorandum from the Secretary of VA, VA announced plans to reorganize its police into a single command structure within the Office of Operations, Security, and Preparedness.[12] According to the memorandum, this is intended to streamline the reporting structure and transfer some of the responsibilities that had been carried out by the medical facilities to the Office of Operations, Security, and Preparedness. This includes funding police salaries, equipment, training, and contracts. The Secretary stated in the memorandum this consolidation will also “eliminate waste, ensure appropriate staffing, training, and resourcing, in addition to standardizing field operations, compliance, and accountability throughout the VA police.”

The Majority of Reported Criminal Activity at VA Medical Facilities Was Nonviolent and Occurred in Areas with More Urban VA Facilities

Around 98 percent of the 74,706 crimes reported by the VA police in fiscal years 2024 and 2025 were nonviolent, according to our analysis of VA police records. Both violent and nonviolent crimes can create safety and security concerns for VA employees and staff, though VA patients generally reported feeling safe at VA medical facilities, according to VA survey data and our interviews. Crime rates at VA facilities located in stations with a majority of facilities in urban areas are higher than for facilities in stations with a majority of rural facilities, according to our analysis of VA police records.[13]

Disorderly Conduct, Assault, and Theft Were the Most Frequently Reported Crimes at VA Medical Facilities in 2024 and 2025

VA police reported 74,706 crimes at VA medical facilities in fiscal years 2024 and 2025, and the overwhelming majority—around 98 percent—of these reported crimes were nonviolent.[14] As shown in figure 3, the most frequently reported nonviolent crimes were disorderly conduct, theft, and drug offenses, which accounted for about 48 percent of all crimes.[15] These figures represent crimes reported by VA police officers using the department’s record management systems. Accordingly, these figures may not be inclusive of all crimes that occur at VA medical facilities.[16]

Figure 3: Crimes at VA Medical Facilities Reported by the VA Police, Fiscal Years 2024 and 2025

Note: The VA police reported 74,706 crimes in fiscal years 2024 and 2025. The all other offenses category is composed of 28 crimes; see appendix III for a full list. Our report uses the criminal offense categories and definitions used by the Federal Bureau of Investigation to collect crime statistics through its National Incident-Based Reporting System.

Drug offenses and liquor law violations. VA characterizes illegal drug and alcohol use as health and safety concerns. About 8 percent—6,044 of 74,706—of crimes reported by the VA police in fiscal years 2024 and 2025 were drug offenses and less than 1 percent—407—were liquor law violations. VA officials told us that the VA police charged more offenders for drug offenses than for liquor law violations for two main reasons. First, VA police officers are more likely to charge an offender for using or possessing illegal drugs because they pose a more immediate health hazard than alcohol. According to VA officials, drugs pose a greater threat because they are more likely to kill patients than alcohol. Second, it is not against state law to possess or consume alcohol, and VA considers liquor law violations to be less serious than drug crimes. National efforts to prevent, respond to, and recover from drug misuse are on GAO’s High-Risk List because this issue has been a persistent and long-standing public health challenge.[17]

Weapon law violations. Weapon law violations create safety concerns among the VA employees we interviewed. About 7 percent—5,266 of 74,706—of crimes reported by the VA police in fiscal years 2024 and 2025 were weapon law violations. VA employees at three medical facilities we visited told us that patient possession of concealed weapons was a safety concern. For example, according to one VA health care provider, a patient brought a machete into a VA medical facility and used the weapon to threaten the provider. According to VA officials, it can be challenging for VA police to detect concealed weapons because VA medical facilities are not generally equipped with weapons detection systems such as metal detectors.

Trespassing. VA employees told us that trespassing is a safety concern. Trespassing is the unlawful entry into a physical location, according to the Federal Bureau of Investigation. Trespassing crimes made up about 4 percent—3,092 of 74,706—of crimes reported by the VA police in fiscal years 2024 and 2025. Trespassing was a concern to the employees we spoke to because offenders sometimes trespass in sensitive locations, such as patient treatment areas. According to these employees, some building entrances at VA medical facilities are not guarded and lack physical access control systems like key card readers. VA guidance for newly constructed or renovated VA facilities generally requires the installation of access control systems to prevent trespassing in nonpublic areas.

Sex crimes, aggravated assaults, and murders. Violent sex crimes—such as sexual assault and rape—were the most common types of violent crime reported at VA medical facilities in fiscal years 2024 and 2025 and made up about 1.2 percent—888 of 74,706—of crimes reported by the VA police during these fiscal years, according to our analysis of VA police data.[18] Other violent crimes were also reported at VA medical facilities during this period. For example, the VA police reported 233 aggravated assaults in fiscal years 2024 and 2025.[19] The VA police also reported three murders during these two fiscal years.[20]

Victims and perpetrators. VA officials told us that they do not keep records on whether victims or perpetrators of crimes are patients, visitors, or VA employees. VA officials, however, stated that patients, families of patients, and other visitors commit most of the reported crimes at VA medical facilities.[21]

Some studies of violent crimes committed at non-VA medical facilities have found that patients most commonly perpetrate violent crime and that violent crime victims are most commonly health care workers. For example, a study of workplace violence at 18 emergency departments found that physical assaults were most often perpetrated by patients, based on surveys of emergency department staff administered in 2020.[22] A study of assaults at psychiatric facilities at 327 hospitals between 2011 and 2013 found that the majority of victims were hospital personnel.[23]

Factors affecting crime trends. The layout and location of VA facilities affect crime trends, according to VA officials. Older VA hospitals typically consist of multiple large buildings spread out on a large campus, making it more difficult for VA to secure these facilities. Newer VA hospitals consist of a central main building, which is easier to secure and upgrade with new security technologies, according to VA officials.

Effects of crime on perceived patient safety. While crime is a safety concern for VA patients, most patients reported feeling safe during visits to outpatient VA medical facilities, according to VA survey results. VA surveyed patients between fiscal year 2022 and April 2025; 94 to 97 percent of respondents reported feeling safe during their visits, as shown in table 1.[24] Similarly, VA patients we spoke with at two VA medical facilities told us they generally felt safe during their visits to VA medical facilities. However, these patients shared safety concerns about specific locations at VA facilities such as parking lots, citing thefts and car accidents. According to VA officials, theft is common in VA and non-VA hospital parking lots because they are large and difficult to secure and because cars are an attractive target for criminals.

Table 1: Percentage of Department of Veterans Affairs Patients Who Expressed Satisfaction with Their Safety While Receiving Outpatient Medical Care, Fiscal Years 2023-2024 and 2025 (as of April 2025)

Fiscal Year | Male Patients | Female Patients
2022 | 95% | 94%
2023 | 96% | 95%
2024 | 97% | 95%
2025 (As of April 2025) | 97% | 95%

Source: Department of Veterans Affairs. | GAO‑26‑107952

Notes: The percentages above are the number of patients who responded “4 (Agree)” or “5 (strongly agree)” on a five-point scale in response to the statement: “During my health care visit on [Date], I felt safe while I was at [Facility Name].” These survey results were weighted to address non-response because around 85 percent of patients that received the survey did not complete it.

Locations where reported crimes occurred. Reported crimes at VA facilities most commonly occurred in emergency departments, inpatient treatment areas, and common areas such as lobbies, hallways, medical facility grounds, and parking lots, according to VA police records for fiscal years 2024 and 2025, as shown in table 2.

Table 2: Locations Within VA Medical Facilities Where Reported Crimes Occurred In Fiscal Years 2024 and 2025

Location | Number of crimes reported | Percent of crimes reported
Emergency department | 7,683 | 10%
Inpatient medical unit | 6,793 | 9%
Police department | 5,915 | 8%
No location listed | 4,929 | 7%
Grounds | 4,646 | 6%
Main lobby/common area/hallway | 4,173 | 6%
Inpatient psychiatric unit | 3,987 | 5%
Parking lot | 3,966 | 5%
Community living center | 3,428 | 5%
Domiciliary | 2,230 | 3%
Other | 26,956 | 36%

Source: GAO analysis of Department of Veterans Affairs data. | GAO‑26‑107952

Notes: The VA police reported 74,706 crimes during fiscal years 2024 and 2025. The Other category includes crimes where the VA police recorded the location of the crime as “other”—8,800 crimes—as well as other locations where less than three percent of crimes were reported—18,156 of 74,706 crimes.

According to VA officials, patients receiving care in the emergency departments might be experiencing mental or emotional difficulties that cause them to commit crimes. Officials from the American Hospital Association, which represents and provides guidance to private hospitals, and the Joint Commission, which develops leading practices and standards for patient safety in health, told us that crime at non-VA hospitals most commonly occurs at emergency departments. Figure 4 shows examples of areas at a VA medical facility that are monitored by VA security personnel, including hospital grounds, a lobby, and a parking lot.

Figure 4: Examples of Locations Monitored by VA Security Personnel

Average Crime Rates Per Facility Were Higher in Areas with More Urban than Rural VA Facilities in Fiscal Years 2024 and 2025

The average crime rate per facility was higher for majority urban VA stations than for majority rural VA stations in fiscal years 2024 and 2025, according to our analysis of VA police records.[25] A VA station is a geographic grouping made up of multiple medical facilities—for example a hospital or medical center and neighboring clinics. Since the VA stations are geographic groupings, the rural and urban designation for the station may be different than its assigned facilities. For example, a crime registered as occurring at a majority urban station could have occurred at a facility in a rural area within its geographic grouping. This finding regarding crime rates for urban and rural areas is consistent with a Department of Justice study of national crime statistics.[26] According to this study, the violent crime rate in urban areas was about twice as high as the rate in rural areas and the property crime rate was about 4 times higher in urban areas.

As shown in figure 5, our analysis found that the average crime rate for crimes of all types was about twice as high at VA stations we classified as majority urban as at those we classified as majority rural in fiscal years 2024 and 2025. Additionally, as shown in figure 6, the VA police generally reported the same types of crimes at majority urban and majority rural stations. Both violent crimes, such as sexual assault and rape, and nonviolent crimes, such as theft, were, on average, more frequently reported at majority urban VA stations. VA officials told us that crime rates at VA facilities reflect crime trends in the surrounding area and that higher crime rates in some areas are caused by socioeconomic differences, such as poverty and the concentration of at-risk populations. The prevailing crime rate in the area surrounding VA facilities is a factor in how management decides where to station police officers and security guards, according to VA officials.

The results of our analysis match what VA patients and staff told us during our visits to rural VA facilities. VA staff at two rural clinics we visited told us they rarely or never observed criminal activity while at work. Additionally, patients at one rural clinic told us that they had not seen or experienced crime while receiving treatment at the clinic.

Figure 5: Crime Rates at Majority Rural and Majority Urban Department of Veterans Affairs (VA) Stations, Fiscal Years 2024 and 2025 Combined

Note: A station is a geographic grouping that includes multiple medical facilities. We divided stations into two groups. Those with more than half of the facilities in the station in urban areas were defined as stations with majority urban medical facilities, and those with more than half of the facilities in the station in rural areas were defined as stations with majority rural medical facilities. We used the U.S. Department of Agriculture’s Rural-Urban Commuting Area code framework to determine if a facility was in an urban or rural area. We calculated the average crime rate by calculating the average rate of reported crime incidents per facility across stations, grouped by rurality category. For each group, we computed the rate of criminal incidents as the number of reported incidents divided by the number of facilities in each station then averaged these rates within each rural classification group.

Figure 6: Crimes Reported by the Department of Veterans Affairs (VA) Police at Majority Urban and Majority Rural Stations, Fiscal Years 2024 and 2025 Combined

Notes: A station is a geographic grouping that includes multiple medical facilities. We divided stations into two groups. Those with more than half of the facilities in the station in urban areas were defined as stations with majority urban medical facilities, and those with more than half of the facilities in the station in rural areas were defined as stations with majority rural medical facilities. We used the U.S. Department of Agriculture’s Rural-Urban Commuting Area code framework to determine if a facility was in an urban or rural area. The VA police reported 64,205 crimes in fiscal years 2024 and 2025 at stations with majority urban medical facilities and 8,617 crimes at stations with majority rural facilities. Our report uses the criminal offense categories and definitions used by the Federal Bureau of Investigation to collect crime statistics through its National Incident-Based Reporting System. Percentages may not total 100 due to rounding.

VA Has Not Fully Implemented Federal Security Standard and GAO’s Covert Testing Found Vulnerabilities at VA Medical Facilities

VA Has Not Fully Implemented the Federal Facility Risk Management Standard

The Interagency Security Committee (ISC) risk management standard defines a five-step risk management process that is designed to help ensure the scope of security requirements is commensurate with the risk posed to the facility, as shown in figure 7.[27] All federally owned or leased buildings, such as VA facilities, regularly occupied by executive branch federal employees or federal contract workers for nonmilitary activities are subject to the standard. The first version of the comprehensive risk management standard was issued in August 2013, and it has since been updated three times, most recently in July 2024.[28]

Figure 7: Interagency Security Committee (ISC) Risk Management Process

In 2013 and 2014 we reported that VA’s risk assessment methodology did not align with ISC standards and made recommendations to the ISC to take steps to help ensure compliance with these standards.[29] Subsequently, in 2018, we found additional limitations with VA’s risk assessment methodology and recommended VA review and revise its risk management policies to reflect ISC standards, and develop an oversight strategy to assess the effectiveness of risk management programs at its facilities, which VA has not addressed as of April 2026.[30] See figure 8 for a timeline of ISC, VA, and GAO actions.

Figure 8: Timeline of Presidential, ISC, VA, and GAO Actions Related to Federal Facility Security Standards

While VA has not fully implemented our recommendations, VA has taken actions to implement some steps of the ISC’s risk management process for federal facilities. Specifically, VA has determined facility security levels, conducted security risk assessments, and developed risk management strategies with recommended countermeasures to address vulnerabilities at its medical facilities using the Modified Infrastructure Survey Tool—an ISC-compliant tool. As shown in figure 9, VA identified 3,609 vulnerabilities and recommendations to mitigate associated risk at VA medical facilities in fiscal year 2023 through March 2025.[31] For example, about 4 percent of vulnerabilities and related recommendations concerned the security force at medical facilities (see text box below for information on VA police staffing).

Figure 9: Vulnerabilities at Veterans Affairs (VA) Medical Facilities, Fiscal Year 2023 through March 2025, and Examples of Recommended Countermeasures

Note: This figure does not include vulnerabilities at other types of facilities owned or leased by VA, such as warehouses, administrative buildings, cemeteries, or benefits administration offices.

Department of Veterans Affairs (VA) Police Staffing

VA police staffing was also identified as a vulnerability in VA risk assessment data and during our site visits. About 4 percent of the vulnerabilities were related to the security profile of the facility, such as the use of security patrols and fixed security posts. In addition, the VA Office of the Inspector General reported that police positions were the most common nonclinical staffing shortage among VA medical facilities in fiscal year 2025. VA staffing data show the agency had a 19.5 percent vacancy rate for police officers across all VA facilities as of May 31, 2025. 

The managers we met with at three VA medical centers explained they have to balance their facilities’ security staffing needs with health care needs. VA officials from the three selected medical centers we visited also reported police staffing challenges related to competition from other law enforcement agencies that offer higher pay and limitations placed on police recruiting due to a VA review to ensure compliance with Office of Personnel Management standards for occupational series and grade levels.

To address VA police shortages and facilitate hiring, VA leverages federal regulations that allow agencies to offer recruitment, relocation, and retention incentives. As of June 2025, VA officials reported that they spent nearly 17 million dollars in fiscal year 2025 on recruitment, relocation, and retention incentives for 2,940 police officers across 92 medical centers.

Source: GAO analysis of VA information. | GAO‑26‑107952

Note: VA estimates a 5-percent error rate for its data on new positions at a given point in time, as the data are manually entered and continuously reviewed and corrected. Recruitment, relocation, and retention incentives are authorized under 5 U.S.C. §§ 5753 and 5754. See also 5 C.F.R. pt. 575, subpts. A-C. For additional information on federal police pay, recruitment, and retention, see GAO, Federal Police Officers: Considerations on Retirement and Pay, GAO‑25‑107099 (Washington D.C.: Apr. 2, 2025) and Law Enforcement Officers: Observations on Recruitment and Retention at the Federal, Tribal, State, and Local Levels, GAO‑26‑108495 (Washington D.C.: Feb. 3, 2026).

However, VA has not fully implemented the required ISC steps of implementing the risk management strategies or measuring performance. The ISC’s risk management standard recognizes that it is not always possible for agencies to implement all security recommendations because of budget limitations and competing priorities. The standard requires that the responsible agency document its decisions on which aspects of the risk management strategy it plans to implement and which aspects it will not implement, along with the reasons for accepting greater security risks.

As shown in figure 10, VA risk assessment data indicate that VA did not document whether it would act on over 80 percent of recommendations in its risk assessments in fiscal years 2023 through March 2025. In addition, VA has not measured performance by tracking the percentage of countermeasures implemented or testing the functionality of security measures, for example.[32]

Figure 10: Status of Recommendations to Address Security Vulnerabilities at Department of Veterans Affairs (VA) Medical Facilities, Fiscal Year 2023 through March 2025

Note: According to VA officials, “acknowledged” means the medical facility is not in a position to act on the recommendation at the current time due to factors such as resource constraints, but may in the future. “Exception” means that implementing the recommendation is too expensive because of the age of the building so the recommendation will not be implemented. “Approved” indicates the medical facility plans to implement the recommendation; it does not mean the recommendation has been implemented. “Rejected” means the medical facility does not plan to implement the recommendation. “No response” indicates the medical facility did not document whether it would act on the recommendation.

VA officials said the lack of an agencywide policy instructing officials in the field on how to implement the ISC’s risk management process was one factor impeding implementation. VA has set a goal of issuing a policy that incorporates ISC standards in the first quarter of fiscal year 2027, in response to our 2018 recommendation.[33] However, while these efforts have been underway since we issued the recommendation, the agency does not have a timeframe for fully implementing its forthcoming policy or ISC’s risk management standard. VA officials said this was due to resource constraints and competing priorities. For example, VA officials cited the large number of VA facilities as well as a limited number of physical security specialists trained on the ISC standard and the Modified Infrastructure Survey Tool. While VA has identified staffing goals for physical security specialists, it has not assessed other resources, such as training, needed to fully implement this ISC standard. For example, VA medical center management officials play an important role in deciding what countermeasures to implement and the ISC recommends that these officials also receive training on the ISC standard and use a facility security committee model to make and document decisions.

According to selected characteristics from GAO’s Key Questions to Assess Agency Reform Efforts, government reform efforts should have an implementation plan with milestones to track implementation progress, and the agency should determine needed resources, such as staffing and training.[34] By taking these steps, VA would be better positioned to fully implement its forthcoming policy and the ISC risk management standard.

VA Failed to Detect Most of GAO’s Covert Tests Related to Selected Security Vulnerabilities at 30 Selected Facilities

We conducted covert testing to assess security at 30 selected medical facilities and found security vulnerabilities.[35] These security vulnerabilities included those related to reported types of crimes at VA facilities and vulnerabilities identified in VA’s risk assessments of its medical facilities. Specifically, we conducted tests related to weapons, alcohol, and accessing nonpublic spaces, as described further below.

Prohibited weapon tests. VA staff did not detect the prohibited weapon in any of the 30 selected VA facilities tested. During the covert tests, our investigators brought in a multi-tool with a knife blade, as shown in figure 11. The blade exceeded 2.5 inches, so it was longer than the maximum length allowed in federal facilities by law,[36] and was carried into facilities in a backpack.

Figure 11: Multi-tool with a Blade Length Over the Federal Limit

Our investigators saw metal detectors at two of the 30 facilities, but in one case the metal detector was not in use. In the other case, the test triggered the metal detector to alert, but the investigator was not questioned or searched. The other 28 facilities did not have metal detectors. Management from the three medical centers we met with had differing views on using metal detectors. Management at two centers raised concerns, one regarding metal detectors impeding the flow of foot traffic into the facility and the additional resources needed to monitor the detectors.

Management from another center said that detectors could detract from the warm and welcoming environment they are trying to create. In contrast, the third center had recently started using the weapon detection system pictured in figure 12 below in response to staff safety concerns and a suicide involving a gun at the hospital. Metal detectors are not required by VA policy or the ISC standard, but they are one of the mitigation methods facilities can adopt to help prevent individuals from bringing weapons into facilities.

Figure 12: Weapon Detection System at a Department of Veterans Affairs Medical Center

Other health care organizations also advise providers to assess safety risks at their facilities to determine appropriate security measures. Representatives from the American Hospital Association and the Joint Commission corroborated the importance of a safe environment. Officials from both organizations said maintaining a safe environment of care was important and noted that hospitals are required to address workplace violence to receive accreditation from the Joint Commission. For example, the American Hospital Association states on its website that providing compassionate, high-quality care is difficult when hospital workers are afraid for their safety.

However, there are no specific requirements for using weapon detection systems or other specific security measures, according to these officials. Nonetheless, representatives from both organizations noted that it is not uncommon for hospitals to use weapon detection systems. For example, the CEO of the Cleveland Clinic, a health care system with nearly 300 locations, stated in a public address that the organization had installed magnetometers in every Emergency Department and confiscated 30,000 weapons in 2023.

Alcoholic beverage tests. In 25 of the 26 tests we conducted at selected VA medical facilities, VA staff did not detect and confront our undercover investigator appearing to drink an alcoholic beverage in plain view.[37] VA generally prohibits the introduction or possession of alcoholic beverages at VA medical facilities.[38] During our covert tests, our investigators drank from a bottle appearing to contain alcohol in a waiting room for a period of 5 minutes, as pictured in figure 13 below.[39] In over a quarter of these tests (eight of 26), security personnel (VA police or security guards) were nearby but failed to notice or act. Similarly, in five of the 26 tests, other nearby VA personnel failed to notice or act.

In nine of the 26 tests, our investigators did not observe any security personnel. Officials from VA’s Law Enforcement Training Center said that when VA police encounter veterans exhibiting concerning behavior, one goal is to connect the veterans to medical staff for treatment. Alcohol use is associated with a higher risk of violence and other harmful health effects, according to the Centers for Disease Control and Prevention.[40]

Figure 13: GAO Investigator Appearing to Drink Alcohol in a Department of Veterans Affairs Waiting Room in the Vicinity of Security Personnel

Nonpublic spaces tests. We also tested for security vulnerabilities by trying to gain access to nonpublic spaces at 16 of the 30 selected VA medical facilities. In half of the locations (8 of 16), investigators were able to gain access to nonpublic spaces such as staff offices, storage areas, patient treatment rooms, and a lab for drawing blood. At five locations, our attempts to gain access were unsuccessful because the nonpublic spaces were secured with locked doors. At two locations, VA staff stopped our investigators to question them after they entered the nonpublic space.[41]

These tests were conducted on an ad hoc basis, as the investigators saw opportunities while at the medical facilities. VA policy requires that areas such as patient treatment rooms, labs, storage areas, staff offices, and information technology and telecommunication closets have access controls based on risk, with the lowest risk areas requiring visual authentication by VA police or other personnel of a facility identification card.[42]

When possible, our investigators also interviewed the local law enforcement agencies responsible for the area where the 30 selected VA facilities were located to discuss coordination efforts. We met with local law enforcement agencies covering eight of the 30 VA facilities and found that many (6 of 8) of the agencies did not know if they shared criminal intelligence with VA. In addition, none of the eight agencies had conducted joint training with VA. VA policy states that VA police should establish liaisons with local law enforcement and that participating in criminal intelligence information-sharing organizations can help VA identify threats and appropriate countermeasures, which are key steps in the ISC’s risk management process.

While the results of our local law enforcement interviews do not necessarily indicate that VA did not meet VA or ISC requirements, they may indicate that relationships with local law enforcement could be strengthened to improve facility security planning and response. For example, officials from six of the local law enforcement agencies said there were opportunities to coordinate more with VA on issues such as threat assessments, crisis intervention training, active shooter training, and establishing agency points of contact.

The ISC’s risk management standard is designed to help agencies identify and address the types of security vulnerabilities impacting their facilities. Our covert testing found that there are security vulnerabilities at selected VA facilities and in some cases the security measures in place were not effective. Without information on the status and performance of VA facilities’ security risk management strategies—as required by the ISC’s risk management standard—VA does not have the information needed to make informed decisions, allocate resources effectively, and prioritize security efforts.

Given the amount of time—approximately 8 years—it has been since our prior recommendation to address ISC standards, establishing a plan with milestones and assessing the resources required for implementing the ISC’s risk management standard could help the agency build momentum and track progress. In turn, fully implementing this standard can help VA ensure its medical facilities have appropriate levels of security to create a safe environment for veterans and VA staff.

VA Addresses Security During Its Infrastructure Planning Process, But Not All VISNs Have Met VA’s Security Goal

VA Has Processes for Addressing Security Vulnerabilities During Infrastructure Planning

VA addresses security vulnerabilities as part of its overall capital investment planning process, consistent with federal standards for internal control and the ISC’s risk management standard.[43] VA’s portfolio includes many medical facilities that were originally constructed to meet the needs of World War II veterans and require renovation or replacement to address modern health care and security concerns. VA’s Strategic Capital Investment Planning (SCIP) process is the agency’s main mechanism for planning and prioritizing capital projects.[44] According to VA guidance, SCIP is a structured, data-driven process that VA conducts annually to identify and prioritize capital projects submitted by VA VISN—regional VA networks—and medical center officials.

The SCIP process informs the annual budget request for VA by identifying the total capital needed to address VA’s service and infrastructure deficits and prioritizing which deficits to address based on available budgetary resources. VA refers to service and infrastructure deficits as gaps. Security gaps are one type of VA SCIP gap, according to VA guidance, along with, for example, gaps relating to clinical space requirements, energy use, and emergency preparedness. Security gaps are identified and measured by VA officials at the VISN and medical center level.

VA guidance directs VISN and medical center staff to identify these security gaps using three types of assessments: (1) facility condition assessments; (2) physical security surveys; and (3) infrastructure risk assessments, as shown in figure 15 and described further below. These assessments align with federal standards for internal control and the ISC’s risk management standard.[45] Federal standards for internal control state that management should identify, analyze, and respond to risks on a periodic basis to achieve defined objectives. The ISC risk management standard states that agencies should conduct risk assessments as part of a comprehensive approach to providing security to federal facilities.

· Facility condition assessments. VA uses facility condition assessments to identify and analyze risks associated with the agency’s most critical repair and maintenance needs. Facility condition assessments are conducted by contractors and VA staff at all VA facilities every three years. VA guidance directs facility management to analyze the results of these assessments and identify their facilities’ most serious infrastructure risks. These risks include events that could interrupt VA operations and prevent the agency from providing medical care.

· Physical security surveys. The VA police conduct annual physical security surveys to identify crime threat risk and provide this information to VA management. VA management uses this information to determine how to mitigate crime risks. VA guidance directs facility management to develop mitigation plans to address the vulnerabilities identified by physical security surveys. The surveys and their corresponding mitigation plans are periodically reviewed by VA headquarters’ Office of Security and Law Enforcement.

· Infrastructure risk assessments. VA guidance directs project planners to conduct a risk assessment during the planning phase for construction or renovation projects, and this guidance aligns with the ISC’s risk management standard. This standard calls for a project-specific risk assessment to be conducted during the requirements phase for new construction and renovation projects so that security features may be included in the design specifications.[46]

VA staff conduct infrastructure risk assessments by identifying potential threats and determining the possible impact of these threats on security and resiliency, according to VA guidance. VA staff determine how to address threats using VA’s baseline security and resiliency requirements and adjusting them to account for project constraints.

VA closes the security gaps identified by these assessments using three methods, as shown in figure 14. First, VA builds new infrastructure, for instance by building an emergency call box station in a VA facility parking lot. Second, VA renovates existing security infrastructure, for example by replacing an existing perimeter fence to restrict unauthorized access to its facilities. Finally, VA incorporates security improvements into other capital projects primarily intended to close other types of gaps. For example, VA could upgrade windows to resist explosions as part of a project to expand an emergency department at a VA medical center. VA requires all of its construction and renovation projects to use the department’s physical security and resiliency standards.[47] These standards direct planners to incorporate security infrastructure, including security cameras, perimeter fences, and badge readers, into construction and renovation projects.

Figure 14: Methods Used by the Department of Veterans Affairs (VA) to Identify and Close Security Gaps

VA Met its Security Gap Planning Goal, but Two VISNs’ Performance Lagged

VA reported that it has consistently met its overall capital planning goal to establish plans to address security risks associated with SCIP infrastructure projects, but two VISNs’ performance fell below the goal. In October 2022, VA established capital planning metrics to assess the performance of its capital asset management program in response to our 2021 recommendation.[48] One capital planning metric calls for VA to meet 100 percent of its SCIP gap closure goals, including a goal to close 95 percent of security gaps identified during the SCIP process.[49] This planning goal is specific to SCIP infrastructure projects and does not measure the extent to which all VA security gaps and vulnerabilities, such as those identified through ISC risk assessments, have been addressed.[50] VA improved how it measured this goal during the course of our review; however, two VISNs did not meet the 95 percent planning goal in fiscal years 2023, 2024 and 2025, as shown in figure 15.[51]

Figure 15: Department of Veterans Affairs (VA) Security Gap Performance by Veterans Integrated Service Network (VISN)

Note: “N/A” means that the VISN did not identify any security gaps in the capital investment projects it submitted to VA headquarters for approval and funding, so the security gap performance measure does not apply. Figure 15 does not include security gap planning goal performance for the Veterans Benefit Administration, the National Cemetery Administration, or VA’s Office of Information and Technology, which do not operate medical facilities. The scope of our report is security at VA medical facilities.

VA headquarters did not inform VISNs 10 and 15 that they were not meeting the 95 percent security gap planning goal because it has not established an effective communication mechanism to do so. In the absence of this information, the VISNs did not take action to improve their performance. VA headquarters officials told us that they provide VISN officials with initial training on SCIP project submission and additional support when needed, and that SCIP projects are reviewed by VA subject matter experts. However, VA headquarters officials told us that the 95 percent security gap planning goal is not centrally managed and that local planning officials are responsible for identifying security gaps and determining how to close them. VA headquarters officials did not communicate with VISN 10 or 15 officials to tell them that they were not meeting the agency’s security gap closure goal or take steps to determine why these two VISNs were not meeting VA’s security gap planning goal. VA guidance states that VA headquarters is responsible for calculating the agency’s performance in meeting the 95 percent security gap planning goal. Accordingly, VA headquarters is best positioned to identify performance shortfalls and to communicate that information to the appropriate local planning officials so they know to take action to address the shortfalls.

VISN 10 and 15 officials confirmed that VA headquarters did not inform them they were not meeting the 95 percent security gap planning goal. These officials said that prior to our review, they were not aware that they were not meeting the goal and cited challenges such as staff turnover and resource constraints as possible reasons. Additionally, VISN 15 officials told us that an administrative error likely contributed to the fact that the VISN did not meet the planning goal, and that VISN officials will receive additional training so that this error does not reoccur. VISN 15 officials may have been able to correct this error earlier if VA headquarters had told them that they were not meeting the 95 percent security gap planning goal.

In addition, VISN 10 and 15 officials told us that, as also stated in VA guidance, addressing security gaps is a department-wide measure and not specific to a particular VISN. However, as shown by figure 15 above, VISN 10 and 15’s performance fell below the goal all three years and lowered VA’s overall performance.

The purpose of the SCIP gap closure goals, including VA’s security gap planning goal, is to improve the quality of the capital plan included in the annual budget request submitted to Congress. In addition, meeting these goals helps ensure the accuracy of VA’s total long-range plan cost estimates, according to VA guidance. By establishing a mechanism to communicate with VISNs on their progress in meeting the security gap closure performance goal, VA would be better positioned to ensure all regions consistently meet their security gap goal and overall planning goal and provide decisionmakers with credible, accurate information on infrastructure budget requirements.

Conclusions

VA manages the largest integrated health care system in the U.S. and is responsible for the safety of the 9 million veterans it serves, and its staff. While VA staff, veteran patients, and medical facilities have been the target of violence, threats, and other security-related incidents in recent years, VA has not fully addressed longstanding and known risks. For example, while VA agreed with our 2018 recommendation to revise its risk management policies to incorporate the ISC’s risk management standard, VA has not finished doing so. Moreover, the results of our 2025 covert testing at 30 selected VA facilities demonstrate ongoing risks to patients and employees, including medical providers.

Developing a plan with milestones and assessing resources needed, such as staffing and training, to fully implement its forthcoming policy and the ISC’s risk management standard would better position VA to address these risks. By fully implementing this standard, VA will be better able to make informed decisions, effectively allocate resources, and prioritize security efforts at its medical facilities. In addition, fully implementing this standard could help VA ensure it has appropriate security at its medical facilities to create a safe environment for veterans and VA staff.

VA manages a large portfolio of property, including over 1,300 medical facilities—much of which was constructed to meet the needs of World War II veterans. To address modern security concerns, VA policy requires planners to identify and plan to close security gaps as part of renovations, new construction, or maintenance projects. VA uses its capital planning process to identify and address service and infrastructure deficits. According to VA guidance, consistently meeting the agency’s 95 percent security gap closure planning goal helps ensure that its capital planning process accounts for security needs at VA medical facilities and provides Congress with credible long-range cost estimates.

VA headquarters has taken important steps to assess the performance of its capital planning program by developing its security gap closure goal and improving how it is measured. Going forward, establishing a mechanism to communicate with the VISNs on their progress in meeting this goal could help VA headquarters ensure that all VISNs meet its capital planning performance goal. It would also better position the agency to provide decisionmakers with an accurate assessment of its security-related capital needs.

Recommendations for Executive Action

We are making the following three recommendations to VA:

The Secretary of Veterans Affairs should develop a plan with milestones for fully implementing the ISC’s risk management standard. (Recommendation 1)

The Secretary of Veterans Affairs should assess the resources needed to fully implement the ISC’s risk management standard. (Recommendation 2)

The Secretary of Veterans Affairs should develop a mechanism for VA headquarters to communicate with VISN officials on their progress in meeting VA’s 95-percent security gap closure planning goal. (Recommendation 3)

Agency Comments

We provided a copy of this report to VA for review and comment. VA did not provide comments on the report.

As agreed with your office, unless you publicly announce the contents of this report earlier, we plan no further distribution until 14 days from the report date. At that time, we will send copies to the appropriate congressional committees and the Secretary of Veterans Affairs. In addition, the report will be available at no charge on the GAO website at https://www.gao.gov.

If you or your staff have any questions about this report, please contact me at mcneilt@gao.gov. Contact points for our Offices of Congressional Relations and Media Relations may be found on the last page of this report. GAO staff who made major contributions to this report are listed in appendix IV.

Sincerely yours,

Triana McNeil
Director, Homeland Security and Justice

Appendix I: Objectives, Scope, and Methodology

This report examines (1) the nature of criminal activity reported at Department of Veterans Affairs (VA) medical facilities; (2) the extent to which VA implemented federal facility security requirements and detected potential security vulnerabilities at VA medical facilities; and (3) the extent to which VA established processes for obtaining security and threat information and incorporating it into infrastructure management planning.

To address all objectives, we reviewed VA policies and conducted site visits to VA’s Law Enforcement Training Center and four VA medical facilities, selected to include a range of facility sizes in urban and rural settings. These facilities included VA medical centers in Los Angeles, California and Little Rock, Arkansas, and clinics in Searcy, Arkansas and Blythe, California. During our site visits we met with medical facility leadership, VA police, VA employees, and veterans.[52] We also interviewed officials from VA’s Veterans Health Administration and Office of Operations, Security, and Preparedness.

To address the first objective on the nature of criminal activity reported at VA medical facilities, we analyzed VA crime data from fiscal years 2024 and 2025. To assess the reliability of the data, we reviewed documentation on VA’s police record keeping systems; interviewed knowledgeable VA officials; and reviewed the data for missing values, outliers, and obvious errors. We determined that the fiscal year 2024 and 2025 data were reliable for the purposes of providing information on reported crime at VA facilities. However, we found that the data from prior years were not comparable or reliable. We also conducted a literature search to identify studies that provide insights on crime in health care settings.

To address the second objective on the extent to which VA implemented federal facility security requirements, we analyzed data from VA facility risk assessments conducted using the Modified Infrastructure Survey Tool from fiscal year 2023, when VA started using this tool, through March 2025. To assess the reliability of the risk assessment data, we reviewed documentation, including the risk assessment questions in the Modified Infrastructure Survey Tool; analyzed the risk assessment data for missing data, outliers, and obvious errors; and interviewed knowledgeable officials. We determined that the data were sufficiently reliable for the purposes of reporting the vulnerabilities and recommended countermeasures VA identified through the risk assessments. We evaluated VA’s risk assessment efforts using the Interagency Security Committee’s risk management standard and selected key questions to assess agency reform efforts.[53]

We also conducted covert tests during unannounced site visits to a nonprobability selection of 30 VA medical facilities, selected to have a range of characteristics. Specifically, we selected facilities in 6 of the 18 designated Veterans Integrated Service Networks to ensure geographic variation. We selected facilities in both rural and urban areas and both medical centers and clinics with a range of facility security risk levels, as identified by VA in its risk assessments.

At each facility, we attempted to test VA’s response to two prohibited items: a weapon and an alcoholic beverage.[54] For the prohibited weapon covert test, an undercover investigator entered the VA medical facility carrying a multi-tool with a knife blade that exceeded 2.5 inches inside of a backpack. This blade length was longer than the maximum length allowed in federal facilities by law. For the alcoholic beverage covert test, an undercover investigator entered the VA medical facility and displayed and drank from a bottle appearing to contain vodka for at least 5 minutes. The undercover investigators also conducted tests at 16 of the 30 facilities to gain access to unauthorized areas. These tests were conducted on an ad hoc basis, based on investigators’ observations on whether there were additional entry and exit points to test at the facility or other opportunities within the facility to gain access.

When possible, the investigators interviewed the local law enforcement agency responsible for the areas where the 30 selected VA medical facilities were located. Specifically, the investigators interviewed eight law enforcement agencies about their coordination efforts with VA. These tests and interviews are not generalizable to all VA facilities but provide insights into security vulnerabilities.

To address the third objective on VA’s processes for addressing security in infrastructure management, we assessed the extent to which VA’s Strategic Capital Investment Planning process incorporates security and threat information—consistent with internal control risk assessment criteria.[55] We also assessed VA’s efforts to implement a performance measure to track closing security gaps in accordance with VA guidance.[56]

We conducted this performance audit from December 2024 to April 2026 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We conducted our related investigative work in accordance with standards prescribed by the Council of the Inspectors General on Integrity and Efficiency. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Appendix II: VA’s Law Enforcement Training Center and Police Inspections

Training Center

The Department of Veterans Affairs (VA) Law Enforcement Training Center in North Little Rock, Arkansas, is responsible for training VA police. The training center is accredited by the Federal Law Enforcement Training Accreditation Board. The accreditation standards require the training center to take certain steps to develop and review its curriculum, such as determining the needs of its customer base, conducting course evaluations, and reviewing the curriculum at least every 5 years. Federal Law Enforcement Training Accreditation assessors are responsible for conducting a comprehensive review of the training organization’s files, interviews, and observations as part of the accreditation process.[57] The training center has established a process to develop training to meet the accreditation standards and address VA police needs, as described in figure 16.

Figure 16: Department of Veterans Affairs Training Development Process

VA identifies training needs of VA police and designs training to address these needs through this process, according to VA policy. For example, training center officials identified de-escalation as an important skill for VA police officers. VA’s Police Officer Standardized Training course—the initial training all VA police officers are required to take—includes sections on de-escalation and veteran-centered policing.[58] The training center makes clear the distinct status of the VA police, stating that “the VA police officer is not a municipal police officer” and he or she should exhibit a demeanor of “understanding and compassion, not overzealous and threatening.” VA police officers are to prioritize obtaining voluntary compliance over issuing court citations, according to training materials.

The training center’s curriculum is to reflect course evaluations as well as perspectives from VA police chiefs and other subject matter experts, according to center policy. For example, training center officials stated that in response to a curriculum review, the center shortened its Police Officer Standardized Training course from 10 to 7 weeks at the beginning of fiscal year 2025 by reducing in-person training in favor of expanding the online training it provides to newly hired officers. This change addressed concerns about the cost of in-person training to VA medical centers and helps ensure that trainees complete training in a timely fashion, according to VA center officials.

Police Inspections

VA conducts police inspections to assess each VA police station’s compliance with key policies on a 3-year cycle. These inspections include sections to assess compliance with training, equipment, and operational requirements. For example, the training section of the police inspection includes a review of all VA police staff training records to ensure staff have taken required training. The equipment section of the police inspection includes a review to assess if on-duty police service staff have all required equipment, including a handgun, body-worn camera, and protective vest. The equipment section also includes a review of requirements related to firearm storage and inventories. The operational section includes a review of police incident reports to ensure all required fields have been completed.

Stations are required to respond to all deficiencies identified in the inspection with information on the actions that have been taken or will be taken to address the deficiencies. In addition, each station is given an overall score and rating based on the number of deficiencies, as described in table 3.

Table 3: Department of Veterans Affairs Police Inspection Ratings

| Overall Score | Rating |
| --- | --- |
| 75 percent and above | Accredited |
| 65 to 74 percent | Provisionally Accredited |
| Less than 65 percent | Not Accredited |

Source: Department of Veterans Affairs.  |  GAO‑26‑107952

Stations that are provisionally accredited are to receive an unannounced spot check within the next fiscal year. Stations that are not accredited are to be re-inspected in 90 to 180 days. As of August 2025, VA officials reported 132 stations (95 percent) were accredited, four were provisionally accredited (3 percent) and three were not accredited (2 percent).

Appendix III: Crimes at Department of Veterans Affairs (VA) Medical Facilities Reported by the VA Police, Fiscal Years 2024 and 2025

The VA police reported 74,706 crimes in fiscal years 2024 and 2025, as shown in table 4. We categorized these crimes using the crime offense categories used by the Federal Bureau of Investigation for its National Incident-Based Reporting System. We excluded 166,782 VA police records that lacked an identifiable criminal offense category from our analysis. These records documented other VA police actions, such as welfare checks or instances when VA police officers assisted patients or staff. We determined that the VA police’s records were not reliable for years prior to fiscal year 2024. These statistics are for crimes reported by the VA police and therefore may not be inclusive of all crimes that occurred at VA medical facilities in fiscal years 2024 and 2025.

Table 4: Crimes at Department of Veterans Affairs (VA) Medical Facilities Reported by the VA Police, Fiscal Years 2024 and 2025

| Crime | Number of Crimes Reported by VA Police | Percent of Total Crimes Reported by VA Police |
| --- | --- | --- |
| Disorderly conduct | 22,819 | 30.5% |
| Assault | 12,545 | 16.8% |
| All other offenses[a] | 11,365 | 15.2% |
| Larceny/Theft | 6,798 | 9.1% |
| Drug/Narcotic offenses | 6,044 | 8.1% |
| Weapon law violations | 5,266 | 7.0% |
| Trespassing | 3,092 | 4.1% |
| Curfew, loitering, or vagrancy | 2,861 | 3.8% |
| Destruction, damage, or vandalism of property | 1,007 | 1.3% |
| Sex offenses | 889 | 1.2% |
| Fraud | 499 | 0.7% |
| Liquor law violations | 407 | 0.5% |
| Burglary or breaking and entering | 359 | 0.5% |
| Motor vehicle theft | 268 | 0.4% |
| Driving under the influence | 178 | 0.2% |
| Counterfeiting or forgery | 57 | 0.1% |
| Embezzlement | 45 | 0.1% |
| Stolen property offenses[b] | 44 | 0.1% |
| Robbery | 31 | <0.1% |
| Prostitution offenses | 28 | <0.1% |
| Pornography/obscene Material | 24 | <0.1% |
| Kidnapping or abduction | 16 | <0.1% |
| Drunkenness | 14 | <0.1% |
| Animal cruelty | 10 | <0.1% |
| Fugitive offenses[c] | 7 | <0.1% |
| Arson | 6 | <0.1% |
| Human trafficking | 6 | <0.1% |
| Nonviolent family offenses[d] | 5 | <0.1% |
| Homicide offenses[e] | 4 | <0.1% |
| Gambling offenses | 3 | <0.1% |
| Peeping Tom | 3 | <0.1% |
| Bribery | 2 | <0.1% |
| Extortion or blackmail | 2 | <0.1% |
| Bond default | 1 | <0.1% |
| Commerce violations | 1 | <0.1% |

Source: GAO analysis of VA data.  |  GAO‑26‑107952

Notes: We categorized these crimes using the crime offense categories used by the Federal Bureau of Investigation for its National Incident-Based Reporting System. We excluded VA crime records that lacked an identifiable criminal offense category from our analysis. All percents are rounded to the nearest tenth of a percent.

[a] The all other offenses category includes 101 miscellaneous crimes, such as littering, fish and game law violations, and parole violations.

[b] Stolen property crimes refer to the act of purchasing, receiving, possessing, selling, concealing, or transporting property with the knowledge that it has been unlawfully taken.

[c] Fugitive crimes refer to harboring or concealing a fugitive as well as fleeing to avoid prosecution.

[d] Nonviolent family crimes refer to nonviolent acts by a family member or legal guardian that threaten the well-being of another family member that are not classifiable as another type of crime, such as assault, incest, or statutory rape.

[e] The VA police reported three murders and one negligent manslaughter. The Federal Bureau of Investigation defines negligent manslaughter as the unlawful killing of another person through negligence—for example, killing another person as the result of reckless driving.

Appendix IV: GAO Contact and Staff Acknowledgments

GAO Contact

Triana McNeil, McNeilT@gao.gov

Staff Acknowledgments

In addition to the contact named above, Andrew Curry (Assistant Director), Heather May (Analyst in Charge), Howard Arp, Justine Augeri, Ryan Basen, Ben Crossley, Elizabeth Dretsch, Pete Haderlein, Mark MacPherson, Sam Portnoy, Angel Zollicoffer, and Christopher Zubowicz made key contributions to this report.

[1]U.S. Bureau of Labor Statistics, Workplace Violence 2021-2022 (Washington, D.C.: Last Modified Oct. 8, 2024).

[2]VA staffing data are as of May 31, 2025. VA estimates a 5 percent error rate for its data on newly hired positions at a given point in time, as the data are manually entered and continuously reviewed and corrected.

[3]GAO has ongoing work reviewing contract security guards at federal agencies that is expected to issue in Summer 2026.

[4]GAO, High Risk Series: Heightened Attention Could Save Billions More and Improve Government Efficiency and Effectiveness, GAO‑25‑107743 (Washington, D.C.: Feb. 25, 2025).

[5]We assessed the data and determined that the fiscal year 2024 and 2025 data were reliable for the purposes of providing information on reported crime at VA facilities. However, we found that the data from prior years were not comparable or reliable.

[6]We assessed the data and determined that they were sufficiently reliable for the purposes of reporting the vulnerabilities and recommended countermeasures VA identified through its risk assessments.

[7]Interagency Security Committee (ISC), The Risk Management Process: An Interagency Security Committee Standard, 2024 Edition (July 2024). The ISC is chaired by the Department of Homeland Security and consists of 66 member departments and agencies, including VA.

[8]See Exec. Order No. 14111, 88 Fed. Reg. 83,809 (Nov. 27, 2023).

[9]We were able to perform tests with alcoholic beverages at 26 of the 30 locations and tests with a weapon at all 30 locations.

[10]GAO, Standards for Internal Control in the Federal Government, GAO‑25‑107721 (Washington, D.C.: May 15, 2025).

[11]In October 2021, we reported that VA lacked performance goals and measures for its capital asset management program. We recommended that VA develop these goals and measures, and VA concurred. In October 2022, VA issued a report detailing the department’s goals and measures. One measure is to close 95 percent of identified security gaps. GAO, VA Real Property: Enhanced Communication and Performance Measurement Could Improve Capital Asset Management, GAO‑22‑103962 (Washington, D.C.: Oct. 29, 2021).

[12]Memorandum from VA Secretary to VA Under Secretary for Health; VA Assistant Secretary for Human Resources/Operations and Operations, Security, and Preparedness (Apr. 9, 2025).

[13]A station is a geographic grouping that includes multiple medical facilities. We divided stations into two groups. Those with more than half of the facilities in the station in urban areas were defined as stations with majority urban medical facilities, and those with more than half of the facilities in the station in rural areas were defined as stations with majority rural medical facilities. We used the U.S. Department of Agriculture’s Rural-Urban Commuting Area code framework to determine if a facility was in an urban or rural area.

[14]We used the same crime categories the Federal Bureau of Investigation uses for its National Incident-Based Reporting System. We excluded VA crime records that lacked an identifiable criminal offense category from our analysis. We did not include VA crime statistics for years prior to fiscal year 2024 because we determined that the available data were not sufficiently reliable to include in our report. We determined that four types of crime are violent based on Federal Bureau of Investigation reports on crime statistics: rape and sexual assault, aggravated assault, robbery, and murder and non-negligent manslaughter.

[15]According to the Federal Bureau of Investigation, disorderly conduct is any behavior that tends to disturb the public or decorum, scandalize the community, or shock the public sense of morality.

[16]The data do not include suicides, which are tracked by VA’s Office of Suicide Prevention. Suicide prevention is VA’s top stated clinical priority. For more information on VA’s suicide prevention programs, see GAO, VA Health Care: Organization of the Office of Mental Health and Suicide Prevention, GAO‑24‑106023 (Washington, D.C.: Feb. 29, 2024) and GAO, Veterans Crisis Line: Actions Needed to Better Ensure Effectiveness of Communications with Veterans, GAO‑25‑107182 (Washington, D.C.: June 2, 2025).

[17]GAO, High Risk Series: Heightened Attention Could Save Billions More and Improve Government Efficiency and Effectiveness, GAO‑25‑107743 (Washington, D.C.: Feb. 25, 2025).  

[18]The VA police reported one sex crime—failing to register as a sex offender—in fiscal year 2025 that the Federal Bureau of Investigation does not classify as a violent crime.

[19]The VA police reported 12,545 assaults of all types in fiscal years 2024 and 2025. The Federal Bureau of Investigation defines assault as any unlawful attack by one person upon another and collects statistics on three types of assault crimes: (1) simple assaults, which do not involve a weapon or result in severe bodily injury; (2) intimidation, which is the use of threatening words or behaviors that places another person in reasonable fear of harm; and (3) aggravated assaults, which are attacks involving the use of a dangerous weapon or that resulted in serious injuries. The Federal Bureau of Investigation does not classify simple assault or intimidation as violent crimes.

[20]The VA police also reported one instance of negligent manslaughter in fiscal year 2025, a crime that the Federal Bureau of Investigation defines as the unlawful killing of another person through negligence. This criminal offense includes, for example, killing another person as the result of reckless driving. The Department of Justice does not classify negligent manslaughter as a violent crime.

[21]The Department of Justice also does not maintain data on the identities of crime victims or perpetrators at VA medical facilities. Patients who commit certain crimes at VA medical facilities may be subject to restrictions and additional monitoring by the VA police, according to VA officials.

[22]Sarayana S. McGuire, Janet L. Finley, Bou F. Gazley, Aidan F. Mullan, Casey M. Clements, “The Team Is Not Okay: Violence in Emergency Departments Across Disciplines in a Health System,” Western Journal of Emergency Medicine, vol. 24, no. 2 (2023): 169, 10.5811/westjem.2022.9.57497.

[23]Vincent S. Staggs, “Injurious Assault Rates on Inpatient Psychiatric Units: Associations with Staffing by Registered Nurses and Other Nursing Personnel,” Psychiatric Services, vol. 66, no. 11 (2015). VA operates about 250 programs at around 120 residential rehabilitation sites to provide inpatient care to veterans with mental health conditions.

[24]These survey results were weighted to address non-response because around 85 percent of patients that received this survey did not complete it.

[25]We calculated the average crime rate per facility for urban and rural stations by dividing the number of reported crimes by the number of facilities. We classified VA facilities within each station as urban or rural using the U.S. Department of Agriculture’s Rural-Urban Commuting Area code framework. We selected this framework because VA uses it to identify and provide resources to veterans living in rural areas through its Office of Rural Health. We classified stations as urban if more than half of the station’s facilities were located in an urban area, and as rural if more than half of its facilities were in a rural area.

[26]U.S. Department of Justice, Criminal Victimization, 2024 (Washington D.C.: Sept. 2025).

[27]In response to the 1995 terrorist attack at the Alfred P. Murrah Federal Building in Oklahoma City, President Clinton signed an executive order creating the ISC. Exec. Order No. 12977, 60 Fed. Reg. 54,411 (Oct. 19, 1995). The ISC was tasked with enhancing the quality and effectiveness of security in facilities in the U.S. occupied by federal employees for nonmilitary activities, and to provide a permanent body to address continuing government-wide security for federal facilities. The committee is chaired by the Cybersecurity and Infrastructure Security Agency within the Department of Homeland Security and consists of 66 departments and agencies, including VA.

[28]Prior to the August 2013 risk management standard, the ISC issued separate standards and guidance documents on different aspects of facility security. ISC standards are applicable to all federally owned or leased buildings regularly occupied by executive branch federal employees or federal contract workers for nonmilitary activities, and in 2023, an executive order required executive agencies, including VA, to comply with the standards. See Exec. Order No. 14111, 88 Fed. Reg. 83,809 (Nov. 27, 2023).

[29]See GAO, Facility Security: Greater Outreach by DHS on Standards and Management Practices Could Benefit Federal Agencies, GAO‑13‑222 (Washington, D.C.: Jan. 24, 2013); and Federal Facility Security: Additional Actions Needed to Help Agencies Comply With Risk Assessment Methodology Standards, GAO‑14‑86 (Washington, D.C.: Mar. 5, 2014). We recommended that the Department of Homeland Security, as the chair for the ISC, direct the ISC to conduct additional outreach and assess agency compliance with its standards. These recommendations have been implemented.

[30]GAO, VA Facility Security: Policy Review and Improved Oversight Strategy Needed, GAO‑18‑201 (Washington, D.C.: Jan. 11, 2018).

[31]This figure does not include vulnerabilities at other types of facilities owned or leased by VA, such as warehouses, administrative buildings, cemeteries, or benefits administration offices.

[32]In 2023, we reported that agencies did not respond to over half of the recommendations made from fiscal years 2017 through 2021 in ISC risk assessments conducted by the Federal Protective Service, an agency within the Department of Homeland Security that protects over 9,000 federal facilities. We also found that 70 percent of approved recommendations were not implemented. We recommended that the ISC improve its oversight to assess implementation of Federal Protective Service recommendations and the documentation of risk acceptance. The ISC has implemented these recommendations. See GAO, Federal Facilities: Improved Oversight Needed for Security Recommendations, GAO‑23‑105649 (Washington, D.C.: May 8, 2023).

[34]See GAO, Government Reorganization: Key Questions to Assess Agency Reform Efforts, GAO‑18‑427 (Washington, D.C.: June 13, 2018).

[35]While these tests are not generalizable to all VA facilities, they provide insights into security vulnerabilities.

[36]18 U.S.C. § 930(a)-(b), (g)(2); see also Interagency Security Committee, Items Prohibited in Federal Facilities: An Interagency Security Committee Standard 8, 10 (2022). VA has a regulation that prohibits possession of knives on VA property that exceed a blade length of 3 inches. 38 C.F.R. § 1.218(b)(39). We used the more restrictive Interagency Security Committee standard, which applies to federal facilities and is based on federal law.

[37]We determined it was not feasible to conduct this test at four selected VA facilities.

[38]38 C.F.R. § 1.218(a)(7).

[39]The bottles were labeled as containing vodka but did not contain alcohol.

[40]Centers for Disease Control and Prevention, “Alcohol Use and Your Health,” accessed Nov. 14, 2025, https://www.cdc.gov/alcohol/about‑alcohol‑use/index.html.

[41]At one location, the investigator was able to gain access to staff areas but not other spaces due to the doors being locked.

[42]VA, Security and Law Enforcement, VA Handbook 0730/4 (Washington, D.C.: Mar 29, 2013) and Security and Law Enforcement, VA Handbook 0730/5 (Washington, D.C.: July 11, 2014); see also 38 C.F.R. § 1.218(b)(8).

[43]GAO, Standards for Internal Control in the Federal Government, GAO‑25‑107721 (Washington, D.C.: May 15, 2025). Interagency Security Committee, The Risk Management Process: An Interagency Security Committee Standard (Washington, D.C.: July 2024).

[44]Projects that meet the criteria for four types of VA capital investment programs are reviewed through the SCIP process. These programs are major construction, minor construction, leasing, and non-recurring maintenance. The major construction program funds construction projects estimated to cost more than $30 million. See 38 U.S.C. § 8104. The minor construction program funds construction projects estimated to cost $30 million or less. In general, non-recurring maintenance projects are repairs and renovations within the existing square footage of a facility. This non-recurring maintenance category includes sustainment projects, which repurpose existing space and cost $30 million or less, and modernization projects, which improve existing buildings and do not have a cost limitation.

[45]GAO‑25‑107721. Interagency Security Committee, The Risk Management Process: An Interagency Security Committee Standard (Washington, D.C.: July 2024).

[46]As discussed earlier in this report, once a facility has been constructed, the ISC’s risk management standard calls for risk assessments to be conducted on an ongoing basis every 3 to 5 years.

[47]Department of Veterans Affairs, Physical Security and Resiliency Design Manual (Washington, D.C.: May 1, 2024).

[48]GAO, VA Real Property: Enhanced Communication and Performance Measurement Could Improve Capital Asset Management, GAO‑22‑103962 (Washington, D.C.: Oct. 29, 2021).

[49]Closing security gaps is one of many goals VA has for its infrastructure projects. VISN and medical center officials are not required to submit projects that identify and close security gaps if they do not identify any security gaps or if these officials determine that meeting other capital planning goals is a higher priority. VA officials described the security gap goal as a planning objective because the agency’s ability to close security gaps at its medical facilities depends on three factors: (1) the identification of security and other gaps by VISN and medical center officials during the SCIP process; (2) funding levels appropriated by Congress for VA SCIP projects; and (3) VA’s successful execution of approved and funded SCIP projects. According to VA officials, the agency generally prioritizes capital projects that enhance the agency’s ability to provide health care to veterans.

[50]As previously discussed, VA has not fully implemented the ISC’s risk management standard by tracking the extent to which strategies to address security vulnerabilities identified during risk assessments have been implemented and measuring the performance of the security measures.

[51]VA headquarters calculates the agency’s performance in closing security gaps using the infrastructure projects it approves through the SCIP process. SCIP project proposals list one or more gaps and quantify the extent to which the project will address these gaps. Security gaps are measured in different ways depending on the nature of the deficiency. For example, a project to close a security gap caused by inadequate perimeter fencing could be measured in feet. VA standardizes gaps by converting them to a percentage, with 100 percent corresponding to a project that fully addresses a security gap. VA measures performance at the VISN level by calculating the average gap closure percentage across all projects for each fiscal year. Previously, VA calculated the measure by dividing the total number of gaps its SCIP projects are intended to close by the total existing gaps identified by VISN and medical center officials through the SCIP process. Neither VISN 10 nor VISN 15 met the goal under either the current or the prior calculation methods.  

[52]We did not meet with veterans at one of the locations as the site primarily served patients remotely through telehealth appointments at the time of our visit.

[53]Interagency Security Committee, The Risk Management Process: An Interagency Security Committee Standard, 2024 Edition (July 2024); GAO, Government Reorganization: Key Questions to Assess Agency Reform, GAO‑18‑427 (Washington, D.C.: June 13, 2018). We selected questions related to implementation, as this is the stage most relevant to VA’s reform effort.

[54]We were able to perform the weapon test at all 30 locations and the alcoholic beverage test at 26 of the 30 locations.

[55]GAO, Standards for Internal Control in the Federal Government, GAO‑25‑107721 (Washington, D.C.: May 15, 2025).

[56]In October 2021, we reported that VA lacked performance goals and measures for its capital asset management program. We recommended that VA develop these goals and measures, and VA concurred. In October 2022, VA issued a report detailing the department’s goals and measures. One measure is to close 95 percent of identified security gaps. GAO, VA Real Property: Enhanced Communication and Performance Measurement Could Improve Capital Asset Management, GAO‑22‑103962 (Washington, D.C.: Oct. 29, 2021).

[57]The Federal Law Enforcement Training Accreditation board independently accredits the training processes conducted by federal law enforcement agencies.

[58]VA police officers must also take training on active threat response and the use of firearms.