Before the Committee on Veterans' Affairs, U.S. Senate
For Release on Delivery Expected at 4 p.m. ET
United States Government Accountability Office
A testimony before the Committee on Veterans' Affairs, U.S. Senate
For more information, contact: Triana McNeil at McNeilT@gao.gov
What GAO Found
The Department of Veterans Affairs (VA) is responsible for securing its facilities. GAO has identified security challenges at VA medical facilities and made recommendations to help manage related risks.
In January 2018, for example, GAO found limitations with VA’s risk assessment methodology and recommended VA review and revise its risk management policies to reflect interagency standards, and develop an oversight strategy to assess its facilities’ risk management programs. VA has not yet fully implemented these recommendations as of April 2026.
In April 2026, GAO reported that its 2025 covert testing found security vulnerabilities at selected VA facilities. In some cases, VA security measures were not effective. Specifically, VA failed to detect most of GAO’s covert tests related to security vulnerabilities it had previously identified in its risk assessments of its medical facilities. For example:
· In all 30 tests, VA staff did not detect a prohibited weapon that GAO investigators carried into the VA facilities, including two that had metal detectors.
· In 25 of 26 tests, VA staff did not confront an investigator drinking in plain view from a bottle labeled vodka—which is generally prohibited at VA facilities.
Taking actions to address GAO recommendations would better provide VA with information it needs to make informed decisions, allocate resources effectively, and prioritize security efforts to create a safe environment for veterans and VA staff.
Why GAO Did This Study
VA oversees the largest integrated health care system in the U.S., serving 9 million enrolled veterans at over 1,300 facilities. VA employees, veteran patients, and medical facilities have been the targets of violence, threats, and other security-related incidents in recent years, including nonviolent crimes such as disorderly conduct and theft.
The Interagency Security Committee (ISC)—which VA is a member of— developed a risk management standard that federal agencies must follow to identify and address the types of security vulnerabilities impacting their facilities.
GAO has conducted work related to the ISC’s risk management standard and security at VA medical facilities. This statement, based primarily on three reports published from January 2013 to April 2026, discusses challenges VA faces related to the security of its facilities and actions that could help address those challenges, among other issues.
What GAO Recommends
GAO has made five recommendations to VA in two reports to help address challenges related to securing its facilities. In April 2026 for example, GAO made three recommendations, including that VA develop a plan with milestones and assess resources needed to fully implement the ISC’s risk management standard.
GAO will continue to monitor the agency’s progress in implementing the recommendations.
Chairman Moran, Ranking Member Blumenthal, and Members of the Committee:
I am pleased to be here today to discuss our work examining Department of Veterans Affairs (VA) challenges with securing medical facilities. VA oversees the largest integrated health care system in the U.S., serving 9 million enrolled veterans at over 1,300 medical facilities. VA employees, veteran patients, and medical facilities have been the targets of violence, threats, and other security-related incidents in recent years, including nonviolent crimes such as disorderly conduct and theft. In 2025, for example, a VA employee was assaulted and injured by a man with a knife outside of a VA Hospital in Fresno, California. In another incident in 2025, a man brandishing a weapon entered the emergency room of a VA hospital in Reno, Nevada. The man was shot and killed by law enforcement after charging at the officers, according to news reports. We placed managing federal real property on our High-Risk List, in part, due to threats to federal facilities.[1]
VA is responsible for physical security at its medical facilities. Its armed and uniformed police force—VA police—provides law enforcement services at these facilities nationwide. The agency employs more than 4,300 officers, physical security specialists, and investigators along with about 800 contract security guards.[2] The design of the facilities is another important component of physical security. For example, facilities may employ measures such as card readers, bollards, and surveillance cameras to enhance security.
My statement today discusses (1) the nature of crime at VA medical facilities and (2) challenges VA faces securing its facilities and actions that could help address those challenges. It is based primarily on three reports we published from January 2013 to April 2026.[3]
For the three reports we cite in this statement, we reviewed VA policies and documentation, analyzed data, conducted covert tests, interviewed officials from agency headquarters and conducted site visits to selected field units (among other methodologies). More detailed information on our scope and methodology, including how we analyzed data and assessed their reliability, is in the reports. For this statement, we also reviewed the status of VA implementation of selected recommendations we made through April 2026.
We conducted the work on which this statement is based in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We conducted our related investigative work in accordance with standards prescribed by the Council of the Inspectors General on Integrity and Efficiency. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
The Majority of Reported Criminal Activity at VA Medical Facilities Was Nonviolent and Occurred in Areas with More Urban VA Facilities
Our prior work has shown that the majority of reported criminal activity at VA medical facilities was nonviolent and occurred in areas with more urban VA facilities. In April 2026, we reported that around 98 percent of the 74,706 crimes reported by VA police in fiscal years 2024 and 2025 were nonviolent, according to our analysis of VA police records.[4]
The most frequently reported nonviolent crimes were disorderly conduct, larceny or theft, and drug or narcotics offenses, which accounted for about 48 percent of all crimes in fiscal years 2024 and 2025, as shown in figure 1.[5] These are crimes that VA police officers reported using the department’s record management systems. Accordingly, they may not include all crimes that occur at VA medical facilities. Violent crimes were also reported at VA medical facilities during this period. Violent sex crimes—such as sexual assault and rape—were the most common types of violent crime reported, accounting for 888 of the 74,706 crimes reported by VA police.[6] VA police also reported 233 aggravated assaults and three murders.
Note: VA police reported 74,706 crimes in fiscal years 2024 and 2025. The “all other offenses” category is composed of 28 crimes. For a full list, see GAO, Facility Security: VA Should Fully Implement Federal Security Requirements and Improve Performance Reporting, GAO‑26‑107952 (Washington, D.C.: Apr. 29, 2026). Our report uses the criminal offense categories and definitions used by the Federal Bureau of Investigation to collect crime statistics through its National Incident-Based Reporting System.
Our prior work found there may be a variety of factors associated with crime trends at VA facilities. For example, VA officials told us the layout and location of VA facilities affect crime trends. Older VA hospitals typically consist of multiple large buildings spread out on a large campus, making it more difficult for VA to secure them. Newer VA hospitals consist of a central main building, which is easier to secure and upgrade with new security technologies, according to VA officials.[7]
Reported crimes at VA facilities most commonly occurred in emergency departments and inpatient treatment areas, and common areas such as lobbies, hallways, medical facility grounds, and parking lots, according to VA police records for fiscal years 2024 and 2025. According to VA officials, patients receiving care in the emergency departments might be experiencing mental or emotional difficulties that cause them to commit crimes. Crime at non-VA hospitals most commonly occurs at emergency departments, according to officials from the American Hospital Association—which represents and provides guidance to private hospitals—and the Joint Commission—which develops leading practices and standards for patient safety in health care. Figure 2 shows examples of areas at a VA medical facility that VA security personnel monitor, including hospital grounds, a lobby, and a parking lot.
We previously found that the average crime rate for crimes of all types was about twice as high at VA stations we classified as majority urban than at those we classified as majority rural in fiscal years 2024 and 2025, as shown in figure 3.[8] The VA police generally reported the same types of crimes at majority urban and majority rural stations. Both violent crimes, such as sexual assault and rape, and nonviolent crimes, such as theft, were more frequently reported at majority urban VA stations on average. VA officials told us that crime rates at VA facilities reflect crime trends in the surrounding area, and higher crime rates in some areas are caused by socioeconomic differences, such as poverty and the concentration of at-risk populations. The prevailing crime rate in the area surrounding VA facilities is a factor in how VA management decides where to station police officers and security guards, according to VA officials.
The results of our analysis reported in April 2026 match what some VA patients and staff told us during our visits to rural VA facilities. VA staff at two rural clinics we visited told us they rarely or never observed criminal activity while at work. Additionally, patients at one rural clinic told us that they had not seen or experienced crime while receiving treatment at the clinic.
Figure 3: Crime Rates at Majority Rural and Majority Urban Department of Veterans Affairs (VA) Stations, Fiscal Years 2024 and 2025 Combined
Note: A station is a geographic grouping that includes multiple medical facilities. We divided stations into two groups. Those with more than half of the facilities in the station in urban areas were defined as stations with majority urban medical facilities, and those with more than half of the facilities in the station in rural areas were defined as stations with majority rural medical facilities. We used the U.S. Department of Agriculture’s Rural-Urban Commuting Area code framework to determine if a facility was in an urban or rural area. We calculated the average crime rate by calculating the average rate of reported crime incidents per facility across stations, grouped by rurality category. For each group, we computed the rate of criminal incidents as the number of reported incidents divided by the number of facilities in each station, then averaged these rates within each rural classification group.
GAO’s Covert Testing Found Vulnerabilities at VA Medical Facilities Related to Longstanding Security Challenges
VA Failed to Detect Almost All of GAO’s Covert Security Tests
In 2025, we conducted covert testing to assess security at 30 selected VA medical facilities and found security vulnerabilities.[9] In April 2026, we reported that these security vulnerabilities included those related to reported types of crimes at VA facilities and vulnerabilities that VA identified in its medical facility risk assessments. Specifically, we conducted tests related to weapons, alcohol, and accessing nonpublic spaces.[10]
VA staff did not detect the prohibited weapon in any of the 30 selected VA facilities we tested. During our covert tests, our investigators successfully brought in a multi-tool with a knife blade, as shown in figure 4. The blade exceeded 2.5 inches, so it was longer than the maximum length allowed in federal facilities by law,[11] and was carried into facilities in a backpack.
Metal detectors are not required by VA policy or the federal Interagency Security Committee (ISC) standard, but they both state that they are one of the mitigation methods facilities can adopt to help prevent individuals from bringing weapons into facilities. Twenty-eight of the 30 facilities in our 2025 covert tests did not have metal detectors. Of the two facilities where our investigators saw metal detectors, in one case the metal detector was not in use. In the other case, the weapon test triggered the metal detector to alert, but the investigator was not questioned or searched.
VA management from the three medical centers we met with had differing views on using metal detectors. Management at two centers raised concerns, one regarding metal detectors impeding the flow of foot traffic into the facility and the additional resources needed to monitor the detectors. Management from another center said that detectors could detract from the warm and welcoming environment they are trying to create. In contrast, the third center had recently started using the weapon detection system in response to staff safety concerns and a suicide involving a gun at the hospital.
VA generally prohibits possessing alcoholic beverages at VA medical facilities.[12] Alcohol use is associated with a higher risk of violence and other harmful health effects, according to the Centers for Disease Control and Prevention.[13] Officials from VA’s Law Enforcement Training Center said that when VA police encounter veterans exhibiting concerning behavior, one goal is to connect the veterans to medical staff for treatment.
However, in 25 of the 26 tests we conducted at selected VA medical facilities in 2025, VA staff did not detect and confront our undercover investigator appearing to drink an alcoholic beverage in plain view.[14] During our covert tests, our investigators drank from a bottle appearing to contain alcohol in a waiting room for a period of 5 minutes, as pictured in figure 5 below.[15] In over one quarter of these tests (eight of 26), security personnel (VA police or security guards) were nearby but failed to notice or act. Similarly, in five of the 26 tests, other nearby VA personnel failed to notice or act. In nine of the 26 tests, our investigators did not observe any security personnel.
Figure 5: GAO Investigator Appearing to Drink Alcohol in a Department of Veterans Affairs Waiting Room in the Vicinity of Security Personnel
VA Has Faced Longstanding Challenges Addressing the Federal Facility Risk Management Standard and Law Enforcement Staffing
Since at least 2013, we have reported that agencies face challenges addressing the ISC’s standards. The ISC’s risk management standard is designed to help agencies identify and address the types of security vulnerabilities impacting their facilities. We have also made recommendations to help agencies ensure compliance with these standards.[16] Prior to our covert testing, we reported in 2018 that VA faces challenges addressing risks at its medical facilities, including fully implementing the ISC’s risk management standard.[17] Specifically, in 2018, we found limitations with VA’s risk assessment methodology. For example, we found that VA considered only three of the five factors the ISC calls for when calculating a facility’s security level. We recommended VA review and revise its risk management policies to reflect ISC standards and develop an oversight strategy to assess the effectiveness of risk management programs at its facilities.[18] VA concurred with these recommendations and stated that it planned to issue a policy that would address both recommendations by January 2027.
Additionally, in April 2026, we reported that VA has taken steps to implement the ISC’s risk management standard but had not fully implemented the required ISC steps of implementing the risk management strategies or measuring performance.[19] The ISC’s risk management standard recognizes that it is not always possible for agencies to implement all security recommendations because of budget limitations and competing priorities. The standard requires that the responsible agency document its decisions on which aspects of the risk management strategy it plans to implement and which aspects it will not implement, along with the reasons for accepting greater security risks.
We also reported in April 2026 that VA officials said the lack of an agencywide policy instructing officials in the field on how to implement the ISC’s risk management process was one factor impeding implementation. As previously discussed, VA set a goal of issuing a policy that incorporates the ISC’s standards by January 2027 in response to our 2018 recommendation.[20] However, while these efforts have been underway for years, the agency does not have a timeframe for fully implementing its forthcoming policy or the ISC’s risk management standard. VA officials said this was due to resource constraints and competing priorities.
As we reported in April 2026, the ISC’s risk management standard is designed to help agencies identify and address the types of security vulnerabilities impacting their facilities. Our covert testing found that there are security vulnerabilities at selected VA facilities and in some cases the security measures in place were not effective. Without information on the status and performance of VA facilities’ security risk management strategies—as required by the ISC’s risk management standard—VA does not have the information needed to make informed decisions, allocate resources effectively, and prioritize security efforts.
Given the amount of time—approximately 8 years—it has been since our prior recommendation to address ISC standards, in April 2026 we recommended VA establish a plan with milestones and assess the resources required for implementing the ISC’s risk management standard to help the agency build momentum and track progress.[21] We heard from VA after we issued our report that it concurred with the recommendations and we will monitor VA’s progress in implementing them. Fully implementing the ISC’s risk management standard can help VA ensure its medical facilities have appropriate levels of security to create a safe environment for veterans and staff.
Directly related to maintaining a safe environment, in February 2026, we reported that law enforcement officers comprise one of VA’s top nonclinical occupation shortages, according to agency officials.[22] Officials said one factor leading to understaffing is budget constraints which required the agency to weigh competing priorities in hiring clinical and nonclinical staff. As a result, they said that officers were not always available to patrol facilities, potentially making them less safe. VA data show that from fiscal year 2020 through fiscal year 2024, the agency’s law enforcement officer staffing levels ranged from a low of 4,669 in 2021 to a high of 6,281 in 2024; however, staffing levels were consistently below VA’s staffing level targets for these years.
In summary, VA manages the largest integrated health care system in the U.S. and is responsible for the safety of the 9 million veterans it serves and its staff. While VA staff, veteran patients, and medical facilities have been the target of violence, threats, and other security-related incidents in recent years, VA has not fully addressed longstanding and known risks. We have identified challenges with VA’s management of its medical facility security and have made recommendations to help address these challenges. The results of our 2025 covert testing at 30 selected VA facilities demonstrate ongoing risks to patients and employees, including medical providers. Implementing our recommendations pertaining to resource needs assessments and the ISC’s risk management standard would better position VA to address these risks.
Chairman Moran, Ranking Member Blumenthal, and Members of the Committee, this completes my prepared statement. I would be pleased to respond to any questions that you may have at this time.
GAO Contacts and Staff Acknowledgments
If you or your staff have any questions about this testimony, please contact Triana McNeil, Director, Homeland Security and Justice, at McNeilT@gao.gov. Contact points for our Offices of Congressional Relations and Media Relations may be found on the last page of this statement. GAO staff who made key contributions to this statement are Andrew Curry (Assistant Director), and Heather May (Analyst in Charge). Other staff who made key contributions to the reports cited in the testimony are identified in the source products.
This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.
The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony
The fastest and easiest way to obtain copies of GAO documents at no cost is through our website. Each weekday afternoon, GAO posts on its website newly released reports, testimony, and correspondence. You can also subscribe to GAO’s email updates to receive notification of newly posted products.
Order by Phone
The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s website, https://www.gao.gov/ordering.htm.
Place orders by calling (202) 512-6000, toll free (866) 801-7077,
or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information.
Connect with GAO
Connect with GAO on X,
LinkedIn, Instagram, and YouTube.
Subscribe to our Email Updates. Listen to our Podcasts.
Visit GAO on the web at https://www.gao.gov.
To Report Fraud, Waste, and Abuse in Federal Programs
Contact FraudNet:
Website: https://www.gao.gov/about/what-gao-does/fraudnet
Automated answering system: (800) 424-5454
Media Relations
Sarah Kaczmarek, Managing Director, Media@gao.gov
Congressional Relations
David A. Powner, Acting Managing Director, CongRel@gao.gov
General Inquiries
[1]GAO, High-Risk Series: Heightened Attention Could Save Billions More and Improve Government Efficiency and Effectiveness, GAO‑25‑107743 (Washington, D.C.: Feb. 2025).
[2]VA staffing data are as of May 31, 2025. VA estimates the data has a 5 percent error rate on newly hired positions at a given point in time, as VA manually enters and continuously reviews and corrects it.
[3]See GAO, Facility Security: VA Should Fully Implement Federal Security Requirements and Improve Performance Reporting, GAO‑26‑107952 (Washington, D.C.: Apr. 29, 2026); VA Facility Security: Policy Review and Improved Oversight Strategy Needed, GAO‑18‑201 (Washington, D.C.: Jan. 11, 2018); and Facility Security: Greater Outreach by DHS on Standards and Management Practices Could Benefit Federal Agencies, GAO‑13‑222 (Washington, D.C.: Jan. 24, 2013).
[5]According to the Federal Bureau of Investigation, disorderly conduct is any behavior that tends to disturb the public or decorum, scandalize the community, or shock the public sense of morality. VA police reported 12,545 assaults of all types in fiscal years 2024 and 2025. The Federal Bureau of Investigation defines assault as any unlawful attack by one person upon another and collects statistics on three types of assault crimes: (1) simple assaults, which do not involve a weapon or result in severe bodily injury; (2) intimidation, which is the use of threatening words or behaviors that places another person in reasonable fear of harm; and (3) aggravated assaults, which are attacks involving the use of a dangerous weapon or that resulted in serious injuries. The Federal Bureau of Investigation does not classify simple assault or intimidation as violent crimes.
[6]In fiscal year 2025, VA police reported one sex crime—failing to register as a sex offender—that the Federal Bureau of Investigation does not classify as a violent crime.
[9]We were able to perform the weapon test at all 30 locations and the alcoholic beverage test at 26 of the 30 locations. While these tests are not generalizable to all VA facilities, they provide insights into security vulnerabilities.
[11]18 U.S.C. § 930(a)-(b), (g)(2); see also Interagency Security Committee, Items Prohibited in Federal Facilities: An Interagency Security Committee Standard 8, 10 (2022). VA has a regulation that prohibits possession of knives on VA property that exceed a blade length of 3 inches. 38 C.F.R. § 1.218(b)(39). We used the more restrictive Interagency Security Committee standard, which applies to federal facilities and is based on federal law.
[12]38 C.F.R. § 1.218(a)(7).
[13]Centers for Disease Control and Prevention, “Alcohol Use and Your Health,” accessed Nov. 14, 2025, https://www.cdc.gov/alcohol/about-alcohol-use/index.html.
[14]We determined it was not feasible to conduct this test at four selected VA facilities.
[15]The bottles were labeled as containing vodka but did not contain alcohol.
[16]See GAO‑13‑222 and Federal Facility Security: Additional Actions Needed to Help Agencies Comply With Risk Assessment Methodology Standards, GAO‑14‑86 (Washington, D.C.: Mar. 5, 2014). We recommended that the Department of Homeland Security, as the leader of the ISC, direct the ISC to conduct additional outreach and assess agency compliance with its standards. These recommendations have been implemented.
[17]In response to the 1995 terrorist attack at the Alfred P. Murrah Federal Building in Oklahoma City, President Clinton issued an executive order creating the ISC. Exec. Order No. 12977, 60 Fed. Reg. 54,411 (Oct. 19, 1995). The ISC was tasked with enhancing the quality and effectiveness of security in facilities in the U.S. occupied by federal employees for nonmilitary activities, and to provide a permanent body to address continuing government-wide security for federal facilities. The committee is chaired by the Cybersecurity and Infrastructure Security Agency within the Department of Homeland Security and consists of 66 departments and agencies, including VA.
[21]We also recommended that VA develop a mechanism for VA headquarters to communicate with Veterans Integrated Service Network officials on their progress in meeting VA’s 95 percent security gap closure planning goal. See GAO‑26‑107952.
[22]See GAO, Law Enforcement Officers: Observations on Recruitment and Retention at the Federal, Tribal, State, and Local Levels, GAO‑26‑108495 (Washington, D.C.: Feb. 3, 2026).