Skip to main content

VA Facility Security: Policy Review and Improved Oversight Strategy Needed

GAO-18-201 Published: Jan 11, 2018. Publicly Released: Jan 11, 2018.
Jump To:
Skip to Highlights

Highlights

What GAO Found

The Department of Veterans Affairs' (VA) risk management policies include some but not all of the elements of standards set by the Interagency Security Committee (ISC). ISC was established via executive order to develop security standards and best practices that federal agencies are to follow when developing and conducting risk assessments. As part of this process, VA's policy identifies minimum countermeasures as called for in ISC's standards. In other areas, VA policy only partially adheres or does not adhere to ISC's standards, for example:

Of the five factors ISC calls for when calculating a facility's security level, VA considers three but does not consider a facility's population and size.

VA policy does not include performance measures, such as the number of countermeasures in use or the percentage of facility assessments completed; this percentage is a key element of ISC's standards for assessing the effectiveness of an agency's security programs.

Officials at VA said that its risk management program was developed prior to the ISC standards' being issued in 2013 and that it is up to each agency to determine how to best apply the standards. Nevertheless, VA officials said they are currently reexamining their policies. Until VA reviews its policies in accordance with ISC standards, its approach to risk management may not yield the appropriate security posture needed to adequately protect its medical centers.

VA's oversight activities for risk management do not encompass key aspects of the Standards for Internal Control in the Federal Government and Circular A-123 from the Office of Management and Budget that require agencies to conduct oversight activities to ensure the accountability and effectiveness of agency programs. VA has an oversight process to ensure that biennial assessments of individual facilities' security are completed. However, VA:

does not review the quality of medical centers' required risk assessments,

does not identify whether countermeasures were implemented appropriately by the medical centers, and

does not collect system-wide data to gain an understanding of physical security issues across medical centers.

In the absence of a comprehensive VA-wide strategy or guidance that reflects these internal control standards, individual sites have established their own approaches to carrying out VA's risk management policy. For example, the nine sites GAO reviewed conducted their security assessments differently, and none of the assessments indicated that all of the threat categories in VA's policy were reviewed. The lack of a system-wide oversight strategy means that the differences among medical center approaches, along with the security effects of those different approaches, are unknown. Accordingly, VA does not know if its medical centers are adequately protected, and it may be missing opportunities to leverage resources nationally and make better informed, proactive policy decisions.

Why GAO Did This Study

The Veterans Health Administration (VHA is responsible for providing a safe and secure, yet welcoming environment for staff, patients, and visitors at nearly 170 medical centers. These facilities have been the target of violence, threats, and other security-related incidents. Assessing and managing risks a critical element for ensuring adequate physical security at these facilities.

GAO was asked to review VA's physical security risk-management policies and practices. This report: (1) assesses how VA's policies for risk management reflect prevailing standards, and (2) evaluates VA's oversight of risk management at VHA medical facilities. GAO compared VA policies to ISC standards; reviewed VA documents; interviewed VA and ISC officials; and assessed risk assessment activities at nine medical centers selected based on factors such as patient and security-incident data and geographical diversity. While not generalizable, these nine locations provide illustrative examples of how VA's policies are carried out.

Recommendations

GAO recommends that the Department of Veterans Affairs review and revise its risk management policies to reflect prevailing standards, and develop an oversight strategy to assess the effectiveness of risk management programs at VHA facilities. VA agreed with GAO's recommendations and identified steps to implement them.

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Veterans Affairs The Secretary of VA should, in collaboration with ISC, review and revise VA's risk management policies for VHA facilities to ensure VA incorporates ISC standards, as appropriate. (Recommendation 1)
Open
VA has purchased licenses to use the Federal Protective Service's Modified Infrastructure Survey Tool in VA's Risk Management Process. This tool has been validated by the Interagency Security Committee (ISC) as following its standards. VA officials are currently using the tool to complete Facility Assessments and Threat Assessment Reports. As of April 2024, VA stated that it developed draft policy for its new Vulnerability Assessment Program in accordance with the ISC Risk Management Process. GAO will continue to monitor VA's progress on this recommendation and will review its policy for the new Vulnerability Assessment Program once it is finalized.
Department of Veterans Affairs The Secretary of VA should develop an oversight strategy that allows VA to assess the effectiveness of risk management programs at VHA facilities system-wide. (Recommendation 2)
Open
VA has purchased licenses to use the Federal Protective Service's Modified Infrastructure Survey Tool in VA's Risk Management Process. This tool has the capability to capture, store, and provide access to information associated with risk assessments and countermeasure recommendations at individual facilities. VA is in the process of updating its Vulnerability Assessment Program Directive and Handbook to include a VA-wide oversight strategy that will include conducting analysis of trends on security vulnerabilities and deficiencies, as well as oversight of applied countermeasures across VA facilities. As of April 2024, VA officials stated that all VA facilities have completed a facility security assessment. In addition, VA stated that it developed a draft policy for the Vulnerability Assessment Program and the policy will include a VA-wide oversight strategy to conduct analysis of trends on security vulnerabilities and deficiencies, as well as oversight of applied countermeasures across the enterprise. Once available, GAO will review VA's updated policy to determine if it addresses this recommendation.

Full Report

GAO Contacts

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Public Inquiries

Topics

Best practicesFacility securityFederal facilitiesHealth care centersInternal controlsLaw enforcementPerformance measurementPhysical securityPolicePolicies and proceduresRisk assessmentRisk managementSecurity incidentsSecurity policiesVeterans affairsSecurity assessments