New GAO Report finds Weaknesses in Physical Security Risk Assessment Process at VA facilities RISKAlert Report # 1003

A new GAO (Government Accountability Office) report reviewed the Department of Veterans Affairs’ (VA) risk management policies against the security standards set by the Interagency Security Committee (ISC). The ISC was established by executive order to develop the security standards and best practices that federal agencies are to follow when developing and conducting risk assessments.

Many of the findings relate to how the VA conducts its required security risk assessments, including the elements used in the assessments, the evaluation of protective controls (countermeasures), and the fact that the assessments are not tracked.

The report concluded that VA policy only partially adheres, or does not adhere at all, to ISC’s standards. For example, ISC calls for using 5 elements when calculating a facility’s security level, but the VA uses only 3, leaving out the size of the facility and the facility’s population!

VA policy does not include performance measures, such as the number of countermeasures (controls) in use or the percentage of facility assessments completed; that percentage is a key element of ISC’s standards for assessing the effectiveness of an agency’s security program.

The report also pointed out that the VA does not review the quality of the VA medical centers’ required security risk assessments, and fails to determine whether the countermeasures (controls) recommended in those assessments were implemented effectively.

The VA is the largest integrated health care system in the US, providing care at 1,233 health care facilities, including 168 VA Medical Centers and 1,053 outpatient sites of care of varying complexity (VHA outpatient clinics), serving more than 8.9 million Veterans each year.

You can access the 36-page report at:



This entry was posted in active shooter, Hospital Emergency Departments, Hospital Violence, Risk, risk assessment, Risk Assessment & Compliance, RiskAlert, RiskAlert Incident Report, Security Governance by Caroline Ramsey-Hamilton.

About Caroline Ramsey-Hamilton

Caroline Ramsey-Hamilton is a leading expert in assessing security risk in both information security and facilities security, including security risk assessments, active shooter and security risk assessments for hospitals and healthcare organizations, cybersecurity, nuclear security, and auditing, analyzing and measuring compliance with all major security standards, like DHS, FEMA 426-428, The Joint Commission, HIPAA Security & Privacy Rules, the HIPAA Omnibus Rule, and OSHA 3148 for Preventing Workplace Violence, as well as C-TPAT and CFATS. She is currently working on a universal set of easy security tools that will make it easy to assess risk in a variety of companies, agencies and businesses. Her company, Risk & Security LLC, works with more than 500 clients around the world using a program that standardizes site surveys and assessments and makes it easier to compare facilities and measure their level of security. She posts breaking security & risk alerts at She's also an animal lover and tree hugger, and a musician who loves dogs, horses, kitties, house rabbits, parrots, and especially beagles! I support and other animal rescue organizations and work toward a more peaceful and green world.
