Weapons Smuggled Into Every VA Facility Tested Despite Years of Warnings

Why It Matters

The Department of Veterans Affairs runs the largest integrated health care system in the United States, serving nine million enrolled veterans across more than 1,300 facilities. A new Government Accountability Office report, released publicly on May 13, 2026, raises serious questions about whether those facilities are safe.

Investigators found that VA facility security has failed to meet federal standards for years and that the department has left two key GAO recommendations unaddressed for more than eight years.

GAO investigators conducted covert tests at 30 VA facilities and, in every single one, successfully carried a prohibited weapon past VA staff without being detected, including at two facilities that had metal detectors. In 25 of 26 separate tests, investigators drank openly from a bottle labeled vodka inside VA facilities without being confronted by staff. VA did not provide comments on the draft of the underlying report, a notable departure from standard practice in the GAO review process.

A Security System Built Before the Rules Changed

The roots of the problem stretch back more than a decade. In 2013, the Interagency Security Committee, an executive-branch body that sets physical security standards for federal facilities, issued a risk management standard that all federal agencies, including VA, are required to follow. VA's own risk management program, however, had been developed before those standards were issued and was never fully updated to comply with them.

A 2018 GAO report found that VA's policies included only three of the five factors ISC requires when calculating a facility's security level. The department was not accounting for a facility's population or its physical size, two elements that directly shape how security resources should be deployed. VA also lacked performance measures to track whether its security strategies were working, such as counting the number of countermeasures in use or tracking the percentage of facility assessments completed.

GAO made two recommendations in January 2018: that VA revise its risk management policies to align with ISC standards, and that VA develop an oversight strategy to assess the effectiveness of its security programs system-wide. Both recommendations remain open as of May 2026.

As of April 2025, VA told GAO that draft policies were under internal review, with an anticipated completion date in the second quarter of fiscal year 2026.

What the Numbers Show

The April 2026 report that forms the basis of the Senate testimony provides a detailed picture of the security landscape across VA medical facilities. VA police records document approximately 74,700 crimes at VA medical facilities during fiscal years 2024 and 2025. The overwhelming majority were nonviolent offenses such as disorderly conduct, theft, and drug-related incidents.

Crime rates varied significantly by geography. Urban VA facilities reported an average of 214 crimes per facility over the two-year period, roughly two times the rate at rural facilities, which averaged 123 crimes per facility. GAO noted this pattern is consistent with broader Department of Justice data on urban versus rural crime trends.

The more alarming findings came from covert testing. GAO investigators visited a non-generalizable sample of 30 VA facilities, selected to represent variation in size and geographic location. The results were consistent across the board: in all 30 tests, VA staff failed to detect a prohibited weapon. In 25 of 26 tests, staff failed to confront an investigator visibly drinking alcohol, which is generally prohibited on VA grounds. The failures occurred even at facilities equipped with metal detectors.

The Oversight Gap

Beyond the testing failures, GAO identified a structural problem in how VA manages security performance across its 18 regional networks, known as Veterans Integrated Service Networks, or VISNs.

VA has a goal that 95 percent of security gaps identified in capital projects be addressed through planning. While VA met that goal overall, two of the 18 VISNs failed to meet it in fiscal years 2023 through 2025. The reason those regions continued to fall short, according to GAO, was straightforward: VA headquarters never told them they were failing. There was no mechanism in place to communicate performance data back to the regions that needed to act on it.

GAO's third new recommendation addresses this directly, calling on the Secretary of Veterans Affairs to develop a communication mechanism between VA headquarters and VISN officials on their progress toward the security gap closure goal. The other two new recommendations ask VA to develop a plan with milestones for fully implementing ISC's risk management standard and to assess the resources needed to do so. All three are currently open.

Combined with the two unresolved 2018 recommendations, VA now faces five open GAO recommendations on facility security, spanning nearly a decade of findings.

Federal Security Requirements VA Has Yet to Meet

The ISC standard at the center of this report is a requirement for federal civilian facilities, and VA is a member of the ISC. The standard calls for a structured risk management process: assessing threats, determining facility security levels based on a defined set of factors, identifying countermeasures, and measuring whether those countermeasures are working.

VA's failure to fully adopt this framework means the department has been operating without a consistent, documented basis for its security decisions. GAO found that none of the nine medical center assessments it reviewed in 2018 indicated that all threat categories in VA's own policy had been reviewed. The department has not demonstrated meaningful progress on that front in the eight years since.

The Senate Committee on Veterans' Affairs called the GAO testimony on May 13, 2026, as part of its oversight of VA medical facility security challenges. The testimony drew on three GAO reports published between January 2013 and April 2026, presenting a through-line of recurring findings that VA has consistently struggled to act on.

Veterans, VA employees, and anyone who visits a VA medical facility are the people most directly affected by what the data shows. The covert test results (a 100 percent failure rate on weapon detection across 30 facilities) represent a concrete, documented risk to the people those facilities are meant to serve.

Access the Legis1 platform for comprehensive political news, data, and insights.