Nationwide Suspicious Activity Reporting (SAR) Initiative IJIS Institute Winter Briefing
Nationwide SAR Initiative (NSI) Purpose: To establish a unified approach at all levels of government to gather, document, process, analyze, and share information about terrorism- related suspicious activities Responds directly to the Intelligence Reform and Terrorism Prevention Act of 2004 requiring the Program Manager, Information Sharing Environment (ISE) to provide “a decentralized, distributed, and coordinated environment” for sharing of terrorism-related information Responds to the direction of the National Strategy for Information Sharing (October 2007) to establish a “unified process for reporting, tracking, and accessing [SARs]” for federal, state, local, and tribal entities Ensures that terrorism-related SARs are made available to federal, state, and local law enforcement agencies and state and major urban area fusion centers Integrates state, local, and tribal law enforcement agencies’ SAR processes into a nationwide standardized and institutionalized effort 2
What Makes an Activity Suspicious? A citizen observes or reports to law enforcement authorities that something is alarming, out of the ordinary, or “just not right” Law enforcement or government official observes something Based on training or experience to recognize behaviors and indicators that are associated with a criminal activity associated with terrorism Knowledge of laws and regulations Interactivity with other agencies Studies and research done on activities leading to crimes and terrorist acts (e.g., LAPD, NCTC, FBI) 3
What Is the SAR Process? A grassroots effort Involves the gathering, processing, reporting, analyzing, and sharing of suspicious activity Focuses on what law enforcement agencies have been doing for years—gathering information regarding behaviors and incidents associated with crime and establishing a process whereby information can be shared to detect and prevent criminal activity, including that associated with domestic and international terrorism
5 State, Local, Tribal LE Agency Involvement Is Critical SAR process will assist local efforts to identify emerging crime, including terrorism Each agency’s internal SAR process can be tailored to the needs of its city and state but should be based on general standards that provide interoperability and the sharing of information Each agency’s internal SAR process, once developed, can be incorporated into the nationwide SAR capability and will support efforts to protect our nation from terrorist attack Build upon community policing advancements Harness the more than 800,000 full-time sworn law enforcement officers in the United States Without the support and participation by local, state, and tribal agencies, the amount of valuable terrorism-related SARs in the ISE would be limited (e.g., Oklahoma City bombing, Japanese bomber case, New Jersey Fort Dix plot case)
Implementation Challenges for the NSI How to institutionalize law enforcement processes to ensure that a SAR has been legally gathered and is determined to have a potential nexus with terrorism-related criminal activity How to ensure that citizen privacy and civil liberties are protected How to implement common ISE-SAR business processes that can be accomplished within an agency’s existing procedural and legal framework to gather, process, analyze, and report behaviors and events that are indicative of criminal activity How to establish effective guidance and feedback mechanisms between local, state, tribal and federal agencies to communicate risks and results How to provide comprehensive and uniform training to all participants in the SAR process: Front-line Officers, Analysts, Executives How to leverage information exchange standards and existing technology, where possible, to securely share terrorism-related SARs across the ISE 6
7 Defining a Comprehensive ISE-SAR Process Nationwide SAR Cycle State and major urban area fusion centers, in coordination with local and federal officials, develop risk assessments State and major urban area fusion centers, in coordination with local and federal officials, develop information needs based on risk assessment Frontline law enforcement personnel (federal, state, local, and tribal) trained to recognize behavior and incidents indicative of criminal activity associated with terrorism. Community outreach plan implemented Observation and reporting of behaviors and incidents by trained law enforcement personnel during their routine activity Supervisory review of the report in accordance with departmental policy SAR made available to fusion center and/or JTTF At fusion center or JTTF, a trained analyst or law enforcement officer determines, based on information available, knowledge, experience, and personal judgment, whether the information meeting the ISE-SAR criteria may have a terrorism nexus Determination and documentation of an ISE-SAR ISE-SAR posted in an ISE Shared Space Authorized ISE participants access and view ISE-SAR Federal agencies produce and make available information products to support the development of geographic risk assessments by state and major urban area fusion centers Planning Gathering and Processing Analysis and ProductionDisseminationReevaluation In major cities, SAR reviewed by trained counterterrorism expert Suspicious Activity Processing Steps National coordinated information needs on annual and ad hoc basis
Responding to the National Strategy for Information Sharing-issued direction to establish a “unified process for reporting, tracking, and accessing [SARs]” for federal, state, local, and tribal entities (October 2007) Developed and issued ISE-SAR Functional Standard (January 2008) Integrated all ISE-SAR activities into a Nationwide SAR Initiative (NSI) Major City Chiefs Association (MCCA) project DoD Force Protection components FBI eGuardian and DHS participation Defined the top-level business processes and information flow based upon state, local, and tribal practices agencies in Los Angeles, Boston, Chicago, etc. Developed the NSI CONOPS Established an ISE-SAR Evaluation Environment and technical infrastructure to test ISE-SAR concepts and objectives and evaluate outcomes 8 Overall Progress to Date
MCCA, IACP, and BJA are developing training for frontline personnel, senior officers, investigators, and analysts to... Recognize indicators (incidents, behaviors, and modus operandi of individuals and organizations) of criminal activity associated with terrorism Safeguard privacy and civil liberties Standard Privacy Guidelines and Templates have been developed and distributed toa assist LE agencies adopt best practices Operational SAR-EE capabilities have been deployed in New York, Florida, Virginia, D.C Ten addition SAR-EE sites planned by May 09 9 Progress to Date (continued)
The ISE-SAR Evaluation Environment (ISE-SAR EE) was established in 2008 to provide an operational technical infrastructure to enable Operational testing of Common Terrorism Information Sharing Standards (CTISS) and NIEM data exchange standards, Identification of best practices (training, analysis, privacy, technology) Evaluation of business and technical performance measures /outcomes. Per PM-ISE guidance and the IRTPA of 2004, the ISE-SAR EE represents a distributed and decentralized solution to allow agencies to locally hold and control SAR data and yet make data easily and securely accessible (viewable) by other authorized agencies. This local repository of suspicious activity reports having a “potential” nexus with terrorism is referred to as an ISE “Shared Space” and collectively as the ISE Shared Spaces. SAR data in the ISE Shared Spaces is accessible via secure CUI networks by authorized users using a federated search / query tool hosted at 10 What is the ISE-SAR Evaluation Environment?
Secure Networks ISE Shared Spaces Federated Search ( (HSIN Intel, LEO, RISS) Conducting a Federated SAR Search Federal Servers (eGuardian DHS)
Fusion Center Department Approval JTTF eGuardian Shared Spaces SARSAR OPTION 1 OPTION 2 OPTION 3 Sharing SAR Information LEO NATIONAL SAR INITIATIVE Federated Search REQUIRING IMMEDIATE ACTION Fusion Center Department Approval
The primary source for information about the NSI is at the PM-ISE website: Specific documents in suggested reading order: Fact Sheet: Nationwide Suspicious Activities Reporting Initiative Fact Sheet: Suspicious Activity Reporting (SAR) Functional Standard for the Information Sharing Environment NSI Concept of Operations Information Sharing Environment (ISE) Functional Standard (FS) Suspicious Activity Reporting (SAR) Version 1.0 ISE-SAR Evaluation Environment Segment Architecture Fact Sheet: Initial Privacy and Civil Liberties Analysis of the Information Sharing Environment ‐ Suspicious Activity Reporting (ISE ‐ SAR) Functional Standard and Evaluation Environment Initial Privacy and Civil Liberties Analysis 13 Want to Learn More About the NSI?
Despite the fact that there have been no actual terrorist attacks within the United States since 9/11, there is a growing sense that the risk is increasing. Commission on the Prevention of WMD Proliferation and Terrorism (Dec 08) “The United States can expect a terror attack using nuclear or more likely biological weapons before 2013” The Mumbai, India attack brought terrorism back into focus The Nationwide SAR Initiative will involve new processes, policies, training initiatives and public outreach. Technology will play a major role in providing the enabling infrastructure to support improved information sharing and agency collaboration. Over time, Case Management systems, Records Management systems, CAD systems, Analytics and Modeling systems, etc, will all need modifications to support SAR information exchange standards being tested now. While funding streams are uncertain at this point, if the Commision is correct, that situation could change very quickly and early positioning will pay off. 14 What does this mean to you?
Questions? Thomas O’Reilly Senior Policy Advisor, BJA (202) David Lewis Senior Policy Advisor, BJA (202) Don Sutherland SAR Proj Manager, IJIS (703)