ODNI releases standards for suspicious-activity reporting

They place fusion centers at the center of how information moves among local, state and federal law enforcement officials.

The Office of the Director of National Intelligence has released for the first time a set of standards for how state, local and federal law enforcement officials should share information on suspicious activity with potential links to terrorism. The Common Terrorism Information Sharing Standards place state and local intelligence fusion centers at the center of how information on perceived terrorist threats or tips flows among all departments and agencies that use terrorism or homeland security information. The standards describe suspicious behavior as “observed behavior that may be indicative of intelligence gathering or pre-operational planning related to terrorism, criminal or other illicit intention.” Behavior that could be considered suspicious and potentially tied to terrorism, and thus warrant a report, includes surveillance, photography of facilities, site breaches or physical intrusions, cyberattacks and the examination of security. The standards for suspicious activity reporting released by ODNI’s Program Manager for the Information Sharing Environment (PM-ISE) are based on National Information Exchange Model standards and are effective immediately for all entities working with PM-ISE systems. John Cohen, a spokesman for PM-ISE, said the standards establish functional criteria to provide general categories of behavior that can be seen as suspicious and a map for how information and intelligence should be shared among fusion centers. “It provides a definition that is communicated and understood across all communities,” he said. He also added that the hope is that by giving law enforcement more intelligence or information about what they should be looking for they can avoid relying on profiling. PM-ISE breaks the suspicious activity reporting process into five phases: information acquisition, organizational processing, integration and consolidation, data retrieval and distribution, and feedback. In the first, information acquisition, a local law enforcement organization collects all suspicious activity observations and then validates them through the second step of organizational processing, in which the data is reviewed by a supervisor or expert before it is sent to a fusion center. Next the fusion center reviews the data to compare it to ISE’s Suspicious Activity Reporting (ISE-SAR) standards and determine if the information has a potential nexus to terrorism. If the standards are met and a connection to terrorism is suspected, the information is then shared with the rest of the fusion center and the ISE community. The data is then disseminated to officials at the agencies that the potential threat most affects. Finally, in the feedback process, the law enforcement officials who used the intelligence report back on how it was used, and to correct and update any information. The sharing of personal information and law enforcement is governed by state and municipal privacy laws, the federal Privacy Act, criminal intelligence law and the E-Government Act. ISE plans to make certain aspects of SAR reports anonymous to mitigate privacy issues. The Homeland Security Department is requiring state and local fusion centers that do not have a privacy policy to complete them shortly. PM-ISE also breaks the process of data sharing into nine steps from observation, which may be done by a private citizen, government or law enforcement official, through the final step at which point the information comes full circle after having been used and passed back up through the fusion center. PM-ISE says that the ISE-SAR guidelines comply with privacy laws regarding the sharing of personal information among agencies. Furthermore, the ISE Shared Space that will be used to facilitate the information flow is to be used only for terrorism-related information and the program is not meant to affect existing interactions among stat , local and federal officials, including the Joint Terrorism Task Force.

The nine steps of data sharing

  • Observation — A citizen or official witnesses something suspicious and reports it.


  • Initial response and investigation — A law enforcement official gathers additional facts through interviews and reporting and then uses fact-based databases such as Department of Motor Vehicles records or the consolidated terrorist watch list.


  • Local and regional processing — The reporting agency stores the information in its record management system, regardless of whether the agency is local or federal.


  • Creation of the Information Sharing Environment’s Suspicious Activity Reporting (ISE_SAR) standards — The intelligence is reviewed by the fusion center to compare it to ISE-SAR standards and determine if the information has a potential nexus to terrorism.


  • ISE-SAR sharing and dissemination — At the fusion center, ISE-SAR is shared with FBI and Homeland Security Department representatives who are co-located at the fusion center. That information is then entered into the FBI and DHS systems and sent back Washington.


  • Headquarters processing — In Washington the ISE-SAR information is combined with other state and local authorities to create an agency-specific national threat assessment, which is shared with other ISE members.


  • National Counter Terrorism Center Analysis — The center then processes that data with information from intelligence, defense, law enforcement, foreign affairs and Homeland Security.


  • NCTC alerts — NCTC products are distributed to different federal, state, local and tribal officials through the fusion centers.


  • Focused collection — The process begins again.






























  • NEXT STORY: Davis to leave House