U.S. flag

An official website of the United States government

Government Website

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Safely connect using HTTPS

Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.


  1. Home
  2. News
  3. Testimony
  4. Written testimony of I&A for a House Homeland Security Subcommittee on Counterterrorism and Intelligence hearing titled “Sixteen Years After 9/11: Assessing Suspicious Activity Reporting Efforts”

Written testimony of I&A Acting Deputy Under Secretary for Intelligence Operations Robin Taylor for a House Committee on Homeland Security, Subcommittee on Counter-terrorism and Intelligence hearing titled “Sixteen Years After 9/11: Assessing Suspicious Activity Reporting Efforts”

Release Date: September 13, 2017

210 House Capitol Visitor Center

Chairman King, Ranking Member Rice, and members of the subcommittee, thank you for the invitation to be here and to represent the men and women who serve in the Department of Homeland Security’s (DHS) Office of Intelligence and Analysis (I&A) and the Nationwide Suspicious Activity Reporting (SAR) Initiative (NSI).

Today’s hearing addresses a topic critical to the security of our Nation, as we have seen time and time again the vital role that law enforcement and a vigilant public play in keeping our communities safe. In the years since the terrorist attacks on September 11, 2001, the NSI program has become a critical facet in our overall counter-terrorism posture. Further, in the five years since the Department took over the reins of the NSI, the NSI Program Management Office has continued its work to advance the program and provide the tools, training, expertise and assistance called for by our partners, the law enforcement officers, fusion center analysts and community stakeholders who all perform critical roles within the NSI information sharing framework.

Assessing the Need

As we all know, the threat to our Nation, our citizens, and our communities has not diminished since the attacks of 9/11. Our major cities remain attractive terrorist targets, as reflected in the Boston bombing attacks and the repeated attempts to perpetrate terrorist attacks in New York City. We have also seen terrorist attacks carried out in our mid-size cities and smaller communities. Attacks such as those in San Bernardino, Orlando, and recently in Charlottesville all reflect the evolving threat landscape we now face.

As we continue to adapt our efforts to meet the changing nature of this threat picture, the infrastructure we have built to further our counter-terrorism efforts remains critical. The Nationwide Suspicious Activity Reporting (SAR) Initiative (NSI) was developed in response to a number of separate drivers, to include the 9/11 commission report, the Intelligence Reform and Terrorism Prevention Act (IRTPA) and a number of separate but related activities that respond directly to the mandate to establish a “unified process for reporting, tracking, and accessing [SARs]” as called for in the National Strategy for Information Sharing (October 2007). In 2009, the Program Manager for the Information Sharing Environment (PM-ISE), working with a number of federal, state, and local partner organizations, conducted an “evaluation environment” at five state fusion centers and seven DHS recognized major urban area fusion centers, in coordination with DHS and the FBI’s eGuardian system, to test and evaluate policies, procedures, and technology needed for a unified process for the gathering, documenting, processing, analyzing and sharing of suspicious activity determined as being observed behaviors reasonably indicative of preoperational planning related to terrorism or other criminal activity.

Those early efforts by PM-ISE and others led to the creation of the NSI and the NSI PMO. Subsequently, in 2012, the Under Secretary of I&A sent a notice to Congress of our intent to take responsibility for the management and support of the NSI Program Management Office (PMO). The FBI co-manages the NSI and is primarily responsible for the technical aspects of the NSI. Since the FBI is also recognized as the lead for counter terrorism investigations, they are not only a partner in the advancement of the NSI, but also a key consumer and benefactor of the information gathered and shared within the NSI framework.

Law enforcement professionals cannot protect their communities effectively without the help of a vigilant public, who in turn must be able to identify and report suspicious behavior and incidents. This creates a need for an effective, standardized methodology for sharing information that is both meaningful and actionable in the face of an imminent threat. Since 2010, over 100,000 Suspicious Activity Reports have generated over 2,300 Information Sharing Environment (ISE) SARs that initiated or enhanced an FBI investigation and/or were connected to the Terrorism Screening Center (TSC) Watchlist. Further, ISE-SAR information was included in over 2,000 intelligence products.

While addressing terrorism and other violent crimes, we must also be sure to safeguard the protection of civil rights, civil liberties and privacy. As such, this program is subject to extensive scrutiny and oversight.

Although terrorist attacks on our communities have federal jurisdictional impact, pre-incident activities carried out by terrorists prior to conducting attacks may be unknown to federal law enforcement. In February 2015, the National Consortium for the Study of Terrorism and Responses to Terrorism (START), published a report titled Validation of the Nationwide Suspicious Activity Reporting (SAR) Initiative: Identifying Suspicious Activities from the Extremist Crime Database (ECDB) and the American Terrorism Study (ATS). The START study looked at SAR reporting in two open source projects, the ECDB and the ATS, referencing the 16 indicators and behaviors utilized to determine if a tip or lead was reasonably indicative of a potential link to terrorism. The START study verifies the utility of the NSI, which provides law enforcement and homeland security agencies with a uniform method for gathering and reporting raw tips, leads, and reports of suspicious activity. This data is reviewed and vetted by trained fusion center personnel using established standards. From an analytical perspective, the study supports how the vetting efforts of trained analysts may ultimately lead to the enhancement of terrorist investigations. Furthermore, analysts’ reliance upon the established 16 ISE-SAR behaviors is validated by this study and will ultimately assist them in the potential reporting of SAR and the development of products that use and evaluate SAR.

The Functions of the NSI PMO

The NSI is not a single monolithic program, rather it is a coordinated, distributed effort that leverages and integrates all ISE-SAR-related activities into a national unified process. The overarching strategy is to implement common processes, policies, and technical solutions for gathering, documenting, processing, analyzing, and sharing information about terrorism-related suspicious activities. The ultimate objective is for NSI participants at all levels of government to adopt consistent policies, standards, and procedures that foster broader sharing of SARs while ensuring that privacy and civil liberties are appropriately protected in accordance with federal, state, and local laws and regulations.

The NSI is a shared responsibility, and consists of a decentralized structure that relies on every stakeholder to do its part. The NSI Enterprise as a whole cannot function and will not serve its mandate without each person and partner organization doing its part.

Specifically, the NSI PMO is responsible for overall planning and coordination of the NSI, to include development of top level policies, processes, and standards, but defers to respective federal, state, and local agencies to implement and deploy system solutions that are consistent with that direction and are tailored to their local business process and system environments. The PMO coordinates the nationwide implementation of the SAR process. In this role, it advises and assists participating agencies in implementing NSI solutions and adjudicating conflicts where necessary to achieve a smooth implementation across the Information Sharing Enterprise (ISE).

The PMO is also responsible for maintaining and updating the NSI operating procedures, including publication of updates to the Concept of Operations (CONOPS) as required to reflect operational improvements. The NSI provides guidance to participating agencies on the operating procedures associated with the individual steps in the NSI cycle, but relies heavily on participating agency expertise in key areas such as tactical risk assessment and information analysis. Further, the PMO is responsible for working to ensure that all NSI activities are carried out in a manner consistent with the ISE Privacy Guidelines, the ISE-SAR Functional Standard, and other federal, state, and local laws and regulations.

A comprehensive training program for NSI participants is a vital component of an effective NSI process. This training program addresses the needs of all levels of law enforcement personnel so that they can recognize the behaviors and incidents that represent terrorism-related suspicious activity, while ensuring that privacy and civil liberties are protected. DHS I&A, in coordination with DHS Office of Operations Coordination (OPS), leads the NSI’s efforts related to policy, training, and outreach, while the FBI leads the deployment, maintenance, and access efforts surrounding the NSI technology platform, eGuardian.

The NSI PMO is responsible for maintaining and updating the ISE-SAR Functional Standard and its associated technical artifacts. Finally, although neither an acquisition nor an implementing organization, the NSI PMO is responsible for providing implementation guidance and operational support to NSI participants. This support includes presentations at conferences, workshops, and similar forums as well as direct interaction with sites where required. The PMO and FBI eGuardian managers provide day-to-day operational support capabilities such as 24-7 help-desks, on-call support, etc., but typically rely on partners and contracted support to actually provide these services.

By design, the NSI PMO is a relatively small operation, working as part of a multi-agency, interagency process. The NSI PMO prioritizes focusing resources on the program to the greatest extent possible, and minimizing overhead costs to ensure available resources are dedicated to the efforts of law enforcement officers and the Enterprise partners. The NSI PMO operates on a small budget relative to the impact the office has demonstrated, and continues to expand on the program.

The Role of Our Strategic Partners

The Department of Justice (DOJ), through the Bureau of Justice Assistance (BJA), provided initial stand-up funding for the NSI and managed the program from its inception until the program was transitioned out of BJA. DOJ also provides legal and policy expertise on historic policy and implementation decisions associated with the NSI, as well as facilitating input from its Global Advisory Committee (GAC),1 and the Criminal Intelligence Coordinating Council (CICC).2

Crime Stoppers USA (CSUSA) is the national Crime Stoppers organization that spans the United States to create a network of local programs that work together to prevent and solve crimes in communities and schools across the nation. Its mission is to develop innovative resources and partnerships that promote Crime Stoppers throughout the United States. The NSI and CSUSA have a Memorandum of Understanding establishing a partnership that has directly increased the amount of quality reporting through their unique anonymous tips programs. The NSI and CSUSA are committed to advancing our respective missions through enhanced training, strategic partnerships and support in many areas where mutual interest is identified.

1 The GAC consists of organizations appointed by the U.S. Attorney General or his/her designee. The GAC acts as the focal point for justice information sharing activities and works to provide the U.S. Attorney General and the U.S. Department of Justice (DOJ) with appropriate input from local, state, tribal, and federal agencies/associations in the ongoing pursuit of interjurisdictional and multidisciplinary justice information sharing.
2 The Criminal Intelligence Coordinating Council (CICC) is sponsored and supported by DOJ and works across the full spectrum of law enforcement and intelligence agencies to establish priorities, national best practices and support for federal, state, local, and tribal law enforcement and homeland security agencies in their ability to develop and share criminal intelligence and information nationwide.


Key Metrics

Through June 2017, the NSI has received over 100,000 SAR submissions, of which over 35,000 contained a potential nexus to terrorism and were submitted to eGuardian as ISE-SARs. Of those reports, over 2,300 have been identified as being either associated with an FBI investigation and/or associated with a subject known to the Terrorism Screening Center (TSC). These numbers represent both a testament to the good work being done in vetting, validating and assessing these reports, and to the work being done by our state, local, tribal and territorial (SLTT) partners to distill a limited number of reports from the millions of tips and leads received throughout the country annually.

Over 2,000 intelligence products have been produced that incorporate some aspect of an ISE-SAR into the product itself. These products include the Roll Call Release, the Field Analysis Report, and Joint Special Event Threat Assessments. The products exemplify the value being placed on ISE-SAR reporting when coupled with additional information at the federal and SLTT levels.

The quality reporting being provided through the NSI is evident by the examples provided above; however, those numbers are directly associated with the level of effort that has been focused on training and outreach. The NSI conducted 181 technical assistance deliveries in support of our SLTT partners from 2010 to June 2017. The NSI’s hometown security partners’ video series, which focuses on specific sector outreach, such as private sector security, point of sale retailers, and line officers, was viewed over 480,000 times. Within that same time period, over 3,000 federal, state, and local criminal intelligence personnel have received more in depth training through our SAR in-residence training. This course focuses on the ISE-SAR vetting process, the use of technology for reporting, and the importance of protecting the privacy and civil rights/civil liberties of our citizens.

More recently, from January 2016 through June 2017, the NSI conducted 21 technical assistance deliveries, the hometown security partner videos were viewed over 56,000 times, and over 400 federal, state, and local criminal intelligence personnel went through our SAR in-residence training.

In addition to its intended benefits, the NSI has also allowed for numerous tips and leads to reach law enforcement. As just one example of many being reviewed, the State of Texas Fusion Center alone reported over 2,300 non-terrorism related criminal SARs that came in through the NSI established SAR framework but were not shared through the FBI eGuardian platform because they did not meet the ISE-SAR threshold outlined in the Functional Standard. Still, those suspicious activity reports resulted in significant investigations into a wide range of felony cases including murder, robbery, sexual assaults, high risk threats to children, human trafficking, drug trafficking, violent gangs and many others. We continue to work with state and local law enforcement partners across the country to begin capturing more information on the broader hometown security and public safety impacts of the NSI framework.

Moving Forward

The NSI PMO will continue to focus on the core mission of keeping our communities safe and protecting our critical infrastructure and key resources. It will do this by continuing to focus on ensuring a standardized process for conducting stakeholder outreach; ensuring civil rights and privacy protections continue to be the cornerstone of the program; delivering training, and facilitating continued improvements in program support; and advancing technology to simplify and expand sharing of critical information and reporting.

The NSI PMO and our partners across government and the private sector will continue to identify new opportunities and build strategic partnerships to advance the NSI and encourage our partners and our stakeholders to increase reporting and strengthen the NSI Enterprise.

With your support, the NSI PMO will continue to improve its systems, and expand training support to our law enforcement partners and key stakeholders.

Ultimately, the NSI relies on the public to report what they see, and to know that if they “See Something, Say Something”. The NSI does not only need individuals to do their duty, it also needs organizations, associations, corporations and industries to do their part. Congress can add great value here by creating meaningful incentives for private industry and corporations to train their workforce on what to look for and how to report what they see. Most private sector organizations do not think a major event will affect them, so they weigh the cost of devoting personnel time to NSI training against the improbability they will see something major occurring, and thus forgo what we see as a critical need. The NSI would like the opportunity to discuss further with Congress and this Committee innovative ways to increase participation by the private sector.

Thank you for the opportunity to testify, and I look forward to your questions.

Last Updated: 08/31/2023
Was this page helpful?
This page was not helpful because the content