Shortly after the September 11 terrorist attacks, three FBI field offices began using an application called the Terrorist Activity Reporting System to track and monitor terrorist threats and suspicious incidents.⁸ Soon after, this application was further developed and integrated throughout the FBI. It has become the cornerstone of the FBI’s terrorist threat assessment process for supporting the identification, collection, management, evaluation, analysis, and dissemination of all terrorist threats and suspicious incidents up to the secret classification level.

Guardian Threat Tracking System

In 2002, the FBI upgraded the Terrorist Activity Reporting System to allow for multi-field office use and deployed a pilot terrorist threat tracking application, called Guardian, to select field offices. After successfully testing the pilot program in 2004, the FBI deployed an updated version of Guardian, Guardian 1.4, for use throughout the FBI on its internal computer network. In October 2006, the FBI deployed another upgraded version, Guardian 2.0, which remains in use today.

Counterterrorism threats and suspicious incidents are captured, stored, and assigned in Guardian, which can be searched by all FBI employees and other government agency partners who the FBI has determined need counterterrorism-related intelligence information. Guardian has grown into a sizeable threat tracking system over the years. As of November 2007, FBI officials stated that the system included approximately 108,000 potential threats, suspicious incidents, and terrorist watchlist encounters.⁹

The FBI is developing an additional threat tracking system to complement Guardian, called E-Guardian. E-Guardian is designed to facilitate the sharing of threat and suspicious incident information between the FBI and its state, local, and tribal law enforcement partners that do not have access to Guardian. Users will be able to access E-Guardian to enter incidents, view incidents, search data, or build reports. Additionally, users will be able to transfer data to other software applications using E‑Guardian’s data export capabilities. However, deployment of E-Guardian, originally scheduled for October 2007, has been delayed. E-Guardian is now planned to be implemented in phases nationwide, and the FBI plans to fully complete its rollout by the end of 2008.

Guardian 1.4

The initial deployment of Guardian 1.4 in 2004 provided the FBI with a terrorist threat tracking system that included:  (1) an electronic environment for the management of counterterrorism threats, (2) a centralized database for all counterterrorism threats received by both the FBI headquarters and the field offices, (3) a database to enter and search threats in real time, (4) an historical record of the investigative activities applied to address the threat, from entry of the threat to closure in the system, and (5) a tool to ensure threats are expeditiously assigned to an agent to investigate.

Guardian 2.0

The current version of the terrorist threat tracking system, Guardian 2.0, provides additional features to enhance the FBI’s ability to assess and resolve terrorist threats and suspicious incidents. Guardian 2.0 enhancements include:  (1) improved methods to route work, assign and accept tasks, and manage resources; (2) improved methods to share investigative data in support of intelligence analysis; (3) an increased capability to share investigative data with other government agency partners; and (4) a new capability that permits agents to auto-populate Guardian threat information directly in the FBI’s Automated Case Support (ACS) system for additional investigation and threat resolution.

Guardian Concept of Operations

Guardian was developed to assure that all threats and suspicious activities are assigned and investigated, multiple users have real time access to investigative developments, and trend analysis up to the SECRET level can be conducted.

Guardian was intended to provide both the FBI and its government agency partners with the tools to track suspicious activity, add or update terrorist threat information, and perform analysis against the collected data. A definition for each class of Guardian user follows.

Guardian Classes of Users

User Roles	Definition
Administrator	Privileged user who creates and administers user accounts and the application to ensure compliance with policy. There are local and enterprise administrators. Local administrators can only affect their assigned office, while enterprise administrators can affect the entire organization.
Incident Assignee	An individual responsible for an incident.
Incident Author	An individual who initially enters the threat or suspicious activity report.
Supervisor	Supervisor of a group that owns and is responsible for the incident.10
Guardian User	An individual granted access to system functionality in accordance with FBI policies.

Guardian’s Threat and Suspicious Activity Service is used to manage and track all suspicious activities and threats entered by Guardian users. This service is based on the following activities:

Incident Entry – As threats and suspicious activities are reported, the details associated with the threat are entered in Guardian. As additional investigative work is completed, information is added to the incident to update the status.

Incident Management – Assistance can be requested from offices to ensure incidents are investigated in a timely manner. These tasking requests are tracked and the system provides reporting capabilities on the status of the requests. For example, if investigative assistance is required by a field office from the FBI Counterterrorism Division (CTD) or another field office, the request can be tracked in Guardian.

Guardian Processing

The Guardian process to manage suspicious activities and threats can be summarized in three major areas.

Entering a Suspicious Activity/Threat – An incident entry is created when a suspicious activity or threat is entered in Guardian. The Guardian user records details about the suspicious activity or threat and enters this information in the Facts of Incident field. Once the incident is recorded and saved, it is available for review and assignment.

Modifying an Existing Suspicious Activity/Threat – Through their investigative lifecycle, incidents are updated with additional information. Authorized users have the ability to add information to an incident. For example, Intelligence Analysts, Special Agents, and Supervisory Special Agents (SSA) can add individual notes to an incident after the incident is assigned to them.

Closing a Suspicious Activity/Threat – Once a field office has completed its investigation of an incident, it can mark the incident as completed. The supervisor adds additional remarks as to the assessment of the incident to close the incident.

After completing the entry of an incident, a user submits the incident to the SSA for approval. After the SSA approves the incident entry, Guardian automatically generates a FD-71a complaint form, and the information from the FD-71a is automatically entered in the ACS system.¹¹ The FBI provided the following hypothetical example to describe a typical initial threat assessment utilizing Guardian’s capabilities.

Guardian is intended to provide the capability to manage incidents through their entire lifecycle and account for all work performed against the incident. Guardian also provides a Workflow and Task Management Service that allows users to electronically task individuals and groups to investigate an incident. The workflow service allows supervisors to route incidents through various FBI field offices. Within the field office, the investigative squad supervisor can assign the incident to a squad member for investigative follow up.

Guardian Analytical Tools

Guardian also provides a Search Service that allows users to search all incidents in the system. The Search Service can locate records and search information contained in all Guardian incidents. Users can filter the information against which the search is conducted, such as:

• the organizational structure (e.g., individual, group, office);
  
  
• the time period in which the information was obtained;
  
  
• incident location (e.g., all incidents within Los Angeles, CA);
  
  
• information categorizing incidents (e.g., type of incident, type of method, alleged organization); or
  
  
• information categorizing sources of information (e.g., state, local, or federal agency).

To provide the capability for trend analysis of threats, and to ensure that threats are properly investigated, Guardian also provides a Threat Reporting Service. Guardian can create both ad hoc and predefined reports to allow users to track investigative activity on an incident and provide trend analysis of threats. Ad hoc reports address unique or specialized needs, such as reports summarizing the number of terrorist incidents related to the oil and natural gas industry. The user specifies the report’s criteria and parameters, identifies the information to include in the report, and formats the display of the information reported.

Predefined reports are designed to present statistical measures of information within Guardian. Guardian supports several broad categories of predefined reports including statistical, resource management, program management, incident management, and audit reports. The FBI provided the following two examples of typical reports that Guardian can generate:

1. To support the yearly reallocation of personnel, an Assistant Special Agent in Charge in an FBI field office can generate a report showing all incidents assigned to the office’s operational squads and detailing the statistics on each incident to evaluate the relative performance of the squads.
   
   
2. FBI Headquarters can generate a report to answer a Congressional inquiry about the number of threats reported last year and how many of those threats resulted in the opening of a terrorism investigation.¹²

Department of Justice and FBI Terrorist Threat Policies and Guidelines

During our review, we tested the FBI’s compliance with the Guardian 2.0 Policy and System Guidelines (Guardian System Guidelines), and the FBI’s Guardian 2.0 User’s Guide (User’s Guide) regarding the accuracy, timeliness, and completeness of the incident information entered by users in Guardian. We also tested the FBI’s compliance with the Attorney General’s Guidelines on General Crimes, Racketeering, and Terrorism Investigations (General Crimes Guidelines) and the partially classified Attorney General’s Guidelines for National Security Investigations (NSI Guidelines) regarding the FBI’s process for requesting subpoenas.

Guardian-related Guidelines

To ensure all threats and suspicious incidents recorded in Guardian are assessed in a timely manner, the Threat Monitoring Unit (TMU) established Guardian-related Guidelines. These guidelines identify the requirements for the administration and management of Guardian and for the training of Guardian users. Additionally, the CTD developed a comprehensive Guardian User’s Guide that identifies the specific actions required by Guardian users to enter, approve, assign, assess, and close potential or known terrorist threats and suspicious incidents.

Attorney General Guidelines

The Attorney General’s General Crimes Guidelines provide guidance for FBI general crimes and criminal intelligence investigations. These guidelines identify the circumstances when threat assessments and counterterrorism investigations may be started, as well as the permissible scope, duration, subject matters, and objectives of the investigations.

The NSI Guidelines establish additional standards for the FBI to follow when investigating threats related to national security. The guidelines require that the FBI open a preliminary investigation or full field investigation before conducting certain investigative activity in national security cases, such as obtaining a subpoena.

OIG Audit Approach

The Department of Justice Office of the Inspector General (OIG) initiated this audit to evaluate the FBI’s use of Guardian to identify, track, and address terrorist threats and suspicious incidents. To accomplish these objectives we examined:  (1) the FBI’s use of Guardian, (2) its threat assessment processes and operational guidance established by FBI headquarters, and (3) its threat assessment policies and procedures in practice at the six field offices we visited.

To conduct this review we:  (1) reviewed threat management documents developed by the FBI’s Counterterrorism Division; (2) interviewed FBI officials and Guardian users assigned to various headquarters locations; (3) interviewed FBI officials and Guardian users at select field offices; (4) examined the process followed by the FBI in developing, implementing, maintaining, and updating Guardian; (5) tested samples of terrorism-related incidents tracked in Guardian; and (6) tested samples of counterterrorism-related cases in the FBI’s Automated Case Support system.

Threat assessment investigative activities are normally conducted by Special Agents assigned to FBI field offices, supplemented by investigative support from the CTD. Our audit focused on the investigative activities reported in Guardian to address terrorist threats and suspicious incidents at the six field offices we visited, as well as the investigative support and oversight provided by the FBI’s CTD.

We tested 218 Guardian incidents to determine if the FBI: (1) completed the required supervisory reviews of each threat and suspicious incident reported in Guardian, (2) addressed each incident in a timely manner, and (3) accurately and thoroughly reported the details of the incident in Guardian. We also tested 177 FBI terrorism cases reported in the ACS system to determine if the FBI included in Guardian all of the threat and suspicious incident activities identified during ongoing investigations. In addition, we tested the FBI’s compliance with the Attorney General’s investigative guidelines regarding subpoenas requested prior to opening a preliminary or full field investigation. Appendix I contains further discussion on our audit objectives, scope, and methodology.