The Federal Bureau of Investigation's Terrorist Threat and Suspicious Incident Tracking System

Audit Report 09-02
November 2008
Office of the Inspector General

Findings and Recommendations

FBI Process to Address Potential Threats and Suspicious Incidents

The FBI receives terrorist threat and suspicious incident information from a variety of sources, including:  (1) the general public, (2) other government agency partners, (3) state and local law enforcement, (4) ongoing FBI investigations and intelligence assessments, and (5) FBI Legal Attachés.

Contacts from the general public generate a large number of threats and suspicious incidents that are reported to the FBI through telephone calls, e-mail, mail correspondence, or through the FBI’s website. From our review of FBI database information, we determined that during fiscal year (FY) 2006, the public provided the FBI with approximately 219,000 tips that resulted in over 2,800 counterterrorism threats and suspicious incidents entered in Guardian for investigative follow up.

Regardless of the reporting source, FBI policy requires that each threat or suspicious incident receive some level of review and assessment to determine its potential nexus to terrorism and the credibility of the threat or suspicious incident. Guardian provides the vehicle for the FBI to track, assess, and manage pre-case threats and suspicious incidents. The results of those assessments are recorded in Guardian. Certain assessments are upgraded to preliminary inquiries or full field investigations, and other assessments are closed with the information retained in Guardian for possible future intelligence value. The graphic on the following page provides an overview of the FBI’s threat disposition process.

Threat disposition process (text rendering of the report’s flow diagram):

1. A threat incident is reported to the FBI by state or local law enforcement, the general public, or another government agency. The incident is recorded and is available for search in either ACS or Guardian.
2. The FBI performs a threat assessment of the incident.
3. The incident is submitted for supervisory review and closure, which is recorded in Guardian.
4. Disposition:
   - If no nexus or only a possible nexus to terrorism is found, the incident is archived in Guardian and remains available for search in ACS and Guardian.
   - If a definite nexus to terrorism is found, a Preliminary Inquiry or Full Field Investigation is opened in ACS, searchable in both Guardian and ACS.*

*If the incident was initially reported in ACS and no corresponding entry was made in Guardian, the incident will only be searchable in ACS.

At FBI field offices, threats and suspicious incidents are normally entered in Guardian by either Special Agents specifically assigned to Guardian squads, or by the Special Agent or Intelligence Analyst who initially received the threat information.13 A Guardian pre-case incident entry field creates a task for the supervisor to determine if the threat is credible.14

If the supervisor determines the threat is credible, the supervisor assigns a Special Agent or Intelligence Analyst to investigate the threat or incident. The agent or analyst performs the necessary investigative work, returns the results to the supervisor, and requests closure of the incident in Guardian. The supervisor reviews the completed investigative work and, if the supervisor determines the incident is adequately investigated, the incident is considered addressed and the supervisor closes the pre-case incident in Guardian.

If the supervisor determines that additional investigative work is necessary, the supervisor returns the task to the agent or analyst. If the FBI’s pre-case threat and suspicious incident assessment work finds a nexus to terrorism, a preliminary or full field investigation is initiated. If no definite nexus to terrorism is found, the incident information is retained in Guardian for its intelligence value, but no investigation is initiated.

OIG Evaluation of the FBI’s Terrorist Threat Processing

We visited six FBI field offices and tested a sample of the terrorism-related incidents entered in Guardian to determine if the field offices:  (1) completed the required supervisory reviews of each threat and suspicious incident reported in Guardian, (2) addressed each incident in a timely manner, and (3) reported the details of the incident in Guardian. We selected the following field offices to provide perspective from a cross-section of the FBI field organization in terms of field office size, operational activity, and geographic location.


We obtained from the FBI a universe of Guardian threat incidents for each of the field offices we selected. The universe included incidents with inactivity of 30 days or more and recorded after October 23, 2006, the date the latest version of Guardian was implemented. We did not test incidents recorded in the previous version of Guardian because that version had substantially less functionality than the current version and did not archive the same data as the current version.

In selecting our judgmental test samples for each field office, we sought to include a minimum of 10 percent of the total threat incidents recorded in Guardian for the 6 sampled field offices in our universe, with a minimum of 25 and a maximum of 50 incidents tested at each field office. Our testing sample included all incidents open for over 30 days at each field office. Our total testing sample for the 6 field offices included 218 threat incidents. The following table illustrates the threat universes we found for each of the six field offices during the period October 23, 2006, through June 22, 2007, and the testing sample we drew from each.

Guardian Incident Universe and
Number of Incidents Selected for Testing by Field Office

FBI Field Office    Total Guardian Incident Universe    Guardian Incidents Selected for Testing
Philadelphia          81                                  25
Washington           285                                  33
New York             537                                  50
Detroit              115                                  30
Kansas City           32                                  30
Los Angeles          571                                  50
Total              1,621                                 218
Source: FBI Counterterrorism Division

We reviewed additional data from the New York Field Office because we found, in addition to the 537 incidents in our sample universe, over 700 open incidents in the prior version of Guardian that were entered before October 2006. We added a sample of 30 more incidents at the New York Field Office only to determine the causes for these incidents remaining open for an extended period.


Guardian’s ability to accurately track threats depends on the accuracy, timeliness, and completeness of the incident information entered by users of the system. At each field office we visited, we tested the key attributes we considered essential to successfully entering, updating, and managing incidents in Guardian:  (1) the completeness of the incident summary, (2) supervisory oversight of the incident, (3) timeliness of investigative activity, and (4) completion of Guardian’s supplementary search tabs.

Guardian Incident Summary

Users are required to enter threat data in Guardian through a screen called the Incident Summary Screen, which provides a summary of the terrorist threat or suspicious incident and describes the details of a terrorist threat or suspicious incident. We reviewed the Incident Summary Screen for the 218 sampled incidents to determine if the users entered the incident completely. We found that all of the necessary summary information was included in the incidents we tested.

We believe the FBI’s completeness in the initial incident recording is a result of the training provided to Guardian users through its Virtual Academy. The FBI’s Virtual Academy is a computer-based training initiative that provides FBI personnel with access to a wide range of training from their desktop computers. In addition, the Foreign Terrorist Tracking Task Force (FTTTF) and the Threat Monitoring Unit (TMU) formed a deployable Guardian training team that visited most of the FBI’s field offices. We believe that the initial training provided to the field agents contributed to the rapid assimilation and complete entry of initial incident information in the latest version of Guardian at the FBI’s field offices.

Supervisory Oversight of the Guardian Incident

To provide supervisory oversight and improve the workflow process, users who enter information in Guardian are assigned one of three user roles:  (1) investigator or analyst, (2) supervisor, or (3) administrator.

According to the Guardian User’s Guide, an SSA or a Supervisory Intelligence Analyst is responsible for reviewing and closing each threat or suspicious incident in Guardian. The User’s Guide requires the supervisor to then make a determination as to whether the threat is satisfactorily addressed or if additional investigation, analysis, or updating of the incident is required. The supervisor performs critical oversight during the Guardian threat assessment process because the supervisor provides the FBI’s final quality assurance check to ensure that each Guardian threat assessment is resolved completely and accurately.

The FBI provided an example of an SSA initially receiving, assigning, and evaluating the Guardian incident: 

We reviewed the supervisory actions taken in each of the 218 Guardian incidents tested. For 191 (88 percent) of the incidents tested, we found the required supervisory review was entered in Guardian. However, in 27 (12 percent) of the incidents, the supervisor did not record the required supervisory review prior to closing the Guardian incidents.

Supervisory Oversight in Guardian (chart)
Threat closure approved by supervisor: 88 percent (191 incidents). Threat closure approved by non-supervisory personnel: 12 percent (27 incidents).

Source: OIG analysis of FBI data

At three FBI field offices that we visited (Washington, New York, and Los Angeles), we found that a supervisor reviewed each of the Guardian incidents we tested. We also found that the SSAs and the investigative squads responsible for the Guardian program in these offices understood the requirements of the Guardian threat tracking system. At these three field offices, the Guardian SSAs reviewed Guardian threats and suspicious incidents and rarely delegated the supervisory review of the incidents to another supervisor.

At the other three FBI field offices we visited (Detroit, Kansas City, and Philadelphia), we determined that supervisors did not review all Guardian incidents. At one of the field offices, the SSA assigned oversight responsibilities for the Guardian program was not aware of the Guardian supervisory requirements. At another field office, we found that the responsible SSA had technical problems accessing Guardian, and he delegated the closure of some incidents to a non-supervisor. At the third field office, the SSA delegated the supervisory closure to the Guardian administrator who was not a supervisory agent or analyst.

Thus, although CTD guidance clearly states the Guardian supervisory review requirements, three of the six field offices we visited did not meet those requirements. Threats and suspicious incidents are at risk of closure without complete and thorough assessment if a supervisor does not review Guardian incidents. We therefore recommend that the CTD should increase its oversight of the Guardian review program to ensure all Guardian incidents receive the required supervisory review.

Timeliness of Investigative Activity to Address Guardian Incidents

Guardian users are prompted by the system when entering an incident to establish a priority rating for the reported incident. The system includes three ratings: immediate, priority, and routine.

The prompt assessment of terrorist threats and suspicious incidents is essential to ensure Guardian’s database is complete and promptly updated. Delays in assessing Guardian incidents could also result in incorrect assessments of the threat or duplication of the Special Agent’s work because the most current threat information will not be included in Guardian’s database. During our review of 218 Guardian incidents, we examined the timeliness of the Guardian threat assessment process. At 5 of the 6 field offices we visited, we found 60 incidents (28 percent of the 218) that did not meet the 30-day criterion for routine assessments. At the remaining field office, all 25 incidents sampled were closed within the 30-day criterion. Because Guardian 2.0 provides real-time threat information to all users, we found that both the CTD and field office supervisors exercised adequate oversight over each threat and suspicious incident assessed at the priority or immediate level.

We discussed the timeliness criteria with SSAs at the FBI’s headquarters and Special Agents at the field offices and found that they considered the 30-day period to address routine threats as guidance, not required criteria. We were told that some complex threats, such as threats that require contact with sources outside the United States, cannot be fully addressed within the 30-day guideline. FBI officials agreed that the current policy needs to be clarified.

Therefore, we also evaluated timeliness by examining threat assessments that included periods of inactivity in excess of 30 days.

We analyzed FBI documentation and identified Guardian incidents that had not been addressed for a period in excess of 30 days. From the Guardian universe of over 2,450 open Guardian incidents, we identified 1,621 (66 percent) that remained open for a period in excess of 30 days.

Timeliness Testing (chart)
Threat resolved within the 30-day criterion: 72 percent (158 incidents). Threat inactive over 30 days: 28 percent (60 incidents).

Source: OIG analysis of FBI data

We found 60 of the 218 incidents we tested (28 percent) with periods of inactivity that exceeded 30 days. We could not readily determine the reason for the extended period of inactivity based on the information available in Guardian because the incident information in Guardian did not include reasons for the periods of inactivity.

We found differing records of adherence to timelines for threat assessments in the field offices we visited. At the Philadelphia Field Office, we found that all 25 routine incidents sampled were closed within the 30-day requirement. The SSA responsible for the field office’s threat management used a spreadsheet that accurately tracked the status of each of the open Guardian incidents at the field office. He also provided evidence that he routinely briefed the field office’s senior managers on the status of all ongoing threat assessments in progress. Although other field offices produced evidence of briefings to field office senior management, in our view the Philadelphia Field Office’s controls on the timely management of threat assessments were the most effective of the six field offices we visited.

By contrast, at the New York Field Office we identified 700 Guardian incidents that remained open for a period in excess of 90 days. We expanded our testing at this location to include an additional 30 Guardian incidents. We found 27 of the 30 additional tested incidents (90 percent) remained open beyond 90 days and several remained open for over 1 year. An SSA there said he believed the incidents had been closed at some point, but the conversion process that occurred during an update of Guardian caused the incidents to re-open. We did not find a problem with the Guardian 1.4 conversion process at any of the other field offices we visited. From our review of the 27 incidents that remained open for over 90 days, we could not determine if the incidents were ever closed in Guardian.15

Based on our overall review of the Guardian incidents and our interviews with FBI officials, we concluded that some Guardian incidents in the system were perceived to have a very low priority and remained unaddressed in the threat tracking system for several months. We recommend that both the field offices and the CTD develop additional guidelines and controls for addressing Guardian incidents in a timely manner.

Completeness of Guardian Data

Guardian can separate threat incident information into its basic components, such as sources, targets (places), subjects (people), weapons or methods, and vehicles. The additional breakdown of threat information can provide Guardian users with enhanced search and trend analysis capability. After a user enters the threat information in Guardian, information can be searched by a particular threat component. The user completes a series of tabs within Guardian that provide specific details on the aforementioned threat components, such as sources, targets (places), subjects (people), weapons or methods, and vehicles. As a result, searches can be done for various types of information in Guardian, and trend information can be readily established.

For example, Guardian’s Incident Vehicles Screen allows users to search for vehicles associated with an incident to determine if they were also associated in another incident. Guardian also has the ability to add a picture of a vehicle to the database. However, if a user does not enter full and complete data on a vehicle associated with an incident, the effectiveness of Guardian as a search tool to aid in the threat assessment process is reduced. Additionally, Guardian’s ability to provide users with useful trend analysis of threats and suspicious incidents is similarly diminished.

As noted in the following chart, our testing found that users did not complete the applicable supplementary tabs in 66 of the 218 incidents (30 percent) we tested.

Supplementary Tabs Testing (chart)
Applicable tabs completed: 70 percent (152 incidents). Applicable tabs not completed: 30 percent (66 incidents).

Source: OIG analysis of FBI data

We also determined that the guidance the FBI provided to its Guardian users about completion of the supplementary tabs was inadequate. FBI policy does not clearly establish whether the completion of the supplementary tabs is required. Some FBI officials stated that they believed the completion of the supplementary tabs was essential because it improved Guardian’s search and trend analysis capabilities. Other FBI officials stated that the increased workload generated by completing the supplementary tabs was not justified. As a result of the inconsistent application of this guidance, searches of Guardian can result in incomplete and inaccurate threat assessment information. We believe the CTD should issue definitive guidance to Guardian users regarding the completion of the supplementary tabs based on its assessment of the value added by the completion of the tabs.

Results of Automated Case Support System Testing

FBI field offices frequently uncover threat and suspicious incident information during the course of ongoing investigations. Sometimes the imminent nature of the threat requires that the FBI bypass the threat assessment process and immediately open an investigative case. The FBI currently tracks investigative cases electronically in its ACS system.16

The CTD recognized that threat information could be developed from an existing case and that an investigation should be opened immediately. Therefore, following the deployment of Guardian 2.0, the CTD provided the field offices with the following guidance:

In all instances that involve the immediate opening of an official investigation, upon receipt of a terrorist related threat or suspicious activity report, a Guardian record must be created to summarize the nature of the incident. The record can be immediately marked complete after referencing the case file number.

To assess the number of incidents that were investigated with case files created in the ACS system but not included in the Guardian threat tracking system, we obtained a listing of all terrorism-related cases in the ACS system that did not have a corresponding reference to a Guardian incident number for the six field offices we visited. The report identified 546 ACS cases without an associated Guardian incident number. We selected a sample of 177 of the 546 ACS cases and found that 81 cases (46 percent) were opened in the ACS system but did not have an associated Guardian record. Appendix III shows the universe of FBI terrorism cases without a corresponding Guardian incident number for each of the six field offices we visited.

The FBI guidance regarding Guardian generally requires that all threat information obtained during counterterrorism investigations be included in Guardian. However, the FBI has issued additional guidance for specific instances when threat information should be excluded from Guardian. Specifically, information derived from investigations utilizing sensitive sources or information obtained from more intrusive investigative techniques should not be included in Guardian. Whether to exclude information from Guardian is left to the judgment of the agent performing the investigation.

In reviewing those cases where information was contained within ACS but not entered in Guardian, we asked agents why they did not include some of the required threat information in Guardian. Some agents said they were not aware of the requirement to enter threat information in Guardian after an investigative case had been opened in the ACS system. Other agents said that they thought it was redundant to include threat information in both the ACS system and Guardian because an agent who had access to Guardian would also have access to the ACS system. However, according to FBI management officials, some government agency partners have access to threat information in Guardian but do not have access to the ACS system. As a result, incident information entered only in the ACS system may not be available to all other government agency partners.

Moreover, the E-Guardian application currently under development, discussed later in this report, is designed to share threat information with state and local law enforcement partners, and E-Guardian uses threat information that is only available in Guardian. State and local law enforcement partners generally do not have access to the FBI’s ACS system. Consequently, threat information entered only in the ACS system will not be shared with the state and local law enforcement community.

During the development of Guardian, FBI agents requested that the development team include the ability to enter threat information once in Guardian and automatically transfer the threat information to the ACS system. The development team included this capability in Guardian, and as a result threats entered in Guardian are now auto-populated in the ACS system. However, the reverse of the threat data entry process does not exist. That is, when threat information is entered in the ACS system, the information is not automatically entered in Guardian. Thus, useful threat information obtained during preliminary or full investigations and entered in the ACS system must be entered twice – once in the ACS system and a second time in Guardian. We believe this double-entry process contributed to the exclusion of some of the ACS-related threat data from Guardian.

We also found that the organizational structure of the field offices contributed to the exclusion of some threat information from Guardian. The investigative structure of each field office we visited varied slightly. The basic structure included a Guardian squad that was responsible for entering, tracking, and addressing threats in Guardian, and a counterterrorism investigative squad that was normally part of the field office’s Joint Terrorism Task Force (JTTF).17 The JTTF squad members conducted most counterterrorism investigations after the threat had been entered in Guardian and assigned to the JTTF for further investigation. Because the JTTF members typically enter counterterrorism investigations in the ACS system, they were not as familiar with the requirement to include most threat information in both Guardian and the ACS system.

We believe the CTD should ensure that all agents are aware of and follow the requirement to include appropriate threat information obtained from ongoing counterterrorism investigations in Guardian. This also would ensure that potentially valuable counterterrorism information gathered during the course of investigative case work is retained for future intelligence value and information sharing.
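The four tests the OIG applied in the preceding sections (closure recorded by a supervisor, the 30-day timeliness and inactivity criteria, completion of the applicable supplementary tabs, and ACS terrorism cases lacking a corresponding Guardian record) can be expressed as automated control checks that a program office could run over its own export rather than by manual file review. The Python script below is an added example written for this page; it is not FBI or Guardian code. The record layout, field names, role names, case identifiers, and sample incidents are assumptions constructed for illustration; only the thresholds and roles come from the report.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# From the report: Guardian's three user roles are investigator/analyst,
# supervisor, and administrator; only a supervisor (SSA or Supervisory
# Intelligence Analyst) may close an incident; routine assessments are
# expected within 30 days; the OIG flagged inactivity gaps over 30 days.
SUPERVISOR_ROLES = {"supervisor"}
ROUTINE_DEADLINE = timedelta(days=30)
INACTIVITY_LIMIT = timedelta(days=30)
AS_OF = date(2007, 6, 22)  # end of the OIG review period


@dataclass
class Incident:
    """One Guardian incident. Field names are assumptions for this example."""
    incident_id: str
    priority: str                      # "immediate", "priority", or "routine"
    opened: date
    activity: List[date]               # dates of recorded investigative activity
    closed: Optional[date]
    closed_by_role: Optional[str]      # role of the user who recorded closure
    applicable_tabs: Set[str]          # supplementary tabs relevant to the incident
    completed_tabs: Set[str]
    acs_case_refs: Set[str] = field(default_factory=set)  # ACS case numbers referenced


def closed_without_supervisory_review(inc: Incident) -> bool:
    """Closed incidents whose closure was recorded by a non-supervisor."""
    return inc.closed is not None and inc.closed_by_role not in SUPERVISOR_ROLES


def longest_inactivity(inc: Incident, as_of: date) -> timedelta:
    """Largest gap between consecutive recorded events (open, activity, close or as_of)."""
    events = sorted([inc.opened, *inc.activity, inc.closed or as_of])
    gaps = [later - earlier for earlier, later in zip(events, events[1:])]
    return max(gaps) if gaps else timedelta(0)


def routine_over_deadline(inc: Incident, as_of: date) -> bool:
    """Routine incidents open (or closed) later than 30 days after entry."""
    return inc.priority == "routine" and ((inc.closed or as_of) - inc.opened) > ROUTINE_DEADLINE


def missing_tabs(inc: Incident) -> Set[str]:
    return inc.applicable_tabs - inc.completed_tabs


def acs_cases_without_guardian(acs_cases: Set[str], incidents: List[Incident]) -> List[str]:
    """Terrorism cases opened in ACS that no Guardian record references; the CTD
    guidance requires a Guardian record even when a case is opened immediately."""
    referenced = {ref for inc in incidents for ref in inc.acs_case_refs}
    return sorted(acs_cases - referenced)


def audit(incidents: List[Incident], acs_cases: Set[str], as_of: date) -> Dict[str, object]:
    """Run the four OIG-style tests and return the failing identifiers per test."""
    return {
        "closed_without_supervisory_review": [i.incident_id for i in incidents
                                              if closed_without_supervisory_review(i)],
        "routine_over_30_days": [i.incident_id for i in incidents
                                 if routine_over_deadline(i, as_of)],
        "inactive_over_30_days": [i.incident_id for i in incidents
                                  if longest_inactivity(i, as_of) > INACTIVITY_LIMIT],
        "missing_tabs": {i.incident_id: missing_tabs(i) for i in incidents if missing_tabs(i)},
        "acs_cases_without_guardian": acs_cases_without_guardian(acs_cases, incidents),
    }


# Constructed sample records (not FBI data): G-1 is clean; G-2 was closed by an
# administrator after 74 idle days with the vehicles tab left empty; G-3 is an
# immediate-priority incident still open with no activity since February.
SAMPLE_INCIDENTS = [
    Incident("G-1", "routine", date(2007, 1, 10), [date(2007, 1, 20)], date(2007, 2, 1),
             "supervisor", {"subjects", "targets"}, {"subjects", "targets"}),
    Incident("G-2", "routine", date(2007, 1, 5), [], date(2007, 3, 20),
             "administrator", {"subjects", "vehicles"}, {"subjects"}),
    Incident("G-3", "immediate", date(2007, 2, 1), [date(2007, 2, 2)], None,
             None, set(), set(), acs_case_refs={"CASE-1"}),
]
SAMPLE_ACS_CASES = {"CASE-1", "CASE-2"}  # CASE-2 has no Guardian record

if __name__ == "__main__":
    for test, failures in audit(SAMPLE_INCIDENTS, SAMPLE_ACS_CASES, AS_OF).items():
        print(f"{test}: {failures}")
```

The inactivity check deliberately measures the largest gap between recorded events rather than total age, which is the attribute the OIG used to build its 1,621-incident universe; a long-running but actively worked assessment therefore passes, while an incident with no recorded activity for a month is flagged regardless of whether it was later closed.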

Attorney General Guidelines Testing

During our review of Guardian, we also found that in many instances the FBI had asked United States Attorneys’ Offices to issue grand jury subpoenas related to the assessment of suspicious incidents before opening a preliminary or full field investigation.18 We found that two of the four field offices where we examined this issue, New York and Los Angeles, sought and obtained grand jury subpoenas without opening preliminary or full field investigations. However, at the other two sites, Detroit and Kansas City, the FBI would not obtain grand jury subpoenas without first opening a preliminary or full investigation. Officials from the Kansas City and Detroit field offices indicated that they understood that obtaining grand jury subpoenas required the opening of a preliminary or full field investigation.

First, we sought to determine the extent of the FBI’s practice of requesting subpoenas without opening a preliminary or full field investigation. To do this, we reviewed a computer-generated report from FBI headquarters that identified FBI subpoena requests supported by administrative case control file numbers for the period October 2006 through July 2007. Control files are administrative case files used by the FBI to store information in the ACS system that do not relate to preliminary or full field investigations.

The FBI report that we reviewed identified 4,067 grand jury subpoenas issued from October 2006 to July 2007. Our analysis of the report data identified 1,785 potential instances where the FBI requested subpoenas based on information found exclusively in the administrative case files, where no investigation had been initiated. Because of the large number of subpoenas that would be required for testing, we did not attempt to project our results over the FBI’s entire universe of subpoenas. However, we concluded from our testing that the practice of issuing subpoenas supported by administrative control files was not confined to the two FBI field offices where we first discovered the issue.

We selected 200 of the 1,785 potential instances for testing and removed 64 because we could not readily locate electronic files. We then reviewed the remaining 136 and found that the FBI had requested and obtained grand jury subpoenas without opening a preliminary or full field investigation for 119 (87.5 percent) of the files tested. In 17 (12.5 percent) of the cases tested, we found documentation that indicated the subpoena request could be supported by investigative information from a preliminary or full field investigation.19

Second, we sought to determine whether the FBI’s use of grand jury subpoenas in these instances was consistent with the applicable Attorney General’s Guidelines. At the time of our audit, two sets of Attorney General’s Guidelines governed the FBI’s efforts to address potential terrorist threats and suspicious incidents:  (1) the Attorney General’s Guidelines on General Crimes, Racketeering Enterprise, and Terrorism Enterprise Investigations (General Crimes Guidelines); and (2) the Attorney General’s partially classified Guidelines for FBI National Security Investigations and Foreign Intelligence Collection (NSI Guidelines).

The General Crimes Guidelines govern the FBI’s general crimes and criminal intelligence investigations, and also identify the circumstances under which domestic threat assessments and counterterrorism investigations may be started. In addition, the General Crimes Guidelines govern the permissible scope, duration, subject matters, and objectives of such investigations. There are three stages of investigative activity described in the General Crimes Guidelines – checking of leads, preliminary inquiries, and full investigations.

The General Crimes Guidelines do not specifically address whether grand jury subpoenas can be used in the checking of leads investigative stage – that is, before opening a preliminary inquiry or a full field investigation. Rather, the Guidelines authorize the use of “all lawful investigative techniques,” with limited exceptions not relevant to this review. However, the Guidelines also state that the investigative activity that is permissible prior to the opening of a preliminary inquiry or full field investigation is restricted to “the prompt and extremely limited checking out of initial leads.” The General Crimes Guidelines do not address whether specific investigative techniques, such as grand jury subpoenas, are or are not covered by this limitation.

By contrast, the NSI Guidelines, which relate to the investigation of international threats related to national security, specifically describe the investigative techniques permitted at each stage of investigation. The NSI Guidelines clearly state that the FBI may not use grand jury subpoenas during pre-investigation threat assessments. The NSI Guidelines further state that threat assessments are “comparable to the checking of initial leads in ordinary criminal investigations.” However, the NSI Guidelines also provide that matters within their scope, such as crimes related to international terrorism, may also be investigated under the General Crimes Guidelines.

We discussed with the FBI Office of the General Counsel (FBI OGC) and the Department of Justice Office of Legal Policy (OLP) whether the FBI’s use of grand jury subpoenas to assess leads without first opening a preliminary inquiry or full investigation was consistent with the Attorney General Guidelines. The FBI OGC asserted that the FBI was permitted to obtain grand jury subpoenas in these cases at the pre-investigation stage, noting that nothing in either the NSI or General Crimes Guidelines requires the FBI to make an immediate determination at this early investigative stage regarding which set of guidelines govern a case and that therefore any technique permitted by the General Crimes Guidelines was available to the FBI to assess Guardian leads. Moreover, the FBI asserted that because the General Crimes Guidelines do not specifically prohibit the use of grand jury subpoenas during the “checking of leads,” but rather permit “any lawful investigative technique,” grand jury subpoenas were a legitimate investigatory tool for the FBI to utilize. The FBI OGC stated that the use of grand jury subpoenas was an efficient and effective means of determining whether further investigation of a particular threat was warranted.

We also discussed this issue with the attorney in OLP who is an expert on the Attorney General Guidelines. The OLP attorney recognized that the General Crimes Guidelines were somewhat ambiguous regarding the propriety of using grand jury subpoenas at the checking of leads stage, but agreed with the FBI OGC’s view that the technique was permissible under these Guidelines. He explained that the General Crimes and NSI guidelines are structured differently and use different means to limit the scope of permissible investigative activity. The General Crimes Guidelines do not place specific restrictions on the techniques permitted at any given stage of investigation and instead create time limits on investigative activity. He also said that the language in the General Crimes Guidelines restricting the earliest stage of investigative activity to the “prompt and extremely limited checking out of initial leads” means that, with two exceptions not relevant here, the FBI can use any lawful investigative technique to check out a lead, so long as that pre-investigative stage is concluded quickly. In contrast, the NSI guidelines explicitly list the investigative techniques available at each stage, without regard to how long each stage of investigative activity takes, and explicitly prohibit the use of grand jury subpoenas. Accordingly, in his view it is not sound to draw analogies between investigative techniques permitted under the General Crimes and NSI Guidelines. The OLP attorney also agreed that neither set of guidelines requires the FBI to determine immediately which set of guidelines govern in a particular case.

In sum, it appears that the FBI is not required to determine, before initiating pre-investigative activity, which set of guidelines applies. Moreover, according to the OLP, the FBI’s use of grand jury subpoenas to assess the threats in the matters we tested was permissible under the Attorney General Guidelines.

We note that the Department of Justice recently revised and combined into one document the General Crimes Guidelines, the NSI Guidelines, and other Attorney General guidelines. The new guidelines – the Attorney General Guidelines on Domestic FBI Operations – were issued and made public by the Attorney General and FBI Director on October 3, 2008, and are slated to go into effect on December 1, 2008. These new, consolidated guidelines carry forward the three stages of investigation used in the NSI Guidelines – assessments, preliminary investigations, and full investigations. The guidelines specifically authorize certain methods that can be used during an assessment, including the use of grand jury subpoenas for telephone or electronic mail subscriber information.

FBI Headquarters Threat Assessment Management

The threat assessment process is centrally controlled and managed from FBI headquarters through three mechanisms:  (1) the CT Watch, which operates a 24-hour global command center that has complete visibility and oversight responsibility over Guardian; (2) the Threat Monitoring Unit (TMU), which disseminates counterterrorism policy guidance to the field locations; and (3) the FTTTF, which develops Guardian terrorist threat tracking software. FBI field offices and Legal Attaché offices assist in administering the threat assessment process by tracking and following up on leads that reside within their geographic areas of responsibility.

To measure the effectiveness of the policy and procedural guidance as well as the oversight of the threat assessment process, we:  (1) reviewed threat management documents developed by the CTD; (2) interviewed FBI officials at the FBI headquarters and Guardian users at field offices we visited; (3) reviewed the process followed by the FBI in developing, implementing, maintaining, and updating Guardian; (4) tested a sample of terrorism-related incidents tracked in Guardian; and (5) tested a sample of counterterrorism-related cases in the ACS system.

Counterterrorism Watch Unit

The primary mission of the CT Watch is to direct the immediate response to terrorism threats, incidents, and suspicious activities, and to provide oversight to FBI response operations. The CT Watch is the focal point for the receipt, preliminary analysis, and immediate assignment for action on all domestic and international terrorism threats. It also ensures the timely alert within the FBI and to its other government agency partners.

The CT Watch functions as the clearinghouse for counterterrorism threat information, and its personnel provide input to the FBI Director’s morning and afternoon threat briefings. The CT Watch receives periodic updates regarding completed and pending investigative actions for dissemination to FBI leadership and the Intelligence Community. The CT Watch also shares terrorist threat information with the National Joint Terrorism Task Force (NJTTF), Homeland Security Operations Center, and Transportation Security Operations Center.

To facilitate the sharing of terrorist threat information, the CT Watch is co-located with the NJTTF. The Department of Homeland Security (DHS) provides an analyst for each CT Watch shift, and the CT Watch Commander communicates directly with the Transportation Security Operations Center. Both the FBI’s agents and analysts, as well as analysts at the FBI’s other government agency partners who are approved Guardian users, have access to all of the terrorism threat tracking information in Guardian.

As threats are identified, the CT Watch acts as the conduit between the field and the FBI leadership. The CT Watch sometimes initiates certain investigative steps, although the vast majority of the investigative effort is performed by Special Agents in the field. The CT Watch oversees the investigative effort to ensure the FBI responds to these threats in a coordinated and logical manner. Guardian provides the CT Watch and FBI field agents with a counterterrorism incident management application to aid the management and tracking of terrorist threats and suspicious incidents.

The CTD developed an operating manual that includes threat assessment investigative oversight procedures. We also reviewed terrorist threat incidents in Guardian at each of the field offices we visited and found evidence of CT Watch oversight in the investigative process.20 In addition, we interviewed field office supervisors, investigators, and analysts, who said they were satisfied with the support they received from the CT Watch.

Threat Monitoring Unit

The Threat Monitoring Unit (TMU) administers Guardian by:

During our field office visits, Guardian users said they were satisfied with the training they received on the system. The TMU, working with the FTTTF, has developed a computer-based Guardian training program. Guardian users have access to the program through the FBI’s Virtual Academy. Additionally, most of the Guardian users we interviewed were satisfied with the latest version of Guardian and the support provided by the Help Desk Team.

Foreign Terrorist Tracking Task Force

According to the FBI, the mission of the FTTTF is to provide information that helps keep foreign terrorists and their supporters out of the United States or leads to other legal action, such as deportation, detention, or prosecution. One of the FTTTF’s roles is to provide technical assistance for projects such as the E-Guardian and Guardian applications.

FTTTF officials stated that the Guardian 2.0 development process did not initially follow the Life Cycle Management Directive (LCMD) guidelines because at the time of Guardian’s development the LCMD process was under revision.21 However, FTTTF officials provided us with documentation demonstrating they attempted to adhere to the revised LCMD development requirements after they developed the system. Additionally, FTTTF officials stated that they considered the LCMD process to be cumbersome at times and that the Office of the Chief Information Officer’s (OCIO) officials were not always responsive to their needs. One FTTTF official commented that the Guardian 2.0 system would have taken more time to develop and the cost of the system would have been much higher had the full LCMD process been followed.

The FTTTF also provided enhancements to Guardian through a series of maintenance patches designed to update Guardian’s software and ensure optimal system operation. An FTTTF official said the goal for implementing the patches was to provide quarterly updates to Guardian. However, an SSA who was involved with threat assessments said the quarterly patches were 6 months behind schedule. This SSA believed Guardian needed to be updated more frequently.

During our audit, the FBI replaced the contractor that developed and provided technical support to Guardian. FBI officials stated that the change in the contractor supporting Guardian reduced the number of technical professional staff with the expertise to provide enhancements and maintenance patches. Consequently, the Guardian update program fell behind schedule and further delays could inhibit the system’s ability to track terrorist threats and suspicious incidents. Because Guardian is critical to the FBI’s terrorist threat tracking and management process, we recommend that the FTTTF prioritize updates to the system and develop a schedule to ensure enhancements and maintenance patches are completed in a timely manner.22

Updates to the FBI’s Threat Tracking System

The FBI is designing the E-Guardian application to provide state and local law enforcement with the capability to share its local terrorism incident information with the FBI and to receive nationwide unclassified terrorism incident information from the FBI’s Guardian application. State and local law enforcement users will be able to enter, view, search, and create reports from threat data entered by both state and local law enforcement and the FBI. The initial assessment of the threat or suspicious incident begins when the threat or suspicious incident is entered into Guardian. E-Guardian users will enter those activities, incidents, or citizen complaints that may have a nexus to terrorism.

As previously mentioned, during our audit the FBI replaced the contractor that designed and provided technical support to Guardian. Both FTTTF and OCIO officials said that because the development of E-Guardian relies on the technology used to develop Guardian, the contractor change contributed to the project’s delay. As a result, deployment of the E-Guardian application under development during our audit has been significantly delayed. In addition, the FBI is developing and purchasing new software to complete E-Guardian because the FBI’s original contractor did not completely document the software used to develop Guardian.

FTTTF and OCIO officials also stated that the lessons learned during the Guardian development process are being applied to the E-Guardian development process and that the FBI is following the OCIO’s LCMD guidelines in creating E-Guardian. We verified that the OCIO and FTTTF are currently working together, developing or purchasing new software, applying the lessons learned during Guardian’s development, and following the LCMD process. The FBI reported in September 2008 that E-Guardian was being tested on a pilot basis by certain agencies and that the FBI planned to complete rolling out E-Guardian in phases nationwide by the end of 2008.

E-Guardian Concept of Operations

The E-Guardian application is intended to allow terrorist threat reporting, threat data sharing, and threat information tracking for Fusion Centers and Joint Terrorism Task Forces as well as state, local, and tribal law enforcement agencies.23 The unclassified E-Guardian application will include agencies that do not already have access to the classified Guardian application through the FBI’s Fusion Centers and JTTFs. The application will allow the FBI and state and local law enforcement to collect, share, and analyze threat and suspicious activity data electronically. The E-Guardian application is expected to be an unclassified version of the current Guardian application and should include many of the features developed for the Guardian classified application.

The E-Guardian application is intended to enable users to enter, view, and search threat information as well as create useful reports from state and local law enforcement data and from FBI unclassified threat information exported from the classified Guardian application. Unclassified information from Guardian is expected to be routinely added to E-Guardian to enhance information sharing. All E-Guardian users will be able to read the data, but only a limited number will be able to add data. The FBI expects its local law enforcement partners will submit incidents through both the Fusion Centers and JTTFs.

Talon – The Department of Defense Threat Reporting System

The U.S. Department of Defense (DOD) implemented the Talon threat reporting system to collect and evaluate information about possible threats to U.S. service members and defense civilians at both domestic and overseas military installations. According to the DOD, the system was closed on September 17, 2007, because the number of threats entered into the system had declined so significantly that it determined Talon possessed little analytical value.

The DOD is working to develop a new threat reporting system to replace Talon. According to the DOD, in the interim all information concerning the DOD’s force protection threats will be entered into the FBI’s Guardian application. In the future, the DOD will evaluate reporting systems to replace Talon, but the DOD has not established a timeline to acquire a replacement system. The DOD is considering Guardian as a permanent replacement for Talon, and the FBI is granting Talon users read-only access to Guardian.

The increased use of Guardian by the DOD also suggests that the potential exists for a dramatic increase in the number of terrorism-related incidents reported to the FBI.

Threat and Suspicious Incident Performance Reporting

Since the beginning of Guardian’s implementation, the number of terrorist threats and suspicious incidents entered into the system has increased on an annual basis. Based on documentation provided by the FBI, between FYs 2005 and 2006, the number of incidents recorded in Guardian increased by 51 percent. Over the same period of time, the number of registered Guardian users increased 11 percent. In addition to the increases that have taken place with Guardian, it is anticipated that the implementation of E-Guardian will further increase the number of threats and incidents entered into Guardian. However, we found that the FBI has not taken adequate steps to plan for such increases.

As discussed earlier in this report, the FBI’s policy is to investigate every credible threat it receives. During our fieldwork, we found that field offices collected terrorist threat and suspicious incident performance measurement data and reported the data to field office senior management on a regular basis. However, we found that the CTD did not track such information or periodically report it to FBI senior management. We also found no evidence to indicate that the FBI established performance measurements to address the number of hours expended during the threat resolution process or to report the effectiveness of its efforts to resolve terrorist threats and suspicious incidents. Performance measurements would help the FBI to consistently manage the Special Agent’s and supervisor’s counterterrorism workload and enhance the FBI’s efforts to deploy these critical resources.

FBI officials told us that they were reluctant to establish targets for the number of threats resolved. The number of threats the FBI is expected to resolve varies from year to year, and FBI officials said it is difficult to assign a value for the number of threats to be resolved. In our view, though it may be difficult to project the number of incoming threats and incidents, by identifying the number of threats resolved based on the reporting capabilities available in Guardian, valuable trend information could be gathered to assist FBI management with assigning investigative and analytical resources to historically high threat areas. Moreover, performance goals and measurements, based on the time to resolve immediate, priority, and routine threats, could be developed without the requirement to project the number of threats in future years.

As previously discussed, we identified 60 routine threats and suspicious incidents (28 percent of those tested) at FBI field offices we visited that received no investigative activity for over 30 days. We believe that developing performance measures could also help the FBI ensure that extended periods of inactivity would be recognized more quickly by supervisors and management.

In addition, because the threat resolution process relies heavily on the investigative judgment of both the Special Agents and the supervisor, threat resolution-based performance measurements could also help the FBI identify instances where resource reallocations are warranted. Prior Office of the Inspector General audit reports have also identified the need for the FBI to allocate resources based on its assessment of both current and future threats.24

The latest version of Guardian, Guardian 2.0, includes significant improvements in terrorist threat and suspicious incident performance-related reporting. For example, Guardian can now produce the following reports:

  1. Incidents by Office – a summary of the status and number of incidents broken down by field office;

  2. Overdue Investigations – a summary of the overdue incident closures by field office;

  3. Current Activity – a summary of FBI system-wide incident activity for the last 24 hours, 7 days, and 30 days, broken down by field office; and

  4. Incidents and Sessions by Month – a summary of the total number of incidents and Guardian sessions by month and the average incidents and sessions by day or month by field office.
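The reports listed above are aggregations over incident records. The following Python is an added example, not Guardian code or any FBI code: it builds a handful of constructed incident records and produces the "Incidents by Office", "Overdue Investigations" and "Current Activity" summaries, plus a list of open incidents lacking supervisory review, which is the control the report faults. The record fields, the office names, the reporting date and the use of the report's 30-day figure as the inactivity threshold are all assumptions made for the example.

```python
"""Summary reports over Guardian-style incident records (added example, not FBI code).

The records, field names and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Incident:
    incident_id: str
    field_office: str
    priority: str           # "immediate", "priority" or "routine" (assumed vocabulary)
    opened: date
    last_activity: date     # date of the most recent investigative action
    status: str             # "open", "closed" or "forwarded" (assumed vocabulary)
    supervisor_reviewed: bool


AS_OF = date(2008, 9, 30)   # constructed reporting date

# Constructed sample records; office names are placeholders.
INCIDENTS = [
    Incident("G-001", "Office A", "immediate", date(2008, 9, 29), date(2008, 9, 30), "forwarded", True),
    Incident("G-002", "Office A", "routine",   date(2008, 7, 1),  date(2008, 7, 15), "open", True),
    Incident("G-003", "Office A", "routine",   date(2008, 9, 1),  date(2008, 9, 25), "open", False),
    Incident("G-004", "Office B", "priority",  date(2008, 8, 20), date(2008, 8, 29), "open", True),
    Incident("G-005", "Office B", "routine",   date(2008, 6, 10), date(2008, 6, 12), "closed", True),
    Incident("G-006", "Office B", "routine",   date(2008, 9, 28), date(2008, 9, 30), "open", False),
]


def incidents_by_office(incidents):
    """Incidents by Office: number of incidents per field office, broken down by status."""
    summary = defaultdict(lambda: defaultdict(int))
    for inc in incidents:
        summary[inc.field_office][inc.status] += 1
    return {office: dict(counts) for office, counts in summary.items()}


def overdue_investigations(incidents, as_of=AS_OF, max_inactive_days=30):
    """Overdue Investigations: open incidents with no recorded activity for more than
    max_inactive_days (30 days, the timeliness figure used in the report), per office.
    Each entry is (incident_id, days_idle) so a supervisor can see how stale it is."""
    overdue = defaultdict(list)
    for inc in incidents:
        if inc.status != "open":
            continue
        idle = (as_of - inc.last_activity).days
        if idle > max_inactive_days:
            overdue[inc.field_office].append((inc.incident_id, idle))
    return dict(overdue)


def current_activity(incidents, as_of=AS_OF):
    """Current Activity: incidents with investigative activity in the last 24 hours,
    7 days and 30 days, per field office (day granularity: "24h" means activity today)."""
    windows = {"24h": 1, "7d": 7, "30d": 30}
    activity = defaultdict(lambda: {label: 0 for label in windows})
    for inc in incidents:
        age = (as_of - inc.last_activity).days
        for label, days in windows.items():
            if 0 <= age < days:
                activity[inc.field_office][label] += 1
    return dict(activity)


def unreviewed_open_incidents(incidents):
    """Open incidents that have not received supervisory review."""
    return sorted(inc.incident_id for inc in incidents
                  if inc.status == "open" and not inc.supervisor_reviewed)


if __name__ == "__main__":
    print("Incidents by office:", incidents_by_office(INCIDENTS))
    print("Overdue (>30 days idle):", overdue_investigations(INCIDENTS))
    print("Current activity:", current_activity(INCIDENTS))
    print("Open, not supervisor-reviewed:", unreviewed_open_incidents(INCIDENTS))
```

With the constructed records, the overdue report flags G-002 (77 days idle) and G-004 (32 days idle); G-004 is only two days past the threshold, which is the kind of case a daily run of this report would surface before it sits for months. The threshold is a parameter so that immediate, priority and routine incidents could each be given their own limit.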

We believe that the FBI can improve its threat and suspicious incident reporting and resource allocation by effectively utilizing Guardian’s improved reporting capabilities and by developing performance measures to support its efforts to resolve every terrorist threat and suspicious incident.


We believe that the development and deployment of Guardian has enhanced the FBI’s ability to address and track terrorist threats and suspicious incidents. Guardian provides the FBI with the ability to:  (1) route work, assign and accept tasks, and manage resources; (2) share investigative data to support intelligence analyses; (3) share investigative data with other government agency partners; and (4) allow agents to auto-populate Guardian threat information directly into ACS for additional investigation and threat resolution. We also found the FBI successfully deployed an improved version of Guardian and developed a comprehensive Guardian User’s Manual. Moreover, although the deployment of E-Guardian has been delayed, E-Guardian should further enhance the FBI’s efforts to share threat information.

However, during our audit we identified several areas of concern regarding the FBI’s use of Guardian. Although the summaries of the incidents we reviewed in Guardian were complete and accurate, we found several incidents that were not properly reviewed by a supervisor. We concluded the quality control provided by the supervisory review needs to be improved.

Many of the incidents we tested in Guardian were resolved in a timely manner. However, we found 60 of the 218 incidents (27 percent) we tested exceeded the FBI’s guideline for timeliness. Based on our review of the Guardian incidents and our interviews with FBI officials we concluded that some Guardian incidents in the system were perceived to have a very low priority and were permitted to remain inactive in the threat management system for several months at a time. The prompt assessment of terrorist threats and suspicious incidents is essential. We believe both the field offices and the CTD should develop additional controls to ensure all Guardian incidents are acted upon in a timely manner.

The supplementary tabs introduced with Guardian 2.0 improve the user’s ability to search for specific threats. Yet we found the guidance provided to the field offices concerning the completion of the supplementary tabs was not clear, and as a result supplementary tabs were not always completed. Incomplete or inconsistent completion of this supplementary information could cause agents to obtain an inaccurate threat assessment. The FBI should review its requirement to complete the supplementary tabs, issue clear guidance for completing the tabs, and ensure the field offices consistently follow the guidance.

Frequently, the FBI obtains additional threat information during an existing investigation or the imminent nature of the threat results in a case opening in the ACS system without an assessment in Guardian. We tested cases in the ACS system and found that agents did not always create a Guardian incident record based on information derived from active investigations. In our test cases we found threat information obtained during active investigations that should have been included in Guardian.

E-Guardian should improve the FBI’s ability to share counterterrorism information with its state and local law enforcement partners. However, we found that the change in the contractor developing E-Guardian and early problems with the system’s development have contributed to delays in implementing the system.

While Guardian has enhanced the FBI’s ability to address and track terrorist threats and suspicious incidents, the FBI’s policy of investigating every credible threat it receives means that it must ensure it uses its resources as effectively as possible. We found that performance measures were not in place to measure the FBI’s effectiveness in resolving threats and incidents. Performance measures would help ensure that the FBI consistently manages staffing workloads and that it deploys critical resources according to priority and need.

OIG Recommendations

We recommend that the FBI:

  1. Ensure SSAs and Supervisory Intelligence Analysts review threat incidents entered into Guardian.

  2. Ensure that terrorist threats and suspicious incidents entered in Guardian are closed or forwarded for investigation in a timely manner.

  3. Determine the value added by the completion of Guardian’s supplementary tabs, issue comprehensive guidance, and ensure the field offices follow the guidance for completing the supplementary tabs.

  4. Ensure that all threat information obtained from ongoing counterterrorism investigations that meets Guardian entry requirements is entered in Guardian.

  5. Develop and implement a schedule to ensure technical patches to the Guardian system are completed in a timely manner.

  6. Develop performance measurements to support the FBI’s efforts to resolve terrorist threats and suspicious incidents.

  7. Incorporate threat and incident performance measurements into existing resource allocation plans.


  13. Guardian squads are specialized units at FBI field offices that conduct terrorism-related threat assessments utilizing the Guardian system.

  14. A non-credible threat submitted solely due to a person’s nationality could be immediately removed from Guardian based on the supervisor’s judgment. Alternatively, a non-credible threat with no obvious nexus to terrorism could be immediately closed by the supervisor, but retained in Guardian for its intelligence value, based on the supervisor’s judgment.

  15. Most of the incident information we reviewed was entered through Guardian 1.4, and because of the limitations inherent in Guardian 1.4 we could not determine why the incidents remained open for long periods.

  16. The FBI plans to replace the ACS system with the Sentinel Case Management System. The projected implementation date is 2009.

  17. The JTTFs include teams consisting of FBI Special Agents, state and local law enforcement officers, and other federal agencies who share information and work together to prevent acts of terrorism.

  18. In most instances, these grand jury subpoenas were issued to identify the owners of specific telephone numbers or internet service provider addresses.

  19. We completed a subject search within the ACS system, and for the 17 subpoenas we found the subject matter of the subpoena also pertained to an additional active case. However, based on the information available to us in the ACS system, we could not conclusively determine if the case supported the subpoena in our sample.

  20. CT Watch oversight is limited to the initial review and assignment of the threat. Long term oversight concerning the management and timeliness of the Guardian records is the responsibility of the TMU and the field offices.

  21. To ensure the FBI’s IT processes and resources align with the OCIO’s information system requirements, the OCIO developed the LCMD. The LCMD provides guidance and direction for the technical management and engineering practices used in the planning, acquisition, operation, maintenance, and replacement of IT systems and services. The LCMD provides direction to each Program and Project Manager charged with the responsibility to manage IT programs and projects through their entire life cycles, from inception through deactivation.

  22. At our audit exit conference FBI officials told us the Guardian maintenance patch program is now on schedule and the system has not experienced significant down time resulting from maintenance patch issues.

  23. Fusion Centers are facilities created by state and local entities where homeland security, criminal-related information, and intelligence are shared.

  24. U.S. Department of Justice Office of the Inspector General, The Federal Bureau of Investigation’s Efforts to Hire, Train, and Retain Intelligence Analysts, Audit Report 05-20 (April 2005), 40-44; OIG, The Federal Bureau of Investigation’s Effort to Protect the Nation’s Seaports, Audit Report 06-26 (March 2006), 72; and OIG, Follow-up Audit of the Federal Bureau of Investigation’s Efforts to Hire, Train, and Retain Intelligence Analysts, Audit Report 07-30 (April 2007), 16-17.
