In the aftermath of the September 11 terrorist attacks, the Federal Bureau of Investigation’s (FBI) top priorities shifted from traditional law enforcement investigations to the prevention of terrorist attacks. In fulfillment of its new priorities, the FBI began to require that every terrorism-related lead from its sources, or from its federal, state, or local partners, be addressed, even if it required the diversion of resources from other priority areas. The FBI’s principal automated system to track terrorist threats and suspicious incidents is its Guardian Threat Tracking System (Guardian).
Guardian is an automated system that records, stores, and assigns responsibility for follow up on counterterrorism threats and suspicious incidents. It also records the outcome of the FBI’s handling of terrorist threats and suspicious incidents. Guardian can be used to distribute immediate threat information to users, and it also provides the capability to analyze threat information for trends and patterns.
The Department of Justice Office of the Inspector General (OIG) initiated this audit to evaluate the policies and procedures the FBI uses to identify, assess, and track terrorist threats and suspicious incidents. In particular, we examined the FBI’s: (1) Guardian Threat Tracking System; (2) Guardian threat assessment processes and operational guidance established by FBI headquarters; and (3) Guardian threat assessment policies and procedures in practice at six FBI field offices we visited.
To conduct this review we: (1) reviewed threat management documents developed by the FBI’s Counterterrorism Division (CTD); (2) interviewed FBI officials and Guardian users assigned to various headquarters locations; (3) interviewed FBI officials and Guardian users at select field offices; (4) examined the process followed by the FBI in developing, implementing, maintaining, and updating Guardian; (5) tested samples of terrorism-related incidents tracked in Guardian; and (6) tested samples of counterterrorism-related cases in the Automated Case Support (ACS) system.1
Results in Brief
From July 2004 through November 2007, the FBI documented approximately 108,000 potential terrorism-related threats, reports of suspicious incidents, and terrorist watchlist encounters in Guardian. The FBI determined that the overwhelming majority of the threat information documented in Guardian had no nexus to terrorism. However, as a result of information reported in Guardian the FBI initiated over 600 criminal and terrorism-related investigations from October 2006 to December 2007.
According to internal FBI assessments, the number of reported terrorist threats and suspicious incidents is expected to continue to grow. To adequately address this growth, the FBI recognizes that it must continually improve its ability to rapidly share this information and also improve communications among its federal, state, and local law enforcement partners.
In October 2006, the FBI implemented Guardian 2.0, an enhanced version of its primary threat tracking system. Guardian 2.0 allows threat information to be immediately available to users and provides the capability to search threat information for trends and patterns.
We found that Guardian represents a significant improvement over how the FBI tracked and handled threat information in the past because it provides users with the ability to enter suspicious activity and threat information and manage threat assessments through an automated electronic workflow process. However, we also found important aspects of Guardian that need improvement.
Although FBI CTD guidance states that an FBI supervisor is responsible for reviewing and closing each threat or suspicious incident in Guardian, we found that supervisors did not perform the supervisory review prior to closing the Guardian incident in 27 (12 percent) of the 218 incidents we tested.
Additionally, we found that the FBI considered some Guardian incidents to have a low priority. These routine incidents remained unaddressed in the threat tracking system for several months, even though CTD guidance states that all threats are to be resolved within 30 days. We found that priority and immediate level threats were generally addressed in a timely fashion.
In addition to the incident summary, information is entered in Guardian through supplementary tabs that separate an incident or threat into its basic components, such as sources, targets (places), subjects (people), weapons or methods, and vehicles. However, we found that the users did not consistently include basic component information in Guardian. Therefore, users who complete searches or trend analyses in Guardian could receive an inaccurate assessment of the threat due to this incomplete data.
FBI guidance regarding Guardian generally requires that all threat information developed during counterterrorism investigations and recorded in the FBI’s Automated Case Support system also be entered in Guardian. However, we found that in almost half the cases in ACS we tested users did not enter the corresponding threat information in Guardian. As a result, threat information entered only in the ACS system may not be available to the FBI’s government agency partners.
We also found that the deployment of Guardian’s companion threat tracking system – E-Guardian – was delayed. After a planned October 2007 deployment, the FBI reported in September 2008 that E-Guardian was being tested on a pilot basis and that it planned to roll out E-Guardian in phases nationwide by the end of 2008. Implementation of Guardian maintenance patches designed to ensure optimal system operation was also delayed. FBI officials said that both delays were affected by a contractor change. Moreover, the FBI must develop or purchase new software to complete E‑Guardian because the FBI’s original contractor did not completely document the software used to develop Guardian. Because both Guardian and E-Guardian are critical to the FBI’s terrorist threat tracking and management process, any additional delays in the deployment of E-Guardian could inhibit the system’s ability to track terrorist threats and suspicious incidents.
The FBI’s policy to investigate every credible terrorist threat that it receives requires the FBI to ensure that it uses its resources as effectively as possible. However, we found that the FBI did not have performance measures to assess its overall effectiveness in resolving potential terrorist threats and suspicious incidents. Performance measures would help the FBI consistently manage its staffing workloads and enhance the FBI’s efforts to deploy critical resources to the areas of need and priority.
Based on our audit, we believe the FBI should take additional steps to enhance Guardian’s capability to track, manage, and resolve terrorist threats and suspicious incidents. In our report we make seven recommendations related to the FBI’s tracking of terrorist threats and suspicious incidents. These recommendations are designed to help the FBI improve the data quality of Guardian information; ensure all required information is entered in Guardian; ensure all threat assessments are addressed, completed, and reviewed by supervisory personnel; resolve technical problems and delays identified in the development and implementation of its Guardian 2.0 and E‑Guardian systems; and develop and utilize performance measures to ensure critical resources are deployed effectively.
The remaining sections of this Executive Summary summarize in more detail our audit findings.
Terrorist Threat and Suspicious Incident Assessment Process
The FBI receives terrorist threat and suspicious incident information from a variety of sources, including: (1) the public, (2) other government agency partners, (3) state and local law enforcement, (4) FBI field offices during ongoing investigations, and (5) FBI Legal Attachés. Regardless of the reporting source, the FBI requires that each threat or suspicious incident be reviewed, documented, and assessed to determine if a potential nexus to terrorism exists.
In October 2006, the FBI deployed the latest version of its tracking system, Guardian 2.0. Guardian is an automated tracking system that records, stores, and assigns responsibility for follow up on counterterrorism threats and suspicious incidents. Moreover, it can provide immediate threat information to all users. Guardian can be searched by FBI employees and other government agency partners who the FBI has determined need counterterrorism-related intelligence information. Guardian also provides the capability to search threat information for trends and patterns.
The number of incidents in Guardian has grown dramatically since it was first implemented in 2004, and as of November 2007 the system included approximately 108,000 individual threats, suspicious incidents, and terrorist watchlist encounters.
The FBI is developing an additional threat tracking system to complement Guardian, called E-Guardian. E-Guardian is designed to facilitate the sharing of threat and suspicious incident information between the FBI and its state and local law enforcement partners that do not currently have access to Guardian due to security limitations. The FBI plans to routinely export unclassified threat information from Guardian to E‑Guardian to enable access through Law Enforcement Online.2 FBI law enforcement partners will also have the ability to enter local threat information directly in E-Guardian. E‑Guardian users will be able to enter, view, search, and create reports based on threat data input by both state and local law enforcement and the FBI. However, the deployment of E-Guardian has been delayed. As previously stated, the FBI reported in September 2008 that E-Guardian was being tested on a pilot basis by certain agencies and that the FBI planned to complete rolling out E‑Guardian in phases nationwide by the end of 2008.
OIG Evaluation of the FBI’s Terrorist Threats and Suspicious Incidents Processing
The FBI’s threat assessment process is centrally controlled and managed from FBI headquarters through three mechanisms: (1) the Counterterrorism Watch Unit (CT Watch), which operates a 24-hour global command center with complete visibility and oversight responsibility over Guardian; (2) the Threat Monitoring Unit (TMU), which disseminates counterterrorism policy guidance to FBI field components; and (3) the Foreign Terrorist Tracking Task Force (FTTTF), which develops Guardian terrorist threat tracking software.3 FBI field offices and Legal Attachés are responsible for tracking and following up on leads that reside within their geographic areas of responsibility.
Field Office Terrorism-Related Incident Testing
To assess the FBI’s terrorist threat management policies and procedures, we visited six FBI field offices and tested a sample of the terrorism-related incidents entered in Guardian. We selected the following field offices to provide perspectives from a cross-section in terms of field office size, operational activity, and geographic location.
- Philadelphia, Pennsylvania
- Washington, D.C.
- New York, New York
- Detroit, Michigan
- Kansas City, Missouri
- Los Angeles, California
Guardian’s ability to accurately track threats depends on the accuracy, timeliness, and completeness of the incident information entered by system users. For example, inaccurate, incomplete, or untimely threat information entered in Guardian could cause a terrorist threat to go unaddressed or not be timely investigated.
At the six field offices, we therefore tested key attributes that we considered essential to successfully entering, updating, and managing incidents in Guardian: (1) the completeness of the incident summary, (2) supervisory oversight of the incident, (3) timeliness of investigative activity to address the incident, and (4) completion of supplementary search tabs.
In addition, we tested a judgmental sample of 218 terrorism-related incidents from a universe of 1,621 potential terrorism-related incidents in Guardian. As discussed below, we found 133 (61 percent) of the incidents we tested did not adhere to the FBI’s policy or procedural guidelines in at least one of the four key areas in our testing.
Guardian Incident Summary
Guardian users are required to enter threat data in Guardian through a screen called the Incident Summary Screen. The Incident Summary Screen provides an overview of the terrorist threat or suspicious incident. To determine if the users entered the incident completely, we reviewed the Incident Summary Screen for the 218 sampled incidents. We found that all of the necessary summary information was included in the incidents we tested.
Supervisory Oversight of Guardian Incidents
According to the Guardian User’s Guide, an FBI supervisor is responsible for reviewing and closing each threat or suspicious incident. The supervisor must determine whether the threat is satisfactorily addressed or if additional investigation, analysis, or incident updating is required. This supervisory review provides critical oversight and the final quality assurance check for completed Guardian incidents.
We reviewed the supervisory actions taken in each of the 218 Guardian incidents tested. We found that supervisors did not perform the supervisory review prior to closing the Guardian incident in 27 (12 percent) of the incidents tested.
According to CTD guidance, supervisory review and closure of all Guardian incidents should only be performed by an FBI Supervisory Special Agent (SSA) or Supervisory Intelligence Analyst. We found that three of the six field offices we visited did not meet those requirements because supervisors had delegated the review and closure of Guardian incidents to a non-supervisor.
Timeliness of Threat Assessments
Guardian users are prompted by the system when entering an incident in Guardian to establish a priority rating for the reported incident. The system includes three ratings.
- Immediate. Threat assessment begins upon receipt and the threat is normally addressed on the same day.
- Priority. Threat assessment begins shortly after receipt and the threat is normally addressed on the same or the next day.
- Routine. Threat assessment begins as time permits and the threat is normally addressed within 30 days.
We discussed the timeliness criteria with SSAs at FBI headquarters and Special Agents in field offices who were responsible for terrorist threat assessments.4 In general, they said that they considered the 30-day period to address routine threats as guidance, not required criteria. They also said that some complex threats, such as threats that require contact with sources outside the United States, cannot be fully addressed within the 30-day guideline. Therefore, we evaluated timeliness by examining threat assessments that included periods of inactivity in excess of 30 days.
We reviewed 218 Guardian incidents in our sample for the timeliness of the Guardian threat assessment process. For 5 of the 6 field offices we visited, we found 60 incidents (28 percent) that did not meet the 30-day criteria for routine assessments. For the remaining field office we found that all 25 incidents sampled were closed within the 30-day criteria. We found that both the CTD and field office supervisors exercised adequate oversight over threats and suspicious incidents identified in the system as priority or immediate.
Completeness of Guardian Supplementary Tabs
Information is entered in Guardian in two stages. Information is first entered into the incident summary in narrative form. Information in the narrative is searchable, but these searches are limited by the amount of information entered by the user. In addition to the incident summary, information is entered in Guardian through supplementary tabs that separate an incident or threat into its basic components, such as sources, targets (places), subjects (people), weapons or methods, and vehicles. These tabs must be completed separately by Guardian users from the incident summary, because the data is not automatically transferred from the incident summary. When the tabs are completed, Guardian users have enhanced ability to conduct search and trend analysis with the information contained specifically within the tabs.
However, we found that users did not complete the supplementary tabs in 66 of the 218 incidents (30 percent) we tested. From our analysis, we determined that guidance provided to the users was inadequate because FBI policy does not clearly establish whether the completion of the supplementary tabs is required. Some FBI officials stated that they believed the completion of the supplementary tabs was essential because it improved Guardian’s search and trend analysis capabilities. However, other FBI officials stated that the increased workload generated by completing the supplementary tabs was not justified.
As a result of the inconsistent application of this guidance and data not being entered into the supplementary tabs, searches relying on the information contained within the tabs will return incomplete and inaccurate threat assessment information.
Attorney General Guidelines Testing
During our review of Guardian, we also found that in many instances the FBI had asked United States Attorneys’ Offices to issue grand jury subpoenas related to the assessment of suspicious incidents before opening a preliminary or full field investigation.5 We found that two of the four field offices we visited, New York and Los Angeles, sought and obtained grand jury subpoenas without opening preliminary or full field investigations. However, at the other two sites, Detroit and Kansas City, the FBI would not obtain grand jury subpoenas without first opening a preliminary or full investigation. Officials from the Kansas City and Detroit field offices indicated that they understood that obtaining grand jury subpoenas required the opening of a preliminary or full field investigation.
First, we sought to determine the extent of the FBI’s practice of requesting subpoenas without opening a preliminary or full field investigation. To do this, we reviewed a computer-generated report from FBI headquarters that identified FBI subpoena requests supported by administrative case control file numbers for the period October 2006 through July 2007. Control files are administrative case files used by the FBI to store information in the ACS system that do not relate to preliminary or full field investigations.
The FBI report that we reviewed identified 4,067 grand jury subpoenas issued from October 2006 to July 2007. Our analysis of the report data identified 1,785 potential instances where the FBI requested subpoenas based on information found exclusively in the administrative case files, where no investigation had been initiated. We reviewed 136 of the 1,785 potential instances and found that the FBI had requested and obtained grand jury subpoenas without opening a preliminary or full field investigation for 119 (87.5 percent) of the 136 files tested.
Second, we sought to determine whether the FBI’s use of grand jury subpoenas in these instances was consistent with the applicable Attorney General’s Guidelines. At the time of our audit, two sets of Attorney General’s Guidelines governed the FBI’s efforts to address potential terrorist threats and suspicious incidents: (1) the Attorney General’s Guidelines on General Crimes, Racketeering Enterprise, and Terrorism Enterprise Investigations (General Crimes Guidelines); and (2) the Attorney General’s partially classified Guidelines for FBI National Security Investigations and Foreign Intelligence Collection (NSI Guidelines).
The General Crimes Guidelines govern the FBI’s general crimes and criminal intelligence investigations, and also identify the circumstances under which domestic threat assessments and counterterrorism investigations may be started. In addition, the General Crimes Guidelines govern the permissible scope, duration, subject matters, and objectives of such investigations. There are three stages of investigative activity described in the General Crimes Guidelines – checking of leads, preliminary inquiries, and full investigations.
The General Crimes Guidelines do not specifically address whether grand jury subpoenas can be used in the checking of leads investigative stage – that is, before opening a preliminary inquiry or a full field investigation. Rather, the Guidelines authorize the use of “all lawful investigative techniques,” with limited exceptions not relevant to this review. However, the Guidelines also state that the investigative activity that is permissible prior to the opening of a preliminary inquiry or full field investigation is restricted to “the prompt and extremely limited checking out of initial leads.” The General Crimes Guidelines do not address whether specific investigative techniques, such as grand jury subpoenas, are or are not covered by this limitation.
By contrast, the NSI Guidelines, which relate to the investigation of international threats related to national security, specifically describe the investigative techniques permitted at each stage of investigation. The NSI Guidelines clearly state that the FBI may not use grand jury subpoenas during pre-investigation threat assessments. The NSI Guidelines further state that threat assessments are “comparable to the checking of initial leads in ordinary criminal investigations.” However, the NSI Guidelines also provide that matters within their scope, such as crimes related to international terrorism, may also be investigated under the General Crimes Guidelines.
We discussed with the FBI Office of the General Counsel (FBI OGC) and the Department of Justice Office of Legal Policy (OLP) whether the FBI’s use of grand jury subpoenas to assess leads without first opening a preliminary inquiry or full investigation was consistent with the Attorney General Guidelines. The FBI OGC asserted that the FBI was permitted to obtain grand jury subpoenas in these cases at the pre-investigation stage, noting that nothing in either the NSI or General Crimes Guidelines requires the FBI to make an immediate determination at this early investigative stage regarding which set of guidelines govern a case and that therefore any technique permitted by the General Crimes Guidelines was available to the FBI to assess Guardian leads. Moreover, the FBI asserted that, because the General Crimes Guidelines do not specifically prohibit the use of grand jury subpoenas during the “checking of leads,” but rather permit “any lawful investigative technique,” grand jury subpoenas were a legitimate investigatory tool for the FBI to utilize. The FBI OGC stated that the use of grand jury subpoenas was an efficient and effective means of determining whether further investigation of a particular threat was warranted.
We also discussed this issue with the attorney in OLP who is an expert on the Attorney General Guidelines. The OLP attorney recognized that the General Crimes Guidelines were not explicit regarding the propriety of using grand jury subpoenas at the leads-checking stage, but agreed with the FBI OGC’s view that the technique was permissible. He explained that the General Crimes and NSI guidelines are structured differently and use different means to limit the scope of permissible investigative activity in this context. The General Crimes Guidelines do not place specific restrictions on the techniques permitted at the lowest stage of investigative activity – the “prompt and extremely limited checking out of initial leads” – but rather limit activities at that stage through the requirement that they be “prompt and extremely limited” in character. In contrast, the NSI guidelines do not limit the duration of activities conducted at the corresponding (“threat assessment”) stage, but limit such activities in a different way by listing the investigative techniques available at that stage, a list that does not include the use of grand jury subpoenas. Accordingly, in his view it is not sound to draw analogies between investigative techniques permitted under the General Crimes and NSI Guidelines in checking investigative leads. The OLP attorney also agreed that neither set of guidelines requires the FBI to decide immediately to proceed under the NSI Guidelines rather than the General Crimes Guidelines in a particular case.
In sum, it appears that the FBI is not required before initiating pre-investigative activity to determine which set of guidelines apply. Moreover, according to the OLP, the FBI’s use of grand jury subpoenas to assess the threats in the matters we tested was permissible under the Attorney General Guidelines.
We note that the Department of Justice has revised and combined into one document the General Crimes Guidelines, the NSI Guidelines, and other Attorney General guidelines. The new guidelines were issued and made public by the Attorney General and FBI Director on October 3, 2008. The Attorney General Guidelines on Domestic FBI Operations are slated to go into effect on December 1, 2008. These new, consolidated guidelines carry forward the three stages of investigation used in the NSI Guidelines – assessments, preliminary investigations, and full investigations. The guidelines specifically authorize certain methods that can be used during an assessment, including the use of grand jury subpoenas for telephone or electronic mail subscriber information.
Automated Case Support System Testing
FBI field offices frequently uncover threat and suspicious incident activity during the course of ongoing counterterrorism investigations. The FBI currently tracks investigative cases in its ACS system.6
The CTD recognizes that some threat information can be so critical that an investigation should be opened immediately without entering the threat information in Guardian. Following the issuance of Guardian 2.0, the CTD provided the field offices with the following guidance for recording this type of threat information in Guardian:
In all instances that involve the immediate opening of an official investigation, upon receipt of a terrorist related threat or suspicious activity report, a Guardian record must be created to summarize the nature of the incident. The record can be immediately marked complete after referencing the case file number.
To assess the number of incidents that were investigated with case files created in the ACS system but not included in the Guardian threat tracking system, we obtained a listing of all terrorism-related cases in the ACS system that did not have a corresponding reference to a Guardian incident number for the six field offices we visited. The report identified 546 ACS cases without an associated Guardian incident number. We selected a sample of 177 of the 546 ACS cases and found that 81 cases (46 percent) were opened in the ACS system but did not have an associated Guardian record.
FBI guidance identifies certain instances where threat information can be excluded from Guardian. Specifically, FBI guidance states that information derived from investigations utilizing sensitive sources or information obtained from more intrusive investigative techniques should not be included in Guardian.7 We applied these criteria during our testing and found that the 81 cases we identified that required an entry in Guardian did not include information obtained through sensitive sources or intrusive investigative techniques.
We asked case agents why they did not include some of the threat information in Guardian. Some agents said that they thought it was redundant to include threat information in both the ACS system and Guardian because agents who had access to Guardian would also have access to the ACS system. However, according to FBI management officials, some of the FBI’s other government partners have access to threat information in Guardian but do not have access to the ACS system. As a result, incident information entered only in the ACS system may not be available to all government agency partners. Other agents told us that they were not aware of the requirement to enter threat information in Guardian after an investigative case had been opened in the ACS system.
Other E-Guardian and Guardian Concerns
We also discovered additional concerns relating to delays in the deployment of E-Guardian and the implementation of Guardian maintenance patches designed to ensure optimal system operation.
The Foreign Terrorist Tracking Task Force provides technical assistance for projects such as the E-Guardian and Guardian applications. During the course of our audit, we found the Foreign Terrorist Tracking Task Force experienced considerable staff turnover. In addition, the FBI replaced the contractor that developed and provided technical support to Guardian. As a result, deployment of the E-Guardian application under development during our audit was delayed. Both the FTTTF and Office of the Chief Information Officer officials said that the E-Guardian project’s delay was affected by the contractor change. Moreover, the FBI must develop or purchase new software to complete E-Guardian because the FBI’s original contractor did not completely document the software used to develop Guardian.
The FTTTF also provided enhancements to Guardian through a series of maintenance patches designed to update Guardian’s software and ensure optimal system operation. An FTTTF official said the goal for implementing the patches was to provide quarterly updates to Guardian. However, an SSA who was involved with threat assessments said the quarterly patches were 6 months behind schedule, and she believed Guardian needed to be updated more frequently.
FBI officials acknowledged that the change in contractor support reduced the number of technical professionals with the expertise to provide enhancements and maintenance patches. Consequently, the Guardian update program fell behind schedule. Because Guardian is critical to the FBI’s terrorist threat tracking and management process, any additional delays in the implementation of maintenance patches could hamper the system’s ability to track terrorist threats and suspicious incidents. We believe that the FTTTF needs to prioritize updates to the system and develop a schedule to ensure enhancements and maintenance patches are completed in a timely manner.
Threat and Suspicious Incident Performance Reporting
With the FBI’s policy to investigate every credible threat it receives, the allocation of resources to perform this function is critical. The number of terrorist threats and suspicious incidents entered into Guardian has increased on an annual basis, rising 51 percent between FYs 2005 and 2006. Over the same period of time, the number of registered Guardian users increased 11 percent. However, we found that the FBI has not taken adequate steps to plan for such increases.
During our fieldwork, we found that certain field offices collected terrorist threat and suspicious incident performance measurement data and that Guardian has the capability to create reports that could be used to measure performance. However, the FBI had not established performance measurements to address the number of hours expended during the threat resolution process or to report the effectiveness of its efforts to resolve terrorist threats and suspicious incidents.
As previously discussed, we identified a number of threats that received no investigative activity for over 30 days. We believe that developing performance measures could also help the FBI ensure that extended periods of inactivity would be recognized more quickly by supervisors and management. Additionally, performance measures would help the FBI consistently manage its staffing workloads and enhance the FBI’s efforts to deploy critical resources to the areas of need and priority. Further, because the threat resolution process relies heavily on the investigative judgment of both Special Agents and supervisors, threat resolution-based performance measurements could also help the FBI identify instances where resource reallocations are warranted.
Conclusion and Recommendations
Guardian is an incident reporting and management system that collects, stores, and manages terrorist threats and reports of suspicious activities. Moreover, E-Guardian’s future deployment should further enhance the FBI’s efforts to share threat information among state and local law enforcement partners.
However, our review found that the FBI’s use and maintenance of its Guardian system requires several improvements. The FBI needs to better ensure the accuracy, timeliness, and completeness of the information entered in Guardian. Additionally, we found that the Guardian system requires better oversight and updates to improve its functionality and value. We also concluded that the FBI should better utilize the reporting functions within Guardian to better determine the workload needs of addressing every terrorist threat and suspicious incident.
Our audit made seven recommendations to improve the FBI’s tracking of terrorist threats and suspicious incidents, including ensuring the timely completion and supervisory review of all Guardian incidents, assuring appropriate information from ongoing counterterrorism cases is included in Guardian, developing and implementing a schedule to ensure technical patches to the Guardian system are completed in a timely manner, and developing and utilizing performance measures to ensure critical resources for addressing threats and suspicious incidents are deployed effectively.
Typically, the FBI records and tracks terrorist threats and suspicious incidents in the Guardian system as pre-case incidents. After the FBI completes its investigative work on the pre-case incidents, the incidents are closed in Guardian. Some of the pre-case threats and suspicious incidents result in the opening of preliminary inquiries or full field investigations and are tracked as counterterrorism-related investigative cases in the FBI’s ACS system. When the FBI completes investigations, the cases are resolved and closed in the ACS system.
The FBI conducts threat assessments during many stages of its investigative process. Unless otherwise noted in this report, threat assessment refers to the FBI’s initial assessment of the threat during its pre-case determination of the credibility of the threat information.
The Attorney General’s Guidelines identify more intrusive investigative techniques that may only be used during preliminary and full investigations. The information obtained during these investigations should not be included in a system that is designed for pre-case threat information.