The Police Chief, the Professional Voice of Law Enforcement
Advanced Search
September 2016HomeSite MapContact UsFAQsSubscribe/Renew/UpdateIACP

Current Issue
Search Archives
Web-Only Articles
About Police Chief
Law Enforcement Jobs
buyers Your Oppinion

Back to Archives | Back to February 2010 Contents 

Suspicious Activity Reporting: An Overview for Chiefs Engaging Untapped Local Law Enforcement and Private Industry Capabilities to fight Crime and Terrorism

By Lee Colwell, President, Pegasus Research Foundation, Little Rock, Arkansas, and Dennis Kelly, Project Executive, Pegasus Technology Consortium, New Orleans, Louisiana

very law enforcement agency has an obligation to report suspicious activity and monitor suspicious activity reports made by other agencies.1 Fortunately, law enforcement executives can implement suspicious activity reporting and monitoring at any local or tribal law enforcement agency regardless of size. The process involves taking some technical steps and refining some law enforcement business processes, but it need not be a burden. This article is intended to provide chiefs—especially those from rural and smaller agencies—with information that can help them make informed decisions about participating in the Nationwide SAR Initiative (NSI).

Law enforcement can participate in the NSI by making and monitoring suspicious activity reports, or SARs. There are compelling reasons for local agencies to access and monitor SARs through a secure portal like Law Enforcement Online (LEO); Regional Information Sharing Systems (RISS); or Pegasus, acting as a trusted identity broker, as federal planners anticipate. While local agencies may each individually implement suspicious activity reporting, the implementation required for reporting will be a technical and resource challenge for many local agencies, especially rural and smaller agencies. For this reason, the NSI and its federal partners, including the International Association of Chiefs of Police, are focused on providing training and resources to state, local, and tribal law enforcement executives, analysts, and line officers.

What Is a SAR?

A SAR is “a report used to document any reported or observed activity, or any criminal act or attempted criminal act, which an officer believes may reveal a nexus to foreign or domestic terrorism. The information reported in a SAR may be the result of observations or investigations by police officers, or may be reported to them by private parties.”2

The SAR process “focuses on what law enforcement agencies have been doing for years—gathering information regarding behaviors and incidents associated with crime and establishing a process whereby information can be shared to detect and prevent criminal activity, including that associated with domestic and international terrorism.”3

The purpose is to provide an “all-crimes approach to gathering, processing, reporting, analyzing, and sharing” suspicious activity information by law enforcement agencies,4 especially at the local level where most policing takes place. Development of the SAR process has been largely driven by law enforcement, 5 with overall coordination provided by the Office of the Program Manager, Information Sharing Environment (PM-ISE) within the Office of the Director of National Intelligence (ODNI), the federal agency responsible for developing the Information Sharing Environment (ISE).

Suspicious Activity Reporting Technical Processes

Implementing NSI business processes6 and activities in front-line law enforcement agencies will involve five technical and business process steps specified in the SAR technical documents:7

  1. Information Acquisition: the mostly technical processes used to enable field interview reports and field incident reports to be further processed by the owning law enforcement agency.

  2. Organizational Processing: decision making by law enforcement managers regarding what information to send to a fusion center or other SAR analyst.8

  3. Integration and Consolidation: the technical process of making the owning agency’s potential SAR information available for integration in the ISE.

  4. Data Retrieval and Distribution: mostly technical activities that will allow local, tribal, and state agencies and other ISE participants to receive or retrieve ISE-SARs from across the ISE population.

  5. Feedback: steps to capture feedback designed to improve the overall quality and effectiveness of the ISE-SAR process.

SAR Business Process

Figure 1 represents the business processes involved with suspicious activity reporting.

Key points are as follows:

  1. New SAR processes are built on existing law enforcement foundations. Existing law enforcement and information exchange processes, represented by the top half of figure 1, are the foundation for new SAR processes, represented by the bottom half of figure 1. Existing processes are linked to the new processes by the SAR technical standard.

  2. A terrorism nexus is required. ISE-SAR relates only to terrorism-related activities; suspicious activities must be evaluated and judged by trained personnel to have a terrorism nexus before they advance in the ISE-SAR process.

  3. Raising awareness and training are keys. Suspicious activity reporting begins as part of the traditional and routine law enforcement activity of law enforcement personnel—which may be triggered by an observation by a law enforcement officer, a citizen observer, or by someone in private industry. The SAR process relies on training observers to recognize suspicious activity and making everyone aware of the importance of reporting suspicious activities.

  4. The SAR process engages a largely untapped resource: 800,000 law enforcement officers nationwide. SAR processes are designed to work for law enforcement agencies of all sizes, regardless of the state of development of their law enforcement intelligence functions. Many rural and smaller agencies must be engaged if the untapped resource of 800,000 law enforcement officers across the nation is to be engaged in suspicious activity reporting and monitoring.

  5. The process involves the appropriate sharing of suspicious activity reports by appropriate means. After internal vetting by SAR-trained personnel, law enforcement records management systems managers and trained private industry personnel feed data judged to meet requirements for suspicious activity reporting to the FBI Joint Terrorism Task Force and fusion center systems for review and decision making before the data are included in the ISE-SAR system. After legal and policy reviews, federal entities have indicated that the NSI is not an intelligence project, which means the sharing process is not governed by 28 C.F.R. 23.

  6. SAR monitoring and feedback complete the picture. Figure 1 describes the principal steps of suspicious activity reporting. The NSI processes also include a follow-on step, SAR feedback, which enables local law enforcement to ask whether anyone else found anything in the reports, whether anyone else used them, and how to follow up on information it owns using information from other agencies. SAR monitoring, the function for accessing SARs, can be enabled by secure portals such as LEO, RISS, and Pegasus, which can act as trusted identity brokers and provide an entry point to the SAR search tool located at

Private Industry Engagement in the SAR Collection Process

The NSI is designed to engage two key and largely untapped resources in the suspicious activity reporting and monitoring process: all law enforcement agencies, regardless of size,9 and, through those agencies, private industry and other stakeholders in their communities. “Incorporating outreach to the public, law enforcement, and the private sector in the collection process is important to the success of the program.”10

Private industry eyes and ears can act as force multipliers for law enforcement, and the NSI creates opportunities for law enforcement to collaborate with private industry. A number of ways to engage private industry have been recommended, including the following:

  • Routing reported suspicious activities through one of the nation’s 72 recognized fusion centers whose staff have been trained in vetting such information and ensuring necessary privacy considerations.

  • Coordinating with “appropriate entities to ensure that SARs are made available to and from appropriate agencies/organizations,” including the FBI InfraGard Program11

  • Developing a private sector outreach program,12 including private industry outreach materials13

  • Developing an online tips system that private industry and others can use to report suspicious activity to the law enforcement agency for evaluation14

  • Using a liaison officer program to help foster trust and teach private industry how to recognize and report suspicious activity15

  • Communicating to the private sector through a daily report with redacted sensitive information16

Private industry is affirmatively looking for ways to form partnerships with law enforcement. The Pegasus Program and the InfraGard National Members’ Alliance, the FBI’s public-private alliance for the critical infrastructure sector, have developed a strong strategic partnership on identity management and credentialing and have begun efforts to expand that relationship into other areas, including the NSI.

Success Stories

The Los Angeles Police Department, which spearheaded the SAR initiative and brought it to national prominence,17 has reported a number of success stories in its initial SAR implementation.18 Here are a few:

  • An LAPD motor officer conducting a traffic stop noticed that a driver appeared extremely nervous and was unable to answer routine questions. Upon discovering an expired international driver’s license, the officer called the department’s counterterrorism division and learned that the vehicle was of interest. As a result, an LAPD officer completed a SAR.

  • After a citizen returned a purchased sink to a Home Depot outlet, a store employee discovered a detailed diagram of an airplane cockpit on the packaging of the returned sink. LAPD officers responded to the scene, booked the evidence, and completed a SAR.

  • An LAPD officer conducting a traffic stop on a vehicle driving erratically found that the driver had multiple passports, had an outstanding felony warrant, and was on probation. When the vehicle was impounded, police found $10,000 in cash and multiple credit cards in multiple names. A counterterrorism officer completed a SAR.

Implications for Front-Line Law Enforcement Leaders

The Major Cities Chiefs Association has been deeply engaged in the development of the business processes and policies behind suspicious activity reporting.19 As a result of leadership by the Los Angeles Police Department, the Major Cities Chiefs Association, and others, local law enforcement has helped refine the policies that control suspicious activity reporting to ensure that those policies are respected in implementation. As a result, chiefs can be reasonably assured that local law enforcement’s concerns have been addressed in the process design.

Although driven by big-city police leaders, suspicious activity reporting is not just for the nation’s largest agencies. Rural, tribal, and smaller law enforcement agencies play a key role in protecting the nation against crime and terrorist threats.

  • Many rural and smaller agencies protect significant components of the nation’s critical infrastructure—highways, bridges, dams, pipelines, and telecommunications and electric utility generation and distribution facilities.

  • Timothy McVeigh,20Ted Kaczynski,21 the September 11 hijackers,22 and other terrorists in many recent U.S. cases have lived in, worked in, traveled through, and sometimes carried out their crimes in rural areas.

  • Significant national crime threats move easily between urban and rural areas. Meth labs and drugs sold on the street in urban and suburban areas originate in or travel through rural areas to get to the consumer. Large urban gangs have begun to establish rural franchises. And antigovernment militias and activists all too often have home bases in rural areas far from population centers.

  • Indian Country is largely rural. Because of the unique legal status they enjoy and especially because some tribes occupy large areas along or close to the Southern and Northern borders, tribal law enforcement agencies are a vital part of the nation’s law enforcement and homeland security fabric.

For these reasons, and others, rural and smaller law enforcement agencies and tribal police must be actively engaged in the NSI. Secure portals such as LEO, RISS, and Pegasus will not host SAR information but can act as trusted brokers for law enforcement agencies and tribal police nationwide. They provide an entry point for the SAR search tool, located at

In considering whether and when to implement suspicious activity reporting, chiefs and members of their command staff should be aware that, in addition to technical enhancements that they or a shared service like Pegasus may be able to provide, suspicious activity reporting and monitoring will require some refinement of law enforcement business processes—new or different activities that officers and managers do daily—and some training of officers and managers. Participating law enforcement agencies must be willing to change some business processes. And most front-line agencies will probably need some technical assistance to help them refine their processes and train officers and managers on the new processes. To facilitate implementation if and when an agency is ready, the NSI has developed SAR training for all levels of law enforcement—including chief executives, analysts, and line officers.

Chiefs should be especially aware of the benefits of reusing technical implementations, business process documentation, and training materials.23 Because the NSI is built on National Information Exchange Model standards, records management system vendors will have the benefit of creating one compliant upgrade for their system for SARs—and front-line agencies should be able to realize the benefit of reusing that upgrade.

Importantly, while the technical infrastructure requirements are significant, it appears that the new business processes are not burdensome. The officer needs to fill out a form completely and well, and the manager reviewing the report needs to ask a new question: Should this be reported as a possible SAR?

Field interview and field incident reports identified by front-line agency managers as possibly suspicious will be sent to state or federal fusion centers or other analysts for a determination that the information meets federal guidelines for classification as a SAR. It seems likely that only a small percentage of field interview and field incident report information will be reported by front-line agency managers. Every decision to report an item of information will be made by the owning agency managers—with no independent federal or system access to or ability to review the universe of front-line agency information.

Several years ago, intelligence experts estimated that 3 percent of field interview reports contain information with intelligence value, making them a valuable law enforcement resource that is seldom used in the fight against crime and terrorism.24 In this connection, the NSI processes do not involve federal intelligence systems or personnel trolling through massive quantities of information collected by local or tribal law enforcement; intelligence analysts will have access to only those few field interview and field incident reports that local, tribal, and state law enforcement managers affirmatively decide to share with state and federal authorities. This key design feature should give chiefs and their command staffs some comfort about participating in suspicious activity reporting. In effect, it automates and creates a standard format to enable front-line decision making.

Finally, chiefs and their command staff should understand that the privacy aspects of SARs have been carefully thought through. As chiefs know, some critics question the need for any laws and procedures that might represent an erosion of citizen privacy rights. Accordingly, some agency leaders are avoiding taking any steps that might compromise their control of their own information.

It is apparent from a technical analysis of the NSI documentation that the ISE Program Manager and others involved in the NSI policy decisions carefully considered the comments of the IACP, the Major Cities Chiefs Association, the National Sheriffs’ Association, and other law enforcement associations regarding these concerns, and they designed a process that respects those privacy considerations.


With an understanding of the NSI processes, chiefs and members of their command staff can feel comfortable engaging in an informed discussion of the SAR process with individuals and organizations questioning the continued need for procedures like SAR reporting. They can also be comfortable that reporting suspicious activity does not conflict with local agency efforts to control their own information and to protect citizen privacy rights. And they can feel comfortable that, if they themselves make informed decisions about implementing the SAR process, the information they own and control is being properly used by them to protect the public they serve. ■



1“All agencies, regardless of size, have a responsibility to develop and implement a process for gathering, processing, reporting, analyzing, and sharing suspicious activity information within their jurisdiction.” Major Cities Chiefs Association et al., Findings and Recommendations of the Suspicious Activity Report (SAR) Support and Implementation Project (June 2008), 14 (hereinafter cited as Major Cities Chiefs Report).
2Ibid., 36.
3Ibid., 1.
5Initial recommendations for the SAR process were developed by the Bureau of Justice Assistance, U.S. Department of Justice; the Major Cities Chiefs Association; the Global Justice Information Sharing Initiative; the Criminal Intelligence Coordinating Council; the U.S. Department of Homeland Security; and the Federal Bureau of Investigation.
6The ISE Functional Standard for Suspicious Activity Reporting was recently updated to incorporate feedback from law enforcement and from privacy and civil liberties advocates. The updated standard inserts new processes and clarifying language intended to help fight crime while being protective of privacy and civil liberties concerns. The updated standard now separates behaviors that could be observed as suspicious into two categories: defined criminal activity with a potential link to terrorism, and others that are potentially criminal or non-criminal activity that requires additional support to be considered a SAR. The updated standard clarifies that the type of activity that requires additional support includes taking pictures or video of facilities in a way that arouses suspicion, having unusual amounts of weapons or explosives, or demonstrating unusual interest in buildings or infrastructure.
7This discussion necessarily borrows heavily from the ISE-SAR documentation, which should be consulted for additional information. See ISE Program Manager, Information Sharing Environment (ISE) Functional Standard (FS) Suspicious Activity Reporting, version 1.5 (ISE-FS-200; May 21, 2009). See also
8Note that additional processes have been inserted in the latest version of the ISE Functional Standard to make it more responsive to privacy and civil liberties concerns. See note 6.
9See note 1.
10Major Cities Chiefs Report, 3.
11Ibid., 15.
12Ibid., 3.
13Ibid., 22.
14Ibid., 16
15Ibid., 22.
16Ibid., 23.
17See Major Cities Chiefs Report, i.
18See “Suspicious Activity Reporting,” a presentation by Joan T. McNamara, Commander, Assistant Commanding Officer Counter-Terrorism and Criminal Intelligence Bureau, Los Angeles Police Department, (accessed August 3, 2009).
19See Major Cities Chiefs Report, supra.
20Lou Michel and Dan Herbeck, American Terrorist: Timothy McVeigh and the Tragedy at Oklahoma City (New York: Avon Books), 59.
21U.S. Federal Bureau of Investigation, “Headline Archives: FBI 100: The Unabomber,” (accessed October 7, 2009).
22On various dates between June 2000 and August 2001, alleged 9/11 hijackers Mohammed Atta, Marwan al-Shehhi, and Nawaf al-Hazmi, along with convicted 9/11 conspirator Zacarias Moussaoui, traveled and engaged in various activities in and around Norman and Oklahoma City, Oklahoma, including attending a flight school, opening bank accounts, joining a gym, making inquiries about starting a crop-dusting company, receiving money order wires, and purchasing knives. United States v. Moussaoui – Indictment, United States District Court for the Eastern District of Virginia, Alexandria Division, December 11, 2001, paragraphs 19, 45, 46, 48, 49, 53, 65, 67, and 68, (accessed October 11, 2009).
23For a discussion of the benefits of standards and reuse, see IJIS, SAR for Local and State Entities IEPD (version 1.0): Reference Document (revised January 17, 2009), 8-9.
24Dale Watson, former FBI executive assistant director in charge of counterterrorism and counterintelligence, personal communication, October 22, 2004.

Lee Colwell, D.P.A., is president of the Pegasus Research Foundation. Dr. Colwell, a Life Member of IACP, was formerly associate director of the FBI and has been involved in law enforcement at all levels of government over the past 40 years. Colwell holds a doctorate in public administration from the University of Southern California and resides in Little Rock with his wife Barbara.

Dennis Kelly, J.D., M.B.A., is project executive for the Pegasus Technology Consortium. He is an attorney and a member of the National Sheriffs’ Association’s Ethics, Standards and Accreditation Committee and Legal Advisors Committee. President of the New Orleans Chapter of InfraGard, an FBI-private sector alliance, he is a graduate of the Harvard Business School (M.B.A.) and the University of Virginia Law School (J.D.) and lives in New Orleans.

Doctors Colwell and Kelly are affiliated with the Pegasus Program, a nationwide program for local-to-local law enforcement information exchange that has a special focus on meeting the information service needs of rural and small local law enforcement agencies.



From The Police Chief, vol. LXXVII, no. 2, February 2010. Copyright held by the International Association of Chiefs of Police, 515 North Washington Street, Alexandria, VA 22314 USA.

The official publication of the International Association of Chiefs of Police.
The online version of the Police Chief Magazine is possible through a grant from the IACP Foundation. To learn more about the IACP Foundation, click here.

All contents Copyright © 2003 - International Association of Chiefs of Police. All Rights Reserved.
Copyright and Trademark Notice | Member and Non-Member Supplied Information | Links Policy

44 Canal Center Plaza, Suite 200, Alexandria, VA USA 22314 phone: 703.836.6767 or 1.800.THE IACP fax: 703.836.4543

Created by Matrix Group International, Inc.®