SUSPICIOUS ACTIVITY REPORTING CATAGORIES
Defined Criminal Activity and Potential Terrorism Nexus Activity:
Breach/Attempted Intrusion
• Unauthorized personnel attempting to our actually entering a restricted area or protected site.
• Impersonation of authorized personnel (e.g., police/security, janitor).
Misrepresentation
• Presenting false of misusing insignia, documents and/or identification to misrepresent one’s
affiliation to cover possible illicit activity.
Theft/Loss Diversion
• Stealing or diverting something associated with a facility/infrastructure ( e.g., badges, uniforms,
identification, emergency vehicles, technology or documents - classified or unclassified - which are
property to the facility.)
Sabotage/Tampering/Vandalism
• Damaging, manipulating or defacing part of a facility/infrastructure or protected site.
Cyber Attack
• Compromising, or attempting to compromise or disrupt, an organization’s information technology
infrastructure.
Aviation Activity
• Operating an aircraft in a manner that may reasonably be interpreted as suspicious, or posing a
threat to people or property. Such operations may or may not be a violation of Federal Aviation
Regulations.
Expressed of Implied Threat
• Communicating a spoken or written threat to damage or compromise a facility/infrastructure.
Potential Criminal or Noncriminal Activity Requiring Additional Fact Information During Investigation:
Eliciting Information
• Questioning individuals at a level beyond mere curiosity about particular facets of a facility’s or
building’s purpose, operations, security procedures, etc., that would arouse suspicion in a
reasonable person.
Testing or Probing of Security
• Deliberate interactions with, or challenges to, installations, personal or systems that reveal physical,
personnel or cyber security capabilities.
Photography
• Taking pictures or video of facilities, buildings or infrastructures in a manner that would arouse
suspicion in a reasonable person.
• Examples include:
=> Taking pictures or video of infrequently used access points.
=> Personnel performing security functions (patrols, badge/vehicle checking).
=> Security-related equipment (perimeter fencing, security cameras, etc.)
Observation/Surveillance
• Demonstrating unusual interest in facilities, buildings or infrastructures beyond mere casual or
professional (e.g.’ engineers) interest such that a reasonable person would consider the activity
suspicious.
• Examples include:
=> Observation through binoculars.
=> Taking notes.
=> Attempting to measure distances, etc.
Recruiting
• Building of operations teams and contacts, personnel data, banking data or travel data.
Materials Acquisition/Storage
• Acquisition and/or storage of unusual quantities of materials, such as cell phones, pagers, fuel,
chemicals, toxic materials and timers, such that a reasonable person would suspect possible
criminal activity.
Acquisition of Expertise
• Attempts to obtain or conduct training in security concepts, military weapons or tactics, or other
unusual capabilities that would arouse suspicion in a reasonable person.
Weapons Discovery
• Discovery of unusual amounts of weapons or explosives that would arouse suspicion in a
reasonable person.
Sector-Specific Incident
• Actions associated with a characteristic of unique concern to specific sectors, such as the public
health sector, with regard to their personnel, facilities, systems or functions.
**Note: These activities are generally First Amendment protected activities and should not be reported in a SAR or ISE-SAR without articulable facts and circumstances that support the source agency’s suspicion that the behavior observed is not innocent, but rather reasonably indicates criminal activity associated with terrorism, including evidence of preoperational planning related to terrorism. Race, ethnicity, national origin or religious affiliation should not be considered as factors that create suspicion (although these factors may be used as specific suspect descriptions).