Overview
A JTTF investigation rarely follows a straight line. Intelligence arrives fragmented: a travel record here, a financial flag there, a field report from an officer who noticed something off. The Argus platform imposes structure on that complexity, guiding each piece of information through defined workflows that connect collection to analysis to coordinated action. These workflows are designed to meet the unique requirements of counterterrorism operations: classified information handling, multi-agency participation, and the need to escalate emerging threats rapidly while maintaining documentation standards that hold up in court.
Open Standards
- OASIS STIX 2.1 / TAXII 2.1: Intelligence structures and sharing envelopes are expressed in STIX 2.1 (Structured Threat Information Expression) format and exchanged via TAXII 2.1 collections, enabling interoperability with Europol, Interpol-aligned networks, and national fusion centres.
- POLE Data Model (Person, Object, Location, Event): Every entity ingested through the intelligence fusion pipeline is normalised to the POLE structure, providing a consistent cross-agency reference model for entity resolution and link analysis.
- 28 CFR Part 23: Criminal intelligence sharing operations enforce the source-reliability and content-validity ratings mandated by 28 CFR Part 23, with compliance documentation required before any CRIMINAL_INTELLIGENCE record is shared across agencies.
- MITRE ATT&CK: Threat actor techniques and tactics are tagged using MITRE ATT&CK identifiers, allowing analysts to map adversary behaviour to a common framework and correlate findings across parallel investigations.
- FBI CJIS Security Policy: Data classification, access controls, audit logging, and evidence handling throughout the investigation lifecycle conform to the FBI Criminal Justice Information Services Security Policy, covering both criminal intelligence and body-worn camera evidence.
- ISO 19005 (PDF/A) / FRE 901: Court-ready case packages and chain-of-custody exports are generated as ISO 19005-compliant PDF/A archival documents, satisfying the Federal Rules of Evidence Rule 901 authentication requirements for court admissibility.
- ISO/IEC 27037:2012 / NIST SP 800-101r1: Digital evidence collection and preservation follow the guidelines in ISO/IEC 27037 and NIST SP 800-101r1, ensuring that evidence gathered across agencies meets forensic integrity standards for prosecution.
Last Reviewed: 2026-02-05 Last Updated: 2026-04-14
Key Workflows
Intelligence Fusion
Multiple intelligence sources, including field reports, suspicious activity reports, federal intelligence bulletins, social media alerts, financial intelligence, and travel records, flow into a correlation engine that performs entity resolution, link analysis, geographic clustering, temporal analysis, behavioural pattern matching, and predictive analytics. The POLE model (Person, Object, Location, Event) structures every entity for consistent cross-agency reference. Outputs are prioritised threat assessments, investigation leads, and automated alerts distributed to relevant task force members based on classification level and operational need.
Investigation Lifecycle
JTTF investigations progress through defined phases:
- Initial threat assessment and case opening with classification determination
- Intelligence collection and analysis with source validation and corroboration
- Multi-agency coordination and task assignment with progress tracking
- Evidence gathering and documentation with chain of custody preservation
- Prosecution referral or case closure with comprehensive case documentation
- Continuous monitoring of ongoing threats and post-case intelligence retention
- Target development documentation tracking investigation evolution from initial lead to operational action
- Legal compliance checkpoints ensuring proper authorisation at each investigative stage
Watchlist Operations
The watchlist workflow covers the full nomination-to-resolution cycle:
- Nomination processing with supporting evidence documentation
- Screening automation across travel, financial, and communication systems using OpenSanctions and federal watchlist feeds
- Match review and adjudication with analyst verification
- Alert generation and dissemination to appropriate response teams
- Status monitoring and periodic review for subjects of interest
- Removal processing when watchlist criteria are no longer met
- Evidence preservation workflows ensuring digital and physical evidence meets prosecutorial standards
- Analytical product quality control with peer review and supervisory approval processes
Multi-Agency Coordination
Cross-agency operations follow structured coordination patterns:
- Intelligence sharing with appropriate classification controls and need-to-know verification
- Joint task assignment and resource allocation across participating agencies
- Synchronised operational execution with real-time status communication
- Evidence consolidation from multiple agencies with provenance tracking
- Unified reporting and case documentation meeting all participating agency requirements
- STIX/TAXII-format intelligence exchange for interoperability with Europol, Interpol-aligned networks, and national fusion centres
Use Cases
Threat Assessment. Convert raw intelligence inputs into structured threat assessments through automated correlation, pattern analysis, and risk scoring that prioritise the highest-risk subjects and activities. Distribute assessments to relevant stakeholders based on classification level and operational need.
Operational Coordination. Coordinate multi-agency counterterrorism operations through secure communication, task management, and real-time situational awareness across all participating agencies. Maintain complete documentation of operational decisions and actions.
Evidence Integration. Consolidate evidence from multiple agencies and sources into unified investigation files with complete provenance tracking and chain of custody documentation. Ensure all evidence meets admissibility requirements across federal and state jurisdictions.
Watchlist Management. Process nominations, manage screening operations, review and adjudicate matches, and maintain subject status records with complete audit trails. Ensure watchlist accuracy through periodic reviews and timely updates.
Evidence and Case Building. Manage the progression from intelligence collection through case development with structured workflows ensuring proper evidence handling, legal authorisation, and documentation at each stage. Generate prosecution-ready case packages with complete evidentiary chains.
Integration
- Works within the broader JTTF Operations module for full investigation capabilities
- Supports the intelligence fusion and threat assessment workflows described in the main JTTF documentation
- Coordinates with watchlist screening and monitoring systems across participating agencies
- Links to secure communication platforms for classified information exchange
- Compatible with federal case management systems for prosecution referral workflows
- Connects with travel screening and border security systems for subject monitoring
- Integrates with financial intelligence platforms for terrorism financing investigations
- Supports evidence management systems for court-ready case documentation
- Compatible with social media monitoring platforms for online threat detection
- Connects with training management for operational readiness tracking
- Feeds into national counterterrorism threat assessment frameworks
- Post-arrest coordination workflows managing transition from investigation to prosecution phase
- Lessons learned documentation capturing investigative practices for training and improvement
- Supports prosecution briefing preparation with case summary generation and evidence organisation
- Connects with detention management systems for subject custody and transfer tracking