Detect. Protect. Respond.

Incident Reporting to Federal Authorities

A critical function of the Real Estate Information Sharing and Analysis Center is to help real estate owners and operators report to government authorities on credible threats against real estate assets.

With more and better real-world information, the government can more effectively assess threat levels, detect patterns or trends in types of threats or incidents, and develop action steps.

Working through the Real Estate ISAC, industry security experts have developed a standard national protocol for reporting threats and incidents against real estate assets.

Reports of all incidents meeting the "Basic Criteria" and one or more of the thresholds outlined below should be made initially to local authorities and, in most cases, to your local FBI office. Local FBI contact information is listed in the telephone directory as well as online at

In the case of multifamily housing and lodging facilities, incidents regarding suspicious activity of prospective, current or former tenants or guests should be reported through the ISAC only after the incidents have been reported to local, regional or federal counter-terrorism authorities and only if the authorities took concrete follow-up actions.

Suspicious activity should be always be reported to State and local law enforcement first and subsequently to fusion centers and, after local reporting, incidents that meet these criteria and thresholds should be reported by an authorized company representative to the National Infrastructure Coordination Center (NICC) of the U.S. Department of Homeland Security. Reports may be submitted via the Commercial Facilities (CF) Suspicious Activity Reporting (SAR) Tool on the CF portal in HSIN-CS (to sign up for HSIN-CS, contact the DHS Commercial Facilities Team). If partners do not have access to HSIN-CS, an email may be sent directly to the NICC and should include the following information:

  • Date / Time of Incident
  • Sector Name (Commercial Facilities)
  • Sub-Sector Name (Real Estate, Entertainment & Media, Gaming Facilities, Lodging, Public Assembly, Outdoor Events, Retail, Sports Leagues)
  • Site / Property Type (commercial office building, shopping mall, stadium, hotel, casino, resort, apartment building, etc.)
  • Site / Property Address (City, State, Zip Code and any other relevant location information)
  • Description (Text describing the target [e.g., Lincoln Bridge])
  • Type of Incident (Breach / Attempted Intrusion, Misrepresentation, Theft / Loss / Diversion, Sabotage / Tampering / Vandalism, Cyberattack, Expressed or Implied Threat, Aviation Activity, Eliciting Information, Testing or Probing of Security, Photography, Observation / Surveillance, Materials Acquisition / Storage, Acquisition of Expertise, Weapons Discovery, Sector-Specific Incident)
  • Description of Incident (Description of the incident including rational for potential terrorism nexus. Why is this significant? Is the building iconic?)
  • State if this report been shared with any other agencies or security (e.g. FBI, Local Police). If so, provide agency or security information (include Agency Name, POC, Telephone, Email)
  • State if there have been suspicious incidents at this property in the past. If so, include Explanation of Incident, Agency Name, Telephone, Email, SAR Identifying Number)
  • Submitting Organization Name
  • Submitter’s Name, Position / Title, Address (City, State, Zip Code), Phone Number and Email
  • A description of any attached files

If you as a building owner or operator have questions about incident reporting or other issues related to the protection of real estate assets and wish to discuss them with the Department of Homeland Security, you can reach the DHS NICC directly anytime at (202) 282-9201 or (202) 282-9202.

Basic Criteria for Incident Reporting

Reports of incidents or events should be submitted through the ISAC when they meet these Basic Criteria and one or more of the specific thresholds below. Notably, reports should be submitted when the cause is known or suspected to be of malicious origin. Routine criminal activity, vandalism and other minor crime should not be reported via the Nationwide SAR Initiative / Suspicious Activity Reporting. If the cause is uncertain or unknown, reports still are strongly encouraged.

Reports should be submitted when actual or suspected attacks are in preparation or under way targeting any building types and associated parking facilities, including but not limited to:

  • Lodging facilities: Including hotels, motels, inns, resorts, and bed and breakfasts.
  • Multi-housing: Including rental apartment, condominium, co-op or other multi-housing buildings.
  • Office and industrial properties: Including urban and suburban buildings or complexes and light-industrial/R&D properties.
  • Retail centers: Including most especially regional, super-regional, mega or retail destination shopping centers or malls.

In the case of multi-housing and lodging facilities, incidents regarding suspicious activity of prospective, current or former tenants or guests should be reported through the ISAC only after the incidents are reported to local, regional or federal counter-terrorism authorities and only if the authorities took concrete follow-up actions.

Thresholds for Incident Reporting

Incidents or events that meet the Basic Criteria should be submitted if they also meet one or more of the following general or sector-specific thresholds.

General Thresholds (for All Building Types)

  • Intelligence Gathering: Suspicious surveillance or intelligence gathering activities occurring either physically from within or from outside the building, or by means of security related or security sensitive questions (including but not limited to requests for blueprints) from persons with no legitimate need to know.
  • Terror/Bomb Threats: Single threats of terrorist attack, including bomb threats, that result in partial or total evacuation, or multiple threats that are received within any 48-hour period whether deemed credible or not.
  • Unauthorized Access: Unauthorized and suspicious requests (by vendors, guests, occupants or others) for access to highly sensitive areas of a building or for ongoing use of such areas; the discovery of unauthorized individuals in sensitive areas that are behaving suspiciously; or a suspicious change in vendor personnel with access to sensitive areas (e.g., management's cleaning service employees or outside cleaning service's employees).
  • Public Health/HVAC Incidents: Including incidents involving known or unknown environmental contamination such as but not limited to aerial spraying or atmospheric release via HVAC that could lead to, or does cause, multiple illnesses or deaths or that causes an extensive area to be evacuated and isolated for a prolonged period of time; or actual or suspected attempts at delivering contamination through HVAC systems, including tampering with the systems.
  • Thwarted Terrorist Attacks: Including the types of attacks described in all generic- and building-specific incident reporting thresholds.
  • Suspicious Mail or Delivered Package Contamination.
  • Extended Service Outage: Suspicious and extended loss (for more than 24-hour period) of water, electrical or telecommunications service.
  • Official Threat Warning: Including information provided by local authorities that building(s) or the immediate local area may be targeted for a future terrorist incident.
  • Suspected Arson.
  • Discovery of Suspicious Bomb-Making Materials: Including bottles of liquid propane or other highly flammable liquids, on or near the premises.

Additional Lodging-Specific Thresholds
Additional Multi-Housing Specific Thresholds
Additional Retail-Specific Thresholds