
The federal judiciary said it will deploy its modernized online system used to manage and file court cases and documents within the next two years after a series of recent cyberattacks put sensitive information in those systems at risk.
The Administrative Office of the U.S. Courts (AO) said that it began the planning phase of its effort to modernize its case management and electronic case files (CM/ECF) system in 2022 and is now moving into the development and implementation phase.
The CM/ECF contains court documents for 65 million cases and has 1.7 billion docket entries across more than 200 courts, according to the AO.
“We expect implementation will begin in the next two years in a modular and iterative manner,” wrote Judge Robert Conrad, director of the AO, in a letter to Sen. Ron Wyden, D-Ore., sent on Oct. 3.
“For the past few years we have been analyzing and developing operations standards while testing technical components,” Judge Conrad continued. “The AO is centralizing the operation and data standards for the system to allow a more secure environment and to ensure local rules and procedures are accommodated.”
In August, Sen. Wyden wrote to Chief Justice John Roberts requesting a comprehensive review of the federal court system’s cybersecurity protections following a July breach of its CM/ECF, which likely exposed sensitive court information across multiple states.
That was the second breach of the federal court’s systems in five years.
In his written response to the senator, Judge Conrad said that while details on the courts’ cybersecurity responses are confidential due to national security risks, the AO is working with Congress and the executive branch to address “challenges.”
In his letter, Sen. Wyden said that the judiciary had ignored advice from government entities on how to secure its systems. He also noted that while federal agencies have minimum cybersecurity standards, the court system had not yet established that baseline.
Judge Conrad responded that the AO has used recommendations from the General Services Administration’s 18F team – which offered digital services consulting to federal agencies and was eliminated by the Trump administration in March – to plan its modernization efforts.
The judge also pointed to other efforts, such as using a phased approach to implementing multi-factor authentication (MFA) to access PACER, the electronic system available to the public to access non-sensitive court documents.
“PACER users range from sophisticated, high-volume data aggregators and well-resourced law firms to journalists and ordinary citizens, to indigent litigants,” wrote Judge Conrad. “All PACER users need access to court records, but some do not have traditional forms of MFA they can use. The design and implementation of our MFA implementation requires consideration of these unique needs.”
Sen. Wyden had raised the slow implementation of MFA as a concern, saying that while agencies have been using MFA for years, the court systems will not be required to use phishing-resistant MFA until the end of 2025.